Scamming the scammers – catching the virus call centre scammers red-handed (troyhunt.com)
180 points by troyhunt on Feb 20, 2012 | 42 comments



I had a freshly cloned WinXP instance running in Hyper-V when I was called by one of these scammers. I went through the same thing out of interest's sake. I thought they might clue in when Oracle 10g was the only thing in the Start Menu. They didn't.

The interesting bit is that I called LogMeIn with my other phone, excused myself for a moment "to answer the door", explained the situation, gave the session ID (whatever it's called) and they got to listen in on a good portion of the whole thing.

After I called them on what they were doing, LogMeIn told me there was nothing they can do about it. I suppose if the scammers are LogMeIn customers, LogMeIn is perfectly willing to facilitate this sort of behaviour.

That put the nail in the coffin for my ever using LogMeIn.


To be fair to LogMeIn, it's a privacy violation to monitor the traffic that goes on in the connections they facilitate, though they should at least investigate such warnings, and perhaps suspend accounts that have had a certain number.


Well the LogMeIn tech support rep got to actually hear the conversation between myself and the scammer by speakerphone, so that should have sufficed to start an investigation.

But I guess to be fair to LogMeIn, the tech support rep just might not have cared.


How about something like this for the "Card Services" scams?

These are the robo-calls with the female voice telling you that you can lower your credit card's interest rate, but it's only for a limited time, so press 1 to talk to a service rep.

I've gone pretty far down the road with a few of these "service reps". I'm convinced they want credit card number, expiration date and CVS/CVC for cards with a large available balance. They hang up on me if I just want the lower interest, or if I inquire too closely about who they work for, or why they need the CVS/CVC (3-digit code on the back of a card).


I had an interesting experience with these scammers.

I played dumb and got from automated to first line qualification to second line qualification to the person that closes the deal. At each level you could tell that the savvy-ness of the person went up dramatically. When I got to the closer, he was smooth as silk. He asked me for info from my credit card statement. I kept him on the phone a good 10-15 minutes playing dumb, then I hung up. He called back immediately and said "oh, we got disconnected" and I basically told him he was scum and I did this because I asked to be taken off their "list" about 20 times. He said "you'll regret this" and hung up. At this point my phone rang again and someone started screaming at me. He had redirected the complaining victims like myself to my phone #. I unplugged my landline and called AT&T on my cell. They really couldn't do anything, which I found amazing. After 30 minutes I plugged the phone back in and didn't receive any more calls.

Then, I googled "card services". It took me a while, but I found a lawsuit against some company from around 2002, and even found a PDF containing the complaint by some lawyer in TX, complete with a phone number. I figured, what the heck, I'll call it and see if anyone answers. Some old guy answered on the 2nd ring and I explained the situation and he was very surprised. He said the company had been shut down soon after the lawsuit. I told him they were back, with a vengeance. They had been calling me at least once a day for a year. He told me to start a case with the FCC (I think... it was a few years ago), which I did by filling in a form on their website. Never heard squat.

After the incident mentioned above, I didn't get a call for more than a year. Then, they started up again. Now, I just hang up immediately. I'd say I get a few a week at this point.


Card services are the calls I've been getting lately, although I haven't bothered to engage them.

Last year I got tons of auto warranty calls. The FCC eventually managed to shut them down, but not before they annoyed me quite a bit.

I got so tired of it I started playing with them. As soon as they were trapped, they'd hang up. When I pointed out I didn't own a car (as it's not in my name), they hung up. When I pointed out my car was out of warranty, they hung up.

When I thanked them for calling and was happy to renew my warranty, they were thrilled. I asked which of my two cars was out of warranty, they hung up.

I'm glad the new anti-robocalling rule just got passed, but since 99% of the calls are either illegal already or by politicians/political groups, I doubt the law will make any difference.


I got one of those recently, they said they were from "Visa Mastercard", they fell apart pretty quickly when I asked which one they were from.


