Hacker News new | comments | show | ask | jobs | submit login
I am going to eradicate the inbound Windows Support scam (jollyrogertelephone.com)
331 points by hourislate 229 days ago | hide | past | web | 151 comments | favorite

A good start, but needs a lot of work. If it's targeting a Windows Support scam, why not tailor the audio to that? Mention one of various viruses. If the "tech" asks you to do something, say your Windows just bluescreened and have them wait 30 seconds while it reboots, all the while saying "hang on, it's almost there", "this thing's been really slow lately", etc. and then play the Windows startup sound. Pretend to have typed your password incorrectly a few times. Occasionally ignore whatever they say and start telling them you're running this program your nephew told you about.

And so on. If you call them yourself and actually follow their instructions, installing something from some site into an isolated, disposable VM and then running it, you can record what happens and then build that into a better script. Trigger these instructions by asking them what they can do to fix your computer, and time their response. Bonus points if you can detect them saying "http" which kicks off that part of the script.

When Dell was breeched a few years back my details made their way to India. I get a call from them about once a month. I've learned the script and various vectors they try to get the software onto my computer.

The longest I've had them on the phone is 20 minutes. He's one of my favourite recordings though


It's funny, someone pointed me at this thread because I sort of sound similar to the OP's site.

20 min is pretty good. I will usually get called while away from my computer. I try to see how long I can go from memory of windows (been using Mac for 8 years). Once they pass me to their manager I know they've caught on I'm fucking with them. The second guy is clearly more technical/experienced and starts trying to determine as fast as possible if I'm legit. My "computer" will slow down at that point, then, I ask stuff like "can you guys fix this as well?"

I love it when the person yells at me for wasting their time.

I'm on mac too with a win7 vm, I hit upon the idea of tagging them along as far as I could when they asked me to press the windows key and I'm looking at a mac keyboard.

The different shops that have called me all follow a similar set of attacks

1) windows key 2) run command to msconfig 3) browser to download payload.

I had a 'supervisor' on the line once and when they asked me to connect to the internet I'm pretty sure I heard them curse at me with incredulity as I played the 56K dialup sound.

I once got them down a conversation cul-de-sac when I asked them which they preferred - Minesweeper or Solitaire.

>> I'm pretty sure I heard them curse at me with incredulity as I played the 56K dialup sound.

That is some comedy GOLD right there.


Yeah they always use the prompt to get to the admin panel with the list of errors and logs to prove there's an issue. I always act nervous. "There's a lot, Is it that bad?", and they respond with "don't worry sir, we're going to get it fixed for you".

I usually tell them its a hyper key...

Oh do you have that recording. Awesome

I lost them cursing at me and I don't have the Solitaire v. Minesweeper discussion recorded but here's something similar at 11 minutes https://soundcloud.com/radiorental1/dell-support

Hah, this was great, listened to the whole thing. You had some nice tricks up your sleeve, laughed out loud a couple of times. Thanks! Love the response you got at the end...

I've only played along once, when the guy called while I was cooking lunch, but yes, after 15 minutes or so the "manager" came on and cursed me out very vehemently. I told him he should be ashamed for scamming people.

Omg, hilarious, I laughed the entire way through. Your creativity was/is genius. I love the animal sounds in the background. Were they real?

Edit: you said in another post further down it was a recording.

The plot twist at 8:10 had me doubled over laughing.

I had one call at home that I kept on for over 30 minutes, just coming back every 5 minutes or so and saying, "hold on, I'm just doing something, I'll be right with you", "sorry, just need to do this, I'm really sorry about the wait", etc, etc.

I did put some music on in the background so they might have enjoyed that.

You just made my commute way better.

I lost it at the end when you played the modem sound.

Also asking how to spell romeo was hilarious.

I just lost it when he asks you to connect to the internet. Great call!

I was losing it with the farm animals in the background. So funny.

That was fantastic, thank you for the morning laugh :-)

Is that a goat around 1:45? : D

Yeah... I was play 10hours of farm noises in the background.

I've had this plan for a while to get to the point where a 'generator' fails and I get to play the most awesome sound of someone firing up an old helicopter (i.e. restarting the 'generator'

It didn't get that far on that call. My thinking is that I was on a farm and one of the goats would chew through a power line.

For the next call I'm going to be on a construction site. I really want to play that helicopter noise...



