A recent sophisticated scam... even Security Guys get caught out!
This week I was contacted by some friends of mine, Mike & Rachel, who had been scammed. For background, Mike is a seasoned IT security guy, used to seeing scams; Rachel works in healthcare. Early this year Mike & Rachel got married (I had the pleasure of being invited to their wedding). A week ago Rachel listed her wedding dress for sale in a number of different places: eBay, Facebook Marketplace, Facebook buy, swap & sell groups, Gumtree etc. The dress cost well over $3K and it was being sold for $1.5K, a pretty good deal. The day after listing it on FB Marketplace and the FB groups, she received a request from an interested buyer. Now before I go on, in case you haven't read my book, Facebook Marketplace and Gumtree are absolutely rife with scammers and scams, so you should always be wary when listing and buying on these sites!
They gave me permission to share the chat logs so I can show you which flags were there but were missed in the moment.
Of course this was exciting news for Rachel; she needed the money for some car repairs etc. The FB Messenger chat log looks like this...
The 'lady', 'Adriaan', made contact with standard chatter and bargaining on price:
Now the sale advert had advised it was pickup only, as Rachel had no plans to go through the trouble of shipping such a massive dress. The conversation continued:
Rachel, after receiving this request, went in and spoke to Mike, asking if he could do a PayPal money request for the dress. This immediately flagged as suspect to Mike. Mike asked Rachel, "Why do they need PayPal, and why does it need to be express?" Mike's instincts and experience were kicking in at this point.
Now this is typical of scams: they always portray a sense of urgency and push unusual payment methods, like PayPal, money transfers, gift cards etc. They ask for express post so they receive the goods quickly, before the scam is detected and shut down.
But Mike told me that at the same time, Rachel thought maybe they just wanted buyer protection via PayPal, which is why they wanted it that way (which made sense to him); maybe they had a wedding coming up and something had happened to their current dress, hence the urgency. He was pretty confident he could suss it out if it was a scam. Mike agreed to PayPal.
He sent a request to [email protected] (a now known fake or compromised mailbox) for $1600 via PayPal's Request Money function,
and received a notification from PayPal with the description he specified:
Next set of comms exchanged between Rachel and the scammer:
As you can see above, the attacker is keeping the pressure on Rachel. Rachel advised the scammer that the request for the money was coming, and that she would send once the payment had been made.
At this point Rachel calls AusPost to confirm the potential costs. The scammer continues hassling Rachel.
Rachel agrees to wear the cost if it's over $100, because, hey, she's got pretty much what she wanted for the dress.
I know a lot of us reading this right now would be thinking "I would have picked up on it for sure by now", but in the moment, with emotions running high, a lot of people's judgement gets clouded.
Adriaan is back and keeping the pressure on:
She checks with Mike whether he received the notification. Mike checks his email (he is on his phone at the time).
Now at this point I should point out that Microsoft's Outlook mobile client is TERRIBLE at showing the actual sender address in the email pane; by default you only see the display name. This is the email Mike received: an absolute perfect match for the real email, no spelling or grammar mistakes, correct format. Note that under the subject line, the Outlook client shows Mike's email address, not the attacker's real address.
Reviewing the email further, Mike sees no obvious phishing signs: the transaction ID matches the one in the original email from the real PayPal, and the shipping address is a standard residential property (he looked it up on Google Street View).
And the rest of the email: all icons, logos, copyright, all standard stuff.
He checked PayPal, and the payment was showing as Pending. This is where Mike's temporary lapse in judgement happened; it happens to all of us, we're human. He told me he'd had a really long day and was just exhausted, hadn't slept well the night before either, and was sitting on the couch watching TV when this all went down, all common distracting and forgetful factors I hear about from people all the time.
In his temporary lapse of judgement he forgot to tap the circle next to the sender in Outlook to show the sender details:
which would have shown this:
The 'PayPal' email was actually sent from a naver.com address (a free Korean webmail domain), not from paypal.com. Additionally, this was Mike's first time using PayPal to request money, so although it showed as 'Pending' in PayPal (a money request stays Pending until the other party actually pays it, so Pending means no money has arrived), he assumed it would take a little longer to update after he received the notification (fatigue obviously at play here).
Within the same email he noticed it advised that he needed to reply with the tracking number for PayPal to release the funds. OK, makes sense, he thought; he didn't know the standard PayPal process, this being his first time. (The real PayPal does not hold a payment and release it once you email back a tracking number; that demand is the hook of this scam.)
Only in hindsight, Mike told me, did he re-read the emails and it clicked: hey, how did PayPal know it was for an item? It didn't ask for that during the money request. Hindsight is a beautiful thing. Anyway, back to the story.
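What the Outlook mobile preview hid from Mike is visible in the raw headers of any email. The following is an added example, not code from the original article: it parses a message's headers and flags the display-name spoofing, the mismatched Reply-To, and the absence of a DMARC pass for paypal.com. Both sample messages, the authserv-id mx.example.com, and the made-up naver.com local part are constructed for this example; the scammer's real mailbox is not reproduced.

```python
# Added example (not from the original article): the sender check that the
# Outlook mobile preview hid from Mike, done on a message's raw headers.
# Both sample messages below are constructed for this example; the scammer's
# real mailbox is not reproduced and the local parts are made up.
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr

EXPECTED_DOMAIN = "paypal.com"   # the domain the message claims to come from


def domain_of(addr: str) -> str:
    """Lower-cased domain part of an address, '' if it has none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def check_sender(raw: str, expected_domain: str = EXPECTED_DOMAIN) -> list:
    """Return the indicators found in the headers (an empty list means nothing flagged)."""
    msg = message_from_string(raw)
    flags = []

    display, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)

    # 1. The real address is not on the expected domain (or a subdomain of it).
    if from_domain != expected_domain and not from_domain.endswith("." + expected_domain):
        flags.append(f"From address is @{from_domain}, not @{expected_domain}")

    # 2. Display-name spoofing: the name looks like a brand address, the address does not.
    if expected_domain in display.lower() and from_domain != expected_domain:
        flags.append(f"display name {display!r} impersonates {expected_domain}")

    # 3. Replies would go somewhere other than the claimed sender.
    for _, reply_addr in getaddresses(msg.get_all("Reply-To", [])):
        if domain_of(reply_addr) != expected_domain:
            flags.append(f"Reply-To goes to @{domain_of(reply_addr)}")

    # 4. Authentication: DMARC must pass *for the expected domain*. A message sent
    #    from a free webmail account passes DMARC for the webmail domain, which
    #    is why check 1 matters more than this one. Only trust this header when
    #    the authserv-id (mx.example.com here, an assumption) is your own server's.
    auth = msg.get("Authentication-Results", "").lower()
    header_from = re.search(r"header\.from=([\w.-]+)", auth)
    if "dmarc=pass" not in auth or not header_from or header_from.group(1) != expected_domain:
        flags.append(f"no DMARC pass for {expected_domain} in Authentication-Results")

    return flags


# Constructed sample 1: the scammer's message at header level.
SPOOFED_SAMPLE = """\
From: "service@paypal.com" <made-up-account@naver.com>
Reply-To: made-up-account@naver.com
To: mike@example.com
Subject: You have a pending payment of $1,600.00 AUD
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=naver.com; dkim=pass header.d=naver.com; dmarc=pass header.from=naver.com

Reply to this email with the tracking number so we can release the funds.
"""

# Constructed sample 2: a genuine notification, which passes DMARC for paypal.com.
LEGIT_SAMPLE = """\
From: "service@paypal.com" <service@paypal.com>
To: mike@example.com
Subject: Payment received
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=paypal.com; dkim=pass header.d=paypal.com; dmarc=pass header.from=paypal.com

You received a payment.
"""

if __name__ == "__main__":
    for name, sample in (("spoofed", SPOOFED_SAMPLE), ("legit", LEGIT_SAMPLE)):
        print(name, "->", check_sender(sample) or "nothing flagged")
```

Run against the spoofed sample it reports four indicators; against the genuine one it reports nothing. The design point worth noting is check 4: the scammer's mail can pass SPF, DKIM and DMARC perfectly well, because those protect the naver.com domain the mail really came from, not the brand name in the display name. The decisive check is the one Mike would have seen by tapping the sender: the address is simply not @paypal.com.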
Mike confirmed to Rachel that the email had arrived, and Rachel let the scammer know it was received. The scammer then asked for the adverts to be taken down, which Rachel did.
The shipping address was indeed listed in the 'PayPal' email. Further comms:
Lots of classic social engineering in the chat. The next day, the scammer is back:
They are keeping the pressure on, trying to get the package out ASAP. The package is prepped and taken to the post office by Rachel; the cost to send is $136, and this is at 10AM.
Mike replies on his phone to the 'PayPal' email with the tracking number (which Rachel had already sent to the attacker).
Now it should be obvious to you reading this blog that these emails are being created by the scammers on the fly, very very fast, and timed really well with the social engineering happening via Facebook Messenger at the same time: a two-pronged approach involving, basically, two victims and one scammer.
The conversation continues; note the scammer never answers Rachel's questions about when her wedding is etc.:
At this stage Mike is finally back in front of his PC. Rachel is chatting with Mike and he advises her he sent the number. Then another email arrives from the scammer. This time Mike is in front of his PC and can pick up everything in the one pane, such as the dodgy domain, the unformatted email etc.
You would think the scammers would have put more effort into these next emails, as they did with the 'PayPal' emails.
The penny drops for Mike. Oh Crap.
He immediately does a whois on the domain naver.com: it is registered in Korea. naver.com is a large Korean web portal that offers free webmail, so the 'PayPal' emails were coming from a free mailbox, not from paypal.com:
Damn!
While Mike investigates he gets another email come in, in the same format, masquerading as PayPal. Dodgy text and graphics, no logos, same domain etc. This one says:
We are really sorry for the late response. We encountered a little problem while crediting your PayPal account, you have a pending payment of $1,600.00 AUD but we have a problem crediting your PayPal account with that amount because your account is not a premium business account, your PayPal account has a small limit of an amount that can be deposited into it therefore you are required to quickly expand the limits of your PayPal account to enable your account to have a fund maximum limits.
You can take this few steps to expand your limit:
Contact the last payer of your account, Adriaan Van Zyl, to send in an additional payment of $950.00 AUD so that your account limit can be expanded, as soon as this is done, we will credit the total amount of $2,550.00 AUD into your account immediately without any further delay.
Note: that an alert has also been sent to Adriaan Van Zyl, regarding the $950.00 AUD additional payment he has to send to you, we will secure this transaction with high priority so that neither the buyer nor the seller will lose their funds in this transaction.
Mike immediately calls Rachel in. As she walks into the room, she says "hey, I just got this from the buyer..." Mike tells her to immediately cease all comms with the scammer, and that they need to get the shipment cancelled right away!
He tells Rachel that if money had actually been sent, he would have received an email like the one below from paypal.com confirming that a payment was received, which never happened.
Now the scammer is back at it with the two-pronged attack, claiming he got this email from PayPal and has been advised they will send the extra money if Mike and Rachel promise to send it back... they are going after extra money on top of the goods, it seems, and if Rachel had agreed, they would surely have sent another fake email saying the payment had been made and got the victim to transfer the money to them; then they would have both the goods and the cash.
You would think at this point the scammer would know they are on to him/her. Mike explains all this to Rachel and she drives down to the post office immediately while Mike is on the phone to AusPost, whoever can get through to them first (this is 2PM at this stage). It's typically a 20 min wait to talk to AusPost, Rachel told me.
The jig is up.
Mike got through to AusPost; they advised that they have been seeing a massive influx of these types of scams in this format. A stop-and-hold request is logged. Unfortunately Rachel missed the pickup of the package by 30 mins; it had been collected only 30 mins before she arrived at the post office, so now it's in transit, and AusPost advised that once it's in transit there is no guarantee it can be stopped. Both Mike & Rachel assumed it could be stopped because it hadn't yet reached the Melbourne depot etc. An anxious wait overnight. The next day Mike checked his app and the package had arrived in South Australia. WTF! Rachel called AusPost and confirmed the package had indeed been stopped, but this wasn't yet reflected in the app.
Lucky for these two, they are only $136 out of pocket, instead of $3,136 if they had lost the dress as well. Unfortunately these sorts of attacks are really commonplace; the scammers are getting faster, more efficient and better at what they do. Just have a look at the scam stats from ScamWatch for last year. Reading this, you can see how older folk and pensioners get so easily scammed when the attacks are at this level of sophistication. To avoid being scammed like Mike and Rachel, here is my guidance:
Here are the IoDs (Indicators of Dodginess) to look out for:
Please like and share this article to help spread the word about scams and to help educate people as to what they need to be on the lookout for!
#danweis #hackproofyourself #scams #paypalscams #auspostscams #marketplacescams #facebook #facebookscammers #facebookscams #scamwatch
HR Advisor & Projects Lead (1 year ago): This literally just almost happened to me! Thank you for your article, it confirmed my suspicions!
Actively searching for careers in Graphic Design (1 year ago): Just got this email, had me draw them a picture, complete waste of time.
Current Applied Technology major (1 year ago): Just happened to me. Same strategy, same email. If you are careful, it is not hard to detect the red flags. What is also annoying is the waste of time.
HR Director at Multinet (Peru) (1 year ago): I was caught just now! But luckily I very quickly understood that they were scammers. Thanks to your article I was convinced that I was having a conversation with a rogue.
Freelance Graphic Designer at Pekerja lepas (1 year ago): It's the same with my case.