Another day, another tech support scam. This time, a UK Freefone
number (08000588296) appeared on a fake virus pop-up. I couldn’t resist calling them

I do my usual thing of letting the scammers access a safe playpen (a virtual machine isolated from my real machine) and record their network activity using Wireshark.

The 08000588296 number and the U.S. number +1(844)525-6095 routes to Jaipur in India. Shame that ‘Kevin’ still insists he’s sitting in California :)

I confront a Microsoft / Windows Support scammer after he has ‘fixed’ my PC. He claims not to be running a scam. I’ll let you decide.

Links:
Wireshark: http://wireshark.org (free)
VirtualBox: http://virtualbox.org (free)
XLite: http://www.counterpath.com/x-lite-download/ (free)
VMware: http://www.vmware.com/ (not free)
How to set up your PC to record these scams: https://www.youtube.com/watch?v=yGY7UQji2go
Coming soon: How to make perfect voice recordings if a scammer phones your land line.

This video shows how to set up your PC to record the IP address of a ‘Windows Support Department’ (or similar) support scammer.

If more people could record their IP addresses, the more prosecutions we can secure the fewer calls we will get and the fewer victims they will rip off.

VirtualBox: http://virtualbox.org
Wireshark: http://wireshark.org
Mini VoIP recorder: http://www.siprecorder.com/index.php
Zoiper: http://www.zoiper.com

I set up a virtual PC to capture the IP address of a scammer then used this IP address to identify the people behind the scam. Sorry for the abrupt ending; I really only intended their ISP to use this and react quickly, so there’s little explanation of what I’m doing. See here https://www.youtube.com/watch?v=yGY7UQji2go for a bit more background and a description of this setup. There is also a Part 3 where I follow where the money went: https://www.youtube.com/watch?v=JxaIucFh_-g

The scammers IP address was 223.29.201.210 on 11/02/2015 @ 17:30 IST. The IP address is confirmed to be the ‘Ariba Call Center’ and they are a customer of MeghbelaBroadband in Kolkata, India. Part 2 (https://www.youtube.com/watch?v=jllY-8oBsso) describes how I got from the IP address to the Call Centre.

‘Ariba Call Centre’ is located at
22 Ashutosh Chowdary Ave, Ballygunge Park, Ballygunge Kolkata, West Bengal 700019 India‎
Direct phone number: +91 33 6503 3033
Email: [email protected]
Web: http://www.aribacallcenter.in
Their website was taken offline for a day after I published the name of the call centre. They claimed that this was for “renewal” reasons. When it reappeared, they removed the links to their directors accounts Facebook, Twitter, LinkedIn and other social media. I’ve reproduced these links below. The site changed again the following day to remove yet more details about the company directors and to remove details of their (legitimate) customers. I guess they fear that this exposure will damage their revenues. So here is a reminder of the original website: http://imgur.com/a/ZHpzW#0 (or just use a Google cache)

Their Facebook page https://www.facebook.com/aribacallcenter was also removed this once their scam was rumbled on 14/04/2015. Copy of their FB pages here: http://imgur.com/a/9Ag1r#0

Ariba seem to be a real call center with legitimate customers, but their employees seem to enjoy a scamming sideline and have set up sites like http://techconsultancy.services and http://TheTechnicalz.com (note that the latter is identical bar the logo and domain name). See here to compare: http://imgur.com/gallery/7eVxBq1. I’m sure it’s a sheer coincidence that the Technicalz site became unavailable at exactly the same time that Ariba took down their own website and Facebook entry, however the domain registration tells its own story: http://who.is/whois/thetechnicalz.com (look at the history just in case Ariba re-register the domain).

Since I published their details, Ariba have carefully removed the UK and US phone numbers from their http://techconsultancy.services site. The phone numbers were UK: +44 116-318-4211 and US: +1 551-226-6078. Related phone numbers are +44 116-318-2304 and +1 212-456-7893. You can still see the numbers looking at the HTML source, a Google cache or this snapshot from 13/04/2015: http://imgur.com/gallery/7eVxBq1

If you look below at the comments, you’ll see a reply from Ariba Call Center. Needless to say ACC did not respond to my evidence nor did they answer any questions. They claim that “our IP is being hacked and used by someone else to do fraud activities”. Instead of thanking me (if it was a ‘hacker’ like they claim), they chose to remove all social media the links to their directors, remove their Facebook pages, remove the phone numbers from their scamming websites and accused me of “stalking” them! Bear in mind they phoned me. I’ll let you draw your own conclusions as to their responsibility for this scam. They removed their comments in June 2016, but I archived this too: http://pastebin.com/FKPnxPp3

Full audio, video and wireshark traces available to any authorities who need them.

Another YouTuber has reported capturing the scam from another IP address in the Ariba Call Centre (223.29.202.248 on 20/05/2015), so the scammers are still up and running :(

The capture of the fraud from a cold call from an India-based call center. This call was from smartsupportguys.com, which claimed that my PC had an infection and that I needed to pay £169.99 for unnecessary software and support.

I have made the whole recording available if you’re from a law enforcement agency or have been scammed and need more evidence about this firm’s activities. This version highlights the scam at work.

I used an expendable virtual machine and allowed them to remotely access the device, so no personal data was at risk; I’ve had a few similar companies who attempted to delete stuff once their scam was rumbled.