If the "tech" asks you to do something, say your Windows just bluescreened

My brother did something like this once. Every time the guy told him to do something he just said it was reeeeeeallllyyyy slow. He also started with "hang on, I have to turn it on, its a bit slow starting...". He kept the guy on the phone for about 30 minutes before telling him he had a mac :-P

the 4th one has mention of "these viruses on my computer"

This is brilliant. Can't say whether it would work, but if you listen to the pre-recorded calls he's using to tie up the operators, they're ingenius in a comical way.

The second one features this woman who starts arguing with her teenage daughter in the background at length, then says to the guy "Oh my god I'm so distracted, I didn't hear anything you said, I'm really sorry, you're going to have to repeat all that."

What a brilliant strategy to tie them up.

This will absolutely work. Or at least should work based on a study by Microsoft researchers stating that the business model is very fragile.


Young female voices. Flustered and looking for help. Apparantly no males in the area, certainly no male voices in earshot. These recordings tap into some base instincts within the mostly male scammers. I suspect that a recording of my voice wouldnt keep them on the line nearly as long.

But for these scammers i'd go with something more targeted: old people. Thier prefered prey is flustered old people who dont understand computers. Give them an old woman with bad hearing who mumbles about her internet not working. Then toss in a few "do you take visa" and some random numbers. That will keep them on the hook.

I called one of these things back after a few beers one night, and before I could get connected to an "operator" I had to go to a web site and get a support code, which I had to dial into their answering system. Seems like that would thwart this robo-dialing scheme, at least to some extent.

Was it captcha'd? Probably wouldn't be hard to adapt to and as long as you're quick enough to adapt. Cat and mouse will end up costing them more and more as they reduce conversions and change business processes until ultimately they'll have to give up.

I'm Indian myself and it concerns me that so many of these scams emerge from what appears to be India (based on the Indian accents).

Does anyone know if any scammers have ever been "brought to justice" in India. Ever?

Seems like something that should be a high priority for the Indian Govt. if they want to help with India's image abroad, especially with the tech sector.

I correspond with someone from India that is heavily into marketing this stuff (he does legitimate things as well, and is one of the most knowledgable paid Facebook advertising specialists on earth, which is how I came to know him). He has been pushing it for years and the Indian government has never come close to bothering either him or the people that actually own the services that pay him for each phone call his advertising generates.

It's not just the Indian government that is lackadaisical about this either. He is able to run ads for tech these support scams through Facebook and get ROI above 500%. Facebook eventually stops his ads, then he buys another ad account. In fact, he claims a single aged Facebook account is worth roughly $10,000 to him (aged accounts have an easier time getting ads through). He spends well into the six figures each year on these types of ads through Facebook alone. Ad platforms share some of the blame for the proliferation of these scams because they simply do not police their platforms well - the tactics he uses to get these ads through their review process are truly elementary but are good enough to foil a company full of PhD's. Clearly they aren't trying very hard.

> the tactics he uses to get these ads through their review process are truly elementary but are good enough to foil a company full of PhD's

I'm reminded of the Upton Sinclair quote, It is difficult to get a man to understand something, when his salary depends upon his not understanding it!

Everything you just wrote is extremely interesting to me.

> he ... is one of the most knowledgable paid Facebook advertising specialists on earth, which is how I came to know him

> ...

> the tactics he uses to get these ads through their review process are truly elementary

I'm not a marketer or advertiser myself, but I'm always interested in learning more about these aspects of the Facebook "scene" just to better mentally map the state of things.

Sounds like a lot (if not most) of the things this person has learned are the kind that only keep working if you're quiet about them, but I'm still very curious to hear what could be shared.

Most rogue ads rely on "cloaking" which means showing an acceptable landing page to the ad network reviewers, while showing the bad landing page to everyone else. The LP's are cloaked for all visitors before they are approved and go live, since only the ad network would know the URL. The IP blocks that access these URL's during this time are recorded and permanently cloaked. Most cloakers also cloak all known data center and commercial IP blocks. Facebook sometimes checks LP's from residential and mobile IPs, and often that is how they catch rogue ads, but this isn't often done. Rogue advertisers also setup honeypot URL's, for example by sharing them on closed Facebook groups and adding any IP block that accesses them to the cloaking list.

Cloaking isn't perfect, but for those marketers with enough IP data, it is effective enough to make these kinds of campaigns enormously profitable and the occasional loss of accounts only a minor inconvenience.

That seems quite easy to catch. Couldn't facebook just use phones that have their app installed for this? That should of course be opt-in. I can't see any privacy problems with that and if distributed (maybe weighted by app usage) across all users, the bandiwidth usage should also be completeley negligible.

They could. They don't.

(though to be fair it's completely legitimate to have landing pages that change their text based on the user's location, referrer, etc., so that wouldn't be a silver bullet).

