A good start, but needs a lot of work. If it's targeting a Windows Support scam, why not tailor the audio to that? Mention one of various viruses. If the "tech" asks you to do something, say your Windows just bluescreened and have them wait 30 seconds while it reboots, all the while saying "hang on, it's almost there", "this thing's been really slow lately", etc. and then play the Windows startup sound. Pretend to have typed your password incorrectly a few times. Occasionally ignore whatever they say and start telling them you're running this program your nephew told you about.
And so on. If you call them yourself and actually follow their instructions, installing something from some site into an isolated, disposable VM and then running it, you can record what happens and then build that into a better script. Trigger these instructions by asking them what they can do to fix your computer, and time their response. Bonus points if you can detect them saying "http" which kicks off that part of the script.
When Dell was breeched a few years back my details made their way to India. I get a call from them about once a month. I've learned the script and various vectors they try to get the software onto my computer.
The longest I've had them on the phone is 20 minutes. He's one of my favourite recordings though
20 min is pretty good. I will usually get called while away from my computer. I try to see how long I can go from memory of windows (been using Mac for 8 years). Once they pass me to their manager I know they've caught on I'm fucking with them. The second guy is clearly more technical/experienced and starts trying to determine as fast as possible if I'm legit. My "computer" will slow down at that point, then, I ask stuff like "can you guys fix this as well?"
I love it when the person yells at me for wasting their time.
I'm on mac too with a win7 vm, I hit upon the idea of tagging them along as far as I could when they asked me to press the windows key and I'm looking at a mac keyboard.
The different shops that have called me all follow a similar set of attacks
1) windows key
2) run command to msconfig
3) browser to download payload.
I had a 'supervisor' on the line once and when they asked me to connect to the internet I'm pretty sure I heard them curse at me with incredulity as I played the 56K dialup sound.
I once got them down a conversation cul-de-sac when I asked them which they preferred - Minesweeper or Solitaire.
Yeah they always use the prompt to get to the admin panel with the list of errors and logs to prove there's an issue. I always act nervous. "There's a lot, Is it that bad?", and they respond with "don't worry sir, we're going to get it fixed for you".
Hah, this was great, listened to the whole thing. You had some nice tricks up your sleeve, laughed out loud a couple of times. Thanks! Love the response you got at the end...
I've only played along once, when the guy called while I was cooking lunch, but yes, after 15 minutes or so the "manager" came on and cursed me out very vehemently. I told him he should be ashamed for scamming people.
I had one call at home that I kept on for over 30 minutes, just coming back every 5 minutes or so and saying, "hold on, I'm just doing something, I'll be right with you", "sorry, just need to do this, I'm really sorry about the wait", etc, etc.
I did put some music on in the background so they might have enjoyed that.
Yeah... I was play 10hours of farm noises in the background.
I've had this plan for a while to get to the point where a 'generator' fails and I get to play the most awesome sound of someone firing up an old helicopter (i.e. restarting the 'generator'
It didn't get that far on that call. My thinking is that I was on a farm and one of the goats would chew through a power line.
For the next call I'm going to be on a construction site. I really want to play that helicopter noise...
If the "tech" asks you to do something, say your Windows just bluescreened
My brother did something like this once. Every time the guy told him to do something he just said it was reeeeeeallllyyyy slow. He also started with "hang on, I have to turn it on, its a bit slow starting...". He kept the guy on the phone for about 30 minutes before telling him he had a mac :-P
This is brilliant. Can't say whether it would work, but if you listen to the pre-recorded calls he's using to tie up the operators, they're ingenius in a comical way.
The second one features this woman who starts arguing with her teenage daughter in the background at length, then says to the guy "Oh my god I'm so distracted, I didn't hear anything you said, I'm really sorry, you're going to have to repeat all that."
Young female voices. Flustered and looking for help. Apparantly no males in the area, certainly no male voices in earshot. These recordings tap into some base instincts within the mostly male scammers. I suspect that a recording of my voice wouldnt keep them on the line nearly as long.
