Fake Microsoft support caller demanding Moneygram payments.

Another customer, another scam call.. “Microsoft” supposedly called them and said they had a virus (as is standard) and talked the user through connecting the scammer to the computer.

logmein-rescue-in-use-scam

It is astonishing that LogMeIn Rescue allows the company name “Microsoft” and the technician name “Microsoft Technician”!

TechnicianID=14872756
and
TechnicianID=14872728
were used.

At one point the scammer stole some of the contents of the Pictures folder.

The caller ID was 01163183604 (aka. +44116318360 or “0116 318 360”). The phone number is supplied by a provider called Wavecrest (UK) Ltd.

This is where it turns unusual.. Normally the scammers request a credit card payment as a supposed subscription to their support services. However this time the caller, one supposed “John Martin”, requested that the victim register for Microsoft Security Essentials using an html form the scammer had transfered to the desktop… weirdly it actually submitted the payment to the donations URL for techguy.org – a support forum. I can only assume this is there as a red herring and also so that the scammer can watch the victim typing their credit card details. I don’t know if this donation actually went through.

scam order form

They then used the details the victim had put on the screen to send multiple Moneygram payments to:

Person 1: “Naresh Kumar bhujwani” (MoneyGram had one over Western Union here – they called the victim and gauged how likely it was to be fraud and then decided to block the payment from proceeding!)

Western Union:
Person 1: £200 (Cancelled thankfully)
Person 2: £600 (Picked up by someone called “Rodolfo Portorreal” according to WU [Why do they allow someone not the named person to pick up money?])

This telephone number has been in use for the same scam since at least February.

The victim was taken in for several days and at some point during those days they asked for a refund. A file was put on their desktop called “UK Refund form amount.htm” which seems to be a modified version of the form I can find here:
http://webcache.googleusercontent.com/search?q=cache:WyVsrQH13vcJ:www.callremotexpert.com/index_1.php+&cd=1&hl=en&ct=clnk

(PDF Copy of the page in case the google cache goes offline.)

scam refund form original

But the modified form on the desktop wouldn’t post to a url as it tried to post to call.php on the hard disk (which didn’t exist) but it did have a few extra lines in it requesting “Date of Birth”, “Driving License/Passport” and bank sort code:

scam-refund-form

I presume this broken form is another attempt to watch the victim typing in their passport or other identity information for further scamming or theft.

They passworded the computer using a function called syskey. The password they used was “qwe”. After calling them back and playing dumb saying “my mum paid you to protect the computer  and I want to do my homework” they also told me to try “qwe888” and then talked “me” through getting ammyy and LogMeIn connected again. They then changed the syskey password, this time to “qwerty”.

The only vague thing I can find relating to what company they are is callremotexpert.com who’s website, which used to work on the 4th May but went wrong before the 13th May, no longer serves any pages.
The contact page matches all the other company names I can find.
The whois information for the domain is as follows too:

Registrant Name: Arpit Parakh
Registrant Organization: United Enterprises
Registrant Street: AA-50, Sector 1
Registrant Street: Salt Lake, 1st Floor
Registrant City: Kolkata
Registrant State/Province: West Bengal
Registrant Postal Code: 700064
Registrant Country: India
Registrant Phone: +919836969811
Registrant Email: arpitparakh@gmail.com

Who at one point listed their phone numbers as:

+13022893311
+441438940777
1-877-778-8287
+61390157678

and

020-3286-9239
075-641-0315
033-65006849

The 01438 UK number listed on the website is, as with the scam number at the top of the article, also registered with Wavecrest (UK) Ltd.

The apritparakh@gmail.com domain is also associated with:
-fixmycomputerbuddy.com
-askremotexpert.com
-unitedoutbound.com (now expired)
-paymecentral.com

fixmycomputerbuddy.com lists their address as the same as the domain whois:

Company Name : UTD e-Services Private Limited
Company Address :AA-50 Sector 1 Salt Lake 1st Floor Kolkata – 700064 WB IND
Toll Free Number : 1-855-234-8747 (18552348747)

Also hidden around their site is another number, 1-800-491-3022 (18004913022)
Funnily enough this same 1-800-491-3022 number is also associated with another scam.. “AskPCExperts” (And on Twitter)

The unitedoutbound.com domain is interesting and probably relates to the call center the scam is run from or at least ex-employees from there who use some of the same infrastructure and telecoms providers that United Outbound do. This site lists the same address on a copy of their website from 2013:

AA-50 Sector 1 Salt Lake,
1st Floor,
Kolkata – 700064,
India, West Bengal.
T: +91-9830096207
E: support@unitedinside.org

The company, at the time, was touting the generic 24×7 telephone support, web design services and telemarketing services.
The domain unitedeservices.co.uk is also owned by the same Arpit guy at the same Sector 1 address and was once used for recruiting call center workers.

UTD e-Services Private Limited actually stands for United e-Services who’s website is http://cometounited.com/ and also have a presence on LinkedIn and Facebook:
https://www.linkedin.com/company/united-e-services
https://www.facebook.com/pages/United-E-Services-in-Salt-Lake/510121185737969
https://www.facebook.com/UnitedEServices

One result appears from Facebook of a disgruntled ex-employee too who claims they didn’t pay him after he complained that he can’t scam people:

utd-e-services-scam-facebook

Arpit Parakh appears on Facebook too linked with the United e-Services page.
Their company, as well as outbound scam calling people, also seems to provide onsite support for businesses in Calcutta. It also looks like they may have already had a raid / shut down of their tech support scam in 2012 which also gives away the fact they outbound dial for it!
united e-services tech support outbound dial shut down

Edit: 13th June 2015 – I called these people again to check. I was worried they were spoofing the caller ID of Microsoft. I called and hung up when they greeted me “Hello, Microsoft”.
They instantly called back and launched into the “your computer is infected, this is why we may have called you” junk.. then did their normal scam.

This time they just used the syskey password of “q”.

The file they put on my desktop to try and phish my card details gave away a username of the scammer computer.. C:\Users\Zahid

I’ve also tracked down this domain associated with the scam:

http://microsoftsupport.ga/Contacts/

moneygramscam-microsoft

The page they just used for phishing and copy / pasting the details for use on Western Union later on in the scam. The form doesn't do anything.

The page they just used for phishing and copy / pasting the details for use on Western Union later on in the scam. The form doesn’t do anything.

Copy and paste

Copy and paste “my” details :<

western-union-recipientMultiple times during the call (sadly I lost the call recording due to complications with the way my system triggers a call recording and multiple calls in a row) I asked if I could speak to Arpit Parakh and commented on company names that I had researched in the past.

None of the requests were met with a “ok”, they were either genuinely confusing names to her or she tried to go back to the script.

Update: 15th June 2015 – Another syskey password being used by the scammers is “12344321”. This time they tried getting the victim to log into their internet banking to perform direct payments after Western Union money sends using credit and debit cards were denied / declined. I think their inbound number, 01163183604, has also been suspended! The call won’t connect from my mobile phone or my land line.

Update: 16th June 2015 – Extensive googling finally resulted in me finding another person who has attributed these calls to United e-Services / United Outbound!
www.stayingaliveuk.com/blog/2014/11/computer-virus-scammers-in-india

Update: 24th Jan 2016: Another syskey password being used this month is “1234589”

Advertisements
This entry was posted in Uncategorized. Bookmark the permalink.

2 Responses to Fake Microsoft support caller demanding Moneygram payments.

  1. Pingback: TalkTalk Western Union / moneygram scammers re-appear | thecomputerperson

  2. Pingback: TalkTalk Refund Scammers part 3 | thecomputerperson

Comment on this topic

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s