I've never heard of this, and yet I've read a number of think-pieces that have been on the front page lambasting the ad networks for letting sketchy ads through. If this is only the trivial end of hiding from the network's policing strategies, it seems like they're a lot less culpable than I thought. Do you have links to more information on the other tactics?

You can Google "PPC cloaking" and get quite a few interesting results. There are also professional cloaking services that maintain large IP datasets. The two most popular of those are called Just Cloak It [1], and, ironically, FraudBuster [2]. Also if you're looking in general for information on this and other black/grey hat marketing techniques, Black Hat World [3] is a great place to start.

[1] http://justcloakit.com/

[2] http://fraudbuster.im

[3] http://blackhatworld.com

Come on, we're talking about Facebook? They could easily "sample" the actual ads that are displaying for users on their computers, and compare them to the ones that were approved.

Wow. That was a bit of an education. Thanks for the information.

Where did you learn about this kind of stuff? I'd be interested in a larger writeup.

I'd start at http://blackhatworld.com . There is alot of crap there, but also a world of valuable knowledge of this and other internet marketing techniques.

I'd be weary of this person you are describing, depending how you got to know him. It reminds me a bit of certain poker coaches back in the day. You basically only have his word. I'd assume the 10k figure that accounts are worth and the 500% are vastly exaggerated. If it works so well, why is he sharing this with you? Let me guess, because he enjoys mentoring and is tired of doing the same profitable things over and over? He's probably charging a fee for these invaluable services?

We share technical and strategic internet marketing information/software, and info about what is and isn't currently working marketing-wise. The stuff about the specific campaigns he's running came up only after more than a year of such exchanges. Also he isn't giving me his landing pages, his advertiser contact info, etc., and he knows I'd never touch something as legally questionable as a tech support scam anyway. But of course at some point when talking to others, after long enough, you talk about what you are working on. I've never paid or been asked for a dime.

So your assumptions are incorrect.

They could most certainly be exaggerations in his case but the claims aren't that bad for experienced marketers. 500% ROI is a bit high for me but I wouldn't bat an eye if he had said half that.

People share stuff in the internet marketing industry/this niche, just like other industries. It's how things work.

My gut instinct is to have government hold these advertising platforms accountable for fighting this more effectively but I know that's a total mess waiting to happen because how do you measure the effectiveness of mitigation? I guess one option would be allowing merchants to recoup charge backs from the ad platforms but connecting the charge backs with the individual ads probably wouldn't be cost effective at all.

Maybe some of the active "Fake News" filtering will also (intentionally or incidentally) reduce these incidents? Would be nice.

The Indian government busted an IRS scam ring in India last October. Seventy people were arrested.[1]

It's a variation on the theme. They call Americans and impersonate the IRS, demanding payment of some imaginary taxes owed. A remarkable number of people have been gulled.

1. http://www.usnews.com/news/articles/2016-10-06/70-arrested-a...

I stopped getting calls after that! I was humored that they often called it 'IRS' rather than 'the IRS'.

> Seems like something that should be a high priority for the Indian Govt. if they want to help with India's image abroad, especially with the tech sector.

For sure. There is a similar scam where "Microsoft Tech Support" calls people who they have detected have a virus on their computers. They have called me many times and I always play along to try and waste their time as much as possible. I know it equally wastes my time, but it is for the greater good! Then when they figure out they get angry at me and yell obscenities. :)

Next time just forward them to Lenny so you don't have to waste your own time (see the sidebar at https://reddit.com/r/itslenny ) The best calls end up on YouTube https://www.youtube.com/user/ToaoDotNet/videos?view=0&sort=p...

A lot of the major corporations have tech support based in India, so this makes these scammers even more credible.

> "brought to justice" in India.

Good luck with that.

Why do you say that?

If you've been to India, you'd see it's much closer to anarchy than the US. There's almost no respect for the law. Car drivers don't even pull over to the side of a road to let cop cars with flashing lights go by. At train stations people sell fake tickets from scam booths, and can do so for months or years because they bribe the police or are ignored.

Please don't take my word for it, research but yourself, crime is rife and in your face. Even crime of a sexual nature. Turn the corner from gleaming skyscrapers and there is poverty, real people washing clothes and cooking utensils in sewage. Huge tech centres for the big outsourcing companies are literally across the road from slums.

100% true.

Well according to this other article that was on the front page of HN, it can take a decade or more to bring a case to court in India http://www.economist.com/news/books-and-arts/21716019-pencha...

