Showing posts with label tech support. Show all posts

Sunday, August 10, 2025

Operation Chakra V: Call Center Scammers and your PII

Here we have another cautionary tale about off-shoring customer service when faced with the reality of Call Center Scams that commit fraud via Tech Support Scams and Government Impersonation. In this case, FirstIdea, an Indian company, is charged with committing fraud against at least 100 victims from Australia and the UK.

FirstIdea.us, according to their website, provides Debt Collection services for ADP, Aetna, Aramark, BASF, Bic, CareOne, CostCo, Horizon Blue Cross Blue Shield, JPMorgan Chase, Kessler, Siemens, Sony, and others.

firstidea.us website "Our Clients" page


India's Central Bureau of Investigation (CBI) recently announced Operation Chakra V, which claims Microsoft Digital Crimes Unit, the US's Federal Bureau of Investigation (FBI), Japan's National Police Agency, and the UK's National Crime Agency (NCA) as partners. The Operation has had many focuses and has been ongoing for several months, including a bust of an Amazon-imitating call center today (10AUG2025).

One of the most significant findings was announced last month, as 37 were arrested with the announcement that 850,000 money mule accounts (8.5 Lakh) had been opened at 743 bank branches. That announcement pointed out a total disregard for KYC (India calls it Customer Due Diligence) and widespread failure to file STRs (Suspicious Transaction Reports.)

While there are dozens of articles that could be written about the successes of Operation Chakra V, I want to focus on a ring-leader arrested in raids in Noida on July 7th. According to CBI's First Information Report (FIR) (similar to a Criminal Complaint in the US), Nishant Walia, Arjun Prakash, and Arjita Chopra were considered Significant Persons in a fraudulent Call Center operation.

Nishant Walia operated FirstIdea Solutions where Arjun Prakash was listed as a director. Nishant and Arjun were co-directors at several companies, including Marvello Infotech, FirstIdea Solutions, and DroidOne InfoSol.



Whistle-blowers who post on "Scammer.info" share more details and point out that Nishant's other company, Click Aurum, is also worth looking into.  In that chat thread, "Rogger" says they are "running outbound calling in UK, AUS and ask for cancellation and collect money from them."

https://scammer.info/t/https-www-youtube-com-watch-v-xow1vct-whg/57340

While the date on the Scammer.info post shows Nishant Walia was "in the game" as early as May 2020, a UK court document actually puts the timeline even earlier.  In a case against one Baljinder Singh, in a document dated 04JUL2019, we find that "Devine Technical Services Ltd" based in the UK was linked to "an Indian company which purported to provide online technical support for computer users." In that earlier case it is explained: "The nature of the fraud was that computer users were made to think that their machines had been infected with viruses or had been subject to hacking and were encouraged to pay for the services of the IT support company."  Mr. Singh was charged with money laundering, receiving payments totaling £300,188 from victims of the scam and forwarding the proceeds (minus his commission) to Nishant Walia in India.

https://crimeline.co.uk/wp-content/uploads/2019/09/singh2019ewcacrim1428.pdf


Dozens of Indian media outlets shared the story of Nishant's arrest, calling him a "Key Operative," a "Kingpin," or a "Leader" of a "Cyberfraud syndicate."


https://www.thehindu.com/news/national/cbi-arrests-key-operative-of-cyber-fraud-syndicate-targeting-uk-and-australian-citizens/article69788011.ece

While Nishant has been arrested by the CBI and charged with running a major fraud call center operation, Arjun Prakash claims to have moved to Hawaiian Gardens, California and begun operating as the "Business Owner & Chief Executive Officer" of FirstIdea, sharing the firstidea.us website in his LinkedIn profile, but claiming to have worked there consistently for 9 years and 10 months (since October 2015), making it clear that this is the same organization.

According to business registration documents, Arjun left the company, opening a debt collection service in the US using the domain "firstidea.us" which he registered in 2015 using his personal gmail account (arjunprakash11@gmail.com) and later renewed using the company gmail (firstideasolutionsinc@gmail.com).  Clearly, despite resigning his directorship, Arjun was still part of the company.

linkedin.com/in/aazur (now deleted)

We have seen this pattern repeatedly where a company establishes an off-shore relationship for a business process operation that requires the sharing of #PII, and then operators of that same call center are subsequently accused of running fraudulent call centers.

Monday, March 30, 2015

Tech Support "pop-ups"

There is a new trap on the Internet that seems to be growing in popularity in the form of a Tech Support pop-up Window.  The first of these I saw was last Tuesday, March 24, 2015.

Norton Scam


While reviewing some pharmaceutical spam web pages, we were suddenly forwarded to the page:

alert.norton.com.pctechhelpforyou.com/index-15mac.html

Immediately after this page rendering, a pop-up window is repeatedly displayed insisting that we need to call the telephone number 1-888-884-7058, ringing a bell each time the window is displayed.  The pop-up is so insistent that it is very difficult to get past the pop-up to close the browser.

Despite the fact that this pop-up is warning me about my APPLE COMPUTER, the original trigger that we encountered was in a Windows 7 Virtual Machine.

Looking at the source code for the page we see that we are dealing with JavaScript that has several tricks, including "right-click disable" and an annoying command "window.onbeforeunload = PopIt".  Actions such as "document.onmouseup" and "document.captureEvents(event.MOUSEDOWN)" help to keep control of the window, making it nearly impossible to close the browser, which also sets itself to appear in the Center of the screen, obscuring other opportunities to deal with the warning.
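As an added example (not code from the scam page or from this post), the following Node.js sketch triages saved page source for the tricks named above. The indicator names, the two-trick threshold, and both sample pages are assumptions constructed for illustration.

```javascript
// Added example: static triage of saved page source for the lock-in tricks
// named above. Indicator names, threshold and samples are constructed.
const INDICATORS = [
  { name: "beforeunload-handler", re: /\bwindow\.onbeforeunload\s*=/i },
  { name: "capture-events", re: /\bdocument\.captureEvents\s*\(/i },
  { name: "mouse-hook", re: /\bdocument\.onmouse(?:up|down)\s*=/i },
  { name: "context-menu-block", re: /\boncontextmenu\s*=/i },
  // North American toll-free prefixes (800, 833, 844, 855, 866, 877, 888).
  { name: "toll-free-number",
    re: /\b1?[-. (]*8(?:00|33|44|55|66|77|88)[-. )]*\d{3}[-. ]*\d{4}\b/ },
];

// A single beforeunload handler is common on legitimate pages (unsaved-form
// prompts), so flag only a phone number combined with two or more tricks.
function triage(html) {
  const hits = INDICATORS.filter((i) => i.re.test(html)).map((i) => i.name);
  const lockTricks = hits.filter((h) => h !== "toll-free-number").length;
  const suspicious = hits.includes("toll-free-number") && lockTricks >= 2;
  return { hits, lockTricks, suspicious };
}

// Constructed sample: the markers this post describes, as inert text.
const lockerSample = `
<script>
document.oncontextmenu = blockMenu;
document.captureEvents(Event.MOUSEDOWN);
document.onmouseup = handler;
window.onbeforeunload = PopIt;
</script>
<p>Call 1-888-884-7058</p>`;

// Constructed benign page: one legitimate handler plus a support number.
const benignSample = `
<script>
window.onbeforeunload = function () { return "Unsaved changes"; };
</script>
<p>Support: 1-800-555-0100</p>`;

console.log(triage(lockerSample));
console.log(triage(benignSample));
```

The sample strings are only scanned as text and never evaluated, so the scan is safe to run against captured pages outside a browser.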

iPad / Mac Pop-ups


This weekend, I found myself looking at a very similar variant, this time on an iPad, where it was even more difficult to get rid of the pop-up!

Because of the lack of mouse or keyboard on the iPad, this version of the browser pop-up was especially hard to deal with.  The pop-up prevented me from being able to exit Safari!  In the end, it was necessary to power off the iPad, power back on, and then use the "Settings" tab to clear my history and settings.  By default an iPad Safari browser returns you to the most recently visited page, which unfortunately was this pop-up!

As I explored this version, I found that the current domain was hosted on the IP address 198.143.166.36.  This same IP address was also hosting a great number of other suspicious domain names, which began to show up on March 9, 2015, according to the Passive DNS service from Internet Identity.  Checking several of these domains on the Apple forums indicates that victims are charged between $150 and $399 to clean up an imaginary malware attack.

  • mac-issue-online.com -- https://discussions.apple.com/thread/6684596 (800 680 4131)
  • apple-alert-online.com -- https://discussions.apple.com/thread/6850245
  • safarisecurityissue.com -- https://discussions.apple.com/thread/6516787
  • mac-security-alerts.com -- https://discussions.apple.com/thread/6897787
  • online-window-security.com -- (Windows - see below)
  • window-system-error.com -- suspended (why only this one??)
  • mac-pc-alerts.com
  • safarisystemalert.com
  • online-system-alerts.com
  • safarialerts.com
  • window-security-issues.com
  • instantcomputerfix.com -- https://discussions.apple.com/thread/6669786
  • techcarelive.com -- https://discussions.apple.com/thread/6527487
  • safarisystemissue.com
  • online-warning-support.com
  • quickbo0ks.com
  • iexpertstech.com
  • ixperts.net
  • joinremote.me
  • i-xperts.us
The last several of the links on that page appear to belong to a company that does support for Intuit Quickbooks; however, "JoinRemote.me" is a remote control tool.  When the telephone number is called, the tech support person walks the customer through entering a tech support code by visiting "JoinRemote.me".
When that is done, the customer service technician is provided remote control access to the computer to "clean it up."

A friend from MalwareBytes has documented similar scammy behavior where a tax-season Intuit helper website ends up charging for a malware removal.  See Jerome's blog here:  https://blog.malwarebytes.org/fraud-scam/2014/03/the-tax-season-tech-support-scam/


By reviewing the Apple Discussion boards, we also saw evidence that several other people were struggling with these pop-up messages:

 


Continuing to explore through the Apple discussion forums, we found evidence that this was also discussed back on September 2, 2014 in this post by Carlton Chin:

The September file had a different domain name, and a different telephone number, but could it be shown to be the same scammers?  Was applesecurityalert.com on 1-866-782-9808 related to safarisystemissue.com on 1-800-632-9078?

Back to Passive DNS to try to find out.

According to the Internet Identity Passive DNS system, AppleSecurityAlert.com was hosted on the IP address 50.87.153.101 beginning on August 8, 2014.

That IP address ALSO hosted i-xperts.us, ixperts.net, joinremote.me, and quickbo0ks.com, all of which were also found on both the August/September IP (50.87.153.101) and the March 2015 IP (198.143.166.36).
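The pivot described above can be expressed as a small graph search. This is an added example, not a tool used in the original investigation; the records are constructed from the domain/IP pairings stated in this post, and the function names are hypothetical.

```javascript
// Added example: pivoting on passive DNS records. The rows below are
// constructed from the domain/IP pairings stated in this post.
const OLD_IP = "50.87.153.101", NEW_IP = "198.143.166.36";
const shared = ["i-xperts.us", "ixperts.net", "joinremote.me", "quickbo0ks.com"];
const records = [
  ["applesecurityalert.com", OLD_IP],
  ["safarisystemissue.com", NEW_IP],
  ["online-window-security.com", NEW_IP],
  ...shared.flatMap((d) => [[d, OLD_IP], [d, NEW_IP]]),
];

// Index both directions of the domain <-> IP relation.
function buildIndex(rows) {
  const byIp = new Map(), byDomain = new Map();
  for (const [domain, ip] of rows) {
    if (!byIp.has(ip)) byIp.set(ip, new Set());
    if (!byDomain.has(domain)) byDomain.set(domain, new Set());
    byIp.get(ip).add(domain);
    byDomain.get(domain).add(ip);
  }
  return { byIp, byDomain };
}

// Domains seen on both addresses. Several distinctive names moving together
// is far stronger evidence than one shared IP, which may be shared hosting.
function overlap(rows, ipA, ipB) {
  const { byIp } = buildIndex(rows);
  const a = byIp.get(ipA) ?? new Set(), b = byIp.get(ipB) ?? new Set();
  return [...a].filter((d) => b.has(d)).sort();
}

// Breadth-first search for the shortest domain -> IP -> domain chain.
function linkPath(rows, from, to) {
  const { byIp, byDomain } = buildIndex(rows);
  const prev = new Map([[from, null]]), queue = [from];
  while (queue.length) {
    const node = queue.shift();
    if (node === to) {
      const path = [];
      for (let n = to; n !== null; n = prev.get(n)) path.unshift(n);
      return path;
    }
    const next = byDomain.get(node) ?? byIp.get(node) ?? [];
    for (const n of next) if (!prev.has(n)) { prev.set(n, node); queue.push(n); }
  }
  return null; // no shared infrastructure in these records
}
console.log(linkPath(records, "applesecurityalert.com", "safarisystemissue.com"));
```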

Several of the attack sites that share these IP addresses are Microsoft imitators rather than Apple.  One example is "online-window-security.com" pictured below:

Imitating Microsoft Security Essentials

Bottom line - anyone seeing one of these pop-ups suggesting that a telephone number be called for support is DEFINITELY dealing with a scammer and should terminate the session immediately.