Social engineering attempt to infect hosts
I've just had an interesting and somewhat scary phone call where a well organised team tried to talk me into giving them access to my machine. The call started with a woman with what appeared to be an Indian accent telling me she was from something like the Technical Support department of Microsoft Windows, and she asked me a few questions about the computer. She told me that they had reports that my computer had been infected, which of course is kind of interesting: that my Mac and Linux systems would tell Microsoft that.

Anyway, I played along and she said she was going to pass me over to her supervisor, a man, again apparently with an Indian accent, who got me to get onto the machine and press the key combination 'Windows-r'. I'm bluffing like mad here while I'm talking and making noises on the keyboard. He gets me to remove the 'cmd' string from the Run box and enter 'inf'. He then patiently explains to me that the files I can see there are all the infected viruses and bad things that have been put on my machine, and he's going to help me get rid of them.

So we go back to the Run box and type in 'www.teamviewer.com', and then I fluff about a bit having to connect to the Internet. He offers me the helpful suggestion that if I'm using wireless I should go to a "windy place" as that will help it go better. At this point I was thinking: who's got me on talkback radio, setting me up? But we continue and he gets me to type the domain name again. At this point he goes quiet and appears to be working, but not on my machine, I think. I don't believe I can sustain the bluff any longer and drop the phone call.

At this point they've been talking to me for 13 minutes, so I assume they think they've really hooked me, and they ring back. I fail to answer and they give up. Using *52 reveals that their number is ....... withheld!

I looked at the URL and TeamViewer appears to be a remote desktop app.

These people appear to be pretty happy to spend a longish period of time on this. They rang our number last week and my wife said they'd need to talk to me.

Has anyone else seen this?

Want to warn your customers?
Yeah, have had some clients contacted by them recently. Stuff ran an article a few months ago too:
http://i.stuff.co.nz/manawatu-standard/news/4682449/Fake-Microsoft-technicians-in-computer-scam
Ta
GF
It's rife. We're seeing many of these call types every day. Not only is the caller ID withheld at the user level, it's also hidden at the SS7 level. These guys have done their homework. All we know is that the calls are originating from 'somewhere' overseas and only TNZI (if anyone) has the ability to trace the source...
-Sam
I hear TVNZ is chasing these people. Expect a story soon, on Fair Go perhaps.
Sent from my phone
Yes, this was indeed on FairGo on June 1st.
http://tvnz.co.nz/fair-go/june-1-4202937
Over the last couple of years I've had them call about 20 times and even had them on a few times :-) I just had them call about 5 mins ago. They seem to just call sequential numbers until they find someone. Blocking the CID doesn't help as they seem to change their caller ID every so often. Even asking them not to call again won't work.

The problem with actually getting them to stop is being able to have the police get the authority to have the calls traced. Cross-border investigations are not easy to do, especially when the calls could go through various countries before they get to New Zealand, and then, even once they get into NZ, through multiple companies in New Zealand.

Let's see (an example): Call from India -> VoIP provider in India -> VoIP provider in the USA -> USA aggregation VoIP service -> Callplus -> Telecom -> Orcon customer (Telecom Wholesale)

Tracing it back to the place it was initiated from is 100% possible, but do the Police really want to do anything???

Thanks
Craig
There's an ongoing discussion on Geekzone, something like 12 months now. At some point we all laughed when some users posted YouTube clips they recorded of their "sessions" where they get those idiots to play along for 30 minutes. Wasting their time is great, makes it harder for them. I even have a virtual machine ready if they ever call me...

In the last couple of months calls are coming from 25 (Djibouti). Someone on Geekzone, probably using a badly configured VoIP client, thought it was 025 (the old Telecom network), but then someone clarified that his setup wasn't showing the numbers properly.

Most of the time these folks use compromised Asterisk PBXs... They scan networks, find an Asterisk setup that accepts calls without ID and has a voice mail with the default passwords, then they configure the voice mail to divert calls to the number they want to call... They have no expense; the PBX owner gets the bill.

Mauricio Freitas
www.geekzone.co.nz
www.geekzone.co.nz/freitasm
www.twitter.com/freitasm
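The PBX abuse Mauricio describes above, written out as the weak configuration next to a hardened one. This is an added illustration, not configuration posted by anyone in this thread. The option names (allowguest, alwaysauthreject, context in sip.conf; dialout, callback, minpassword in voicemail.conf) are chan_sip and app_voicemail options from Asterisk's own sample configs; the context names, mailbox number, PINs and e-mail address are made up for the example.

```ini
; ===== Weak setup: what the scanner is looking for =====
; (illustrative; not taken from any real PBX)

; sip.conf
[general]
allowguest=yes          ; INVITEs from unknown, unauthenticated sources are accepted...
context=default         ; ...and dropped into a context that can reach the voicemail menus

; voicemail.conf
[general]
dialout=default         ; "advanced options" in the mailbox menu may place outbound calls
callback=default        ; ...or call a number the caller keys in, billed to the PBX owner
[default]
1234 => 1234,Reception,reception@example.org   ; PIN equals the mailbox number (a default)

; ===== Hardened setup =====

; sip.conf
[general]
allowguest=no           ; reject calls from sources that have not authenticated
alwaysauthreject=yes    ; unknown user and wrong password get the same reply (no enumeration)
context=unauthenticated ; anything that still lands here can only be hung up

; extensions.conf
[unauthenticated]
exten => s,1,Hangup()
exten => _X.,1,Hangup() ; no path from a guest call to VoiceMailMain() or an outbound trunk

; voicemail.conf
[general]
; dialout= and callback= deliberately left unset: the mailbox menu cannot place calls
minpassword=6           ; refuse PINs shorter than six digits when users change them
[default]
1234 => 739284,Reception,reception@example.org ; PIN is not the extension number (example value)
```

The two voicemail options are what turn a guessed PIN into free outbound calls: with dialout or callback set, the mailbox menu can originate a call from the PBX to whatever number the caller enters. Leaving them unset, refusing guest SIP calls, and answering unknown and bad-password users identically closes the path. On a running box, `sip show settings` on the Asterisk CLI shows the effective allowguest and alwaysauthreject values.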
If you have had one of these "calls" in the last few hours can you please email your phone number and time of call to me off-list and I'll go "have a chat" with someone tomorrow...
participants (8)
- Andy Linton
- Craig Whitmore
- Davey Goode
- Gareth Fletcher
- Mauricio Freitas
- Nathan Gordon
- Sam Deller - Airnet
- Sam Sargeant