So I am in the business of social engineering people (with authorisation of course), and depending on who you speak to this could be interpreted as scamming, conning, or generally straight up manipulation. The reason I do this is to simulate a real world threat to see how people hold up and utilise the training they have had, as well as identify those gaps that need improving. Now I see alot of examples of real scammers and phishers in action, but rarely would I rate them as being very good, but I do appreciate they dont actually have to be that good to get decent results when they play the numbers game.
So why am I telling you this, well in July someone attempted to scam / commit online fraud against me, and I have to say it was one of the best approaches I have seen to date. So the aim of this post is to give some awareness, and to share the little story of how I wasted their time for the week and perhaps bring a smile to your face 🙂
So my story starts on the 1st July 2012 when I put my MacBook Pro up for sale on Gumtree. I did some searching around for how much they are selling for and wanted to avoid eBay fees so Gumtree seemed like a winner.
Soon after posting I received an email via Gumtree asking if the item was still for sale, and indeed it was so I replied confirming as much.
About 24 hours later the guy gets back to me saying he would like to buy the laptop and will be £20 towards delivery, and provided me a mobile number to call (
+447035920292). Now I did think this was a little odd as who in the UK tells someone else in the UK the country code, but hey I thought I would give him a call.
So I make the call and I speak to what I think was an African guy calling himself Francis Saine (fransaine101@gmail.com), hes English wasn’t great but I have sold things to foreign students before, and decided to set my paranoia to the side and see how it goes.
Now the next bit is the clever bit, so he asked me to send him a PayPal money request for £770 and he can then make the payment. I had never used this feature before, but as you are protected by PayPal I thought all is good.
My new friend Francis later in the day sends me an email letting me know the address the laptop will be sent to (a London address) which backed up part of the phone conversation we had. Another 24 hours later I get an email from PayPal informing me Francis has paid me, and the money will be released once I provided proof of posting. ALARM BELLS RINGING….. Fun Time 😀
Now as you can see this PayPal email is set so the response will be sent to service@paymentverifications.com which obviously isnt PayPal, so I decided to also check the headers and I saw this:
MIME-Version: 1.0 Received: by 10.224.184.75 with SMTP id cj11mr31753768qab.16.1341334634836; Tue, 03 Jul 2012 09:57:14 -0700 (PDT) Sender: shazad.sahak02@gmail.com
Now I got a couple of emails from the fake PayPal email dude and I have to say aside from this oversight it looked really really good. The clever thing is, because you sent a payment request, if you login to your PayPal account it says pending, and the phishing emails also confirm pending status, so the average Joe is going to fall for this.
About the same time I get an email from Francis telling me he has sent me the money, and that I must send the laptop tomorrow for Next Day Delivery before 1PM tomorrow, and its going to his sister as a Birthday present. So I assume they dont want to be waiting all day to intercept the laptop.
So what would you do in this situation? Well I am a nice guy, so I wrapped up the laptop as its a Birthday present and sent it in the post!!
Well at least thats what Francis thought, and thats what Shazad and his fake PayPal thought to. It took me a while but I eventually managed to create a Royal Mail Special Delivery tracking number that showed up as valid on the Post Office tracking page 🙂
Then I get an email from fake PayPal confirming I have sent a valid tracking number and I will get the funds in my account in 24 hours, wooohooo.
Now during this time, just so its clear I have informed Gumtree, PayPal, London Met Police and the eCrime center, so they can utilise the information I collect to possibly catch these guys in the act.
The next day about 3PM I get another email from fake PayPal saying that my tracker number does not appear to be authentic, I also guess the laptop is now 2 hours late being delivered so they are wondering if I sent it at all? Obviously I hadn’t sent it, so how can I send them a picture of the receipt to confirm the tracking? I make one 😀 takes about 45 mins and I send it off, fake PayPal are happy and confirm again my money is on its way 🙂
So at this point I have a phone number, some email addresses and a drop off address. I thought it would be handy to get hold of Francis’s IP address then I could find out his ISP and Country to aid the Police further. So I decided to Phish him myself 🙂
So I continued to exchange emails with him to build some rapport with him, and get him interested in other things I might be selling. He is interested in the iPad I have for sale, and he wants to see pics and get more info. So eventually he visits the fake site I spun up and I get his user agent info from the Apache logs 🙂 Sadly these guys are doing abit to protect themselves, looks like they are using anonymous proxies and routing traffic through a VPS in the US. Oh well it was worth a shot.