But for these scammers i'd go with something more targeted: old people. Thier prefered prey is flustered old people who dont understand computers. Give them an old woman with bad hearing who mumbles about her internet not working. Then toss in a few "do you take visa" and some random numbers. That will keep them on the hook.
I called one of these things back after a few beers one night, and before I could get connected to an "operator" I had to go to a web site and get a support code, which I had to dial into their answering system. Seems like that would thwart this robo-dialing scheme, at least to some extent.
Was it captcha'd? Probably wouldn't be hard to adapt to and as long as you're quick enough to adapt. Cat and mouse will end up costing them more and more as they reduce conversions and change business processes until ultimately they'll have to give up.
I'm Indian myself and it concerns me that so many of these scams emerge from what appears to be India (based on the Indian accents).
Does anyone know if any scammers have ever been "brought to justice" in India. Ever?
Seems like something that should be a high priority for the Indian Govt. if they want to help with India's image abroad, especially with the tech sector.
I correspond with someone from India that is heavily into marketing this stuff (he does legitimate things as well, and is one of the most knowledgable paid Facebook advertising specialists on earth, which is how I came to know him). He has been pushing it for years and the Indian government has never come close to bothering either him or the people that actually own the services that pay him for each phone call his advertising generates.
It's not just the Indian government that is lackadaisical about this either. He is able to run ads for tech these support scams through Facebook and get ROI above 500%. Facebook eventually stops his ads, then he buys another ad account. In fact, he claims a single aged Facebook account is worth roughly $10,000 to him (aged accounts have an easier time getting ads through). He spends well into the six figures each year on these types of ads through Facebook alone. Ad platforms share some of the blame for the proliferation of these scams because they simply do not police their platforms well - the tactics he uses to get these ads through their review process are truly elementary but are good enough to foil a company full of PhD's. Clearly they aren't trying very hard.
Everything you just wrote is extremely interesting to me.
> he ... is one of the most knowledgable paid Facebook advertising specialists on earth, which is how I came to know him
> ...
> the tactics he uses to get these ads through their review process are truly elementary
I'm not a marketer or advertiser myself, but I'm always interested in learning more about these aspects of the Facebook "scene" just to better mentally map the state of things.
Sounds like a lot (if not most) of the things this person has learned are the kind that only keep working if you're quiet about them, but I'm still very curious to hear what could be shared.
Most rogue ads rely on "cloaking" which means showing an acceptable landing page to the ad network reviewers, while showing the bad landing page to everyone else. The LP's are cloaked for all visitors before they are approved and go live, since only the ad network would know the URL. The IP blocks that access these URL's during this time are recorded and permanently cloaked. Most cloakers also cloak all known data center and commercial IP blocks. Facebook sometimes checks LP's from residential and mobile IPs, and often that is how they catch rogue ads, but this isn't often done. Rogue advertisers also setup honeypot URL's, for example by sharing them on closed Facebook groups and adding any IP block that accesses them to the cloaking list.
Cloaking isn't perfect, but for those marketers with enough IP data, it is effective enough to make these kinds of campaigns enormously profitable and the occasional loss of accounts only a minor inconvenience.
That seems quite easy to catch. Couldn't facebook just use phones that have their app installed for this? That should of course be opt-in. I can't see any privacy problems with that and if distributed (maybe weighted by app usage) across all users, the bandiwidth usage should also be completeley negligible.
(though to be fair it's completely legitimate to have landing pages that change their text based on the user's location, referrer, etc., so that wouldn't be a silver bullet).
I've never heard of this, and yet I've read a number of think-pieces that have been on the front page lambasting the ad networks for letting sketchy ads through. If this is only the trivial end of hiding from the network's policing strategies, it seems like they're a lot less culpable than I thought. Do you have links to more information on the other tactics?
You can Google "PPC cloaking" and get quite a few interesting results. There are also professional cloaking services that maintain large IP datasets. The two most popular of those are called Just Cloak It [1], and, ironically, FraudBuster [2]. Also if you're looking in general for information on this and other black/grey hat marketing techniques, Black Hat World [3] is a great place to start.
Come on, we're talking about Facebook? They could easily "sample" the actual ads that are displaying for users on their computers, and compare them to the ones that were approved.
