Scammers hired hundreds of 'staff' to defraud TalkTalk customers

Hundreds of staff were hired by scammers in Indian call centres to defraud TalkTalk customers, according to a BBC report revealing the extent of the scam. According to the report, employees worked in shifts and earned £120 per month phoning TalkTalk customers. The whistleblowers say they were given a script in which they were …

  1. chivo243 Silver badge

    ???

    install a computer virus via a trojan, someone please explain this one?

    1. Mage Silver badge
      Headmaster

      Re: ???

      I'll bite.

      A "trojan" isn't always a virus. It's something dressed as something else. Beware Greeks bearing gifts, or Geeks baring Gifs. c.f. Story of fall of Troy.

      They existed in mainframe days, a free 9 track tape with a demo would actually also do something else.

      A Trojan might have any purpose. It usually needs to be explicitly run. It might be presented as "click here to install this codec you need", or as a legitimate app.

      A "virus" is code that replicates itself from the computer it somehow got on, to another computer via any method. Amiga should have warned MS that "autorun" CDs on Win95 was rather ideal for a virus replication medium.

      Malware can obviously combine Trojan and Virus techniques.

      A root kit is a way of hiding malware; it may be legitimate, such as a special kind of device driver to emulate some particular hardware, or to make a mounted ISO look like a CD/DVD to anti-piracy software.

      I suspect wikipedia, bing, google, yahoo answer the question.

      1. chivo243 Silver badge

        Re: ???

        Yes, I did google before posting,

        http://www.computerhope.com/issues/ch001045.htm

        http://www.tech-faq.com/trojan-virus.html

        and do know one or two things hence my question about the phrase, which I'd never heard/read in 20 years in the industry.

        Now I know a bit more... but in this day and age of fake news who the hell knows anything?

    2. Calleb III

      Re: ???

      "install a computer virus via a trojan, someone please explain this one?"

      Just speculation as to whether that was the case here, but a popular method is something along the lines of:

      Scammer: Sir/Madame we detected that your computer is infected by viruses and as you are a valued customer we offer you free technical assistance in removing them.

      TalkTalk punter: How can I trust you are from TalkTalk?

      Scammer: Here is your account number and private details that you only share with TalkTalk (gives leaked details from the TalkTalk hack)

      TalkTalk punter: OK, I trust you are from TT, now what?

      Scammer: Please go to https://TalkTalkSupport.org/support download and install the remote assistance software that I need in order to get access to your PC and clean the viruses

      TalkTalk punter: Ok, I'm installing the tool but my anti-virus warns me it might be a Trojan

      Scammer: Not to worry kind sir, this is normal, just ignore the warning, I'm from TalkTalk, you trust me, no?

      Scammer proceeds to gain access to the punter PC and instead of cleaning imaginary viruses actually infects it.

    3. Flocke Kroes Silver badge

      Re: ???

      From the description in the article I would have gone with "used social engineering to install a RAT". It looks like part of the story came via the BBC where I bet they "used technobabble because they do not know any better".

    4. Anonymous Coward

      Re: ???

      The answer is simple. It's called the Get Windows 10 trojan that installs the Windows 10 virus.

      *Cough*

  2. Phil O'Sophical Silver badge

    There's a reason they called themselves TalkTalk and not ActAct

    "we take our responsibility to protect our customers very seriously."

    and

    "helping all our customers to keep themselves safe"

    So which is it, they protect customers, or they expect customers to do it themselves?

    Never mind, I know the answer

    1. Anonymous Coward

      Re: There's a reason they called themselves TalkTalk and not ActAct

      Aren't they ultimately in control of what voice calls and data is transmitted to the customer?

      Surely it all has to pass through the Talk Talk network to get to the end user??

      Could they find no way of identifying and blocking all traffic from a couple of Indian call centres??

      1. Anonymous Coward

        Re: There's a reason they called themselves TalkTalk and not ActAct

        yes, but Talk Talk is Cheap Cheap,

        Blocking the call centers will simply make them move, not stop. Same as freezing account transactions etc.

        You have to find the people in charge and get them locked up and their ill-gotten-gains seized.

        I am sure this is not legal, in spite of the cross-border complications, so I would have thought the police there could still act in India.

      2. Mage Silver badge
        Coffee/keyboard

        Re: blocking all traffic from a couple of Indian call centres?

        That might block too much "legitimate" support that's been outsourced!

      3. A Non e-mouse Silver badge

        Re: There's a reason they called themselves TalkTalk and not ActAct

        "Could they find no way of identifying and blocking all traffic from a couple of Indian call centres??"

