Slashdot Mirror


Scamming Spammer Hooks the Wrong Person

CrypticSpawn writes "Read on SecurityFocus, a 55 year old woman spammed an FBI computer crime agent. She got caught mailing off a credit card scam to AOL users." Her scam targeted AOL users with messages saying their credit cards were refused during the last billing cycle, and linked to a false billing center page which demanded private information.

20 of 408 comments

  1. Re:How gullible can people be? by YanceyAI · · Score: 2, Informative

    Actually, if you read the article, it says that they posed as AOL and said the card had been charged for a legitimate service, but the card was not accepted and they need to submit another card for processing. Seems to be a possible scenario for the average user who has online subscriptions that they normally pay online.

    --
    Can I bum a sig?
  2. Earthlink users are getting similar spam by Cujo · · Score: 3, Informative

    I've had about 2 e-mails a day of this ilk with respect to my Earthlink account for at least 3 months. A similar scam is in work with respect to Paypal. You don't need to be a total dunce to fall for this, either. Just naive and not savvy with raw e-mail source.

    --

    Helium balloons want to be free.

    1. Re:Earthlink users are getting similar spam by Guppy06 · · Score: 2, Informative

      "I've had about 2 e-mails a day of this ilk with respect to my Earthlink account for at least 3 months."

      You know, there's a real easy way to stop that...

      Seriously, I find that challenge-response e-mail does to spam what Moz does to pop-ups.

  3. Re:How gullible can people be? by YanceyAI · · Score: 1, Informative
    I did say "average" user.

    :)

    --
    Can I bum a sig?
  4. See for your selves by littleRedFriend · · Score: 5, Informative

    AOL Billing center sample page.

    --
    IANAL, but imagine a beowulf cluster of in Soviet Russia all your belong are base to us welcoming the new SCO overlords.
  5. There are so many... by MisanthropicProggram · · Score: 5, Informative
    Let's see:

    I once received an email with a link that said that I needed to "update" my eBay account with a new: credit card #, my SSN, DOB. The funny thing is I never had an eBay account - ever.

    I was at a hotel in Houston one time and I wanted to use my calling card to call home. After following the directions listed on the phone a few times, I was redirected to some telco that I've never heard of, and someone came on the phone, asked for the number I was calling and my calling card number. He then asked for my PIN. I said no way. He then told me that he couldn't make the call. I hung up.
    Later, at the airport, my card worked perfectly. I wish I got the name of the telco that was blocking access to my long distance company so I could have filed some sort of complaint with the FTC.
    Is it common practice for hotels to block access to your long distance provider so that you have to use their company for help that they charge you for?

    I've gotten so paranoid, I've repeatedly hung up on legitimate calls. It's unfortunate, but this shit is hurting legitimate businesses and making it harder for us consumers to know if we're being taken or not.

    --

    There is no spoon or sig.

  6. Social Engineering by Detritus · · Score: 2, Informative
    Don't be so sure that you would never fall for such an obvious scam.

    I received an email that was purportedly from Citibank, saying that I had received a money transfer. It was slick. The scammer had gone to a great deal of trouble to make it look like a real email from Citibank. The associated web site also looked real.

    What tipped me off? The email asked for too much information, the scammer was being greedy. Examining the HTML source of the email revealed that the web site was in the wrong domain for Citibank.

    --
    Mea navis aericumbens anguillis abundat
    1. Re:Social Engineering by Detritus · · Score: 2, Informative
      According to Alex Salkever in BusinessWeek Online:
      A QUESTION OF JUDGMENT. In a study conducted earlier this year by MailFrontier, 40% of people who read a fraudulent Citibank e-mail were fooled into thinking it was real. "What we found is that the fraudsters have gotten smarter over time. It's very similar to spammers," says Budman.
      --
      Mea navis aericumbens anguillis abundat
    2. Re:Social Engineering by techt · · Score: 5, Informative

      No. The ones I've seen use this:
      http://www.myrealbankname.com:whatever@realIPaddressindotlessformat/

      The "www.myrealbankname.com:whatever" before the @ is not a URL, but a value sent to the real site which is denoted by the "realIPaddressindotlessformat".

      For example, cut and paste this into your browser:

      http://www.kuro5hin.org:section@1109654166/

      The above URL doesn't take you to Kuro5hin, it takes you to the Slashdot main page.

    3. Re:Social Engineering by marnanel · · Score: 3, Informative

      Opera warns you every time you try to access a site with a username in the URL - does Mozilla do this too?

      No, it doesn't yet. I agree-- it should. Mozilla bug 122445 tracks this issue. I suggest voting for it.

      (Copy and paste
      http://bugzilla.mozilla.org/show_bug.cgi?id=122445
      into your browser to go there; Bugzilla doesn't allow links straight from slashdot.)

      --
      GROGGS: alive and well and living in
    4. Re:Social Engineering by badzilla · · Score: 2, Informative

      If you're bad at math and need a quick way to turn a numeric URL into a DNS-named one there is a handy tool ("decipher") at www.samspade.org

      --
      "Don't belong. Never join. Think for yourself. Peace." V.Stone, Microsoft Corporation
  7. it gets better by monkeySauce · · Score: 5, Informative

    The 22 year old guy she was working with thought he was breaking the law with a 20-something hottie instead of this 55 year old overweight felon from Akron. He must feel pretty stupid about now.
    this story has more detail

  8. Re:Here is more info on her by monkeySauce · · Score: 2, Informative

    She appeared in federal court in Virginia but she is from Akron, Ohio so you're linking to someone else's contact info.

  9. Comment removed by account_deleted · · Score: 2, Informative

    Comment removed based on user account deletion

  10. Re:maximum of five years? by anubi · · Score: 2, Informative
    A "joe-job" is what it's called when a spammer encodes someone's (the 'joe') address who the spammer would like to cause immense harm to in the 'reply-to' field of his spam message.

    Millions of spam go out, and the named joe gets hit with all the ire and bounced-mail replies. His ISP usually becomes quite upset with him as well, and he's left trying to explain to everyone that he doesn't even know what the hell is going on.

    It's a really neat way of framing somebody on the internet - making it appear to all the outside world that 'joe' did it, when in reality joe was completely uninvolved.

    --
    "Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]

  11. *bzzzzt* by devphil · · Score: 4, Informative


    I hear you on the FBI thing. But consider: somewhere a just-not-worth-the-taxpayer's-money line has to be drawn. The FBI is seriously understaffed. (Go figure. The technologically astute are too proud to work for a measly $35K FBI salary, investigating tech crimes. Nooooo, gotta be making glamourous six-digit salaries on high-visibility programming projects.) But anyhow, the reason I'm posting is...

    It's like the local cops who don't give a shit if your laptop, your radio, etc were stolen and hundreds of dollars in damage done to your car. But, mind you, they've got all day to sit out on 'speed patrol'...

    Unless you live in Andy Griffith Town, the officers who sit on speed trap duty are not the same ones who investigate theft. Different division, different rules, different salaries, therefore a different allocation of officers/resources/time/budget.

    A traffic cop "sitting all day" on watch costs less than an investigating agent spending even half a day looking for stolen laptops chock full o' pr0n. It's harder to hire investigative officers and detectives, it's more expensive to train them and pay them.

    --
    You cannot apply a technological solution to a sociological problem. (Edwards' Law)
  12. Re:Let em guess she was American ? by lizrd · · Score: 2, Informative
    @ is a valid character in any url. Anything preceding the @ sign is considered as a username and the part following the @ sign is the url that it will be used for. The actual useful application for this is in ftp:// urls. For example, you might use a url like ftp://warez:mp3@riaa.org/metallical.mp3 to download Metallica mp3z from the riaa. In the example above warez would be used for the username and mp3 for the password. Since the vast majority of http:// type urls don't require a username and password, it just gets thrown away by your browser since it wasn't needed. It's a very common tactic in spam e-mails.

    Now you know that. I know that, but most people don't and it would still be pretty easy to convince someone to visit The Linux kernel website (I think that /. may have sanitized the misleading link, it should read http://www.kernel.org@3632843893/ copy and paste it yourself to find out) and find themselves at freebsd.org instead. It all comes back to the first rule of Spam, "Spammers Lie.", when in doubt, see rule 1.

    --
    I don't want free as in beer. I just want free beer.
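
Added example, not part of any comment in this thread: a link check for the trick techt and lizrd describe above, where a familiar name sits in the userinfo part before the `@` and the real host is an IP address written as one integer. It uses only the Python standard library; the function names and the `www.example.com` control URL are made up for illustration, and the two sample links are the ones quoted in the comments.

```python
import ipaddress
from urllib.parse import urlsplit


def decode_numeric_host(host):
    """Return dotted-quad form if host is one decimal or 0x-hex integer, else None."""
    try:
        if host.isdigit():
            value = int(host, 10)
        elif host.lower().startswith("0x"):
            value = int(host, 16)
        else:
            return None
        # Raises AddressValueError (a ValueError) when outside the IPv4 range.
        return str(ipaddress.IPv4Address(value))
    except ValueError:
        return None


def inspect_link(url):
    """Report what the reader is shown versus where the link connects."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    decoded = decode_numeric_host(host)
    findings = []
    if parts.username is not None:
        findings.append("userinfo")
        if "." in parts.username:
            # Text before the @ is dressed up to look like a site name.
            findings.append("userinfo-looks-like-host")
    if decoded is not None:
        findings.append("dotless-ip")
    return {
        "decoy": parts.username,         # what the eye reads first
        "connects_to": decoded or host,  # where the request really goes
        "findings": findings,
    }


if __name__ == "__main__":
    samples = [
        "http://www.kuro5hin.org:section@1109654166/",  # from techt's comment
        "http://www.kernel.org@3632843893/",            # from lizrd's comment
        "http://www.example.com/billing",               # constructed control
    ]
    for link in samples:
        print(link, "->", inspect_link(link))
```

A mail filter or a proxy log review can treat `userinfo` together with `dotless-ip` on an `http://` link as a strong phishing signal, since legitimate billing mail has no reason to combine them.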
  13. Re:wouldn't work for long by Anonymous Coward · · Score: 1, Informative
    I learned at Mervyn's that major credit card companies tend to eat the cost of the fraud.

    Not true. Merchants who accept bad cards tend to eat the cost of fraud. Credit card companies will charge anything where the billing address matches, but even if you're overly anal and you get a chargeback, odds are good that you the merchant are eating that fraud.

  14. innumerable people fall for it by dioscaido · · Score: 2, Informative

    I once received one of those pay pal credit card scam SPAMs, and snooped around the server which hosted the credit card acceptor script. The script wasn't an index.* file, and directory listing was enabled, so I was able to see all the files on the account. There were only two, the script and the resulting credit card database.

    There were easily 1,000 credit cards with full name and addresses and even social security #. Do not underestimate how gullible people on the internet can be.

    I reported the site to the host, and not surprisingly it took about a week to get the thing offline.

  15. Re:conversation with my credit card company by Skuld-Chan · · Score: 2, Informative

    Do you realize that the person you talked to is probably a wage slave working in an outsourcing company you may have never heard of in a country you've never been to? In most cases the agent you talked to probably had no way of actually communicating that request with the actual company they represent.

    I work in such a company - while I don't work on a financial contract there are several in the office I'm in for banks every one of you has heard of.

    In many countries they don't have as many privacy laws as the US does. Also some call centers are operated out of prisons (search google for twa and prison sometime). Definitely something to think about before your company outsources ehh? Think about the potential for abuse. I'm an honest person - but I know for a fact I could collect well over 32-50 valid email addresses/credit cards and phone numbers per day if I wasn't.