I'd start at http://blackhatworld.com . There is alot of crap there, but also a world of valuable knowledge of this and other internet marketing techniques.
I'd be weary of this person you are describing, depending how you got to know him. It reminds me a bit of certain poker coaches back in the day. You basically only have his word. I'd assume the 10k figure that accounts are worth and the 500% are vastly exaggerated. If it works so well, why is he sharing this with you? Let me guess, because he enjoys mentoring and is tired of doing the same profitable things over and over? He's probably charging a fee for these invaluable services?
We share technical and strategic internet marketing information/software, and info about what is and isn't currently working marketing-wise. The stuff about the specific campaigns he's running came up only after more than a year of such exchanges. Also he isn't giving me his landing pages, his advertiser contact info, etc., and he knows I'd never touch something as legally questionable as a tech support scam anyway. But of course at some point when talking to others, after long enough, you talk about what you are working on. I've never paid or been asked for a dime.
They could most certainly be exaggerations in his case but the claims aren't that bad for experienced marketers. 500% ROI is a bit high for me but I wouldn't bat an eye if he had said half that.
People share stuff in the internet marketing industry/this niche, just like other industries. It's how things work.
My gut instinct is to have government hold these advertising platforms accountable for fighting this more effectively but I know that's a total mess waiting to happen because how do you measure the effectiveness of mitigation? I guess one option would be allowing merchants to recoup charge backs from the ad platforms but connecting the charge backs with the individual ads probably wouldn't be cost effective at all.
The Indian government busted an IRS scam ring in India last October. Seventy people were arrested.[1]
It's a variation on the theme. They call Americans and impersonate the IRS, demanding payment of some imaginary taxes owed. A remarkable number of people have been gulled.
> Seems like something that should be a high priority for the Indian Govt. if they want to help with India's image abroad, especially with the tech sector.
For sure. There is a similar scam where "Microsoft Tech Support" calls people who they have detected have a virus on their computers. They have called me many times and I always play along to try and waste their time as much as possible. I know it equally wastes my time, but it is for the greater good! Then when they figure out they get angry at me and yell obscenities. :)
If you've been to India, you'd see it's much closer to anarchy than the US. There's almost no respect for the law. Car drivers don't even pull over to the side of a road to let cop cars with flashing lights go by. At train stations people sell fake tickets from scam booths, and can do so for months or years because they bribe the police or are ignored.
Please don't take my word for it, research but yourself, crime is rife and in your face. Even crime of a sexual nature. Turn the corner from gleaming skyscrapers and there is poverty, real people washing clothes and cooking utensils in sewage. Huge tech centres for the big outsourcing companies are literally across the road from slums.
I had assumed they used people with an Indian accent because that is what people expect to hear when they call tech support at this point. I wouldn't be surprised if it increases someones level of trust. Do we know these schemes are originating from India.
Lenny is a best-of-breed incoming telemarketer baiting system. It simulates a kindly but slightly addled old man--the perfect target for scammers--and through a simple Asterix system that waits for a pause, then plays a random response, can fool the telemarketer into repeating themselves over and over.
It's remarkably effective at wasting telemarketers' time. I once received a tech support scam call and I managed to conference in Lenny right at the start. The call lasted 40 minutes; they kept shuffling Lenny around to different people so it took forever for them to realize it was looping.
Now whenever I get a telemarketer call on my cell--illegal in the U.S., but no one seems able to do anything about VoIP calls from India--I rush to conference in Lenny and hope it "takes". Sometimes they stay on the phone but usually they disconnect. Lenny's starting to become famous!
The next phase in this war is speech recognition. If the answer bot can pull out a key word like "Windows" or "virus" and repeat it back to the telemarketer ("Virus? I have a virus? Oh, what do I do?"), it is highly likely to pass the Turing test and waste an extra ten minutes of the poor scammer's time.
I've only recently heard of Lenny (late to the party), but think some of the videos I've heard are hilarious.
I know "he's" been around for a while, and runs on a purely manual random delay system, but I wonder if Lenny could be updated with modern technology, to do a bit of rudimentary voice recognition for better interaction with the scam caller?