I remember reading this a few months ago: http://www.ndtv.com/india-news/fake-call-centre-scam-masterm...

I had assumed they used people with an Indian accent because that is what people expect to hear when they call tech support at this point. I wouldn't be surprised if it increases someones level of trust. Do we know these schemes are originating from India.

Reminds me of Lenny, the bot that tricks telemarketers:


Lenny is a best-of-breed incoming telemarketer baiting system. It simulates a kindly but slightly addled old man--the perfect target for scammers--and through a simple Asterix system that waits for a pause, then plays a random response, can fool the telemarketer into repeating themselves over and over.

It's remarkably effective at wasting telemarketers' time. I once received a tech support scam call and I managed to conference in Lenny right at the start. The call lasted 40 minutes; they kept shuffling Lenny around to different people so it took forever for them to realize it was looping.

Now whenever I get a telemarketer call on my cell--illegal in the U.S., but no one seems able to do anything about VoIP calls from India--I rush to conference in Lenny and hope it "takes". Sometimes they stay on the phone but usually they disconnect. Lenny's starting to become famous!

The next phase in this war is speech recognition. If the answer bot can pull out a key word like "Windows" or "virus" and repeat it back to the telemarketer ("Virus? I have a virus? Oh, what do I do?"), it is highly likely to pass the Turing test and waste an extra ten minutes of the poor scammer's time.

I've only recently heard of Lenny (late to the party), but think some of the videos I've heard are hilarious.

I know "he's" been around for a while, and runs on a purely manual random delay system, but I wonder if Lenny could be updated with modern technology, to do a bit of rudimentary voice recognition for better interaction with the scam caller?

I know that his existing script is very cleverly generic and timed to work in with most telemarketing scripts, but I think if it was improved just a bit more, we could end up with quite a convincing respondee that would burn up more scammer time, and hopefully make a small dent in the enthusiasm of these con artists...

I believe it (or some other bot) detects silence on the other end of the line to trigger playing samples.

So it can insert "u-huh" whenever the salesman is done talking.

from what I've read, it is meant to wait for a pause (It uses Asterisk, which in turn has some basic detection for pauses and the such, which the script uses)

Is that the one with the ducks? I'm pretty sure there's a more recent version too, where the guy gets accused of being a robot?

They all have Ducks. That's the end of the script, then it goes around and starts again.

Yes, there was one when the caller realised that he is a recording.

An alternative I thought of the other day while watching one of the hundreds of YouTube videos of this was to simply batch-dial thousands of numbers all at once then randomly route them to each other. For bonus points, record everything and make it available live.

The next level up would be a trusted-user system where you could go to a website, hit a button and immediately be connected with an actual scammer; or you could listen in on other people currently in calls and suggest things they should do next. And maybe there could be a pool of VMs available to play with...

Regardless of technique - fake recordings or various types of routing - I would advise making friends with all the high-level VoIP gateways. That way you won't have any problems batch-establishing hundreds of calls at once (for example if you know all the numbers for a call center and you know what time the, er, staff get in), getting a new number block, or even getting general caller ID override (which I understand is sometimes unavailable?).

My thinking here is that if you can win over a bunch of providers (with money and inspiration/sentiment), you could VoIP-DDoS the gateway providers the scammers are using. Would tie up the scammers' time moving to a new VoIP provider.

This. Great idea. I love the idea of being able to be connected to an actual scammer via website and have a little pop-up window with others suggesting fun things to do to the scammer. The recordings can then be made into loops to autodial them.

While this seems satisfying, it would be more effective to figure out how these companies are still able to access the credit card networks and block the shit out of them. I used to work at one of the smaller international CC processors, and we specifically rejected merchants offering "remote technical support" (i.e., THIS EXACT SCAM) and the entire rest of the 5967 MCC (inbound teleservices).

I recall reading that the "fake IRS" crew had started working around this by telling people to buy iTunes gift cards, but it would be a start.

A word of warning for the author: phone numbers can be easily spoofed (like you can spoof the sender email address or the originating IP in a UDP packet). What's more, many scam calls do use spoofed phone numbers. Thus the number you might be flooding may not be the originating caller. This could turn your utility into something far more malicious than was originally intended.

I think this is aimed at viruses/scam popups etc that say "You have a virus! Call Windows support at this number now!"

In that case we can be pretty sure the number is correct.

Ahh I missed that part. Appologies.

Yes, but also get the ball rolling to also improve this system in the world. Companies do not care that systems are vurnable until it really affects them. Just look at the botnets from vilnerable IoT devices waking up parties so they start to protect them. Same with phones and their support periods...