Where's Anonymous when you need them? There's probably enough people with enough chutzpah in that group to make business very difficult for these sorts of crooks if they were so inclined. Defending little old ladies against this sort of nonsense would go a long way toward polishing their image.

Anonymous: Get a bat-signal.


Their standard answer to calls like this is "we are not your personal army".


From what I've heard their targets (assuming it is just one group, which I personally doubt) tend to be political, big commercial organisations (I'm not sure as this counts, they are not a high profile group even if they are of an interesting size), or those that take a specific stance "Anon" don't like (such as trying to arrest/charge/out/what-ever one of their number). This just doesn't feel like the sort of thing that would get them motivated to bother.

What is it that you think Anon might be able to do here? Even if they one of the scammers for a short time there are many more that will still be operating. The scammers are not a single large target like, for instance, Sony.


So how do you stop these kind of scams from continuing to go on? I would think the best option would be to revoke their ability to collect money. Visa/Mastercard/Amex should suspend their merchant accounts. Sure, it'll be a cat and mouse game but at least they'll be doing something.

A friend's machine was infected with a fake virus demanding the user purchase software that'll clean the machine. I'm so surprised these guys are able to steal money like this. Suspending the ability to process the credit card would put a lot of these viruses out of business.


Not really. The way these guys operate is that they often load balance their charges over many merchant accounts.

Your merchant account can get into trouble if you have too many chargebacks and have too high a percentage of chargebacks. So the way most people do it is try and stay under the hard limit. The percentage is still too high but as long as you stay under the hard limit you'll be fine. If you know you're going to bust that merchant account that month you pump as much of your transactions through and close the account before the chargebacks inevitably pour in leaving the issuing bank on the hook. I can't remember which of Visa or Mastercard gave more leeway but the numbers were something like 35 max chargebacks/month and under 2% of total transactions and the other 50 max chargebacks and under 2.5% of total transactions. The numbers may not be exact but they should be reasonably close.

It's actually very easy to get a merchant account. You set up a dummy corporation, get a legitimate-looking website and request one. You usually get it. So if you just pay a web designer to make you a generic layout with 100 different logos/color schemes you can definitely get 100 merchant accounts.

One of my ideas was to create a crawler to detect a lot of these scams and alert the banks before the scammers cut and run. It's a decent idea (most of these scams run on very common patterns that can be detected scraping the web. The terms of service are a great place to start) and would definitely save them a lot of money but there's no way I want to get involved in sales to banks.


I thought your company had to have a credit history or you would have to use your personal credit to open the account. Is that just a requirement for the better banks with lower rates?


If you're going with a brand name bank you'll have to jump through many more hoops than going through a small one.

There are also boards out there that scammers hang out on and share which banks currently have the easiest-to-circumvent systems. I'm not sure where they are anymore; they tend to go up and down a lot and I haven't paid attention to any of this for a couple of years now.

Some of these scams can be so profitable that the scammers literally buy small banks to make sure they don't get shut down and give great rates to people with legitimate business and high enough volume so that the blended rate between their legitimate customers and their scammy cash cow looks ok. They take a loss on the legitimate customers but the cash cow is a scam and almost pure profit so they still make a huge amount of money.


That's not the way it works. If you have a merchant account, and someone issues a chargeback, you won't ever see the money again, unless you can somehow prove the charge was legit. It's not like you can pump and dump a merchant account for $1 million and then skate on to the next merchant account.

The way it really works is that merchant accounts don't get money for 90 days after the charge until it's really cleared.


Chargebacks can still come along up to 6 months after the charge date, not just 90 days.

And yes, you aren't going to see any of the money from the chargebacks but that doesn't matter. A very small percentage of people know about or bother to charge back. You'll lose maybe 5-10% at most (a higher cb rate would surprise me but then again I've never run a scam op so it may be common) and you will get a lot of faxes but you can just ignore them, take the 90% out and let the bank shut down your account eventually.