I know that his existing script is very cleverly generic and timed to work in with most telemarketing scripts, but I think if it was improved just a bit more, we could end up with quite a convincing respondee that would burn up more scammer time, and hopefully make a small dent in the enthusiasm of these con artists...
from what I've read, it is meant to wait for a pause (It uses Asterisk, which in turn has some basic detection for pauses and the such, which the script uses)
An alternative I thought of the other day while watching one of the hundreds of YouTube videos of this was to simply batch-dial thousands of numbers all at once then randomly route them to each other. For bonus points, record everything and make it available live.
The next level up would be a trusted-user system where you could go to a website, hit a button and immediately be connected with an actual scammer; or you could listen in on other people currently in calls and suggest things they should do next. And maybe there could be a pool of VMs available to play with...
Regardless of technique - fake recordings or various types of routing - I would advise making friends with all the high-level VoIP gateways. That way you won't have any problems batch-establishing hundreds of calls at once (for example if you know all the numbers for a call center and you know what time the, er, staff get in), getting a new number block, or even getting general caller ID override (which I understand is sometimes unavailable?).
My thinking here is that if you can win over a bunch of providers (with money and inspiration/sentiment), you could VoIP-DDoS the gateway providers the scammers are using. Would tie up the scammers' time moving to a new VoIP provider.
This. Great idea. I love the idea of being able to be connected to an actual scammer via website and have a little pop-up window with others suggesting fun things to do to the scammer. The recordings can then be made into loops to autodial them.
While this seems satisfying, it would be more effective to figure out how these companies are still able to access the credit card networks and block the shit out of them. I used to work at one of the smaller international CC processors, and we specifically rejected merchants offering "remote technical support" (i.e., THIS EXACT SCAM) and the entire rest of the 5967 MCC (inbound teleservices).
I recall reading that the "fake IRS" crew had started working around this by telling people to buy iTunes gift cards, but it would be a start.
A word of warning for the author: phone numbers can be easily spoofed (like you can spoof the sender email address or the originating IP in a UDP packet). What's more, many scam calls do use spoofed phone numbers. Thus the number you might be flooding may not be the originating caller. This could turn your utility into something far more malicious than was originally intended.
Yes, but also get the ball rolling to also improve this system in the world. Companies do not care that systems are vurnable until it really affects them. Just look at the botnets from vilnerable IoT devices waking up parties so they start to protect them. Same with phones and their support periods...
Blackhats don't tend to publish their work in a way that is traceable back to their person. If this system gets abused then the OP becomes liable. This was why I raised my warning to the author specifically - albeit I couldn't have made my point about the legal consequences of abuse clearer in my previous post.
The problem is when people send you numbers or emails of legitimate people, because now you're basically DDoSing their phone number for free. How is this service planning to vet these numbers?
Thanks for that, I've deleted the first one. I have safeguards in place to prevent legitimate senders from being hassled, but I have to add them first.
The long and short of it, the Indian scammer ends up setting a SysKey password and a bios password on his machine. He's using his bosses' machine, and it appears to be the domain controller.
The scammer ends up crying and screaming at the guy and out of terror and rage, ends up hanging up.
Normally, I would be like "I feel bad for this guy". Nope not at all. Bloody scammer got what he deserved - a taste of his own medicine.
- Scammer volunteers the information that he's "using his supervisor's computer". This increases the emotional satisfaction of watching the video but seems unmotivated.
- Scammer sounds like he's suppressing laughter at one point.
- Scammer follows the guy's instructions in the first place and continues doing so.
- Some of his lines seem to have an oddly flat affect, as if he were doing bad acting.
- Scammer doesn't actually have an Indian accent, is pretty clearly just pretending. They try to fake the grammar stuff but can't pull off the subtle mispronunciations.
This is incredibly fake. The end REALLY drives it home.
I agree. The mocking because of being Indian is not cool. But harming scammers; I have a hard time not deriving enjoyment out of that.
It's probably wrong.. But these people are extra-legal. The US can't touch them. The Indian government doesn't care... and they bring in US money to their country along with tax revenue.
