🚨PSA: Uber Eats Scam🚨

There’s a scam being run on Uber Eats and I got hit.

* Brand new bicycle delivery “driver” acct
* They use GPS spoofing to fake being at the dropoff
* They message you once, then ignore you for 30 minutes
* Can’t call, their phone number is fake
* They mark your order delivered
* Uber support instantly dismisses it
* Can’t call Uber, no phone #

This WaPo reporter was scammed twice and wrote a summary:
https://nitter.net/chrisd9r/status/1666900028848308224

🚀 and/or tell ppl to stop using Uber Eats

Chris Dehghanpoor • chrisd9r.bsky.social (@chrisd9r)

Anatomy of an @UberEats scam: Bike courier "picks up" order. They idle @ pick up spot after picking up. 10-25 min later, GPS suddenly shows they're @ delivery location. Order's "delivered" - but nowhere to be found. Here's how it works & why it's bad for drivers & customers

I hate that this looks like an engagement tweet, but I feel like the message here is super important and non-tech people won’t understand the GPS spoofing part of the scam unless they’re already aware of what it looks like.
Here’s my full writeup that I shared with the reporter

@landonepps Any good articles/videos on how scammers are able to spoof GPS for something like this? I've never heard of it, but now I'm curious.

@mikenichols Whatever I got hit with is probably not public. I know Uber tries to detect this, so I’m guessing the scammers are using a new exploit.

But here’s one for iOS: https://github.com/Schlaubischlump/LocationSimulator

I think the scammers are most likely using a rooted Android device or a hacked app.
Here are some Android apps that people are selling(?) that do GPS spoofing:
https://youtu.be/hfos8ZpLIl8
https://youtu.be/6_IqzZCCqOw

GitHub - Schlaubischlump/LocationSimulator: MacOS application to spoof / fake / mock your iOS / iPadOS or iPhoneSimulator device location. WatchOS and TvOS are partially supported.

@landonepps Ah! So they're likely creating their own app/web-service that uses Uber's APIs? Obviously we don't know for sure, but I was thinking they were still using the Uber app itself somehow.

@mikenichols I’m not entirely sure. It looks like the Android examples I found are a separate app that sets the gps location in the OS and this gets passed through to the actual Uber app.

But it’s also possible that they also patched the Uber app to remove spoofing detection. I don’t think it’s purely a hacked Uber app because that would be incredibly hard to implement.

@landonepps Ah I see, yeah it would be really hard. This is really interesting though, thank you for sharing the details! I'm no security expert, but I've always been curious about what we/companies can do to prevent scams. There are so many!
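
A server-side plausibility check for the pattern described in this thread (courier idles at the pickup spot, then the GPS fix suddenly shows the dropoff), as an added example that is not part of the original posts and not Uber's own detection logic. The `Ping` type, the 45 km/h bicycle ceiling, the distance thresholds and both sample tracks are constructed assumptions.

```python
import math
from dataclasses import dataclass

MAX_BIKE_KMH = 45.0  # assumed ceiling for a bicycle courier (hypothetical, tune per fleet)

@dataclass
class Ping:
    t: float    # seconds since the order was picked up
    lat: float
    lon: float

def haversine_km(a, b):
    """Great-circle distance between two pings in kilometres."""
    p1, p2 = math.radians(a.lat), math.radians(b.lat)
    dlon = math.radians(b.lon - a.lon)
    h = math.sin((p2 - p1) / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlon / 2) ** 2
    return 2 * 6371.0088 * math.asin(math.sqrt(h))

def find_jumps(pings, max_kmh=MAX_BIKE_KMH, min_km=0.2):
    """Return (prev, cur, km, kmh) for consecutive pings that imply an impossible speed."""
    ordered = sorted(pings, key=lambda p: p.t)
    jumps = []
    for prev, cur in zip(ordered, ordered[1:]):
        km = haversine_km(prev, cur)
        if km < min_km:            # ignore ordinary GPS jitter while the courier is idle
            continue
        hours = (cur.t - prev.t) / 3600.0
        kmh = float("inf") if hours <= 0 else km / hours
        if kmh > max_kmh:
            jumps.append((prev, cur, km, kmh))
    return jumps

def delivered_without_travel(pings, dropoff, radius_km=0.1):
    """True if the track only reaches the dropoff via an impossible jump."""
    return any(haversine_km(cur, dropoff) <= radius_km
               for _, cur, _, _ in find_jumps(pings))

# Constructed sample data: pickup and dropoff about 3.3 km apart.
DROPOFF = Ping(0, 38.9300, -77.0300)
# Idles at pickup for 15 minutes (metre-level jitter), then appears at the dropoff.
SPOOFED = [Ping(t, 38.9000 + (i % 2) * 1e-5, -77.0300)
           for i, t in enumerate(range(0, 900, 30))] + [Ping(900, 38.9300, -77.0300)]
# Rides the same distance in 12 minutes, one ping per minute (about 17 km/h).
HONEST = [Ping(60 * i, 38.9000 + 0.0025 * i, -77.0300) for i in range(13)]

if __name__ == "__main__":
    for name, track in (("spoofed", SPOOFED), ("honest", HONEST)):
        print(name, delivered_without_travel(track, DROPOFF),
              [(round(km, 2), round(kmh)) for _, _, km, kmh in find_jumps(track)])
```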