Blackhats don't tend to publish their work in a way that is traceable back to their person. If this system gets abused then the OP becomes liable. This was why I raised my warning to the author specifically - albeit I couldn't have made my point about the legal consequences of abuse clearer in my previous post.

Were a lot of those insecure IoT companies attacked by those botnets? If not, I still don't think much will change.

This is not for incoming calls, it's for outgoing calls.

I made an email equivalent of this:


The problem is when people send you numbers or emails of legitimate people, because now you're basically DDoSing their phone number for free. How is this service planning to vet these numbers?

You seem to have some loop there with the real Uber support? https://spa.mnesty.com/conversations/bmazjsnh/

And in one case the spammer was aware of your site! https://spa.mnesty.com/conversations/gywanvsb/

Maybe you can hide from Google with the appropiate robots.txt so the last one doesn't happen.

Thanks for that, I've deleted the first one. I have safeguards in place to prevent legitimate senders from being hassled, but I have to add them first.

That second one is hilarious, though :P

"She is a Monkey climbing trees "


In this case, you just need a human to call them up once to verify.

Alhough I shouldn't derive my enjoyment from others' suffering, I do on this capture. https://www.youtube.com/watch?v=Du6acZ-PZQ8

The long and short of it, the Indian scammer ends up setting a SysKey password and a bios password on his machine. He's using his bosses' machine, and it appears to be the domain controller.

The scammer ends up crying and screaming at the guy and out of terror and rage, ends up hanging up.

Normally, I would be like "I feel bad for this guy". Nope not at all. Bloody scammer got what he deserved - a taste of his own medicine.

My bullshit detector is bothering me.

- Scammer volunteers the information that he's "using his supervisor's computer". This increases the emotional satisfaction of watching the video but seems unmotivated.

- Scammer sounds like he's suppressing laughter at one point.

- Scammer follows the guy's instructions in the first place and continues doing so.

- Some of his lines seem to have an oddly flat affect, as if he were doing bad acting.

- Scammer doesn't actually have an Indian accent, is pretty clearly just pretending. They try to fake the grammar stuff but can't pull off the subtle mispronunciations.

This is incredibly fake. The end REALLY drives it home.

Maybe in the US it is not considered racist to mock an Indian accent but elsewhere it is.

I agree. The mocking because of being Indian is not cool. But harming scammers; I have a hard time not deriving enjoyment out of that.

It's probably wrong.. But these people are extra-legal. The US can't touch them. The Indian government doesn't care... and they bring in US money to their country along with tax revenue.

It is great to see this problem highlighted but herein we have found a line that some people find hard to walk. Real shame this person [whose voice is in the video] has created such a distraction.

True that. And that dead (and removed) comment was by "Asooka".. Seems like a slur to Maurya Ashoka. Some times, things like that will also catch me.. was just wrong, but couldn't put my finger on it until now.

This is neat, but at the end of the day, only user education will eradicate scams. As long as there are people willing to call strangers and give them access to their computers or buy iTunes gift cards for them, there will be scammers ready to be those strangers. Somehow people learn to not get into strangers' cars. They need to also learn to not trust uninvited solicitations, especially coming from the internet.

Please have someone manually call reported numbers once to confirm it's actually a scam so this can't be exploited.

This reminds me of stuff we used to do with 96 line dialers way back in the day. It was a pretty solid tactic for dealing with anyone that scammed us. Difficult number portability, a lack of ubiquitous capability to cost effectively deal with a phone DoS, their lack of knowledge about various telecommunications laws (what with search engines not being what they are today) and most importantly the fact that they were almost universally uninterested in engaging law enforcement (what with the scamming or fraud) it was a pretty effective way to get bad people to stop being bad. But it was a long time ago and I wouldn't do it again given the chance. I was really young, it was definitely an ethically gray area and we were breaking at least one law.

I also came to understand over time that the reason we kept having run ins with scammers was because we were running a shady ISP/hosting and telemarketing business that had a significant portion of customers who were scamming their own customers. If it always smells like shit there might be some on your shoe. It was an important lesson and now I pay a lot more attention to how my employer gets money and who they get it from.

On a lighter note we won tickets a couple times calling radio stations. We felt pretty bad about cheating like that so we never did it again but it was pretty effective as long as you had a couple butts in seats to deal with the "sorry you're not the 9th caller" pickups.

It's rather funny that all it takes to defeat UAC in Windows is for a complete stranger with a foreign accent to call you up and tell you in broken English to "push the 'Yes' button on that popup called 'Run as Administrator'".

