

Scamming the scammers – catching the virus call centre scammers red-handed - troyhunt
http://www.troyhunt.com/2012/02/scamming-scammers-catching-virus-call.html

======
orbitingpluto
I had a freshly cloned WinXP instance running in Hyper-V when I was called by
one of these scammers. I went through the same thing out of interest's sake. I
thought they might clue in when Oracle 10g was the only thing in the Start
Menu. They didn't.

The interesting bit is that I called LogMeIn with my other phone, excused
myself for a moment "to answer the door", explained the situation, gave the
session ID (whatever it's called) and they got to listen in on a good portion
of the whole thing.

After I called them on what they were doing, LogMeIn told me there was nothing
they can do about it. I suppose if the scammers are LogMeIn customers, LogMeIn
is perfectly willing to facilitate this sort of behaviour.

That put the nail in the coffin for my ever using LogMeIn.

~~~
vacri
To be fair to LogMeIn, it's a privacy violation to monitor the traffic that
goes on in the connections they facilitate, though they should at least
investigate such warnings, and perhaps suspend accounts that have had a
certain number.

~~~
orbitingpluto
Well the LogMeIn tech support rep got to actually hear the conversation
between myself and the scammer by speakerphone, so that should have sufficed
to start an investigation.

But I guess to be fair to LogMeIn, the tech support rep just might not have
cared.

------
bediger
How about something like this for the "Card Services" scams?

These are the robo-calls with the female voice telling you that you can lower
your credit card's interest rate, but it's only for a limited time, so press 1
to talk to a service rep.

I've gone pretty far down the road with a few of these "service reps". I'm
convinced they want credit card number, expiration date and CVS/CVC for cards
with a large available balance. They hang up on me if I just want the lower
interest, or if I inquire too closely about who they work for, or why they
need the CVS/CVC (3-digit code on the back of a card).

~~~
dkl
I had an interesting experience with these scammers.

I played dumb and got from automated to first line qualification to second
line qualification to the person that closes the deal. At each level you could
tell that the savvy-ness of the person went up dramatically. When I got to the
closer, he was smooth as silk. He asked me for info from my credit card
statement. I kept him on the phone a good 10-15 minutes playing dumb, then I
hung up. He called back immediately and said "oh, we got disconnected" and I
basically told him he was scum and I did this because I asked to be taken off
their "list" about 20 times. He said "you'll regret this" and hung up. At this
point my phone rang again and someone started screaming at me. He had
redirected the complaining victims like myself to my phone #. I unplugged my
landline and called AT&T on my cell. They really couldn't do anything, which I
found amazing. After 30 minutes I plugged the phone back in and didn't receive
any more calls.

Then, I googled "card services". It took me a while, but I found a lawsuit
against some company from around 2002, and even found a PDF containing the
complaint by some lawyer in TX, complete with a phone number. I figured, what
the heck, I'll call it and see if anyone answers. Some old guy answered on the
2nd ring and I explained the situation and he was very surprised. He said the
company had been shut down soon after the lawsuit. I told him they were back,
with a vengeance. They had been calling me at least once a day for a year. He
told me to start a case with the FCC (I think... it was a few years ago),
which I did by filling in a form on their website. Never heard squat.

After the incident mentioned above, I didn't get a call for more than a year.
Then, they started up again. Now, I just hang up immediately. I'd say I get a
few a week at this point.

------
noonespecial
Where's Anonymous when you need them? There's probably enough people with
enough chutzpah in that group to make business very difficult for these sorts
of crooks if they were so inclined. Defending little old ladies against this
sort of nonsense would go a long way toward polishing their image.

Anonymous: Get a bat-signal.

~~~
alecco
Their standard answer to calls like this is "we are not your personal army".

------
MichaelApproved
So how do you stop these kinds of scams from continuing to go on? I would think
the best option would be to revoke their ability to collect money.
Visa/Mastercard/Amex should suspend their merchant accounts. Sure, it'll be a
cat and mouse game but at least they'll be doing _something_.

