Modem hijacking/internet dumping

Discussion in 'Computer Security' started by Toni from T.O., Nov 2, 2005.

  1. Hello all

    Hope I'm in the right place. My uncle has been hit with a $600 bill from
    his long distance provider...it appears he has been the victim of a modem
    hijacking, with his dialup connection being redirected through Iridium
    satellite. My question is...who profits from this? Is it this Iridium
    company? Apparently the diallers usually are installed via porn popups,
    which my uncle says have been appearing all the time in the past two weeks.
    How can a legitimate company make money like this?

    If anyone has a link to good information concerning the situation with this
    in Canada, I'd be grateful.

    Thanks.

    Toni from T.O.
     
    Toni from T.O., Nov 2, 2005
    #1

  2. From: "Toni from T.O." <>

    | Hello all
    |
    | Hope I'm in the right place. My uncle has been hit with a $600 bill from
    | his long distance provider...it appears he has been the victim of a modem
    | hijacking, with his dialup connection being redirected through Iridium
    | satellite. My question is...who profits from this? Is it this Iridium
    | company? Apparently the diallers usually are installed via porn popups,
    | which my uncle says have been appearing all the time in the past two weeks.
    | How can a legitimate company make money like this?
    |
    | If anyone has a link to good information concerning the situation with this
    | in Canada, I'd be grateful.
    |
    | Thanks.
    |
    | Toni from T.O.
    |

    Have your uncle run the below software on his PC...


    Download MULTI_AV.EXE from the URL --
    http://www.ik-cs.com/programs/virtools/Multi_AV.exe

    It is a self-extracting ZIP file that contains the Kixtart Script Interpreter {
    http://kixtart.org Kixtart is CareWare } 4 batch files, 6 Kixtart scripts, one Link
    (.LNK) file, a PDF instruction file and two utilities; UNZIP.EXE and WGET.EXE. It will
    simplify the process of using; Sophos, Trend, Kaspersky and McAfee Anti Virus Command
    Line Scanners to remove viruses, Trojans and various other malware.

    C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
    This will bring up the initial menu of choices and should be executed in Normal Mode.
    This way all the components can be downloaded from each AV vendor's web site.
    The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.

    You can choose to go to each menu item and just download the needed files or you can
    download the files and perform a scan in Normal Mode. Once you have downloaded the files
    needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
    during boot] and re-run the menu again and choose which scanner you want to run in Safe
    Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

    When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
    file. http://www.ik-cs.com/multi-av.htm

    To use this utility, perform the following...
    Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
    Choose; Unzip
    Choose; Close

    Execute; C:\AV-CLS\StartMenu.BAT
    { or Double-click on 'Start Menu' in C:\AV-CLS }

    NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
    FireWall to allow it to download the needed AV vendor related files.

    * * * Please report back your results * * *



    --
    Dave
    http://www.claymania.com/removal-trojan-adware.html
    http://www.ik-cs.com/got-a-virus.htm
     
    David H. Lipman, Nov 2, 2005
    #2

  3. Thanks David. However we will not be removing the malware until we find out
    what the long distance provider is willing to do. I CANNOT believe that the
    police do not consider this a criminal act! The CRTC won't force the phone
    companies to do anything about it because it is considered a competitive
    industry (and therefore exempt from regulation? wtf?). The phone companies
    don't care because they're making money off this. The more I look into
    this, the angrier I get (I feel a Norma Rae coming on). I wonder how
    widespread this problem is?

    <deep breath> Thanks for listening!

    Toni from T.O.

    p.s. I'll let you know what happens with the PC when we eventually clean it
    up. Until then...no internet for him!



    "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
    news:O6V9f.1405$wb3.1054@trnddc03...
    >
    > Have your uncle run the below software on his PC...
    >
    >
    > Download MULTI_AV.EXE from the URL --
    > http://www.ik-cs.com/programs/virtools/Multi_AV.exe
    >
    > It is a self-extracting ZIP file that contains the Kixtart Script Interpreter {
    > http://kixtart.org Kixtart is CareWare } 4 batch files, 6 Kixtart scripts, one Link
    > (.LNK) file, a PDF instruction file and two utilities; UNZIP.EXE and WGET.EXE. It will
    > simplify the process of using; Sophos, Trend, Kaspersky and McAfee Anti Virus Command
    > Line Scanners to remove viruses, Trojans and various other malware.
    >
    > C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
    > This will bring up the initial menu of choices and should be executed in Normal Mode.
    > This way all the components can be downloaded from each AV vendor's web site.
    > The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.
    >
    > You can choose to go to each menu item and just download the needed files or you can
    > download the files and perform a scan in Normal Mode. Once you have downloaded the files
    > needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
    > during boot] and re-run the menu again and choose which scanner you want to run in Safe
    > Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.
    >
    > When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
    > file. http://www.ik-cs.com/multi-av.htm
    >
    > To use this utility, perform the following...
    > Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
    > Choose; Unzip
    > Choose; Close
    >
    > Execute; C:\AV-CLS\StartMenu.BAT
    > { or Double-click on 'Start Menu' in C:\AV-CLS }
    >
    > NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
    > FireWall to allow it to download the needed AV vendor related files.
    >
    > * * * Please report back your results * * *
    >
    >
    >
    > --
    > Dave
    > http://www.claymania.com/removal-trojan-adware.html
    > http://www.ik-cs.com/got-a-virus.htm
    >
    >
     
    Toni from T.O., Nov 2, 2005
    #3
  4. Winged (Guest)

    Toni from T.O. wrote:
    > Hello all
    >
    > Hope I'm in the right place. My uncle has been hit with a $600 bill from
    > his long distance provider...it appears he has been the victim of a modem
    > hijacking, with his dialup connection being redirected through Iridium
    > satellite. My question is...who profits from this? Is it this Iridium
    > company? Apparently the diallers usually are installed via porn popups,
    > which my uncle says have been appearing all the time in the past two weeks.
    > How can a legitimate company make money like this?
    >
    > If anyone has a link to good information concerning the situation with this
    > in Canada, I'd be grateful.
    >
    > Thanks.
    >
    > Toni from T.O.
    >
    >


    Interesting, I thought Iridium went broke and was under the ownership
    and use of the US government.

    Winged
     
    Winged, Nov 2, 2005
    #4
  5. Moe Trin (Guest)

    In the Usenet newsgroup alt.computer.security, in article
    <TVW9f.4258$>, Toni from T.O. wrote:

    >However we will not be removing the malware until we find out
    >what the long distance provider is willing to do.


    Correct - in one light, it's evidence of possibly criminal wrong-doing.

    >I CANNOT believe that the police do not consider this a criminal act!


    Making the charges - perhaps (I don't know Canadian law). There may be
    a criminal action in installing the malware in the first place, but if
    that is the case it's most likely at _least_ a provincial law, probably
    national. You shouldn't be soliciting legal advice on the Internet (it's
    worth exactly what you paid for it), but I would consult a lawyer. It
    may also help to consult the press to see if they have a consumer advocate
    type program.

    >I wonder how widespread this problem is?


    Apparently fairly wide. There are some laws about it in the UK and several
    states in the US from what I understand, though I don't know how enforceable
    they are.

    >Until then...no internet for him!


    You also want to consider some training - malware doesn't install
    automatically without some form of help from the user. Often, this
    is the user running as an elevated privileged user like 'administrator'
    and blindly clicking 'OK' just to get the damn message box to go away
    (or worse, having set a "Don't show me these messages - just do it"
    setting somewhere).

    Old guy
     
    Moe Trin, Nov 2, 2005
    #5
  6. "Winged" <> wrote in message
    news:dafd3$4368aead$45493f2f$...
    > >

    >
    > Interesting, I thought Iridium went broke and was under the ownership
    > and use of the US government.
    >
    > Winged


    Ya, sorry, I didn't make that clear in my first post. The long distance
    provider is Primus, and they tell my uncle the calls in question are to an
    881 number, which is an Iridium number. So I take it the settlement
    payments will go to Iridium. What I don't get is if Iridium are getting
    paid by Primus, how is the party responsible for installing this dialler
    making money? There doesn't seem to be much info on-line as to the workings
    of this scam. My uncle's an engineer...he wants to know :)
     
    Toni from T.O., Nov 2, 2005
    #6
  7. "Moe Trin" <> wrote in message
    news:...
    >
    > >I CANNOT believe that the police do not consider this a criminal act!

    >
    > Making the charges - perhaps (I don't know Canadian law). There may be
    > a criminal action in installing the malware in the first place, but if
    > that is the case it's most likely at _least_ a provincial law, probably
    > national. You shouldn't be soliciting legal advice on the Internet (it's
    > worth exactly what you paid for it), but I would consult a lawyer. It
    > may also help to consult the press to see if they have a consumer advocate
    > type program.
    >


    I'm not really looking for legal advice, more just trying to figure out how
    this scam works. Someone's making some cash, somewhere. Inquiring minds
    want to know!
     
    Toni from T.O., Nov 2, 2005
    #7
  8. Winged (Guest)

    Toni from T.O. wrote:
    > "Winged" <> wrote in message
    > news:dafd3$4368aead$45493f2f$...
    >
    >>Interesting, I thought Iridium went broke and was under the ownership
    >>and use of the US government.
    >>
    >>Winged

    >
    >
    > Ya, sorry, I didn't make that clear in my first post. The long distance
    > provider is Primus, and they tell my uncle the calls in question are to an
    > 881 number, which is an Iridium number. So I take it the settlement
    > payments will go to Iridium. What I don't get is if Iridium are getting
    > paid by Primus, how is the party responsible for installing this dialler
    > making money? There doesn't seem to be much info on-line as to the workings
    > of this scam. My uncle's an engineer...he wants to know :)
    >
    >



    Stranger still. All of the following links indicate 881 area code is a
    paid toll free number:

    881 US/Canada Paid Toll Free Service

    http://area-codes.1keydata.com/area-codes-8.html#881
    http://www.cs.ucsd.edu/users/bsy/area.html

    http://www.indiatraveltimes.com/telephone_area_codes/us_telephone_areacode_listing_byplaces.html


    From
    http://www.indiatraveltimes.com/telephone_area_codes/us_telephone_areacode_listing_byplaces.html

    What are area codes 880, 881, and 882 used for?

    These codes provide a way to extend toll-free calling beyond the borders
    of the country in which the party paying for the calls resides. These
    codes have been used primarily to allow Caribbean callers to reach toll
    free numbers in the US. With this arrangement, the caller pays for the
    international segment of the call (to the US gateway), and the called
    party pays for the remainder. In theory, this concept can be implemented
    between any of the countries sharing the NANP.

    How does NANPA decide who is entitled to the assignment of a NANP
    numbering resource; e.g., central office code, carrier identification code?

    NANPA follows assignment guidelines developed by the industry. These
    guidelines specify who is entitled to an assignment, how to apply, and
    what obligations the assignee must meet to retain the assignment. The
    guidelines and applications forms may be found on the Alliance for
    Telecommunications Industry Solutions (ATIS) web site. The URL is
    http://www.atis.org/atis/clc/inc/incdocs.htm.

    What country are you located in?

    It does not look like Iridium is necessarily involved. I am familiar
    with a dialer scam where the call is placed to a toll number in the
    Caribbean (if I read the above right this is what probably has happened).

    The telco in the Caribbean pays the number owner some outrageous
    predefined toll sum per minute, and that toll is charged back to the caller.

    Good luck in your quest. I have heard that getting things settled can
    be painful. A bunch of issues come into play here relating to law and
    telco rules, as well as international treaties in the Caribbean.

    Recommend hiring your local Mafia type to visit the place of origin and
    inflicting great damage to sensitive portions of the culprit's anatomy.
    While this may cost a little more and you probably won't recoup any
    funds, at least you'll have the satisfaction of knowing justice was done.


    Winged
     
    Winged, Nov 3, 2005
    #8
  9. Jim Watt (Guest)

    On Wed, 02 Nov 2005 19:16:45 -0600, Winged <>
    wrote:

    <snip>

    >Recommend hiring your local Mafia type to visit the place of origin and
    >inflicting great damage to sensitive portions of the culprit's anatomy.
    >While this may cost a little more and you probably won't recoup any
    >funds, at least you'll have the satisfaction of knowing justice was done.


    In the UK there is a regulator of premium phone services, other places
    may vary.

    I know a service provider along the lines of Winged's specification
    locally, although not in relation to gambling companies who are more
    experienced in that kind of thing themselves.
    --
    Jim Watt
    http://www.gibnet.com
     
    Jim Watt, Nov 3, 2005
    #9
  10. Moe Trin (Guest)

    In the Usenet newsgroup alt.computer.security, in article
    <530b8$43696528$45493f2f$>, Winged wrote:

    >Toni from T.O. wrote:


    >> Ya, sorry, I didn't make that clear in my first post. The long distance
    >> provider is Primus, and they tell my uncle the calls in question are to an
    >> 881 number, which is an Iridium number. So I take it the settlement
    >> payments will go to Iridium. What I don't get is if Iridium are getting
    >> paid by Primus, how is the party responsible for installing this dialler
    >> making money?


    My understanding is that this is a multiple settlement thing - Primus is
    paying Iridium (or whatever they are called today), and they in turn are
    paying some other provider. There was a problem reported where a Nigerian
    scam was splitting moneys between the Nigerian phone company, and the
    crook. Can't recall if this was something related to a customer in the
    UK or Netherlands, but it's not new or unknown.

    >Stranger still. All of the following links indicate 881 area code is a
    >paid toll free number:
    >
    >881 US/Canada Paid Toll Free Service


    [compton ~]$ phone 881
    881 -- PAID 800 Service
    881 Global Mobile Satellite System (GMSS)
    [compton ~]$

    Look at the _country code_ 881, not the North American _area_ code. As
    another (random) example:

    [compton ~]$ phone 212
    212 NY New York City (Manhattan) (Overlays 646 and 917)
    212 Morocco
    [compton ~]$

    In North America, there's going to be a bit of a difference between you
    dialing '1 212 123 4567' and '011 212 123 4567' - see the long distance
    and "overseas" or "international" section of your phone book.

    >It does not look like Iridium is necessarily involved. I am familiar
    >with a dialer scam where the call is placed to a toll number in the
    >Caribbean (if I read the above right this is what probably has happened).
    >
    >The telco in the Caribbean pays the number owner some outrageous
    >predefined toll sum per minute, and that toll is charged back to the caller.


    It's not limited to the Caribbean - but that is the basic concept.

    Old guy
     
    Moe Trin, Nov 3, 2005
    #10
  11. Winged (Guest)

    Moe Trin wrote:
    > In the Usenet newsgroup alt.computer.security, in article
    > <530b8$43696528$45493f2f$>, Winged wrote:
    >
    >
    >>Toni from T.O. wrote:

    >
    >
    >>>Ya, sorry, I didn't make that clear in my first post. The long distance
    >>>provider is Primus, and they tell my uncle the calls in question are to an
    >>>881 number, which is an Iridium number. So I take it the settlement
    >>>payments will go to Iridium. What I don't get is if Iridium are getting
    >>>paid by Primus, how is the party responsible for installing this dialler
    >>>making money?

    >
    >
    > My understanding is that this is a multiple settlement thing - Primus is
    > paying Iridium (or whatever they are called today), and they in turn are
    > paying some other provider. There was a problem reported where a Nigerian
    > scam was splitting moneys between the Nigerian phone company, and the
    > crook. Can't recall if this was something related to a customer in the
    > UK or Netherlands, but it's not new or unknown.
    >
    >
    >>Stranger still. All of the following links indicate 881 area code is a
    >>paid toll free number:
    >>
    >>881 US/Canada Paid Toll Free Service

    >
    >
    > [compton ~]$ phone 881
    > 881 -- PAID 800 Service
    > 881 Global Mobile Satellite System (GMSS)
    > [compton ~]$
    >
    > Look at the _country code_ 881, not the North American _area_ code. As
    > another (random) example:
    >
    > [compton ~]$ phone 212
    > 212 NY New York City (Manhattan) (Overlays 646 and 917)
    > 212 Morocco
    > [compton ~]$
    >
    > In North America, there's going to be a bit of a difference between you
    > dialing '1 212 123 4567' and '011 212 123 4567' - see the long distance
    > and "overseas" or "international" section of your phone book.
    >
    >
    >>It does not look like Iridium is necessarily involved. I am familiar
    >>with a dialer scam where the call is placed to a toll number in the
    >>Caribbean (if I read the above right this is what probably has happened).
    >>
    >>The telco in the Caribbean pays the number owner some outrageous
    >>predefined toll sum per minute, and that toll is charged back to the caller.

    >
    >
    > It's not limited to the Caribbean - but that is the basic concept.
    >
    > Old guy

    Yup was trying to simplify scam. I have seen it several times (not
    personally) to Caribbean. But yes, a number of countries allow this
    behavior.

    Winged
     
    Winged, Nov 4, 2005
    #11
  12. "Moe Trin" <> wrote in message
    news:...
    >
    > >Stranger still. All of the following links indicate 881 area code is a
    > >paid toll free number:
    > >
    > >881 US/Canada Paid Toll Free Service

    >
    > [compton ~]$ phone 881
    > 881 -- PAID 800 Service
    > 881 Global Mobile Satellite System (GMSS)
    > [compton ~]$
    >
    > Look at the _country code_ 881, not the North American _area_ code. As
    > another (random) example:
    >



    Hmm. The number given by Primus is 1-881-330-6343. Primus said it was
    Iridium. I guess we have to wait for a detailed breakdown of the
    bill...curiouser and curiouser.
     
    Toni from T.O., Nov 5, 2005
    #12
  13. Jim Watt (Guest)

    On Fri, 4 Nov 2005 20:49:26 -0500, "Toni from T.O."
    <> wrote:

    >> [compton ~]$ phone 881
    >> 881 -- PAID 800 Service
    >> 881 Global Mobile Satellite System (GMSS)
    >> [compton ~]$
    >>
    >> Look at the _country code_ 881, not the North American _area_ code. As
    >> another (random) example:
    >>

    >
    >
    >Hmm. The number given by Primus is 1-881-330-6343. Primus said it was
    >Iridium.


    ITU assigned country code +881 for Global Mobile Satellite System
    (GMSS). This code is shared among providers of global satellite
    telecom services.

    +881 0 ICO Global Communications (reserved)
    +881 1 ICO Global Communications (reserved)
    +881 2 Ellipso (formerly assigned to Odyssey; assigned 29 June 2000)
    +881 3 Ellipso (formerly assigned to Odyssey; assigned 29 June 2000)
    +881 4 spare for future service
    +881 5 spare for future service
    +881 6 Iridium (assigned 10 November 1997)
    +881 7 Iridium (assigned 10 November 1997)
    +881 8 Globalstar (assigned 24 February 1999)
    +881 9 Globalstar (assigned 24 February 1999)

    "In December 2000, a group of private investors led by Dan Colussy
    organized Iridium Satellite LLC which acquired the operating assets of
    the bankrupt Iridium LLC including the satellite constellation, the
    terrestrial network, Iridium real property and intellectual capital."

    http://www.iridium.com

    I think you are getting confused with dialling the international
    prefix and 881 and the national prefix and 881 which are two
    different things. Iridium would require an international call and
    apart from malice their numbers are not going to be used as
    premium numbers for scams. They are in the business of high
    cost calls providing global coverage and are very reputable.
    --
    Jim Watt
    http://www.gibnet.com
     
    Jim Watt, Nov 5, 2005
    #13
  14. "Jim Watt" <_way> wrote in message
    news:...

    > I think you are getting confused with dialling the international
    > prefix and 881 and the national prefix and 881 which are two
    > different things. Iridium would require an international call and
    > apart from malice their numbers are not going to be used as
    > premium numbers for scams. They are in the business of high
    > cost calls providing global coverage and are very reputable.
    > --


    That's what I figured. But it was Primus who mentioned Iridium, and they
    must know. We haven't seen the details yet.
     
    Toni from T.O., Nov 5, 2005
    #14
  15. Moe Trin (Guest)

    In the Usenet newsgroup alt.computer.security, in article
    <DcUaf.11176$>, Toni from T.O. wrote:
    >
    >"Moe Trin" <> wrote


    >> [compton ~]$ phone 881
    >> 881 -- PAID 800 Service
    >> 881 Global Mobile Satellite System (GMSS)
    >> [compton ~]$


    >Hmm. The number given by Primus is 1-881-330-6343. Primus said it was
    >Iridium. I guess we have to wait for a detailed breakdown of the
    >bill...curiouser and curiouser.


    Well, the 881 (and 880 and 882) services are not the same as the 800 (and
    855, 866, 877 and 888) numbers. I've honestly never encountered them before,
    and the only things that google brings up on a quick search is their use
    overseas calling out-of-country toll free numbers. But this scheme NORMALLY
    seems to use the dialing sequence 'International Access Code, Country Code,
    PAID 800 Service number (880, 881, 882 here), and then the toll free number
    you are trying to reach'. The difference is that YOU PAY the international
    part of the call, and the toll free part is only within the destination
    country. Thus, the number you indicate doesn't seem to fit the scheme I've
    seen - but that probably doesn't mean much, as I certainly haven't seen it
    used within North America.

    Spending a minute or two on google seems to indicate that as an International
    code, 881 is a Satellite access number, and 8813 is assigned to 'Ellipso',
    though I have no idea if 30-6343 is a valid telephone number within the
    Ellipso dialing scheme, or it needs more (or less) digits.

    Old guy
     
    Moe Trin, Nov 5, 2005
    #15
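
Added example, not part of any post in this thread: a short Python audit that separates the two readings of "881" the thread keeps running into (NANP area code after the national prefix 1, versus ITU country code after the international prefix 011) and flags both in a call log. The +881 operator digits are the ones listed in post #13; the CSV layout, the function names and the sample calls (555-01xx numbers) are constructed for illustration.

```python
import csv
import io
import re

# +881 (GMSS) operator by the digit following the country code, per post #13.
GMSS_OPERATORS = {
    "0": "ICO Global Communications (reserved)",
    "1": "ICO Global Communications (reserved)",
    "2": "Ellipso", "3": "Ellipso",
    "4": "spare", "5": "spare",
    "6": "Iridium", "7": "Iridium",
    "8": "Globalstar", "9": "Globalstar",
}

def classify(dialed):
    """Classify a dial string as dialed from a North American line."""
    digits = re.sub(r"\D", "", dialed)
    if digits.startswith("011"):                 # international access prefix
        intl = digits[3:]
        if intl.startswith("881") and len(intl) > 3:
            return {"kind": "international", "code": "881",
                    "operator": GMSS_OPERATORS[intl[3]]}
        # Other country codes vary in length; not parsed in this example.
        return {"kind": "international", "code": None, "operator": None}
    if len(digits) == 11 and digits[0] == "1":   # national prefix
        digits = digits[1:]
    if len(digits) == 10:
        return {"kind": "nanp", "code": digits[:3], "operator": None}
    return {"kind": "unknown", "code": None, "operator": None}

def read_as_country_code(dialed):
    """Re-read a '1-881-...' bill entry as if 881 were the country code."""
    digits = re.sub(r"\D", "", dialed)
    if digits.startswith("1"):
        digits = digits[1:]
    return classify("011" + digits)

# Constructed call log; only the 1-881-330-6343 entry comes from the thread.
SAMPLE_CALLS = """date,dialed,minutes
2005-10-20,1-416-555-0100,12
2005-10-21,1-881-330-6343,45
2005-10-22,011 881 6 555 0100,30
2005-10-23,011 212 555 0100,5
"""

def audit(csv_text):
    """Return (date, dialed, minutes, note) for every call involving 881."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        info = classify(row["dialed"])
        if info["code"] != "881":
            continue
        if info["kind"] == "nanp":
            alt = read_as_country_code(row["dialed"])
            note = ("billed in national format; read as +881 it maps to "
                    + alt["operator"])
        else:
            note = "international satellite call via " + info["operator"]
        findings.append((row["date"], row["dialed"],
                         int(row["minutes"]), note))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CALLS):
        print(finding)
```
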