Thursday, 19 August 2010

Indian Call Centre cold calling people claiming their computers are infected

Background: Recently I got a call from a client of mine whose computer I occasionally service. They advised me they'd gotten a call from a person claiming to be a technician who worked with their antivirus vendor and Microsoft to detect problems in their Windows install; the caller said they knew my client ran Windows and that some steps needed to be performed to clean the infection.

I was IMMEDIATELY suspicious, and asked my client what they'd asked him to do on his computer.
They asked me to press Win+R then win pc tech ...
ALARM BELLS WENT OFF!
(Jump to the bottom for my tips...)

Going back through what happened: I stepped him through bringing back the Windows "Run" dialog (which is what Win+R invokes) and going through its MRU (Most Recently Used) drop-down, the history of commands typed into it.

In the Run MRU were:
  • http://www.winpctech.net/
  • eventvwr

Now, I was IMMEDIATELY suspicious that a cold caller had instructed my client to open a website, and extremely concerned they'd asked him to download something. I looked at the website, watched the YouTube videos linked below, and came to the same conclusion the rest of the internet seems to have reached: they're using pseudo-technical babble to bamboozle the computer-illiterate into paying them to fix problems that aren't there!

The caller said things like each error in the Windows Event Viewer is an individual infection requiring immediate service (BULLS--T: a perfectly healthy Windows install logs errors and warnings as a matter of course).
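The two artefacts the caller leaned on, the Run history and the Event Viewer, can be checked directly. What follows is an added example, not code from the original post, written for Windows PowerShell 3 or later on the affected machine (the `Get-EventLog` cmdlet exists in Windows PowerShell 5.1 but not in PowerShell 7). The registry path and the "letter value plus MRUList" layout are those of the RunMRU key; the 7-day window is my own choice.

```powershell
# Added example (not from the original post): inspect the two things the
# cold caller had the victim look at. Run in Windows PowerShell.

# 1. The Run dialog's typed history lives under the RunMRU key.
#    Each entry is a single-letter value holding "<command>\1"; the MRUList
#    value is a string of those letters, most recent first.
function Get-RunMru {
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU'
    if (-not (Test-Path $key)) { return }          # nothing typed into Run yet
    $props = Get-ItemProperty -Path $key
    $order = [string]$props.MRUList
    foreach ($letter in $order.ToCharArray()) {
        $name = [string]$letter
        $raw  = [string]$props.$name
        [pscustomobject]@{
            Slot    = $name
            Command = ($raw -replace '\\1$', '')   # strip the trailing "\1" marker
        }
    }
}

# 2. Count Error/Warning entries in the classic Application and System logs
#    over the last N days. A healthy install produces plenty of these; the
#    "every error is an infection" pitch relies on the victim not knowing that.
function Get-RecentErrorCounts {
    param([int]$Days = 7)                          # 7-day window is my assumption
    $since = (Get-Date).AddDays(-$Days)
    foreach ($log in 'Application', 'System') {
        $events = @(Get-EventLog -LogName $log -EntryType Error, Warning -After $since)
        [pscustomobject]@{ Log = $log; Days = $Days; ErrorsAndWarnings = $events.Count }
    }
}

Get-RunMru            | Format-Table -AutoSize
Get-RecentErrorCounts | Format-Table -AutoSize
```

On a machine that has been talked through the script above, the first table is where you would expect to see the URL and `eventvwr` entries in order; the second shows how many "infections" the caller could have pointed at on any ordinary PC.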

Quick sleuthing: some quick sleuthing suggests the operation is run out of Kolkata (formerly Calcutta). That said, whois registrant information is very easy to fake.

Internet search results for +winpctech +cold call:
http://www.youtube.com/watch?v=41vbCFXqRy8
http://www.youtube.com/watch?v=WhV6rIgyQ-s
http://whocallsme.com/Phone-Number.aspx/0280062085

Some more technical info:
http://www.robtex.com/dns/winpctech.net.html
http://www.robtex.com/dns/pcrescueworld.com.html
http://www.robtex.com/dns/kolkatabazaar.org.html
$ whois kolkatabazaar.org
...
Domain ID:D157011796-LROR
Domain Name:KOLKATABAZAAR.ORG
Created On:02-Sep-2009 06:12:58 UTC
Last Updated On:02-Nov-2009 04:03:23 UTC
Expiration Date:02-Sep-2010 06:12:58 UTC
Sponsoring Registrar:Directi Internet Solutions Pvt. Ltd. d/b/a PublicDomainRegistry.com (R27-LROR)
Status:OK
Registrant ID:DI_10327263
Registrant Name:Ankush Sood
Registrant Organization:Career Hunts
Registrant Street1:Kolkata
Registrant Street2:
Registrant Street3:
Registrant City:Kolkata
Registrant State/Province:West Bengal

Registrant Postal Code:700001
Registrant Country:IN
Registrant Phone:+033.32490407
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email:kolkatabajar@yahoo.com
...
Name Server:NS1.VYOMS.INFO
Name Server:NS2.VYOMS.INFO

Things to remember:
  • If you get a cold call from a company you've never dealt with directly, or from a company claiming to be receiving reports from your computer when you've never signed up for such a service, HANG UP! NEVER EVER EVER run commands, open websites or let someone connect to your computer because some random person who calls you asks you to.
  • Just because a company has a website, doesn't mean it's legitimate
  • Just because a company has a phone number in your country, doesn't mean it's legitimate
  • If you're on a website and something doesn't seem quite right, look at the "About Us" section. If they don't have one, or it's full of fluff that doesn't actually say anything about the company (especially if the company's location is omitted), LEAVE THE SITE NOW!
Stay safe people. Social engineering is not a new phenomenon, but it's evolving with today's world.

3 comments:

  1. This happened to me last night!!!!
    Where did they get the information that I did complain to Virginmedia about my Broadband connection dropping off too much. Virginmedia sent an engineer to check and he did rectify the problem but a few days later it started again. This was about 4 weeks ago.
    When these crooks rang me they claimed to be affiliates of Virginmedia and other broadband providers. After convincing me to allow their "Technical Engineers" to access my laptop, there was a lot of jibber jabber about viruses and infections they had found on my laptop.
    The bombshell fell when they said I am now subscribed to their technical assistance for 9 years. I said thanks!!!
    Then they said they needed my Credit Card Details for verifying my name and address. I told them I do not give my card details to cold callers BUT I could allow Virginmedia to charge it to my account if they were affiliated!!! They then tried very hard to convince me that this was only for verification purposes BUT I insisted, since I had already given them my Date of Birth and Address with Post Code, and repeated the fact that Virgin Media already has my details anyway.
    They kept me on the phone for almost 45 minutes,
    Today, my laptop seems otherwise unaffected, BUT I am really worried that since I did allow them access to my laptop they might have infected it and could access my bank accounts which I use from this laptop!!! So far there have been no suspicious transactions on my bank accounts.
    Please advise me as to what safeguards I can apply.

    Replies
    1. You might consider running one of the freely available anti-virus rescue CDs from Avira or Avast, available as burnable ISOs. You boot from the image once you've burnt it to disc (on another computer, if you're paranoid), and then it can scan your computer without Windows running, and therefore without any nasties loaded.

      Avira AntiVir Rescue System
      http://www.avira.com/en/download/product/avira-antivir-rescue-system

      AVG Rescue CD
      https://www.avg.com.au/products/avg-rescue-cd/

      The AVG one has a bit of a clunky user interface, but both have documentation available online. AVG even has a video on how to use theirs...

      AVG Video Tutorial using the AVG Rescue CD (complete with cheesy muzak!)
      http://www.youtube.com/watch?v=fGX-592qty8

    2. ... oops I mean AVG, not Avast :) ... Arrrgh, so many beginning with "A" :)
