The rules are simple.
1. Create your 4×5 Bingo card before you call your chosen scammer.
2. Tick off any word or phrase s/he says.
3. Complete a line or the whole card for a stunning prize*
Another day, another tech support scam. This time, a UK Freefone
number (08000588296) appeared on a fake virus pop-up. I couldn’t resist calling them
I do my usual thing of letting the scammers access a safe playpen (a virtual machine isolated from my real machine) and record their network activity using Wireshark.
The 08000588296 number and the U.S. number +1(844)525-6095 routes to Jaipur in India. Shame that ‘Kevin’ still insists he’s sitting in California :)
This video shows how to set up your PC to record the IP address of a ‘Windows Support Department’ (or similar) support scammer.
If more people could record their IP addresses, the more prosecutions we can secure the fewer calls we will get and the fewer victims they will rip off.
I set up a virtual PC to capture the IP address of a scammer then used this IP address to identify the people behind the scam. Sorry for the abrupt ending; I really only intended their ISP to use this and react quickly, so there’s little explanation of what I’m doing. See here https://www.youtube.com/watch?v=yGY7UQji2go for a bit more background and a description of this setup. There is also a Part 3 where I follow where the money went: https://www.youtube.com/watch?v=JxaIucFh_-g
The scammers IP address was 223.29.201.210 on 11/02/2015 @ 17:30 IST. The IP address is confirmed to be the ‘Ariba Call Center’ and they are a customer of MeghbelaBroadband in Kolkata, India. Part 2 (https://www.youtube.com/watch?v=jllY-8oBsso) describes how I got from the IP address to the Call Centre.
‘Ariba Call Centre’ is located at
22 Ashutosh Chowdary Ave, Ballygunge Park, Ballygunge Kolkata, West Bengal 700019 India
Direct phone number: +91 33 6503 3033
Email: aribacallcenter@gmail.com
Web: http://www.aribacallcenter.in
Their website was taken offline for a day after I published the name of the call centre. They claimed that this was for “renewal” reasons. When it reappeared, they removed the links to their directors accounts Facebook, Twitter, LinkedIn and other social media. I’ve reproduced these links below. The site changed again the following day to remove yet more details about the company directors and to remove details of their (legitimate) customers. I guess they fear that this exposure will damage their revenues. So here is a reminder of the original website: http://imgur.com/a/ZHpzW#0 (or just use a Google cache)
Ariba seem to be a real call center with legitimate customers, but their employees seem to enjoy a scamming sideline and have set up sites like http://techconsultancy.services and http://TheTechnicalz.com (note that the latter is identical bar the logo and domain name). See here to compare: http://imgur.com/gallery/7eVxBq1. I’m sure it’s a sheer coincidence that the Technicalz site became unavailable at exactly the same time that Ariba took down their own website and Facebook entry, however the domain registration tells its own story: http://who.is/whois/thetechnicalz.com (look at the history just in case Ariba re-register the domain).
Since I published their details, Ariba have carefully removed the UK and US phone numbers from their http://techconsultancy.services site. The phone numbers were UK: +44 116-318-4211 and US: +1 551-226-6078. Related phone numbers are +44 116-318-2304 and +1 212-456-7893. You can still see the numbers looking at the HTML source, a Google cache or this snapshot from 13/04/2015: http://imgur.com/gallery/7eVxBq1
If you look below at the comments, you’ll see a reply from Ariba Call Center. Needless to say ACC did not respond to my evidence nor did they answer any questions. They claim that “our IP is being hacked and used by someone else to do fraud activities”. Instead of thanking me (if it was a ‘hacker’ like they claim), they chose to remove all social media the links to their directors, remove their Facebook pages, remove the phone numbers from their scamming websites and accused me of “stalking” them! Bear in mind they phoned me. I’ll let you draw your own conclusions as to their responsibility for this scam. They removed their comments in June 2016, but I archived this too: http://pastebin.com/FKPnxPp3
Full audio, video and wireshark traces available to any authorities who need them.
Another YouTuber has reported capturing the scam from another IP address in the Ariba Call Centre (223.29.202.248 on 20/05/2015), so the scammers are still up and running :(
