I guess someone in the general area of Kolkata reads my blog posts. At any rate, after I posted a blog yesterday bemoaning the fact that I had to do my own systems support, I got a phone call from a gentleman with a pronounced accent wanting to help me with my virus problem.

It's Raining Men (And Wooden Horses)

You didn't know I had a virus problem? Neither did I, but he assured me that I was spraying malware all over the part of town I live and work in. Well, I suppose that explains why I tripped over a Conficker and got fake AV all over my trousers on the way back from the library. And he quoted an address that was near enough to mine to convince someone who didn't know about telephone directories.

The People's Flag Is Deepest Red

So I asked him how he knew that my system was infected. He explained that my IP address was flashing red on his screen. I asked him what my IP address was, and he explained that he couldn't tell me that for security reasons, but he'd put me through to his supervisor.

All Your Base Are Belong To Us

His supervisor, it turned out, was, by his own account, a highly qualified tech support specialist, or some somewhat similar job title. He patiently explained to me that he was not a fool, that it was his computer (not mine) which was flashing red (perhaps I should have offered to sell him a copy of NOD32), but that it was my IP address which was being flagged. And he was quite ready to tell me what my IP address was, though not how he knew it was mine.

Well, whatever kind of tech support he did, I guess it wasn't network support. He started off well with what could have been the first two bytes of a class B address (though it didn't remotely resemble the address of my provider's gateway). However, he was either unfamiliar with the fine detail of dotted quad notation, or he changed numerical bases in midstream. Or he was using a form of IPv6 notation that I'm not familiar with.

Agent Provocateur

I guess I'm not cut out for undercover work: at any rate, he clearly realized I wasn't taking this nonsense as seriously as he felt I should. He told me that they were working very hard at protecting people, that they took it very seriously, and that I didn't have to do the test of my system he was offering to help me with if I didn't want to. Anxious not to offend him, I explained that I take computer security very seriously and that's why I work in that field. I was about to offer to explain subnet masking to him, but for some reason the line went dead just then.

What Do We Learn From This?

Primarily, that this type of scam is not only ongoing, but developing new twists. Yesterday I mentioned the fake survey ploy, where they ring you in advance to find out what kind of kit you have, so that it sounds as if they know what they're talking about when they ring again and tell you there's a problem with your PC. I still haven't found the reference to that, but while I was looking for it I came across this site which has lots of amusing stories from people who are better at scammer baiting than I am.

While it's obvious that the scammers have been using telephone directories to get the name of the lucky recipient of their cold calls, using the address for that number as "corroboration" of the problem is something I haven't noticed before. Of course, that sort of misdirection is very common in other scams: 419s, for instance, frequently direct the prospective victim to a vaguely-related news item on a legitimate web site as "proof" of their story.

I haven't come across the IP address wrinkle before, either. On this occasion neither miscreant knew enough to supply a convincing fake IP address (not that most people would recognize a fake like the one quoted to me, I suppose), but it wouldn't take much reading up for a scammer to repair that deficiency. It's not impossible that a scammer might actually give you your actual address, if you happen to know it. It would be child's play for him to capture your IP address by directing you to a poisoned web site.

I did wonder whether I ought to make that last point, in case some technically-challenged but eager-to-learn scammer really is reading my posts, but if that was really likely, you'd think I'd be on some sort of scammer's blacklist by now, so the calls would have stopped. Admittedly, it's been a while since I had three in a single day...

More about the history of these scams at http://www.eset.com/resources/white-papers/Hanging-On-The-Telephone.pdf, in a paper by Jan Zeleznak, Urban Schrott and myself.

David Harley CITP FBCS CISSP
ESET Senior Research Fellow