Update on Modem hijacking/internet dumping

Hi all

Received a report from Primus about usage...below is the pertinent info
relating to the disputed calls. From this website
(http://www.wtng.info/wtng-spe.html#GMSS), the 881-3 number is reserved for
Ellipso (with 881-6 and 881-7 reserved for Iridium), however their
subscriber numbers are only supposed to be 5 digits long. So perhaps it IS
a Caribbean toll-free scam. You'd think Primus would know who they are
paying!!!!!!!! I told my uncle to call Iridium and confirm that it is one
of their numbers.

My uncle just got a new computer, with free high speed for a while, so
hopefully he's going to give me his old computer and I can try to find out
what gems he has polluting his system. He's really interested to know how
this scam works. Hopefully I'll find the dialler and be able to enlighten
him (after getting someone wayyyyy more tech savvy to check it out).

Someone emailed me and said they had the same thing happen to them. I'm
sure there must be more than two people out there this is happening to. Any
suggestions as to how to round up a "posse" to compare notes?

Date /Time/ Duration /Number /Destination /Trans Type /Amount
14/10/2005 13:09:53 000:14:00 8813306341 Iridium IDD 140.42
14/10/2005 20:28:12 000:01:00 8813306341 Iridium IDD 10.03
14/10/2005 20:29:14 000:01:00 8813306342 Iridium IDD 10.03
14/10/2005 20:30:01 000:01:00 8813306342 Iridium IDD 10.03
16/10/2005 14:34:39 000:01:00 8813306343 Iridium IDD 10.03
16/10/2005 14:35:37 000:02:00 8813306343 Iridium IDD 20.06
18/10/2005 9:22:09 000:01:00 8813306344 Iridium IDD 10.03
18/10/2005 9:23:38 000:01:00 8813306344 Iridium IDD 10.03
18/10/2005 9:27:08 000:01:00 8813306345 Iridium IDD 10.03
20/10/2005 9:30:23 000:01:00 8813306345 Iridium IDD 10.03
20/10/2005 9:30:45 000:01:00 8813306346 Iridium IDD 10.03
20/10/2005 9:31:32 000:05:00 8813306346 Iridium IDD 50.15
22/10/2005 9:31:07 000:01:00 8813306347 Iridium IDD 10.03
22/10/2005 9:31:47 000:01:00 8813306347 Iridium IDD 10.03
27/10/2005 21:11:10 000:01:00 8813306348 Iridium IDD 10.03
27/10/2005 21:11:46 000:01:00 8813306348 Iridium IDD 10.03
28/10/2005 19:40:42 000:03:00 8813306349 Iridium IDD 30.09
29/10/2005 9:55:06 000:01:00 8813306349 Iridium IDD 10.03
29/10/2005 9:55:46 000:05:00 8813306350 Iridium IDD 50.15
29/10/2005 10:12:06 000:01:00 8813306350 Iridium IDD 10.03
29/10/2005 10:12:50 000:01:00 8813306351 Iridium IDD 10.03
30/10/2005 11:15:03 000:01:00 8813306351 Iridium IDD 10.03
30/10/2005 11:16:17 000:02:00 8813306352 Iridium IDD 20.06
30/10/2005 15:01:48 000:01:00 8813306352 Iridium IDD 10.03
TOTAL $491.47

Thanks for all your input so far, "Old guy", Jim and Winged!

Toni

Toni from T.O.