        At the minimum, the scammers can just send no phone number, so identifying them is impossible. Alternatively, the scammers can just transmit fake/false phone numbers, which is trivial to do and almost impossible to detect.

        1. Roland6 Silver badge

          Re: There's a reason they called themselves TalkTalk and not ActAct

          "Alternatively, the scammers can just transmit fake/false phone numbers, which is trivial to do and almost impossible to detect."

          Hence why you get the situation:

          "Another customer who was contacted by scammers in December separately, got in touch with The Register to share the telephone number from which they rang in order to defraud him by £257.

          The Register phoned the number, but the respondent purporting to be a TalkTalk representative hung up when we put it to them the number was being used by fraudsters."

          Now did El Reg talk to a real TalkTalk person, who thought they were being wound up, or were they talking to the scammers?

          The problem seems to be there is no checking, whatsoever, of the CLI by the telcos. There is no reason why companies couldn't opt in to a service that enabled telcos to check CLIs and guarantee that particular CLIs will only be on calls from predefined 'official' sources.

    2. A Non e-mouse Silver badge

      Re: There's a reason they called themselves TalkTalk and not ActAct

      Just because you're a user of TalkTalk's services and pay them money, doesn't mean they consider you their customer...

  3. Brewster's Angle Grinder Silver badge

    When everybody says, "let's regulate X", I think of this. We all agree it's bad. Why can't we stop it? If we can't, what chance have we got with the rest of the internet?

  4. g00se
    Joke

    Carthago delenda est

    Aren't TalkTalk doing a pretty good job of defrauding TalkTalk customers?

    1. Hollerithevo

      Re: Carthago delenda est

      Sadly, Carthago is not delended. Dido still remains queen.

  5. JimmyPage Silver badge
    Flame

    If only someone had foreseen this ...

    Oh, they did. When it happened. Here, on El Reg.

    Many commentards at the time highlighted that given such a massive breach, there was basically a red carpet for call scams such as this to fleece a few unwary victims.

    Once again UK law is not fit for purpose, if it continues to insist that data breaches cost the victim "nothing".

    Remember, in some cases, a data breach may lead to kidnap or murder.

  6. Doctor Syntax Silver badge

    A TalkTalk spokeswoman said... “We take our responsibility to protect our customers very seriously."

    And did she keep a straight face whilst saying it?

    1. Commswonk

      A TalkTalk spokeswoman said... “We take our responsibility to protect our customers very seriously."

      I don't believe anyone actually says it. I invite fellow commentards to try the following:

      Imagine yourself to be a TalkTalk spokesdrone; now try actually saying the above. You will find your mouth automatically forms itself into "laugh" mode and your abdominal muscles will go into spasm as you force yourself to suppress the laugh. Advanced participants should imagine being in a room with other people who (knowing what you are going to say) are stuffing handkerchiefs into their mouths to avoid giving themselves away by guffawing in the background. Imagine them bent double with mirth. And they are probably having a bet on whether or not you will get through the sentence without laughing yourself. There is probably a chart on the wall with the total number of bogus apologies issued that week as well.

      "This is why we launched our ‘Beat the Scammers’ campaign, helping all our customers to keep themselves safe from scammers..."

      Perhaps this "campaign" should have been the subject of an Internal Memorandum rather than published advice for customers...

    2. find users who cut cat tail

      This is most likely a misquote and she said ‘we fake our responsibility...’.

  7. Mark Jan

    Happening Long Before the Data Breaches made Public

    These calls were being made way before the data breaches were made public.

    I actually received these calls at least a year or two before. The thick Indian accents weren't all that unusual (this was TalkTalk after all with call centres not only in India but S Africa etc).

    The first ever call I received was at least superficially convincing in that the caller had all my details. That is: full name, account number, bank details etc. The call began to get a bit more suspicious as it progressed though, that a virus has been detected on my machine, they would clean it etc etc. Now, an "ordinary" punter might think what a great company TalkTalk is, the PC has been running a bit slow recently and the caller has all my details to hand so they must be genuine. People who frequent this site don't fall into that category but the detailed account knowledge is what could convince Joe Public.

    Once I confronted the caller and exposed him for what he was, I remember his knowledge of swear words being quite extensive, then receiving a death threat together with threats of my wife and daughters being raped.

    I called TalkTalk to tell them they clearly had a data breach. They dismissed my concerns.

