Slashdot Mirror
Scamming Spammer Hooks the Wrong Person
CrypticSpawn writes "Read on SecurityFocus, a 55 year old woman spammed an FBI computer crime agent. She got caught mailing off a credit card scam to AOL users." Her scam targeted AOL users with messages saying their credit cards were refused during the last billing cycle, and linked to a false billing center page which demanded private information.
Really... We have just charged your credit card for 19.95... if you want to cancel the transaction, enter your card number, full name, and expiry date below...
With the same logic, phone someone up, and tell them that if they don't want to be 0wN3d, they should disable their firewall, and tell you their IP address...
The darwin award exists for those who kill them selves in stupid ways... we need to invent an award for idiots that fall for obvious scams like this.
---
Programming is like sex... Make one mistake and support it the rest of your life.
I suspect that a vast majority of spams hit a large number of law enforcement inboxes - it isn't like spammers are selectively making hand-crafted to lists. Of the spams I get (of which there has been a marked increase in the past month), a good percentage are illegal or gray-legal pennystock pump and dumps, PayPal imitators attempting to get your information, or our good Nigerian friends looking for some assistance in rescuing their money.
I can't be the only one that finds it disturbing that the FBI uses AOL.
An electronic trail of stolen AOL accounts and free Web pages led agents to raid the homes of a professional spammer and a credit card thief, both of whom snitched on Carr, naming her as the ringleader of the operation
She isn't the only one going down. But, sadly, there are still many more to go...
Remember: If you buy anything from spammers, you have a small penis.
No wonder I get so many email offers for Viagra and low-cost prescription drugs!
The article makes it sound like she wouldn't have got caught if an FBI agent hadn't been a recepient of the email. I hope this isn't the case and that the FBI is taking a more pro-active attack on this kind of thing than what the article seems to say.
... sounds like she got off a lot easier than those caught sharing music via p2p programs. Either the FBI should hire the MPAA or anyone swapping music online should start credit card fraud, it sounds like the lesser offense.
FLR
AOL Billing center sample page.
IANAL, but imagine a beowulf cluster of in Soviet Russia all your belong are base to us welcoming the new SCO overlords.
Danger Will Robinson, Danger! Rant Ahead!
Read on SecurityFocus, a 55 year old woman spammed an FBI computer crime agent.
Great. So what about:
...? It seems like every day I'm reading about how some guy got screwed over and the FBI/SP/Local cops just didn't give a shit enough to do anything about it, whether it was technology related or otherwise, because it wasn't sexy enough. Crime is crime is crime.
Case and point, you can pretty much scam anyone outside of your state and get away with it because interstate fraud laws have a $5,000 'ground floor'. That single law is probably the most responsible for the prolific fraud we've ever seen, virtual or otherwise. I could loose $4900 tomorrow and the FBI won't do jack shit. Some FBI nerd gets a scam email any moron would know not to answer, and they call out the swat teams. Faaaaantastic.
It's like the local cops who don't give a shit if your laptop, your radio, etc were stolen and hundreds of dollars in damage done to your car. But, mind you, they've got all day to sit out on 'speed patrol'...
Please help metamoderate.
Actually what it teaches us is
- Criminals don't wear stripes and sound like Cagney
- For any scam the best approach is to target the largest user group... more people means more idiots
- The FBI staff use personal email
This is exactly what you should expect, the FBI aren't a mixed race of mutant beings, and large crimes can be commited by pretty much anyone.
An Eye for an Eye will make the whole world blind - Gandhi
I once received an email with a link that said that I needed to "update" my eBay account with a new: credit card #, my SSN, DOB. The funny thing is I never had an eBay account - ever.
I was at a hotel in Houston one time and I wanted to use my calling card to call home. After following the directions listed on the phone a few times, i was redirected to some telco that I've never heard of, and someone came on the phone, asked for the number I was calling and my calling card number. He then asked for my PIN. I said no way. He then told me that he couldn't make the call. I hung up.
Later, at the airport, my card worked perfectly. I wish I got the name of the telco that was blocking access to my long distance company so I could have filed some sort of complaint with the FTC.
Is it common practice for hotels to block access to your long distance provider so that you have to use their company for help that they charge you for?
I've gotten so paranoid, I've repeatedly hung up on legitimate calls. It's unfortunate, but this shit is hurting legitimate businesses and making it harder for us consumers to know if we're being taken or not.
There is no spoon or sig.
The 22 year old guy she was working with thought he was breaking the law with a 20-something hottie instead of this 55 year old overweight felon from Akron. He must feel pretty stupid about now.
this story has more detail
Sorry, but it is incredibly naive of you to assume that only "computer idiots" fall for these scams.
