When Antivirus Scammers Call the Wrong Guy

ancientribe writes "Phony AV scammers posing as Microsoft dialed the wrong number when they inadvertently phoned a security researcher at home. He lured them into a honeypot to study their actions, and posted the video online here. His main takeaway: they were 'Stone Age' when it came to their tech know-how."
  • by bobbied ( 2522392 ) on Thursday May 24, 2012 @05:46PM (#40104285)

    Well... There used to be a slight delay (like 10 seconds) between the "on hook" (current stops flowing in the loop) and the processing of the "on hook" condition by the switch. This was to avoid disconnecting calls for momentary current breaks such as when you were dialing a rotary phone or if the user was doing a hook "flash" to switch between parties in a 3-way call. In some cases this delay has been emulated by recent phone system designs for compatibility reasons or simply because that's the way things used to work and the spec still calls for it. These days, I don't think there are many land line phones doing rotary dial and processing flash hook signals, at least in the industrialized world.

    This feature was what caused the "Telemarketers have total control of my phone when they call and I can't hang up on them!" rumor from yesteryear. I'm betting that this was the reason you couldn't hang up on them. Next time hang up and wait about 20 seconds and I'll bet you will get a dial tone when you pick up.
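    As an added illustration (not part of the comment above, and not real switch code), the following simulation replays a line's on-hook/off-hook transitions under the rule the comment describes: a short loop break is treated as a hook flash, a break shorter than the disconnect delay is ignored, and only a break that outlasts the delay is processed as a real hang-up. The 10-second figure is taken from the comment; the one-second flash window is an assumed value.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Assumed switch parameters: the 10 s delay is the figure quoted in the
# comment above; the flash window is a made-up value for the simulation.
FLASH_MAX_S = 1.0           # assumed: a loop break up to this long is a hook flash
DISCONNECT_DELAY_S = 10.0   # "like 10 seconds" before the switch acts on on-hook


@dataclass
class LineState:
    connected: bool = True    # far-end call still up on this line
    held: bool = False        # call parked by a hook flash (3-way / hold)
    log: List[str] = field(default_factory=list)


def loop_breaks(events: List[Tuple[float, str]]) -> List[Tuple[float, Optional[float]]]:
    """Pair 'on_hook'/'off_hook' transitions into (start, end) loop-current
    breaks; end is None when the handset was never picked up again."""
    breaks, start = [], None
    for t, kind in sorted(events):
        if kind == "on_hook" and start is None:
            start = t
        elif kind == "off_hook" and start is not None:
            breaks.append((start, t))
            start = None
    if start is not None:
        breaks.append((start, None))
    return breaks


def simulate_hook_events(events: List[Tuple[float, str]],
                         delay: float = DISCONNECT_DELAY_S,
                         flash_max: float = FLASH_MAX_S) -> LineState:
    """Apply the old switch rule to a timeline of hook transitions for a line
    that starts off-hook in an answered call, and return the resulting state."""
    state = LineState()
    for start, end in loop_breaks(events):
        if not state.connected:
            state.log.append(f"t={start:.1f}: line already idle, break ignored")
            continue
        if end is None or end - start >= delay:
            # The break outlasted the delay: the switch finally processes on-hook.
            state.connected = False
            state.log.append(f"t={start + delay:.1f}: on-hook processed, call released")
        elif end - start <= flash_max:
            state.held = not state.held
            state.log.append(f"t={end:.1f}: {end - start:.1f}s break = hook flash, "
                             f"call {'held' if state.held else 'resumed'}")
        else:
            # Hung up and picked up again inside the delay: the caller is still there.
            state.log.append(f"t={end:.1f}: {end - start:.1f}s break shorter than "
                             f"{delay:.0f}s delay, caller still connected")
    return state
```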

  • Re:Sounds familiar (Score:5, Informative)

    by dontmakemethink ( 1186169 ) on Thursday May 24, 2012 @06:21PM (#40104549)

    His main takeaway: they were 'Stone Age' when it came to their tech know-how.

    So they're exactly like Norton, McAfee, and CA?

    How did this get modded 'Funny?' That shit ain't funny, it's fucking Insightful.

    How did this get modded 'Insightful'?

    The GP was insightful. This shit ain't insightful, it's fucking Funny.

    [Hint: to break the chain, mod this 'Informative'.]

  • by bobbied ( 2522392 ) on Thursday May 24, 2012 @06:30PM (#40104635)

    I think a dialer would have no way to know that the called party was trying to hang up until the local switch processed the "on hook" (hang up) event. Looking at the SS7 ISUP signaling, there is nothing that would carry that information back to the caller that indicated a hook flash once the call was Answered.

    As I recall the one commercial dialer I worked on years ago, we did listen for modem tones, but would pass any answered calls to the operators for processing. We could also hear the "Beep" from most answering machines and deal with that by calling back later, but it was hit/miss at best. We could also listen for silence, and only transfer calls that somebody said "hello" (actually anything else) to operators, but we would hang up on silence after a few seconds, not on a called party hook flash. All this was done to reduce the Long Distance charges and not pass bad calls to operators that were paid by the hour. The motive was $$ not because the called party might need to make a 911 call.

  • by Necronomicode ( 859935 ) on Thursday May 24, 2012 @06:44PM (#40104739)

    I've had numerous calls like this. I've taken a number of different stances on dealing with it. On the last one I didn't really have the time or patience so it went like this:-
    Them: "Sir, we are ringing you about the errors on your computer".
    Me: "Oh, this scam again, trying to get money from people that don't know any better. I don't know how you get away with it, you should be ashamed of yourselves, ashamed!"
    Them: "Brrrrrrr....".

    Quickest hang up yet. Felt kinda sorry for the poor woman reading the script but if you're gonna work for 'Evil Inc.' then that's what you get.

    Other good tactics:
    "Oh, I'm out of work, actually could you lend me fifty quid?"
    "This is GCHQ madam, the UK government security center - it is a criminal offence to have access to our secure servers. Are you a terrorist?"
    "On Mondays my papa sings my happy song, huh, huh, huh"

    Since they have a script maybe we should make one for us, just to see how they like it :-)

  • by slew ( 2918 ) on Thursday May 24, 2012 @08:55PM (#40105463)

    I'm not a Phreaker, but as I understand it, there is a way to reverse the roles of the caller and the callee. It's useful for the 911 and the police as they can maintain the connection long enough to perform a trace.

    My information is pretty dated, but as I recall, although theoretically you can do pretty much anything in the exchange (say like reverse roles and perform a trace), in practice, you probably can't do too much at the calling or called side unless it was the same exchange that handled the caller and callee (esp if it is a crufty old 5ESS). Of course with the current telephone network, no phreaking signals are accepted as the voice path and the signalling path is now totally separate... (In the United States, the last exchange that kind of stuff worked on was wawina [wikipedia.org] and that ended on June 15, 2006)

    Note that in SS7 (and its messages, described by the ITU Q.764 standard which is freely available), either side can disconnect. If the calling party disconnects, a release request (REL) is sent to the terminating exchange and it's up to that exchange to release the line and send a release complete (RLC). If the terminating exchange is next to the police dept or 911**, that terminating exchange could theoretically hold the line for a while for a trace (although intermediate exchanges may time this out, so you can't do this forever). The same is true for the called party disconnecting which initiates a REL going back to the originating exchange. In this case the originating exchange might hold the line for a while after receiving a REL, but even if the caller doesn't hang up, eventually it will release and send the RLC back to the terminating exchange and release the called line. For other than weird billing purposes, there's not much of a reason to switch caller and callee after a call starts as the caller's exchange is the one that usually initiates the billing record (unless you want to bill say both sides). I don't think you can cancel billing once it started on the caller's originating exchange on most systems.

    **911 doesn't work by tracing your call through the network, it works by the originating exchange sending the correct network address information about the caller in a call-origination message to the 911 exchange (similar to callerID).

  • by realityimpaired ( 1668397 ) on Thursday May 24, 2012 @10:15PM (#40105985)

    Um. No. My phone works just fine. I also disconnected the line which should have terminated the call immediately, but the scammer was still talking when I reconnected the line. (I figure they were using some override built into the POTS.)

    Such a feature doesn't exist in DMS-100 (unless an engineer is doing a dialtone plunge, but that's not a DMS feature, that's an actual set or test head connected to the line keeping it open). More likely, you have a marginal short on your line, and when you "hung up", the short was low enough at the time to trick the DMS into thinking that there was still a phone off the hook, so it didn't close the line. Depending on the amount of T-R leak that's happening, you may never notice it when you're using the phone, but it could still be enough to trick the DMS into thinking your phone's off the hook.

    Of course, in a situation like that, chances are you'd have no dial tone at all, because the DMS would self-disconnect from the line to avoid being damaged, and they wouldn't have been able to ring your line at all, as it would sound busy (or forward to voicemail if you have that line option) with the DMS in PLO state. I suppose if it's a swinging short it could work the way you're describing, but the chances are slim enough that it's equally possible you're just making it up. I'd have to see a 12-point metallic test to know for sure what the problem is with your line, but assuming you're telling the truth, my money's on a swinging tip-ring short.

    I guess, maybe, if you're on FTTH and the ONT is bugged out (or you have a problem with your inside wiring), it could behave like that, too. Usually with FTTH I don't see anywhere near the kind of weird shit that I see on copperline, though.

    The other possibility is as folks have suggested, 3-way calling. If you hang up and pick up shortly afterwards, it's the same effect as pressing the "flash" or "link" button on your phone, and the DMS will put the first call on hold to allow you to dial a 2nd number. If it triggered when you hung up, it would suggest a defective phone.

    Obligatory disclaimer: I do work for the local phone company, and one of my many job functions has been troubleshooting/diagnosing this kind of weird behaviour in order to determine if a field tech visit is needed. I have seen the problem you're describing before, but usually it's followed by a loss of dialtone within an hour after the fact.

  • Re:Sounds familiar (Score:4, Informative)

    by Fjandr ( 66656 ) on Friday May 25, 2012 @02:39AM (#40106989)

    It's the plural of the Latin 2nd declension noun "virius," which means "One who does not understand Latin."

  • Re:Sounds familiar (Score:3, Informative)

    by kyrio ( 1091003 ) on Friday May 25, 2012 @02:43AM (#40107005)

    Pretty much any third party report (third party = not paid for by anyone related to the reported) ranks MSE higher overall. Sure, Norton can catch them, but it kills your system doing so, even now. There are at least 5 other AV software (including MSE) that are better than Norton.
  • by wrook ( 134116 ) on Friday May 25, 2012 @04:33AM (#40107361)

    Disclaimer: I used to work on the DMS-100 (perhaps I should post this as anonymous coward... :-P ) At least when I worked on it, there were plenty of bugs with respect to various features (especially 3-way call) and various agent types. Stupidly enough, although it was not the correct way to do things, the most common way to clear a call was to take down one end and then wait for the audit process to come around, notice that one end was down and take down the other end. If you hang up and then pick up the phone again, depending on what code paths you were going through, you could reconnect the call before the audit process tore it down. Unfortunately, it was a problem that was nearly impossible to fix because the DMS uses completely different code depending on agent types and features that are in use. You would practically have to go through all 30 million lines of code.

    It's been about 15 years since I worked there, so I can't remember very much any more, but I used to play party games demonstrating all the bizarre behaviour you could get your phone to do. The thing was that end users think of their phone as a kind of widget. They have no idea there's a computer in the switch directing things. When weird things happen they either blame themselves or come up with conclusions like the GP (the scammers figured out how to hold the line up). Just bad code, that's all.

  • Re:I recorded one (Score:5, Informative)

    by anilg ( 961244 ) on Friday May 25, 2012 @07:30AM (#40107847)

    L.O.L!

    It's funnier to me because you probably did not catch him swearing in Hindi. At around 17:32 he goes "madarchod have you put the dot", which translates to "Motherf**ker have you put the dot", and you go "Dot, yes".

    Then at 19:28 he goes "kahan se ... behenchod" which is roughly "Where did this sisterf**ker come from?".

    And then the end was epic! A++ would hear more recorded conversations
