Ned Turnbull
2014-08-26 17:15:29 UTC
Today, I got the second of my "official" Windows Support Calls,
from an Indian-accented guy wanting me to download software because
my machine has been 'sending them messages'.
So, I went onto Linux (for safety), and did everything he asked.
I kept him going for 33 minutes, until he finally started swearing
at me (actually using the f word and saying he was going to f my
mother, daughter, etc.).
On Android, I recorded the entire call, from when he asked my
name and address (yes, it was correct, so, we need to find out
*where* they are getting that info) down to the names of the
machines and files.
Unfortunately, I recorded on a smartphone, using Android Voice
Recorder, so, all I want to know is what's the best way to upload
that file so that others can benefit.
Mainly, we want to:
a) Warn others
b) Come up with valid answers so that we waste their time
For example, they had me go to the web site:
www (dot) windowscare (dot) us
Which brought me to:
http:// www (dot) windowscare (dot) us/microsoft.com/
And download a file, which actually came from:
www (dot) ammyy (dot) com
Which downloaded the 764KB file, named:
764184 Aug 26 09:28 AA_v3.exe
Which, a "file" command on Linux says is:
AA_v3.exe: PE32 executable (GUI) Intel 80386, for MS Windows
I was supposed to click on that file and then hit Run,
and then give him the 8-digit number starting with 39
that comes out of it.
Of course, I did everything on Linux, so, nothing happened,
but, I gave him a false number a few times, and he caught
that. At first, he didn't get mad, and he had me close down
and start up Windows in safe mode (for which I had to find a Windows
machine, so that it made the right noises).
Hint to self: Remind me to record Windows noises on Linux for
the next call that comes in.
In safe mode, he had me go to the logmeinrescue web site:
https://secure (dot) logmeinrescue (dot) com/Customer/Code.aspx
Where he told me to type in this 6-digit code 106536.
https://secure (dot) logmeinrescue (dot) com/Customer/TrialWarning.aspx?code=106536
Interestingly, the site said specifically *not* to enter a
number given by an unsolicited technical support person, but,
of course, I was running on Linux so I didn't worry (but I did
mention that to the guy, and he glossed over it, heh heh).
That downloaded the file:
1529152 Aug 26 09:51 Support-LogMeInRescue.exe
Which the Linux "file" command reports as:
Support-LogMeInRescue.exe: PE32 executable (GUI) Intel 80386, for MS Windows
At this point, there was another tirade with the f word, as
he had invested nearly a half hour in me, and I couldn't
tell him what I saw.
He was looking for a client window session of some sort.
Anyway, I have a few questions:
1. What are they after? (yes, I know it's a scam, but, what?)
2. What's a "valid" 8-digit number starting with 39?
3. What "should" I have seen (so I can get more info from them)?
4. Is this illegal enough to call the police?
Lastly:
5. How best do I upload that file, so you can hear it?
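The two downloads in the post were identified only by the `file` command's one-line verdict ("PE32 executable (GUI) Intel 80386, for MS Windows"). As an added example that is not part of the original post, the following reads the same header fields `file` uses (DOS stub, PE signature, COFF machine type, optional-header magic and subsystem) so an analyst can see where each word of that verdict comes from; the bytes it inspects are a constructed minimal header, not the scam binaries, and the function names are my own.

```python
import struct

# Constructed sample: only the header fields a classifier needs, not a real binary.
def build_sample_pe(machine=0x014C, subsystem=2, magic=0x10B):
    """Return bytes for a minimal DOS stub + PE header with the given fields."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)          # e_lfanew: PE header at offset 64
    # COFF header: signature, machine, sections, timestamp, symtab, nsyms, opt size, flags
    coff = struct.pack("<4sHHIIIHH", b"PE\0\0", machine, 1, 0, 0, 0, 0x70, 0x0102)
    opt = bytearray(0x70)
    struct.pack_into("<H", opt, 0, magic)         # 0x10B = PE32, 0x20B = PE32+
    struct.pack_into("<H", opt, 68, subsystem)    # 2 = Windows GUI, 3 = Windows console
    return bytes(dos) + coff + bytes(opt)

MACHINES = {0x014C: "Intel 80386", 0x8664: "x86-64", 0x01C0: "ARM", 0xAA64: "Aarch64"}
SUBSYSTEMS = {1: "native", 2: "GUI", 3: "console"}

def describe_pe(data):
    """Classify a Windows executable the way `file` summarises it."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return "not a DOS/PE executable"
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)
    # Need the 24-byte COFF header plus the subsystem field at optional-header offset 68.
    if pe_off + 24 + 70 > len(data) or data[pe_off:pe_off + 4] != b"PE\0\0":
        return "MS-DOS executable (no usable PE header)"
    machine, _, _, _, _, _, chars = struct.unpack_from("<HHIIIHH", data, pe_off + 4)
    (magic,) = struct.unpack_from("<H", data, pe_off + 24)
    (subsys,) = struct.unpack_from("<H", data, pe_off + 24 + 68)
    kind = {0x10B: "PE32", 0x20B: "PE32+"}.get(magic, "PE (unknown format)")
    what = "DLL" if chars & 0x2000 else "executable"  # IMAGE_FILE_DLL
    arch = MACHINES.get(machine, f"machine {machine:#06x}")
    sub = SUBSYSTEMS.get(subsys, "unknown subsystem")
    return f"{kind} {what} ({sub}) {arch}, for MS Windows"

if __name__ == "__main__":
    print(describe_pe(build_sample_pe()))
    print(describe_pe(build_sample_pe(machine=0x8664, subsystem=3, magic=0x20B)))
    print(describe_pe(b"\x7fELF" + bytes(60)))
```

Running the script on a real download (`describe_pe(open(path, "rb").read())`) reproduces the post's verdict for a 32-bit GUI program, which is what a remote-access installer presents as.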