USPS Text Scammers Duped His Wife, So He Hacked Their Operation (wired.com) 61
Security researcher Grant Smith uncovered a large-scale smishing scam where scammers posing as the USPS tricked victims into providing their credit card details through fake websites. Smith hacked into the scammers' systems, gathered evidence, and collaborated with the USPS and a US bank to protect over 438,000 unique credit cards from fraudulent activity. Wired reports: The flood of text messages started arriving early this year. They carried a similar thrust: The United States Postal Service is trying to deliver a parcel but needs more details, including your credit card number. All the messages pointed to websites where the information could be entered. Like thousands of others, security researcher Grant Smith got a USPS package message. Many of his friends had received similar texts. A couple of days earlier, he says, his wife called him and said she'd inadvertently entered her credit card details. With little going on after the holidays, Smith began a mission: Hunt down the scammers. Over the course of a few weeks, Smith tracked down the Chinese-language group behind the mass-smishing campaign, hacked into their systems, collected evidence of their activities, and started a months-long process of gathering victim data and handing it to USPS investigators and a US bank, allowing people's cards to be protected from fraudulent activity.
In total, people entered 438,669 unique credit cards into 1,133 domains used by the scammers, says Smith, a red team engineer and the founder of offensive cybersecurity firm Phantom Security. Many people entered multiple cards each, he says. More than 50,000 email addresses were logged, including hundreds of university email addresses and 20 military or government email domains. The victims were spread across the United States -- California, the state with the most, had 141,000 entries -- with more than 1.2 million pieces of information being entered in total. "This shows the mass scale of the problem," says Smith, who is presenting his findings at the Defcon security conference this weekend and previously published some details of the work. But the scale of the scamming is likely to be much larger, Smith says, as he didn't manage to track down all of the fraudulent USPS websites, and the group behind the efforts have been linked to similar scams in at least half a dozen other countries.
In total, people entered 438,669 unique credit cards into 1,133 domains used by the scammers, says Smith, a red team engineer and the founder of offensive cybersecurity firm Phantom Security. Many people entered multiple cards each, he says. More than 50,000 email addresses were logged, including hundreds of university email addresses and 20 military or government email domains. The victims were spread across the United States -- California, the state with the most, had 141,000 entries -- with more than 1.2 million pieces of information being entered in total. "This shows the mass scale of the problem," says Smith, who is presenting his findings at the Defcon security conference this weekend and previously published some details of the work. But the scale of the scamming is likely to be much larger, Smith says, as he didn't manage to track down all of the fraudulent USPS websites, and the group behind the efforts have been linked to similar scams in at least half a dozen other countries.
Tainted evidence (Score:1)
Great work but, sadly, his evidence will most likely be deemed inadmissible in court because it was obtained via criminal means of hacking. The court won't care about his noble motives.
We should get the next best person now (Score:2)
Thank you Mr Smith, you have done your part.
I think this is where Damm Van comes in to kick some a$$.
Jurisdiction (Score:5, Informative)
his evidence will most likely be deemed inadmissible in court because it was obtained via criminal means of hacking. The court won't care about his noble motives.
(From the summary *):
The US court probably doesn't have jurisdiction where the perpetrators are most likely to be right now, to begin with.
So wether it's admissible in court or not plays zilch.
At best, the gathered information could be used to ask a few US-based companies to cancel a couple key services and close some accounts that the foreign gang was using.
(* I know that to not RTFA is peek /. , but at least going beyond the title and reading the summary could be worth doing sometimes. Yes, I know you'll lose precious seconds in trying to land a witty frost piss)
Re: (Score:2)
They could cancel the 438k credit cards and prevent the victims from losing money, as well as letting them know to change the details they can.
"The US court probably doesn't have jurisdiction where the perpetrators are most likely to be right now, to begin with."
There are authorities in China. They probably don't care and if you tell them and they do care you have to be good with seeing them in the next round of the bodies exhibit.
Re:Tainted evidence (Score:5, Insightful)
Its not about gathering evidence to use in court, its about gathering information that can be used to shut down web sites and domains, cut off access to services and accounts and give banks and credit card companies information to help them stop scam/fraudulent transactions.
Re: (Score:3)
If the chinese government wants to punish them they are screwed. Chinese authorities don't let little things like tainted evidence or even not having evidence stop them. But the Chinese government probably doesn't care so long as the victims aren't in China.