By the time the bank gets around to actually shutting down the account most of the money will be gone. I imagine they'll freeze the money at some point but if you're running a large operation you'll know at what point that will happen and will have stopped using that merchant account before then and have taken most of the money out.

EDIT: I forgot another reason why banks don't like chargebacks: banks themselves have to stay below a certain aggregate chargeback threshold across all their clients' accounts or they get grief from the credit card companies and have to pay penalties/fines. If they're a small bank there's even the possibility that the credit card companies will drop you entirely.


Remember the debacle where visa and mastercard were pressured by the government to run financial warfare against wikileaks? Any API where the government requires corporations to levy financial warfare against any or all users (across the globe) is the wrong sort of solution. I don't like these scams either, but sacrificing freedom for security is a bad idea.

The core problem is not the scammers, but the complete ignorance of some people in this country. As long as we have people who are dumber than fence posts, then these scams will always be with us. The solution to this problem is to find those responsible, bring them to justice, compensate the victims. Not create a new judicial branch out of international corporations.


> The solution to this problem is to find those responsible, bring them to justice, compensate the victims.

And, of course, educate the victims. Unless we want to be compensating them repeatedly forever.


I have had it twice - both times I was working - so I pretended to go along with them. I faked crashes, and restarts (each that took ~ 5 minutes) while I went on with my work. At about the 50 minute mark they seemed to realise (both times) that it was a lost cause - so made excuses and just gave "advice" and hung up. So from that small sample I guess there is a limit to what they are able to sink on a given customer time-wise. My satisfaction was that it was 50 minutes they weren't perhaps attacking someone vulnerable.


I'm very familiar with the "you have a virus" pop-ups that trick helpless users into downloading bogus software, but I've never heard of a cold call version of that scam.

Am I misunderstanding something, or do these scammers literally call people's phones and tell them out of the blue that their computer is infected? What if they say "I don't have a computer"? What if they say "I have three computers, which one?" Seems like that would raise more flags more quickly than a pop-up showing on your actual computer, and manual phone calls can't scale like pop-ups... how is that still profitable or what am I missing?

Edit: OK, number of computers is easy. Still surprised that it is profitable given (what I suspect as) the inability to scale. I guess the conversion rate just isn't that bad.


> Am I misunderstanding something, or do these scammers literally call people's phones and tell them out of the blue that their computer is infected?

Incredible as it sounds, that is literally what they do. My wife got called by these scammers last week but she knew enough to be suspicious and respond that her computer expert husband would look into it. :) (FWIW we live in Melbourne, Australia.)

This type of scam is one unfortunate side-effect of extremely cheap internet based telecommunications.


> What if they say "I don't have a computer"?

click

> What if they say "I have three computers, which one?"

"We're going to need to check all of them."


Exactly. Very low risk for them. If the call goes nowhere, they hang up and move on to the next target. The previous target thinks it a bit odd but what are they realistically going to do about it?


It works the same as those "We are from bank X, give us your account details" scam emails. They completely miss people that don't use bank X but it looks much more legitimate for those that do.


Well, this actually happened to my Grandmother a few weeks ago (UK) who actually had them up to her bank login before my Grandfather stepped in. It quite disturbs me that scammers have better luck bluffing their way into someone's computer than hoping for a malicious script to catch a bite.


I have asked one of my friends who works at Bank of Baroda to look into this. Hopefully BOB will shut their account(s).

But even if Bank of Baroda closes their merchant account they'll go somewhere else & open a new account and continue their bad activities.


Good work, I've also emailed Bank of Baroda directly and provided them with the information in my post.


My (hacker) friend gets these multiple times per week. He has tried being increasingly lurid and profane but they still call him. They obviously aren't doing much analytics.


Weird. You'd think they wouldn't want to waste their own time like that.

They were targeting my grandfather for a while but stopped calling when I would cut them off mid-sentence.

The first time I was thoroughly confused by the truly nonsensical gibberish the guy was spouting until he got to the point where he offered to fix it all. Then I just said I was a software engineer and that everything he just said was garbage. He replied, "Software engineer?" I said yes and he hung up on me.

