virus phone call scam: question/wacky replies

Chris Debenham chris at adebenham.com
Thu Jun 21 03:53:16 UTC 2012


On 21 June 2012 13:08, Chris Robinson <fabricator4 at yahoo.com> wrote:

>
> >________________________________
> > From: Chris Debenham <chris at adebenham.com>
> >To: Boden Matthews <boden.matthews at gmail.com>
> >Cc: ubuntu-au at lists.ubuntu.com
> >Sent: Thursday, 21 June 2012 10:02 AM
> >Subject: Re: virus phone call scam: question/wacky replies
> >
> >
> >* Call them out on this all being a scam (in the process have had threats
> and rather bad language shouted at me)
> >
>
>
> I've actually done that one.  I was at my father-in-law's house - he's 90
> and has never even owned a computer.
>
> The person (female) did not get abusive, but rather got upset and admitted
> that it was a scam.  Surprise!  I like to think it might have been a life
> changing experience for her  ;-)
>
> I like the idea of letting them have access to a VM, just to see what will
> happen though.  I'd be a little concerned about all the other computers on
> the same router though - some of them (the wife's) are Windows computers.
>
>
I have actually tried this before.
I set up a virtual machine and put it in its very own VLAN (so it can't access
other machines).  I also set up routing so it was the default destination for
a while.
They get you to go through a few steps to show some 'errors' (which are not
really a problem)
Then they get you to go to a website and install a remote-access
application so they can access your system directly
(note that some of the webpages they can refer you to even have a nice
big warning about scams :) )
After this they futz around a bit 'cleaning' the system.
At this point it is all pretty innocuous.
The big problem is that after all this the call ends - but the
remote-access software is still installed!
I left the VM running for a few days and kept an eye on it (with Wireshark
running on the host to track network connections to the VM).
Nothing much happened that day - but the next evening around 9pm there was
a connection to the remote-access software and someone spent a while
looking around on the computer.
They did things like looking for documents, and checking browser
history/password store.
Since the VM was a clean install they didn't find anything and left after a
while.
At this point I shut down the VM and got rid of that VLAN/routing setup.
I also blacklisted the IP range involved just in case ;)

Chris
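The two checks a practitioner would want on a setup like the one Chris describes are (a) proof that the bait VM really cannot reach the other machines, and (b) a record of who talked to the remote-access software after the call ended, so the range can be blocked. Below is an added example, not code from the original thread, that runs both over `tcpdump -n -tttt` text output. The addresses (VM 10.66.0.10 on VLAN 10.66.0.0/24, home LAN 192.168.1.0/24), the remote-access port 5938 and the capture lines are all constructed for the example; the remote-access tool itself is not identified in the post, so the code treats a session as the VM "phoning home" or as someone connecting in, whichever direction the first SYN goes.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Assumed addressing for the bait-VM setup (hypothetical, not from the original post).
VM_IP = ipaddress.ip_address("10.66.0.10")          # the scam-bait VM
VM_VLAN = ipaddress.ip_network("10.66.0.0/24")      # its own VLAN
HOME_LAN = ipaddress.ip_network("192.168.1.0/24")   # the other (Windows) machines it must never reach

# One line of `tcpdump -n -tttt` output, e.g.
# 2012-06-22 21:03:14.123456 IP 198.51.100.45.51234 > 10.66.0.10.5938: Flags [S], seq 1, win 65535, length 0
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+ IP "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
)

# Constructed capture, not real traffic. Port 5938 is a made-up remote-access port;
# 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges standing in for real hosts.
SAMPLE_CAPTURE = [
    # day 1, during the call: the remote-access client on the VM connects out to its relay
    "2012-06-21 10:05:02.000001 IP 10.66.0.10.49152 > 203.0.113.7.5938: Flags [S], seq 100, win 65535, length 0",
    "2012-06-21 10:05:02.020001 IP 203.0.113.7.5938 > 10.66.0.10.49152: Flags [S.], seq 200, ack 101, win 65535, length 0",
    "2012-06-21 10:05:02.020501 IP 10.66.0.10.49152 > 203.0.113.7.5938: Flags [.], ack 201, win 65535, length 0",
    # day 2, 9pm: someone comes back to the still-installed remote-access software
    "2012-06-22 21:03:14.123456 IP 198.51.100.45.51234 > 10.66.0.10.5938: Flags [S], seq 1, win 65535, length 0",
    "2012-06-22 21:03:14.130000 IP 10.66.0.10.5938 > 198.51.100.45.51234: Flags [S.], seq 2, ack 2, win 65535, length 0",
    "2012-06-22 21:03:20.500000 IP 198.51.100.45.51234 > 10.66.0.10.5938: Flags [P.], seq 2:30, ack 3, win 65535, length 28",
    "2012-06-22 21:41:01.000000 IP 198.51.100.46.40000 > 10.66.0.10.5938: Flags [S], seq 9, win 65535, length 0",
    # a stray SMB probe from the VM toward a LAN box: if the VLAN works this line never appears
    "2012-06-22 21:05:00.000000 IP 10.66.0.10.50001 > 192.168.1.20.445: Flags [S], seq 5, win 65535, length 0",
]


def parse(lines):
    """Yield one dict per TCP line tcpdump printed; non-matching lines (ARP, DNS, ...) are skipped."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        yield {
            "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "src": ipaddress.ip_address(m["src"]),
            "sport": int(m["sport"]),
            "dst": ipaddress.ip_address(m["dst"]),
            "dport": int(m["dport"]),
            "flags": m["flags"],
        }


def is_external(ip):
    """True for anything that is neither on the bait VLAN nor on the home LAN."""
    return ip not in VM_VLAN and ip not in HOME_LAN


def isolation_leaks(lines):
    """Packets the VM sent toward the home LAN. Any hit means the VLAN split is not doing its job."""
    return [p for p in parse(lines) if p["src"] == VM_IP and p["dst"] in HOME_LAN]


def remote_sessions(lines):
    """New TCP sessions (a bare SYN) between the VM and external hosts, keyed by the remote /24.

    direction 'in'  = the remote side connected to the VM
    direction 'out' = the VM connected out (the remote-access client phoning its relay)
    """
    sessions = defaultdict(list)
    for p in parse(lines):
        if p["flags"] != "S":
            continue
        if p["dst"] == VM_IP and is_external(p["src"]):
            remote, direction = p["src"], "in"
        elif p["src"] == VM_IP and is_external(p["dst"]):
            remote, direction = p["dst"], "out"
        else:
            continue
        net = ipaddress.ip_network(f"{remote}/24", strict=False)
        sessions[str(net)].append((p["ts"], str(remote), direction))
    return dict(sessions)


def blocklist(lines):
    """The /24s that initiated a connection to the VM: the 'just in case' list to blackhole afterwards."""
    return sorted(net for net, s in remote_sessions(lines).items() if any(d == "in" for _, _, d in s))


def report(lines):
    for p in isolation_leaks(lines):
        print(f"ISOLATION LEAK {p['ts']} {p['src']} -> {p['dst']}:{p['dport']}")
    for net, s in sorted(remote_sessions(lines).items()):
        first = min(ts for ts, _, _ in s)
        print(f"{net}: first seen {first}, {len(s)} session(s), directions {sorted({d for _, _, d in s})}")
    print("block:", blocklist(lines))


if __name__ == "__main__":
    report(SAMPLE_CAPTURE)
```

Running `tcpdump -n -tttt -i <host-side interface> host 10.66.0.10` on the host (the interface name and addresses are the assumptions above) gives lines in this format, so the same functions work on a real capture; a Wireshark capture saved as text with absolute timestamps needs only the regex adjusted. The SYN-only rule is deliberate: the relay's SYN-ACK and the data packets are not counted as new sessions, so the list is of who started talking to whom, not of packet volume.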