21 Jun 2012 05:53
Re: virus phone call scam: question/wacky replies
On 21 June 2012 13:08, Chris Robinson <fabricator4-/E1597aS9LQAvxtiuMwx3w@public.gmane.org> wrote:
>________________________________
> From: Chris Debenham <chris <at> adebenham.com>
> To: Boden Matthews <boden.matthews-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
> Cc: ubuntu-au-nLRlyDuq1Ab8jaIunW+tqQ@public.gmane.orgu.com
> Sent: Thursday, 21 June 2012 10:02 AM
> Subject: Re: virus phone call scam: question/wacky replies
>
>
> * Call them out on this all being a scam (in the process have had threats and rather bad language shouted at me)
>
I've actually done that one. I was at my father-in-law's house - he's 90 and has never even owned a computer.
The person (female) did not get abusive, but rather got upset and admitted that it was a scam. Surprise! I like to think it might have been a life changing experience for her.
I like the idea of letting them have access to a VM, just to see what will happen though. I'd be a little concerned about all the other computers on the same router though - some of them (the wife's) are Windows computers.
I have actually tried this before.
I set up a virtual machine and put it in its very own VLAN (so it can't access other machines). I also set up routing so it was the default destination for a while.
They get you to go through a few steps to show some 'errors' (which are not really a problem).
Then they get you to go to a website and install a remote-access application so they can access your system directly
(note that some of the webpages they can refer you to even have a nice big warning about scams :) ).
After this they futz around a bit 'cleaning' the system.
At this point it is all pretty innocuous.
The big problem is that after all this the call ends - but the remote-access software is still installed!
I left the VM running for a few days and kept an eye on it (with Wireshark running on the host to track network connections to the VM).
Nothing much happened that day - but the next evening around 9pm there was a connection to the remote-access software and someone spent a while looking around on the computer.
They did things like looking for documents, and checking browser history/password store.
Since the VM was a clean install they didn't find anything and left after a while.
At this point I shut down the VM and got rid of that VLAN/routing setup.
I also blacklisted the IP range involved just in case ;)
Chris