From: "Toni from T.O." <>

| Hi all
|
| Received a report from Primus about usage...below is the pertinent info
| relating to the disputed calls. From this website
| (http://www.wtng.info/wtng-spe.html#GMSS), the 881-3 number is reserved for
| Ellipso (with 881-6 and 881-7 reserved for Iridium), however their
| subscriber numbers are only supposed to be 5 digits long. So perhaps it IS
| a Caribbean toll-free scam. You'd think Primus would know who they are
| paying!!!!!!!! I told my uncle to call Iridium and confirm that it is one
| of their numbers.
|
| My uncle just got a new computer, with free high speed for a while, so
| hopefully he's going to give me his old computer and I can try to find out
| what gems he has polluting his system. He's really interested to know how
| this scam works. Hopefully I'll find the dialler and be able to enlighten
| him (after getting someone wayyyyy more tech savvy to check it out).
|
| Someone emailed me and said they had the same thing happen to them. I'm
| sure there must be more than two people out there this is happening to. Any
| suggestions as to how to round up a "posse" to compare notes?
|
| Date /Time/ Duration /Number /Destination /Trans Type /Amount
| 14/10/2005 13:09:53 000:14:00 8813306341 Iridium IDD 140.42
| 14/10/2005 20:28:12 000:01:00 8813306341 Iridium IDD 10.03
| 14/10/2005 20:29:14 000:01:00 8813306342 Iridium IDD 10.03
| 14/10/2005 20:30:01 000:01:00 8813306342 Iridium IDD 10.03
| 16/10/2005 14:34:39 000:01:00 8813306343 Iridium IDD 10.03
| 16/10/2005 14:35:37 000:02:00 8813306343 Iridium IDD 20.06
| 18/10/2005 9:22:09 000:01:00 8813306344 Iridium IDD 10.03
| 18/10/2005 9:23:38 000:01:00 8813306344 Iridium IDD 10.03
| 18/10/2005 9:27:08 000:01:00 8813306345 Iridium IDD 10.03
| 20/10/2005 9:30:23 000:01:00 8813306345 Iridium IDD 10.03
| 20/10/2005 9:30:45 000:01:00 8813306346 Iridium IDD 10.03
| 20/10/2005 9:31:32 000:05:00 8813306346 Iridium IDD 50.15
| 22/10/2005 9:31:07 000:01:00 8813306347 Iridium IDD 10.03
| 22/10/2005 9:31:47 000:01:00 8813306347 Iridium IDD 10.03
| 27/10/2005 21:11:10 000:01:00 8813306348 Iridium IDD 10.03
| 27/10/2005 21:11:46 000:01:00 8813306348 Iridium IDD 10.03
| 28/10/2005 19:40:42 000:03:00 8813306349 Iridium IDD 30.09
| 29/10/2005 9:55:06 000:01:00 8813306349 Iridium IDD 10.03
| 29/10/2005 9:55:46 000:05:00 8813306350 Iridium IDD 50.15
| 29/10/2005 10:12:06 000:01:00 8813306350 Iridium IDD 10.03
| 29/10/2005 10:12:50 000:01:00 8813306351 Iridium IDD 10.03
| 30/10/2005 11:15:03 000:01:00 8813306351 Iridium IDD 10.03
| 30/10/2005 11:16:17 000:02:00 8813306352 Iridium IDD 20.06
| 30/10/2005 15:01:48 000:01:00 8813306352 Iridium IDD 10.03
| TOTAL $491.47
|
| Thanks for all your input so far, "Old guy", Jim and Winged!
|
| Toni
|

Now multiply that by the number of infected platforms. Good money scam via a Dialer Trojan.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm

David H. Lipman

"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
news:Xz9hf.5857$Dx3.4663@trnddc07...
>
> Now multiply that by the number of infected platforms. Good money scam
via a Dialer Trojan.
>

Right. Who's making the cash?

Toni from T.O.

From: "Toni from T.O." <>

|
| "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
| news:Xz9hf.5857$Dx3.4663@trnddc07...
>>
>> Now multiply that by the number of infected platforms. Good money scam
| via a Dialer Trojan.
>>
| Right. Who's making the cash?
|

The one's who registered the phone number

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm

David H. Lipman

On Thu, 24 Nov 2005 17:55:02 GMT, "David H. Lipman"
<DLipman~nospam~@Verizon.Net> wrote:

>From: "Toni from T.O." <>
>
>|
>| "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
>| news:Xz9hf.5857$Dx3.4663@trnddc07...
>>>
>>> Now multiply that by the number of infected platforms. Good money scam
>| via a Dialer Trojan.
>>>
>| Right. Who's making the cash?
>|
>
>The one's who registered the phone number

Yes and no, if it really is a satellite phone number I can't see
that the operator is going to offer a premium number service
and calling a normal subscriber with a modem is going to
really **** them off, indeed perhaps thats the only object
that makes sense, a DDOS attack on someones phone,
remembering who bought iridium out of bankrupcy.
--
Jim Watt
http://www.gibnet.com

Jim Watt

On Wed, 23 Nov 2005, in the Usenet newsgroup alt.computer.security, in article
<Lj8hf.27821$>, Toni from T.O. wrote:

>Received a report from Primus about usage...below is the pertinent info
>relating to the disputed calls.

