So.. another TalkTalk refund / western union scam.
You can find my previous articles on this scam here, with call recording, and here.
This time – customer is cold called by someone claiming to be from TalkTalk.
To prove their authenticity they tell the victim their TalkTalk account number – victim goes off to their filing cabinet and indeed the account number is correct. Using this “validation” the victim then follows the instructions to connect “TalkTalk” (the scammers) to their computer.
When connected to their computer they run the following .bat file:
echo
color cc
cd..
cd..
cd..
tree
tree
Current Status:Router software warrenty has been expired..Router is not compatible with this network..Computer got corrupted and damaged 61 percent…Router needs to be changed…Customer is eligible to get back a refund of 320GBP from TALKTALK via BANk…
pause
@ECHO off
:Begin
msg * Router software warrenty has been expired..Router is not compatible with this network..Computer got corrupted and damaged 61 percent…Router needs to be changed…Customer is eligible to get back a refund of 320GBP from TALKTALK via BANk…
msg * may corrupt your system or processor
msg * go to this site money will be refundable….
start http://www.talktalkb.yolasite.com
The final step of that batch file loads a fake version of the TalkTalk site. Under the Contact tab are very convenient, easy-to-click logos that the scammers talk the victim into clicking, so that the victim logs into their online banking and the scammer can then transfer money or, at the very least, obtain more personal details.
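For anyone who ends up triaging one of these scripts from a victim's machine, here is a small Python checker, added as an example here and not part of the original post or of any TalkTalk tooling. It flags the features that give this kind of batch file away (system-wide `msg *` pop-ups, a `tree` listing used as a fake "scan", refund/warranty scare wording, and a `start http://...` that opens the fake site) and pulls out any URLs. The sample batch text is constructed and only modelled on the script above, the indicator names are my own, and the URL in it is a placeholder rather than the real scam site.

```python
import re

# Constructed sample, loosely modelled on the scammers' batch file in the post.
# It is NOT a verbatim copy, and the URL is a deliberate placeholder.
SAMPLE_BAT = """@echo off
color cc
cd..
tree
echo Current Status: Router software warranty has been expired. Computer got corrupted and damaged 61 percent. Customer is eligible to get back a refund of 320GBP.
pause
msg * Router needs to be changed. Customer is eligible to get back a refund via bank.
msg * go to this site money will be refundable
start http://example.invalid/fake-support
"""

# Indicator name -> (line-level regex, human-readable description).
# Names are my own labels, not any vendor's taxonomy.
INDICATORS = {
    "msg_popup": (re.compile(r"^\s*msg\s+\*", re.I),
                  "system-wide message box (msg *) used to scare the user"),
    "opens_url": (re.compile(r"^\s*start\s+https?://", re.I),
                  "opens a web page in the default browser via 'start'"),
    "fake_scan": (re.compile(r"^\s*tree\b", re.I),
                  "directory listing ('tree') used as a fake 'scan' of the PC"),
    "scare_wording": (re.compile(r"refund|warr[ae]nty|corrupt|damaged", re.I),
                      "refund / warranty / corruption wording typical of the lure"),
}

URL_RE = re.compile(r"https?://[^\s\"'>]+", re.I)


def triage_batch(text):
    """Return {indicator: [1-based line numbers]} for every indicator that fires."""
    hits = {name: [] for name in INDICATORS}
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, (pattern, _desc) in INDICATORS.items():
            if pattern.search(line):
                hits[name].append(lineno)
    return {name: lines for name, lines in hits.items() if lines}


def extract_urls(text):
    """All distinct http(s) URLs in the script, sorted, for blocking or reporting."""
    return sorted(set(URL_RE.findall(text)))


def verdict(hits):
    """Crude scoring: three or more distinct indicator classes -> likely support-scam script."""
    return "likely support-scam script" if len(hits) >= 3 else "inconclusive"


def report(text):
    """Human-readable summary of what fired and where."""
    hits = triage_batch(text)
    out = []
    for name, linenos in hits.items():
        out.append(f"{name:14} lines {linenos}: {INDICATORS[name][1]}")
    out.append(f"urls: {extract_urls(text)}")
    out.append(f"verdict: {verdict(hits)}")
    return "\n".join(out)


if __name__ == "__main__":
    print(report(SAMPLE_BAT))
```

Run it against the `.bat` recovered from the victim's machine (pass the file contents to `report`) to get the line numbers of each indicator and the URL list to hand to whoever manages your web filtering. The scoring is deliberately simple; the point is to recognise the pattern quickly, not to build a classifier.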
In my case they got as far as asking the victim to log into their online banking. The victim refused and hung up, but wasn't savvy enough to know to also turn off their computer. Shortly afterwards the computer's user account password had been changed and the registry had been syskeyed.
This time the scammers used the syskey password "9748". The computer account password appeared to be sufficiently complicated that ophcrack couldn't guess it.
The password hint set on the victim's Windows account was "western union".