In Japan they have problems with scammers calling up pensioners claiming to be their sons in a bind, and directing them to go to an ATM and set up a wire transfer to drain their savings. One solution was to install cell jammers inside of the ATMs. https://www.engadget.com/2008/12/10/japan-installs-cellphone...

Time to put cell jammers inside of PCs that get activated with UAC is up?

The problem exists in America as well; my elderly father was hit by it. Luckily my mom overheard his end of the conversation and put a stop to it. (Turns out, the scammer is very good at crying, but not very good at proving their alleged identity by knowing my mother's name. Hurray impromptu two-factor authentication!)

But I believe that it's illegal to operate cell phone jammers, unless you're the government. And for good reason; it's wonderful that you prevent someone from being scammed, but if I'm attacked by a mugger near an ATM, I'd rather like to call 911.

The initiatives in Japan were in cooperation with the police, so I'm sure it's not impossible for them to get the proper permits. And many Japanese ATMs already have a "panic button", I'm sure the ones in question would too. Mugging isn't a huge crime here so I guess that's more of a problem implementing it in the US....

It's rather funny that all it takes to bring back preventable diseases is for a complete stranger with an impressive title to call you up and and tell you in intelligent English to "not vaccinate your kids because vaccines cause autism".

I don't think the problem has a solution, sadly.

What solution do you propose that doesn't interfere with normal operation of the computer? Its a very difficult question.

Locked down by default with an option for advanced users to jailbreak seems to be the in thing on handheld devices. This is something not easily done over the phone as there are extra dependencies (namely having another device with a debug SDK installed and a spare male-to-male cable).

What happens once someone sends you a fake report in order to trick you into harassing a real person with fake calls?

I'd hope that he gives the number one call to validate that it is, in fact, a scammer before putting it on blast. If he does, I really have no problem with this approach (and have considered it myself, frankly); if he doesn't, then this is just downright irresponsible. But I'd hope no one would be stupid enough to just trust random data from internet users, in this regard ...

You could wait for multiple verifications. For example wait until 3 reports of the same number from different IP blocks. It needs Tor and public VPNs filtering, but that should be enough for most cases.

What about someone using one of the hundreds of thousands of proxies to submit reports? IPs are easy to get.

Easy, use a handful of pre-vetted volunteers, not anonymous IPs. Like all the internet communities that require some form of vetting by mods before a user can do some action.

This post could be greatly improved by clearly stating what is the Windows Support scam. I read half the page and I am still not sure.

You get a phone call with a pre-recorded message "Hi, this is Microsoft calling, we have received notification you have a virus on your computer, please call 888-888-8888 for assistance removing it."

You call and they either charge you for "support," when they instruct you to delete some files from your event log or something benign or they direct you to install a program that gives them remote access to your computer so they call install malware or ransomware or steal all your files.

After the Dell breach they got even more convincing "This message is for John Doe, this is Dell, we are calling in regards to your Dell Inspiration 1234 with serial number XXXXXXXX."


Sometimes it's a person on the other end instead of a recording but I can't imagine a cold call that requires computer access would be very effective because how many people are going to be sitting in front of their computer at that time? They will almost always instruct you to call back.

An very old pre-internet scam is "you've won a free vacation call 888-888-8888 to claim it." When you call they ask you to pay taxes on your vacation then they run away with the money you paid in "taxes."

You get called by these people where they tell you that you have a virus on your computer and they are going to help you fix it.


I came across one of these a couple of weeks ago. I knew it immediately it was a scam because the guy had an indian accent. I played along just to see what he would do.

He directed me to site support95 .com. Apparently, there is a similar site called support18 .com. From there he told me to download an exe file. That was where I stopped. I did not know what would further happen.

If anyone wants to try it: Call 18005589204. Tell him you got a voicemail of someone from Microsoft saying something about license expired. I would love to know what ultimately happens.

What about the scammers that just cold call and don't have an inbound number?

Most of the ones that I have heard of here in Australia don't provide a number - they just call you direct and say that they are reacting to a 'virus log' on their system, apparently.

I have had several family members and colleagues being called by them over the years - some multiple time, but so far I've never received a call from them. I actually can't wait for one of them to call me. My intent is to string them along on the phone for as long as I can with the reasoning that every minute he is wasting with me is a minute that he can't scam an unsuspecting person...

My wife does this. One time a support scammer called trying to get her to install malware. It went something like this:

"Ok. Please press the Windows key"

"Ok (long pause)"

"Did you press it?"


"What happened?"

"Nothing happened"

"Try again."

