
I am going to eradicate the inbound Windows Support scam - hourislate
http://jollyrogertelephone.com/i-am-going-to-eradicate-the-inbound-windows-support-scam/
======
biot
A good start, but needs a lot of work. If it's targeting a Windows Support
scam, why not tailor the audio to that? Mention one of various viruses. If the
"tech" asks you to do something, say your Windows just bluescreened and have
them wait 30 seconds while it reboots, all the while saying "hang on, it's
almost there", "this thing's been really slow lately", etc. and then play the
Windows startup sound. Pretend to have typed your password incorrectly a few
times. Occasionally ignore whatever they say and start telling them you're
running this program your nephew told you about.

And so on. If you call them yourself and actually follow their instructions,
installing something from some site into an isolated, disposable VM and then
running it, you can record what happens and then build that into a better
script. Trigger these instructions by asking them what they can do to fix your
computer, and time their response. Bonus points if you can detect them saying
"http" which kicks off that part of the script.

~~~
radiorental
When Dell was breached a few years back my details made their way to India. I
get a call from them about once a month. I've learned the script and various
vectors they try to get the software onto my computer.

The longest I've had them on the phone is 20 minutes. He's one of my favourite
recordings though

[https://soundcloud.com/radiorental1/dellsupport2](https://soundcloud.com/radiorental1/dellsupport2)

It's funny, someone pointed me at this thread because I sort of sound similar
to the OP's site.

~~~
gloverkcn
20 min is pretty good. I will usually get called while away from my computer.
I try to see how long I can go from memory of windows (been using Mac for 8
years). Once they pass me to their manager I know they've caught on I'm
fucking with them. The second guy is clearly more technical/experienced and
starts trying to determine as fast as possible if I'm legit. My "computer"
will slow down at that point, then, I ask stuff like "can you guys fix this as
well?"

I love it when the person yells at me for wasting their time.

~~~
radiorental
I'm on mac too with a win7 vm, I hit upon the idea of tagging them along as
far as I could when they asked me to press the windows key and I'm looking at
a mac keyboard.

The different shops that have called me all follow a similar set of attacks

1) windows key 2) run command to msconfig 3) browser to download payload.

I had a 'supervisor' on the line once and when they asked me to connect to the
internet I'm pretty sure I heard them curse at me with incredulity as I played
the 56K dialup sound.

I once got them down a conversation cul-de-sac when I asked them which they
preferred - Minesweeper or Solitaire.

~~~
lighttower
Oh, do you have that recording? Awesome.

~~~
radiorental
I lost them cursing at me and I don't have the Solitaire v. Minesweeper
discussion recorded but here's something similar at 11 minutes
[https://soundcloud.com/radiorental1/dell-support](https://soundcloud.com/radiorental1/dell-support)

~~~
elsurudo
Hah, this was great, listened to the whole thing. You had some nice tricks up
your sleeve, laughed out loud a couple of times. Thanks! Love the response you
got at the end...

------
aerovistae
This is brilliant. Can't say whether it would work, but if you listen to the
pre-recorded calls he's using to tie up the operators, they're ingenious in a
comical way.

The second one features this woman who starts arguing with her teenage
daughter in the background at length, then says to the guy "Oh my god I'm so
distracted, I didn't hear anything you said, I'm really sorry, you're going to
have to repeat all that."

What a brilliant strategy to tie them up.

~~~
konceptz
This will absolutely work. Or at least should work based on a study by
Microsoft researchers stating that the business model is very fragile.

[https://www.microsoft.com/en-us/research/wp-content/uploads/...](https://www.microsoft.com/en-us/research/wp-content/uploads/2016/02/WhyFromNigeria.pdf)

------
hive_mind
I'm Indian myself and it concerns me that so many of these scams emerge from
what appears to be India (based on the Indian accents).

Does anyone know if any scammers have ever been "brought to justice" in India.
Ever?

Seems like something that should be a high priority for the Indian Govt. if
they want to help with India's image abroad, especially with the tech sector.

~~~
downandout
I correspond with someone from India that is heavily into marketing this stuff
(he does legitimate things as well, and is one of the most knowledgeable paid
Facebook advertising specialists on earth, which is how I came to know him).
He has been pushing it for years and the Indian government has never come
close to bothering either him or the people that actually own the services
that pay him for each phone call his advertising generates.

It's not just the Indian government that is lackadaisical about this either.
He is able to run ads for these tech support scams through Facebook and get
ROI above 500%. Facebook eventually stops his ads, then he buys another ad
account. In fact, he claims a single aged Facebook account is worth roughly
$10,000 to him (aged accounts have an easier time getting ads through). He
spends well into the six figures each year on these types of ads through
Facebook alone. Ad platforms share some of the blame for the proliferation of
these scams because they simply do not police their platforms well - the
tactics he uses to get these ads through their review process are truly
elementary but are good enough to foil a company full of PhDs. Clearly they
aren't trying very hard.

~~~
kriro
I'd be wary of this person you are describing, depending how you got to know
him. It reminds me a bit of certain poker coaches back in the day. You
basically only have his word. I'd assume the 10k figure that accounts are
worth and the 500% are vastly exaggerated. If it works so well, why is he
sharing this with you? Let me guess, because he enjoys mentoring and is tired
of doing the same profitable things over and over? He's probably charging a
fee for these invaluable services?

~~~
downandout
We share technical and strategic internet marketing information/software, and
info about what is and isn't currently working marketing-wise. The stuff about
the specific campaigns he's running came up only after more than a year of
such exchanges. Also he isn't giving me his landing pages, his advertiser
contact info, etc., and he knows I'd never touch something as legally
questionable as a tech support scam anyway. But of course at some point when
talking to others, after long enough, you talk about what you are working on.
I've never paid or been asked for a dime.

So your assumptions are incorrect.

------
fjarlq
Reminds me of Lenny, the bot that tricks telemarketers:

[https://www.toao.net/595-lenny](https://www.toao.net/595-lenny)

~~~
cyberferret
I've only recently heard of Lenny (late to the party), but think some of the
videos I've heard are hilarious.

I know "he's" been around for a while, and runs on a purely manual random
delay system, but I wonder if Lenny could be updated with modern technology,
to do a bit of rudimentary voice recognition for better interaction with the
scam caller?

I know that his existing script is very cleverly generic and timed to work in
with most telemarketing scripts, but I think if it was improved just a bit
more, we could end up with quite a convincing respondee that would burn up
more scammer time, and hopefully make a small dent in the enthusiasm of these
con artists...

~~~
geon
I believe it (or some other bot) detects silence on the other end of the line
to trigger playing samples.

So it can insert "u-huh" whenever the salesman is done talking.

------
i336_
An alternative I thought of the other day while watching one of the hundreds
of YouTube videos of this was to simply batch-dial thousands of numbers all at
once then randomly route them to each other. For bonus points, record
everything and make it available live.

The next level up would be a trusted-user system where you could go to a
website, hit a button and immediately be connected with an actual scammer; or
you could listen in on other people currently in calls and suggest things they
should do next. And maybe there could be a pool of VMs available to play
with...

Regardless of technique - fake recordings or various types of routing - I
would advise making friends with all the high-level VoIP gateways. That way
you won't have any problems batch-establishing hundreds of calls at once (for
example if you know all the numbers for a call center and you know what time
the, er, _staff_ get in), getting a new number block, or even getting general
caller ID override (which I understand is sometimes unavailable?).

My thinking here is that if you can win over a bunch of providers (with money
and inspiration/sentiment), you could VoIP-DDoS the gateway providers the
scammers are using. Would tie up the scammers' time moving to a new VoIP
provider.

~~~
lighttower
This. Great idea. I love the idea of being able to be connected to an actual
scammer via website and have a little pop-up window with others suggesting fun
things to do to the scammer. The recordings can then be made into loops to
autodial them.

------
al2o3cr
While this seems satisfying, it would be more effective to figure out how
these companies are still able to access the credit card networks and block
the shit out of them. I used to work at one of the smaller international CC
processors, and we _specifically_ rejected merchants offering "remote
technical support" (i.e., THIS EXACT SCAM) and the entire rest of the 5967 MCC
(inbound teleservices).

I recall reading that the "fake IRS" crew had started working around this by
telling people to buy iTunes gift cards, but it would be a start.

------
laumars
A word of warning for the author: phone numbers can be easily spoofed (like
you can spoof the sender email address or the originating IP in a UDP packet).
What's more, many scam calls _do_ use spoofed phone numbers. Thus the number
you might be flooding may not be the originating caller. This could turn your
utility into something far more malicious than was originally intended.

~~~
diamondo25
Yes, but also get the ball rolling to also improve this system in the world.
Companies do not care that systems are vulnerable until it really affects them.
Just look at the botnets from vulnerable IoT devices waking up parties so they
start to protect them. Same with phones and their support periods...

~~~
laumars
Blackhats don't tend to publish their work in a way that is traceable back to
their person. If this system gets abused then the OP becomes liable. This was
why I raised my warning to the author specifically - albeit I couldn't have
made my point about the legal consequences of abuse clearer in my previous
post.

------
StavrosK
I made an email equivalent of this:

[https://spa.mnesty.com/](https://spa.mnesty.com/)

The problem is when people send you numbers or emails of legitimate people,
because now you're basically DDoSing their phone number for free. How is this
service planning to vet these numbers?

~~~
martinml
You seem to have some loop there with the real Uber support?
[https://spa.mnesty.com/conversations/bmazjsnh/](https://spa.mnesty.com/conversations/bmazjsnh/)

And in one case the spammer was aware of your site!
[https://spa.mnesty.com/conversations/gywanvsb/](https://spa.mnesty.com/conversations/gywanvsb/)

Maybe you can hide from Google with the appropriate robots.txt so the last one
doesn't happen.

~~~
StavrosK
Thanks for that, I've deleted the first one. I have safeguards in place to
prevent legitimate senders from being hassled, but I have to add them first.

That second one is hilarious, though :P

~~~
Doctor_Fegg
" _She is a Monkey climbing trees_ "

Brilliant!

------
kefka
Although I shouldn't derive my enjoyment from others' suffering, I do on this
capture. [https://www.youtube.com/watch?v=Du6acZ-PZQ8](https://www.youtube.com/watch?v=Du6acZ-PZQ8)

The long and short of it, the Indian scammer ends up setting a SysKey password
and a BIOS password on his machine. He's using his bosses' machine, and it
appears to be the domain controller.

The scammer ends up crying and screaming at the guy and out of terror and
rage, ends up hanging up.

Normally, I would be like "I feel bad for this guy". Nope not at all. Bloody
scammer got what he deserved - a taste of his own medicine.

~~~
rogual
My bullshit detector is bothering me.

- Scammer volunteers the information that he's "using his supervisor's
computer". This increases the emotional satisfaction of watching the video but
seems unmotivated.

- Scammer sounds like he's suppressing laughter at one point.

- Scammer follows the guy's instructions in the first place and continues
doing so.

- Some of his lines seem to have an oddly flat affect, as if he were doing
bad acting.

~~~
SippinLean
- Scammer doesn't actually have an Indian accent, is pretty clearly just
pretending. They try to fake the grammar stuff but can't pull off the subtle
mispronunciations.

This is incredibly fake. The end REALLY drives it home.

------
ryandrake
This is neat, but at the end of the day, only user education will eradicate
scams. As long as there are people willing to call strangers and give them
access to their computers or buy iTunes gift cards for them, there will be
scammers ready to be those strangers. Somehow people learn to not get into
strangers' cars. They need to also learn to not trust uninvited solicitations,
especially coming from the internet.

------
ikeboy
Please have someone manually call reported numbers once to confirm it's
actually a scam so this can't be exploited.

------
brazzledazzle
This reminds me of stuff we used to do with 96 line dialers way back in the
day. It was a pretty solid tactic for dealing with anyone that scammed us.
Difficult number portability, a lack of ubiquitous capability to cost
effectively deal with a phone DoS, their lack of knowledge about various
telecommunications laws (what with search engines not being what they are
today) and most importantly the fact that they were almost universally
uninterested in engaging law enforcement (what with the scamming or fraud) it
was a pretty effective way to get bad people to stop being bad. But it was a
long time ago and I wouldn't do it again given the chance. I was really young,
it was definitely an ethically gray area and we were breaking at least one
law.

I also came to understand over time that the reason we kept having run ins
with scammers was because we were running a shady ISP/hosting and
telemarketing business that had a significant portion of customers who were
scamming their own customers. If it always smells like shit there might be
some on your shoe. It was an important lesson and now I pay a lot more
attention to how my employer gets money and who they get it from.

On a lighter note we won tickets a couple times calling radio stations. We
felt pretty bad about cheating like that so we never did it again but it was
pretty effective as long as you had a couple butts in seats to deal with the
"sorry you're not the 9th caller" pickups.

------
teknologist
It's rather funny that all it takes to defeat UAC in Windows is for a complete
stranger with a foreign accent to call you up and tell you in broken English
to "push the 'Yes' button on that popup called 'Run as Administrator'".

~~~
kalleboo
In Japan they have problems with scammers calling up pensioners claiming to be
their sons in a bind, and directing them to go to an ATM and set up a wire
transfer to drain their savings. One solution was to install cell jammers
inside of the ATMs. [https://www.engadget.com/2008/12/10/japan-installs-cellphone...](https://www.engadget.com/2008/12/10/japan-installs-cellphone-jammers-near-atms-to-prevent-fraud/)

Time to put cell jammers inside of PCs that get activated with UAC is up?

~~~
pavel_lishin
The problem exists in America as well; my elderly father was hit by it.
Luckily my mom overheard his end of the conversation and put a stop to it.
(Turns out, the scammer is very good at crying, but not very good at proving
their alleged identity by knowing my mother's name. Hurray impromptu
two-factor authentication!)

But I believe that it's illegal to operate cell phone jammers, unless you're
the government. And for good reason; it's wonderful that you prevent someone
from being scammed, but if I'm attacked by a mugger near an ATM, I'd rather
like to call 911.

~~~
kalleboo
The initiatives in Japan were in cooperation with the police, so I'm sure it's
not impossible for them to get the proper permits. And many Japanese ATMs
already have a "panic button", I'm sure the ones in question would too.
Mugging isn't a huge crime here so I guess that's more of a problem
implementing it in the US....

------
eridius
What happens once someone sends you a fake report in order to trick you into
harassing a real person with fake calls?

~~~
daeken
I'd hope that he gives the number one call to validate that it is, in fact, a
scammer before putting it on blast. If he does, I really have no problem with
this approach (and have considered it myself, frankly); if he doesn't, then
this is just downright irresponsible. But I'd hope no one would be stupid
enough to just trust random data from internet users, in this regard ...

~~~
viraptor
You could wait for multiple verifications. For example wait until 3 reports of
the same number from different IP blocks. It needs Tor and public VPNs
filtering, but that should be enough for most cases.
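
An added example, not part of viraptor's comment or of the project under discussion: one way to express the "3 reports from different IP blocks" rule, treating /24 (IPv4) and /48 (IPv6) as a block. The anonymizer list, the block sizes and all sample reports are constructed assumptions (documentation address ranges and 555-01xx numbers), and a number that passes is only queued for a human check.

```python
import ipaddress
from collections import defaultdict

# Hypothetical stand-in for a maintained Tor-exit / public-VPN range list.
# 203.0.113.0/24 is an RFC 5737 documentation range, used here as sample data.
ANONYMIZER_NETS = [ipaddress.ip_network("203.0.113.0/24")]
QUORUM = 3  # the "3 reports" threshold from the comment above


def source_block(ip_text):
    """Collapse an address to its surrounding block: /24 for IPv4, /48 for IPv6."""
    ip = ipaddress.ip_address(ip_text)
    prefix = 24 if ip.version == 4 else 48
    return ipaddress.ip_network(f"{ip}/{prefix}", strict=False)


def is_anonymizer(ip_text):
    """True when the reporter's address falls inside a listed anonymizer range."""
    ip = ipaddress.ip_address(ip_text)
    return any(ip.version == net.version and ip in net for net in ANONYMIZER_NETS)


def normalize_number(raw):
    """Keep digits only so '(202) 555-0188' and '202.555.0188' count as one number."""
    return "".join(ch for ch in raw if ch.isdigit())


def numbers_ready_for_review(reports, quorum=QUORUM):
    """Return numbers reported from at least `quorum` distinct non-anonymizer blocks.

    `reports` is an iterable of (reported_number, reporter_ip) pairs. Several
    reports from one block count once; malformed addresses are discarded.
    """
    blocks_seen = defaultdict(set)
    for raw_number, ip_text in reports:
        try:
            if is_anonymizer(ip_text):
                continue
            block = source_block(ip_text)
        except ValueError:
            continue  # not a parseable IP address
        blocks_seen[normalize_number(raw_number)].add(block)
    return sorted(n for n, seen in blocks_seen.items() if len(seen) >= quorum)


# Constructed sample reports (RFC 5737 / RFC 3849 addresses, fictional numbers).
SAMPLE_REPORTS = [
    # Three different blocks, three spellings of one number: reaches quorum.
    ("(202) 555-0188", "192.0.2.10"),
    ("202-555-0188", "198.51.100.5"),
    ("202.555.0188", "2001:db8:1::1"),
    # Three reports but only two blocks (two share 192.0.2.0/24): held back.
    ("202-555-0143", "192.0.2.10"),
    ("202-555-0143", "192.0.2.77"),
    ("202-555-0143", "198.51.100.5"),
    # Mostly anonymizer traffic plus one bad address: held back.
    ("202-555-0199", "203.0.113.4"),
    ("202-555-0199", "203.0.113.9"),
    ("202-555-0199", "203.0.113.200"),
    ("202-555-0199", "192.0.2.1"),
    ("202-555-0199", "not-an-ip"),
]

if __name__ == "__main__":
    for number in numbers_ready_for_review(SAMPLE_REPORTS):
        print("queue for manual confirmation:", number)
```

Counting distinct blocks raises the cost of a false report but does not stop a reporter who controls addresses in many unrelated blocks, so the result feeds a manual check and is not a verdict.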

~~~
iopq
What about someone using one of the hundreds of thousands of proxies to submit
reports? IPs are easy to get.

~~~
nommm-nommm
Easy, use a handful of pre-vetted volunteers, not anonymous IPs. Like all the
internet communities that require some form of vetting by mods before a user
can do some action.

------
dandare
This post could be greatly improved by clearly stating what is the Windows
Support scam. I read half the page and I am still not sure.

~~~
chrisan
You get called by these people where they tell you that you have a virus on
your computer and they are going to help you fix it.

[http://www.makeuseof.com/tag/anatomy-scam-windows-tech-suppo...](http://www.makeuseof.com/tag/anatomy-scam-windows-tech-support-con-examined/)

~~~
nashashmi
I came across one of these a couple of weeks ago. I knew immediately it was
a scam because the guy had an Indian accent. I played along just to see what
he would do.

He directed me to site support95 .com. Apparently, there is a similar site
called support18 .com. From there he told me to download an exe file. That was
where I stopped. I did not know what would further happen.

If anyone wants to try it: Call 18005589204. Tell him you got a voicemail of
someone from Microsoft saying something about license expired. I would love to
know what ultimately happens.

------
verroq
What about the scammers that just cold call and don't have an inbound number?

~~~
cyberferret
Most of the ones that I have heard of here in Australia don't provide a number
- they just call you direct and say that they are reacting to a 'virus log' on
their system, apparently.

I have had several family members and colleagues being called by them over the
years - some multiple times, but so far I've never received a call from them. I
actually can't wait for one of them to call me. My intent is to string them
along on the phone for as long as I can with the reasoning that every minute
he is wasting with me is a minute that he can't scam an unsuspecting person...

~~~
acbabis
My wife does this. One time a support scammer called trying to get her to
install malware. It went something like this:

"Ok. Please press the Windows key"

"Ok (long pause)"

"Did you press it?"

"Yes"

"What happened?"

"Nothing happened"

"Try again."

"Ok... Nothing. Does it matter that I don't have a windows?"

"Oh you have Mac?"

"No, I have Ubuntu"

"Ok, what version?"

"I don't know!? You're the computer person. Why don't you know?!"

The best part is that she was sitting on the couch the whole time.

~~~
cyberferret
That's exactly the sort of thing I want to do with them. I have another
colleague who managed to string a guy along for nearly half an hour. Always
managing to convince him that he was a noob struggling to get around. He said
you've got to give those guys 10/10 for patience. Just imagine if they had
_real_ support jobs - they could probably do well at it.

~~~
brianwawok
Maybe they quit their Dell support job for this for the better pay?

------
bediger4000
What percentage of people doing this (or the "This is Lenny!" thing) would it
take to make the scam unprofitable? Is there any work on that topic, like
"what percentage of honeypots makes scammers quit"?

I don't get many "Windows Support" scam calls, the two I have gotten I was
unable to play them for long, as I am a poor Linux user, not Windows
knowledgeable at all, but I generally keep the "Card Services" people on the
line for a few minutes.

~~~
TheCowboy
A small percentage could hurt their profits a lot, but it's not like they are
without counters to this. They could slap on a max length at which point they
know they're wasting their time, and also start to blacklist numbers that
waste their time. They could use audio recognition to avoid known automated
honeytraps, but even humans would adapt after enough calls.

I still think it would be difficult to even reach that target %. As much as I
would like to waste their time, I'm strapped for time myself. There would need
to be a way to receive a call on your phone and send it to the honeytrap in
two 'clicks', where it plays scripted responses in the background.

If we reached that magic percentage, I think they could have a counter. They
could discourage this by using targeted harassment. Someone screws with them,
they send a mass of random calls over the course of a day.

~~~
bediger4000
After a few years of monkeying with the "Cardholder Services" calls, I'm
convinced there's two layers of crooks involved. The first layer is the
autodialers, they just run through series of phone numbers, and play a
recording. I'm pretty sure these bastards don't screen numbers, because I can
at least get through to the (Indian) boiler room almost 100% of calls.

I think the boiler rooms are actually separate organizations/crime clans. The
boiler rooms do screen, but not universally. After years of being "Edward
Snowden" and giving out fake card numbers that pass the Luhn checksum, only
maybe 25% of the boiler rooms cut me off. A few days ago, the "service rep"
had a bad headset and I could hear a recorded voice telling him to hang up,
which he did.

Even Trump's FCC would have to deal with targeted harassment. That's the kind
of crap that nobody puts up with. Besides that, harassment calls probably ruin
the NSA's data retention practices, so that just can't happen.

------
rdl
Seems like it would be better to go through with the calls and destroy them at
the payments gateway/payments provider level, same as was done with online
pharma spam.

[https://www.usenix.org/conference/usenixsecurity12/technical...](https://www.usenix.org/conference/usenixsecurity12/technical-sessions/presentation/mccoy)

~~~
daeken
In my experience with counter-scamming, these guys generally don't actually
use any kind of payment processor -- they ask people to go get gift cards and
tell them the numbers. It's a clever way of going about it, which essentially
guarantees that they can't be shut down directly. The only way to beat them is
to waste so much of their time that it's no longer profitable.

~~~
a_t48
That or install ransomware on your pc.

------
ryandamm
I don't think this is going to DDoS the scammers by calling them back; I think
the point is you just transfer the inbound call to his bot -- the success rate
on these things is so low, if he's got good enough penetration the false
positives will overwhelm the true positives.

I think, anyway. Spent five minutes reading the post and other parts of the
blog, and dimly recall seeing something from this project posted previously.
Happy to be proven wrong.

~~~
rconti
"As fast as you can report fake “you have a virus call this number now”
messages to me, I will be able to hit them with thousands of calls from bots.
It’s like when the pirate ship turns “broadside” on an enemy in order to
attack with all cannons simultaneously."

But it's late, and I'm too tired to read the rest of his blog posts.

------
problems
I'm assuming you're using a VoIP provider to do this - just be careful, they
might have rules against this. Definitely don't do it on an account you have a
personal number you value or something.

That said, I fire attacks at script kiddies in the clear from big server
providers including DigitalOcean and OVH, so I suppose as long as the attackee
can't really complain legally, you might be okay.

------
Animats
There's an inbound version of this? I've gotten calls from the outbound
version, but those I hang up on in the first four seconds.

~~~
viraptor
Turn off the adblocker and go to some popular TV streaming sites. You'll find
a few of them.

~~~
Animats
Right. I have so much ad-blocking that I never see this crap.

------
sundvor
~~ Yes. Yes. Hello? Sorry, you're going to have to start again. Yes? Go on.
Ahum. ~~

Absolutely love this guy. Can't say it enough.

------
athenot
The problem is that scammers can fake the CallerID. Yes it's illegal but they
are already engaging in dubious activities.

So this bot would just dial back at innocent victims whose numbers were
unknowingly used by the scammers.

------
m00dy
I found this on SoundCloud. [https://soundcloud.com/user-486592840/scam-recording](https://soundcloud.com/user-486592840/scam-recording)

------
zamalek
I wonder if a sprinkling of ML could be used here.

~~~
frozenport
Nah, I think AI would be a more suitable candidate.

~~~
rhaps0dy
Standard ML is probably a safe bet.

~~~
frozenport
Are you sure the client's needs would not have been better met with over
fitting? I heard it has superb performance!

------
JacenRKohler
I look forward to hearing more in the future.

------
jlebrech
You could add voice recognition to cue up responses and also launch a VM for
them to take control of.

------
jlebrech
This is generic to hassle any kind of call centre: PPI claims, accident claims
etc.

