Subliminal Hacking
The Art and Science of Social Engineering




July 22, 2012

Playing Nicely with Scammers … Wasting their time for giggles :)

So I am in the business of social engineering people (with authorisation of course), and depending on who you speak to this could be interpreted as scamming, conning, or generally straight up manipulation. The reason I do this is to simulate a real world threat to see how people hold up and utilise the training they have had, as well as identify those gaps that need improving. Now I see a lot of examples of real scammers and phishers in action, but rarely would I rate them as being very good. I do appreciate, though, that they don't actually have to be that good to get decent results when they play the numbers game.

So why am I telling you this? Well, in July someone attempted to scam / commit online fraud against me, and I have to say it was one of the best approaches I have seen to date. So the aim of this post is to give some awareness, and to share the little story of how I wasted their time for the week and perhaps bring a smile to your face :)

(Sadly all the images were lost in a hardware failure)

[Image: GumTreeScammers]

So my story starts on the 1st July 2012 when I put my MacBook Pro up for sale on Gumtree. I did some searching around for how much they are selling for and wanted to avoid eBay fees so Gumtree seemed like a winner.

Soon after posting I received an email via Gumtree asking if the item was still for sale, and indeed it was so I replied confirming as much.

About 24 hours later the guy gets back to me saying he would like to buy the laptop and will pay £20 towards delivery, and provided me a mobile number to call (+447035920292). Now I did think this was a little odd, as who in the UK tells someone else in the UK the country code, but hey, I thought I would give him a call.

So I make the call and I speak to what I think was an African guy calling himself Francis Saine (fransaine101@gmail.com). His English wasn't great, but I have sold things to foreign students before, and decided to set my paranoia to the side and see how it goes.

Now the next bit is the clever bit: he asked me to send him a PayPal money request for £770 so he could then make the payment. I had never used this feature before, but as you are protected by PayPal I thought all was good.

My new friend Francis later in the day sends me an email letting me know the address the laptop will be sent to (a London address), which backed up part of the phone conversation we had. Another 24 hours later I get an email from PayPal informing me Francis has paid me, and the money will be released once I provide proof of posting. ALARM BELLS RINGING….. Fun Time :D

Now as you can see, this PayPal email is set up so the response will be sent to service@paymentverifications.com, which obviously isn't PayPal, so I decided to also check the headers and I saw this:

    MIME-Version: 1.0
    Received: by 10.224.184.75 with SMTP id cj11mr31753768qab.16.1341334634836; Tue, 03 Jul 2012 09:57:14 -0700 (PDT)
    Sender: shazad.sahak02@gmail.com

Now I got a couple of emails from the fake PayPal email dude, and I have to say that aside from this oversight it looked really, really good. The clever thing is, because you sent a payment request, if you log in to your PayPal account it says pending, and the phishing emails also confirm pending status, so the average Joe is going to fall for this.
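The two giveaways in the story above are both in the headers: the Reply-To points at a domain that is not PayPal's, and the Sender line shows the mail actually left a Gmail account. The following is an added example (not code from the post) that parses a raw header block with Python's standard email module and flags exactly those mismatches. The Reply-To, Sender and Received values are the ones quoted in the post; the From line and the list of legitimate PayPal domains are assumptions used to make the sample self-contained.

```python
import email
from email.utils import parseaddr

# Constructed sample header block. Reply-To, Sender and Received are the values
# the post reports; the From and Subject lines are assumed for illustration.
SAMPLE_HEADERS = """\
MIME-Version: 1.0
Received: by 10.224.184.75 with SMTP id cj11mr31753768qab.16.1341334634836; Tue, 03 Jul 2012 09:57:14 -0700 (PDT)
Sender: shazad.sahak02@gmail.com
From: PayPal <service@paypal.co.uk>
Reply-To: service@paymentverifications.com
Subject: Payment received - pending release

"""

# Assumed set of domains a genuine notification from this brand would use.
PAYPAL_DOMAINS = {"paypal.com", "paypal.co.uk"}


def domain_of(header_value):
    """Return the lowercase domain of an address header, or '' if absent."""
    _, addr = parseaddr(header_value or "")
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].lower()


def header_mismatches(raw_message, expected_domains):
    """Flag address headers that disagree with the From domain.

    Checks two things a recipient can verify without any infrastructure:
      1. the From domain is one the brand actually uses;
      2. Reply-To, Sender and Return-Path (when present) share the From domain,
         since a reply or bounce going elsewhere is the classic phishing tell.
    Returns a list of human-readable findings; an empty list means no mismatch.
    """
    msg = email.message_from_string(raw_message)
    from_dom = domain_of(msg.get("From"))
    findings = []
    if from_dom not in expected_domains:
        findings.append(
            f"From domain {from_dom!r} is not one of {sorted(expected_domains)}"
        )
    for header in ("Reply-To", "Sender", "Return-Path"):
        dom = domain_of(msg.get(header))
        if dom and dom != from_dom:
            findings.append(
                f"{header} domain {dom!r} differs from From domain {from_dom!r}"
            )
    return findings


if __name__ == "__main__":
    for finding in header_mismatches(SAMPLE_HEADERS, PAYPAL_DOMAINS):
        print("WARNING:", finding)
```

Run against the sample, it reports the Reply-To and Sender mismatches; a message whose Reply-To and Sender sit on the same domain as From produces no findings. This only catches the sloppy cases (like this one), so treat it as a first filter rather than proof of legitimacy.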

About the same time I get an email from Francis telling me he has sent me the money, and that I must send the laptop tomorrow for Next Day Delivery before 1PM, as it's going to his sister as a Birthday present. So I assume they don't want to be waiting all day to intercept the laptop.

So what would you do in this situation? Well, I am a nice guy, so I wrapped up the laptop as it's a Birthday present and sent it in the post!!

[Image: Package]

Well, at least that's what Francis thought, and that's what Shazad and his fake PayPal thought too. It took me a while, but I eventually managed to create a Royal Mail Special Delivery tracking number that showed up as valid on the Post Office tracking page :)

[Image: POReceipt]

Then I get an email from fake PayPal confirming I have sent a valid tracking number and I will get the funds in my account in 24 hours. Wooohooo.

Now during this time, just so it's clear, I have informed Gumtree, PayPal, London Met Police and the eCrime centre, so they can utilise the information I collect to possibly catch these guys in the act.

The next day at about 3PM I get another email from fake PayPal saying that my tracking number does not appear to be authentic. I also guess the laptop is now 2 hours late being delivered, so they are wondering if I sent it at all. Obviously I hadn't sent it, so how can I send them a picture of the receipt to confirm the tracking? I make one :D It takes about 45 mins and I send it off; fake PayPal are happy and confirm again that my money is on its way :)

So at this point I have a phone number, some email addresses and a drop-off address. I thought it would be handy to get hold of Francis's IP address, then I could find out his ISP and country to aid the Police further. So I decided to phish him myself :)

So I continued to exchange emails with him to build some rapport, and to get him interested in other things I might be selling. He is interested in the iPad I have for sale, and he wants to see pics and get more info. So eventually he visits the fake site I spun up and I get his user agent info from the Apache logs :) Sadly these guys are doing a bit to protect themselves; it looks like they are using anonymous proxies and routing traffic through a VPS in the US. Oh well, it was worth a shot.

This is really the high level story. I hope it brought a smile to your face; I know it did me, just for wasting 6 days of these guys' time overall, and I can only assume a wasted day hanging around in London waiting for the laptop to arrive. As far as I know they didn't get caught, but they didn't get my laptop, and I am still waiting for fake PayPal to send me my funds. I keep asking, but now they don't want to email me any more :)

So please take this blog post as a reminder that even people in the industry like us could fall prey to the scammers, but if we ID it early we can have a bit of a play. Of course, be careful what you do, as you don't know who these people are, or what resources they have available to them.




    About the Author

    Dale Pearson
    has worked in IT since 1998, Infosec since 2004, and studied and performed hypnosis, mentalism etc since 2009. Dale is a full time social engineer and qualified hypnotherapist. He spends a great deal of time researching the various skills and techniques that make up the art and science of Social Engineering.





    1. Haha, good work sir. I did something similar but I used BeEF to track them.

      Nice read.


    2. Jane

      You are one sneaky bastard – on our side thank god :-D


    3. Julie

      Loving it !


    4. Sean

      I was conned by the same guy today… £300 iPad sent to some Nigerian scammers. You want to know what the police said? "There's nothing you can do." Want to know what Royal Mail said when I asked for the package back? "It's against the law to remove a package after it's in our hands." I'm a student trying to make some money for a holiday and these scumbags have ruined that for me. I guess it's my own fault eh… =' (


    5. Dennis

      I am going through something similar. I'm selling an item on craigslist and researched scams so I'd be on the lookout. And sure enough I get this paypal upfront payment without wanting proof of the item quality. Too good to be true? It is. I took him up on his offer and got the "paypal" payment confirmation email from the same email address: service@paymentverifications

      It's an educational experience, and yeah, I was hoping to be able to trip them up into getting caught. But judging by this blog, their skills are beyond mine.
      Thanks for the info and good luck!


    6. Charles

      Yep, definitely not caught yet: they just tried almost exactly the same with me. They gave me the address of a takeaway in London to send to. I thought it was just some guy trying his luck, but your post makes it seem like they're actually more professional about it and probably won't get caught out. Shame.


    7. dan

      Hey,
      the same thing has just happened to my partner. It was quite funny: after reading this we picked apart her scam, and just because I can I'm going to name and shame her on here so people can keep an eye out for the name. It's KAREN CARTER. Hope this can help someone.


    8. James

      Hi, yes, Karen Carter Gates is who wanted to buy my iPhone 5. I got the exact same thing: they wanted me to give a tracking number to FAKE PayPal and then the funds would be in my account!! They never were.