This is really the high level story, I hope it brought a smile to your face, I know it did me just for wasting 6 days of these guys time overall, and I can only assume a wasted day hanging around in London for the laptop to arrive. As far as I know they didn’t get caught, but they didn’t get my laptop, and I am still waiting for fake PayPal to send me my funds, I keep asking but now they dont want to email me any more 🙂
So please take this blog post as a reminder that even people in the industry like us could fall prey to the scammers, but if we ID it early we can have abit of a play. Of course be careful what you do, as you dont know who these people are, or what resources they have available to them.
Haha good work sir I did something similar but I used BeEF to track them
nice read
You are one sneaky bastard – on our side thank god 😀
Loving it !
I was conned by the same guy today… £300 Ipad sent to some Nigerian scammers. You want to know what the police said? “There’s nothing you can do.” Want to know what Royal Mail said when I asked for the package back? “It’s against the law to remove a package after it’s in our hands.” I’m a student trying to make some money for a holiday and these scumbags have ruined that for me. I guess it’s my own fault eh… =’ (
I am going through something similar. I’m selling an item on craigslist and researched scams so I’d be on the look out. And sure enough I get this paypal upfront payment without wanting proof of the item quality. To good to be true, It is. I took him up on his offer and got the “paypal” payment confirmation emial from the same email address. service@paymentverifications
It’s an educational experience, and yeah i was hoping to be able to trip them up into getting caught. But judging by this blog, their skills are beyond mine.
Thanks for the info and good luck!
[…] Image taken from http://www.subliminalhacking.net/2012/07/22/playing-nicely-with-scammers-wasting-their-time-for-gigg… […]
Yep, definitly not caught yet: they just tried almost exactly the same with me. They gave me the address of a takeaway in London to send to: I thought it was just some guy trying his luck, but your post makes it seem like they’re actually more professional about it and probably won’t get caught out. Shame.
hey,
the same thing has just happened to my partner it was quite funny after reading this we pick apart her scam and just coz i can im going to name and shame her on here so people can keep an eye out for the name it KAREN CARTER hope this can help someone
Hi yes Karen carter gates is who wanted to buy my iPhone 5 I got the exact same thing they wanted me to give a tracking number to FAKE paypal and then the funds will be in my account!! they never was.
I was Scammed by a Gregory P. Carter today.
Supposedly works for Ernst & Young
ggcarter79@gmail.com
BE CAREFUL.
Loved the article. Wish I had the ability to turn the table on this person.
same thing and same email guy happen to me exept I wasn’t seller smart and have lost my phone my guy called himself Darren butt. but same email as francis saine . fucking sucks that I lost my phone, any chance you know how to get even with this lot.
Fran, your best action is to contact action fraud and provide them with the details and tell others about what happened so they don’t become a victim also.
I literally just got conned by the same guy the other day, and it is the most infuriating thing. Did you at any point find out any information that would help the police? Such as his IP address to then find out his ISP? ANYTHING at all would help. Thanks so much,
Kay
I don’t have the information anymore, I provided the information to the police at the time, but I believe they didn’t have the resources available to investigate further.
Just provide all the information you have, but sadly they don’t have the resources to look into these sorts of crime it seems.
Thanks for posting this! This jerk butt just tried to do that to me on ebay. Im very familiar with ebay and paypal so as he gave me the “oh Im very busy and need you to overnight it and I cant check my ebay that much” spew I knew something was up. Sure enough I have 2 emails I got at 4am this morning from this service@paymentverifications.com email saying its pending and to ship the item. Still trying to figure out how to handle it, I reported it to ebay so far. Glad you posted this though so people can be aware!