A friend's machine was infected with a fake virus demanding the user purchase
software that'll clean the machine. I'm so surprised these guys are able to
steal money like this. Suspending the ability to process the credit card would
put a lot of these viruses out of business.

~~~
smokinn
Not really. The way these guys operate is that they often load balance their
charges over many merchant accounts.

Your merchant account can get into trouble if you have too many chargebacks
_and_ have too high a percentage of chargebacks. So the way most people do it
is try and stay under the hard limit. The percentage is still too high but as
long as you stay under the hard limit you'll be fine. If you know you're going
to bust that merchant account that month you pump as much of your transactions
through and close the account before the chargebacks inevitably pour in
leaving the issuing bank on the hook. I can't remember which of Visa or
Mastercard gave more leeway but the numbers were something like 35 max
chargebacks/month and under 2% of total transactions and the other 50 max
chargebacks and under 2.5% of total transactions. The numbers may not be exact
but they should be reasonably close.

It's actually very easy to get a merchant account. You set up a dummy
corporation, get a legitimate-looking website and request one. You usually get
it. So if you just pay a web designer to make you a generic layout with 100
different logos/color schemes you can definitely get 100 merchant accounts.

One of my ideas was to create a crawler to detect a lot of these scams and
alert the banks before the scammers cut and run. It's a decent idea (most of
these scams run on very common patterns that can be detected scraping the web.
The terms of service are a great place to start) and would definitely save
them a lot of money but there's no way I want to get involved in sales to
banks.

~~~
MichaelApproved
I thought your company had to have a credit history or you would have to use
your personal credit to open the account. Is that just a requirement for the
better banks with lower rates?

~~~
smokinn
If you're going with a brand name bank you'll have to jump through many more
hoops than going through a small one.

There are also boards out there that scammers hang out on and share which
banks currently have the easiest-to-circumvent systems. I'm not sure where
they are anymore; they tend to go up and down a lot and I haven't paid
attention to any of this for a couple of years now.

Some of these scams can be so profitable that the scammers literally buy small
banks to make sure they don't get shut down and give great rates to people
with legitimate business and high enough volume so that the blended rate
between their legitimate customers and their scammy cash cow looks ok. They
take a loss on the legitimate customers but the cash cow is a scam and almost
pure profit so they still make a huge amount of money.

------
michaelneale
I have had it twice - both times I was working - so I pretended to go along
with them. I faked crashes, and restarts (each that took ~ 5 minutes) while I
went on with my work. At about the 50 minute mark they seemed to realise (both
times) that it was a lost cause - so made excuses and just gave "advice" and
hung up. So from that small sample I guess there is a limit to what they are
able to sink on a given customer time-wise. My satisfaction was that it was 50
minutes they weren't perhaps attacking someone vulnerable.

------
joshuahedlund
I'm very familiar with the "you have a virus" pop-ups that trick helpless
users into downloading bogus software, but I've never heard of a cold call
version of that scam.

Am I misunderstanding something, or do these scammers literally call people's
phones and tell them out of the blue that their computer is infected? What if
they say "I don't have a computer"? What if they say "I have three computers,
which one?" Seems like that would raise more flags more quickly than a pop-up
showing on your actual computer, and manual phone calls can't scale like pop-
ups... how is that still profitable or what am I missing?

Edit: OK, number of computers is easy. Still surprised that it is profitable
given (what I suspect as) the inability to scale. I guess the conversion rate
just isn't that bad.

~~~
ceejayoz
> What if they say "I don't have a computer"?

 _click_

> What if they say "I have three computers, which one?"

"We're going to need to check all of them."

~~~
prawn
Exactly. Very low risk for them. If the call goes nowhere, they hang up and
move on to the next target. The previous target thinks it a bit odd but what
are they realistically going to do about it?

------
mpunaskar
I have asked one of my friends who works in Bank of Baroda to look into this.
Hopefully BOB will shut their account(s).

But even if Bank of Baroda closes their merchant account they'll go somewhere
else & open a new account and continue their bad activities.

~~~
troyhunt
Good work, I've also emailed Bank of Baroda directly and provided them with
the information in my post.

------
JonnieCache
My (hacker) friend gets these multiple times per week. He has tried being
increasingly lurid and profane but they still call him. They obviously aren't
doing much analytics.

~~~
smokinn
Weird. You'd think they wouldn't want to waste their own time like that.

They were targeting my grandfather for a while but stopped calling when I
would cut them off mid-sentence.

The first time I was thoroughly confused by the truly nonsensical gibberish
the guy was spouting until he got to the point where he offered to fix it all.
Then I just said I was a software engineer and that everything he just said
was garbage. He replied, "Software engineer?" I said yes and he hung up on me.

On the second call we got I just cut the guy off and asked: what company do
you work for? There were a few seconds of silence followed by a click and dial
tone. No calls since.

