“Cisc Support” telephone fraud

I had a phone call today on my ex-directory home phone, from an Indian lady calling herself “Rachel” who claimed to be from “the computer maintenance department”.

TL;DR: an India-based fraud called “Cisc support” using the UK telephone number 01865 589087 and claiming to be based at 256 Banbury Road, Oxford has an interesting telephone patter.

About half the phone calls we get on our home phone are rubbish of one sort or another, and this one had the dead giveaway right at the start – of a silent line, followed by a burst of ringtone, before we were connected.

I expressed polite interest, and snapshotted the Windows XP VM in my home server while “Rachel” connected me to her supervisor “Peter”.

His spiel started with asking me to do windows-key-r (the Windows “run” dialog) and type “inf”. This opens an explorer window on c:\windows\inf which contains several hundred harmless system files.

“Do you recognise these files?”
“No”
“These are the malicious files, these are the corrupted files. These hacking software get into the system without your information. They create problems into your systems. Your computer has downloaded this hacking software and unwanted malicious program”

Similar spiel for several minutes, then he asked me to windows-r again and run Event Viewer (“type eventvwr”), double-click “system” and tell him how many are “errors and warnings”. In a normal Windows system there are dozens-to-hundreds listed – not indicating anything necessarily amiss.
“These are indications that part of your system is getting infected, part of it is getting corrupted” then more spiel about hacking software.

Apparently “my computer is very badly corrupted and very badly infected” and I should close Event Viewer and not click on any of the events as “if you click any of it, it spreads in your computer like a disease.”

Next step (and the excitement in the chap’s voice is evident) is to visit http://www.support.me/ which loads the logmein.com

[aside – the logmein.com service is excellent and nothing to do with this fraud. We’re very happy users of their free service for supporting distant parents]

client in a window called “Cisc support”. He takes control and loads this:

[Screenshot of the “Cisc support” fraud website]

and guides me to scroll the page, pick a £160 option from it, and enter card details. When I hesitate, he offers as evidence of their bona fides:

  • Their UK telephone number 01865 589087. This does indeed reach them, and their calls present it as CLIP. The 01865 589xxx block of numbers is allocated to Cable and Wireless UK and appears to have legitimate users in it – I’m not sure how this particular fraud has obtained a number from it but presumably there’s a VOIP service.
  • Their company address 256 Banbury Road, Oxford. This appears to be a large office building which has, or has had, numerous small organisations use it as registered office.
  • Google’ing their name “Cisc support”. This is of course auto-corrected by Google to “Cisco support” and the chap then claims to be from Cisco & therefore legit.

“netstat” shows the logmein session connected to an IP address on an Indian ISP Wishnet in Kolkata/Calcutta – 2.19.159.84.

I hang up, and another Indian chap, calling himself “Albert Justin” calls a few minutes later. I say that I’m not going to buy anything, and that’s it. No more calls. At some point in the call he’s taken over the logmein session from another wishnet IP address, 110.172.54.108.

I found a page at http://www.networksteve.com/windows/topic.php?TopicId=37310 which appears to be about the same scam; I have no information about whether the page at http://www.ciscsupport.com/ is a legitimate company or not – it may be that the fraudsters are using their name without permission.