On the second call we got I just cut the guy off and asked: what company do you work for? There were a few seconds of silence followed by a click and dial tone. No calls since.


> Weird. You'd think they wouldn't want to waste their own time like that.

The same scammer will call back multiple times in case there are several people that might answer the phone at that number which could be the case for a household or small business (large businesses are not a target for this sort of thing as the people who answer the phone won't have the access rights needed for the scam to work). You knew that it was a scam but your sibling/parent/secretary/what-ever might not and so might go along with it.

Once they've retried your number a few times they'll just add it to the pool that they'll sell on to other scammers. By answering the phone you've proven that the number is valid and can be used to contact a human. Lather, rinse, repeat.


FWIW, here're some details about the company:

1. It seems to be run from Kolkata (capital of West Bengal): Go to maps.google.co.in and search for Comantra. The result has a phone number you can call.

2. They seem to be hosted by GoDaddy. Does anyone want another go at that angle? Although, knowing GD this is the kind of customer they want!

3. LinkedIn also returns somebody who calls himself Owner of GoMantra. Not linking here for obvious reasons of mistaken identity.

IANAL, and I couldn't find a resource that I could point you to from an Indian legal POV. Cybercrime has only recently been defined by Indian law and from all that I read (not much authoritative) there's not much in this area. Any law-savvy Indian HNers care to chime in?


They use two remote access clients most likely because the second one gives them invisible filesystem access - you can't see what they're looking at. The first one is probably just simpler to connect and helps them get you over the hurdles of the second one (which there aren't many of).

I had one of these scammers call, who was insistent there was an XP machine with a virus. He called back three times in quick succession; the third time I repeated that I used Linux, not XP, and "I know you're a scammer, you know you're a scammer, just fuck off". That seems to be what's required to make them stop.

A friend of mine had one of these calls and decided to play along - he followed all their instructions, but played the dumb user... neglecting to tell them he was in KDE on Ubuntu, not XP. "Yes, I'm clicking on the button in the corner...". He had them on speakerphone while preparing dinner and whatnot, went through several staff including 'senior advisors', and it finally ended when the battery on his phone died an hour later...


Luckily I had warned my mother-in-law about these - she's safely on Ubuntu, but I keep everyone in the family aware of scams.

So she played along for at least 45 minutes, before telling them their mother would be ashamed of them and they should get a useful job like sweeping the streets!

This seems like the best approach, if you can spare the time - tie up so much of their time that it is uneconomic.


Isn't your time more valuable than theirs, making the last statement sort of moot?


Speaking as an Australian that's had a few of these calls, it's kind of fun stringing them along the first few times and then after that you can just hand them off to the nearest grandmother or 13 year old and let them deal with it.

My nephew (13) thinks it's great fun to stretch these calls out as long as possible, but then he's into playing Skyrim & what not.


I've done similar, although I didn't go as far because I got bored quicker.

In the end I asked the guy how he felt about scamming people etc, and the discussion that ensued convinced me that he didn't actually realize what they were doing. He actually went to get his boss to convince me, and I half heard an argument before someone hung up my phone.


This reminds me of a This American Life story in 2008 about scam baiters conning a 419 scammer and whether they went too far http://www.thisamericanlife.org/play_full.php?play=363&a...


I must admit I am quite shocked to see that there is now a new account on HN called Comantra advertising this "service". I am also quite sure that no one that reads this site would fall for this scam.

Edit: spelling and punctuation


I love how at the end they kept trying to unsuccessfully explain how they weren't a scam.


I must have missed the part where you "scammed" them, unless you really just meant to say "confronted on the phone". But that wouldn't get you as many clicks, would it?


Hmmm... perhaps I should have said "scam-baiting" or "misleading"; but I hope the context is clear.


The writer obviously put a lot of effort into this post ... I'd say trying to get a bit of extra visibility with a catchy title is totally excusable.



