Update on Modem hijacking/internet dumping

Discussion in 'Computer Security' started by Toni from T.O., Nov 24, 2005.

  1. Hi all

    Received a report from Primus about usage...below is the pertinent info
    relating to the disputed calls. From this website
    (http://www.wtng.info/wtng-spe.html#GMSS), the 881-3 number is reserved for
    Ellipso (with 881-6 and 881-7 reserved for Iridium), however their
    subscriber numbers are only supposed to be 5 digits long. So perhaps it IS
    a Caribbean toll-free scam. You'd think Primus would know who they are
    paying!!!!!!!! I told my uncle to call Iridium and confirm that it is one
    of their numbers.

    My uncle just got a new computer, with free high speed for a while, so
    hopefully he's going to give me his old computer and I can try to find out
    what gems he has polluting his system. He's really interested to know how
    this scam works. Hopefully I'll find the dialler and be able to enlighten
    him (after getting someone wayyyyy more tech savvy to check it out).

    Someone emailed me and said they had the same thing happen to them. I'm
    sure there must be more than two people out there this is happening to. Any
    suggestions as to how to round up a "posse" to compare notes?

    Date /Time/ Duration /Number /Destination /Trans Type /Amount
    14/10/2005 13:09:53 000:14:00 8813306341 Iridium IDD 140.42
    14/10/2005 20:28:12 000:01:00 8813306341 Iridium IDD 10.03
    14/10/2005 20:29:14 000:01:00 8813306342 Iridium IDD 10.03
    14/10/2005 20:30:01 000:01:00 8813306342 Iridium IDD 10.03
    16/10/2005 14:34:39 000:01:00 8813306343 Iridium IDD 10.03
    16/10/2005 14:35:37 000:02:00 8813306343 Iridium IDD 20.06
    18/10/2005 9:22:09 000:01:00 8813306344 Iridium IDD 10.03
    18/10/2005 9:23:38 000:01:00 8813306344 Iridium IDD 10.03
    18/10/2005 9:27:08 000:01:00 8813306345 Iridium IDD 10.03
    20/10/2005 9:30:23 000:01:00 8813306345 Iridium IDD 10.03
    20/10/2005 9:30:45 000:01:00 8813306346 Iridium IDD 10.03
    20/10/2005 9:31:32 000:05:00 8813306346 Iridium IDD 50.15
    22/10/2005 9:31:07 000:01:00 8813306347 Iridium IDD 10.03
    22/10/2005 9:31:47 000:01:00 8813306347 Iridium IDD 10.03
    27/10/2005 21:11:10 000:01:00 8813306348 Iridium IDD 10.03
    27/10/2005 21:11:46 000:01:00 8813306348 Iridium IDD 10.03
    28/10/2005 19:40:42 000:03:00 8813306349 Iridium IDD 30.09
    29/10/2005 9:55:06 000:01:00 8813306349 Iridium IDD 10.03
    29/10/2005 9:55:46 000:05:00 8813306350 Iridium IDD 50.15
    29/10/2005 10:12:06 000:01:00 8813306350 Iridium IDD 10.03
    29/10/2005 10:12:50 000:01:00 8813306351 Iridium IDD 10.03
    30/10/2005 11:15:03 000:01:00 8813306351 Iridium IDD 10.03
    30/10/2005 11:16:17 000:02:00 8813306352 Iridium IDD 20.06
    30/10/2005 15:01:48 000:01:00 8813306352 Iridium IDD 10.03
    TOTAL $491.47

    Thanks for all your input so far, "Old guy", Jim and Winged!

    Toni
     
    Toni from T.O., Nov 24, 2005
    #1

  2. From: "Toni from T.O." <>

    | Hi all
    |
    | Received a report from Primus about usage...below is the pertinent info
    | relating to the disputed calls. From this website
    | (http://www.wtng.info/wtng-spe.html#GMSS), the 881-3 number is reserved for
    | Ellipso (with 881-6 and 881-7 reserved for Iridium), however their
    | subscriber numbers are only supposed to be 5 digits long. So perhaps it IS
    | a Caribbean toll-free scam. You'd think Primus would know who they are
    | paying!!!!!!!! I told my uncle to call Iridium and confirm that it is one
    | of their numbers.
    |
    | My uncle just got a new computer, with free high speed for a while, so
    | hopefully he's going to give me his old computer and I can try to find out
    | what gems he has polluting his system. He's really interested to know how
    | this scam works. Hopefully I'll find the dialler and be able to enlighten
    | him (after getting someone wayyyyy more tech savvy to check it out).
    |
    | Someone emailed me and said they had the same thing happen to them. I'm
    | sure there must be more than two people out there this is happening to. Any
    | suggestions as to how to round up a "posse" to compare notes?
    |
    | Date /Time/ Duration /Number /Destination /Trans Type /Amount
    | 14/10/2005 13:09:53 000:14:00 8813306341 Iridium IDD 140.42
    | 14/10/2005 20:28:12 000:01:00 8813306341 Iridium IDD 10.03
    | 14/10/2005 20:29:14 000:01:00 8813306342 Iridium IDD 10.03
    | 14/10/2005 20:30:01 000:01:00 8813306342 Iridium IDD 10.03
    | 16/10/2005 14:34:39 000:01:00 8813306343 Iridium IDD 10.03
    | 16/10/2005 14:35:37 000:02:00 8813306343 Iridium IDD 20.06
    | 18/10/2005 9:22:09 000:01:00 8813306344 Iridium IDD 10.03
    | 18/10/2005 9:23:38 000:01:00 8813306344 Iridium IDD 10.03
    | 18/10/2005 9:27:08 000:01:00 8813306345 Iridium IDD 10.03
    | 20/10/2005 9:30:23 000:01:00 8813306345 Iridium IDD 10.03
    | 20/10/2005 9:30:45 000:01:00 8813306346 Iridium IDD 10.03
    | 20/10/2005 9:31:32 000:05:00 8813306346 Iridium IDD 50.15
    | 22/10/2005 9:31:07 000:01:00 8813306347 Iridium IDD 10.03
    | 22/10/2005 9:31:47 000:01:00 8813306347 Iridium IDD 10.03
    | 27/10/2005 21:11:10 000:01:00 8813306348 Iridium IDD 10.03
    | 27/10/2005 21:11:46 000:01:00 8813306348 Iridium IDD 10.03
    | 28/10/2005 19:40:42 000:03:00 8813306349 Iridium IDD 30.09
    | 29/10/2005 9:55:06 000:01:00 8813306349 Iridium IDD 10.03
    | 29/10/2005 9:55:46 000:05:00 8813306350 Iridium IDD 50.15
    | 29/10/2005 10:12:06 000:01:00 8813306350 Iridium IDD 10.03
    | 29/10/2005 10:12:50 000:01:00 8813306351 Iridium IDD 10.03
    | 30/10/2005 11:15:03 000:01:00 8813306351 Iridium IDD 10.03
    | 30/10/2005 11:16:17 000:02:00 8813306352 Iridium IDD 20.06
    | 30/10/2005 15:01:48 000:01:00 8813306352 Iridium IDD 10.03
    | TOTAL $491.47
    |
    | Thanks for all your input so far, "Old guy", Jim and Winged!
    |
    | Toni
    |

    Now multiply that by the number of infected platforms. Good money scam via a Dialer Trojan.

    --
    Dave
    http://www.claymania.com/removal-trojan-adware.html
    http://www.ik-cs.com/got-a-virus.htm
     
    David H. Lipman, Nov 24, 2005
    #2

  3. "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
    news:Xz9hf.5857$Dx3.4663@trnddc07...
    >
    > Now multiply that by the number of infected platforms. Good money scam
    > via a Dialer Trojan.
    >

    Right. Who's making the cash?
     
    Toni from T.O., Nov 24, 2005
    #3
  4. David H. Lipman, Nov 24, 2005
    #4
  5. Toni from T.O.

    Jim Watt Guest

    On Thu, 24 Nov 2005 17:55:02 GMT, "David H. Lipman"
    <DLipman~nospam~@Verizon.Net> wrote:

    >From: "Toni from T.O." <>
    >
    >|
    >| "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
    >| news:Xz9hf.5857$Dx3.4663@trnddc07...
    >>>
    >>> Now multiply that by the number of infected platforms. Good money scam
    >>> via a Dialer Trojan.
    >>>
    >| Right. Who's making the cash?
    >|
    >
    >The ones who registered the phone number :)


    Yes and no, if it really is a satellite phone number I can't see
    that the operator is going to offer a premium number service
    and calling a normal subscriber with a modem is going to
    really piss them off, indeed perhaps that's the only object
    that makes sense, a DDOS attack on someone's phone,
    remembering who bought Iridium out of bankruptcy.
    --
    Jim Watt
    http://www.gibnet.com
     
    Jim Watt, Nov 24, 2005
    #5
  6. Toni from T.O.

    Moe Trin Guest

    On Wed, 23 Nov 2005, in the Usenet newsgroup alt.computer.security, in article
    <Lj8hf.27821$>, Toni from T.O. wrote:

    >Received a report from Primus about usage...below is the pertinent info
    >relating to the disputed calls.


    Nothing really to add here. One minor observation. Two calls per
    destination number, then the dialer sequences to the next one. Wonder
    why? Also, it seems a bit odd for a "800" type service to have
    consecutive numbers, never mind more than one. Such numbers are
    relatively scarce, and a single number (which is really only used for
    billing purposes, and is forwarded to some "normal" number at the
    destination which might actually be a block of phones) is all that
    would be needed.

    >I told my uncle to call Iridium and confirm that it is one
    >of their numbers.


    I rather doubt it's going to run into anything useful. You _may_ be told
    that the number is a private party (and run into privacy rules/laws), or
    that the number is assigned to the "Family Fun Tourist Trap, Fish Market,
    and Hosting Service" in Port-au-Prince or some such law abiding location.

    >I'm sure there must be more than two people out there this is happening to.


    Oh, I'm sure of that too.

    >Any suggestions as to how to round up a "posse" to compare notes?


    I'm in "the old West" (Arizona), and the term "posse" here means a bunch
    of citizens summoned to aid a peace officer. Given the likely foreign
    jurisdictions, I don't think you'd have much luck.

    Old guy
     
    Moe Trin, Nov 24, 2005
    #6
  7. Toni from T.O.

    Moe Trin Guest

    On Thu, 24 Nov 2005, in the Usenet newsgroup alt.computer.security, in article
    <>, Jim Watt wrote:

    >Yes and no, if it really is a satellite phone number I can't see
    >that the operator is going to offer a premium number service


    Plenty of people in other places have tried, enough so that the UK had
    to put some rules in place. What surprises me is the sequencing of the
    numbers - two calls per number, then increment.

    >and calling a normal subscriber with a modem is going to
    >really piss them off, indeed perhaps that's the only object
    >that makes sense, a DDOS attack on someone's phone,


    Look at the log again - first call was 14 minutes, and while most of the
    rest were only a minute (probably a minimum charge), several were longer.

    >remembering who bought Iridium out of bankruptcy.


    I believe the original venture is long gone. The Federal Bankruptcy
    judge approved the sale to 'Iridium Satellite LLC' for a half penny
    on the dollar, who bought it because they got something they could sell
    for a healthy profit. Yes, US-DOD was a major customer of the new company,
    but so is the (US) Federal Emergency Management Agency (FEMA), and a
    moderate number of individuals - see the Business Journal reports.

    Old guy
     
    Moe Trin, Nov 25, 2005
    #7
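
Added example (not part of the thread): a short Python check over the first nine rows of the bill from post #1, copied as posted. It shows what the replies point at: every call goes to an 881 number, each billed minute is charged at the same rate, and several calls start within two minutes of the previous one ending. The function names and the two-minute redial threshold are assumptions made for this example.

```python
from datetime import datetime, timedelta
from decimal import Decimal

# First nine rows of the bill in post #1, copied as posted.
BILL = """\
14/10/2005 13:09:53 000:14:00 8813306341 Iridium IDD 140.42
14/10/2005 20:28:12 000:01:00 8813306341 Iridium IDD 10.03
14/10/2005 20:29:14 000:01:00 8813306342 Iridium IDD 10.03
14/10/2005 20:30:01 000:01:00 8813306342 Iridium IDD 10.03
16/10/2005 14:34:39 000:01:00 8813306343 Iridium IDD 10.03
16/10/2005 14:35:37 000:02:00 8813306343 Iridium IDD 20.06
18/10/2005 9:22:09 000:01:00 8813306344 Iridium IDD 10.03
18/10/2005 9:23:38 000:01:00 8813306344 Iridium IDD 10.03
18/10/2005 9:27:08 000:01:00 8813306345 Iridium IDD 10.03
"""

def parse(line):
    """Split one bill row into start time, billed duration, number and amount."""
    date, time, dur, number, _dest, _kind, amount = line.split()
    h, m, s = (int(x) for x in dur.split(":"))
    return {
        "start": datetime.strptime(f"{date} {time}", "%d/%m/%Y %H:%M:%S"),
        "billed": timedelta(hours=h, minutes=m, seconds=s),
        "number": number,
        "amount": Decimal(amount),
    }

def analyse(text, gap=timedelta(minutes=2)):
    """Summarise the bill; `gap` is an assumed threshold for 'redialled at once'."""
    calls = [parse(l) for l in text.splitlines() if l.strip()]
    mins = [int(c["billed"].total_seconds()) // 60 for c in calls]
    # A call starting within `gap` of the previous call's billed end is a redial.
    redials = [b["start"] for a, b in zip(calls, calls[1:])
               if b["start"] - (a["start"] + a["billed"]) <= gap]
    return {
        "gmss": sum(c["number"].startswith("881") for c in calls),  # 881 numbers
        "minutes": sum(mins),
        "total": sum(c["amount"] for c in calls),
        "rates": {c["amount"] / m for c, m in zip(calls, mins)},  # charge per minute
        "redials": redials,
    }

if __name__ == "__main__":
    print(analyse(BILL))
```
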
  8. "Moe Trin" <> wrote in message
    news:...
    > On Wed, 23 Nov 2005, in the Usenet newsgroup alt.computer.security, in article
    > <Lj8hf.27821$>, Toni from T.O. wrote:
    >
    > >Received a report from Primus about usage...below is the pertinent info
    > >relating to the disputed calls.

    >
    > Nothing really to add here. One minor observation. Two calls per
    > destination number, then the dialer sequences to the next one. Wonder
    > why? Also, it seems a bit odd for a "800" type service to have
    > consecutive numbers, never mind more than one. Such numbers are
    > relatively scarce, and a single number (which is really only used for
    > billing purposes, and is forwarded to some "normal" number at the
    > destination which might actually be a block of phones) is all that
    > would be needed.
    >
    >

    OOPS! It was the same number every time. I did the list up in Excel and
    used AutoFill and didn't proofread. Sorry!
     
    Toni from T.O., Nov 26, 2005
    #8
  9. David H. Lipman, Nov 26, 2005
    #9
  10. Toni from T.O.

    Moe Trin Guest

    On Fri, 25 Nov 2005, in the Usenet newsgroup alt.computer.security, in article
    <0SPhf.33055$>, Toni from T.O. wrote:
    >
    >"Moe Trin" <> wrote


    >> One minor observation. Two calls per destination number, then the
    >> dialer sequences to the next one. Wonder why?


    > OOPS! It was the same number every time. I did the list up in Excel and
    > used AutoFill and didn't proofread. Sorry!


    Ahh, Microsoft strikes again.

    Old guy
     
    Moe Trin, Nov 26, 2005
    #10