Saturday, September 21, 2013

The old "we're from windows" scam

Three times this past week, I've gotten phone calls with the "Windows tech support" scam.

For those unfamiliar, you get a phone call from someone (often with a Russian accent) claiming to be an employee of "Windows". No, not Microsoft, they are very clear to point that out. They claim your computer is full of viruses and that you need to install their software to let them clean it up.

If you're dumb enough to do this, their software locks your computer. You then have to pay these people several hundred dollars every months in order to use your computer. When you stop paying, their software bricks your computer.

So far, I've been threatening to report these people to the FBI, but unfortunately, they are using spoofed caller ID numbers (the most recent one is from 474-475-1328 - which is a non-existent area code. As a result, the national do-not-call list is useless, as is Verizon's service for tracking down criminal abuse of the phone system.

Does anyone have a clue what else I can do to find the bastards and nail their balls to the floor? If you know someone in the FBI or other appropriate government agency and can forward this to them, please do so. I'll testify in court. Heck, I'll flip the switch if they can be given the death penalty.

1 comment:

tsiv said...

Unfortunately there isn’t any good way to track that down. The inter-carrier signaling stinks – there isn’t any authentication on the caller ID information – if you have an SS7 trunk (ie. any PBX, soft switch, etc…) you can stuff any information in there you wish. Plus fewer and fewer carriers care what that info is – we treat it as garbage that just gets passed on.

While the FBI, FTC (who I think has the lead on this) and the FCC would all love to trash these guys, they are probably calling from another country – or at least routing it in such a way that it will be basically impossible to actually track down.

The biggest problem is that they’re bouncing through too many networks – Verizon is terminating the call, but some other carrier handles it as an International call, with yet a third as the originating carrier, all getting initiated by a compromised softswitch that some company admin didn’t clamp down on. (It’s a phone switch – nobody can get into that! Completely forgetting it’s running on an unpatched Win 2000 server attached to the Internet).

So even if you can get the carriers to move really fast while the call is up, or do some serious database groveling (Our databases are indexed for calling party, not called party - you have to get the other index from a TLA that starts with N), what you will most likely find is the poor admin, not the crooks.

It would be easier to catch the money mules the crooks are using on the financial transfer side – there’s much more incentive on the part of the government TLAs to get better controls installed there so they can track laundered money.

I’ll ask around in the security group to see if there is some sting process already set up to handle these situations. It might be easier to track them on the IP network side, though I suspect that will just point to a botnet.