~~~
dspillett
_> Weird. You'd think they wouldn't want to waste their own time like that._

The same scammer will call back multiple times in case there are several
people that might answer the phone at that number which could be the case for
a household or small business (large businesses are not a target for this sort
of thing as the people who answer the phone won't have the access rights
needed for the scam to work). You knew that it was a scam but your
sibling/parent/secretary/what-ever might not and so might go along with it.

Once they've retried your number a few times they'll just add it to the pool
that they'll sell on to other scammers. By answering the phone you've proven
that the number is valid and can be used to contact a human. Lather, rinse,
repeat.

------
vinodkd
FWIW, here're some details about the company:

1. It seems to be run from Kolkata (capital of West Bengal): Go to
maps.google.co.in and search for Comantra. The result has a phone number _you
can call_

2. They seem to be hosted by GoDaddy. Does anyone want another go at that
angle? Although, knowing GD this is the kind of customer they want!

3. LinkedIn also returns somebody who calls himself Owner of GoMantra. Not
linking here for obvious reasons of mistaken identity.

IANAL, and I couldn't find a resource that I could point you to from an Indian
legal POV. Cybercrime has only recently been defined by Indian law and from
all that I read (not much authoritative) there's not much in this area. Any
law-savvy Indian HNers care to chime in?

------
nl
I've done similar, although I didn't go as far because I got bored quicker.

In the end I asked the guy how he felt about scamming people etc, and the
discussion that ensued convinced me that he _didn't actually realize_ what
they were doing. He actually went to get his boss to convince me, and I half
heard an argument before someone hung up my phone.

------
vacri
They use two remote access clients most likely because the second one gives
them invisible filesystem access - you can't see what they're looking at. The
first one is probably just simpler to connect and helps them get you over the
hurdles of the second one (which there aren't many of).

I had one of these scammers call, who was insistent there was an XP machine
with a virus. He called back three times in quick succession, the third time I
repeated that I used Linux, not XP, and "I know you're a scammer, you know
you're a scammer, just fuck off". That seems to be what's required to make
them stop.

A friend of mine had one of these calls and decided to play along - he
followed all their instructions, but played the dumb user... neglecting to
tell them he was in KDE on Ubuntu, not XP. "Yes, I'm clicking on the button in
the corner...". He had them on speakerphone while preparing dinner and
whatnot, went through several staff including 'senior advisors', and it
finally ended when the battery on his phone died an hour later...

~~~
foxylad
Luckily I had warned my mother-in-law about these - she's safely on Ubuntu,
but I keep everyone in the family aware of scams.

So she played along for at least 45 minutes, before telling them their mother
would be ashamed of them and they should get a useful job like sweeping the
streets!

This seems like the best approach, if you can spare the time - tie up so much
of their time that it is uneconomic.

~~~
redslazer
Isn't your time more valuable than theirs, making the last statement sort of
moot?

~~~
defrost
Speaking as an Australian that's had a few of these calls, it's kind of fun
stringing them along the first few times and then after that you can just hand
them off to the nearest grandmother or 13 year old and let them deal with it.

My nephew (13) thinks it's great fun to stretch these calls out as long as
possible, but then he's into playing Skyrim & what not.

------
celias
This reminds me of a This American Life story in 2008 about scam baiters
conning a 419 scammer and whether they went too far
http://www.thisamericanlife.org/play_full.php?play=363&act=1

------
ishkur101
I must admit I am quite shocked to see that there is now a new account on HN
called Comantra advertising this "service". I am also quite sure that no one
that reads this site would fall for this scam.

Edit: spelling and punctuation

------
Shank
I love how at the end they kept trying to unsuccessfully explain how they
weren't a scam.

------
Funkier_Logic
I must have missed the part where you "scammed" them, unless you really just
meant to say "confronted on the phone". But that wouldn't get you as many
clicks, would it?

~~~
damian2000
the writer obviously put a lot of effort into this post ... I'd say trying to
get a bit of extra visibility with a catchy title is totally excusable