    1. Anonymous Coward

      Re: Happening Long Before the Data Breaches made Public

      Mark, I used to 'bait' them (smoke coming from computer requesting they call the fire service for me, my computer developing wheels and hiding around the house etc), and frankly the nastier they got the funnier I found it. But, sheer volume of calls broke my spirit, and now I just boringly put the phone down. But yeah, some of them have an unpleasant side if you tweak them right, no mistake. Girls as well as chaps.

  8. Anonymous Coward

    Indian? We're still getting about 3 calls a day from a variety of numbers in Weybridge, all claiming to be Talk Talk. They only differ by the last 4 digits so it should be possible to track them down to a building, but despite the numbers being reported to Talk Talk, nothing happens.

    1. Lee D Silver badge

      With modern SIP trunking, it's almost impossible to bother to police like that.

      I can get a Weybridge number in seconds, dialled into from the other side of the world, paid with a credit card (probably stolen if they are a scammer) in minutes, and it would take days to work out what was happening and shut it down.

      Additionally, when you did shut it down, it would take only minutes to set up another or use one I've set up previously but not yet used to spam.

      CLI is as useless as a From: header in an email nowadays.

      Hell, if you do it right, you can have one telecoms system set up in your callcenter with staffed phones, and SIP trunks from all over the world that weren't traceable to that IP (just wrap them in various VPNs, who cares?), and every time a SIP trunk falls over, you have another ten programmed to go. Your staff would never know, your system would just carry on working flawlessly, the SIP people wouldn't be able to play catch-up fast enough, and it would be rather difficult to trace to you.

      And when you commit fraud for a living, that kind of setup is probably the bare basics. To be honest, when they catch phone scammers in the UK where every phone is just registered to a certain business that they then raid, I feel a hint of disappointment that they were that stupid to get caught.

      Hell, Skype will give you phone numbers galore for a couple of quid a month.

  9. Lee D Silver badge

    I find that the phrase:

    "You are aware that you're committing fraud for a living, don't you?"

    usually gets an immediate hangup. I've actually had revealing talks with some of them, where they are quite unhappy with what they are doing.

    1. Anonymous Coward

      And what if they respond instead, "Yes, I do, I LOVE it, and since I live in <Insert Western-hostile country here>, there's f***-all you can do about it. In fact, I'm telling my staff to start calling you several times a day using untraceable numbers. Have a nice day!" hangs up and cues a call storm?

      1. Lee D Silver badge

        With multiple SIP trunks at my disposal? Not a lot. Especially once you call the BT abuse line and just tell them to intercept your line for an hour because of the harassing calls. BT don't much care for such things and have ways to block it upstream and take you out of business past a certain point. Did it to a bank, who got threatened with all their phonelines being disabled (they had an automated dialler that went potty and just kept dialling the same number, no CLI, but soon after BT intercepted it I got a phone call from the managing director of the bank to apologise).

        I don't answer non-CLI calls and it takes only a few seconds to add certain groups of international numbers for, say, a few days to a very, very, very long and boring phone menu that costs me nothing to send them through, doesn't disturb or interfere with my system at all, but costs them a lot to dial and listen to.

        (Last time someone tried to pull similar stuff it was actually a UK letting agent I was dealing with, who didn't have anything at all techy in the way of a switchboard, and I pissed one of the call-centre guys off so they thought it would be funny to keep ringing from all their different numbers and from withheld numbers. So I called their call centre direct - always argue prepared - and when they realised who I was, i.e. the guy they were trying to spam for sport, they kept hanging up. So I jammed their phone lines solid for 30 minutes with automated calls and scripted it to ring me only when they decided to stay on the line for more than a few seconds. Basically, I carried on with my day and just waited for the phone to ring which meant they actually wanted to talk rather than hang up or play pranks. They confessed that they couldn't do any business for all that time and eventually relented and dealt with my complaint - after threatening all kinds of things that never happened. Probably cost me about £10. I think it cost them a LOT more. Worth every penny for the phrase "No, look, we're sorry, please stop")

        1. Steve the Cynic

          The classic scam in France is dialling with a CLI on an 09XX prefix, that is, a premium number, and then hanging up. If the callee picks up, speak as if you can't hear them, even if they haven't said anything because you say "I can't hear you" as soon as they pick up...

          If the callee calls back, big bill for the premium rate number...

  10. Anonymous Coward

    It's been a long time since I have had any cold calls - even more so for the "Microsoft support" scam.

    Had one this morning - usual Indian subcontinent accent "international" caller. Made me wonder if it was connected with a long conversation I had about an intermittent broadband fault with BT's Indian help desk yesterday.

