
PG - Scamming the Scammers - Becoming the Robin Hood of the Phones - Nathan Clark

BSides Las Vegas, 24:15, published 2017-09
About this talk
PG - Scamming the Scammers - Becoming the Robin Hood of the Phones - Nathan Clark. Proving Ground, BSidesLV 2017 - Tuscany Hotel - July 26, 2017
Transcript [en]

So, morning, everyone. I'm actually surprised people are here after, well, yesterday; normally people are not up this morning. Yeah, this is Scamming the Scammers. Let's go ahead and get started. I have a lot of knowledge to go through in a short amount of time. So the table of contents for this: we're going to go to the introduction, I have to do legal of course, we're going to do an intro to the talk, some exploits, concepts, other inputs, skip over number four there, we're going to go to a demo, but first we have to pray to the demo gods. We all know if we do not say that short prayer it will not work. Then, you know, the actual demo. If you actually want to contact me, go right ahead, I'll give you my information. I'll even give you my phone number. Don't call it.

So who am I? My name is Nathan. You can find me on Twitter at log killer. IT guy, specifically an IT manager. I'm also a physical penetration tester. I do some development work like Java, C, Python. I can't say who I work for; the only thing I can say is they're at this con. Free time, I'm working on a home lab, just to get a dumb... my power bill is insanely high. I do do safety and security for Circle City Con, BSides Las Vegas, so I'm the guy that makes sure you don't get drunk and fall over and hurt yourself. I'm also a staff member for skylock con as well, and I'm also an organizer of BSides Lexington in Lexington, Kentucky, even though I do not live there.

So let's go ahead and go through legal. First off, if you're sensitive to profanity, this talk might have some profanity in it. Also I am NOT going to read this out; you can totally read it. The email address is valid. Please, if you want to spam it, make sure you lose some good and while your Joe STIs; that does go to my actual lawyer. Dumb. Mmm. So, cool, we're done with the legal stuff. We can actually get on to the meat and potatoes of this talk.

So let's go ahead and go through the introduction. I always like to start out presentations with a survey. I wonder who's never heard of this topic. Oh, I know almost everyone here has. Well, you know what, it's probably not gonna play. But yeah, it's not gonna play. Fantastic. But most of you guys have heard of a Microsoft tech support scam call, hopefully. Most of you have; hopefully most of you guys have [ __ ] with them. Amazing. So the reason I'm doing this talk: I have had so many of my co-workers, and even our call centers, have been getting these calls, so much so I've had to actually load up dedicated laptops with Deep Freeze so these guys can screw with it, and, you know, I've also given them ransomware. Okay. But this is happening too much these days, and it's bad: Americans lost seven point... billion dollars to this in 2015. I can't even imagine how much money that would actually be, because I don't make that much. I wish I did. But this is gonna be a little bit small, but the survey was actually done by Truecaller. Truecaller is a spam blocking service you install on your phone, Android, iPhone; if you have a Windows Phone I feel sorry for you. But it actually is a service that blocks these types of calls from a database. So they've done a survey of all the users, all the ones that were willing to participate, and, you know, these are ways that they actually, you know, block, or how they stop, or once they have been scammed, what do they do. Well, you know, some of them download a caller ID, they check their phone bill, they call the carrier, they call the authorities, they sign up for credit monitoring, awesome, they sign up for the Do Not Call Registry, which would do absolutely nothing because these guys are already breaking the law, so what makes you think they're gonna follow federal law? They'll change their phone number. But the one I'm really concerned about is the one second from the top: did nothing. People did nothing, and people are ashamed; they would do nothing because they just gave their credit card number to someone over the internet and just gave them money. People don't want to admit that. And it's getting so bad that over a hundred people a day are getting scammed, and the average price is 200 to 500 dollars. You think about that: before commission cuts, that's a lot of money. It's absolutely disgusting how these guys are doing this, but, you know, if we got Gordon Ramsay in there it'd be amazing.

So here's just a typical list of what we're going through these days. So of course you have your vacation ones, which those are really nice, you know, warrant for your arrest, tech support, you know, you have the personal scams you do in person, looking on stuff like eBay and Amazon; eBay is just a scam itself, it's all PayPal. But how are people actually protecting us? That's the real question I'd like to add here. So I am going to display who my carrier is, I don't care, I use T-Mobile. If you have used T-Mobile, or if you currently have them, you'd know of this wonderful feature that goes on your phone called Scam Block. It will actually do a network override for the caller ID, display it is a scam phone number, and if you even subscribe to their Name ID service it'll actually block the call in general, so you don't even get the phone call. They've done this because of course people are losing money; they want to make sure their customers are actually basically being secure, they want to make sure their customers are not falling to this, and they released this really cheesy promo video of how it actually works. Why go slow-motion? That's it, very cheesy. But you also see how easy it is to enroll on an iPhone, and then you're enrolled, simple as that. That's all you have to do to... basically this network caller ID feature, it's fantastic, it works great. And this is even, well, it looks like this was taken on an LG G4, blurred out the phone number. I got a call, it was spoofed, but this is what it looks like, and of course, you know, you'll see on the actual dialer this is also what it looks like. So it helps people actually stop getting this done to them. So that's one great way people are actually helping us stop this and of course not having money stolen.

So what are some exploits and some concepts we can do for this? But first I have some questions. How can we get these guys offline? That's my main thing. This is going to be part of the exploit part. We have three ways we can do this. One, we can do scam baiting. Do you guys actually know what that is? Wow. If you get a phone call from them and you start [ __ ] with them, that's called scam baiting. You start doing some exploits, which we'll go over, or of course your typical social engineering, and have fun that way. So let's start with exploitation. How can you actually exploit some of these phone systems? Well, what I have found, the most common phone system used by these scammers is 3CX. 3CX is a free PBX that you can actually download on their website, get a license key; you have a .com, you get a free license key, who knew. But it is a Windows-based PBX; it can run all on .NET, you can write your own .NET app to even integrate into it, so it's actually a pretty powerful software. But it has, you know, it has those nice vulnerabilities. So I went on Fiverr and I posted this ad: I'll set it up for you, $50. Yeah, just give me $50, I'll set it up for you. You might have a backdoor in it, but who knows. So I set this up and I got tons of messages about this: hey, will you set up my phone system; hey, we need my phone system. I got one message in particular: hey, we are based in Pakistan, we need a phone system to do technical support for Americans and Canadians with their Microsoft Windows operating system about viruses. Great, fantastic, that's actually what I wanted. I wanted that message to come in, and you know what, they didn't even buy the basic, they bought the premium delivery. It is almost just like Amazon Prime. But, you know, cool, I install their system for them, I set up all those extensions, I give them support, but then of course, you know, I have to change the root password, I keep the private keys for the Linux distro that this runs on, they're not going to get SSH access, and, you know, here's my packages, so you will see the premium unlimited extensions, started three days, oops. But I set this up for him and actually got into the system. Now, what I'll be displaying is a demo system, not their system, as they've already been taken down, reported to authorities. They gave me their real address, [ __ ] sake, they gave me a legit address and a legit business name, really. But this is just one simple way we can do it. Of course I got legit entries and I did help some doctors' offices and everything on that, yeah. But a couple of things about this: don't [ __ ] it up. If you're actually gonna do this, make sure you do it right and make sure you're not showing "I'm gonna screw you over" by this. Yeah, who cares. Also don't be an idiot; see above.

So let's go ahead and go on to some social engineering. So the weird thing about these offices: we all know there's these mom-and-pop shops or, you know, smaller doctor's offices, about ten users, they only have AD. These guys have four users and they have a DFS. This is actually a system that I found, which I'm showing, and, you know, I just went in there, yeah, I changed it, non-infosec, and changed the password from "administrator" to "password1". I don't think they still guessed it, but this is one thing that they do, and they leave all these ports open; they basically have their firewall allow every single port. But, you know, you're doing that customer service for them; you don't want your network to be bought just to allow everything and screw it. They also do, you know, the "password never expires". Okay, cool, got the password, amazing. The weird thing about this one, the thing I did to get these screenshots: I went in, changed their whole entire domain system, changed everything to my information, so now they can't even log in properly because they probably don't even know what the domain actually is. Yeah, who cares. But the weird thing was they also ran BitLocker, networking locked; these guys were actually securing systems with Deep Freeze, BitLocker and some other suite of tools to actually stop some of the stuff we're actually going over. These guys were actually getting smart, which is the sad part. These are actually hiring real engineers; well, we're done, this is not real engineering, um, but they're actually hiring real IT guys to actually start doing this stuff. This is stupid; why are they doing this? Well, of course money, but also they do have a couple of, you know, they actually started also doing training. The one thing I want to say about training: I've actually had one, basically was a whistleblower, reach out; the company actually bought training from Social-Engineer. That was... dollars for training to stop social engineering attacks. That tells you how much money these guys are making.

So I did go over a little bit of scam baiting, but basically we've already explained what it is. Well, so basically how can we get it offline? Scam baiting is fun yet stupid. You can be on the phone call for four plus hours screwing with them; yeah, you know, you stop someone else from getting scammed but your whole day's been wasted. If you're at work getting paid for it, sure. System exploitation, it's fun, yeah; illegal, asterisk. I don't know your local laws in your area; if you're in a random country in the world I don't know if your laws... they only know it's illegal in Canada. Social engineering, well, it's fun, it's really fun, and especially to get their information and get access to everything they own. Cool, you're basing it on the company. So with all of these, how can we get people's money back? You give your credit card to them, they take about three hundred dollars. Okay, well, I've also found out that most of these guys are also using Stripe for the payment processing. Stripe is an easy alternative; you can actually integrate it in almost anything, and you can actually integrate it into the 3CX phone system as well, so you can do payments right over the phone. But Stripe is also getting this really well; what they were actually doing is amazingly well, because if you're having fraud they just ban your account instantly, almost, then they report your information to other credit card processors so you could never sign up again for another credit card processor. They're actually doing it right. Some are now using PayPal for the processing, and PayPal doesn't care. You sign up for as many PayPal accounts as you want; if you get limited, make a new one with someone else's information, you have credit card processing. So I did reach out to Stripe to see if we can get some more information, but they actually told me they have actually stopped over 500 accounts for this. 500 accounts shut down overnight just because of fraud for this situation. So, you know, we kind of have a party about actually getting people's money back, because to be honest I feel getting that little old lady's money back is some of the best things ever. You know, you get their database, you call the little old lady saying, hey, this was a scam, I'm just refunding all your money back to your card. That is probably the best thing I have had doing this. But again, we can fight back. Well, we can do system exploitation, social engineering, or just be a dick. The reason I say be a dick is, of course, the most used phone system is 3CX. It looks nice, it's very pretty, it's designed for someone that doesn't want to use CLI. Yeah, we're doing phone systems; CLI is kind of a pain in the ass. But there was one great exploit in version 15.0 that lets you download the whole backup without credentials. I did reach out; they did fix the vulnerability in an insanely short amount of time. They reported back to me two days later saying it was resolved and pushed out in the next update. But simply you can go to backup, get their backup file, and the cool thing is these aren't encrypted; you cannot encrypt these. So, but also, presentable, yeah, this will be the URL, I'm not gonna lie; remove everything after "list" and then you get a list like this. So the cool thing is, again, you don't need credentials at all to download these. So you see where it says download ID; basically you get the ID, so if we want to get this backup right here, I cannot draw, if you want to get this backup right here, typing the ID, it'll start downloading. Great. Then you'd open up the XML file, it's super easy, just open up an XML file. It has random letters and numbers, sounds secure, but again it's legitimately not encrypted. Here's the username and password for admin. That's it, you now own the whole phone system, and if they even have the proper licensing for this phone system you can even set up a backup phone system or a failover phone system and just have all calls go out to your new phone system. They won't even notice the difference. You know, I'm sitting, accepting all their traffic on your network. Hey, you're cool, you're good then. So with this information we just do this: sit back, relax and let the fun go on.

But here's just some simple ways we actually can do some of this material. These are simple ways we can actually get these guys offline, get people's money back and more information. The easiest way, I will say, to start getting all this information: these guys just don't care, they want money, so you can easily probably get them to install TeamViewer on their computer and just get the ID and password, start doing the file transfer. A lot of people that they've actually scammed, or some of them, have even started using SQL services like on AWS. Cool thing is AWS actually has a great policy: if you're doing illegal activity on their services, yeah, they'll shut you down, report you. Yeah, who knew. So I like to do a little bit of a live demo here, just some ways, if we actually do get access to some of their internal systems, how we can actually screw them over. So I am going to... that I don't care about, Inc., shut up. So I see I can have a softphone running over here. The weird thing about 3CX is you really don't configure it yourself; you basically get a configuration file. So if I open up Sublime, here's the configuration file; it shows everything, it has everything in here. As long as you get this configuration file, you now own that extension, it is an admin essentially, you can even log in to the software. So I have to dial my softphone, and I have T-Mobile DIGITS. This is not my phone number, this is not a valid form. I am cancelling this line as soon as I get out of this talk, so if you want to call it or text it, fantastic, I don't care, it's gonna be gone. So now my phone number is displayed to the whole entire world. Fantastic. So one simple way I found that you can actually go ahead and do this: whenever I was actually doing Fiverr for this I used Lightsail, I just closed it. Lightsail is a simple way to get VPSs running on Amazon. So I had this demo here, cost $5, they don't need to know that, but basically you can just go ahead and make a new instance on Debian, go back over here, and let's look at some of the extensions. You'll see this one is registered, and if we go in here, the weird thing that makes me go crazy is this. That is one of the simple ways I have found to actually help. So if I change this from nine one one to oh one one eight nine nine seven two five three... so that's the easiest way to remember it; you're seeing it and it's like, oh, it's in your head forever. But, you know, it's not the emergency services, it's your emergency services. So now we have that new caller ID. If I simply just want to go to a five nine nine seven nine sixteen eighty six, if you're like me I am NOT going to answer a phone call from that number. It's like, I don't think we're getting roaming charges or, like, international calling fees; like, what the hell is that? Or sometimes you can actually even get it to do caller ID, so sometimes if you do this, FBI Las Vegas, you're actually pulling this phone number here and you actually look like you're calling from the FBI. Who's answering an FBI phone call? No one. So that's one way you can actually stop this: if you get access to their phone system, make a failover, change your caller IDs, it's fantastic. You can even make your own extension and start even getting into the reception. Cool, have a Las Vegas area code, or here, but you can actually give me a... SIP trunks... accept... service. You have full access to the SIP trunk. Cool. You can even add yourself into the call queue so you start getting their phone calls; you actually start getting phone calls at your reception, and if you still use fax, make a fax machine. I don't know who uses fax, it's absolutely stupid. But then again you can also get done with the logs, see all, let's see who you've called or see who they've called. And if I go here, if I really want to screw them over, if I really want to [ __ ] with them, I want to dial this number again, and I can actually look here, I can actually see a... see status. So you see what their status is, can make them do not disturb, and if I have access to the supervisor portal I could actually even go ahead and disconnect their phone call over and over and over again, or join the call, barge them off and be done with it. Well, those are some simple ways we can screw these guys over. I will give you my contact information. Oh crap, I'm not having a good morning; you know, script here. This is my contact information. If you need me, reach out to me: email complaints, do not call that phone number, that is for the FBI, unless you really want to get arrested. But tweet at me if you have any questions and I'll be more than happy to help you guys out. Thank you.

You can... one of our sponsors, and I guess, that said, any questions right now? We have a minute. One question. All right, thank you all. We'll start here in about five minutes. [Applause]
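As an added example that is not part of the talk: the speaker points out that 3CX backups are plaintext XML holding the admin credentials, and that someone holding one can retarget extensions' outbound caller IDs to 911 or an FBI number. An operator of such a PBX can audit an exported backup for both conditions before it is stored or shared. The XML layout, the owned-number allowlist and the sample numbers below are constructed for illustration and are not 3CX's real backup schema.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample backup in a hypothetical PBX layout; this is NOT 3CX's
# real backup schema, just enough structure to show the two audit checks.
SAMPLE_BACKUP = """<PbxBackup>
  <Admin Username="admin" Password="Winter2017!"/>
  <Extensions>
    <Extension Number="100" OutboundCallerID="7025550100"/>
    <Extension Number="101" OutboundCallerID="911"/>
    <Extension Number="102" OutboundCallerID="(702) 555-0199"/>
    <Extension Number="103" OutboundCallerID="7025550101" SipSecret="s3cret"/>
  </Extensions>
</PbxBackup>"""

OWNED_DIDS = {"7025550100", "7025550101"}   # constructed: numbers the org really owns
EMERGENCY_NUMBERS = {"911", "112", "999"}   # must never be presented as caller ID
SECRET_ATTR = re.compile(r"pass|secret|pin", re.IGNORECASE)


def find_plaintext_secrets(xml_text):
    """Return (tag, attribute) pairs holding a non-empty credential-looking value.

    A backup that yields any hits must be handled like a password file:
    stored encrypted and never reachable from an unauthenticated endpoint.
    """
    root = ET.fromstring(xml_text)
    hits = []
    for element in root.iter():
        for attr_name, value in element.attrib.items():
            if SECRET_ATTR.search(attr_name) and value:
                hits.append((element.tag, attr_name))
    return hits


def audit_caller_ids(xml_text, owned_dids, emergency=EMERGENCY_NUMBERS):
    """Return {extension_number: reason} for every extension whose outbound
    caller ID is an emergency number or a number the organisation does not own."""
    root = ET.fromstring(xml_text)
    findings = {}
    for ext in root.iter("Extension"):
        # Normalise "(702) 555-0199" style values to bare digits before comparing.
        digits = re.sub(r"\D", "", ext.get("OutboundCallerID", ""))
        if digits in emergency:
            findings[ext.get("Number")] = "emergency number used as caller ID"
        elif digits and digits not in owned_dids:
            findings[ext.get("Number")] = "caller ID not in owned DID pool"
    return findings


if __name__ == "__main__":
    for tag, attr in find_plaintext_secrets(SAMPLE_BACKUP):
        print(f"plaintext credential: <{tag} {attr}=...>")
    for number, reason in audit_caller_ids(SAMPLE_BACKUP, OWNED_DIDS).items():
        print(f"extension {number}: {reason}")
```

Run against a real export, the same two checks give a quick signal that a backup copy needs to be locked down and that an extension's caller ID has been tampered with.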