
scams and phishing

I mentioned before that I've had quite a few clients fall for those JavaScript popups or out-of-the-blue phone calls claiming to be from Microsoft or "tech support" or even Apple. Just ran across a new twist, though.

An elderly client "called Alexa" recently for tech support help with a computer problem. It sounds like Alexa came up with the name of some outfit whom the client called and left a message, then got a call back within 20 minutes. This outfit charged him $300 to do the standard impressive geeky remote stuff. They told him they removed six pieces of malware and he does say his computer ran better afterward — they may have simply removed some adware, I'm guessing.

That might've been okay except they also claimed that they could "clean up all other devices on the network" using the same connection. At this point his wife grumbled that her iPad wasn't running any better.

This claim convinced me that they got scammed. I advised him to protest the charge — it was just last month — and at least change his login password, and possibly ask for a new credit card and monitor his statements closely. I mean, I don't believe it's possible to "clean up" all the devices via a remote connection to one computer. I'd just like to confirm that I wasn't out of line.

Shucks, I'm still hoping for a way to remotely view someone's iPhone, so I can help faraway clients. (That's not possible yet, is it? I've been out of touch.)

As a side note, these delightful elderly people view Alexa as a personal trusted representative, of what I do not know — Amazon? — and do not seem to understand that it's simply a verbal web browser in the context of this story. They politely listened to my explanation but I'm not sure they believed me!
 


I hope you convinced them to take your advice. I don’t even know these folks, and the proverbial red flags and alarms bells are respectively flying and ringing on their behalf. If there is a way to remotely view iOS devices, I have not heard of it, and I hope others will chime in here and confirm that.

How did the “support” person work his remote magic? Were your clients asked to install anything? If they did, yikes. And their view of Alexa is really disturbing. How did they end up with their “plastic pal who’s fun to be with”? (I hope I am quoting Douglas Adams more or less correctly.)

When my late father, who was fairly savvy about some kinds of fraud, talked about getting a computer when he was in his mid-80s, the variety of scams already rampant just through email made me discourage him from doing so.
 


Ric Ford

MacInTouch
Sophos talks about one type of rampant scam:
Naked Security said:
Elderly victims conned out of millions by tech support scammer

... The scams worked like this: Indian telemarketers would contact victims by phone or via pop-up web ads, and would talk their prey into paying to solve fictitious problems affecting their computers.

Often, the fraudsters pretended to be from well-known companies and would attempt to gain remote access to peoples’ computers, a ruse to install out-of-date AV or to rummage for personal data.

If the victim seemed gullible, they’d receive follow-up calls where the same tricks would be repeated.

It’s a well-trodden path to riches for scammers which in this case is believed to have resulted in millions being lifted from victims.
 


This story hit close to home. My father (83 y.o.) was scammed just a few weeks ago. He is smart, quick of mind, and has never been taken in by other types of scams. But he is an unsophisticated computer user, who often finds it difficult to distinguish between legitimate messages that pop up on his screen, telling him that updates to his OS or other installed programs are ready, and advertisements/scams telling him his computer is at risk.

They got him via phone. And this monster was patient, and his scam was convincing: from spoofing the SOS Appl phone number on his caller ID to showing him "proof" of the "hackers" that had infiltrated his Mac. The scammer slowly walked Dad through the process of granting remote access to his machine, and he promised Dad he would "help" him by encrypting his hard drive.

The price for this monster's help: $500 in iTunes cards. One irony: the cashier at the local Walgreen's pharmacy where Dad bought the cards tried to warn Dad that this was a scam, but Dad didn't believe him. One hero: a genius at the Apple Store, where I directed Dad to take his machine to be checked out for malware, to see if the drive was encrypted, and to shut down remote access. I live several states away and could not help him myself. The Apple genius set everything right, and did not charge my father for his time.
 



This story hit close to home. My father (83 y.o.) was scammed just a few weeks ago....
Thanks, Lloyd. I forwarded this example to some "seniors" that I've dealt first-hand with - phone calls while I was working there! Client hands me phone, "I think you should talk to him"... typical non-English accent telling me my Windows computer is infected... and he was from Microsoft Support! (Client has Mac.)

I've witnessed or recall so many of these with no caller ID, or spoofed "random first/last name with local area code" to elderly with IP phone service (Comcast phone package, Verizon phone package...) that I wonder why we even have such poor phone service. FCC... cough. DoNotCall means nothing anymore.
 


Yesterday morning the phone rings. Automated voice with an American accent.
"Hello, this is the BT internet support. We have to advise you that your BT internet service will be terminated today. If you do not wish this to happen press 1 etc. etc. etc."

We've had a bit of a lull with these 'support' calls, but just lately they appear to be on the up.

There was another last week with a very nervous sounding Indian lady from "Microsoft", and one of my clients has had several since February. Unfortunately, he fell for the first one and so now they keep phoning back every other week.

BT have a response number to call so that they can track the calls, but I don't know how effective it is.

On a slightly different - but obviously related - topic, I received an email from my bank yesterday advising me of a need to verify my account details, as they were having to implement new security procedures. You may be aware that TSB here in the UK had a massive cock-up while migrating from their existing hosts to the host of the new owners. This resulted in (for most people) being unable to access accounts online, transfer money, pay bills, mortgages and standing orders etc. Some people had a window of about 20 minutes where, when they logged in, they found themselves in someone else's account. Personally I had about 3 days when I couldn't log in.

The email refers to the incident. Only two issues: it has come to a mail account the TSB don't have, and the sender address is TSB Bank Plc <no_reply@tsb.co.nz>
(Strangely, I haven't managed to open a bank account on the other side of the world.)
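
The two checks applied by eye in the post above (a recipient address the bank never had, and a sender domain in the wrong country), written out as an added example that is not part of the original post. The domain table, the registered address and the three sample messages are constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumption: brand keyword -> domains the real organisation sends from.
EXPECTED_DOMAINS = {"tsb": {"tsb.co.uk"}}

# Assumption: addresses this user has actually given to each brand.
REGISTERED_WITH = {"tsb": {"me.banking@example.org"}}


def domain_of(address):
    """Return the lower-cased domain part of an e-mail address."""
    return address.rpartition("@")[2].lower().rstrip(".")


def domain_matches(domain, expected):
    """True only for an expected domain or a true subdomain of one.

    A substring test would accept 'tsb.co.uk.example.net'; this does not.
    """
    return any(domain == e or domain.endswith("." + e) for e in expected)


def claimed_brand(display_name):
    """Return the known brand named in the From display name, if any."""
    words = display_name.lower().replace(",", " ").split()
    for brand in EXPECTED_DOMAINS:
        if brand in words:
            return brand
    return None


def check_message(raw):
    """Return a list of findings for one raw RFC 5322 message."""
    msg = message_from_string(raw)
    display, sender = parseaddr(msg.get("From", ""))
    _, recipient = parseaddr(msg.get("To", ""))
    brand = claimed_brand(display)
    if brand is None:
        return []  # no known brand claimed, nothing to compare against
    findings = []
    sender_domain = domain_of(sender)
    if not domain_matches(sender_domain, EXPECTED_DOMAINS[brand]):
        findings.append(f"sender domain {sender_domain!r} is not a {brand} domain")
    if recipient.lower() not in REGISTERED_WITH[brand]:
        findings.append(f"{recipient!r} was never given to {brand}")
    return findings


# Constructed sample: the From header quoted in the post, sent to an
# address the bank does not have on file.
POST_EXAMPLE = (
    "From: TSB Bank Plc <no_reply@tsb.co.nz>\n"
    "To: old.alias@example.org\n"
    "Subject: Verify your account details\n\nbody\n"
)
# Constructed sample: expected domain used as a prefix of another domain.
LOOKALIKE = (
    "From: TSB Bank Plc <alerts@tsb.co.uk.example.net>\n"
    "To: me.banking@example.org\n"
    "Subject: New security procedures\n\nbody\n"
)
# Constructed sample: subdomain of the expected domain, registered recipient.
PLAUSIBLE = (
    "From: TSB Bank Plc <service@email.tsb.co.uk>\n"
    "To: me.banking@example.org\n"
    "Subject: Your statement\n\nbody\n"
)

if __name__ == "__main__":
    for name, raw in [("post", POST_EXAMPLE), ("lookalike", LOOKALIKE),
                      ("plausible", PLAUSIBLE)]:
        print(name, check_message(raw))
```

An empty result only means neither red flag fired: the From header is set by the sender and can carry a genuine-looking address, so a clean result is not proof that a message is legitimate.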
 


Yeah, there's another round of scams going around.

I've so far received three calls claiming to be from Costco, that I've won some kind of fabulous travel prize. If I push the button to be connected to an operator and start grilling the person about who he works for, then the story changes. First he's a direct marketer contracted to Costco. Then an independent vacation company. Then working for Ramada. Then when I accused him of being a criminal and threatened to report him to the FTC (which I did), he got all angry and hung up.

Unfortunately, the caller ID was forged every time, so I'm not sure how much the FTC can do with my reports. But maybe they can find these scammers if enough people file reports.

I also got a few claiming to be from the IRS, threatening legal action if I don't send money to them (of course, by mailing iTunes gift cards - everybody knows that's how the IRS collects back taxes, right?) I reported them to the IRS fraud division, the FBI and the FTC. In that case, however, the caller ID wasn't spoofed. I called it back and got a call center manned by the scammers. I made a point of including that fact in the reports. With their actual phone number, law enforcement should be able to find them and arrest everybody present.

Assuming law enforcement actually cares, of course. And I'm not so sure about that.
 



This story hit close to home. My father (83 y.o.) was scammed just a few weeks ago.
...
The price for this monster's help: $500 in iTunes cards. One irony: the cashier at the local Walgreen's pharmacy where Dad bought the cards tried to warn Dad that this was a scam, but Dad didn't believe him. One hero: a genius at the Apple Store...
Give the Walgreen's cashier a hero award, too. He or she was clearly the first line in the defense chain.
 


Yeah, there's another round of scams going around. I've so far received three calls claiming to be from Costco, that I've won some kind of fabulous travel prize. If I push the button to be connected to an operator and start grilling the person about who he works for, then the story changes. First he's a direct marketer contracted to Costco. Then an independent vacation company. Then working for Ramada. Then when I accused him of being a criminal and threatened to report him to the FTC (which I did), he got all angry and hung up.

Unfortunately, the caller ID was forged every time, so I'm not sure how much the FTC can do with my reports. But maybe they can find these scammers if enough people file reports.

I also got a few claiming to be from the IRS, threatening legal action if I don't send money to them (of course, by mailing iTunes gift cards - everybody knows that's how the IRS collects back taxes, right?) I reported them to the IRS fraud division, the FBI and the FTC. In that case, however, the caller ID wasn't spoofed. I called it back and got a call center manned by the scammers. I made a point of including that fact in the reports. With their actual phone number, law enforcement should be able to find them and arrest everybody present. Assuming law enforcement actually cares, of course. And I'm not so sure about that.
I work in an area related to law enforcement support. They by nature would like to solve every case, but there are only 25 hours in a day, and the number of bad people goes up every year, because people have poorer and poorer value systems in their heads. You have to pick and choose your cases. Don't even waste the time filing unless you have a case you know is 101% of perfection before you start. I hope you recognize the truth in the irony.
 


Xfinity [abused] me with a scam of sorts. My elderly parents' landline with Xfinity was 99% call scams or robo, so I disconnected my folks' Xfinity landline by having Ting port their land-line number to a Ting burner phone that I could monitor for them.

But by doing a port-out, Xfinity jumped monthly from $179 per month to $700+ per month--just for removing the land-line!

Endless call escalations to them went nowhere. It was a weird billing error that no one sorted out for me. I finally dumped Xfinity cold-turkey to stop the crazy bills. Xfinity later credited and sent me a small check, but in total they got me for $500 additional, just for removing the landline by a port-out request.

So scams come from big companies too.
 


Here's a new variant. Why bother encrypting someone's hard drive with ransomware when you can demand money first and threaten to erase everything later if they don't pay up?
Sophos Naked Security said:
“WannaCrypt” ransomware scam demands payment in advance!
... now there’s a back-to-front approach – a bunch of scammers who aren’t saying, “If you don’t pay we won’t fix your files,” but instead saying, “If you do pay we won’t scramble them in the first place.”

Simply put, it’s a protection racket, where you’re being stood over to prevent bad things happening, rather than a ransom-based racket, where you are being squeezed to recover from bad things that already happened:

From: WannaCry-Hack-team
To: **************
Subject: !!!Warning Wannacrypt!!!
Hello! WannaCry is back! All your devices were cracked with our program installed on them. We have improved operation of our program, so you will not be able to regain the data after the attack.
All the information will be encrypted and then erased. Antivirus software will not be able to detect our program, while firewalls will be strengthless against our unique code.
Should your files be encrypted, you will lose them forever.
Our program also covers the local network, erasing data on all computers connected to the network and remote servers, all cloud-stored data, and freezing website operation. We have already deployed our program on your devices.
Deletion of your data is scheduled for June **, 2018, at **:** – **:** PM. All data stored on your computers, servers, and mobile devices will be destroyed. Devices working on any version of Windows, iOS, macOS, Android, and Linux are subject to data erasion.
With an eye to ensure against data demolition, you can pay 0.1 BTC (~$650) to the bitcoin wallet: ****************

The bad news is that this WannaCrypt “demanding money with menaces” threat email is very widespread – we’ve had people worried about it from all over, which is why we decided to write up this warning.

The good news is that these particular crooks don’t actually have any malware to back up their threat.

Indeed, their claim that “antivirus software will not be able to detect [the] program” is one of the few truths in this scam, for the simple and fortunate reason that, in this case, there is no program to detect.

Just to be clear here: disk wiping malware – think of it as ransomware with no decryption key, so you can’t buy your files back from the crooks even if you want to – most certainly exists.

So, these WannaCrypt scammers could, in theory, have been telling the truth, giving you just a few hours to hunt down and turn off their attack code before your data was destroyed.

In this particular case, however, the whole thing is a fraud, right down to the existence of the malware in the first place.
 


FCC... cough. DoNotCall means nothing anymore.
There is indirect value in the DoNotCall list. If you are on it, it means that almost all solicitations you receive on the phone are from scammers. Thankfully NoMoRobo takes care of 90% of the scammers plus those who may legally call you but you don't want to hear from (nonprofits, surveys, political calls).
 


DoNotCall means nothing anymore.
Has it ever meant something? Years back, before I realized it was a mistake, I registered on the Do Not Call list. It did absolutely nothing to reduce my spam/junk calls. I'm at the point now where I have to drop my land line because it is nothing but a spam box.

Why?

In my opinion, the majority of such callers are scammer/spammers/unethical marketers. This is obvious by the sheer volume of robocalls which violate the rules.

If the callers are ignoring the rules about robocalls, or just simply running an illegal scam operation, what makes anyone think they are going to honor a no-call list?

It seems to me that a no-call list is a great tool for these low-lifes. It provides a list of active, legitimate numbers that they can call. For those naive enough to believe it magically stops unwanted calls, it also provides the scammer with some level of legitimacy. If my phone is blocked from unwanted calls, this must really be my bank, the IRS, Microsoft, etc.

What gets me is the phone companies' insistence that they can do nothing to identify these people, many of whom are engaging in criminal activity. I cannot believe the technology isn't there. They have to bill someone for making the call. Are we to believe that there are millions of calls made each day for which there is no party being billed? More likely they don't want to lose the income from this activity.
 


Oh the irony. I got a phish email purportedly from PayPal. As usual the main button links to a scam site and the return address is an innocent bystander. In the message further below is the line "PayPal is focused on avoiding fraud emails. Learn to recognize phishing." Clicking the link goes to PayPal's page to report a suspicious email or website. I reported it.
 


Has it ever meant something? Years back, before I realized it was a mistake, I registered on the Do Not Call list. It did absolutely nothing to reduce my spam/junk calls. I'm at the point now where I have to drop my land line because it is nothing but a spam box.
Don't expect any better on cell. Lately I've been getting 2-4 spam calls a day on cell.
 


Don't expect any better on cell. Lately I've been getting 2-4 spam calls a day on cell.
I've noted the same when I have my cell turned on. I rarely use it, and almost never give out the number, yet now I get a call or two a day when I have it on. I assume these are robocalls programmed to step through every number on every exchange in service. That's not much less than the number I get on my home/office landline.
 


What gets me is the phone companies' insistence that they can do nothing to identify these people, many of whom are engaging in criminal activity. I cannot believe the technology isn't there. They have to bill someone for making the call. Are we to believe that there are millions of calls made each day for which there is no party being billed? More likely they don't want to lose the income from this activity.
I've written about this before. Unfortunately, it is a much harder problem than you'd think.

First off, phone companies are "common carriers" which means they are not allowed to censor content. Every call that a customer places must be connected. They can only cut you off for not paying your bill.

They can't just look at a customer and say "he's placing tons of short calls, so he must be a scammer" because there are plenty of legitimate businesses that do this too. And they're not allowed to monitor the actual content of calls without a warrant. And they wouldn't even know that "he's placing tons of short calls" if the calls are originating from some other carrier's network.

Second, the switching/signaling system is designed to track all of the outbound calls placed by customers (so they can be charged). It does not attempt to trace calls in order to identify the source of all inbound calls to a particular number. Law enforcement can use this outbound-billing information to build a case once the criminal's phones have been identified, but it's not useful for actually determining that identity.

Although there is a system for identifying the source of a call (Caller ID and ANI), both of these systems can be tricked into delivering bogus information, especially if the call originates from another carrier's network. Caller ID is trivial to spoof. ANI requires hacking a phone switch to forge, but that also happens (see below).

It is not uncommon for these criminal organizations to steal phone service for this purpose. It often involves hacking into a poorly-secured phone switch (e.g. some corporate PBX or a phone company (possibly in a foreign country) with bad network security) and placing calls through it, often with bogus caller ID and ANI data.

If their calls don't provide accurate caller ID/ANI information, then identifying the source means running a trace while the call is active. It's not hard to do, but the phone company needs to be ready and waiting for the call, since it will take too long to set up if they wait until after you've been called. They are legally prohibited from tracing the call without a warrant. And no judge will issue a warrant unless there's an ongoing investigation.

So yes, I believe the phone companies when they say it is that hard to identify the source of these telemarketers. Some of the reason is technical, some is legal, but it's all a mess.
 


The problem can be solved by simply making spam calling uneconomical. There would be no requirement to identify callers or get law enforcement involved.
talkingpointz.com said:
A Simple Solution to Robo-Calls
We all know robo and spam calling is out of control. And, everybody professes that there is no answer. There is an answer, and it is a simple one. Charge people who generate traffic. It will make spam calling uneconomical. Here is how it would work, and it is simple…
 


I've written about this before. Unfortunately, it is a much harder problem than you'd think.
...
So yes, I believe the phone companies when they say it is that hard to identify the source of these telemarketers. Some of the reason is technical, some is legal, but it's all a mess.
I hear you and would not argue against any of your statements. My complaint is that when the topic is discussed, the phone companies claim they don't have the technology to identify callers. This is in the context of working with proper enforcement agencies - not some annoying telemarketer.

If it was one or two calls here and there, I would be more understanding of the challenges involved. However, the abuse is widespread and common. It's a virtual plague.

If phone companies and lawmakers really wanted this activity to stop, they could find a way. I believe there is simply too much money involved (via call volume income or lobbyist dollars) to make it worth their while.
 


... If phone companies and lawmakers really wanted this activity to stop, they could find a way. I believe there is simply too much money involved (via call volume income or lobbyist dollars) to make it worth their while.
The phone companies are arms dealers - they sell to both sides. Because they make money off of both sides, they don't want the war to end. The only thing that will change this is if customers get rid of their phone service.

It's gotten so bad I'm preparing to tell my clients and friends that I'm turning off my phones' ringers (calls will go to voicemail).
 


Don't expect any better on cell. Lately I've been getting 2-4 spam calls a day on cell.
Have you tried NoMoRobo? It works for VoIP and mobile phones. If you have a conventional landline... well, that was the main reason I gave up my landline a few years ago: multiple spam/robocalls a day, particularly in election seasons, and no other calls, as everyone I knew had my cell number.

Can't do much about spam Caller ID robocalls for political candidates (they've exempted themselves), other than reporting the number to NoMoRobo and its competitors. But even that has reduced the number of spam calls I've gotten this primary election cycle.

What I find obnoxious is political contribution websites that insist on having your cell number so they can text you to help form political flash mobs. Sorry, not gonna happen.
 


Another robocaller blocking option, in addition to NoMoRobo, is RoboFence. I bought it after reading about it here on MacInTouch. I don't think it's as fully featured as NMR but the main things I like are that RF doesn't access or transmit Address Book data, doesn't charge a monthly fee, is ad-free, and was super cheap to buy. The interface isn't the greatest or prettiest and sometimes there's a delay in submitting new phone numbers to the master database but overall it offers pretty good bang-for-buck.

Bottom line: I would buy RF again.
 


Can't do much about spam Caller ID robocalls for political candidates (they've exempted themselves), other than reporting the number to NoMoRobo and its competitors.
Fundraising activity on behalf of non-profit organizations and calls related to political campaigns are exempt from the provisions of the Do Not Call list.

Mystifyingly, I receive a large number of what sound like pocket dialed calls that result in voice messages consisting of many minutes of background noise. These outnumber "Rachel from Cardholder Services" and her ilk.
 


Fundraising activity on behalf of non-profit organizations and calls related to political campaigns are exempt from the provisions of the Do Not Call list. Mystifyingly, I receive a large number of what sound like pocket dialed calls that result in voice messages consisting of many minutes of background noise. These outnumber "Rachel from Cardholder Services" and her ilk.
I suspect a number of these come from call centers working for many customers who want to determine if there's a live, but preferably confused, human being on the other end of the line.

But the number of calls I receive from unfamiliar or bogus numbers has remained far from zero after my state's recent primary election, and a friend who listened to a voice message on her cell phone the other day found it was from one of the fine human beings who try to con people into believing they're from the Social Security Administration's "fraud division" (if there is such a thing) and trying to lure the unwitting to call them back. And then, no doubt, convince the credulous victim that they could erase this problem by sending several $K in gift cards to.... Makes me almost appreciate the bogus Caller ID calls that don't bother to leave messages about credit "help" or "free vacations."

And, indeed, I referred to the exclusion of political calls because (surprise!) elected politicians got to write the law.
 


Mystifyingly, I receive a large number of what sound like pocket dialed calls that result in voice messages consisting of many minutes of background noise.
I've gotten voice mails that sound like about a minute of somebody talking in Chinese or with a thick Chinese accent, then a hangup. There's no intelligible English.
 


