(Just for clarification, this does not involve the real Microsoft.)
A few minutes ago I received a call to my cell phone from a rather nice, if somewhat hard to understand, gentleman who informed me that Microsoft had received highly unusual traffic from my computer.
"How did they get my number," I thought to myself. "Must be some lucrative agreement with the NSA."
Directing my attention back to the kind soul on the other end of the line, no doubt a descendant of those long oppressed by the British Empire in their search for the perfect curry blend, I asked for more information. He went on to say that the insidious network traffic was being sent as we spoke.
[Image: Expert technical support]
Silence.
Having obviously caught him mid-sip of what must have been perfectly spiced chai, he replied, "TCP."
Pressing further, I followed with "What port?"
"8080," the patient fellow answered with a somewhat ominous tone.
The dreaded port 8080 - what skullduggery was afoot?
He then instructed me to find my control key. Check.
"What is the key next to the control key?"
My lips trembled for a moment, pondering the dire implications of my next answer.
"The Windows key?"
"Very good then," he said. "Please hold down the Windows key and the R key. What do you see?"
I complied, but nothing happened. Was it too late? Could my computer be saved?
"Nothing happened," I answered.
Slightly dismayed, he reminded me of the crucial key combination and awaited my response.
[Image: My worst fears realized]
Undeterred by the fact that I was running the evil Linux, he guided me to a web site called www.pccheck.us. "Dot US, must be trustworthy! It's from Murrica," I thought to myself.
Upon accessing the site, all manner of tests for nefarious activity ensued. It looked bad. Really bad.
The gentleman inquired as to the results of the highly sophisticated scan. I stalled - "I'm sorry, my internet is really slow today." Perhaps it was due to the countless legions of viruses infecting my computer.
Then again, maybe it was due to me doing a little snooping on the backend. Eventually the "Microsoft tech" gave up and dropped the call.
Taking a look at the page source showed nothing more than scripts for flashy progress bars and randomly generated counts of the naughty things it "found" on your PC.
Of course, the first tip-off was the phone number listed on the caller ID - 99999992114. If you're going to fake a phone number, at least put some effort into it!
So what juicy info could I find on our betel-chewing friend? Not much, and all of it very predictable.
[Querying whois.nic.us]
[whois.nic.us]
Domain Name: PCCHECK.US
Domain ID: D46472462-US
Sponsoring Registrar: PDR LTD. D/B/A PUBLICDOMAINREGISTRY.COM
Sponsoring Registrar IANA ID: 303
Registrar URL (registration services): www.publicdomainregistry.com
Domain Status: clientTransferProhibited
Variant: PCCHECK.US
Registrant ID: DI_37041585
Registrant Name: NAUSHEEN AHMAD
Registrant Organization: N/A
Registrant Address1: SALT LAKE
Registrant City: KOLKATA
Registrant State/Province: West Bengal
Registrant Postal Code: 700101
Registrant Country: India
Registrant Country Code: IN
Registrant Phone Number: +91.9681409888
Registrant Email: roshni0087@gmail.com
Registrant Application Purpose: P1
Registrant Nexus Category: C11
Administrative Contact ID: DI_37041585
Administrative Contact Name: NAUSHEEN AHMAD
Administrative Contact Organization: N/A
Administrative Contact Address1: SALT LAKE
Administrative Contact City: KOLKATA
Administrative Contact State/Province: West Bengal
Administrative Contact Postal Code: 700101
Administrative Contact Country: India
Administrative Contact Country Code: IN
Administrative Contact Phone Number: +91.9681409888
Administrative Contact Email: roshni0087@gmail.com
Administrative Application Purpose: P1
Administrative Nexus Category: C11
Billing Contact ID: DI_37041585
Billing Contact Name: NAUSHEEN AHMAD
Billing Contact Organization: N/A
Billing Contact Address1: SALT LAKE
Billing Contact City: KOLKATA
Billing Contact State/Province: West Bengal
Billing Contact Postal Code: 700101
Billing Contact Country: India
Billing Contact Country Code: IN
Billing Contact Phone Number: +91.9681409888
Billing Contact Email: roshni0087@gmail.com
Billing Application Purpose: P1
Billing Nexus Category: C11
Technical Contact ID: DI_37041585
Technical Contact Name: NAUSHEEN AHMAD
Technical Contact Organization: N/A
Technical Contact Address1: SALT LAKE
Technical Contact City: KOLKATA
Technical Contact State/Province: West Bengal
Technical Contact Postal Code: 700101
Technical Contact Country: India
Technical Contact Country Code: IN
Technical Contact Phone Number: +91.9681409888
Technical Contact Email: roshni0087@gmail.com
Technical Application Purpose: P1
Technical Nexus Category: C11
Name Server: NS2000.MOCHAHOST.COM
Name Server: NS1000.MOCHAHOST.COM
Created by Registrar: PDR LTD. D/B/A PUBLICDOMAINREGISTRY.COM
Last Updated by Registrar: PDR LTD. D/B/A PUBLICDOMAINREGISTRY.COM
Domain Registration Date: Tue Sep 02 19:56:57 GMT 2014
Domain Expiration Date: Tue Sep 01 23:59:59 GMT 2015
Domain Last Updated Date: Tue Sep 02 19:56:58 GMT 2014
DNSSEC: false
>>>> Whois database was last updated on: Tue Oct 21 16:06:28 GMT 2014 <<<<
Did I read that right? Salt Lake, Kolkata? That was good for a chuckle.
; <<>> DiG 9.3.6-P1-RedHat-9.3.6-16.P1.el5_7.1 <<>> www.pccheck.us ANY
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40347
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;www.pccheck.us. IN ANY
;; ANSWER SECTION:
www.pccheck.us. 9705 IN CNAME pccheck.us.
;; ADDITIONAL SECTION:
pccheck.us. 9705 IN A 198.38.82.4
;; Query time: 24 msec
Ok, we now have an IP.
NetRange: 198.38.80.0 - 198.38.95.255
CIDR: 198.38.80.0/20
OriginAS: AS23352
NetName: MOCAH-1
NetHandle: NET-198-38-80-0-1
Parent: NET-198-0-0-0-0
NetType: Direct Allocation
RegDate: 2012-04-20
Updated: 2012-04-20
Ref: http://whois.arin.net/rest/net/NET-198-38-80-0-1
OrgName: Mochahost.com
OrgId: ML-17
Address: 2880 Zanker Rd #203
City: San Jose
StateProv: CA
PostalCode: 95134
Country: US
RegDate: 2011-05-25
Updated: 2013-07-03
Ref: http://whois.arin.net/rest/org/ML-17
OrgAbuseHandle: MLABU-ARIN
OrgAbuseName: ML-ABUSE
OrgAbusePhone: +1-408-351-0116
OrgAbuseEmail: abuse@mochahost.com
OrgAbuseRef: http://whois.arin.net/rest/poc/MLABU-ARIN
OrgTechHandle: MLADM-ARIN
OrgTechName: ML-ADMIN
OrgTechPhone: +1-408-351-0116
OrgTechEmail: daves@mochahost.com
OrgTechRef: http://whois.arin.net/rest/poc/MLADM-ARIN
OrgTechHandle: MDG35-ARIN
OrgTechName: Gams, Matthew D.
OrgTechPhone: +1-920-232-9914
OrgTechEmail: matthew.gams@xipher.net
OrgTechRef: http://whois.arin.net/rest/poc/MDG35-ARIN
#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
#
# If you see inaccuracies in the results, please report at
# http://www.arin.net/public/whoisinaccuracy/index.xhtml
#
Mochahost.com. Let's see what we get there...
Domain Name: MOCHAHOST.COM
Registry Domain ID: 100160031_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.enom.com
Registrar URL: www.enom.com
Updated Date: 2014-06-07 01:35:39Z
Creation Date: 2003-07-06 20:35:16Z
Registrar Registration Expiration Date: 2015-07-06 20:35:00Z
Registrar: ENOM, INC.
Registrar IANA ID: 48
Registrar Abuse Contact Email: abuse@enom.com
Registrar Abuse Contact Phone: +1.4252982646
Domain Status: clientTransferProhibited
Registry Registrant ID:
Registrant Name: SHARED AND MANAGED HOSTING
Registrant Organization: MOCHAHOST
Registrant Street: 2880 ZANKER RD. #203
Registrant City: SAN JOSE
Registrant State/Province: CA
Registrant Postal Code: 95134
Registrant Country: US
Registrant Phone: +1.18886761343
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: SALES@MOCHAHOST.COM
Registry Admin ID:
Admin Name: SHARED AND MANAGED HOSTING
Admin Organization: MOCHAHOST
Admin Street: 2880 ZANKER RD. #203
Admin City: SAN JOSE
Admin State/Province: CA
Admin Postal Code: 95134
Admin Country: US
Admin Phone: +1.18886761343
Admin Phone Ext:
Admin Fax:
Admin Fax Ext:
Admin Email: SALES@MOCHAHOST.COM
Registry Tech ID:
Tech Name: SHARED AND MANAGED HOSTING
Tech Organization: MOCHAHOST
Tech Street: 2880 ZANKER RD. #203
Tech City: SAN JOSE
Tech State/Province: CA
Tech Postal Code: 95134
Tech Country: US
Tech Phone: +1.18886761343
Tech Phone Ext:
Tech Fax:
Tech Fax Ext:
Tech Email: SALES@MOCHAHOST.COM
Name Server: DNS1.MOCHASUPPORT.COM
Name Server: DNS2.MOCHASUPPORT.COM
Name Server: DNS3.MOCHASUPPORT.COM
DNSSEC: unSigned
URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/
Last update of WHOIS database: 2014-06-07 01:35:39Z
I doubt it will do any good, but I'll see if I can elicit some kind of response from their dutiful abuse contacts. Stay tuned.
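The lookups above follow a fixed pattern: registry whois for the domain, dig for the address it resolves to, ARIN whois for the netblock, and finally the hosting provider's abuse contact. The script below is an added example, not code from the original post; it parses trimmed excerpts of those same outputs (embedded inline so it runs offline) into structured fields, works out how young the domain was at the time of the lookup, and assembles the abuse contacts an incident report would go to. The 90-day "young domain" threshold is my own assumption; the field names are those printed by whois.nic.us, dig and ARIN in the post.

```python
"""Triage a suspect domain from whois/dig output (added example, not from the post).

Parses 'Key: Value' whois records and dig resource records, derives the
domain's age at lookup time, and collects the abuse contacts to report to.
"""
import re
from datetime import datetime, timezone

# Trimmed excerpt of the whois.nic.us record quoted in the post.
DOMAIN_WHOIS = """\
Domain Name: PCCHECK.US
Sponsoring Registrar: PDR LTD. D/B/A PUBLICDOMAINREGISTRY.COM
Domain Status: clientTransferProhibited
Registrant Country Code: IN
Name Server: NS2000.MOCHAHOST.COM
Name Server: NS1000.MOCHAHOST.COM
Domain Registration Date: Tue Sep 02 19:56:57 GMT 2014
Domain Expiration Date: Tue Sep 01 23:59:59 GMT 2015
DNSSEC: false
>>>> Whois database was last updated on: Tue Oct 21 16:06:28 GMT 2014 <<<<
"""

# Trimmed excerpt of the dig output quoted in the post.
DIG_OUTPUT = """\
;; ANSWER SECTION:
www.pccheck.us. 9705 IN CNAME pccheck.us.
;; ADDITIONAL SECTION:
pccheck.us. 9705 IN A 198.38.82.4
"""

# Trimmed excerpt of the ARIN netblock record quoted in the post.
ARIN_WHOIS = """\
CIDR: 198.38.80.0/20
OrgName: Mochahost.com
OrgAbuseEmail: abuse@mochahost.com
OrgTechEmail: daves@mochahost.com
"""

WHOIS_DATE = "%a %b %d %H:%M:%S GMT %Y"  # e.g. "Tue Sep 02 19:56:57 GMT 2014"
YOUNG_DOMAIN_DAYS = 90                  # assumed threshold, not from the post


def parse_whois(text):
    """Turn 'Key: Value' lines into a dict; keys that repeat become lists."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Za-z][A-Za-z0-9 /()_-]*?):\s*(.*?)\s*$", line)
        if not m:
            continue  # comment lines, banners, '>>>> ... <<<<' footers
        key, value = m.group(1), m.group(2)
        if key in fields:
            if not isinstance(fields[key], list):
                fields[key] = [fields[key]]
            fields[key].append(value)
        else:
            fields[key] = value
    return fields


def whois_snapshot_time(text):
    """Time the registry's database was last updated, i.e. when we observed it."""
    m = re.search(r"last updated on:\s*(.+?)\s*<<<<", text)
    if not m:
        raise ValueError("no 'last updated on' footer in whois output")
    return datetime.strptime(m.group(1), WHOIS_DATE).replace(tzinfo=timezone.utc)


def parse_dig(text):
    """Collect dig resource records as {type: [(owner, rdata), ...]}."""
    records = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith(";"):
            continue  # section headers, stats and the banner all start with ';'
        parts = line.split()
        if len(parts) < 5:
            continue
        owner, rtype, rdata = parts[0], parts[3], " ".join(parts[4:])
        records.setdefault(rtype, []).append((owner.rstrip("."), rdata.rstrip(".")))
    return records


def triage(domain_whois, dig_output, arin_whois, young_days=YOUNG_DOMAIN_DAYS):
    """Combine the three lookups into one report-ready summary."""
    dom, net, rr = parse_whois(domain_whois), parse_whois(arin_whois), parse_dig(dig_output)
    registered = datetime.strptime(dom["Domain Registration Date"], WHOIS_DATE)
    registered = registered.replace(tzinfo=timezone.utc)
    age_days = (whois_snapshot_time(domain_whois) - registered).days
    indicators = []
    if age_days < young_days:
        indicators.append(f"domain registered only {age_days} days before the lookup")
    return {
        "domain": dom["Domain Name"].lower(),
        "registrar": dom.get("Sponsoring Registrar"),
        "age_days": age_days,
        "cname": {owner: target for owner, target in rr.get("CNAME", [])},
        "a_records": [ip for _owner, ip in rr.get("A", [])],
        "netblock": net.get("CIDR"),
        "hosting_org": net.get("OrgName"),
        "abuse_contacts": [net[k] for k in ("OrgAbuseEmail",) if k in net],
        "indicators": indicators,
    }


def format_report(summary):
    """Render the summary as the plain-text body of an abuse report."""
    lines = [f"Domain: {summary['domain']} (registrar: {summary['registrar']})",
             f"Resolves to: {', '.join(summary['a_records'])} in {summary['netblock']}",
             f"Hosting org: {summary['hosting_org']}; report to: {', '.join(summary['abuse_contacts'])}"]
    lines += [f"Indicator: {i}" for i in summary["indicators"]]
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(triage(DOMAIN_WHOIS, DIG_OUTPUT, ARIN_WHOIS)))
```

Run it as-is to get the report for the excerpts, or feed it the saved output of your own `whois`, `dig` and ARIN queries. The domain-age figure comes from the registry's own "last updated" footer rather than the wall clock, so the result is reproducible from a stored record: here the domain was 48 days old when the post's lookup was made.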
On a completely serious note, here's some info from Microsoft on the current trend of scam phone calls.