Nothing really to add here. One minor observation. Two calls per
destination number, then the dialer sequences to the next one. Wonder
why? Also, it seems a bit odd for a "800" type service to have
consecutive numbers, never mind more than one. Such numbers are
relatively scarce, and a single number (which is really only used for
billing purposes, and is forwarded to some "normal" number at the
destination which might actually be a block of phones) is all that
would be needed.

>I told my uncle to call Iridium and confirm that it is one
>of their numbers.

I rather doubt it's going to run into anything useful. You _may_ be told
that the number is a private party (and run into privacy rules/laws), or
that the number is assigned to the "Family Fun Tourist Trap, Fish Market,
and Hosting Service" in Port-au-Prince or some such law abiding location.

>I'm sure there must be more than two people out there this is happening to.

Oh, I'm sure of that too.

>Any suggestions as to how to round up a "posse" to compare notes?

I'm in "the old West" (Arizona), and the term "posse" here means a bunch
of citizens summoned to aid a peace officer. Given the likely foreign
jurisdictions, I don't think you'd have much luck.

Old guy

Moe Trin

On Thu, 24 Nov 2005, in the Usenet newsgroup alt.computer.security, in article
<>, Jim Watt wrote:

>Yes and no, if it really is a satellite phone number I can't see
>that the operator is going to offer a premium number service

Plenty of people in other places have tried, enough so that the UK had
to put some rules in place. What surprises me is the sequencing of the
numbers - two calls per number, then increment.

>and calling a normal subscriber with a modem is going to
>really **** them off, indeed perhaps thats the only object
>that makes sense, a DDOS attack on someones phone,

Look at the log again - first call was 14 minutes, and while most of the
rest were only a minute (probably a minimum charge), several were longer.

>remembering who bought iridium out of bankrupcy.

I believe the original venture is long gone. The Federal Bankruptcy
judge approved to the sale to 'Iridium Satellite LLC' for a half penny
on the dollar, who bought it because they got something they could sell
for a healthy profit. Yes, US-DOD was a major customer of the new company,
but so is the (US) Federal Emergency Management Agency (FEMA), and a
moderate number of individuals - see the Business Journal reports.

Old guy

Moe Trin

"Moe Trin" <> wrote in message
news:...
> On Wed, 23 Nov 2005, in the Usenet newsgroup alt.computer.security, in
article
> <Lj8hf.27821$>, Toni from T.O. wrote:
>
> >Received a report from Primus about usage...below is the pertinent info
> >relating to the disputed calls.
>
> Nothing really to add here. One minor observation. Two calls per
> destination number, then the dialer sequences to the next one. Wonder
> why? Also, it seems a bit odd for a "800" type service to have
> consecutive numbers, never mind more than one. Such numbers are
> relatively scarce, and a single number (which is really only used for
> billing purposes, and is forwarded to some "normal" number at the
> destination which might actually be a block of phones) is all that
> would be needed.
>
>
OOPS! It was the same number every time. I did the list up in Excel and
used AutoFill and didn't proofread. Sorry!

Toni from T.O.

From: "Toni from T.O." <>


| OOPS! It was the same number every time. I did the list up in Excel and
| used AutoFill and didn't proofread. Sorry!
|



--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm

David H. Lipman

On Fri, 25 Nov 2005, in the Usenet newsgroup alt.computer.security, in article
<0SPhf.33055$>, Toni from T.O. wrote:
>
>"Moe Trin" <> wrote

>> One minor observation. Two calls per destination number, then the
>> dialer sequences to the next one. Wonder why?

> OOPS! It was the same number every time. I did the list up in Excel and
> used AutoFill and didn't proofread. Sorry!

Ahh, Microsoft strikes again.

Old guy

Moe Trin