Re: Tainted evidence (Score:2)
Depends on the jurisdiction. "Fruit of the forbidden tree" is a thing in the US, but not everywhere in the world.
Re: (Score:2)
"Fruit of the forbidden tree"
I think you mean "Fruit of the poisonous tree [wikipedia.org]".
"Fruit of the forbidden tree" has an entirely different context.
Re: (Score:2)
Great work but, sadly, his evidence will most likely be deemed inadmissible in court
I do not know if this is true, we need a lawyer. Smith was not working for a Law Enforcement Agency, so make it will be allowed.
Re: (Score:1)
You may not be able to use that part of the evidence, but the actual operation probably does a lot more that wasn't touched, such as wire fraud for transferring the funds after the credit cards were used, posing as a federal (USPS) agent. That's why you generally get multiple charges on these kinds of events, even if some need to be dismissed, there will be others that stick.
Re: (Score:2)
*crosses eyes* some real dunning-kruger energy here
I got a text like that (Score:3)
It was obviously a scam, I am amazed anybody fell for it.
Re:I got a text like that (Score:5, Insightful)
It's only obvious to those of us who are in the IT industry / are deeply cynical and look hard at the email address being used etc etc. Most of the population are relatively ignorant and trusting; this is, on the whole, a good thing as the world works better as a result.
Despite being cynical and in IT, I fell for a scam once. It happened to refer to a delivery from a genuine company that I had received. After submitting the form I realised my mistake and had an embarrassing conversation with the security people at my credit card provider. Happily they were able to resolve the issue and didn't even feel the need to issue a new credit card. So let's not victim blame and remember that many computer users are older people who have no reason to be distrusting and probably nobody to warn them.
Re:I got a text like that (Score:5, Insightful)
It's not, strictly speaking, a matter of trust: It's a question of "How does a credit card help the 'mailman'?" instead of asking, "How do I make this 'problem' disappear now, Now, NOW?" Then, the answer is obvious. You say you fell for it, but you realized quickly, the questions didn't relate to the problem. I imagine you failed to ask a similar question, "How does a credit-card help the package I already have?".
Re: I got a text like that (Score:5, Informative)
Re: I got a text like that (Score:2)
No, but I play one on TV
Re: (Score:2)
For me, it was an Y! account. Ugh.
Re: (Score:2)
I got one of these, and it was a text. You can't easily see where a link in a text goes. Or maybe you can, but since smartphone don't come with an instruction manual I certainly don't know how to do that. But it's obviously a scam because I was not expecting any package. If I had been expecting a package I would not have expected any texts regarding it, official business doesn't happen on phones when you're my age or have my skepticism.
Rush (Score:5, Interesting)
I am amazed anybody fell for it.
You're in a rush. Baby is screaming in the background, you're leaving tomorrow for vacation with the whole family and haven't even starting packing yet.
You actually have a genuine order that you're waiting delivery of.
Your article that you absolutely need before departing is delayed (with the poor tracking giving some generic "in transit" status).
This is an article from abroad, import tax is likely to be involved, and you know it's going to be complicated.
You finally receive an e-mail from the postal services asking you for the CC (for the import tax?)
e-mail visually looks like all the other from the postal service,
but in your rush you forget to check the parcel's tracking number (or it's shipped through some el-cheapo service that change tracking number 3 times along the way(*) and your post service support for such weird tracking is broken anyway)
and you don't check the destination URL which is actually your-post-service-com.actually-else.ru or worse, an actually hacked server belong to the same group à la wordpress-blog.your-post-service-com/hacked (This is way normally you never click buttons on e-mail, even genuine ones, but always navigate from the log-in page of the service. But today you're in a hurry, and clicking the short cut is tempting, and the official server is a pain to navigate **)
Also because you're in a hurry you didn't pay attention to some tell tale details, like the e-mail telling you to urgently pay the import tax or your parcel is going to be destroyed within a week,
or the import tax being ridiculously low (***),
(or depending of where you live, the wrong language/dialect and/or currency if your country of residence has multiple of those).
Obvious scams are only obvious to somebody who can calmly sit down and think it through, not completely in a rush.
Sound's like a very contrived example?
Hey, guess what Cory Doctorow him-self got scammed by abusing an "in the rush" situation [pluralistic.net].
(*): That's actually the case with some cheap Ali Express shipping options.
