[conspire] Trolling for fraud victims

Nick Moffitt nick at zork.net
Wed May 26 00:18:57 PDT 2021


I use a Firefox extension called "Cookie AutoDelete".  This ensures that the moment all tabs for a given site are closed, any cookies or stored data sent to my computer by that site are flushed.  It has configuration settings to allow me to set expiry to the life of the overall browser session or (for sites I genuinely want to stay logged in to, such as resources for work or my own sites or sites I trust like Metafilter) to allow them to last forever.

The result of this is that I get a fresh "We know nothing about you" set of recommendations from YouTube every time I visit.  (I have other means of being notified when a channel I enjoy, such as Tom Scott's, Technology Connections, or PhilosophyTube, has updated.)  At one point there were some high-profile scam-the-scammer channels featured prominently in this default list.  And of course once I clicked one, I'd see recommendations for more until I closed that tab.

The videos focus heavily on revenge exacted against these boiler-room operators, who are likely merely the fingers of a larger pan-exploitative operation, but their approaches are:

	1. Wasting operator time.  Every minute you spend pretending to be hapless while they root around in a playground VM you've given them...well, that's another minute they're not scamming someone genuinely at risk.
	2. Tracing details of the operations.  Very often the boiler rooms have a lot of back-chatter going on in the background in another language.  Since these channels are live-streamed, there's a text-chat audience who can pipe up and say "I just heard them say in [Urdu/Ukrainian/Uzbek/whatever] they'll want you to send money to a mule named Jennifer!"  Sometimes these turn into multi-episode seasons where they track down the destinations of their fake payment parcels to the mules (many of whom are victims who were led to believe that the scammers are also some kind of service to help them get restitution for an earlier scam!).
	3. The door goes both ways.  Most of the scammers who access victims' computers don't have the best IT security themselves, and these remote desktop applications often have an FTP-ish connection back to their machine for some reason.  Some of these (edited) videos spend about 60% of their runtime showing the presenter acting helpless and confused, talking in circles while deleting the scammer's own files.



On 25May2021 05:51pm (-0700), Rick Moen wrote:
> Someone I know was _very nearly_ catastrophically taken by one of these.
> It's designed to outrage the recipient into calling to 'cancel' the 
> overpriced and unrequested alleged billing.  Why?  I'll get to that in a
> moment.
> 
> First, notice that the alleged "Order Confirmation" doesn't state my
> name, or even a partial credit card number of how I allegedly agreed to
> pay this alleged billing.  That's because this is the usual broadcast
> scam, and they didn't even know anything about me.
> 
> The near-victim I was talking about:  I happened to be there when the
> near-victim telephoned the scam mail's (in that case) area 866 telephone
> number, reaching a boiler-room operator, and complained that he or she hadn't
> ordered anything, let alone some outrageously overpriced service.  This 
> is where the social-engineering magic occurs:  The boiler-room operator 
> _very nearly_ convinced the intended victim to install remote-desktop 
> software, which he claimed would be necessary to cancel the "service".
> 
> This would have been absolute ruin for the victim, as the bad guys would
> now be able to get into absolutely all of the victim's financial,
> medical, and personal affairs invisibly as if the bad guys were the
> victim.  The victim would have had an epic security meltdown, and 
> was _right about_ to do as requested when I said "NO.  UNDER NO
> CIRCUMSTANCES SHOULD YOU EVER DO THAT."
> 
> The intended victim did not even have any comprehension of what
> remote-desktop software does, or why it should be relevant to cancelling
> an erroneous billing.  (It isn't.)  And this is how the scam works:  
> Anyone who's so inattentive as to call them _may_ be inattentive enough
> to hand over total control of the person's computing to malign
> strangers.
> 
> In this case, the person got to within a few mouse clicks of that.
> 
> 
> ----- Forwarded message from Billing Team <francinadelessio010 at gmail.com> -----
> 
> Date: Tue, 25 May 2021 18:16:56 +0000
> From: Billing Team <francinadelessio010 at gmail.com>
> To: "rick at linuxmafia.com" <rick at linuxmafia.com>
> Subject: Order Confirmation
> 
> 
> 
> 
>    Alternate text
> 
> 
>    Dear rick at linuxmafia.com,
> 
>    Thank you for your purchase through GeekSquad . This email is to inform
>    you that your annual subscription with GeekSquad is renewed. Here is an
>    overview of your purchase:
> 
>    Invoice Details:
> 
> 
>    Invoice ID: 87456T147106
> 
>    Invoice Date: 25th May 2021
> 
>    Payment Method: Online
> 
>    [1]Download invoice as PDF
> 
> 
> 
> 
>    Your Purchase:
> 
> 
> 
>                                Alternate text
> 
> 
> 
> 
> 
>    Protection360
> 
> 
>    $229.90
> 
> 
>    Sub-total
> 
> 
>    $229.90
> 
>    Sales tax (VAT)
> 
> 
>    0.00
> 
> 
>    Total
> 
> 
>    $229.90
> 
> 
>    To upgrade/cancel your subscription, please contact our customer
>    service desk given below. (Working Monday-Saturday, 8AM – 8PM EST)
> 
>    +1(850)220-0033
> 
> 
>    Sincerely
> 
>    Team GeekSquad
>    [1280px-Geek_Squad_logo_%28old%29.svg.png]
> 
> 
>    IMPORTANT: Please do not reply to this message or mail address. For any
>    issues, please reach our Customer Contact Centre
> 
> 
>    ©GeekSquad Ltd. All Rights Reserved
> 
>    [2]Terms & Conditions | [3]Unsubscribe
> 
> References
> 
>    1. file://localhost/tmp/mutt.html
>    2. file://localhost/tmp/mutt.html
>    3. file://localhost/tmp/mutt.html
> 
> ----- End forwarded message -----
> 
> _______________________________________________
> conspire mailing list
> conspire at linuxmafia.com
> http://linuxmafia.com/mailman/listinfo/conspire
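
The indicators Rick Moen points out in the forwarded mail (no recipient name, no partial card number, a cancel-by-phone call to action), together with the freemail sender visible in its headers, as an added example that is not part of either post: a Python triage check run over constructed sample messages. The freemail list, the regexes, the indicator names, and the sample addresses and phone number are all assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

FREEMAIL = {"gmail.com", "outlook.com", "yahoo.com"}  # assumed, not exhaustive
PHONE = re.compile(r"\+?1?\s*\(?\d{3}\)?[\s.-]*\d{3}[\s.-]*\d{4}")
CARD = re.compile(r"(ending in|last (four|4)|[x*]{4})\D{0,12}\d{4}", re.I)
BILLING_NAME = re.compile(r"billing|invoice|accounts?|support", re.I)

def callback_scam_indicators(raw):
    """Return the indicator names that fire for one plain-text message."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    name, addr = parseaddr(msg.get("From", ""))
    _, rcpt = parseaddr(msg.get("To", ""))
    hits = []
    # A "billing department" writing from a free webmail domain.
    if BILLING_NAME.search(name) and addr.rpartition("@")[2].lower() in FREEMAIL:
        hits.append("billing-sender-on-freemail")
    # Broadcast mail: the sender knows only the address, not the name.
    if rcpt and re.search(r"dear\s+" + re.escape(rcpt), body, re.I):
        hits.append("greeting-uses-address-not-name")
    # A charge is claimed but no partial card number says how it was paid.
    if re.search(r"\$\s?\d", body) and not CARD.search(body):
        hits.append("charge-without-payment-detail")
    # The only way offered to cancel is to telephone the sender.
    if PHONE.search(body) and re.search(r"\bcancel", body, re.I):
        hits.append("cancel-by-phone")
    return hits

# Constructed samples: placeholder addresses and a fictional 555 number.
SCAM = """\
From: Billing Team <sender-placeholder@gmail.com>
To: user@example.com
Subject: Order Confirmation

Dear user@example.com,
Your annual subscription is renewed. Total: $229.90
Payment Method: Online
To upgrade/cancel your subscription, call +1(850)555-0100
"""
LEGIT = """\
From: Example Store <orders@store.example>
To: user@example.com
Subject: Your receipt

Dear Pat Doe,
We charged $19.99 to your Visa ending in 4242.
Manage or cancel your plan from your account page.
"""
```

No single indicator is conclusive; the point is that the forwarded mail trips all four at once while an ordinary receipt trips none.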