"Ok... Nothing. Does it matter that I don't have a windows?"

"Oh you have Mac?"

"No, I have Ubuntu"

"Ok, what version?"

"I don't know!? You're the computer person. Why don't you know?!"

The best part is that she was sitting on the couch the whole time.

That's exactly the sort of thing I want to do with them. I have another colleague who managed to string a guy along for nearly half an hour. Always managing to convince him that he was a noob struggling to get around. He said you've got to give those guys 10/10 for patience. Just imagine if they had real support jobs - they could probably do well at it.

Maybe they quit their Dell support job for this for the better pay?

I did something similar with a Mac, reporting faithfully the reactions of the machine to his instructions. Eventually, he caught on:

"Oh, so you're not running Windows?" "I never said I was. YOU called me and claimed I was running it!" "<Click>"

Oh, you're just getting started! I would so keep on playing dumb.

"Oh, so you're not running Windows?"

"I don't know?"

"Do you have a Mac?"

"I don't know, what's a Mac? I have a computer."

"Where did you buy your computer from? Apple?"

"Idk, my daughter gave it to me."

"What does it look like?"

"It has a TV screen, mouse, and keyboard?"


Do you have a landline? I've never got one on a mobile phone, but I used to be inundated with calls on my landline until I bought a Panasonic phone with a call block feature for up to 3000 numbers. (I had the same feature on an older phone, but I used up all 75 number memory slots with numbers I had to block from scammers & 'charities'.)

Some of the caller ID numbers are forged, but at least the one from +1 (234) 567 890 was obviously so.

If you've not seen it before, you might enjoy Troy Hunt's video stringing along one of the scammers:


Caller id on landline?

Yes, caller ID on a landline has been available for at least 20+ years, at least that's about when my parents first got it from what I remember. At first it was a couple dollars extra a month but it's standard now.

Also every office phone I've ever had has caller ID.

Yup, for a few dollars extra per month (or sometimes for free) Australian telcos will let you see the number of the incoming call. You'll need a handset with a caller ID display, but most modern handsets do.

So Telstra had a good one...

You know how all Telstra passwords used to be Bigpond1?

Well I changed back to Telstra a few years ago, and had a third party ring me trying to get me to switch over to some service. Anyway I had way too much time on my hands so I talked to her for ages, and asked them where they were and the weather and stuff but whenever they asked for some Id stuff I'd say that I don't give that over the phone to people who have called me, they have to give me some proof they're from the company.

Anyway she knew my address and my last months spend. So they had been spamming bigpond account logins with bigpond1 to get access to all the account verification details... then if you fell for it they wound switch your number over, they had some basic billing information so xould find your bank account, and then the endgame is drain your account.

Tried telling Telstra and the customer support guy couldn't have cared less; but I think the default is slightly more random now so might have closed it.

Imagine that. It affected a lot of people; I don't think there are all that many that cracked the problem. Telstra could be up for a lot of money if a few people who lost got together

Go to the privacy commissioner.

If you make up some reason that you have to call them back (and seem earnest about wanting their "help") they will (often) give you a number (although they may stop doing that if they get blasted enough)

What happens when you say "I'm not at my computer right now, can I call you back when I get home?"

Or ones that provide a fake number. Sounds like an easy way to DDoS a bank, charity, political, call center.

What kind of shoddy phone infrastructure allows "faking" the caller ID. There should be laws to fix this.

What kind of shoddy network infrastructure allows faking an IP? There should be laws against this.

Well, there's already a technical solution for that. You can drop packets which are coming from inside your network but which have ips which don't belong to your ranges. If there was a law that you need to have equipment capable of that and be using it that would be a step in the right direction.

Same for telcos. Make it mandatory and watch them scramble to fix their shitty infrastructure.

Instead of fining them money when they fail to implement the law's requirements make them have to cut everyone's subscription charges in half until they do follow the law to the letter or face the SWAT teams.

What percentage of people doing this (or the "This is Lenny!" thing) would it take to make the scam unprofitable? Is there any work on that topic, like "what percentage of honeypots makes scammers quit"?

I don't get many "Windows Support" scam calls, the two I have gotten I was unable to play them for long, as I am a poor Linux user, not Windows knowledgeable at all, but I generally keep the "Card Services" people on the line for a few minutes.

A small percentage could hurt their profits a lot, but it's not like they are without counters to this. They could slap on a max length at which point they know they're wasting their time, and also start to blacklist numbers that waste their time. They could use audio recognition to avoid known automated honeytraps, but even humans would adapt after enough calls.