(**): My mom's bank has a web interface that is as fuggly as early hotmail dot com. She's not stupid, so she never clicks e-mail buttons. But it means that she needs to skype me or my brother for help whenever she needs to navigate this mess to find some function.
(***): I know that scammer ask first for ridiculously low sums in order to not trigger bank's full verification, but if you think that my postal service could charge "EUR 1,29"... you're two order of magnitude too low, and not even the right currency.
Re: (Score:2)
Unfortunately, domestic mail doesn't recognize international mail until it clears customs. There are international tracking services and they usually recognize when a parcel is given a new tracking number (in the international sorting centre).
Good practice. Because banks use a page-template (with a fixed URL), you should be able to bookmark the desired functions: They won't work until she is logged-in.
Re: (Score:3)
Re:I got a text like that (Score:5, Funny)
* you're
Re: (Score:2)
It's an interesting epistemic question: take any given person across the spectrum of intelligence, then ask them if they are above average or not. How many of them answer correctly, and how many are deluding themselves? How would they even know?
Re: (Score:2)
But for a single person, most people are, in fact above average. Of course the same can be said for most people being below average.
Re: I got a text like that (Score:2)
Welcome to Lake Wobegon.
Re: (Score:2)
Re: (Score:2)
For every lock, there is a key. For every human, there is a scam that works.
You wouldn't fall for this one, but there is certainly a way to hack your brain, too. We've all been scammed, one way or another.
Trust me, you are not immune.
Re:I got a text like that (Score:4, Insightful)
It was obviously a scam, I am amazed anybody fell for it.
Yes, I was going to start this exact thread, but you beat me to it. I know my IQ is far below where I'd like it to be, but I only need to know 2 things, that the email describes some crisis or negative thing to scare me, and a link to click. I simply don't click the link, and send the email directly to trash. That isn't that hard, and I don't think requires an IQ much above room temperature. How these people click their way thru life and get taken advantage of is a mystery to me too.
A bit tougher is an email supposedly from a friend with a link to show some photos he's taken or other mildly interesting thing without the attempt to scare me. That's harder. Any more, I send an email, "Hey Jim, did U send this?" Or sometimes I am certain it's bogus 'cuz I haven't heard from the guy for 7 years. But wow, people don't seem to think any more than they watch where they're going when walking across the street or driving a car. Look at Facebook Videos and see people apparently driving cars and riding motorcycles while sleeping, and plowing into stopped traffic without so much as glancing at the brake pedal or lever. Good grief, it's amazing how people don't drown from looking up into a rainstorm like some birds are said to do (but the birds are actually much smarter than that.)
Re: (Score:1)
A slyer mechanism for scams is the one the former gov. of Maryland, Hogan, is pulling with the help of his political party; the goal is to get you to help them buy the election. They send you a check for $35 and then ask for a donation to Hogan for $35 and claiming it will be matched by his political party. It is a despicable ploy. The issue is not that it offended me (it did). The issue is they believe it is okay to buy an election. Acid test: ask yourself what the founding fathers of America would think a
Re: (Score:3)
The number of people who experience things that they had previously thought they were "too smart" for or "too hardworking" or "too wealthy" or "too nice" for or .. whatever, is in the billions. The point is, it's very easy to say "That wouldn't happen to me" but it ultimately means fuck all. You'll know how it happens after it happens to you, because it would be under a set of circumstances that is useless for you to contrive. The empathetic and frankly, correctly logical thing to do would be to assume you
Re: (Score:3)
There are tons of people out there whose lives do not revolve around technology though and just don't think of it the way most users on this site do.
In other words, when you spend considerable time using computers there will be things that seem like complete common sense to you that just arent to an awful lot of people.
Re: (Score:2)
It would be easier to recognize scams if legitimate companies stopped using e-mail marketing services to fulfill their requests.
I regularly get e-mails from companies I know, but when I look at the links in their messages, they have heavily encrypted queries and use something like "serve-stuff.serve-ad-marketservices.com" as the domain. Yeah, like I'm going to click on that.
Everybody is responsible for this mess, and nobody cares. Sometimes I feel that there's no sense of ethics at all in this industry.
Re: (Score:2)
Obvious to me. But let's say someone is 30, and they use the phone all the damn time, they even PAY for stuff using the phone. Official business being done by phone seems normal to them. Also, they get an Amazon delivery every freaking day, because they're under 30 and don't know how physical stores work.
