Thursday, May 16

Local Classified Penny Auction Scam

While there are a lot of new posts regarding the new ways to exploit people using novel techniques and 0day exploits, there continues to be a rash of tried and true methods of coercion.  I want to just walk through a simple example and reflect on how effective these methods continue to be.

Many people turn toward online classified sites to buy and sell items online.  This example starts with kijiji.ca which even I've used on occasion to find used electronics and other items.  Doing a search on the site for a "Samsung Galaxy Note 2" returns a posting from today with someone selling one for an unreasonably priced unit.



$125 for a $500 phone?, but what if it's for real?  No harm in just asking some simple questions.  Email sent with some obvious questions regarding the condition and location.

About an hour passes before I get a response from what appears to be a legit seller.


Notice no answer to the questions I asked, but a friendly pointer at where the unit came from and how I could get one for the same price.  What is biddycacts.com though?  Well this online penny auction site claims to allow for purchases way below the value of the items being sold.



Including a not-so-obvious but intentionally generic newsreel video.

https://www.youtube.com/watch?feature=player_embedded&v=OK9mUVAPTMY

That's when I get the second email from another email account with the exact same content and a link to a different URL but same exact site.  bidcactus.com.

Ok so even now I'm suspicious and I do a little digging into the DNS registration information, YouTube account posting the videos and the posts on Kijiji related to the items.  All appear to be somewhat anonymous and scammy.

Switching mindsets to that of the people behind this scheme.  What might be going on here?  Here is one likely scenario:

  1. The scammers setup the fake bidding site and youtube accounts and probably twitter and email accounts too.  Including fake items and auctions.
  2. They post a few ads on local advertising sites for desirable items for too-good-to-be-true prices.
  3. Setup a script to auto-reply to inquiries about the items from legitimate buyers with links to the scam site.
  4. Ask for registration from the user which includes an email address and password.
  5. Use this email address and password to attempt to access the email provided.  Any that work add them to the list of people that scam messages are sent from.
  6. If the user is gullible enough to bid and pay for items using a credit card or paypal, this is free cash.
  7. Wait a week or two then switch to another email address, URL, payment gateway etc
  8. If the scammers were really nefarious they could also extract all of the email from the user and likely use it to conduct additional fraud or ID theft.

Simple scams like these are obvious to critically minded people, but with so many people online exposed to this how do we find out about them?  Plus what's to stop more from springing up all the time.

Three lessons for people:
1.  If something looks to good to be true, it almost always is.
2.  Follow safe browsing practices.  Be patient and don't rush into giving anyone your information or registering with unknown sites.
3.  If you fall for a scam, tell people about it and register it with local law enforcement (http://www.rcmp-grc.gc.ca/scams-fraudes/index-eng.htm), Internet Crime Compliant Center (http://www.ic3.gov/default.aspx), and google's phishing report (http://www.google.com/safebrowsing/report_phish/).


Post a Comment