They are very convincing... stealing all the branding of a legit informational email. I'll tell you, my mom and dad just cannot tell the difference between http://www.citibank.com/signup/account.jsp and http://www.citibank.com@192.168.0.1/acct.jsp.
These scams can be compelling to people who don't understand that ALL email should be untrusted, and that all URLs within email should be untrusted, and that all forms that you fill out should be untrusted.
I think everyone (not only "spammer") had such an "Oops" in her career. I remember when we counterattacked CIA agents scanning our network... I saw a host slowly and randomly syn/fin/null scanning (something like nmap --randomize_hosts -Tparanoid but with -sS, -sF and -sN changing randomly -- a custom patched nmap or something like that) our hosts, so I answered with directing a broadcast-magnified traffic to its class C (something like "smurf" but with custom tools using UDP and TCP as well as ICMP packets) to disable the offending host, having absolutely no idea that I saturated the backbone of ISP used by a CIA covert operation. Imagine my surprise when I saw agents knocking on my door... Fortunately after I described some of my techniques and explained to them that I am a security professional, not a cracker, they let me go but if I wasn't working for the government at that time I probably wouldn't write this now. I wonder what stories other slashdotters can tell about their biggest "Oops!"
Sincerely,
Pan Tarhei Hosé, PhD.
"Homo sum et cogito ergo odi profanum vulgus et libido."
You wanna know how gullable people are? As a joke last year, I coded a little password checking program, at my site. Users could check their password against a list of a million common English words, to see if their passwords were secure. There was a database with a million words in it, and each time someone put in their password, the site would tell them if it was in the list. It would also tell them that if they are stupid enough to give out the password to just anyone, then it's certainly not secure!
People would show up and type in something that looked like a real password, and then type in another password as a message to me -- along the lines of Fuck You on a Silver Platter, Asshole.
Hackinthebox.org posted the site and a pile of gullable flies* showed up to check their passwords. I'm guessing people from HiB would send the site to other unsuspecting people, as a joke. Thing is, eventually some pretty scared people were emailing me. I took it down after while. It was getting to be more annoying than fun.
There is always someone out there who is greedy or scared enough to be scammed online -- it's just sad when it happens to someone you know.
* flies: a fly is someone who gets stuck in the web, and a spider is someone who owns it.
There are certain items of the arcana that are only available to the wise. Ok, some MCSEs know them too, but only a few.
Do wish to have arcane knowledge and be the envy of your 133t friends? How on earth those spammers, well know for deep knowledge of the darkside, produce a cent sign when it isn't on the keyboard?
You (sir/madam) have been carefully selected as one the few who have what it takes to secret forces and such power right at your fingertips!
Don't be a clueless dork anymore. Just send $19.95. Your seat at the table of the Illuminati is waiting. . . for you (sir/madam)!!!
KFG
I hear you on the FBI thing. But consider: somewhere a just-not-worth-the-taxpayer's-money line has to be drawn. The FBI is seriously understaffed. (Go figure. The technologically astute are too proud to work for a measly $35K FBI salary, investigating tech crimes. Nooooo, gotta be making glamourous six-digit salaries on high-visibility programming projects.) But anyhow, the reason I'm posting is...
Unless you live in Andy Griffith Town, the officers who sit on speed trap duty are not the same ones who investigate theft. Different division, different rules, different salaries, therefore a different allocation of officers/resources/time/budget.
A traffic cop "sitting all day" on watch costs less than an investigating agent spending even half a day looking for stolen laptops chock full o' pr0n. It's harder to hire investigative officers and detectives, it's more expensive to train them and pay them.
You cannot apply a technological solution to a sociological problem. (Edwards' Law)
me: I've received 3 scam e-mails today which are trying to get me to give up my credit card number. Do you have a special card number I can give them that will set off an alert when someone attempts to use it, so that you can apprehend these people?
CC Company: No, but that sounds like a great idea.
me: Yes. Now do something about it.
What do you think the odds are that the idea ever got past the person I talked to on the phone?
Kind thoughts do not change the world
No. The ones I've seen use this:l IPaddre ssindotlessformat/
http://www.myrealbankname.com:whatever@rea
The "www.myrealbankname.com:whatever" before the @ is not a URL, but a value sent to the real site which is denoted by the "realIPaddressindotlessformat".
For example, cut and paste this into your browser:
http://www.kuro5hin.org:section@1109654166/
The above URL doesn't take you to Kuro5hin, it takes you to the Slashdot main page.