  11. Anonymous Coward

    CLI = useless

    Increasingly, spam calls are from the same STD code as your number, certainly a pattern I've seen recently; the cost is negligible and it makes the call look more legitimate.

  12. Andy The Hat Silver badge

    Easy way to stop this ...

    If you get a call from a Talk Talk 'representative' redirect it to the bar steward of a 'representative' from Microsoft and let them have a nice conversation with each other ... At some point I'll probably hire out my mother as a call-divert number as she can talk at anyone for an hour too ...

  13. Tony S

    Hundreds of staff were hired by scammers...

    Probably more than TalkTalk employ themselves...

  14. Anonymous Coward

    I get dozens of these calls.

    In the end, I started asking for my account number for security purposes.

    They never get it right.

    1. Charles 9

      But according to the article, they sometimes DO use actual stolen account information.

      1. Anonymous Coward

        Oh, they do know my Mom's name and address...

        ...just not the account number.

  15. Anonymous Coward

    I've got an anti-scammer solution that works...

    If the caller has an Indian accent I put the phone down.

    "Legitimate" businesses who choose to outsource are cheapskates. If their "support" is outsourced, it's usually script-followers and rubbish. I'd rather deal with competent organisations that do give a damn about customer care even if it does cost me a bit more.

    1. Anonymous Coward

      Re: I've got an anti-scammer solution that works...

      But what if it costs a LOT more, such that you're caught between Scylla and Charybdis: between either getting cheapo support or support you cannot afford which equates to no support at all?

      1. Anonymous Coward

        Re: I've got an anti-scammer solution that works...

        Fair comment but cheapo support, sat in a call queue for ages only to end up speaking to a moron with a salary related to number of calls closed - does that constitute support?

        There are companies that manage to get it right.

        Trouble is if, as a reasonably intelligent competent user, you've found a provider that delivers quality support you then tell people about it and idiot users sign up and start asking idiot user questions creating a problem for the provider. The provider's response may be outsource or staff up front-line support with script followers paid by number of calls handled per hour so incentivised to fob you off.

        A better response is to have an SLA allowing a user, say, 30 mins a month of support or maybe a premium rate support line and employ front-line that's trained to know when to escalate to experts and calls are always followed up with a brief "how did we do" email.

        The prime example of doing it well must be First Direct bank.

  16. Anonymous Coward

    Had great fun for about 20 minutes with one of these Indian gentlemen on Saturday stating my dissatisfaction with my Talk Talk broadband performance when indulging in my (completely fake) obsessive pornography habit. Of course I had to go into graphic detail about my habit and how upset I was that my videos kept stopping just as I was on the vinegar strokes.

    1. Anonymous Coward

      So you value your time less than his rate of $1 an hour? Who's the mug?

      1. Anonymous Coward

        $1/hr in India's likely a living wage, unlike here.

  17. Anonymous Coward
    Joke

    So...

    is Talk Talk a scam or not?

  18. LisaJK

    Indian scammers still continuing

    My parents still get at least one apparently Indian scam call a day claiming to be from TalkTalk, so it's not ended by a long way yet.

    I guess that once the phone number list is out there, it's difficult to stop scammers trying the numbers.

  19. Anonymous Coward

    2017 Still calling using the old hacked info

    These people are still using the old hacked info and today 22/6/2017 I get another call this time I answered only to be told I had internet problems, which was not true. This guy introduced himself as Max work id E261076 then told me that he needed to fix the problem of the virus attack he continued to ask me to take down my talk talk account number which I did and I asked him for his telephone number which he gave me 02031296265. I questioned this as the number displaying on my phone was 00572849929 to which he replied the call we make comes from a switchboard so this is different each time we call the customers. hmmm

    Whilst he was talking I logged on to Talk Talk to check the acct id and what he had given me was correct. I was surprised as this is a security breach to still have this personal info, my question is why didn't Talk Talk change the account numbers for all their customers once this hack occurred in 2015? I told the guy I was talking to Talk Talk as we spoke relating my question as to why this scammer had my account number which should have been changed for security reasons and the scammer as soon as he realised I was communicating with Talk Talk he hung up.

    This is a security breach that Talk Talk has not dealt with and should have changed all the acct ids using letters and numbers. This would then protect the unaware as they checked this info before unwittingly departing with any info and hanging up. There are thousands of customers and they will get lucky at some point. Either the original hackers must have sold this info on or are still employed because the personal account ids to date are still valid.