It is great to see this problem highlighted but herein we have found a line that some people find hard to walk. Real shame this person [whose voice is in the video] has created such a distraction.
True that. And that dead (and removed) comment was by "Asooka".. Seems like a slur to Maurya Ashoka. Some times, things like that will also catch me.. was just wrong, but couldn't put my finger on it until now.
This is neat, but at the end of the day, only user education will eradicate scams. As long as there are people willing to call strangers and give them access to their computers or buy iTunes gift cards for them, there will be scammers ready to be those strangers. Somehow people learn to not get into strangers' cars. They need to also learn to not trust uninvited solicitations, especially coming from the internet.
This reminds me of stuff we used to do with 96 line dialers way back in the day. It was a pretty solid tactic for dealing with anyone that scammed us. Difficult number portability, a lack of ubiquitous capability to cost effectively deal with a phone DoS, their lack of knowledge about various telecommunications laws (what with search engines not being what they are today) and most importantly the fact that they were almost universally uninterested in engaging law enforcement (what with the scamming or fraud) it was a pretty effective way to get bad people to stop being bad. But it was a long time ago and I wouldn't do it again given the chance. I was really young, it was definitely an ethically gray area and we were breaking at least one law.
I also came to understand over time that the reason we kept having run ins with scammers was because we were running a shady ISP/hosting and telemarketing business that had a significant portion of customers who were scamming their own customers. If it always smells like shit there might be some on your shoe. It was an important lesson and now I pay a lot more attention to how my employer gets money and who they get it from.
On a lighter note we won tickets a couple times calling radio stations. We felt pretty bad about cheating like that so we never did it again but it was pretty effective as long as you had a couple butts in seats to deal with the "sorry you're not the 9th caller" pickups.
It's rather funny that all it takes to defeat UAC in Windows is for a complete stranger with a foreign accent to call you up and tell you in broken English to "push the 'Yes' button on that popup called 'Run as Administrator'".
In Japan they have problems with scammers calling up pensioners claiming to be their sons in a bind, and directing them to go to an ATM and set up a wire transfer to drain their savings. One solution was to install cell jammers inside of the ATMs. https://www.engadget.com/2008/12/10/japan-installs-cellphone...
Time to put cell jammers inside of PCs that get activated with UAC is up?
The problem exists in America as well; my elderly father was hit by it. Luckily my mom overheard his end of the conversation and put a stop to it. (Turns out, the scammer is very good at crying, but not very good at proving their alleged identity by knowing my mother's name. Hurray impromptu two-factor authentication!)
But I believe that it's illegal to operate cell phone jammers, unless you're the government. And for good reason; it's wonderful that you prevent someone from being scammed, but if I'm attacked by a mugger near an ATM, I'd rather like to call 911.
The initiatives in Japan were in cooperation with the police, so I'm sure it's not impossible for them to get the proper permits. And many Japanese ATMs already have a "panic button", I'm sure the ones in question would too. Mugging isn't a huge crime here so I guess that's more of a problem implementing it in the US....
It's rather funny that all it takes to bring back preventable diseases is for a complete stranger with an impressive title to call you up and and tell you in intelligent English to "not vaccinate your kids because vaccines cause autism".
Locked down by default with an option for advanced users to jailbreak seems to be the in thing on handheld devices. This is something not easily done over the phone as there are extra dependencies (namely having another device with a debug SDK installed and a spare male-to-male cable).
I'd hope that he gives the number one call to validate that it is, in fact, a scammer before putting it on blast. If he does, I really have no problem with this approach (and have considered it myself, frankly); if he doesn't, then this is just downright irresponsible. But I'd hope no one would be stupid enough to just trust random data from internet users, in this regard ...
You could wait for multiple verifications. For example wait until 3 reports of the same number from different IP blocks. It needs Tor and public VPNs filtering, but that should be enough for most cases.
Easy, use a handful of pre-vetted volunteers, not anonymous IPs. Like all the internet communities that require some form of vetting by mods before a user can do some action.
You get a phone call with a pre-recorded message "Hi, this is Microsoft calling, we have received notification you have a virus on your computer, please call 888-888-8888 for assistance removing it."
