Slashdot Mirror


Scamming Spammer Hooks the Wrong Person

CrypticSpawn writes "Read on SecurityFocus, a 55 year old woman spammed an FBI computer crime agent. She got caught mailing off a credit card scam to AOL users." Her scam targeted AOL users with messages saying their credit cards were refused during the last billing cycle, and linked to a false billing center page which demanded private information.


  1. How gullable can people be? by Quasar1999 · · Score: 4, Interesting

    Really... We have just charged your credit card for 19.95... if you want to cancel the transaction, enter your card number, full name, and expiry date below...

    With the same logic, phone someone up, and tell them that if they don't want to be 0wN3d, they should disable their firewall, and tell you their IP address...

    The darwin award exists for those who kill themselves in stupid ways... we need to invent an award for idiots that fall for obvious scams like this.

    --

    ---
    Programming is like sex... Make one mistake and support it the rest of your life.
    1. Re:How gullable can people be? by YanceyAI · · Score: 2, Informative

      Actually, if you read the article, it says that they posed as AOL and said the card had been charged for a legitimate service, but the card was not accepted and they need to submit another card for processing. Seems to be a possible scenario for the average user who has online subscriptions that they normally pay online.

      --
      Can I bum a sig?
    2. Re:How gullable can people be? by skinfitz · · Score: 4, Funny

      The darwin award exists for those who kill themselves in stupid ways... we need to invent an award for idiots that fall for obvious scams like this.

      There is - it's called "Manager".

    3. Re:How gullable can people be? by Quasar1999 · · Score: 2, Insightful

      I was thinking of a different scam I ran across... This one is still pretty transparent though, considering that AOL (and every other ISP I know) clearly state time and time again that they will never ask you for your password, credit card info, hell, even your name in an email.

      --

      ---
      Programming is like sex... Make one mistake and support it the rest of your life.
    4. Re:How gullable can people be? by YanceyAI · · Score: 1, Informative
      I did say "average" user.

      :)

      --
      Can I bum a sig?
    5. Re:How gullable can people be? by Qzukk · · Score: 1, Interesting

      Amusingly enough my boss's wife (an OB doctor) got an email saying that her credit card was charged to cover up her child pornography web site and asked for a credit card number and expiration date. Given that her clinic's website doesn't have any child porn (not even the stupid "baby in the bathtub" kind that only scaremongers and D.A.s call child porn - every baby picture on the site was fully clothed), and the fact that it was asking for her CC# even though it claimed she was already charged, she showed it to me for laughs then deleted it.

      --
      If I have been able to see further than others, it is because I bought a pair of binoculars.
    6. Re:How gullable can people be? by Anonymous Coward · · Score: 3, Insightful

      Part of the problem is that the people who DO know about the workings of these sorts of things don't educate others on the matter.

      Think about it, how many /.ers are frustrated with friends and family not understanding why they should patch regularly? Now, think of how many /.ers are completely ineffective at presenting a simple argument on an anonymous message board.

      The fact of the matter is, most of us geeks just aren't good communicators and teachers when it comes to people outside of the community. We assume that the person we're educating has a modicum of understanding from the get go. What we need are more geeks who can communicate and teach effectively to the entire populace and help get the word out about such things.

      Hell, if /. managed a series of funny and educational public service announcements, I'd be in seventh heaven.

    7. Re:How gullable can people be? by saden1 · · Score: 1

      Grandma has to pay her medical bills somehow you know. I knew the older folks were desperate but not this desperate. I must say though I'm impressed by how sophisticated grandma and grandpa have become.

      --

      -----
      One is born into aristocracy, but mediocrity can only be achieved through hard work.
    8. Re:How gullable can people be? by silentbozo · · Score: 2, Interesting

      Grandma nothing. This woman is a professional scam artist and thief. Phishing is just a new way for her to scam targets en masse. I'll bet you she was kiting checks long before most of us were born...

    9. Re:How gullable can people be? by baywulf · · Score: 1

      These criminals go to great lengths to trick people using cleverly parsed URLs, links back to the original website, etc. They also will have a plausible reason for entering the information. In one case, it was for ebay which I haven't used in a year. The email said that I haven't used the account in more than a year and they wanted to reregister and confirm my information. I almost bought it hook line and sinker until I realized that they asked for a lot of personal information such as bank account and credit card number details all at once. I think this is where these guys get discovered... they get too greedy in trying to get your personal information and blow their cover.

    10. Re:How gullable can people be? by kfg · · Score: 2, Funny

      Oh yeah? Well you,. . . ummmmmmmmmm, what I mean to say is. . .

      NAZI!!!!!

      Yeah, I think that's it.

      Oh, wait. I can't talk now, there's an important message on the TV just for me and they're waving something shiny that goes "Ping!" It's not even $100, just 79 payments of $19.95.

      Wow! I can afford $19.95

      Gotta go.

      KFG

    11. Re:How gullable can people be? by Anonymous Coward · · Score: 1, Insightful

      Well, the churches are filled with millions of gullible people...

    12. Re:How gullable can people be? by DrDebug · · Score: 1

      The problem with your premise is that the people KNOW the difference between someone spouting crap and someone who knows what they are talking about. While /. generally has a lower noise to signal ratio, there are still those out there that don't know the difference.

      Gullible? Yeah, everyone is, at least once.

      Isn't that why these 'phishers' exist?

    13. Re:How gullable can people be? by HungWeiLo · · Score: 2, Interesting

      Actually, what many people don't know is that many businesses don't actually check the expiration date. I've worked with banks before and have discovered that a number of them do not validate the expiration date on credit cards. Blame the incompetent IT monkeys who slinged that code together.

      --
      There are a huge number of yeast infections in this county. Probably because we're downriver from the bread factory.
    14. Re:How gullable can people be? by cmacb · · Score: 1

      "The darwin award exists for those who kill themselves in stupid ways... we need to invent an award for idiots that fall for obvious scams like this."

      Funny you should say that, my first reaction to this was that we should invent some new punishments for these scum-bags that at minimum involves removal of their reproductive organs.

      Both the victims and the perpetrators of such crimes would seem to be a threat to our species.

    15. Re:How gullable can people be? by GlassUser · · Score: 1

      I used to try. I got tired of hearing excuses like "that only happens in the movies", "I can always dispute the charges", and "Norton will protect me".

    16. Re:How gullable can people be? by NanoGator · · Score: 1

      "The fact of the matter is, most of us geeks just aren't good communicators and teachers when it comes to people outside of the community. We assume that the person we're educating has a modicum of understanding from the get go."

      That lack of understanding comes from lack of interest in understanding it. Computers are not exciting toys for everybody. In some ways, they are downright abstract. It's sort of like how you feel when your girlfriend babbles about Big Brother.

      --
      "Derp de derp."
    17. Re:How gullable can people be? by the+unbeliever · · Score: 1
      Blame the incompetent IT monkeys who slinged that code together.


      Er, no. Blame the incompetent credit card companies who don't make it mandatory to validate expiration dates in a transaction.

    18. Re:How gullable can people be? by halr9000 · · Score: 1

      I just got a phone call three days ago from a scammer pretending to be my credit card company. He said we were 6 days late on our bill, "just give me your checking account number and I'll take care of things".

      What kind of retard do you think I am? But I bet people fall for it...

    19. Re:How gullable can people be? by instarx · · Score: 1

      All you slashdotters who scream "Darwin Award" whenever someone gets scammed have to remember that you have the advantage in knowing that it was a scam. Seems obvious to you because it IS obvious to you - you were told.

      Professional scammers are often extremely smart, would make good psychologists, appear very honest and trustworthy, and are very, very good at separating people and their money. Scammers will do things like record office noise to play in the background to make their call sound like it is coming from an official call-center. They don't say "Hey, yuk,yuk will you give me your heh,heh credit card number? I'm from uh...oh yeah...the credit card company".

    20. Re:How gullable can people be? by rootyard · · Score: 1
      "The darwin award exists for those who kill themselves in stupid ways... we need to invent an award for idiots that fall for obvious scams like this."

      It is entirely the fault of the person who was scammed and not the person who sent the email. The spammer is just exercising his/her rights to part money from the foolish. When is western society going to start seeing things correctly? Someone or some repository should be commissioned to annually award a "Darwin" award to people who act stupidly. The scammer should be glorified. What the hell is the matter with everyone? Is it only Quasar1999 and myself who see things as they are?

  2. Spammers and law enforcement by ergo98 · · Score: 4, Insightful

    I suspect that a vast majority of spams hit a large number of law enforcement inboxes - it isn't like spammers are selectively making hand-crafted to lists. Of the spams I get (of which there has been a marked increase in the past month), a good percentage are illegal or gray-legal pennystock pump and dumps, PayPal imitators attempting to get your information, or our good Nigerian friends looking for some assistance in rescuing their money.

    1. Re:Spammers and law enforcement by Detritus · · Score: 1

      When I had a .gov email address, I almost never received spam, and it wasn't because my email address wasn't available to the spammers, or that the mail server was filtering out spam. I suspect that even the stupider spammers realize that spamming .gov domains is a bad idea.

      --
      Mea navis aericumbens anguillis abundat
    2. Re:Spammers and law enforcement by Anonymous Coward · · Score: 1

      And the only way that anything ever gets done about it is when an FBI agent gets spammed. Suddenly they take a personal interest. Nevermind the crap that millions of us have been putting up with for years.

      Can you imagine calling up your local FBI office with a spam complaint? "Hi, I received a spam phishing for my credit card number. It's the tenth one over the past year, so it's obviously an ongoing and successful operation. Would you please check it out?"

      Ha! They wouldn't give you or me the time of day.

      How about "Hi, my DNS servers, along with thousands of others, are being used by the perpetrator of a large scale DDOS attack against 66.98.152.55 and a few other IPs in ev1.net space. It's been going on for months now. Would you please identify the perpetrator and prosecute them?"

      Yeah, right. The only way they'd take any interest whatsoever would be if THEIR DNS servers were being abused.

    3. Re:Spammers and law enforcement by lgftsa · · Score: 1

      .gov.au does not enjoy a similar reduction of spam. I'm happy to say that our users get a many and varied selection of crap every day.

  3. FBI uses AOL by vspazv · · Score: 5, Funny

    I can't be the only one that finds it disturbing that the FBI uses AOL.

    1. Re:FBI uses AOL by yintercept · · Score: 5, Funny
      I can't be the only one that finds it disturbing that the FBI uses AOL.
      You mean you missed the Time/AOL/FBI merger?
    2. Re:FBI uses AOL by seriv · · Score: 3, Funny

      I am surprised the FBI is able to function in the computer world at all. Their internal search was really bad for so long, and the fact that an FBI agent uses AOL comes as no surprise.
      -Seriv

    3. Re:FBI uses AOL by emilng · · Score: 1

      The first line of the article:
      An Ohio woman whose credit card fraud schemes began to unravel when she unwittingly spammed an off-duty FBI computer crime agent pleaded guilty to a federal conspiracy charge Tuesday, and potentially faces years in prison.

      off-duty FBI computer crime agent

    4. Re:FBI uses AOL by MosesJones · · Score: 4, Funny

      They've given up on that name...

      Now they are going for

      "Investigation Time for America"

      --
      An Eye for an Eye will make the whole world blind - Gandhi
    5. Re:FBI uses AOL by Daniel+Dvorkin · · Score: 4, Funny

      "You've got a subpoena!"

      --
      The correlation between ignorance of statistics and using "correlation is not causation" as an argument is close to 1.
    6. Re:FBI uses AOL by InfiniteWisdom · · Score: 1

      RTFA... oh wait this is Slashdot. My bad. But... ...when she unwittingly spammed an off-duty FBI computer crime agent...

      The FBI probably doesn't use AOL. At least no reason to infer that they do from THIS article.

    7. Re:FBI uses AOL by TRS80NT · · Score: 1

      Hey, give him a break. Maybe there's only dialup in his neighborhood and he happens to use AOL. He clocks out, and like the rest of us: some email, check the scores, a little pr0n, a little Slashdot...

      --
      Lorem ipsum dolor sit amet.
    8. Re:FBI uses AOL by menscher · · Score: 1
      I can't be the only one that finds it disturbing that the FBI uses AOL.

      What I found more disturbing was that they don't have any clue about computers whatsoever. I interacted with them once to report progress on tracking an intruder, and to request help. They didn't understand anything I was telling them, since I was using advanced words like "DoS", "packet sniffer", etc. They asked me to mail them my logs... as in print them out and send them by post. They said they didn't have the ability to receive email.

      Needless to say, I didn't bother. It was much more productive (and enjoyable!) to track the intruder myself, and make him suffer. ;)

    9. Re:FBI uses AOL by Anonymous Coward · · Score: 1, Funny

      Yeah, you seem pretty typical. High UID, nothing of value in the history. You're not a fan of the guvment, are ya? Not that the UID says much on its own, but damn if some of the stupidest crap on this site isn't posted by the Over 600s, to say nothing of the 700s.

      Anyway, FBI agents are people too. As much as your dystopian fashionable hatred will not allow you to believe. They have family, the two story in some gentrified slice of suburbia, the works. Families like AOL.

      In summary, go to hell.

    10. Re:FBI uses AOL by david@ecsd.com · · Score: 1

      I don't use AOL, and I got (probably) the exact same e-mail. Curious, I followed the link and checked out what they wanted. If a person was naive (yes, there are plenty of naive people out there), then they'd fill out the secure form and the scammer would have their number; so my bet is we have an idiot scammer on our hands sending out their spam to non user@aol.com addresses rather than an idiot FBI special agent who's checking his personal e-mail while "on the clock."

      Besides, L337 internet users bitching about the stupid aolers is passe.

    11. Re:FBI uses AOL by tds67 · · Score: 1
      You mean you missed the Time/AOL/FBI merger?

      What? Oh great, I bet there's going to be listening devices in all those AOL CDs that I get in the mail from now on...

    12. Re:FBI uses AOL by Guppy06 · · Score: 1

      "I can't be the only one that finds it disturbing that the FBI uses AOL."

      How else are they going to catch pedophiles?

    13. Re:FBI uses AOL by Paradise+Pete · · Score: 1
      I too find it distrubing that FBI employees AOL using agents

      Man, that is one crappy sentence. Distrubing, even.

    14. Re:FBI uses AOL by hankaholic · · Score: 1

      Rumor has it that a few years ago when they were constructing a new FBI building in Pittsburgh, one of the FBI bigwigs wanted to look into getting every computer in the building access through cable modems.

      That's right, not shared access from behind a firewall which was connected through a cable modem, but he wanted to have one per system.

      I say that this is a rumor because I heard it from an older gentleman who worked for the FBI (a big ham radio fan, as well) over lunch when he and my then-employer were swapping stories of cluelessness, and I'm not sure how close to implementing this setup they actually were. It's amusing nonetheless.

      --
      Somebody get that guy an ambulance!
    15. Re:FBI uses AOL by jaysones · · Score: 2, Funny
      You mean you missed the Time/AOL/FBI merger?
      Yeah, it takes forever to convict and if you ever do get convicted, they kick you out after a few minutes.
    16. Re:FBI uses AOL by Schemat1c · · Score: 1
      Rumor has it that a few years ago when they were constructing a new FBI building in Pittsburgh, one of the FBI bigwigs wanted to look into getting every computer in the building access through cable modems.

      Maybe it was to make the agents appear as regular users when undercover. Plus by having regular ISP accounts they would be the recipients of some of the email scams and be more aware of them.

      --

      "Nobody knows the age of the human race, but everybody agrees that it is old enough to know better." - Unknown
    17. Re:FBI uses AOL by Random832 · · Score: 1

      High UID, nothing of value in the history.

      one possible translation: Long-time reader, recent poster.

      --
      We've secretly replaced Slashdot with new Folgers Crystals - let's see if it notices.
    18. Re:FBI uses AOL by Knetzar · · Score: 1

      I'm just amused that this person posted as an AC...and as far as we know has no number yet.

    19. Re:FBI uses AOL by YOU+ARE+SO+SUED! · · Score: 1
      Yeah, you seem pretty typical. High UID, nothing of value in the history. You're not a fan of the guvment, are ya? Not that the UID says much on its own, but damn if some of the stupidest crap on this site isn't posted by the Over 600s, to say nothing of the 700s.

      And your UID?! Nothing, you're posting anon. Yep. pretty typical indeed. Anonymous Coward, nothing of value in the scrotal department. Not that you can generalise about AC's, but damn if some of the stupidest crap on this site isn't posted by the AC's.

      At least the logged in trolls have the balls.

    20. Re:FBI uses AOL by hankaholic · · Score: 1

      No, this wasn't for a computer-crime division, or anything meant for the technically savvy. It was intended for normal users -- think secretaries and PHBs, not kiddie-porn and online scam hunters.

      --
      Somebody get that guy an ambulance!
  4. bigger catch than just that by ethelred · · Score: 5, Insightful

    An electronic trail of stolen AOL accounts and free Web pages led agents to raid the homes of a professional spammer and a credit card thief, both of whom snitched on Carr, naming her as the ringleader of the operation

    She isn't the only one going down. But, sadly, there are still many more to go...

    --

    Remember: If you buy anything from spammers, you have a small penis.
    1. Re:bigger catch than just that by nutsy · · Score: 2, Insightful

      a professional spammer and a credit card thief, both of whom snitched on Carr

      Of course, this goes to show that there is no honour among spammers, either.

  5. Phish by apraetor · · Score: 2, Funny

    Uh oh, looks like Phish has made the headlines AGAIN. Ah well.

    --matt

  6. People aren't what you'd expect by Rosco+P.+Coltrane · · Score: 3, Insightful

    a 55 year old woman spammed an FBI computer crime agent. She got caught mailing off a credit card scam to AOL users.

    What this story teaches us:

    - Little middle-aged (well, quite ripe already) ladies are not to be trusted

    - AOL users are idiots, since they are prime targets of even little middle-aged lady spamsters

    - FBI agents too open AOL accounts, which is worrying in a sense

    --
    "A door is what a dog is perpetually on the wrong side of" - Ogden Nash
    1. Re:People aren't what you'd expect by d-man · · Score: 1

      FBI agents too open AOL accounts, which is worrying in a sense

      I would imagine that FBI agents have AOL accounts to track people who are attempting to commit computer crimes, since AOL is probably a very target-rich environment.

      --
      Unix: Where /sbin/init is still Job 1.
    2. Re:People aren't what you'd expect by Nykon · · Score: 1

      Yes but keep in mind, just because the agent may be computer savvy, does not mean his family is. Government workers don't always make as much as us tech-weenies, so chances are he probably uses whatever is the best for his whole family.

      --
      "It's better to be a pirate than join the Navy"
    3. Re:People aren't what you'd expect by sweetooth · · Score: 1

      Makes sense except for one thing. The article clearly states this agent was OFF-DUTY! Implying of course that this was the agent's personal method of Internet access.

    4. Re:People aren't what you'd expect by MegaManInferno · · Score: 1

      Jeez, why do you keep saying the agent was off duty?
      It doesn't matter if the agent was off duty, this lady was committing credit card fraud, which is against the law.

    5. Re:People aren't what you'd expect by sweetooth · · Score: 1

      No, it doesn't matter if the agent was on or off duty in the context you are talking about; however, that's not what the parent poster was talking about. The parent poster is saying that he bets the FBI uses AOL accounts to catch people committing these types of crimes. Which may or may not be the case. What I was pointing out is that in this case the only reason the FBI is involved is because an Agent received the spam. The article specifically mentions that the agent was off-duty. This implies that it was the agent's personal account. So, even if the FBI does use AOL accounts internally for the sole purpose of catching spam, that doesn't apply to this instance, nor is your comment relevant to my reply. We were talking about if the FBI uses AOL to catch scammers, not whether the person was committing a crime.

  7. No wonder! by l3prador · · Score: 4, Funny

    No wonder I get so many email offers for Viagra and low-cost prescription drugs!

    1. Re:No wonder! by The+Fink · · Score: 1

      Or larger breasts for that matter...

  8. Re:Let em guess she was American ? by Rosco+P.+Coltrane · · Score: 2, Insightful

    No, she was smart, she sent her scam mails to AOL users, who are notoriously credulous computer idiots. She didn't send it to postmaster@homelandsecurity.gov. She was just unlucky that an FBI agent was on AOL too.

    --
    "A door is what a dog is perpetually on the wrong side of" - Ogden Nash
  9. Earthlink users are getting similar spam by Cujo · · Score: 3, Informative

    I've had about 2 e-mails a day of this ilk with respect to my Earthlink account for at least 3 months. A similar scam is in work with respect to Paypal. You don't need to be a total dunce to fall for this, either. Just naive and not savvy with raw e-mail source.

    --

    Helium balloons want to be free.

    1. Re:Earthlink users are getting similar spam by ceejayoz · · Score: 1

      Most of the large web communities are - they're easy targets.

      eBay gets 'em a lot, I've seen some exceedingly slick ones.

    2. Re:Earthlink users are getting similar spam by Licinius · · Score: 2
      That's nothing compared to what I get. Some person using a Road Runner account has been sending me, on average, 7000-9000 (yes, thousand) e-mails per week containing a virus/trojan or the like. I've contacted the RR abuse department twice already and they haven't done anything about it (and I gave them time, it's been about 2 months since I first contacted them). It makes me doubt that they'll do anything at all.


      Does anyone know how I could block this guy from sending me e-mails? Not just in the e-mail client, but at the server level (or whatever) so I don't have to download all of his crap. Anyone at all? Please help.

      --
      My other SIG is a 9mm.
    3. Re:Earthlink users are getting similar spam by EvanED · · Score: 1

      How 'bout set up a filter that will automatically send all of these to the abuse department of both RR and the original source (if the headers aren't too forged)?

    4. Re:Earthlink users are getting similar spam by Guppy06 · · Score: 2, Informative

      "I've had about 2 e-mails a day of this ilk with respect to my Earthlink account for at least 3 months."

      You know, there's a real easy way to stop that...

      Seriously, I find that challenge-response e-mail does to spam what Moz does to pop-ups.

    5. Re:Earthlink users are getting similar spam by crucini · · Score: 1

      First, how do you know the sender is "using a Road Runner account"? Are you going off the From: header? That's usually forged. Look at the Received headers, and see if the last server before yours is constant. If so, you have an easy criterion for blocking.

      Second, you didn't specify how you're getting your mail. Do you run your own mail server? If so, add an ipchains/iptables rule to block the offending IP. If you're getting your mail via POP/IMAP from someone else's server, I don't see how you can do server-side blocking.
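The Received-header check described in the comment above, sketched as an added example (not part of the original thread or any poster's code): it reads only the topmost Received line stamped by your own server, ignores From and any lower Received lines the sender could have inserted, and reports a handoff IP that stays constant across messages. The host name mx.example.net, the function names and the sample messages are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict
from email import message_from_string
from email.utils import parseaddr

# Assumption: the name your own mail server writes in the "by" clause.
MY_MX = "mx.example.net"

# Constructed sample messages (documentation IP ranges, made-up host names).
SAMPLES = [
    # 1: handed to our server by 192.0.2.45
    "Received: from cpe-45.isp.example (cpe-45.isp.example [192.0.2.45])\n"
    "\tby mx.example.net with ESMTP id A1; Mon, 1 Dec 2003 10:00:00 -0500\n"
    "From: billing@aol.example\nSubject: update your card\n\nbody\n",
    # 2: same handoff IP, different From, plus a Received line added by the sender
    "Received: from mail.bank.example (cpe-45.isp.example [192.0.2.45])\n"
    "\tby mx.example.net with ESMTP id A2; Mon, 1 Dec 2003 10:05:00 -0500\n"
    "Received: from trusted.bank.example ([203.0.113.9])\n"
    "\tby mail.bank.example with SMTP; Mon, 1 Dec 2003 09:59:00 -0500\n"
    "From: security@bank.example\nSubject: verify account\n\nbody\n",
    # 3: same handoff IP again, third From identity
    "Received: from localhost (cpe-45.isp.example [192.0.2.45])\n"
    "\tby mx.example.net with SMTP id A3; Mon, 1 Dec 2003 10:09:00 -0500\n"
    "From: support@isp.example\nSubject: your invoice\n\nbody\n",
    # 4: unrelated mail from a different relay
    "Received: from lists.example.org (lists.example.org [198.51.100.7])\n"
    "\tby mx.example.net with ESMTP id A4; Mon, 1 Dec 2003 11:00:00 -0500\n"
    "From: announce@lists.example.org\nSubject: digest\n\nbody\n",
]


def handoff_ip(raw_message, my_mx=MY_MX):
    """Return the IP that connected to our server, or None if not found.

    Only the topmost Received header whose "by" host is our own server is
    used: our MTA wrote it, so the bracketed address is what it observed.
    Everything below that header was supplied by the sending side.
    """
    msg = message_from_string(raw_message)
    for value in msg.get_all("Received", []):
        flat = " ".join(value.split())          # undo header folding
        by = re.search(r"\bby\s+(\S+)", flat)
        if by is None or by.group(1).lower() != my_mx:
            continue
        # Look for the bracketed address in the "from" clause only.
        found = re.search(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]", flat[:by.start()])
        if found is None:
            return None
        try:
            return str(ipaddress.ip_address(found.group(1)))
        except ValueError:
            return None
    return None


def summarize(messages, my_mx=MY_MX):
    """Group messages by handoff IP and collect the From addresses seen."""
    seen = defaultdict(lambda: {"count": 0, "from_addrs": set()})
    for raw in messages:
        ip = handoff_ip(raw, my_mx)
        if ip is None:
            continue
        addr = parseaddr(message_from_string(raw).get("From", ""))[1].lower()
        seen[ip]["count"] += 1
        seen[ip]["from_addrs"].add(addr)
    return dict(seen)


def block_candidates(messages, min_share=0.5, my_mx=MY_MX):
    """IPs that delivered at least min_share of the analysed messages."""
    stats = summarize(messages, my_mx)
    total = sum(s["count"] for s in stats.values())
    if total == 0:
        return []
    return sorted(ip for ip, s in stats.items()
                  if s["count"] / total >= min_share)


if __name__ == "__main__":
    for ip, s in summarize(SAMPLES).items():
        print(ip, s["count"], sorted(s["from_addrs"]))
    print("constant handoff IPs:", block_candidates(SAMPLES))
```

Run it over a folder of the unwanted messages saved with full headers; a single IP paired with many unrelated From addresses confirms the From lines are forged and gives the server operator the address to filter on.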

    6. Re:Earthlink users are getting similar spam by Licinius · · Score: 1
      RR apparently monitors attachments for known virus/trojan/junk files and takes them out if one is found. Here's the text they put into each of the messages:

      ALERT!

      This e-mail, in its original form, contained one or more attached files that were infected with a virus, worm, or other type of security threat. This e-mail was sent from a Road Runner IP address. As part of our continuing initiative to stop the spread of malicious viruses, Road Runner scans all outbound e-mail attachments. If a virus, worm, or other security threat is found, Road Runner cleans or deletes the infected attachments as necessary, but continues to send the original message content to the recipient. Further information on this initiative can be found at http://help.rr.com/faqs/e_mgsp.html.
      Please be advised that Road Runner does not contact the original sender of the e-mail as part of the scanning process. Road Runner recommends that if the sender is known to you, you contact them directly and advise them of their issue. If you do not know the sender, we advise you to forward this message in its entirety (including full headers) to the Road Runner Abuse Department, at abuse@rr.com.


      They said it was coming from a RR IP address, so I'm fairly certain.

      Unfortunately, I'm not running my own mail server, I'm using a POP3 account, so I can't block like that myself. Is there any other way I could block a certain address?
      --
      My other SIG is a 9mm.
    7. Re:Earthlink users are getting similar spam by WuphonsReach · · Score: 1

      And unfortunately, since e-mail FROM addresses tend to be forged, you're spamming some poor joe with your challenge messages. (Or else you're generating an e-mail that's going to bounce.)

      C/R systems just push the problem around... if the from domain could be trusted (ala one of the reverse-MX proposals), C/R systems would be a smarter bet.

      --
      Wolde you bothe eate your cake, and have your cake?
    8. Re:Earthlink users are getting similar spam by Guppy06 · · Score: 1

      "And unfortunately, since e-mail FROM addresses tend to be forged, you're spamming some poor joe with your challenge messages."

      Generally speaking, the challenges are issued once per e-mail address, not once per e-mail. If you send another e-mail while the system is still waiting for your response from the first one, you don't get another challenge.

      Or, if the poor schmuck also has a c/r system, both c/r systems talk to each other while neither end user sees much of anything.

    9. Re:Earthlink users are getting similar spam by crucini · · Score: 1

      Sounds like popfile would work for you. Unfortunately, as far as I can tell it must still download the spam messages before discarding them. At least that can occur silently in the background.

  10. Hooks the wrong person? by Zuke8675309 · · Score: 5, Insightful

    The article makes it sound like she wouldn't have got caught if an FBI agent hadn't been a recipient of the email. I hope this isn't the case and that the FBI is taking a more pro-active attack on this kind of thing than what the article seems to say.

    1. Re:Hooks the wrong person? by hazem · · Score: 1

      I think that is the case. From the article:

      Carr's undoing began when an FBI agent in the Norfolk, Virginia field office received one of her e-mails in February, 2001, and launched an investigation.

      Do you think anyone at the FBI would listen if you, an ordinary tax-paying citizen, called to report the same e-mail? They'd probably laugh and tell you that they were busy fighting *real* terrorists.

    2. Re:Hooks the wrong person? by ralphus · · Score: 1
      She likely would have been caught at some point but it would require her being but when she is stupid enough to commit a crime RIGHT IN FRONT OF AN FBI AGENT, of course she's going to get caught quickly. Normally things transpire roughly as follows:
      1. Scammer trying to scam a bunch of users
      2. some subset of the users getting scammed
      3. some subset of the scammed realizing that they were scammed and reporting it, or some of the bright non-scammed users reporting it
      4. The FBI seeing the report
      5. FBI deciding to take action
      6. Following their internal investigative procedures
      7. gathering evidence
      8. making a case
      9. prosecuting scammer

      In the case we have here, a FBI agent gets in the loop directly and is able to jump into this process at step 6.

      The scammer would have gotten caught eventually if she kept running her scam. She just got un-lucky in this case and was caught as a result.

      --
      Revolutions are never about freedom or justice. They're about who's going to be top dog. -- Kilgore Trout
  11. Let me be the first to say by NightWulf · · Score: 1, Troll
    Ha-HA!

    /nelson muntz voice

    I mean really how stupid can you be to actually "phish" for credit card numbers now, that's so 1997. She should have become involved in a much safer fraud, like identity theft, penny stock pump and dump, or creating a company...sending a donation to the Bush election fund...getting 8 billion dollar contract for rebuilding Iraq. Come on people, use your head!

  12. Face of a scammer by Saeger · · Score: 1
    Whenever I hear about these scammer stories I often wonder what the face of scum looks like-- if maybe I could tell it apart from the average car salesman's. So I wonder if this 55 year old woman has got the permanently furrowed eyebrows (like most news anchors), and those squinty, contemptuous eyes.

    --
    Power to the Peaceful
  13. Geez... by Cytlid · · Score: 5, Interesting

    ... sounds like she got off a lot easier than those caught sharing music via p2p programs. Either the FBI should hire the MPAA or anyone swapping music online should start credit card fraud, it sounds like the lesser offense.

    --
    FLR
    1. Re:Geez... by TooManyNames · · Score: 1

      You've got your agencies mixed up there... I think you were possibly looking for the RIAA. Or has the MPAA expanded recently?

      --
      "Is not a sentence" is not a sentence. Well damn.
    2. Re:Geez... by Cytlid · · Score: 1
      You've got your agencies mixed up there... I think you were possibly looking for the RIAA. Or has the MPAA expanded recently?


      Same smell, different orifice. Next time I'll put *AA or perhaps (MP|RI)AA... ;oD
      --
      FLR
    3. Re:Geez... by Night+Goat · · Score: 1

      Yeah, except this lady's getting a criminal record, whereas the people getting busted for swapping mp3s are just getting a civil tort filed against them. If you get a felony, your life is a lot shittier. Harder to get a job, you better believe it. And in some places you can't vote if you're a felon.

  14. See for your selves by littleRedFriend · · Score: 5, Informative

    AOL Billing center sample page.

    --
    IANAL, but imagine a beowulf cluster of in Soviet Russia all your belong are base to us welcoming the new SCO overlords.
    1. Re:See for your selves by acidfast7 · · Score: 1

      Do poeple not catch spelling errors as a tip-off for an internet scam:

      On the top of the form: ASTERIK?

      What's a social insurance number (SIN)?

      Do people actually fall for this?

    2. Re:See for your selves by Celt · · Score: 2, Funny

      My fav line out of that page has to be this
      "Your current information will be stored in a 256-bit encrypted protected server." :)

      --
      "WebTV: bringing the Internet into the shallow end of the gene pool since 1995" - Martin Bishop
    3. Re:See for your selves by Dun+Malg · · Score: 2, Funny
      AOL Billing center sample page.

      Honestly, is amazes me that people fall for crap like this. It always reads like someone in bulgaria wrote it with with an English/Bulgarian dictionary. My favorite misspellings/miswordings are "asterik" and "social insurance number".

      --
      If a job's not worth doing, it's not worth doing right.
    4. Re:See for your selves by thinkninja · · Score: 1

      Mine was:
      "*Providing false or fraudulent information will be prosecuted to the fullest extent of the law*"

      --
      "The number of Unix installations has grown to ten, with more expected." (Unix Programmer's Manual, 2nd ed.; june 1972)
    5. Re:See for your selves by littleRedFriend · · Score: 1

      Yeah it's amazing. The page wants to know all details, including your mother maiden name. I mean, come on this must be more obvious than Nigerian scam.

      It also says: WARNING: Credit-card fraud is a criminal offense. For your protection all transactions are carefully monitored and logged including IP adresses, ISP, and other pertinent information.

      Hilarious! Ironic?

      If you do view source, you'll notice that the javascript used on the form is quite lame as well.

      --
      IANAL, but imagine a beowulf cluster of in Soviet Russia all your belong are base to us welcoming the new SCO overlords.
    6. Re:See for your selves by thrill12 · · Score: 1

      Now wait: even though this is a "sample" scam page, which does not "store" information, the access_logs should still simply reveal which page was requested including all variables GETted with it.
      But luckily, us /.-ers are way too smart to fall for that...

      --
      Slashdot: stuff for news, nerds that matter, matter for news, stuff that nerd
    7. Re:See for your selves by akeyes · · Score: 1

      Couldn't they at least use a current page as an outline for it? "Copyright (C) 2000 America Online, Inc. All rights reserved. Legal Notices Privacy Policy Try AOL 5.0"

    8. Re:See for your selves by Hadur · · Score: 1



      Well, at least she got into the mindset of the standard AOL user... After all, where would we be without Frontpage and no-right-click scripts?

    9. Re:See for your selves by Snowdrake · · Score: 1

      Except that, in what I thought one of the more masterful touches of scammery, it says persecuted, as in wronged.

    10. Re:See for your selves by andrewagill · · Score: 1

      Or how about the Mr T Name Generator?

      Enter your date of birth, Foo!

    11. Re:See for your selves by gklinger · · Score: 1

      SIN = Social Insurance Number which is the Canadian equivalent of an SSN (Social Security Number). Perhaps the scammers were Canadian?

    12. Re:See for your selves by I+Be+Hatin' · · Score: 2, Funny
      Do poeple (sic) not catch spelling errors as a tip-off for an internet scam:

      No, poeple don't. They're probably very used to seeing spelling errors on the Internet, so it doesn't phase them.

      --
      I know god exists. I read it on the internet, so it must be true.
    13. Re:See for your selves by I+Be+Hatin' · · Score: 1
      Honestly, is (sic) amazes me that people fall for crap like this. It always reads like someone in bulgaria wrote it with with an English/Bulgarian dictionary.

      So does your post. You're the second guy to respond to the parent saying "how come people don't pick up on the spelling/grammar errors?", and both of you had spelling errors in your posts! Not that most people know how to spell 'asterisk' anyway...

      --
      I know god exists. I read it on the internet, so it must be true.
    14. Re:See for your selves by I+Be+Hatin' · · Score: 1

      "Webster's Revised Unabridged Dictionary (1913)"
      Phase Phase, v. t. Cf. Feeze.
      To disturb the composure of; to disconcert; to nonplus.
      Colloq.

      So fuckin' bite me, asswipe.

      --
      I know god exists. I read it on the internet, so it must be true.
    15. Re:See for your selves by I+Be+Hatin' · · Score: 1
      Heh... it's not mine, though. I suppose I should change my sig so that it doesn't look like I'm claiming it, eh?

      --
      I know god exists. I read it on the internet, so it must be true.
    16. Re:See for your selves by squiggleslash · · Score: 1

      If you happily enter your name, social security number, and credit card, into a website that clearly doesn't need it, doesn't ask for it, and has "SAMPLE SCAM PAGE" written on it in huge flashing letters, then I think you deserve to have your details stolen!

      --
      You are not alone. This is not normal. None of this is normal.
    17. Re:See for your selves by crabpeople · · Score: 1

      whats wrong with social insurance number thats spelled perfectly right. i have never had a company on the net ask me for my SIN tho..

      --
      I'll just use my special getting high powers one more time...
    18. Re:See for your selves by Unregistered · · Score: 1

      They're not even subtle. Card limit? Can you be more obvious it's a scam?

    19. Re:See for your selves by lgftsa · · Score: 1

      Wow! There's people who've never heard of Rene Goscinny and Albert Uderzo? What a grey, joyless childhood they must have had.

    20. Re:See for your selves by Reziac · · Score: 1

      That should be "doesn't *faze* them", since we're holding a spelling bee ;)

      --
      ~REZ~ #43301. Who'd fake being me anyway?
    21. Re:See for your selves by jonbryce · · Score: 1

      Amateurs. They forgot to ask for the bank username and password / pin.

    22. Re:See for your selves by badzilla · · Score: 1

      That page triggers my virus checker, I am alerted to presence of "Trojan JS.Cardst"

      --
      "Don't belong. Never join. Think for yourself. Peace." V.Stone, Microsoft Corporation
    23. Re:See for your selves by WWWWolf · · Score: 1
      My favorite misspellings/miswordings are "asterik" and "social insurance number".

      My favorite was "Verified at 11/2/103 12:22:41 P.M.". I thought I'd never see stuff like this again, but I was wrong =)

    24. Re:See for your selves by topdawg044 · · Score: 1

      Would be more believable if they learned the proper spelling of *asterisk*

    25. Re:See for your selves by Dun+Malg · · Score: 1
      You're the second guy to respond to the parent saying "how come people don't pick up on the spelling/grammar errors?", and both of you had spelling errors in your posts!

      People should expect/overlook spelling errors in something as ephemeral as a /. post. My point is, that something as important as a credit card info page by AOL would undoubtedly be proofread at least once, and thefact that it's rife with errors should have tipped them off that it was a scam. Cripes, I didn't say I was going to spell everything right in my post, did I? Get with the program, man.

      --
      If a job's not worth doing, it's not worth doing right.
    26. Re:See for your selves by I+Be+Hatin' · · Score: 1
      People should expect/overlook spelling errors in something as ephemeral as a /. post. My point is, that something as important as a credit card info page by AOL would undoubtedly be proofread at least once, and thefact that it's rife with errors should have tipped them off that it was a scam.

      You're right, it should tip them off that it's a scam. However, most people have atrocious spelling skills, and so would miss some of these errors (esp. asterisk). Second, once you get used to reading over spelling errors (i.e. over IM, in email, on /.), it becomes easier to read over spelling errors all the time. I don't think that people have contextual spelling error detection (tm). Rather, I think people have one "mode" of reading, and that their tolerance for spelling errors is growing as they read more unedited material. So ultimately, I don't think that people even saw the spelling errors, thus it didn't tip them off.

      --
      I know god exists. I read it on the internet, so it must be true.
    27. Re:See for your selves by I+Be+Hatin' · · Score: 1
      That should be "doesn't *faze* them", since we're holding a spelling bee ;)

      Before correcting someone's spelling, you should check that they're actually wrong, Dan...

      From http://dictionary.reference.com/search?q=phase:

      phase

      \Phase\, v. t. [Cf. Feeze.] To disturb the composure of; to disconcert; to nonplus. [Colloq.]

      Source: Webster's Revised Unabridged Dictionary, (C) 1996, 1998 MICRA, Inc.
      --
      I know god exists. I read it on the internet, so it must be true.
    28. Re:See for your selves by Reziac · · Score: 1

      "Phase" in that context is a relatively new spelling, and is a mistaken use of a homonym, NOT as a proper alternate spelling. See http://dictionary.reference.com/search?q=faze -- and note spelling of the word from which it's derived: "Middle English fesen, to drive away, frighten, from Old English fesian."

      And yes, I'm old enough to remember when "faze" was in common usage.

      --
      ~REZ~ #43301. Who'd fake being me anyway?
    29. Re:See for your selves by Dun+Malg · · Score: 1
      My point is, that something as important as a credit card info page by AOL would undoubtedly be proofread at least once, and thefact that it's rife with errors should have tipped them off that it was a scam.

      You're right, it should tip them off that it's a scam. However, most people have atrocious spelling skills, and so would miss some of these errors (esp. asterisk). Second, once you get used to reading over spelling errors (i.e. over IM, in email, on /.), it becomes easier to read over spelling errors all the time. I don't think that people have contextual spelling error detection (tm). Rather, I think people have one "mode" of reading, and that their tolerance for spelling errors is growing as they read more unedited material. So ultimately, I don't think that people even saw the spelling errors, thus it didn't tip them off.

      Good points. I'm one of those people who can spell, so the idea that someone can look at a bunch of misspelled words and not notice sometimes strikes me as inconceivable. Of course, then I run into the same thing (in reverse) from guys at work when they find out I don't know how to play "futbol"....

      --
      If a job's not worth doing, it's not worth doing right.
  15. Re:maximum of five years? by dreadnougat · · Score: 1

    You think that any of those countries has an exemplary legal system? You must be joking. Hear of William Sampson and those others caught in Saudi Arabia and framed for a crime they didn't commit? Know what they kill you for in China?

  16. Re:maximum of five years? by Dragon218 · · Score: 1

    you're not funny, so stop trying.

    --

    "It's the little touches that make a future solid enough to be destroyed" --William S. Bourroughs
  17. apathy in law enforcement by SuperBanana · · Score: 4, Interesting

    Danger Will Robinson, Danger! Rant Ahead!

    Read on SecurityFocus, a 55 year old woman spammed an FBI computer crime agent.

    Great. So what about:

    • the thousands of people getting ripped off daily on eBay
    • the DDoS's against blackhole list services
    • the thousands of script kiddies running loose

    ...? It seems like every day I'm reading about how some guy got screwed over and the FBI/SP/Local cops just didn't give a shit enough to do anything about it, whether it was technology related or otherwise, because it wasn't sexy enough. Crime is crime is crime.

    Case in point, you can pretty much scam anyone outside of your state and get away with it because interstate fraud laws have a $5,000 'ground floor'. That single law is probably the most responsible for the prolific fraud we've ever seen, virtual or otherwise. I could lose $4900 tomorrow and the FBI won't do jack shit. Some FBI nerd gets a scam email any moron would know not to answer, and they call out the swat teams. Faaaaantastic.

    It's like the local cops who don't give a shit if your laptop, your radio, etc were stolen and hundreds of dollars in damage done to your car. But, mind you, they've got all day to sit out on 'speed patrol'...

    1. Re:apathy in law enforcement by azav · · Score: 1

      Let me respond to this with two points.

      Crime is crime is crime but there is too much of it and not enough money/resources/people/time to stop it. So you go where your effort has the most impact.

      Cops DON'T care about the little things because they have bigger ones to deal with. It's true. I had to track down a laptop thief myself (and I got my laptop back) because I knew the cops wouldn't do anything about it. When something of yours gets stolen, you need to get on it right away and get it back. Hire an investigator if you can. You've gotta take action yourself because you can't be sure that anyone else will look out for your interests like you will.

      --
      - Zav - Imagine a Beowulf cluster of insensitive clods...
    2. Re:apathy in law enforcement by Xerithane · · Score: 1

      I've had things stolen, and had a neighbor whose car was stolen, and had a boss whose car was broken into. You need to move to a better city, because this has been spanning 3 states and I've never had them not care.

      Besides, you may want to learn the difference between a traffic patrol officer and a detective.

      --
      Dacels Jewelers can't be trusted.
    3. Re:apathy in law enforcement by Radical+Rad · · Score: 1
      I could lose $4900 tomorrow and the FBI won't do jack shit. Some FBI nerd gets a scam email any moron would know not to answer, and they call out the swat teams. Faaaaantastic.

      I think you missed the point here. This con artist got caught. It is news because we can all take revenge on spammers vicariously through reading this. It feels better than the end of a bruce willis movie.

    4. Re:apathy in law enforcement by kfg · · Score: 1

      Let the buyer beware is a maxim of age old wisdom that applies in all business dealings of any kind. If someone asks you for money, beware.

      It is not a tenet of American law. Far from it. The tenet of American law is "Good faith," the exact opposite of let the buyer beware. Assumption of innocence until proven guilty, as it were, applied to civil matters, but the onus is not on the buyer to not get taken. Not getting taken is the legal assumption of the buyer.

      However doofey it is to leave the keys in the ignition of your car it is your car and your keys. You may do with them as you will. Anyone who sees your keys in the ignition and takes your car is what we call "a thief."

      When one party violates good faith that is called "fraud." If the fraud comes to various dollar amounts then various forces of law and penalties come in to play.

      Failing to deliver promised goods when one has accepted payment for such and when one never intended to deliver such goods is fraud.

      Lying about a payment you don't deserve in order to receive it is fraud.

      Both are "well orchestrated" scams. Both are equal in the eyes and ears of the law. Only the relative dollar amounts differentiate the two from that point on.

      KFG

    5. Re:apathy in law enforcement by Anonnymous+Coward · · Score: 1

      Maybe there wouldn't be so many "little scams" if the people perpetrating them couldn't be as sure as they can now that they won't be caught and prosecuted. Food for thought.

    6. Re:apathy in law enforcement by Artifakt · · Score: 1

      The real cut off is higher than that 5,000 US$ limit. It costs the FBI about 15,000, on average, to pursue a typical fraud case, and their internal auditing process pushes agents towards investigating cases that have a potential return, in fines and penalties, greater than that limit. This also applies to other departments, such as treasury, for the crimes they investigate, although the exact limit varies a bit. To tie this to another Slashdot favorite topic, now you know why the DMCA is so scary - the 150,000$ per violation limit on possible penalties means federal law enforcement will selectively investigate copyright violation ahead of wire fraud, mail fraud and even some extortion, evidence tampering or securities cases.

      --
      Who is John Cabal?
    7. Re:apathy in law enforcement by phorm · · Score: 1

      Come to Canada, particularly BC. We're getting police enforcement cut, but an extra (at least) 100 officers coming into "traffic patrol" next year, coincidentally also when speeding fines are supposed to take a big jump.

  18. Re:maximum of five years? by azav · · Score: 1

    You and I support the death penalty for spammers. If we could only convince the rest of the world.

    Seriously, knock off a few spammers and see what happens.

    The way they are being treated now, it looks like the law looks the other way. Spamming is several crimes. Misrepresentation, fraud and theft of services to start.

    --
    - Zav - Imagine a Beowulf cluster of insensitive clods...
  19. Logic 101... by MosesJones · · Score: 5, Insightful


    Actually what it teaches us is

    - Criminals don't wear stripes and sound like Cagney

    - For any scam the best approach is to target the largest user group... more people means more idiots

    - The FBI staff use personal email

    This is exactly what you should expect, the FBI aren't a mixed race of mutant beings, and large crimes can be committed by pretty much anyone.

    --
    An Eye for an Eye will make the whole world blind - Gandhi
    1. Re:Logic 101... by bstadil · · Score: 1
      Criminals don't wear stripes

      Notice the Stripe on the Hat

      --
      Help fight continental drift.
    2. Re:Logic 101... by kidlinux · · Score: 1

      Why is everyone associating the FBI agent's email use with the FBI??

      "An Ohio woman whose credit card fraud schemes began to unravel when she unwittingly spammed an off-duty FBI computer crime agent..."
      The article mentions the agent as being off duty. So first of all, this AOL email account is personal, and secondly, if this person wants internet access at home, they've got to get it somewhere, and why not AOL, it's a huge ISP.

      "The FBI uses AOL, oh shit!" The FBI doesn't use AOL. People who happen to work for FBI might use AOL for personal internet access, but what the fuck does that have to do with the FBI??

      However, come to think of it, the FBI having some AOL accounts as honeypots might not be a bad idea. AOL users are a good (and large) target for scams, so the FBI computer crime dept. might catch a few of them.

      --
      -kidlinux.
    3. Re:Logic 101... by Doctor+Crocodile · · Score: 1

      - Criminals don't wear stripes and sound like Cagney

      Not even Cagney & Lacey?....

  20. There are so many... by MisanthropicProggram · · Score: 5, Informative
    Let's see:

    I once received an email with a link that said that I needed to "update" my eBay account with a new: credit card #, my SSN, DOB. The funny thing is I never had an eBay account - ever.

    I was at a hotel in Houston one time and I wanted to use my calling card to call home. After following the directions listed on the phone a few times, I was redirected to some telco that I've never heard of, and someone came on the phone, asked for the number I was calling and my calling card number. He then asked for my PIN. I said no way. He then told me that he couldn't make the call. I hung up.
    Later, at the airport, my card worked perfectly. I wish I got the name of the telco that was blocking access to my long distance company so I could have filed some sort of complaint with the FTC.
    Is it common practice for hotels to block access to your long distance provider so that you have to use their company for help that they charge you for?

    I've gotten so paranoid, I've repeatedly hung up on legitimate calls. It's unfortunate, but this shit is hurting legitimate businesses and making it harder for us consumers to know if we're being taken or not.

    --

    There is no spoon or sig.

    1. Re:There are so many... by eMartin · · Score: 4, Interesting

      After following the directions listed on the phone a few times, I was redirected to some telco that I've never heard of, and someone came on the phone, asked for the number I was calling and my calling card number.

      Maybe a scammer just put his own sticker on the phone when he had the room before you. I doubt that housekeeping checks for that kind of thing.

    2. Re:There are so many... by S.Lemmon · · Score: 1

      Ever wonder if maybe the person before you changed the instructions on the phone? It could be awhile before the hotel even noticed.

      Maybe it was an attempt to route you through one of those scam phone "services". I know there were several other scams that involved tricking you into dialing some special number first.

    3. Re:There are so many... by Detritus · · Score: 1
      Is it common practice for hotels to block access to your long distance provider so that you have to use their company for help that they charge you for?

      Yes, and it's illegal.

      Complaints should be filed with the FCC.

      --
      Mea navis aericumbens anguillis abundat
    4. Re:There are so many... by Elbow+Macaroni · · Score: 1
      I had a similar thing happen to me, with the cell phones, some other company was attaching themselves into the middle of the signals and taking over legitimate business. And where is the government and law enforcement? Are they just too stupid to catch these criminals or what?

      I meant they can't even control Verisign or the crap that goes on with domain names. But boy if you smoke a little marijuana they'll put you away for 10 years. That's real intelligent.

      --
      -------------------------------------
      Technically, we are beyond survival.
  21. Re:maximum of five years? by TheMidget · · Score: 1
    Just one keyword to show you this is a bad idea: joe-jobs!

    You don't wanna end up on the death-row because a particularly savvy spammer managed to pull off the perfect forgery with your name on it...

  22. Re:maximum of five years? by vicparedes · · Score: 1

    Heh. If this person was your nanna, you wouldn't be bitching now would you? Think of all the goodies you'll get on your birthday and Christmas.

  23. Re:maximum of five years? by azav · · Score: 1

    Please inform me about this joe-jobs thing.

    Really. I don't know what it is.

    --
    - Zav - Imagine a Beowulf cluster of insensitive clods...
  24. Social Engineering by Detritus · · Score: 2, Informative
    Don't be so sure that you would never fall for such an obvious scam.

    I received an email that was purportedly from Citibank, saying that I had received a money transfer. It was slick. The scammer had gone to a great deal of trouble to make it look like a real email from Citibank. The associated web site also looked real.

    What tipped me off? The email asked for too much information, the scammer was being greedy. Examining the HTML source of the email revealed that the web site was in the wrong domain for Citibank.

    --
    Mea navis aericumbens anguillis abundat
    1. Re:Social Engineering by LearnToSpell · · Score: 1

      I got one of those too, but I had my doubts when the email came from a dial-up in Germany. Oh, and my lack of a Citibank account.

    2. Re:Social Engineering by Detritus · · Score: 2, Informative
      According to Alex Salkever in BusinessWeek Online:
      A QUESTION OF JUDGMENT. In a study conducted earlier this year by MailFrontier, 40% of people who read a fraudulent Citibank e-mail were fooled into thinking it was real. "What we found is that the fraudsters have gotten smarter over time. It's very similar to spammers," says Budman.
      --
      Mea navis aericumbens anguillis abundat
    3. Re:Social Engineering by techt · · Score: 5, Informative

      No. The ones I've seen use this:
      http://www.myrealbankname.com:whatever@realIPaddressindotlessformat/

      The "www.myrealbankname.com:whatever" before the @ is not a URL, but a value sent to the real site which is denoted by the "realIPaddressindotlessformat".

      For example, cut and paste this into your browser:

      http://www.kuro5hin.org:section@1109654166/

      The above URL doesn't take you to Kuro5hin, it takes you to the Slashdot main page.

    4. Re:Social Engineering by ymgve · · Score: 1

      Opera warns you every time you try to access a site with a username in the URL - does Mozilla do this too? I know for certain IE doesn't ;)

    5. Re:Social Engineering by techt · · Score: 1

      As far as I'm aware, Mozilla doesn't do this. It is a good idea, though.

    6. Re:Social Engineering by marnanel · · Score: 3, Informative

      Opera warns you every time you try to access a site with a username in the URL - does Mozilla do this too?

      No, it doesn't yet. I agree-- it should. Mozilla bug 122445 tracks this issue. I suggest voting for it.

      (Copy and paste
      http://bugzilla.mozilla.org/show_bug.cgi?id=122445
      into your browser to go there; Bugzilla doesn't allow links straight from slashdot.)

      --
      GROGGS: alive and well and living in
    7. Re:Social Engineering by Reziac · · Score: 1

      How do you determine the dotless number?
      Wondering if it would work to protect email addresses on websites from harvesting, when you can't obfuscate them beyond what any browser can see (due to the client base you need to let contact you not having a technical clue).

      --
      ~REZ~ #43301. Who'd fake being me anyway?
    8. Re:Social Engineering by Random832 · · Score: 1

      given the IP a.b.c.d

      the dotless form is a*16777216 + b*65536 + c*256 + d

      --
      We've secretly replaced Slashdot with new Folgers Crystals - let's see if it notices.
    9. Re:Social Engineering by techt · · Score: 1

      How do you determine the dotless number?

      The dot-less number is a 32-bit unsigned integer.

      Slashdot's IP is 66.35.250.150. Each number is an 8-bit unsigned integer. In binary it would be:

      01000010.00100011.11111010.10010110

      remove the decimals

      01000010001000111111101010010110

      convert binary to base 10

      1109654166 is the answer.

      If you need to do it on paper, this way may be easier:

      66.35.250.150 =
      (66 * (256^3)) + (35 * (256^2)) + (250 * 256) + 150 =
      1109654166

      Wondering if it would work to protect email addresses on websites from harvesting, when you can't obfuscate them beyond what any browser can see (due to the client base you need to let contact you not having a technical clue).

      While I don't know for certain since I don't know how the email harvester spiders work, I would think it probably wouldn't make a difference. You may try to use a disposable email address service like Sneakemail and generate a new contact address each time the older one gets too much spam.
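The URL trick and the dotless-number arithmetic discussed in the comments above, turned into a defensive check in the spirit of the warning Opera is described as showing. This is an added example, not code from any poster or browser; the function names and the benign sample URL are assumptions, and only the all-decimal dotless form from this thread is decoded.

```python
"""Added example: flag URLs whose visible name is only userinfo and whose
real host is a dotless (single-integer) IPv4 address."""
import ipaddress
from urllib.parse import urlsplit


def dotted_to_dotless(dotted: str) -> int:
    """a.b.c.d -> a*256**3 + b*256**2 + c*256 + d (the formula from the thread)."""
    return int(ipaddress.IPv4Address(dotted))


def dotless_to_dotted(host: str):
    """Return the dotted quad for an all-decimal host, or None if it is not one."""
    if not (host.isascii() and host.isdigit()):
        return None
    value = int(host)
    if value > 0xFFFFFFFF:  # does not fit in a 32-bit address
        return None
    return str(ipaddress.IPv4Address(value))


def inspect_url(url: str) -> dict:
    """Separate what the reader sees from where the request actually goes."""
    parts = urlsplit(url)
    host = parts.hostname or ""   # everything after the last '@'
    decoy = parts.username        # text before '@'; never used for routing
    dotted = dotless_to_dotted(host)

    warnings = []
    if decoy is not None:
        warnings.append("URL carries userinfo before '@'")
        if "." in decoy and decoy.lower() != host:
            warnings.append(f"userinfo '{decoy}' looks like a hostname but is not the host")
    if dotted is not None:
        warnings.append(f"host is a dotless IP: {host} = {dotted}")

    return {
        "shown_to_user": decoy,
        "real_host": host,
        "real_host_dotted": dotted,
        "warnings": warnings,
        "suspicious": bool(warnings),
    }


# The first two URLs are quoted in the thread; the third is a constructed
# benign sample for comparison.
SAMPLES = [
    "http://www.kuro5hin.org:section@1109654166/",
    "http://3327655938/?key=5?index=beesky.rocks.com",
    "https://example.com/billing",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        report = inspect_url(sample)
        verdict = "SUSPICIOUS" if report["suspicious"] else "ok"
        print(f"{verdict:10} {sample}")
        for warning in report["warnings"]:
            print(f"           - {warning}")
```

A mail filter or link preview can run a check like this on every href and show the reader the decoded host rather than the text in front of the `@`.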

    10. Re:Social Engineering by lpret · · Score: 1
      I have to comment and say that I use Opera and it popped up with a message box saying that I was connecting to the address 1109654166 using the Username kuro5hin.org and was I sure of that?

      Security in a browser does happen...

      --
      This is my digital signature. 10011011001
    11. Re:Social Engineering by kcb93x · · Score: 1

      I googled for:

      Dotless IP address -"Internet Explorer" (because IE came up too many times for the vulnerability in the first one)

      and got:
      http://www.google.com/search?num=100&hl=en&l r=lang _en&ie=UTF-8&oe=utf-8&q=Dotless+IP+address+-%22Int ernet+Explorer%22&btnG=Google+Search

      (Note- check for the blank space(s) /. added to the above)

      The following is taken from:

      http://www.beesky.com/newsite/howto_dotless_ip.h tm l

      How to make dotless IP URL's to amuse your friends

      Web URL's like www.microsoft.com are merely alphanumeric representations of IP octets. What I mean is that for every hostname, like beesky.com, there is a corresponding ip address. In our case it is 198.88.0.2. A dotless IP is a 32-bit number (http://3327655938) that the IP stack resolves into its equivalent dotted IP format (198.88.0.2).

      The dotless IP address, also called the "decimal address", can be easily calculated with this formula:

      decimal=aaa*16777216+bbb*65536+ccc*256+ddd

      If you get a url like http://3327655938/?key=5?index=beesky.rocks.com, just stick it in the first set of numbers, in this case 3327655938, into this form below to find out who it's really from.

      --
      There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
    12. Re:Social Engineering by badzilla · · Score: 2, Informative

      If you're bad at math and need a quick way to turn a numeric URL into a DNS-named one there is a handy tool ("decipher") at www.samspade.org

      --
      "Don't belong. Never join. Think for yourself. Peace." V.Stone, Microsoft Corporation
    13. Re:Social Engineering by WWWWolf · · Score: 1
      How do you determine the dotless number?

      Someone already posted the theoretical solution. Here's the practical solution:

      perl -MSocket -e 'print unpack("N",inet_aton("slashdot.org"));'

      Wondering if it would work to protect email addresses on websites from harvesting,

      Uh, please don't. It's more pain than it's worth - You don't see many people using IP addresses for E-mail, do you? There may be reasons for that.

    14. Re:Social Engineering by Reziac · · Score: 1

      Cool, thanks for the info!

      It even looks logical, now that I see it written out. :)

      --
      ~REZ~ #43301. Who'd fake being me anyway?
    15. Re:Social Engineering by Reziac · · Score: 1

      Aha, now I understand better. The converter would make the grunt work easier, yet :)

      AFAIK the harvesters look for any string in nameAThostDOT* format, so I'd think anything to confuse that would help. I know most have gotten smart enough to work around additions like "nospam". So far I haven't found a *reliable* substitution for the AT sign that works at the *docsource* level (bots don't parse just the visibles!)

      I can't use a disposable because I have clients that may be years between contacts and the old email has still got to work, and since I get people using every which browser, js obfuscation is no good either (aside from that I hate js). Even more, I resent being pushed out of my own namespace by spammers, and changing my email is the point where I dig in my heels -- kinda like, if someone steals your identity, should YOU have to change your name??

      Hmm, there's a thought... wonder if forging someone else's email address as part of a spam header could be bent into identity theft for the criminal courts? :D

      --
      ~REZ~ #43301. Who'd fake being me anyway?
    16. Re:Social Engineering by Reziac · · Score: 1

      Ya know, I'd completely forgotten about samspade.org -- thanks for the reminder!

      --
      ~REZ~ #43301. Who'd fake being me anyway?
    17. Re:Social Engineering by Reziac · · Score: 1

      Thanks! I see you've encountered the evil slashdot space before as well :)

      [reads beesky info] Oh -- some people might have applied a patch to cure the behaviour?! In that case, not useful for a mailto since it'll fail with some systems. :( Oh well, it was worth a thought.

      However, I'm glad I asked, since from all these replies I've actually learned useful stuff.

      --
      ~REZ~ #43301. Who'd fake being me anyway?
    18. Re:Social Engineering by Reziac · · Score: 1

      [laughing] Ah, a perl junkie :) Interesting, tho -- archived for reference.

      As to email addresses, per info someone else posted a link to, seems some folk might have applied a patch that disables dotless lookup, so no good to me anyway -- I want to find something that works in EVERY client from the most braindead antique to the latest and greatest, since that's the gamut my clients use, and I can't be locking anyone out due to "minimum technical requirements".

      Tho IS there some reason why IP addresses are not used for mail? I've seen it done in spam, tho that doesn't exactly count as a legit use.

      --
      ~REZ~ #43301. Who'd fake being me anyway?
    19. Re:Social Engineering by WuphonsReach · · Score: 1

      Possibly under a fraud law?

      Joe-jobs and domain forging are at least combatable via technology. It merely requires that the DNS system provide answers to the two following questions:

      1) Has this domain restricted which IPs are allowed to send e-mail on behalf of this domain?

      2) Is the IP address of the server that is currently talking to my SMTP server on that list?

      There are at least (4) proposals on the table currently (see my signature) for eliminating the ability to forge domains. It won't solve the spam problem, but it will at least put a serious dent in the problem.

      --
      Wolde you bothe eate your cake, and have your cake?
    20. Re:Social Engineering by Reziac · · Score: 1

      That's kinda what I was thinking, since identity theft boils down to fraud (you can CALL yourself anything you like, so long as there is no intent to defraud).

      Yeah, ISTM if email was merely confirmed as coming from where the header claims it does, a lot of the really obnoxious spam, and related thefts of services, would go away. ISTM if it's done right, it need not endanger anonymous remailers, either. I don't know enough about the technical side to make intelligent suggestions [g] but how about this: Merely confirm each individual hop in the chain -- but the next hop doesn't need to know anything about the previous hop; only that the immediately previous sender was the system it claimed to be.

      --
      ~REZ~ #43301. Who'd fake being me anyway?
    21. Re:Social Engineering by WWWWolf · · Score: 1
      Tho IS there some reason why IP addresses are not used for mail? I've seen it done in spam, tho that doesn't exactly count as a legit use.

      The same reason DNS is used in general: IP addresses are difficult to remember and they can change, while DNS names are easy to remember and can be made to point just about everywhere.

      And there's also the benefit of using MX records...

    22. Re:Social Engineering by Reziac · · Score: 1

      Oh, that's too obvious :) I was thinking only of the part of the mailto link that non-snoopy people don't see anyway. Problem being, yeah, who knows when ELN will up and change their mail servers, or if I'd hit a bad one (of the 18 or so, last I knew for sure), etc.

      What's the "benefit of using MX records" ?? (Getting out of my territory here :)

      --
      ~REZ~ #43301. Who'd fake being me anyway?
    23. Re:Social Engineering by WWWWolf · · Score: 1
      What's the "benefit of using MX records" ?? (Getting out of my territory here :)

      Mail for one domain can be handled by another. I don't know the specifics since I haven't looked at it that much, but it's probably something along the lines of "Mail for scienceguy@research.example.com is actually handled by mail.example.com".

    24. Re:Social Engineering by Reziac · · Score: 1

      Ah, okay, I know what you mean, even if I didn't know the acronym :)

      --
      ~REZ~ #43301. Who'd fake being me anyway?
  25. Re:hm by annielaurie · · Score: 2, Interesting

    Wanna bet?

    Read this. Be sure to read all the way to the end for fairly positive proof that the guilty party was, indeed, a woman. In fact, it was a woman-owned, woman-run, all-female spam gang.

    Regards,
    Anne

    --
    DUCT TAPE: The Election Supervisors' Secret Weapon
  26. it gets better by monkeySauce · · Score: 5, Informative

    The 22 year old guy she was working with thought he was breaking the law with a 20-something hottie instead of this 55 year old overweight felon from Akron. He must feel pretty stupid about now.
    this story has more detail

    1. Re:it gets better by lgftsa · · Score: 1

      From the linked article - Agents did learn that victims live all over the world, including three in Virginia Beach, one in Chesapeake and one in Newport News. None was identified in court.

      OK, everyone together(just the chorus):

      It's a small world after all
      It's a small world after all
      It's a small world after all
      It's a small, small world

  27. Unfortunately it is the case by frovingslosh · · Score: 1
    The article makes it sound like she wouldn't have got caught if an FBI agent hadn't been a recipient of the email. I hope this isn't the case and that the FBI is taking a more pro-active attack on this kind of thing than what the article seems to say.

    The FBI clearly knows this kind of thing is going on, but they can't be bothered to do their job and protect US citizens (to be fair, they are too busy snooping on us and reading our private communications). Heck, you could have reported stuff like this and there would have been no follow-up at all. They only bother to go after someone like this when they piss them off and send the spam to an FBI agent.

    --
    I'm an American. I love this country and the freedoms that we used to have.
    1. Re:Unfortunately it is the case by GMontag · · Score: 2

      Same thoughts I had.

      I used to send crap like this to the FTC all of the time, but now I just send it to them if I accidentally open one instead of deleting. If I am using AOL I report the spam using the AOL utility. Does not seem to slow it down one bit.

  28. Re:Let em guess she was American ? by MillionthMonkey · · Score: 1

    She didn't send it to postmaster@homelandsecurity.gov.

    I bet postmaster@homelandsecurity.gov gets plenty of spam...

    Postmaster, Instant Pleasures ........ TYcw4ixg
    Hey Postmaster! We were waiting for you last night
    Postmaster, v^iagra is cheapest here............2qx3
    postivic@homelandsecurity.go v, thanks for your purchase
    100% satisfaction guaranteed on inkjet cartridges, postmaster xd ds jj1esdzzb
    Postmaster, get home delivery of V a l i u m and V i a g a r a
    Postmaster You could have money coming blackbody
    posman, Tired of deleting spam? egmgsdoptoreoq
    postmaster, Government grants are easier to get than you think

  29. Re:Here is more info on her by monkeySauce · · Score: 2, Informative

    She appeared in federal court in Virginia but she is from Akron, Ohio so you're linking to someone else's contact info.

  30. so it's only an issue if it's personal? by binarybum · · Score: 3, Insightful

    I don't get it. Is this all it takes to get spammers busted? Can I just forward the scams and spams I get to this guy and have all these people caught? Why did this only become an issue when it was a personal attack on someone in a position of power to do something about it. What about the rest of us, how can we fight back? And more importantly why isn't the FBI doing more to attack spammers other than when they're personally feeling the heat?

    --
    ôó
    1. Re:so it's only an issue if it's personal? by Patrik_AKA_RedX · · Score: 1

      You could try, but probably the spammer will sue you for redistributing its copyrighted material.

    2. Re:so it's only an issue if it's personal? by KillerHamster · · Score: 1

      Can I just forward the scams and spams I get to this guy and have all these people caught?

      Good idea. Let me know how that works.

  31. Re:Let em guess she was American ? by ljavelin · · Score: 4, Insightful

    Sorry, but it is incredibly naive of you to assume that only "computer idiots" fall for these scams.

    They are very convincing... stealing all the branding of a legit informational email. I'll tell you, my mom and dad just cannot tell the difference between http://www.citibank.com/signup/account.jsp and http://www.citibank.com@192.168.0.1/acct.jsp.

    These scams can be compelling to people who don't understand that ALL email should be untrusted, and that all URLs within email should be untrusted, and that all forms that you fill out should be untrusted.
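
Added example, not code from the thread or from any poster: a Python sketch of the check a reader would apply to the two URL tricks discussed here, the `name@host` form in the comment above and the dotless "decimal address" from the earlier how-to. It goes beyond the thread by also accepting the hex, octal and short forms that classic `inet_aton` parsers take; the function names are made up for this illustration.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# One numeric component: 0x-prefixed hex, or a run of ASCII digits.
_NUMBER = re.compile(r"0[xX][0-9a-fA-F]+|[0-9]+")


def dotted_to_decimal(dotted):
    """Formula from the quoted how-to: aaa*16777216 + bbb*65536 + ccc*256 + ddd."""
    a, b, c, d = (int(part) for part in dotted.split("."))
    if not all(0 <= octet <= 255 for octet in (a, b, c, d)):
        raise ValueError("octet out of range: %r" % dotted)
    return a * 16777216 + b * 65536 + c * 256 + d


def _component(text):
    """Parse one component as hex (0x..), octal (leading 0) or decimal."""
    if not _NUMBER.fullmatch(text):
        return None
    if text[:2].lower() == "0x":
        return int(text[2:], 16)
    if len(text) > 1 and text[0] == "0":
        try:
            return int(text, 8)
        except ValueError:          # e.g. "08" is not valid octal
            return None
    return int(text)


def numeric_host_to_ipv4(host):
    """Return the dotted quad behind a numeric host spelling, else None.

    Handles 1 to 4 components; the last one fills all remaining bytes,
    so "3327655938" and "198.88.2" are both complete addresses.
    """
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    values = [_component(p) for p in parts]
    if any(v is None for v in values):
        return None
    *leading, last = values
    if any(v > 255 for v in leading):
        return None
    if last >= 256 ** (4 - len(leading)):
        return None
    number = last
    for index, value in enumerate(leading):
        number += value << (8 * (3 - index))
    return str(ipaddress.IPv4Address(number))


def inspect_url(url):
    """Report where a URL really points and which tricks it uses."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    findings = []
    # Everything before '@' is userinfo, not the destination.
    if parts.username is not None:
        findings.append("userinfo-before-@")
    ip = numeric_host_to_ipv4(host)
    if ip is not None:
        findings.append("ip-literal-host" if ip == host else "obfuscated-ip-host")
    return {
        "displayed_as": parts.username,   # the decoy name, if any
        "real_host": ip or host,
        "findings": findings,
    }


if __name__ == "__main__":
    # URLs taken from the comments on this page.
    for sample in (
        "http://www.citibank.com/signup/account.jsp",
        "http://www.citibank.com@192.168.0.1/acct.jsp",
        "http://3327655938/?key=5?index=beesky.rocks.com",
    ):
        print(sample, "->", inspect_url(sample))
```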

  32. Re:Let em guess she was American ? by Rosco+P.+Coltrane · · Score: 1

    Well okay, you're right actually. I really should have written "computer users". There are a lot of people who get scammed with snail mail too and they're not necessarily idiots.

    --
    "A door is what a dog is perpetually on the wrong side of" - Ogden Nash
  33. What's wrong with FBI having an AOL account!? by drkrool · · Score: 1

    Absolutely nothing! Maybe they have an account to monitor what happens on AOL.

    I don't know why /.ers freak out when they hear AOL.

    1. Re:What's wrong with FBI having an AOL account!? by Nintendork · · Score: 1
      "Maybe they have an account to monitor what happens on AOL."

      The FBI agent was off-duty.

      -Lucas

    2. Re:What's wrong with FBI having an AOL account!? by drkrool · · Score: 1

      Your account doesn't go away when you are off duty. Maybe he was just checking his mail at home.

    3. Re:What's wrong with FBI having an AOL account!? by Catnapster · · Score: 1

      One more time: "AOL is the Special Olympics of ISPs".

      --
      The world can be wrong today for once.
  34. 55 year old woman going down? by Fubar411 · · Score: 1

    Hmmm, I think I have that spam around here somewhere. Not my thing though...

  35. Comment removed by account_deleted · · Score: 2, Informative

    Comment removed based on user account deletion

  36. But why.. by adeyadey · · Score: 2, Insightful

    does it take for a spammer to mail the FBI direct before they take action? Surely they must be aware of the volume of scam emails we *all* get, and be taking action anyway?

    It's like waiting for a police station to be burgled before the police take action..

    Some of these frauds are pretty blatant (penis enlargement pills etc), you don't need to be Sherlock Holmes to track them..

    --
    "You lied to me! There is a Swansea!"
    1. Re:But why.. by jpetts · · Score: 1

      Some of these frauds are pretty blatant (penis enlargement pills etc), you don't need to be Sherlock Holmes to track them..

      Are you saying Sherlock Holmes' little friend was really called Johnson, not Watson?

      --
      Call me old fashioned, but I like a dump to be as memorable as it is devastating - Bender
    2. Re:But why.. by Dhalka226 · · Score: 1

      does it take for a spammer to mail the FBI direct before they take action? Surely they must be aware of the volume of scam emails we *all* get, and be taking action anyway?

      Proof, probably. I believe I just read a few days ago that they caught (one of?) the people responsible for those Nigerian money scams, so it's not like they don't ever pursue things first. But it's tricky on the Internet to track people down reliably. Somebody accused of bringing down computers in a shipping port was just acquitted, saying that somebody had installed a trojan on his computer that did the job and which subsequently deleted itself. It's hard to prove otherwise.

    3. Re:But why.. by rhyno46 · · Score: 1

      Come on...you know this isn't the only spam message this agent gets!

      I bet most agents get spam in their government mailboxes (unless the gov't uses something like www.postini.com).

  37. Re:maximum of five years? by anubi · · Score: 2, Informative
    A "joe-job" is what it's called when a spammer encodes someone's (the 'joe') address who the spammer would like to cause immense harm to in the 'reply-to' field of his spam message.

    Millions of spam go out, and the named joe gets hit with all the ire and bounced-mail replies. His ISP usually becomes quite upset with him as well, and he's left trying to explain to everyone that he doesn't even know what the hell is going on.

    It's a really neat way of framing somebody on the internet - making it appear to all the outside world that 'joe' did it, when in reality joe was completely uninvolved.

    --
    "Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]

  38. Oops... by Pan+T.+Hose · · Score: 5, Interesting

    I think everyone (not only "spammer") had such an "Oops" in her career. I remember when we counterattacked CIA agents scanning our network... I saw a host slowly and randomly syn/fin/null scanning (something like nmap --randomize_hosts -Tparanoid but with -sS, -sF and -sN changing randomly -- a custom patched nmap or something like that) our hosts, so I answered with directing a broadcast-magnified traffic to its class C (something like "smurf" but with custom tools using UDP and TCP as well as ICMP packets) to disable the offending host, having absolutely no idea that I saturated the backbone of ISP used by a CIA covert operation. Imagine my surprise when I saw agents knocking on my door... Fortunately after I described some of my techniques and explained to them that I am a security professional, not a cracker, they let me go but if I wasn't working for the government at that time I probably wouldn't write this now. I wonder what stories other slashdotters can tell about their biggest "Oops!"

    --
    Sincerely,
    Pan Tarhei Hosé, PhD.
    "Homo sum et cogito ergo odi profanum vulgus et libido."
    1. Re:Oops... by geekoid · · Score: 1

      let's see, what did I do with the memo I was supposed to forward to the FBI, oh well, it can wait until Sept. 12th.

      --
      The Kruger Dunning explains most post on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
    2. Re:Oops... by bluGill · · Score: 1

      You might suggest to them that next time you will be more careful - if you knew it was government snooping in your private network you would have called the newspaper. The CIA can't legally do this to any US citizen, and no police force can do this type of investigation without a warrant. The so called patriot act doesn't give everything away.

      Of course this doesn't apply if you are in any other country, though you may have a different set of rights that would apply.

  39. smart lady by ratfynk · · Score: 1

    "Her scam targeted AOL users" nuf said

    --
    OH THE SHAME I fell off the wagon and use sigs again!
  40. Password Checker! by dolo666 · · Score: 4, Interesting

    You wanna know how gullible people are? As a joke last year, I coded a little password checking program, at my site. Users could check their password against a list of a million common English words, to see if their passwords were secure. There was a database with a million words in it, and each time someone put in their password, the site would tell them if it was in the list. It would also tell them that if they are stupid enough to give out the password to just anyone, then it's certainly not secure!

    People would show up and type in something that looked like a real password, and then type in another password as a message to me -- along the lines of Fuck You on a Silver Platter, Asshole.

    Hackinthebox.org posted the site and a pile of gullible flies* showed up to check their passwords. I'm guessing people from HiB would send the site to other unsuspecting people, as a joke. Thing is, eventually some pretty scared people were emailing me. I took it down after a while. It was getting to be more annoying than fun.

    There is always someone out there who is greedy or scared enough to be scammed online -- it's just sad when it happens to someone you know.

    * flies: a fly is someone who gets stuck in the web, and a spider is someone who owns it.

    1. Re:Password Checker! by rawg · · Score: 1

      That's nothing. I wrote a pop up window that looked like a windows dialog. It said something about you were disconnected, please type in your username and password to continue. I would log all the usernames and passwords to a database with their IP address. I was getting about 10 a week.

      People are really stupid.

      --
      The above is not worth reading.
    2. Re:Password Checker! by Anonymous Coward · · Score: 2, Insightful

      People are really stupid.

      And some are dickheads who abuse a little bit of programming knowledge. Oh, what a wonderful world!

    3. Re:Password Checker! by strike2867 · · Score: 1

      What's the point of knowing programming and having an IQ higher than room temperature if you can't abuse it?

      --

      Vote for new mod!!! Score:-2,Imbecile
    4. Re:Password Checker! by Aliencow · · Score: 1

      On my site I had a fake Hotmail recovery page that I supposedly "grabbed from hotmail.com and saved just before they removed it"...

      It had the style of a Hotmail page, and you had to enter "your" Hotmail account address, then another address to get the password emailed to... then the script would email the hotmail guy saying "Some bitch at blabla@email.com tried to steal your password.." .. and I had so many freaking hits.

    5. Re:Password Checker! by weave · · Score: 1
      People enter their passwords into other sites all the time. Basically, enter your email address and password and we'll collect your pop mail for you.

      All you have to do is set up a free webmail service and start collecting the info and seem legit.

      Even if the site operators (and their sys admins) are legit and honest, you have to wonder if they encrypt that data and protect it. Even if encrypted, it still has to have a way to decrypt it to send it over the wire (almost always in plain text) to some other site's pop server.

    6. Re:Password Checker! by herrvinny · · Score: 1

      Cool. Could I get a copy of that million word db?

    7. Re:Password Checker! by dolo666 · · Score: 1

      I may post it sometime. I'll msg you if I do.

  41. Re:Let em guess she was American ? by Anonymous Coward · · Score: 1, Insightful

    Good guess. I never would have figured that out. Well, except for the part where it says she is from OHIO!

    This never happens anywhere else. Except for all those countries that collapse because so much of the population is taken by a single scam! Albania

  42. Re:Let em guess she was American ? by kfg · · Score: 5, Funny

    There are certain items of the arcana that are only available to the wise. Ok, some MCSEs know them too, but only a few.

    Do wish to have arcane knowledge and be the envy of your 133t friends? How on earth those spammers, well know for deep knowledge of the darkside, produce a cent sign when it isn't on the keyboard?

    You (sir/madam) have been carefully selected as one the few who have what it takes to secret forces and such power right at your fingertips!

    Don't be a clueless dork anymore. Just send $19.95. Your seat at the table of the Illuminati is waiting. . . for you (sir/madam)!!!

    KFG

  43. I don't think we should prosecute these people by TLouden · · Score: 1

    They help to get rid of the idiots that fall for that shit. Let them improve our spicies.

    --
    -Tim Louden
    1. Re:I don't think we should prosecute these people by zerOnIne · · Score: 1

      i still think that Curry is among the greatest of our spicies.

      --
      09
    2. Re:I don't think we should prosecute these people by snarkh · · Score: 2, Insightful
      Your judgement is completely immature.
      I know some extremely intelligent people who fell for things like that.

      It is not about how smart you are, rather it is whether you choose to believe certain things or have the experience to tell the scam from the real thing.

  44. Fraud-ian slip by neirboj · · Score: 2, Funny

    "Entering Fraudulent information is against the law. If done so on this form you are now hereby notified that AOL will persecute, fine, and charge anybody trying to commit fraud with our accounts.

    persecute:

    1. To oppress or harass with ill-treatment, especially because of race, religion, gender, sexual orientation, or beliefs.
    2. To annoy persistently; bother.
  45. *bzzzzt* by devphil · · Score: 4, Informative


    I hear you on the FBI thing. But consider: somewhere a just-not-worth-the-taxpayer's-money line has to be drawn. The FBI is seriously understaffed. (Go figure. The technologically astute are too proud to work for a measly $35K FBI salary, investigating tech crimes. Nooooo, gotta be making glamourous six-digit salaries on high-visibility programming projects.) But anyhow, the reason I'm posting is...

    It's like the local cops who don't give a shit if your laptop, your radio, etc were stolen and hundreds of dollars in damage done to your car. But, mind you, they've got all day to sit out on 'speed patrol'...

    Unless you live in Andy Griffith Town, the officers who sit on speed trap duty are not the same ones who investigate theft. Different division, different rules, different salaries, therefore a different allocation of officers/resources/time/budget.

    A traffic cop "sitting all day" on watch costs less than an investigating agent spending even half a day looking for stolen laptops chock full o' pr0n. It's harder to hire investigative officers and detectives, it's more expensive to train them and pay them.

    --
    You cannot apply a technological solution to a sociological problem. (Edwards' Law)
    1. Re:*bzzzzt* by SIGBUS · · Score: 1
      The technologically astute are too proud to work for a measly $35K FBI salary, investigating tech crimes.

      I wonder how many people are out there who would love to do so, but don't want to end up being called upon to enforce laws they consider unjust, like the DMCA, laws against recreational drugs, etc.

      For that matter, how many are turned off by the possibility of being used as political enforcers rather than law enforcers?

      --
      Oh, no! You have walked into the slavering fangs of a lurking grue!
    2. Re:*bzzzzt* by Mr.+Droopy+Drawers · · Score: 1

      Sure pal, I'll bet there's people out there both qualified and willing to do that job for $35K.

      Maybe you've noticed, the RIAA and MPAA lawsuits have been civil, not criminal, cases. These companies aren't in it for people to go to jail. They want $$.

      FBI tech engineers are going after the hackers breaking into systems and are investigating cases such as this. You'll notice they started investigating this case more than two years ago.

      --

      To Copy from One is Plagiarism; To Copy from Many is Research.

    3. Re:*bzzzzt* by weave · · Score: 1
      A traffic cop "sitting all day" on watch costs less than an investigating agent ...

      It'd be nice if these traffic cops could instead patrol some areas and catch someone in the act or at least prevent crime through high visibility.

      The only time a police car cruises through my neighborhood is when it's responding to a call.

    4. Re:*bzzzzt* by Niet3sche · · Score: 1

      Actually, most FBI folks are college graduates. This means that they're entitled to a GS-7 rating pretty much right off the bat. Also, if they go the Special Agent way (e.g. physical/mental/visual/auditory acuity testing, and carrying a firearm), that'll pump them up and put them in line for even higher GS pay grade designations. Consider:
      SysAdmin: $??? If you can get work, I've seen anything from $28K/year up.
      NetAdmin: $???
      Programmer I: $50K/year ... for ever. If you don't get laid off next Thursday.
      FBI Agent (GS7): $35,158 for the first year, terminating in $45,706 after year 10.
      FBI Special Agent (GS10, say): $47,360/year 1; $61,570/year 10.

      Now ... let's consider this: say that you're good at what you do, and your section decides that you need a cybersquad ... let's say this happens 5 years in:

      Year1: GS7, $35158
      Year2: GS8, $38937
      Year3: GS8, $40235
      Year4: GS9, $43006
      Year5: GS9, $44440
      Year6: GS10 (they promote you to lead the squad), $47360
      Year7: GS10, $48939
      Year8: GS11 (you get off your butt and get a MS), $52035
      Year9: GS11, $53770
      Year10: GS12, $62366
      Year11: GS12, $64445
      Year12: GS12, $66524
      Year13: GS12, $68603
      Year14: GS12, $70682
      Year15: GS12, $72761
      Year16: GS12, $74840
      Year17: GS13, $74163
      Year18: GS13, $76635
      Year19: GS13, $79108
      Year20: GS14, $87639

      Then you're free to do whatever you want; you've got a government pension at this point. You also have job security and so on. Maybe people WON'T want to work at the FBI for $35K/year, but I was looking at the FS paygrade (for a Network Security Officer / Foreign Service) and they were STARTING out at $56K/year or so. Also, if you're good in the FBI, it is my impression (if you have clued-in people above you) that you can rack up a nice living for yourself - to the tune of taking an appointment directly at a GS13 grade ($74,163 base) out-of-the-box.

      Everything listed here is the BASE appointment pay. And, of course, don't forget the simple truth these days: it may be the case that a person is choosing between taking a "measly" $35K/year ... and $0/year. ;)

      Head here for the actual pay grade table:
      http://www.opm.gov/oca/03tables/html/sf.asp?

    5. Re:*bzzzzt* by oh · · Score: 2, Insightful
      I hear you on the FBI thing. But consider: somewhere a just-not-worth-the-taxpayer's-money line has to be drawn. The FBI is seriously understaffed

      But how do you cost a crime? If you lose $500 from a stolen Credit Card, well, it's hard to justify a month's worth of police time to track down the culprit.

      But if say 1,000 people were each defrauded of $500, that's half a million dollars obtained illegally. But each complaint is only $500, too small to be investigated.

      Makes you think, doesn't it.

      --
      Democracy isn't about no one telling you what to do. It's about everyone telling you what to do.
  46. They have geeks too! by mabhatter654 · · Score: 1
    The FBI has "geeks" and like many other geeks in the world just aren't deemed "fit" to talk to outside people! That's what the "lower" scoring field agents are for...duh. It's all about the food chain people.


    That said, even FBI people get to go home sometimes [and contrary to /. opinion they aren't all hot-n-horney doctors or 1-900 addicts] and some of them probably even use AOL. This spammer just mailed the WRONG person. but you're right, normal FBI guys wouldn't have even noticed that the spam was a scam. or that it rhymes!

  47. Originally a Canadian scam by Anonymous Coward · · Score: 2, Insightful

    The lady should have modified the scam a little bit, because it looks like the original scam was against Sympatico users in Canada. That explains the SIN. More reading

  48. conversation with my credit card company by 3ryon · · Score: 4, Interesting

    me: I've received 3 scam e-mails today which are trying to get me to give up my credit card number. Do you have a special card number I can give them that will set off an alert when someone attempts to use it, so that you can apprehend these people?

    CC Company: No, but that sounds like a great idea.

    me: Yes. Now do something about it.

    What do you think the odds are that the idea ever got past the person I talked to on the phone?

    1. Re:conversation with my credit card company by SnprBoB86 · · Score: 1

      That is a nice idea, but problem is that obnoxious people will often enter the card number for legitimate sites just to give them a hard time.

      --
      http://brandonbloom.name
    2. Re:conversation with my credit card company by geekoid · · Score: 2, Insightful

      haha, I was talking to an Executive for a CC company at a financial event and suggested the same thing. He thought it was a good Idea too. That was 9 years ago.

      based on that, I'd say the odds are pretty damn slim.

      --
      The Kruger Dunning explains most post on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
    3. Re:conversation with my credit card company by Reziac · · Score: 2, Insightful

      Actually, there are poison numbers in some credit card databases, that if used, will redflag that as being stolen-card activity. I don't recall the details, but this was used back in the era when they mailed blacklists to merchants, who then had to manually check your card against it before they were allowed to take it. (1970s-80s)

      The problem with the general public having its own poison number for inputting into scam forms, is that someone with a grudge could input said number into legit forms, and cause all manner of legal havoc.

      --
      ~REZ~ #43301. Who'd fake being me anyway?
    4. Re:conversation with my credit card company by Kashif+Shaikh · · Score: 1

      You could do something:

      1) Apply for a new credit card (you don't wanna do this with your existing CC)
      2) Once you receive your CC and have activated it, report that you lost your CC after some time.
      3) Your CC Company will mark your old CC as lost/stolen (they take this issue very seriously and will ensure your CC is marked invalid).
      4) Give the now 'stolen' CC number to email scammers...and include the three digit security number on the back.

      Now it's up to the CC company to track fraudulent CC use. Don't know what the CC company will do if they do find their hitman.

    5. Re:conversation with my credit card company by Skuld-Chan · · Score: 2, Informative

      Do you realize that the person you talked to is probably a wage slave working in an outsourcing company you may have never heard of in a country you've never been to? In most cases the agent you talked to probably had no way of actually communicating that request with the actual company they represent.

      I work in such a company - while I don't work on a financial contract there are several in the office I'm in for banks every one of you has heard of.

      In many countries they don't have as many privacy laws as the US does. Also some call centers are operated out of prisons (search Google for twa and prison sometime). Definitely something to think about before your company outsources, ehh? Think about the potential for abuse. I'm an honest person - but I know for a fact I could collect well over 32-50 valid email addresses/credit cards and phone numbers per day if I wasn't.

    6. Re:conversation with my credit card company by sn00ker · · Score: 2, Insightful
      In many countries they don't have as many privacy laws as the US does.
      The US has privacy laws? You mean the ones that allow companies to sell the information they collect on you, without your permission? And the ones that have no requirement for companies to protect said information against theft by outside agencies?
      Yes, those're mighty impressive laws.

      If you want to see privacy law, try looking at New Zealand's Privacy Act, or some of the European legislation. The US may as well not bother pretending they have any privacy legislation, because all it does is lull people into a false sense of security.

      --
      "God, root, what is difference?" - Pitr, userfriendly
    7. Re:conversation with my credit card company by Skuld-Chan · · Score: 1

      In the US we can at least sue said companies for privacy violations. I wonder what would happen if a New Zealand or US company outsourced to a company in some south pacific island who was also turning around and selling that information to spammers, and telemarketing companies?

  49. Re:maximum of five years? by LearnToSpell · · Score: 1
  50. Re:Bad argument by EvanED · · Score: 1

    But you can fix things for the future.

    You can't reverse all of the punishment, but you can reverse part of it.

  51. Re:Mod up by kfg · · Score: 1

    But he needs an editor, or at least a nap.

    KFG

  52. businesses cause these problems by treat · · Score: 1

    By providing no way to authenticate themselves in a secure manner and by contacting their customers asking for sensitive information. Happens to me all the time. I never got a scam attempt that was even remotely plausible.

    On some occasions I have said I would call back so that I would be sure of their identity, and they get upset. (Yes, from a legitimate business calling for a legitimate reason).

  53. Why must society slow evolution? by SnprBoB86 · · Score: 2, Funny

    Caveman eats poison berries, caveman dies. Friends of said caveman discover berries were to blame for death, note that no one should ever eat the berries. Another caveman comes along, fails to read the large warning signs posted outside the forest. He eats the berries and dies. Original caveman's friends laugh. The End.

    If you ask me, such obvious scams shouldn't be shut down. Instead they should be allowed to eliminate society's stupider members.

    -SniperBoB-

    --
    http://brandonbloom.name
    1. Re:Why must society slow evolution? by geekoid · · Score: 1

      So I guess when you go buy a car, they can lie to you all they want, and if you're ignorant, it's your own damn fault?

      --
      The Kruger Dunning explains most post on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
    2. Re:Why must society slow evolution? by EinarH · · Score: 1

      Funny, but you forgot about the other side of the story.
      Some years later an evil caveman starts his "sell non-working stone axe" scam. Victims of the scam rise up against the life-threatening sales practise and use real stone axes to chop up scam-caveman.

      --

      Melius mori in libertate quam vivere in servitute.

    3. Re:Why must society slow evolution? by strike2867 · · Score: 1

      Unfortunately this doesn't eliminate society's stupider members, the Darwin Awards do.

      --

      Vote for new mod!!! Score:-2,Imbecile
  54. Um, Shouldn't he have got this ON THE JOB by superultra · · Score: 1

    So, the obvious question is: why can't they catch these people on-duty? Why does it take a spam email directly to an FBI agent to get action?

    1. Re:Um, Shouldn't he have got this ON THE JOB by jd_esguerra · · Score: 1
      Why does it take a spam email directly to an FBI agent to get action?

      Because there is a lot of crime to choose from. Hell, if you have to pick one, why not pick the one that irritates you the most.

  55. Re:Let em guess she was American ? by nnnneedles · · Score: 1
    "go crawl back into the whole you came from"???

    It's hole, you moran!

    --
    Will code a sig generator for food
  56. Aggregation vs.single-time losses by coyote-san · · Score: 1

    There's a serious disconnect in the priorities of law enforcement, but the correct response is far from clear.

    Consider three cases - a single loss of $10k, a hundred people losing $1k, or 10,000 people losing $100.

    There's no way the $100 loss would be investigated by any law enforcement agency, but it's the largest loss by far. Meanwhile the single loss of $10k is the smallest aggregate loss by far, but most people are going to really feel that loss while the $100 loss is usually (but not always) easily absorbed.

    Does this mean that the $100 loss should get highest priority? I would say not... but then again a single complaint may be the tip of the iceberg on losses affecting many people.

    There's no easy answer... but ignoring the cumulative loss or the coarsening effects on society on certain offenses (e.g., how my anger at clearly fraudulent spam has colored my perception of ALL flyers, handbills, etc.) isn't the right answer either.

    --
    For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
  57. Spamers lack imagination. by arose · · Score: 3, Insightful

    Why email millions of intelligent people, when all you need to do is to set up a "Free IQ" test, that delivers results via email...

    --
    Analogies don't equal equalities, they are merely somewhat analogous.
    1. Re:Spamers lack imagination. by Skuld-Chan · · Score: 1

      Just like Scientology!

  58. DEATH! by FatSean · · Score: 1

    Nah...not death. But everyone she and her loser friends scammed should get a free punch on each of them. I'd knock a few teeth loose.

    --
    Blar.
    1. Re:DEATH! by jd_esguerra · · Score: 1
      I'd knock a few teeth loose.

      She's from Akron, OH. She probably doesn't have many teeth left. ;-)

    2. Re:DEATH! by Dimensio · · Score: 1

      What do you mean "Nah"? Yes, DEATH. I'm sick and tired of getting these e-mails, ESPECIALLY when I don't have an AOL account.

      These people are scum-sucking bottom-feeders. They live by exploiting the computer-illiterate and using theft of service and trespass to chattel to send out their attempted fraudulent communications. The only deterrent that will work is rigorously enforced capital punishment.

  59. Re:Let em guess she was American ? by russx2 · · Score: 1

    "It's hole, you moran!" It's moron, you idiat!

  60. Re:maximum of five years? by geekoid · · Score: 1

    I clicked www.brycchouse.org link, and it seemed like a scam. I meant it is in the root directory, says they need money for some 'Non profit' thing, but doesn't say what it is, exactly.

    --
    The Kruger Dunning explains most post on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
  61. I AGREE by rhizome · · Score: 1

    And another thing...why is she only having to plead guilty to *conspiracy*? It's ridiculous!

    --
    When I was a kid, we only had one Darth.
  62. Re:Let em guess she was American ? by Knife_Edge · · Score: 1
    http://www.citibank.com@192.168.0.1/acct.jsp

    What is the deal with this, anyway? I've never seen an URL like this before. Looks like a combination of an URL and an email address. Obviously what is happening is that the link actually leads to the ip address and not www.citibank.com. However, I realized this only because of the context of the conversation here, not because I knew what it was beforehand.

    Is the reason you can still use www.citibank.com because on that IP address (which is fake) there is a listening web server that accepts connections for www.citibank.com, even though it is not really www.citibank.com?

    Man, this might have fooled me, and I'm considerably savvier than the average person. I might have wondered about the odd domain in the browser. Doing a DNS lookup of the real www.citibank.com would give away the scam, but generally I assumed that domains cannot be hijacked this way.

    Someone with less knowledge of computers would be most unlikely to think the `@` symbol was anything more unusual than anything else in a domain name. Let's stay ahead of the scammers, people. Inform your less experienced friends and relatives.

  63. wasnt just to aol users by Anonymous Coward · · Score: 1

    The spam wasn't just sent to AOL users; I got one of these and I've never owned an AOL account.

  64. Re:maximum of five years? by Maserati · · Score: 1

    How about this ?

    http://www.snopes.com/inboxer/outrage/darkprofits.asp

    --
    Veteran, Bermuda Triangle Expeditionary Force, 1992-1951
  65. Hah! by Solokron · · Score: 1

    You gotta love the fact she blatantly had a field entitled "credit card limit". lol!

    --
    30% off web hosting. Coupon code "SLASHDOT".
  66. wouldn't work for long by KalvinB · · Score: 2, Interesting

    Eventually the scammers would figure out what numbers were red-flagged and not use them. All they would need is a CC account and they'd be right on top of the fake numbers just like every other customer.

    I got a very official-looking e-mail from "PayPal" asking for all my information. Then I noticed the URL and that my password wasn't getting asterisked and typed in "howwouldyouliketogotoprison" in the entry fields and hit submit. I also e-mailed PayPal and within minutes the site was gone. I doubt I was the first to report it.

    Credit Card companies already have a solid way of dealing with crime. You watch your statement and if something is fishy you report it. What you have is a statement summary. The CC company has far more information at their disposal as companies that take cards have to submit lots of info to get an account.

    The CC company can get just as much information a week or two after the fact as they can "during" the committing of the crime. It's not like they can call up the place that's taking the card and say "hold that customer." Especially since most CC fraud is committed through on-line shops.

    Some moron years ago bought more e-mail space at Yahoo with my CC. I called up Yahoo and asked them to tell me if that purchase was applied to my account. No. And when was the last time I bought something on Yahoo for my account? "Over a year ago." And it was for hosting. I never had to pay a dime and the charges were reversed quickly. Since they bought themselves a personal account tracking down who did it would be trivial. And wouldn't even matter since it's non physical property. Yahoo just needed to cancel the account my CC was used on and everyone that matters is happy.

    I learned at Mervyn's that major credit card companies tend to eat the cost of the fraud. The customer gets their money back and the store the fraud occurred at gets their money. Which actually works out better since now the CC company is the only entity taking on the crook. Instead of (not) being sued a million times by all the victims, they're sued and jailed for one massive crime.

    The employee probably thought it was a great idea, told his supervisor, and his supervisor walked him through their tried and true method and explained why your method was flawed.

    Ben

    1. Re:wouldn't work for long by Anonymous Coward · · Score: 1, Informative
      I learned at Mervyn's that major credit card companies tend to eat the cost of the fraud.

      Not true. Merchants who accept bad cards tend to eat the cost of fraud. Credit card companies will charge anything where the billing address matches, but even if you're overly anal and you get a chargeback, odds are good that you the merchant are eating that fraud.

    2. Re:wouldn't work for long by swfranklin · · Score: 1
      I learned at Mervyn's that major credit card companies tend to eat the cost of the fraud. The customer gets their money back and the store the fraud occurred at gets their money.
      Nonsense. The merchant takes it in the shorts in most instances. The merchant is only protected in very limited situations - pretty much when shipping a physical product, with proof of delivery, to the recorded billing address of the credit card. Otherwise the merchant is charged back for the fraudulent purchase.
  67. And in case anyone wonders about the name... by Dimensio · · Score: 1

    The "joe" comes from the name of the first well-known incident of this happening. His name was Joe, and he lost his website because his clueless ISP couldn't figure out that he wasn't responsible for the spam run.

  68. What is it with the pump and dumps? by Sycraft-fu · · Score: 1

    I swear, these people are the stupidest. I've never got a pump and dump spam, but we get them as faxes all the time. They, of course, have bogus removal information but one problem: We are the operators of the phone switch at the university. If we get annoyed by it, and I'm near that point, we can get the source numbers from the switch and go after these people. You can spoof out the fax source on the fax itself, but the switch always knows the real source number.

  69. Re:Bad argument by EvanED · · Score: 1

    So in other words, if you were innocent, you wouldn't care if you were executed or put in jail for 25 years then released for the next 25 until your natural death?

  70. Re:Let em guess she was American ? by lizrd · · Score: 2, Informative
    @ is a valid character in any url. Anything preceding the @ sign is considered as a username and the part following the @ sign is the url that it will be used for. The actual useful application for this is in ftp:// urls. For example, you might use a url like ftp://warez:mp3@riaa.org/metallical.mp3 to download Metallica mp3z from the riaa. In the example above warez would be used for the username and mp3 for the password. Since the vast majority of http:// type urls don't require a username and password, it just gets thrown away by your browser since it wasn't needed. It's a very common tactic in spam e-mails.

    Now you know that. I know that, but most people don't and it would still be pretty easy to convince someone to visit The Linux kernel website (I think that /. may have sanitized the misleading link, it should read http://www.kernel.org@3632843893/ copy and paste it yourself to find out) and find themselves at freebsd.org instead. It all comes back to the first rule of Spam, "Spammers Lie.", when in doubt, see rule 1.

    --
    I don't want free as in beer. I just want free beer.
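The `user@host` trick discussed in the two comments above can be checked mechanically. The following is an added example, not part of the original thread: it splits a link the way a URL parser does and flags userinfo that is shaped like a domain name and hosts that are bare IPv4 literals, including the single-integer spelling. The names `audit_link`, `numeric_host` and the flag strings are hypothetical; the sample URLs are the ones quoted in the comments.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Shaped like a DNS name with at least one dot, e.g. "www.citibank.com".
HOSTLIKE = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$", re.IGNORECASE)


def numeric_host(host):
    """Return the dotted-quad form if host is an IPv4 literal, else None.

    Covers the two spellings seen in the thread: a dotted quad and a single
    32-bit decimal integer. Hex and octal spellings are not handled here.
    """
    if not host:
        return None
    if host.isascii() and host.isdigit():
        value = int(host)
        if value < 2**32:
            return str(ipaddress.IPv4Address(value))
        return None
    try:
        return str(ipaddress.IPv4Address(host))
    except ValueError:
        return None


def audit_link(url):
    """Report which part of the URL is really the host, plus warning flags."""
    parts = urlsplit(url)
    host = parts.hostname   # everything after the LAST '@' in the authority
    user = parts.username   # everything before it (up to an optional ':')
    flags = []
    if user is not None:
        flags.append("userinfo-present")
        # A "username" that looks like a domain is there to be misread as the site.
        if HOSTLIKE.match(user):
            flags.append("userinfo-looks-like-host")
    ip = numeric_host(host)
    if ip is not None:
        # A raw address instead of a name, whatever notation it is written in.
        flags.append("ip-literal-host")
    return {"userinfo": user, "host": host, "ip": ip, "flags": flags}


if __name__ == "__main__":
    # URLs quoted in the thread; nothing is fetched, they are only parsed.
    samples = [
        "http://www.citibank.com/signup/account.jsp",
        "http://www.citibank.com@192.168.0.1/acct.jsp",
        "http://www.kernel.org@3632843893/",
        "ftp://warez:mp3@riaa.org/metallical.mp3",
    ]
    for url in samples:
        print(url, "->", audit_link(url))
```

A mail filter or link preview would show the reader the `host` value, not the text before the `@`.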
  71. Re:Bad argument by Eccles · · Score: 1

    It's not fundamentally different from any punishment - once you lock someone up for a period of time there is no way for that person to ever get that time back - even if they are innocent and later released and exonerated.

    But you haven't lost everything. In Maryland, a man has been found innocent after 27 years in prison, and pardoned by the governor. He can now seek redress; a person in a similar situation received $45K per year of prison.

    Not wonderful, but it sure beats having the governor come to your grave and say "Oops!"...

    --
    Ooh, a sarcasm detector. Oh, that's a real useful invention.
  72. Re:maximum of five years? by crabpeople · · Score: 1

    "Think of all the goodies you'll get on your birthday and Christmas." oh boy mommy! 3 inches of some guys wang!

    --
    I'll just use my special getting high powers one more time...
  73. Forward to your representative by zpok · · Score: 2, Interesting

    Why not forward all the spam you get to the nearest politician that represents you, with the simple message:
    "Could you please do something about this?"

    Of course, this politician could try and stop you, but imagine the media attention this would get...

    BTW after some rigorous pruning of unnecessary accounts and scrambling my email addresses on the internet, I'm down to 2 spams a week (which get caught by mail.app's excellent spam-filter).

    --
    I think, therefore I am...I think.
  74. Sure it would by bluGill · · Score: 1

    Discover, (for sure, I think the others do or did) offers a one time card, aimed at online purchases. You go to Discover, login to your account, and ask for a one time card, and they give you a number, linked to your account, but only good for one use (I've never done it, but you might be able to specify a credit limit too). If anyone at the company you order from steals your number it does them no good because the card number is canceled first.

    Wouldn't be hard to go a step further and modify this so that you can get a random number which is linked directly to the fraud department, whoever uses it suddenly finds all the numbers used (including numbers from suckers who fell for the scam) are invalid. Needs some strong proof that it is fraud though. Otherwise someone will eventually try to discredit legitimate vendors this way, wasting time... (Amazon is likely honest enough that you couldn't discredit them, but think of a tiny startup just trying to make a go of it)

  75. FBI computer crime agent on AOL by use_compress · · Score: 1

    I love how an FBI computer crime agent is using AOL.

  76. Well... by Pan+T.+Hose · · Score: 1

    You might suggest to them that next time you will be more careful - if you knew it was government snooping in your private network you would have called the newspaper. The CIA can't legally do this to any US citizen, and no police force can do this type of investigation without a warrant. The so called patriot act doesn't give everything away.

    You are right, it could've been a great news but, well, let's just say that none of us would've liked the newspapers to know about that incident. They spied on us without a warrant but not without a reason, if you follow my drift. Fortunately all of us agreed to just forget about the whole "cyber-battle," as they called my defensive DDoSing counter-attack and their own counter-counter-attack (quite harmless to my network, I might add -- except the "real world" part).

    --
    Sincerely,
    Pan Tarhei Hosé, PhD.
    "Homo sum et cogito ergo odi profanum vulgus et libido."
    1. Re:Well... by toomuchPerl · · Score: 1
      Without a warrant but not without a reason? Sorry, I don't follow your drift.
      Take this as flamebait if you must, but why the hell are you bragging on slashdot?

      I find this tripe of yours pompous and boring. If you are involved in anything of this nature, you wouldn't be shouting about it on slashdot.

      (ducks)I see that you have bipolar disorder. :P
      You're apparently some sort of boastful security consultant. Whatever, man. If you want to prove it somehow, then put up, otherwise shut up.

  77. Hey, if they are women then... by screwdriver · · Score: 1

    maybe they CAN enlarge my penis!

  78. So gullable they think that... by frenchgates · · Score: 1

    gullible is spelled gullable.

    --
    Syntax error: loose != lose, affect != effect, then!=than
    1. Re:So gullable they think that... by benzapp · · Score: 1

      Is your self esteem so poor that you must resort to correcting people's spelling of an archaic and illogical language?

      At least in your own head you are far better than the rest of us... Enjoy it.

      --
      I don't read or respond to AC posts
    2. Re:So gullable they think that... by frenchgates · · Score: 1

      Just as the programmers who read Slashdot feel it is appropriate to correct a mistake in a c++ code snippet, I feel it is appropriate to correct frequently made grammar errors in a language I am familiar with. Conflation of "Lose" with "Loose" spring immediately to mind. Don't worry. I am totally aware of the fact that encouraging proper speech is an antique endeavor and doomed to failure. It does surprise me that you, an avowed Fascist who believes in "cultural standards", would balk at a little linguistic discipline. By the way, please enlighten me as to what living human language isn't archaic and illogical?

      --
      Syntax error: loose != lose, affect != effect, then!=than
  79. innumerable people fall for it by dioscaido · · Score: 2, Informative

    I once received one of those pay pal credit card scam SPAMs, and snooped around the server which hosted the credit card acceptor script. The script wasn't an index.* file, and directory listing was enabled, so I was able to see all the files on the account. There were only two, the script and the resulting credit card database.

    There were easily 1,000 credit cards with full name and addresses and even social security #. Do not underestimate how gullible people on the internet can be.

    I reported the site to the host, and not surprisingly it took about a week to get the thing offline.

  80. Re:Let em guess she was American ? by droleary · · Score: 1

    Sorry, but it is incredibly naive of you to assume that only "computer idiots" fall for these scams.

    No, that is instead an incredibly accurate statement. The dirty secret is that 90% of users are "computer idiots", despite their feeling otherwise. It's just like how the vast majority of people think they're above average drivers.

    They are very convincing... stealing all the branding of a legit informational email. I'll tell you, my mom and dad just cannot tell the difference between http://www.citibank.com/signup/account.jsp and http://www.citibank.com@192.168.0.1/acct.jsp.

    Then that would then make them computer idiots. But that shouldn't even matter. It should be a simple issue of common sense. These scams contain any number of logical fallacies, mostly in the use of threat and authority in an attempt to be convincing.

    These scams can be compelling to people who don't understand that ALL email should be untrusted, and that all URLs within email should be untrusted, and that all forms that you fill out should be untrusted.

    In other word, compelling to idiots. And not just computer idiots, but general idiots. This whole thing has nothing to do with computers. If someone calls on the phone claiming to be from Citibank and demanding information, do you just give it to them? What if it's just a guy on the street in a suit with a name tag that says Citibank and a clip board? The email is no different a scam.

    A lot of people like to bitch and moan about patent stupidity when someone tags "on a computer" to an old idea, but here you are trying to claim there is a significant difference between email and other types of social contract. That is just not the case. If your parents fall for a "give me your credit card number or spoooooooky bad things are going to happen!" scam, they are idiots. If you fail to acknowledge that, the problem might just have a genetic component.

  81. Much bettter by dameron · · Score: 1

    I just have to say that preying on the stupid just doesn't sound like that big of a crime to me. At worst you've deprived them of subscribing to the Weekly World News and giving their money to televangelists. Actually, considering how many people get to rip off these people while giving out tax deductions, I'm thinking we should have the entirety of regular spammers be punished by serving as human anti-spam bots for really slow mail servers.

    -dameron

    1. Re:Much bettter by microbox · · Score: 1

      Have you ever read the Weekly World News? If not, you should, it's a great read.

      How many of you thought that I was some gullible fool that believes in wild tabloid press? You my friends should all read the WWN before you decide what it is. Maybe you'll laugh out loud, and wonder why anybody could think it's real - oh, that's the joke =)

      You can't be smarter than the average Joe if you just go along with the crowd!


      There is No Sig

      --

      Like all pain, suffering is a signal that something isn't right
  82. Light punishment? by EvilStein · · Score: 2, Insightful

    "Carr's sentence will be determined by the amount of fraudulent charges racked up on the stolen credit card numbers -- with a maximum of five years. But the guidelines also dictate that each credit card be valued at a minimum of $500.00, a formula that helped boost Carr co-conspirator George R. Patterson's sentence to 37 months in prison, according to Patterson's attorney."

    That's it? 37 months in prison for her cohort.
    Yet the RIAA is trying to hit people for $150,000... and Ashcroft wants "hackers" sentenced as terrorists and put in jail for LIFE.

    Want to stop identity theft? Jack up the jail term..big time. 3yrs in jail for stealing a ton of credit card numbers is pretty weak.

  83. Its all so simple by BigDocJayster · · Score: 1, Funny

    Darwin Awards: People who kill themselves

    Dilbert Awards: People who support spam

    sigh. Can I have some points for -trying- to be funny?

    --
    -Where there is blue screen, there is OWNAGE
  84. Re:maximum of five years? by Harinezumi · · Score: 1

    Sending her to prison for 5 years sounds about right. Just have to make sure they send her to a men's prison.

  85. Re:Bad argument by John+Courtland · · Score: 1

    Why would you? Have a great time getting any sort of real life started at the age of 50 or so. He might get a couple tens of thousands of dollars. Wow, big compensation. He's an OLD MAN now.

    They owe him half of a lifetime. He should never have to work, never have to worry. He paid the debt of a murderer, and now he's probably going to get shafted around until he dies.

    --
    Slashdot is proof that Sturgeon's Law applies to mankind.
  86. There is some kind of joke in there... by SuperKendall · · Score: 1

    Somewhere in the combination of a woman flashing and a pair of "Demotivational" posters in the background, there is a really funny joke.

    Perhaps that was her recruitment technique... or a demotivator of a different sort.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
  87. not to mention... by real_smiff · · Score: 1

    ...that it doesn't 'remove them from the species' or whatever, it just makes them a bit poorer AND encourages these people to try it again.. maybe on you! and waste some of your time. bit like all this slashdot posting.

    --

    This is my Sig, this is my Gun. One is for Slashdot and one is for Fun.

  88. Re:Bad argument by hkmwbz · · Score: 1

    So he should have been executed for his own good? Wow, that is certainly a fresh look at capital punishment...

    --
    Clever signature text goes here.
  89. Re:Bad argument by John+Courtland · · Score: 1

    I would rather die than be locked away for 27.
    Especially for a crime I didn't commit.

    --
    Slashdot is proof that Sturgeon's Law applies to mankind.
  90. Re:Bad argument by hkmwbz · · Score: 1

    Good for you! But shouldn't this be up to you rather than the government? Maybe you would prefer to die, but not everyone thinks alike.

    --
    Clever signature text goes here.
  91. ummm..oww by jman101101 · · Score: 1

    I think it just adds insult to injury in saying the woman was 55. I mean, the police could say it was a man 19-27, but 55? P.S. (shut up) Am I the only person who got an email for a guy asking how to steal a car? I thought it was spam till nobody knew what I was talking about.

    --
    3y3 c4|\| |\|0t u|\|d3rs74nd j00
  92. Re:Bad argument by John+Courtland · · Score: 1

    Not quite the point I was trying to make. I don't think he wanted to die, even though he was stuck somewhere for half a lifetime. But even though he is released, he isn't going to be compensated. I say that the punishment he received is the same as being put to death. At that point, it would be the same to me.

    --
    Slashdot is proof that Sturgeon's Law applies to mankind.
  93. Why doesn' by Futurepower(R) · · Score: 1
    100,000 FBI agents are spammed 10,000 times each in their personal email boxes every year with illegal schemes. When U.S. citizens call the FBI to report the attempted crimes, the FBI representative just laughs.

    What is the real purpose of the FBI if it isn't to investigate crime?

  94. Re:Bad argument by EvanED · · Score: 1

    And the point the parent was trying to make was that while it might be the same to *you*, you are probably in a very small minority. I, for instance, would *much* rather be released after time in prison than be put to death.

  95. Re:Bad argument by John+Courtland · · Score: 1

    I made the original point in the first place, so it's all just one big happy misunderstanding :)

    --
    Slashdot is proof that Sturgeon's Law applies to mankind.
  96. Not just AOL -- Comcast also targetted by kiwimate · · Score: 1

    Two days ago I found a similar e-mail in my inbox which essentially followed the same lines, but was directed at Comcast users. It stated that there had been a problem with my billing credit card, which could be due to any of the following list of plausible-sounding issues, and directed me to click on a hyperlink to rectify the problem. As it happens, my Comcast account is provided by work as part of my on-call requirements, and they pay all the bills. The scary part is, even looking at the header, everything appeared to resolve to a Comcast address (I think it was comcast.biz), except for one little address which was a Qwest address.

    Comcast already knows about it; you can see their (extremely not obvious) warning here.

  97. Well, FWIW by blach · · Score: 1

    ...the security professional appears to be Polish, thus not likely an American citizen.

  98. heh by ailaG · · Score: 1

    i used to change nicks to "nickserv" on dalnet and other irc networks. people didn't get their password requests and yet msg'd me their passwords.. which is okay, but when i msg'd them fake server replies, even ones that looked like passwords, none of them got it! :) and then they blocked these nicks, because of people like me ;) (for the record, i never used any of these passwords)

    --
    -= ailaG =-
  99. I forgot about the evidence by Pan+T.+Hose · · Score: 1

    Without a warrant but not without a reason? Sorry, I don't follow your drift.

    Too bad. I've already said too much. Please stop asking.

    Take this as flamebait if you must, but why the hell are you bragging on slashdot?

    I find this tripe of yours pompous and boring. If you are involved in anything of this nature, you wouldn't be shouting about it on slashdot.

    You find my comments "pompous and boring" and yet you waste your precious time reading them and replying to them? Might I suggest you getting a life maybe? Or is that your hobby to answer "pompous and boring [comments]" asking people "why the hell are [they] bragging on slashdot" every time you find something especially boring? What an exciting hobby. I do really wish my life was so exciting.

    (ducks)I see that you have bipolar disorder. :P

    Yes, I have bipolar disorder. Do you find it funny? Do you realize how much does it tell about your intelligence? It also somehow explains the rest of your comment.

    You're apparently some sort of boastful security consultant. Whatever, man. If you want to prove it somehow, then put up, otherwise shut up.

    But of course. Let me prove everything I write on Slashdot, just like all of other fellow slashdotters do. Please give me a mailing address so I could send you video tapes and timestamped Snort logs proving that what I'm saying is true. I'm sorry I forgot to click this little "attach the evidence" button next to "submit" and "preview." Please take no offense but what are you nuts?!

    --
    Sincerely,
    Pan Tarhei Hosé, PhD.
    "Homo sum et cogito ergo odi profanum vulgus et libido."
  100. I think the CIA should stop watching Bond movies by dbIII · · Score: 1
    I remember when we counterattacked CIA agents scanning our network..
    What on earth were they doing on your network? What did the court order say? In most countries that sort of behaviour could only be carried out after they had convinced a magistrate to let them do it. Since a group like that has a lot of control over domestic policy and an enormous influence on foreign policy, they should be under the control of the judicial system.

    Disclaimer - a US intelligence agency made some ineffectual effort to depose the prime minister of my country in 1975 (he was going to go anyway, so all the US got out of it was bad press and an embarrassing court case), and I live in a country that is a very loyal ally of the USA.

  101. Re:maximum of five years? by dreadnougat · · Score: 1

    They forced a confession out of him, which is to say, they fabricated one. Think about that: they fabricated a confession. They framed him. They tortured him until he read it for them on video. You think that's a good system?