This is a story of a sophisticated scam call I got this morning in Singapore — that you must read and protect yourself from.
I have heard about the online money scams or tele-scams going on here and there, but this was my very first encounter in Singapore. And given the level of sophistication, I feel some innocent folks may fall for it. So, I must write about it.
Let’s start…
This morning my wife and I got a scam call in Singapore. They intended to get full remote access to our system. Initially, we thought this was a genuine call from concerned authorities. But, soon it became apparent — it was not. Their approach was sophisticated enough to make us believe some may get into their trap.
I am writing this story hoping to share a first-hand account of what happened, explain some of the concepts and maybe help some readers protect themselves.
Our backstory
I am an Engineer at Google. These days, I work in the area of optimised camera algorithms. I have a Bachelor’s degree in Computer Science and thus a fair understanding of networks and the general understanding of terminal commands.
My wife Nida — is a Strategy Analyst at Carousell. She has a Master’s in Urban Planning and a Bachelor’s in Architecture.
Both of us live in Singapore.
The fateful morning
It was a normal morning. I was taking a shower to go to the office (yes that’s a thing now!).
I was almost done when my wife started knocking on the door — asking me to check this call. It was apparently from some technical guy from our internet provider — Singtel.
Let’s start with Nida’s account
The call came on my phone number, but my wife picked it up.
Caller: Hello, how are you doing?
Nida: I am fine, thanks! Who is this?
Caller: I am calling from Singtel Singapore office. Is any foreigner or international person using your Singtel connection?
Coincidently, we had some visitors from overseas the previous day. Nida was puzzled and curious at this point — what happened?
Nida: We have given hotspot connection to some of our friends yesterday, why?
Caller: No, I am talking about your Singtel Wifi connection.
Nida: No, not that I am aware of. Why?
Caller: We have seen a number of international connections from your wifi and they are running some suspicious activities under it.
At this point, Nida was both worried and slightly suspicious. She decided to defer the call to me.
Nida (to me): Hey can you check this out — there is a call from some Singtel guy, stating something fishy with our internet connection. Something like, some international folks are using our wifi and there are some suspicious activities.
As I mentioned before, I was just finished with my shower. So this comes as a bit of “Huhhh?”.
At this point I was thinking — some neighbour got access to our wifi password and somehow these kind folks detected it (“which is cool!”) and are helping us ban their IPs or will ask me to just change the password.
Then, I take the call
The caller explained similar things — some foreign folks got access to our internet. Also, they are doing some suspicious activities. We need to resolve this fast. He asked me if I had access to a PC. I said yes — I am still assuming this is about changing passwords or banning IP addresses and so on.
Caller: Is your system turned ON?
Me: Yes
Caller: Do you see the button on the bottom left, it has C….T….R….L
Being babysat was slightly annoying but then I thought this might be the standard protocol.
Me: Yes
Caller: Do you see a button to the right of it, it has 4 boxes.
Me: Yes, the windows button.
I was getting further annoyed!!!
Caller: Press that button and R button together
Me: Looks like you want me to run a command, but I am on Mac, what command do you want me to run.
Caller: Ok open terminal and press N…E…T…S…
Me: So you want me to run netstat
I ran netstat on my terminal but for some reason it failed with the following error.
zsh: command not found: netstat
This was a fateful error! This command is supported on Mac terminals but I was doing some config changes in the past, which messed up the $PATH environment variable leading to this error. I didn’t care to check further as I had another Windows PC where I knew I could run this on the same Wifi.
The good thing was, this gave me more time to process things.
Me: Let me open up my Windows PC to run this.
Caller: Ok!
For those who may not know, netstat is a rather harmless command to run. It just shows the active TCP connections and the ports on which “this” computer is listening.
Me: Ok, I have started my windows system and run netstat. Now what?
Caller: What do you see?
Me: I see a bunch of local connection, rest is loading. What is expected?
Caller: Do you see some Local Address and Foreign Address?
Me: yes, so what?
Caller: You see a list of Foreign Address — these are IP addresses of foreign individuals accessing your internet and doing suspicious activities.
At this point, I was 100% sure — it’s a scam.
For those who may not know:
- Local Address on the netstat result shows the IP address and port information of the local end of the connection — the connections starting from an application on your computer. 127.0.0.1 points towards a local IP address.
- Foreign Address on the netstat result shows the address and port number of the remote end of the connection. A very naive example would be if an application was directly accessing https://blog.minhazav.dev, it may show something like 185.199.108.153:8080 on the Foreign Address.
It doesn’t point towards any foreign individual — 100%!
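To make this concrete, here is an added example (not part of the original article) that parses a constructed sample of Windows `netstat -n` output and labels what each Foreign Address really is. The sample rows, ports and function names are assumptions made for illustration; only 185.199.108.153 comes from the text above.

```python
import ipaddress

# Constructed sample of Windows `netstat -n` output (not captured from a real host).
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    127.0.0.1:49670        127.0.0.1:49671        ESTABLISHED
  TCP    192.168.1.23:50112     192.168.1.1:443        ESTABLISHED
  TCP    192.168.1.23:50120     185.199.108.153:443    ESTABLISHED
  TCP    192.168.1.23:50133     185.199.108.153:443    TIME_WAIT
  TCP    [::1]:49680            [::1]:49681            ESTABLISHED
  UDP    0.0.0.0:5353           *:*
"""

def split_endpoint(endpoint):
    """Split 'host:port' or '[v6]:port' into (host, port)."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), port

def classify(host):
    """Describe what kind of endpoint a Foreign Address refers to."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "none (socket has no remote peer)"  # '*' on a listening UDP socket
    if ip.is_loopback:
        return "this computer (loopback)"
    if ip.is_private:
        return "home network (router or another local device)"
    return "public internet host at the other end of a connection"

def summarize(netstat_text):
    """Return {(remote_host, kind): connection_count} for TCP/UDP rows."""
    counts = {}
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] not in ("TCP", "UDP"):
            continue  # skip the banner, column header and blank lines
        host, _port = split_endpoint(fields[2])
        key = (host, classify(host))
        counts[key] = counts.get(key, 0) + 1
    return counts

if __name__ == "__main__":
    for (host, kind), n in summarize(SAMPLE).items():
        print(f"{host:<18} {n} connection(s)  {kind}")
```

Every row is the other end of a socket on the machine where netstat ran: the machine itself, a device on the home network, or a server it is talking to. None of them identifies a person using the Wifi.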
How does the rest of the scam work?
At this point, I knew they were not authentic folks from Singtel. But I was curious about what they wanted and what other tactics they would employ.
And this turned out to be the most interesting part of their modus operandi (and something new — I learned that day).
Me: How did these people get access to our internet?
Caller: You probably were accessing some website where they infected you with a malware.
Me: Hmm, and how do I fix this?
Caller: Do you have any remote access software installed, I can help fix this.
Caller: If not, I can help you install one
LOL!! This is something I would never do — give full remote access to my computer to some shady guy!
Seriously, never do this! Unless you know the person on the other side of the call.
Don’t let anyone install random apps or make any arbitrary changes to your computer.
Me: That’s asking a lot. How do I know you are an authentic Singtel person.
Caller: Sure, I can verify I work for Singtel.
Caller: To verify, on your terminal please run A….S….S…O…C — assoc.
I didn’t know what this command was supposed to do and at this point — I am not going to run arbitrary commands on my system anymore. Particularly, one that this guy tells me. So I looked it up.
I stumbled upon this very good article. Reading this gave me the extra 150% assurance of the scam.
ASSOC is a command that displays the program and/or functionality ASSOCiated with a specific file type.
There is a certain unique ID that shows up in the result which is frequently misrepresented by scammers as being a unique identifier of the victim’s system and/or a license ID for the Windows operating system.
On its own, it’s a harmless command. Just that in the end it shows a serial that has a unique ID, which is not unique to individuals — it’s common to all windows systems.
Me: Ok, I just ran it. What now?
Caller: When we setup your internet connection, we setup a unique license key in your system. You must be able to see a license key at the bottom of the result.
Caller: Let me look it up for your account on our side, please give me a moment.
I consider this part a bit sophisticated and obscure at the same time. But, this could get unsuspecting or even partially suspecting folks to believe the caller a bit more.
Caller: …..
Caller: Is it 8…8…8…D…C…A…6…0….
Caller: …. D…0…6…2
I was both surprised and angry at this tactic.
Me: hmm ok, it’s correct. But I can’t give you remote access — can you send folks to our home to fix this?
Caller: No, because we are overloaded with this thing?
Me: What thing?
Me: What thing?
Me: Hello?
Call disconnects and that’s the end of that call!
Important notes for readers
These are probably known to you. In case they are not — please pay attention.
- Never ever, ever .. give remote access to your system to any stranger who calls you. Even if they claim to be Obama.
- Don’t run arbitrary commands that you are not aware of. Most commands can be harmless — but even without remote access, they could instruct you to install malware and get you to give it admin privileges.
- It goes without saying, don’t give any password or PIN or OTP or credit card info to anyone on call.
- If you are not sure about such calls, get more context by calling the authentic service center numbers that were given to you by the company during installation.
In our case, there was one obvious signal I missed since I took this call from my wife directly. The call came from this number — +60-75076255.
+60 is the telephone extension code for Malaysia. While it’s not unrealistic for Singtel to set up offices in Malaysia, I would be very suspicious of international calls stating these things. It’s probably easier to operate these scams outside of the jurisdiction of the victim’s country.
What did we do next?
I reported the issue on https://eservices.police.gov.sg/homepage.
And then I decided to write about this
I hope people don’t fall for this kind of scam.
I am publishing this article outside of paywall — so more and more folks can read it.
If you found this article helpful or useful, please share it widely for more coverage. If you had similar experiences, please share — I’d like to help share the word on this matter!
This article is very much outside of my original niche — high performance coding, computational photography or general software engineering. Feedback is highly welcome.
Thanks!