Can any of you tell, from the accent of this English, WHERE it comes from?

Can any of you tell from whence this caller came from, based on his English accent (as he attempts to 'repair' my home Windows PC)?

Here is a 3MB 30-minute MP4 recording of an unsolicited call today that I received from the "Microsoft IT" department, telling me my computer was "sending reports" to them (this file kindly uploaded by Marek):


I realized it was a scam within the first seconds, but I was surprised, that, at the 21:30 mark, the increasingly frustrated caller threatens to f* up my entire family (explicitly threatening my sister, my mother, my daughter, etc.).

That first tirade lasted more than two minutes, from 21:30 to 23:50. Miraculously, the caller calmly resumes his attempt to get me to execute the Microsoft file, even going so far as to attempt to remotely log into my computer!

Despite the fact the caller calms down after the first set of invectives, within 10 minutes, the caller repeats the threats against me and my family at the 32:24 mark to about 33:29, which is essentially the end of the recording.

Here is a truncated 400KB 5-minute recording with chirps inserted into the removed (boring) sections:


The first web site they had me go to was the following:

- http:// www (dot) windowscare (dot) us

Which brought me to:

- http:// www (dot) windowscare (dot) us/microsoft.com/

(Calling the listed phone number, +1-845-241-1234, just gets a computer-generated recording identifying itself as "Thank you for calling Windows Support ... please leave a message"). The domain is registered to "windows tech support" (all lower-case), which has a New York, NY, postal address.

The caller then directed me to click on the green "Get Support" button at that web page, which downloaded a Windows executable file (into my Linux /tmp directory), which actually came from:

- http:// www (dot) ammyy (dot) com

The postal address for the ammyy domain is in Panama.

The downloaded file was a 764KB file, named:

- 764184 Aug 26 09:28 AA_v3.exe

$ md5sum AA_v3.exe

- f8cd52b70a11a1fb3f29c6f89ff971ec AA_v3.exe

$ sha1sum AA_v3.exe

- 6a0c46818a6a10c2c5a98a0cce65fbaf95caa344 AA_v3.exe

The caller repeatedly asked me to execute that AA_v3.exe file, which, of course, I wasn't going to do, so I had to fish for what he was looking for as a result.

After quite a few false starts where I made up numbers, and many excuses, I belatedly learned he was looking for an 8-digit number that starts with 39 just below the "client wait for session" text that said "Your ID".

Of course, I never came up with a valid number, which apparently frustrated the caller, who probably thought, at first anyway, that he had a fish hooked on his line from the very start.

At the 16:00 time point, he tried his second tack, which was to have me boot my Windows XP pc to Safe Mode, so, I stalled until I could find a Windows machine, and then booted it to "Safe Mode with Networking", where he told me "it's totally safe now". At 18:12, he had me go to the same web site above (you can hear me breathing heavily as I climb the stairs from Windows to Linux).

The caller used the "broken record" approach, to get me to repeatedly run the AA_v3.exe file, but I was guessing wrong as to what he had wanted me to report back to him (having never executed the file).

Finally, at the 26:40 time point, the caller tried a third, and totally new approach, which was for him to take over my machine so that he could (presumably) download the file himself.

In order to take over my machine, he instructed me to go to:

http://www (dot) support (dot) me

Which took me to:

https://secure (dot) logmeinrescue (dot) com /Customer/Code.aspx

The postal address for the above domain is in Boston, MA.

Then he gave me the 6-digit logmeinrescue authorization code:

https://secure (dot) logmeinrescue (dot) com/Customer/TrialWarning.aspx? code=106536

Entering that 6-digit code downloaded the Windows executable file into my Linux /tmp directory:

1529152 Aug 26 09:51 Support-LogMeInRescue.exe

Which the Linux "file" command reports as:

Support-LogMeInRescue.exe: PE32 executable (GUI) Intel 80386, for MS Windows

Afterward, I called LogMeInRescue at 1-877-337-2102, and at 1-866-478-1805 and provided them with the 6-digit number, for which they thanked me, saying they will cancel the account, but that it could be a trial account, and therefore, it would have little real impact.

They did say that the Support-LogMeInRescue.exe file allows the attacker remote access to your Windows PC, but, since I was on Linux, they say nothing would happen.

Where, probably in India?, do you think this accent came from? I'm guessing somewhere in the middle or eastern India.

Reply to
Ned Turnbull
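Added example, not part of the original post: a static triage of a downloaded file that combines the post's md5sum/sha1sum step with the header check behind the `file` output quoted there, reading the bytes without executing anything. The function names and the header-only sample are constructed for illustration.

```python
import hashlib
import struct

MACHINES = {0x014C: "Intel 80386", 0x8664: "x86-64"}
SUBSYSTEMS = {2: "GUI", 3: "console"}
FORMATS = {0x10B: "PE32", 0x20B: "PE32+"}

def triage(data: bytes) -> dict:
    """Hash a downloaded file and describe it from its headers, without running it."""
    report = {
        "size": len(data),
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "type": "not a PE file",
    }
    # DOS header: "MZ" magic, PE header offset (e_lfanew) stored at 0x3C.
    if len(data) < 0x40 or data[:2] != b"MZ":
        return report
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)
    # Signature (4) + COFF header (20) + optional header through Subsystem (70).
    if pe_off + 94 > len(data) or data[pe_off:pe_off + 4] != b"PE\0\0":
        report["type"] = "MZ stub without a valid PE header"
        return report
    (machine,) = struct.unpack_from("<H", data, pe_off + 4)
    (magic,) = struct.unpack_from("<H", data, pe_off + 24)
    (subsystem,) = struct.unpack_from("<H", data, pe_off + 24 + 68)
    report["type"] = "{} executable ({}) {}, for MS Windows".format(
        FORMATS.get(magic, "PE"),
        SUBSYSTEMS.get(subsystem, "subsystem %d" % subsystem),
        MACHINES.get(machine, "machine 0x%04x" % machine),
    )
    return report

def constructed_sample() -> bytes:
    """Constructed header-only sample (not a real program): PE32, GUI, i386."""
    buf = bytearray(0x40 + 94)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)       # e_lfanew -> PE header at 0x40
    buf[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<H", buf, 0x44, 0x014C)     # Machine: i386
    struct.pack_into("<H", buf, 0x58, 0x10B)      # Optional header magic: PE32
    struct.pack_into("<H", buf, 0x58 + 68, 2)     # Subsystem: Windows GUI
    return bytes(buf)

if __name__ == "__main__":
    for key, value in triage(constructed_sample()).items():
        print(f"{key:7} {value}")
```

To triage a real download, pass the bytes read from the file to `triage()`; the hashes it returns are what you would search for or attach to a report.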

Yet you carried on with the call for 30 minutes? Why?

--
Guy Barry
Reply to
Guy Barry

There is a similar thread in alt.windows7.general.

I'm not downloading a 3Mb file at this time of the month, but I receive such calls about 3 times a week, and in nearly all of them the accent has sounded Indian to me.

--
Steve Hayes from Tshwane, South Africa 
Web:  http://www.khanya.org.za/stevesig.htm 
Reply to
Steve Hayes

To waste their time. If everyone did this, they might be driven out of business.

I yell at them and call them dirty names, until they hang up.

Reply to
William Sommerwerck

| >I realized it was a scam within the first seconds,
|
| Yet you carried on with the call for 30 minutes? Why?

Indeed. And don't people have caller ID? I get more spam phone calls than real calls these days. They even hide behind "Private Number" sometimes. So now I only answer known callers. The rest can leave a message.

Reply to
Mayayana

Sometimes a guy just wants to have fun!

Different Scam and different outcome...

Several years ago I posted an ad on Craigslist selling a rather expensive ($2,100) riding lawn mower. The creeps came out of the woodwork. One "I want to buy your lawnmower, I will have my man pick it up once we agree. I will send you a cashier's check for $2,500. You cash, give him $300 when he loads the lawnmower, and keep the extra $100 for your trouble" Obviously a scam since there was no questioning whatsoever about the mower, etc.

Decided to play along to see what would happen and what he would send. Stressed that it wasn't my mower, but my widowed mother's, had to send it via US Mail as it was the only way she could receive it and provided a PO Box.

The dumbsh*t's emails were traced back to North Carolina and he actually sent his "cashier's check" to me THREE times by FEDEX (I verified the tracking numbers, etc. by logging on to my FEDEX account so I KNOW that they were legit)

Each time he sent it, FEDEX (at the time anyway) could not deliver to a PO Box. I'd email him back explaining why we couldn't drive 20 miles to the nearest FEDEX "depot" to pick up the check and he'd turn around and send it again - to the same PO Box using FEDEX. He'd send an email inquiring after the check and was the deal still on and so it went.

I verified three separate FEDEX attempts at probably $15 each to scam me.

Never saw a check from him but took some satisfaction in screwing with him.

I can see where Ned's coming from on this. If you have the time to play with them, do so. While they are concentrating on you they have no time to mess with somebody who might actually follow through with their plan.

Reply to
Unquestionably Confused

To find out *what* the caller was up to, and, to get him to incriminate himself, and to have enough data to *report* to authorities and to provide enough information for the *next* person to pick up where I left off (e.g., the 8-digit number starting with 39), etc.

I reported the scam, in its entirety, to the FTC, logmein (who revoked the account), and to folks here (to make them more aware of the scam particulars and objectives).

I even appended my report to the various virus scan pages found by searching the MD5 checksum on the net.

If everyone were like you, nobody would help each other and it would be a selfish "everyman for himself".

Reply to
Ned Turnbull

That too!

It's selfish to just let the *next* person deal with it.

Reply to
Ned Turnbull

I don't have caller ID on my landline, unfortunately.

Reply to
Ned Turnbull

I usually asked them 'Which operating system'? They name one and I tell them, I don't use that OS and hang up. It's also fun to ask which IP address the infected machine is on. :)

--
Anyone wanting to run for any political office in the US should have to 
have a DD214, and a honorable discharge.
Reply to
Michael A. Terrell

That's interesting. Do you know if the accent is particular to any specific region?

Reply to
Ned Turnbull

I play that game a lot and I'm dealing with legitimate support people at some large software companies. Sometimes I cop out, tell them I'm hard of hearing, and can we please move the conversation to email.

Reply to
rbowman

Hmm, Sounds like East Indian or Pakis. Nothing better to do, Eh?

Reply to
Tony Hwang

Hi, You can just hang up, on the first word you hear. I have caller id but I often don't even look at the display. Also I never say any thing first. Mostly we let the answerer do the job.

Reply to
Tony Hwang

Yesterday, I had called the High Technology Crimes Unit for Santa Clara county, at (408) 792-2804 and I had emailed the unedited phone recording to them at snipped-for-privacy@da.sccgov.org

They called back this morning from a San Jose task force called REACT, at 408-282-2425, who took down all my information, and who applauded me for reporting it as thoroughly as I could.

Unfortunately, they said that most people don't report it, so, they have nothing to go on, but, they did ask me to try to get the caller's name and phone number next time, because they said that I'd be surprised how many people actually send them money, and, they said they almost never get the money back unless it's a reverse on the credit card.

Reply to
Ned Turnbull

Here in Sweden, one typically has to order it from the phone company and pay a few bucks a month. For mobile phones, it is built into the protocol, so they always have it.

Reply to
Hans Aberg

They call Sweden too, typically from India; VoIP services make it cheap.

Reply to
Hans Aberg

I haven't heard a big enough sample.

Speakers of different Indian languages might have different accents when speaking English, but I haven't heard enough to say for sure.

--
Steve Hayes from Tshwane, South Africa 
Web:  http://www.khanya.org.za/stevesig.htm 
Reply to
Steve Hayes

Caller ID isn't available to people who use the Lifeline phone service. You can't have anything other than local phone service for that type of account.

--
Anyone wanting to run for any political office in the US should have to 
have a DD214, and a honorable discharge.
Reply to
Michael A. Terrell

Ned Turnbull pretended :

You did a fair job of not laughing, though I could tell that you were laughing inside. I was expecting "Could you put the nice fella I was talking to before back on?"

Reply to
FromTheRafters
