PC Speedy Phone Scam

Monday Monday! Got a call this morning from “PC Speedy” 🙂

Not a lot of time to play today, so here is an example of a "go away quickly" script. They get discouraged fairly fast when there doesn't appear to be a good mark on the line…

If you get one of these calls and have some time, keep them on the line as long as you can. You will be doing your part to help prevent other, more vulnerable people from being robbed. Seriously. Hanging up has no effect, and sometimes they just call right back. Identify yourself as an unprofitable target and they won't call back. If you can, record the call and toy with them (that typically angers them once they catch on). If you have the time, waste theirs: every minute spent on you is a minute not spent on another call, and that helps prevent others from being robbed.

PS: If you record one of these calls, please share it with Engineer LLC to help keep people informed.

The state of Malware: Mid 2014

My family participates in a Community Supported Agriculture (CSA) program where we pay a Quarterly Membership Fee and receive a basket of fresh locally grown vegetables and fruit every two weeks. Apparently, their mailing list was also recently “harvested” for what appears to be less legitimate purposes.

I received the message below this morning (6/27/2014). The timing was such that my initial reaction was "Good, it's an announcement of the July 4th holiday CSA schedule adjustment". But then I saw the link text, and the fact that the link was pretty much all there was in the message body. Alarm bells went off… So, out of curiosity, I did an analysis of where this thing is coming from. See that below the original message, if interested.

From: My CSA [mailto:redactedRealAttorney@Redacted-Real-Law-Firm.com]
Sent: Friday, June 27, 2014 5:17 AM
To: RecipientYouShouldntHaveSpammed; numerous other recipients…
Subject: from CSA

News: http://blog.carpediem.in/xxx/@@@@@@@.php


So what was the payload? The link above was pasted (unredacted) into a private browser on a secure remote server and it produced an application window that looked like an Internet Explorer browser full of phony "Diet News" and suspicious related ad content. An attempt to close the window with the upper right red X brought up a new window with an "Are you sure… blah blah blah" prompt and an OK button that would likely install the malware. Some other time maybe.


The first clue that it's a malicious message is the link URL. The domain carpediem.in has nothing to do with my CSA, and its TLD (top level domain), .in, is India's country-code TLD, so the name was registered through the Indian registry. Furthermore, the .php extension of the page in the link indicates a dynamic page generated by server-side code rather than a static document; such a script can decide what to serve each visitor, and is a common vehicle for something malicious.

Analyzing the header of the message reveals more clues…

The alleged sender address indicated in the header is redactedRealAttorney@Redacted-Real-Law-Firm.com. It was probably picked at random for spoofing, and is likely another stolen piece of identity: according to an internet search, this person actually exists and has a law firm.

The last hop before my ISP was… Received: from maui.mirahost.com ([]). For the non-geeks out there, this means the last known place the message came from before my service provider got it. According to http://whatismyipaddress.com/ip/ it is a server at SoftLayer in Texas.
Before SoftLayer it came from… Received: from Redacted-Real-Law-Firm.com (unknown []). The first name, Redacted-Real-Law-Firm.com, is simply what the connecting host announced about itself in its HELO greeting; anyone can claim any name there. The word "unknown" is the receiving Postfix server recording that a reverse DNS lookup of the connecting address failed, so the claimed name could not be tied to the address by any legitimate DNS server. Looking up the numeric address reveals (no surprise) that it is in Morocco, a region where internet crime gets little enforcement attention: http://whatismyipaddress.com/ip/

Below is the message with an abridged full header…

Received: from eastrmimpi109 ([]) by RecipientISP.Redacted
(InterMail vM. 201-2260-151-145-20131218) with ESMTP
id 20140627111709.YCVC18287.RecipientISP.Redacted@RecipientISP.Redacted
for redacted@redacted.com; Fri, 27 Jun 2014 07:17:09 -0400
Received: from maui.mirahost.com ([])
by RecipientISP.redacted with
id KPH71o0052qsbMn01PH8tv; Fri, 27 Jun 2014 07:17:08 -0400
Message-Id: KPH71o0052qsbMn01PH8ua
Received: from maui.mirahost.com (unknown [])
by maui.mirahost.com (Postfix) with ESMTP id B307993E286E;
Fri, 27 Jun 2014 11:17:00 +0000 (UTC)
Received: from Redacted-Real-Law-Firm.com (unknown [])
by maui.mirahost.com (Postfix) with ESMTP;
Fri, 27 Jun 2014 11:17:00 +0000 (UTC)
Message-ID: <90cf96820dc5$315b9241$750189c6$@Redacted-Real-Law-Firm.com>
From: My CSA
Subject: from My CSA
Date: Thu, 27 Jun 2014 12:17:00 +0000
MIME-Version: 1.0
Content-Type: multipart/alternative;
X-Mailer: iPad Mail (11D201)

News: http://blog.carpediem.in/xxx/@@@@@@@.php
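As an added example (my code, not anything from the original post), the following Python script walks the Received chain above bottom-up, the way the analysis does, and flags the inconsistencies a practitioner would check: a Postfix "unknown" reverse DNS result, a link whose domain does not belong to the claimed sender, and a Date header that contradicts the relay timestamps. The sample input is constructed from the abridged header above with the author's redactions kept (the IP addresses are empty brackets); the From address is taken from the quoted message, the truncated MIME-Version/Content-Type lines are dropped so it parses, and the registrable-domain helper is a two-label approximation rather than a real public-suffix lookup (an assumption for illustration).

```python
"""Trace the relay chain of a suspicious message and spot-check its headers."""
import email
import re
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample: the post's abridged header with the author's redactions
# kept (IP addresses are empty brackets). The From address is the one quoted
# in the post; the truncated MIME-Version/Content-Type lines are left out.
RAW_MESSAGE = """\
Received: from eastrmimpi109 ([]) by RecipientISP.Redacted
 (InterMail vM. 201-2260-151-145-20131218) with ESMTP
 id 20140627111709.YCVC18287.RecipientISP.Redacted@RecipientISP.Redacted
 for redacted@redacted.com; Fri, 27 Jun 2014 07:17:09 -0400
Received: from maui.mirahost.com ([])
 by RecipientISP.redacted with
 id KPH71o0052qsbMn01PH8tv; Fri, 27 Jun 2014 07:17:08 -0400
Message-Id: KPH71o0052qsbMn01PH8ua
Received: from maui.mirahost.com (unknown [])
 by maui.mirahost.com (Postfix) with ESMTP id B307993E286E;
 Fri, 27 Jun 2014 11:17:00 +0000 (UTC)
Received: from Redacted-Real-Law-Firm.com (unknown [])
 by maui.mirahost.com (Postfix) with ESMTP;
 Fri, 27 Jun 2014 11:17:00 +0000 (UTC)
Message-ID: <90cf96820dc5$315b9241$750189c6$@Redacted-Real-Law-Firm.com>
From: My CSA <redactedRealAttorney@Redacted-Real-Law-Firm.com>
Subject: from My CSA
Date: Thu, 27 Jun 2014 12:17:00 +0000
X-Mailer: iPad Mail (11D201)

News: http://blog.carpediem.in/xxx/@@@@@@@.php
"""

# "from <helo> (<rdns> [<ip>]) ... by <server>": <helo> is whatever the client
# announced; Postfix writes "unknown" as <rdns> when reverse DNS for <ip> fails.
HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)"
    r"(?:\s+\((?P<rdns>[^\s\[\]()]*)\s*\[(?P<ip>[^\]]*)\]\))?"
    r".*?\bby\s+(?P<by>\S+)",
    re.DOTALL,
)
URL_RE = re.compile(r"https?://([^/\s]+)", re.IGNORECASE)


def parse_hops(raw):
    """Return the Received chain oldest-first (each relay prepends its own line)."""
    hops = []
    for value in email.message_from_string(raw).get_all("Received", []):
        m = HOP_RE.search(value)
        if not m:
            continue
        # The timestamp follows the last ";" of the header.
        stamp = parsedate_to_datetime(value.rsplit(";", 1)[1].strip()) if ";" in value else None
        hops.append({"helo": m["helo"], "rdns": m["rdns"] or None,
                     "ip": m["ip"] or None, "by": m["by"], "time": stamp})
    hops.reverse()
    return hops


def registrable(host):
    """Last two labels of a hostname; a rough stand-in for a public-suffix lookup (assumption)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def check_message(raw):
    """Return (hops, findings): the relay path plus the inconsistencies worth a closer look."""
    msg = email.message_from_string(raw)
    hops = parse_hops(raw)
    findings = []

    for hop in hops:
        if hop["rdns"] == "unknown":
            findings.append(f"{hop['by']} could not reverse-resolve the host that announced itself as {hop['helo']}")
    missing_ip = [h["helo"] for h in hops if h["ip"] is None]
    if missing_ip:
        findings.append(f"no address recorded for {len(missing_ip)} hop(s) (redacted or missing); geolocation not possible")

    # The claimed sender domain should own the only link in the body.
    from_domain = parseaddr(msg["From"])[1].rpartition("@")[2]
    for host in URL_RE.findall(msg.get_payload()):
        if registrable(host) != registrable(from_domain):
            findings.append(f"link host {host} is not under the sender domain {from_domain}")

    # The Date header is set by the sender's client, so it must not contradict the relay stamps.
    date_raw = msg["Date"]
    sent = parsedate_to_datetime(date_raw)
    claimed_day = date_raw.split(",")[0].strip()
    if claimed_day != sent.strftime("%a"):
        findings.append(f"Date header says {claimed_day} but {sent:%d %b %Y} was a {sent:%a}")
    first_relay = next((h["time"] for h in hops if h["time"]), None)
    if first_relay and sent > first_relay:
        findings.append(f"Date header is {sent - first_relay} after the first relay stamped the message")
    return hops, findings


if __name__ == "__main__":
    hops, findings = check_message(RAW_MESSAGE)
    for i, hop in enumerate(hops, 1):
        print(f"hop {i}: {hop['helo']} (rdns={hop['rdns']}, ip={hop['ip']}) -> {hop['by']} at {hop['time']}")
    for f in findings:
        print("!", f)
```

Run against the sample, it reports both "unknown" hops and the carpediem.in mismatch, plus two clues the post does not call out: the Date header names Thursday while the Received lines correctly say that 27 June 2014 was a Friday, and it is stamped an hour after maui.mirahost.com accepted the message, so it was written by a client with a bad clock or by hand. Because the addresses are redacted, the geolocation step is left to whatismyipaddress.com, as in the post.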


In conclusion: this is what they do these days. It's a blended threat: a portion of old-fashioned identity theft (a real attorney's name and domain as the sender), a bit of deception (a familiar "CSA" sender name) and social engineering (a bare link you are tempted to click). If you fall for it and your device isn't protected and secure, you may end up running a malicious application on your system before you know it.