You call and they either charge you for "support," when they instruct you to delete some files from your event log or something benign or they direct you to install a program that gives them remote access to your computer so they call install malware or ransomware or steal all your files.
After the Dell breach they got even more convincing "This message is for John Doe, this is Dell, we are calling in regards to your Dell Inspiration 1234 with serial number XXXXXXXX."
Sometimes it's a person on the other end instead of a recording but I can't imagine a cold call that requires computer access would be very effective because how many people are going to be sitting in front of their computer at that time? They will almost always instruct you to call back.
An very old pre-internet scam is "you've won a free vacation call 888-888-8888 to claim it." When you call they ask you to pay taxes on your vacation then they run away with the money you paid in "taxes."
I came across one of these a couple of weeks ago. I knew it immediately it was a scam because the guy had an indian accent. I played along just to see what he would do.
He directed me to site support95 .com. Apparently, there is a similar site called support18 .com. From there he told me to download an exe file. That was where I stopped. I did not know what would further happen.
If anyone wants to try it: Call 18005589204.
Tell him you got a voicemail of someone from Microsoft saying something about license expired. I would love to know what ultimately happens.
Most of the ones that I have heard of here in Australia don't provide a number - they just call you direct and say that they are reacting to a 'virus log' on their system, apparently.
I have had several family members and colleagues being called by them over the years - some multiple time, but so far I've never received a call from them. I actually can't wait for one of them to call me. My intent is to string them along on the phone for as long as I can with the reasoning that every minute he is wasting with me is a minute that he can't scam an unsuspecting person...
That's exactly the sort of thing I want to do with them. I have another colleague who managed to string a guy along for nearly half an hour. Always managing to convince him that he was a noob struggling to get around. He said you've got to give those guys 10/10 for patience. Just imagine if they had real support jobs - they could probably do well at it.
Do you have a landline? I've never got one on a mobile phone, but I used to be inundated with calls on my landline until I bought a Panasonic phone with a call block feature for up to 3000 numbers. (I had the same feature on an older phone, but I used up all 75 number memory slots with numbers I had to block from scammers & 'charities'.)
Some of the caller ID numbers are forged, but at least the one from +1 (234) 567 890 was obviously so.
If you've not seen it before, you might enjoy Troy Hunt's video stringing along one of the scammers:
Yes, caller ID on a landline has been available for at least 20+ years, at least that's about when my parents first got it from what I remember. At first it was a couple dollars extra a month but it's standard now.
Also every office phone I've ever had has caller ID.
Yup, for a few dollars extra per month (or sometimes for free) Australian telcos will let you see the number of the incoming call. You'll need a handset with a caller ID display, but most modern handsets do.
You know how all Telstra passwords used to be Bigpond1?
Well I changed back to Telstra a few years ago, and had a third party ring me trying to get me to switch over to some service. Anyway I had way too much time on my hands so I talked to her for ages, and asked them where they were and the weather and stuff but whenever they asked for some Id stuff I'd say that I don't give that over the phone to people who have called me, they have to give me some proof they're from the company.
Anyway she knew my address and my last months spend. So they had been spamming bigpond account logins with bigpond1 to get access to all the account verification details... then if you fell for it they wound switch your number over, they had some basic billing information so xould find your bank account, and then the endgame is drain your account.
Tried telling Telstra and the customer support guy couldn't have cared less; but I think the default is slightly more random now so might have closed it.
Imagine that. It affected a lot of people; I don't think there are all that many that cracked the problem. Telstra could be up for a lot of money if a few people who lost got together
If you make up some reason that you have to call them back (and seem earnest about wanting their "help") they will (often) give you a number (although they may stop doing that if they get blasted enough)
Well, there's already a technical solution for that. You can drop packets which are coming from inside your network but which have ips which don't belong to your ranges. If there was a law that you need to have equipment capable of that and be using it that would be a step in the right direction.
Same for telcos. Make it mandatory and watch them scramble to fix their shitty infrastructure.
Instead of fining them money when they fail to implement the law's requirements make them have to cut everyone's subscription charges in half until they do follow the law to the letter or face the SWAT teams.
