Friday, June 12, 2015

Miscreant Impersonating Century Link Technician - While I am Impersonating a Victim

This is a follow-up to the last post, where I talked about a friend's friend almost being victimized by scammers.  This post is meant to educate others about scams like this: the steps the miscreants walk you through to demonstrate that your computer is infected, and then how they collect your credit card number.

I was provided the phone number below by a friend whose friend almost became a victim of this scam:

(844) 409-6572

I decided I would impersonate a victim who needed his computer fixed.  So I called the number and was greeted by an automated system.  Eventually a technician answered to greet me.  He proceeded to tell me that his name was "SUMIT RASTOGI" and that he could help me fix my computer.

He had me go to http://lmi1.com, which redirects to "https://secure.logmeinrescue.com/Customer/Code.aspx", where I proceeded to enter the 6-digit code 546084.  He then proceeded to tell me that he was a Jr. Technician for "Windows Online Support".  After entering the code you are prompted to download the LogMeIn Rescue executable.  After it is downloaded and installed you are prompted with a box similar to the screenshot below:

The initial window that you see has an OK button that you must click before they can start viewing and controlling the computer.  After he was connected he proceeded to go into the Action Center and demonstrate to me that I did not have an anti-virus installed and that other defenses were not enabled.


Then he showed me that I was not backing up my files by scrolling down a little in the Action Center.

The Jr. Technician then proceeded to educate me about viruses, hackers and the need to back up my stuff.  I played along, holding back my laughter.  Then it started to get interesting in how he was convincing me that my computer was infected.  He navigated to the prefetch files and asked if they looked familiar.  I stated no, I had never seen those files before.  He was sure to point out that there were 140 files in this directory.


After opening the prefetch file for explorer.exe in Notepad, he stated that a virus was already trying to take over my computer and corrupt my files.




He pointed out the word "harddisk" and said that it was impacting my hard drive.  Then he said to rest assured that he would take care of my well-being.  Then he took me into the c:\windows\inf folder and asked if I was familiar with these files.  Again I responded no, and asked whether they were viruses also.

Again he reconfirmed that he was going to take care of my computer as he entered msconfig in the Run box.


Then he navigated over to the Services tab and stated that it appeared my computer was running fine, but then scrolled down to find some of the services that were not running.  He proceeded to tell me that the computer was not functioning correctly and that those stopped services were because of the viruses and hackers.


He also showed me that the "Enable All" button could not be clicked, and that I should be able to enable all of the services to protect my computer.  He again reiterated that the hackers were already in my computer.  He opened a command prompt and then let me know he was going to run a "tree scan", running the Windows tree command.


Then he escalated me to a senior technician to continue to diagnose my computer.  This other technician opened up "Task Manager" and then highlighted "csrss.exe".


He asked me if I knew what this was.  I responded stating I was not sure.  Then he navigated to a website to show me what this process is.


He then highlighted the first couple of sentences and asked me to read them to him.  He then started to escalate in emotion and tried to convey to me an emergency situation.  Then he took me back to the command prompt, ran the command "netstat" and stated that the hackers were already in my computer.


Then he continued typing into Notepad, with horrible spelling, trying to convey to me the issues I had.  For example, if I wanted a peaceful life these trojans needed to be removed.  They would steal my information and track all of my data.  He also stated that from the internet it would infect my computer and my router, and then after the infection it would infect other devices that I had.  Then he stated that I could have complete protection for "long long years" with my computer and that they could provide 10-12 years of protection for my computer.


He then stated that he was not a Windows Level 3 certified online expert, but that one would be able to fix my computer on a permanent basis.  Then he went off on how this would bless him, and then asked me for my name and other identification information.  Then finally he asked for my credit card number and expiration date.


I then went into a discussion with him about how it was not secure to give him the card number.  He then said, well, if you push the "*" button on your phone it will disconnect me from seeing your computer screen so you can type in the card number.  I had to mute my phone to get over this moment of laughter.  Then I asked him again how that would not be the same as giving him the card number over the phone.  He politely said to go ahead and press the "*" button again so he could resume remotely controlling my computer.

I then asked to have his technician information in the event I had any issues and a call back number.



I then asked whether there was a secure site where I could enter my information.  He became a little impatient with me but eventually took me to a website.  However, he did not go through IE; he went through Windows Help to display the page.


This is where I disconnected my virtual machine's network adapter and explained that I did not want to divulge my credit card information.  Then I received a call back from 844-219-1736.  With the network adapter disconnected, I then went into "Task Manager" to determine the address of the web site that he took me to.
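The "netstat" step earlier in the post and the Task Manager check here are really the same triage question: which process owns each established connection? The caller shows a raw netstat listing and calls every ESTABLISHED line a hacker, but on a machine where you have just installed a remote-support applet and the caller has opened a web page through Windows Help, those connections belong to the applet and the help viewer. The script below is an added example (mine, not the post's or LogMeIn's code) that joins `netstat -ano` output with `tasklist /FO CSV` output and reports the non-loopback ESTABLISHED peers per process, then flags processes whose image name is a known remote-control tool. The two sample outputs are constructed (documentation IP ranges, made-up PIDs), and the image names `Support-LogMeInRescue.exe` for the Rescue applet and `HelpPane.exe` for the Windows Help viewer are assumptions you should confirm against your own system.

```python
"""Map `netstat -ano` ESTABLISHED connections to the processes that own them.

On a real Windows box, capture the two listings and feed them in:
    netstat -ano > netstat.txt
    tasklist /FO CSV > tasklist.txt
"""
import csv
import io
from collections import defaultdict

# Constructed sample of `netstat -ano` output (documentation IPs, not captured
# from the VM in the post).  Two rows are the remote-support applet's session,
# one is the Windows Help viewer fetching the checkout page, one is loopback.
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       704
  TCP    192.168.56.101:49160   203.0.113.10:443       ESTABLISHED     2212
  TCP    192.168.56.101:49161   203.0.113.10:443       ESTABLISHED     2212
  TCP    192.168.56.101:49170   198.51.100.7:80        ESTABLISHED     3048
  TCP    127.0.0.1:49155        127.0.0.1:49156        ESTABLISHED     1588
  UDP    0.0.0.0:5355           *:*                                    1044
"""

# Constructed sample of `tasklist /FO CSV` output.  The image names of the
# LogMeIn Rescue applet and the Windows Help viewer are assumptions.
TASKLIST_SAMPLE = """\
"Image Name","PID","Session Name","Session#","Mem Usage"
"svchost.exe","704","Services","0","8,200 K"
"Support-LogMeInRescue.exe","2212","Console","1","21,304 K"
"HelpPane.exe","3048","Console","1","14,100 K"
"lsass.exe","1588","Services","0","5,900 K"
"svchost.exe","1044","Services","0","4,300 K"
"""

# Assumed image names of remote-control tools a scam caller might have the
# victim install; extend this set for your own environment.
REMOTE_CONTROL_IMAGES = {"support-logmeinrescue.exe", "teamviewer.exe", "anydesk.exe"}


def parse_netstat(text):
    """Return one dict per socket row; UDP rows carry no State column."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue  # banner, header and blank lines
        if parts[0] == "TCP" and len(parts) == 5:
            proto, local, foreign, state, pid = parts
        elif parts[0] == "UDP" and len(parts) == 4:
            proto, local, foreign, pid = parts
            state = ""
        else:
            continue  # malformed row: skip rather than guess
        rows.append({"proto": proto, "local": local, "foreign": foreign,
                     "state": state, "pid": int(pid)})
    return rows


def parse_tasklist(text):
    """Return {pid: image name} from `tasklist /FO CSV` output."""
    return {int(r["PID"]): r["Image Name"] for r in csv.DictReader(io.StringIO(text))}


def split_host_port(addr):
    """'203.0.113.10:443' -> ('203.0.113.10', '443'); IPv6 keeps its brackets."""
    host, _, port = addr.rpartition(":")
    return host, port


def is_loopback(host):
    return host.startswith("127.") or host in ("[::1]", "::1")


def established_by_process(netstat_text, tasklist_text):
    """Group non-loopback ESTABLISHED TCP peers by the owning image name."""
    names = parse_tasklist(tasklist_text)
    peers = defaultdict(list)
    for row in parse_netstat(netstat_text):
        if row["proto"] != "TCP" or row["state"] != "ESTABLISHED":
            continue
        host, port = split_host_port(row["foreign"])
        if is_loopback(host):
            continue  # local IPC, not an external peer
        peers[names.get(row["pid"], "pid %d" % row["pid"])].append("%s:%s" % (host, port))
    return dict(peers)


def remote_control_sessions(by_process):
    """Subset of established_by_process() owned by known remote-control tools."""
    return {n: p for n, p in by_process.items() if n.lower() in REMOTE_CONTROL_IMAGES}


if __name__ == "__main__":
    by_proc = established_by_process(NETSTAT_SAMPLE, TASKLIST_SAMPLE)
    for name, hosts in by_proc.items():
        print("%-28s %s" % (name, ", ".join(hosts)))
    print("remote-control sessions:", remote_control_sessions(by_proc))
```

On the sample data the only external peers are the support applet's session and the help viewer's fetch of the checkout site, which is exactly what the caller had me set up; nothing else on the box is talking to the outside. On Windows 8 and later the same join can be done natively in PowerShell, since `Get-NetTCPConnection -State Established` exposes the `OwningProcess` property that `Get-Process -Id` resolves to an image name.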


The site "http://support-samurai.com" is registered as a GoDaddy domain.  Below is a screenshot of the site.


The checkout area of the website that he took me to is displayed in the screenshot below.  This was the page where he was trying to get me to input the credit card information after I complained about placing it in Notepad.


With the above page he proceeded to tell me that it was "Safe and Secure" and that my satisfaction would be guaranteed.

I have turned this information over to LogMeIn Support to see what they can do.  Again, this post is meant to educate people about the scam that the miscreants are conducting.  The methods and websites may change, but the scam and its tactics will continue to be about the same.



