Last week, a not-particularly-detail-oriented scammer inserted themselves into a complaint against an ISP that was publicly posted to Twitter. The scammer pretended to be the ISP – Virgin Media – and direct-messaged a reply, trying to weasel a credit card number out of the complainer…
…without noticing that the complaint was coming from an infosec company… that then tried to trick the scammer into clicking on a link that would snare the fraudster’s IP address…
…resulting in a round-robin “I think you need to click that AmEx link!” vs. “No, really, you need to send a different credit card number – this one’s not working!” back-and-forth.
The UK-based penetration testing and cybersecurity company, Fidus Information Security, posted this account from director Andrew Mabbitt after he attempted to turn the tables on the scammers.
It all started with Mabbitt’s publicly posted complaint directed at Virgin Media on Twitter, he writes:
Yesterday whilst complaining to Virgin Media on Twitter about my broken internet I encountered a very interesting scam attempt. Within minutes of posting a complaint I got two replies; one from Virgin Media themselves in a public message and another from somebody purporting to be from Virgin Media in my DM’s. [sic]
”Hi there,” said the polite (and fake) help desk
Here’s the prompt, seemingly helpful, seemingly “yes you’re really talking to Virgin Media” reply from the scammer:
Hi there. What’s your full name and address linked to your account so we can help you further with this please? ^BP
Nice try, Mabbitt thought, suggesting that the scammer must be watching for keywords in real-time in order to get fake help responses out fast – fast enough so that the person behind the complaint tweet is still hot under the collar.
The account that sent the scam message – @virginscmedia – was “obviously a huge give-away” that the message wasn’t legitimate, Mabbitt said. It’s since been suspended, but before it went bye-bye, its profile showed that it was created in January 2019. Rather a tardy timeline for a major media provider to create a presence on a major social media site like Twitter, eh?
Nor did the account have any followers. Nor was the account following anybody. Hmmm.
It’s… fairly obvious the people behind the account target everybody and anybody and are not very selective. After all, it’s fairly obvious from my Twitter that I work in Cyber Security.
He tried to test how gullible the scammer was. Specifically, Mabbitt responded saying the account was in his brother’s name: Wade Wilson (also known as superhero movie character Deadpool). Mabbitt also got meta and gave the imposters an address for London’s Metropolitan Police Service.
The scammer replied within 20 seconds, in full-on help-desk-speak:
Thanks for the information, Andrew. Please allow me a minute to locate the account so I can help. ^BP
So polite! Next, the phisher set the hook:
Before we proceed, for security purposes of your account please provide the card number, expiry date, csc & card holder name linked to the Virgin Media account. If you don’t have access to this card it can be any card registered to the address. ^BP
Pick a card – any card!
So that’s what Mabbit did: he DM’ed what was purportedly an American Express card’s details. Mabbitt noted that it was an “odd attack” to launch against Virgin Media customers, given that most pay by direct debit rather than attaching a credit card to their accounts. The AmEx card details were actually a set of test details provided by PayPal, he said.
The lying scammer: That card’s registered under the same address, right?
The lying security analyst: It is indeed.
A bit of a lag ensued, likely while the scammer tried to authorize a payment on the fake card. When it didn’t go through, the scammer tried to get another card out of Mabbitt.
After the card didn’t authorize for the scammers, they tried to persuade their would-be victim into handing over details to another card. At the same time, Mabbitt had rigged a DM with a link that he was trying to get the fraudsters to click on. The link led to one of Fidus’s sites, about penetration testing, that would have captured their IP address.
The scammer wouldn’t budge. Mabbitt kept telling them that they had to click the link, and that what they were seeing was probably an authentication step that the scammer needed to click on. No, how about you click on it and send a screenshot, the scammer proposed. Nope, busy with a client, no can do, Mabbitt said.
They were adamant they needed another card, we were adamant we were going to get their IP address. It became a back and forward exchange.
The fictional “Error 522”
After it became clear that there would be no clicking and therefore no captured IP address, Mabbitt says Fidus faked a Cloudflare error message, hoping the scammer would click on it.
Never did I think we’d be faking both Cloudflare error messages and SMS’ to gain an IP address but we had come too far at this point to back out now.
Finally, the fake SMS, “Error 522” message worked. The scammer swallowed the bait. And after it took them to a site for a security firm, the scammer must have finally realized that they’d been had:
After sending a fake SMS message we received a click on our web server. At this point the game was up as the IP linked back to our website and we never received a reply back.
Fidus reported all this to Twitter, which suspended the account. It also informed UK police, “in the hope some action can be taken against those responsible.”
Please don’t feed the phish
We’ve written about numerous people who’ve scammed the scammers in myriad ways.
In 2016, there was Florian Lukavsky, director of application security services firm SEC Consult and an expert at these things. He scammed a group of whalers – those are phishers who go after the biggest fish of all: company execs with access to cash – by playing them at their own game. He played along with their scam, then sent them an infected PDF that he claimed was a transaction confirmation but which harvested personal information including Twitter handles and Windows credentials from the attacker’s machine. Inflicting malware like that would be illegal for most of us, but Lukavsky was working alongside police and passed the information on to them.
We’ve seen people do things like draw out conversations to waste the crooks’ time. One guy even cooked up an autobot to do the work for him: he’d forward calls to it, thereby automatically (and hilariously) wasting the fraudsters’ time.
As far as Ivan Kwiatkowski goes, his modus operandi was to infect a tech support scam caller with Locky ransomware.
There are a few big problems with surreptitiously manipulating other people’s computers, whether it’s to seek revenge or to pretend to fix them. For one, it’s illegal in most places. But that hasn’t stopped nations from adopting their own versions of (government-sanctioned) attacks on attackers in what’s known as hacking back.
In the US, the National Security Council recently sanctioned the practice for the military, in spite of issues raised by the infosec community.
As far as Mabbitt’s attempt to get an IP address out of his would-be attacker goes, as far as I know, it doesn’t stray into the legally risky realm of inflicting malware on a scammer. We hope the police, armed with an IP address, find the fraud perpetrator. IP addresses can be spoofed, though, so that’s not a given. In fact, the potential for spoofing the origin of an attack is one argument against hacking back.
At any rate, it’s not surprising that a phisher jumped on Mabbitt’s publicly tweeted complaint. It might feel good to complain about a company in a public tweet, since you know that they’re likely to respond. But it also sets you up: scammers will jump at the chance to pretend they’re helping you when they know you’re frustrated because you’re venting publicly, for everyone to see.
Instead, go the DM route for your customer care needs, or use another similarly private channel. We don’t need scammers to know what technology we’re using, when it’s not working, and when we’re frustrated with it. The less they know, the safer we are.