Almost got scammed selling some stuff online. 🤙

Had a person send me their number as an interested buyer and told me to text them. I did (first mistake), and we arranged a meetup time. Then they asked if, for their safety, they could send me a six digit code (some of you already know where this is going) that I could repeat back to them to verify myself.

I said, "absolutely!" And sure enough, I got a Google Voice verification number. lol

If you're not familiar with the scam, shady people will take your phone number and try to create a Google Voice account with it. If you provide them with the 6-digit code that Google sends you, they can "verify" that they are you, and then basically use your phone number to run scams, commit fraud, etc. It's nasty business.

I called them out, blocked them, then reported them to the marketplace website and to the FTC--though, almost certainly, they were using the phone number of another poor soul to carry this out.

I used to work as a social engineer, running phishing campaigns (ethically, with consent lol) against Fortune 1000 companies to assess their level of vulnerability. Luckily for me, I was super familiar with this, but most of the people I told about it have said, "Oh, I probably would have fallen for that...", and even I set myself up for it.

So that is why I'm posting this. Please be aware of sketchy shit like this. If someone is asking you for a verification code over SMS or email, tread with EXTREME caution. Also, it's usually pretty shady if a stranger you're already chatting with wants to move to a new platform. Not always, but if someone emails or messages you on Facebook to ask you to text them, that's a little weird. I've had legitimate buyers/sellers do that, so it's not unheard of, but it should put you on guard.

If you buy/sell/trade online frequently, it's a good idea to use a dedicated MySudo number, VOIP number, and/or a burner phone for that.

Stay safe out there, kids.

#Privacy #Security #Scams #Craigslist #FacebookMarketplace #eBay
@ADHDefy The old adage/warning "never let them take you to a second location" applies here. :)
@ADHDefy every realtor I know gets texts saying they want to buy property and want to connect on WhatsApp. Most agents think it’s safe and connect with them but I always delete. Sometimes even people send messages in WhatsApp but the messages are so vague I don’t connect.
@tahoegirl Good on you for exercising caution. Like, sure, maybe you miss out on a potential sale, but the other possibility could be catastrophic.

@ADHDefy I would have let them text me the number, then read it back wrong. I’d keep messing with them and wasting their time — the more time they spend with me screwing with their heads, the less time they have to scam someone else.

To that end, my record for one of those “Windows support” scams is just over an hour. When they started with “Your PC has a virus”, I asked “Which one? There are three computers in the house.” You could hear the guy salivate at the prospect of $$$.

@JustinDerrick @ADHDefy Justin, not all heroes wear capes! Good job, you!
@JustinDerrick @ADHDefy Now there are deep fake AI scammers who record people’s voices when they answer scam calls so that they can then synthesise your voice and call other people you know using your voice to try and scam them. So it’s not recommended to engage with scammers at all anymore, don’t answer calls from contacts you don’t know or hang up immediately as soon as it starts to feel like a scam call. My voicemail message is spoken by Siri 😎
@ADHDefy I got a message from an old friend's Facebook profile asking for my phone number. When I gave it to them they said they wanted to add me as a trusted contact. Pretty weird, considering we hadn't actually talked in about twenty years.
@ADHDefy
Jim Browning showed how that confirm-a-code scam is used to steal iPhones using a victim's account
https://youtu.be/WEb6hWWMAaE
I keep getting these calls too. Was offered some free deal and then asked to read out a code which turned out to be for resetting the O2 account password
@ADHDefy everybody words their password reset emails as "somebody has requested a password reset for your account at X, if it wasn't you disregard", but phone 2fa messages still remain quite vague and don't mention scam/phishing risks at all 😔

@lanzz @ADHDefy

What spooks me about 2fa are the times it has jumped at me unexpected out of the blue, seemingly from a trusted source.

Often it was probably due to a vpn being involved, using someone’s fast internet for some intensive purpose that had been set up for work from home.

It seems every bit like a man-in-the-middle attack. Every time. I don't feel any bit more safe.

And now businesses hire out ‘text’ communications to contractors I’m certain are scraping the backend for info

@ADHDefy I sold an iPad last year and like 3 people tried to pull a zelle scam on me. Jokes on them though because my bank doesn't support zelle lol
@the_skotts Yeah, this same "buyer" initially asked about venmo and I was like, "cash only." lol
@ADHDefy
If you want to buy what I'm selling, you meet me in front of the police department, and bring cash.
@ADHDefy Always wondered about this, I sell on Facebook, and have gotten people wanting me to text them, but I refuse as FB ostensibly provides some guarantees for Marketplace transactions so long as the sale is handled on FB or FB Messenger. That said, I use a GVoice number in the first place to protect my real info (as well as a fake name and special email address).
@ADHDefy Social engineering at its best. Larger companies should diversify their traditional 6-digit auths to be associated specifically with their brand. Would really cut down on this.
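Two complaints in this thread, that OTP texts are vague and carry no warning, and that they are not tied to the brand that sent them, can both be addressed in the message itself. Below is an added example (my own code, not from anyone in the thread or from Google) of how a service would issue and verify such a code. The message ends with the origin-bound line `@<host> #<code>` that the WebOTP API convention uses, so a browser or phone will only offer to auto-fill the code on a page served from that host. The service name, host and in-memory store are illustrative assumptions.

```python
"""Added example: issue and verify SMS one-time codes with a brand-bound,
warning-carrying message format. Not code from the thread or from Google."""
import hmac
import secrets
import time
from typing import Dict, Optional

CODE_TTL_SECONDS = 300
MAX_ATTEMPTS = 3

# In-memory store keyed by phone number; a real service would use a datastore.
_pending: Dict[str, dict] = {}


def build_sms(host: str, service: str, code: str) -> str:
    """Compose the OTP text.

    The human-readable part names the brand and the action and carries an
    explicit do-not-share warning. The final line is the machine-readable
    origin-bound code ("@host #code") used by the WebOTP convention, which
    lets a browser auto-fill the code only on pages served from `host`.
    """
    return (
        f"{service}: your sign-up code is {code}. It expires in 5 minutes.\n"
        f"Do NOT share this code with anyone, including buyers, sellers or "
        f"anyone claiming to be {service} support. If you did not request "
        f"it, ignore this text.\n"
        f"\n"
        f"@{host} #{code}"
    )


def issue_code(phone: str, host: str, service: str,
               now: Optional[float] = None) -> str:
    """Generate a uniform 6-digit code for `phone`, remember it, return the SMS."""
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10**6):06d}"  # keeps leading zeros
    _pending[phone] = {"code": code, "issued": now, "attempts": 0, "host": host}
    return build_sms(host, service, code)


def verify_code(phone: str, submitted: str, host: str,
                now: Optional[float] = None) -> bool:
    """Single-use, time-limited, attempt-limited check bound to the host that
    requested the code. Returns True exactly once for the right code."""
    now = time.time() if now is None else now
    entry = _pending.get(phone)
    if entry is None:
        return False
    if now - entry["issued"] > CODE_TTL_SECONDS or entry["host"] != host:
        del _pending[phone]          # expired or presented to the wrong origin
        return False
    entry["attempts"] += 1
    if entry["attempts"] > MAX_ATTEMPTS:
        del _pending[phone]          # brute-force guard
        return False
    if not hmac.compare_digest(entry["code"], submitted):  # constant-time compare
        return False
    del _pending[phone]              # burn the code on success
    return True


if __name__ == "__main__":
    sms = issue_code("+15555550100", "voice.example", "ExampleVoice")
    print(sms)
```

Note that none of the server-side checks stop the scam described in the original post: a code that proves possession of a phone number proves it for whoever types it in. What the format buys is that the human-readable text tells the recipient what the code is for and who wants it, and the last line lets the device refuse to auto-fill it anywhere else.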
@ADHDefy I’m missing something here. How can they send you the 6 digit number? Wouldn’t that come from Google? (Referring to “Then they asked if, for their safety, they could send me a six digit code (some of you already know where this is going) that I could repeat back to them to verify myself.”)
@dgodon You are correct. They initially asked if they could send it to me (which I assumed meant it would come from them), but then I got a text from Google with the auth code, which was the giveaway.
@ADHDefy thanks for the clarification.
@ADHDefy I had a hard time at first understanding the number thing. So they didn't actually send you a number themselves, but initiated a Google authentication, using your phone number, that had Google send the verification code to your phone?
Sorry, I'm a bit slow today.
@hopfgeist No worries, you got it exactly right. 👍
@ADHDefy how do they make it look like the code is from them? They simply don't and hope you won't pay attention to that, I guess?
@hllizi Exactly. A lot of times, they will find some way to create a feeling of a time constraint, so the victim will feel rushed and skip over details like that. They may also come up with a more clever excuse to explain it away or something. In this case, they were just relying on me to not think anything of it, which also works in a surprising amount of cases.
@ADHDefy thanks, that makes sense
@ADHDefy @ashleyspencer This may be good for you to be aware of.
@ADHDefy We got a new fridge last year and we listed the old one “free to whoever hauls it away”. Immediately got somebody who was very conversational and convincing in the initial interaction. Coincidentally I had just read an article about scams and when they asked to send me a code I knew what was up and was so irritated. I really wanted that old fridge out of my kitchen 😂
@LuciaG Right? The worst part for me was that I just wanted to sell the damn thing. lol Like, they didn't get my data, but they got my time and my hopes up. 😭
@ADHDefy reminds me of a scam with online banks. Person goes to fraudulent bank website, and log in with their username and password. The bad guys take the credentials and log in to the real bank. Real bank then asks for one time code the person has on their key code list. The criminals then ask for that same code on the fraudulent website. Customer provides it, and criminals then enter it to the genuine website, and gain access to the bank.
@Janne_O We used to run that one all the time when I was a social engineer. Our team would make a copycat website, host it on our own malicious server, and register a very closely named domain. We had some wild tricks to make it all look pretty legit, even under a little bit of scrutiny.

It's not terribly common to see effective ones like this, because they take a lot of time, planning, money, research, etc., so the ones you usually come across are (thankfully) not very convincing a lot of the time. They can be pretty tricky, though.
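The "very closely named domain" in the copycat-site attack above is something a user, a mail gateway or a proxy can check for mechanically. The following is an added example (my own code, not from anyone in the thread) that flags look-alike domains against a short list of protected brands: it folds confusable characters (digits for letters, `rn` for `m`, accented IDN letters), then looks for the brand embedded in another registrable domain, a small edit distance, or the brand used as a subdomain of an unrelated domain. The protected list, the confusable table and the sample hosts are constructed for illustration; the registrable-domain split is a crude stand-in for a real public-suffix lookup, and punycode (`xn--`) hosts are not decoded.

```python
"""Added example: flag look-alike (typosquat / homoglyph) domains.
Not code from the thread. Brand list and confusable table are illustrative."""
import unicodedata

# Domains we want to protect (hypothetical list).
PROTECTED = ["examplebank.com", "google.com"]

# Visually confusable substitutions commonly seen in typosquats.
CONFUSABLES = {
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b",
    "rn": "m", "vv": "w", "cl": "d", "\u0131": "i", "\u0261": "g",
}


def normalize(host: str) -> str:
    """Lower-case, strip accents (e.g. e-acute -> e), fold confusable glyphs."""
    host = unicodedata.normalize("NFKD", host.lower())
    host = "".join(ch for ch in host if not unicodedata.combining(ch))
    # Multi-character confusables first so "rn" folds before "r"/"n" alone.
    for src in sorted(CONFUSABLES, key=len, reverse=True):
        host = host.replace(src, CONFUSABLES[src])
    return host


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    """Last two labels; a crude stand-in for a public-suffix-list lookup."""
    return ".".join(host.rstrip(".").split(".")[-2:])


def classify(host: str, protected=PROTECTED, max_distance: int = 2) -> str:
    """Return 'legit' for the brand or one of its subdomains, 'lookalike' for a
    near-match, 'unrelated' otherwise."""
    raw = host.lower().rstrip(".")
    for p in protected:
        if raw == p or raw.endswith("." + p):
            return "legit"
    h = normalize(raw)
    for p in protected:
        pn = normalize(p)
        if h == pn or h.endswith("." + pn):
            return "lookalike"            # differs only in confusable glyphs
        reg, preg = registrable(h), registrable(pn)
        brand = preg.split(".")[0]
        if brand in reg.split(".")[0] and reg != preg:
            return "lookalike"            # e.g. examplebank-secure.com
        if levenshtein(reg, preg) <= max_distance:
            return "lookalike"            # e.g. gooogle.com
        if brand in h.split(".")[:-2]:
            return "lookalike"            # e.g. examplebank.com.evil.net
    return "unrelated"


if __name__ == "__main__":
    for sample in ["login.examplebank.com", "examp1ebank.com",
                   "examplebank.com.evil.net", "wikipedia.org"]:
        print(f"{sample:30} {classify(sample)}")
```

A distance threshold of 2 is noisy for short brand names, so in practice the threshold is tuned per brand and the list of confusables is taken from the Unicode confusables data rather than hand-written.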

@ADHDefy

It seems to me that Google shouldn't be able to commandeer my phone number under any circumstance. How is this allowed by the big carriers?

@michika @ADHDefy

It's a Google Voice number they're stealing. Pretty much required that Google have access to Google Voice ....

@nitpicking @ADHDefy

"shady people will take your phone number and try to create a Google Voice account with it"

Unless the OP is mistaken, he's talking about your phone number being used, not your existing Google Voice number.

@michika Yeah, it's kind of a "call forwarding" deal, but it's actually more than that as you can make calls, send texts, etc. from a web browser using the associated number. It's a pretty wild concept, I'm not sure exactly how they're able to offer that.
@ADHDefy Oooh I never heard of this. Super clever. Thanks for posting
@Diami03 Yeah, it's a clever scam. In the wrong hands, they can do a lot of damage.

@ADHDefy someone tried to do this by creating an O2 (mobile phone network provider) account the other day!

They were trying to tell me I'd won something though and tried telling me I could tell them the number even though the SMS quite clearly states "don't do it" 😂 O2's text is great though!

@ADHDefy I sell on Marketplace and have seen so many variations on this and other scams. Most frequently now, they start a dialog, say they are nearby but have to send their brother for the item. At the end of the scam they don't have cash and must get your Zelle or whatever. Say cash only and they disappear.
@ADHDefy I just had to help someone who did fall for the scam. If anyone else needs to help someone recover their number, Google actually makes it fairly easy via https://voice.google.com/u/0/regain

@ADHDefy

I'm unclear on how this code is even supposed to prove anything. People like Google use it to prove you own the # you've told them, but in this case the attacker *is already chatting with you* so what is the point, even theoretically? It seems nonsensical on the face of it.

@lclapp Yep. There is a logic gap in here. The way they phrased it, I initially thought they would text me a code and then when I met them, I would repeat the code to prove I was really the person they were chatting with. Then it quickly became apparent what they meant. lol
@ADHDefy If they're getting to the part where Google sends you the 2FA code, doesn't that mean they have your username and password?
@DePingus They don't need my creds. They create a new account with their own creds, just using my phone number.
@ADHDefy very interesting, I work in security too, I'm going to save this case, maybe even try to incorporate it with awareness campaigns. thanks for sharing!

Out of curiosity, got any fun stories to share about the phishing campaigns you ran? We are now running a campaign that involves a document download.
@[email protected] That's awesome! We did a lot with malicious documents. Those were always fun. Is the payload like a RAT?

As far as fun stories, I don't think I ever did anything too wild. We snuck into a building once, which was really fun. We did a lot of experimental research stuff, too, which was always cool even when it didn't pan out.

We did build a wicked password cracking server and put it to good use. We cracked a password of a dude high up at this one company that was extremely embarrassing. We always obfuscated the passwords in the reports we submitted, so no one at his company found out his password, but he was in the meeting with us when we disclosed that we knew what it was, which was amazing. lol
@ADHDefy We're starting small on this one and dropping a garbage document but next time I want to try to make it a (dummy?) RAT... 
@ADHDefy Is it prudent to preventively set up a Google Voice account FIRST even if you don't actually use it? Does that prevent someone else from doing so?
@ADHDefy Someone tried to run the same scam on me recently when I posted about a lost pet. Luckily they were extremely sloppy so I didn't fall for it and the pet turned up, so a win all around.
@ADHDefy omg thank you! Some idiot tried to hit me with this a couple of months ago and I grokked that it was a scam but I couldn't figure out what the scam was, since the attacker had essentially no information about me besides my cell # and a CL listing. Mystery finally solved.
@ADHDefy Excellent points, but this is also why I have dozens of burners.
@ADHDefy thanks really appreciate your advice.

@ADHDefy @wendynather when one of my cats went missing, my son posted a “missing cat” flyer online and someone tried scamming him like this.

He kept the scammer engaged for 2 hours typing in the wrong number of digits, wrong numbers, etc. Basically, he DoSed the scammer. Finally, he got a message in Chinese that Google translated was not at all polite.

@ADHDefy I have never heard of this scam before, thank you for sharing.

@ADHDefy It is astounding to me how many legitimate companies also have unsafe practices like this.

Like, the phone company calls me up to update the terms of my subscription, and then they want me to verify myself by telling them stuff.

That's so unsafe, and I always tell them to send it in an email instead. They never do, though.