So they ARE expecting a package, which feels normal, and someone wants payment, which seems inconvenient but normal, and it's via text instead of mail, phonecall, or email, which is great because they ONL
Re: (Score:2)
Same, I've seen at least one within the last month. Blocked/reported. I used numlookup and it was a cellphone not a VOIP # that sent it.
Re: (Score:2)
It was obviously a scam, I am amazed anybody fell for it.
Not me, these were Cell Phone txt messages and many people have they payment info linked to their Cell.
So a person in a hurry with kids screaming/fighting could very easily press "Yes OK", not thinking about what they are doing. It is way too easy for people to make payments these days, almost impossible to get a refund.
obviously a scam - why it works (Score:3)
It was obviously a scam, I am amazed anybody fell for it.
Part of the problem is many legitimate entities send messages that look like scams. How many times do you get an email from company X saying please log into your account and here is the link to X.com? How many times do you get phishing training at work and the training involves following a link and to the training and entering your employee training and then YOU get in trouble for trying to blocking the website because HR actually did send the email?* How many times do you get a call from your bank/credi
Re: (Score:2)
I almost never get an email saying to log into my account that is legit. And never with text. You can ignore it all; if it is from a legitimate financial institution then they will send an actual mail letter. Unless you foolishly signed up for some online-only service which do exist but I hope smart people avoid them. After all, such institutions KNOW that any such email goes into the spam folders automatically, and they KNOW it is an unreliable communication method.
Re: (Score:2)
It was obviously a scam, I am amazed anybody fell for it.
The thing is, these sorts of scams hit people at different points in life.
If you’re already anxiously waiting for an urgently needed package, a message like that might hit you when your guard is down because you’ll do anything to make that package arrive sooner. Over on Nextdoor, we saw neighbors who’ve been annoyed at the various mail carriers leaving the “you weren’t home” notices when they were waiting at home for the package, so these scams played right into the preco
Re: (Score:2)
99.999% of people who receive it will throw it away as it's either a scam, or irrelevant to their lives at the moment (e.g., they're not expecting a package).
It's the 0.001% - likely someone who IS expecting an international package, which they known needs payment, that will likely fall for it. They are expecting a package that needs some money paid on it.
You can do the same with any other company - the vast majority of people will toss it - knowing i
Coming up next. (Score:2)
Re: (Score:2)
Only if he doesn't post about politics online- then DoJ is coming with CFAA charges.
In a virtuous society this man would be a hero.
How dumb can people be..... (Score:3)
Re: (Score:2)
That's my question, too. How did this guy's wife "inadvertently" enter her credit card details? Most of the time people STUPIDLY enter personal details in response to these scams.
USPS is somehow designed to enable scams (Score:2)
You know how people are getting rocks in the mail and such? Somehow the scammers are able to trick the USPS into accepting a package WITHOUT IMAGING IT. They claim they sent you something, you even get a delivery notification with a tracking number, they send some rocks to someone else under that tracking number AND TO THEIR ADDRESS, and then when it gets delivered YOU get a notification FROM USPS saying that the package was delivered. eBay (or whoever) also gets it and the transaction is recorded as comple
Re: (Score:2)
How do they get paid if I never gave anyone my credit card number?
Re: (Score:2)
The nature of the scam is that you order stuff, you get a notification from USPS with a tracking number and your address, but then when the package is accepted it is for some reason not photographed and yet it passes through the system (where the labeling is automatically photographed for routing purposes, but then supposedly not stored) without you ever being able to view the images of the package, and then it winds up delivered to some other address. And instead of the thing you ordered, it contains rocks
The hosting services who backed this operation (Score:4)
Alibaba - 494 domains
Cloudflare - 524 domains
nxdomain/servfail - 97 domains
I'm not surprised even a little bit.
Re: (Score:2)
If you are a citizen of the US.. (Score:2)
Pay attention!
Should have rm'd them instead (Score:2)
First sign of suspcious activity ... (Score:2)
You need a phone number? Here's my Western Electric Model 2500 land line Go ahead and text me, if you can. Legit services (my bank, for example) have no problems sending security codes to me.
Whaaa! It's an emergency! Then it'smy fault for not arranging delivery with some allowance for delay. How did we ever live before technology could yank our (very short) leashes?
He should have (Score:2)
The old "live by the sword, die by the sword".
Chinese you say? (Score:1)