I still think it would be difficult to even reach that target %. As much as I would like to waste their time, I'm strapped for time myself. There would need to be a way to receive a call on your phone and send it to the honeytrap in two 'clicks', where it plays scripted responses in the background.

If we reached that magic percentage, I think they could have a counter. They could discourage this by using targeted harassment. Someone screws with them, they send a mass of random calls over the course of a day.

After a few years of monkeying with the "Cardholder Services" calls, I'm convinced there's two layers of crooks involved. The first layer is the autodialers, they just run through series of phone numbers, and play a recording. I'm pretty sure these bastards don't screen numbers, because I can at least get through to the (Indian) boiler room almost 100% of calls.

I think the boiler rooms are actually seperate organizations/crime clans. The boiler rooms do screen, but not universally. After years of being "Edward Snowden" and giving out fake card numbers that pass the Luhn checksum, only maybe 25% of the boiler rooms cut me off. A few days ago, the "service rep" had a bad headset and I could hear a recorded voice telling him to hang up, which he did.

Even Trump's FCC would have to deal with targeted harassment. That's the kind of crap that nobody puts up with. Besides that, harassment calls probably ruin the NSA's data retention practices, so that just can't happen.

Seems like it would be better to go through with the calls and destroy them at the payments gateway/payments provider level, same as was done with online pharma spam.


In my experience with counter-scamming, these guys generally don't actually use any kind of payment processor -- they ask people to go get gift cards and tell them the numbers. It's a clever way of going about it, which essentially guarantees that they can't be shut down directly. The only way to beat them is to waste so much of their time that it's no longer profitable.

That or install ransomware on your pc.

I don't think this is going to DDoS the scammers by calling them back; I think the point is you just transfer the inbound call to his bot -- the success rate on these things is so low, if he's got good enough penetration the false positives will overwhelm the true positives.

I think, anyway. Spent five minutes reading the post and other parts of the blog, and dimly recall seeing something from this project posted previously. Happy to be proven wrong.

"As fast as you can report fake “you have a virus call this number now” messages to me, I will be able to hit them with thousands of calls from bots. It’s like when the pirate ship turns “broadside” on an enemy in order to attack with all cannons simultaneously."

But it's late, and I'm too tired to read the rest of his blog posts.

I'm assuming you're using a VoIP provider to do this - just be careful, they might have rules against this. Definitely don't do it on an account you have a personal number you value or something.

That said, I fire attacks at script kiddies in the clear from big server providers including DigitalOcean and OVH, so I suppose as long as the attackee can't really complain legally, you might be okay.

There's an inbound version of this? I've gotten calls from the outbound version, but those I hang up on in the first four seconds.

Turn off the adblocker and go to some popular TV streaming sites. You'll find a few of them.

Right. I have so much ad-blocking that I never see this crap.

~~ Yes. Yes. Hello? Sorry, you're going to have to start again. Yes? Go on. Ahum. ~~

Absolutely love this guy. Can't say it enough.

The problem is that scammers can fake the CallerID. Yes it's illegal but they are already engaging in dubious activities.

So this bot would just dial back at innocent victims whose numbers were unknowingly used by the scammers.

I wonder if a sprinkling of ML could be used here.

The science of Marxism-Leninism is always relevant.

Nah, I think AI would be a more suitable candidate.

Standard ML is probably a safe bet.

Are you sure the client's needs would not have been better met with over fitting? I heard it has superb performance!

I look forward to hearing more in the future.

you could add voice recognition to cue up responses and also launch a vm for them to take control of.

this is generic to hassle any kind of call centre: PPI claims, accident claims etc..


> Please go back to tumblr until you

You can't attack other people like that on HN, regardless of whether they also broke the rules. You owe better to the community here.

We detached this subthread from https://news.ycombinator.com/item?id=13597588 and marked it off-topic.

No, kjjw is indeed correct. They know the video.

The video, the guy mocks the Indian scammer with repeated lines like "Not goot, not goot at all" in a very Midwestern->faux Indian accent. Think Apu on "The Simpsons".

And no, making fun of someone because of their nationality and origin language just isn't cool. Maybe it was 60 years ago, with killing Commies and Japs and Niggers. I'd like to think that most of us are past that brutish "ideal"..

Then again, with commentary of 'Please go back to tumblr until you develop the required reading skills to participate on HN.', they certainly have demonstrated more skills in understanding content than you have. Perhaps it ought to be you who "goes back wherever someone else thinks you came from?, no?

Applications are open for YC Winter 2018

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | DMCA | Apply to YC | Contact