What percentage of people doing this (or the "This is Lenny!" thing) would it take to make the scam unprofitable? Is there any work on that topic, like "what percentage of honeypots makes scammers quit"?
I don't get many "Windows Support" scam calls, the two I have gotten I was unable to play them for long, as I am a poor Linux user, not Windows knowledgeable at all, but I generally keep the "Card Services" people on the line for a few minutes.
A small percentage could hurt their profits a lot, but it's not like they are without counters to this. They could slap on a max length at which point they know they're wasting their time, and also start to blacklist numbers that waste their time. They could use audio recognition to avoid known automated honeytraps, but even humans would adapt after enough calls.
I still think it would be difficult to even reach that target %. As much as I would like to waste their time, I'm strapped for time myself. There would need to be a way to receive a call on your phone and send it to the honeytrap in two 'clicks', where it plays scripted responses in the background.
If we reached that magic percentage, I think they could have a counter. They could discourage this by using targeted harassment. Someone screws with them, they send a mass of random calls over the course of a day.
After a few years of monkeying with the "Cardholder Services" calls, I'm convinced there's two layers of crooks involved. The first layer is the autodialers, they just run through series of phone numbers, and play a recording. I'm pretty sure these bastards don't screen numbers, because I can at least get through to the (Indian) boiler room almost 100% of calls.
I think the boiler rooms are actually seperate organizations/crime clans. The boiler rooms do screen, but not universally. After years of being "Edward Snowden" and giving out fake card numbers that pass the Luhn checksum, only maybe 25% of the boiler rooms cut me off. A few days ago, the "service rep" had a bad headset and I could hear a recorded voice telling him to hang up, which he did.
Even Trump's FCC would have to deal with targeted harassment. That's the kind of crap that nobody puts up with. Besides that, harassment calls probably ruin the NSA's data retention practices, so that just can't happen.
Seems like it would be better to go through with the calls and destroy them at the payments gateway/payments provider level, same as was done with online pharma spam.
In my experience with counter-scamming, these guys generally don't actually use any kind of payment processor -- they ask people to go get gift cards and tell them the numbers. It's a clever way of going about it, which essentially guarantees that they can't be shut down directly. The only way to beat them is to waste so much of their time that it's no longer profitable.
I don't think this is going to DDoS the scammers by calling them back; I think the point is you just transfer the inbound call to his bot -- the success rate on these things is so low, if he's got good enough penetration the false positives will overwhelm the true positives.
I think, anyway. Spent five minutes reading the post and other parts of the blog, and dimly recall seeing something from this project posted previously. Happy to be proven wrong.
"As fast as you can report fake “you have a virus call this number now” messages to me, I will be able to hit them with thousands of calls from bots. It’s like when the pirate ship turns “broadside” on an enemy in order to attack with all cannons simultaneously."
But it's late, and I'm too tired to read the rest of his blog posts.
I'm assuming you're using a VoIP provider to do this - just be careful, they might have rules against this. Definitely don't do it on an account you have a personal number you value or something.
That said, I fire attacks at script kiddies in the clear from big server providers including DigitalOcean and OVH, so I suppose as long as the attackee can't really complain legally, you might be okay.
The video, the guy mocks the Indian scammer with repeated lines like "Not goot, not goot at all" in a very Midwestern->faux Indian accent. Think Apu on "The Simpsons".
And no, making fun of someone because of their nationality and origin language just isn't cool. Maybe it was 60 years ago, with killing Commies and Japs and Niggers. I'd like to think that most of us are past that brutish "ideal"..
Then again, with commentary of 'Please go back to tumblr until you develop the required reading skills to participate on HN.', they certainly have demonstrated more skills in understanding content than you have. Perhaps it ought to be you who "goes back wherever someone else thinks you came from?, no?
And so on. If you call them yourself and actually follow their instructions, installing something from some site into an isolated, disposable VM and then running it, you can record what happens and then build that into a better script. Trigger these instructions by asking them what they can do to fix your computer, and time their response. Bonus points if you can detect them saying "http" which kicks off that part of the script.