Scammer, Meet Hacker: Part 2

Posing as a target in a job scam to see how deep the rabbit hole goes…

In part 1, I started playing a scammer’s game to learn more about how it would play out. Where we left off, I had managed to get ‘hired’. It seemed impossible to fail in this task, as all the scammers’ plans seem to hinge on things that could only happen after I was hired. Here, in part 2, we’ll get into what some of the scammers might have had in mind.

The scammers aren’t mad at me yet, but we’re getting there…

Guess what everyone!? I’m hired!!! Wow, all my dreams are coming true.

Wait… how many jobs do I have now?

Red Flag #4: They welcome me to a different company (red in the image, we’ll call them “Secure Access Company” from here on out).

Wait… I thought I was interviewing for The IT Company?

No matter, I just ignore this extremely large discrepancy to continue the conversation, and they don’t seem to notice.

Interesting they ask about MYOB, which is an Austrailian company.

Better throw in a few more emojis, just to let them know my mind is at ease. Notice how they flip back and forth between The IT Company and Secure Access Company. This leads me to believe that they are also trying to scam potential employees of Secure Access Company.

From this point the scammer asks me about my experience with a bunch of equipment and software, and of course I tell them I’m familiar with all of it. They go on to tell me…

Red Flag # 5: I need to purchase special equipment from their preferred vendor and they will reimburse me.

Of course, I just tell them that all of this is fine, just to keep the process moving along. I can only imagine what they are thinking of me right now.. “What a gullible idiot this Kyle Bubp is!”

They asked for my mailing address and phone number, to which I gave them our business address and a Google Voice number I made on the spot. After all, I want to receive my check!

After that, they email me my “Offer Letter” and tell me I’m supposed to report to work at 8am EST 8/31/17 (it was 9am earlier in chat, but no matter). I happily oblige.

Wow, what a polite scammer.

Step 3: Thanks For the Offer Letter

I was hoping to get to this point, because I wanted to see what I could grab from the offer letter’s metadata (if anything).

The email also asked me to send either a driver’s license or passport, but I want more of their information, so I stalled with a tactic that I’m hoping will divulge some of that info.

Yeah… give me an address or phone number, please.

Again… they send me something from Secure Access Company and mention a Carolyn Osborne, a name that has never come up before. I searched around LinkedIn and ran some Google dorks to try to correlate “Carolyn” with Secure Access Company, but didn’t come up with much.

These scammers are all mixed up and have red flags out the yin yang, but I’m happy to ignore them to carry on the exercise.

Red Flag#6: The offer letter is riddled with typos, grammatical errors, and other nonsense.

Notice that they claim The IT Company “offers insurance, retirement, and savings products.” Hmm… Not the last time I checked.

Step 4: PDF Analysis

Now that they’ve sent us something, let’s see what we can pull.

Running it through Didier Stevens’ pdf-parser.py tool, we get some more information. This info can also be obtained by just using strings, but pdf-parser.py better organizes the output.

PDF version corresponds to Adobe Acrobat 8.
Can the source country be gleaned from this BaseFont?
And here we have creation information.

It looks like it was created on the day of our correspondence (08/30/2017) at 4:50:31pm with a -5 Time Zone (EST). I received the PDF at 5:55pm, EST. The Author is listed as SAMSUNG, and the creator is listed as PScript5.dll, which is part of the Microsoft PDF print driver. This PDF was likely created with Microsoft Word, on a Samsung laptop, running Windows.

Step 5: “Sign” the “Employment Agreement”

Since I wanted to see how far we can go, I just scribbled a fake signature on their fake employment agreement and sent it back to them. I’ve also taken the time to find someone via LinkedIn who works at Secure Access Company to inform them that their company’s name and likeness may also be part of this scam, along with an offer to assist them any way we can.

After they received it, they now want to give me a direct deposit for “reimbursement” of the equipment I’m supposed to purchase. Sure. I even get a previously unmentioned sign on bonus! Wow!

Again, they are after the details for direct deposit, and again, I try to get some more information from the scammers to identify them. I make up a story that my bank won’t accept direct deposit without knowing where it’s coming from (bank and account number).

Tryhard.

At this point, I wanted to keep stringing them along to see if I could get more info out of them to give to IC3, the FBI’s Internet Crime Complaint Center. I didn’t respond for a while and they got pretty persistent. At one point they even called me, via voice call, through Hangouts. I didn’t answer.

Step 6: Provide “Direct Deposit Details”

By now, it’s Saturday, and they are still bothering me for account information. Thankfully for me, I didn’t need to give them actual account information, as there are multiple payment processing services that share test accounts. I elected to use one from ChargeOver and throw in a different name just to see what happens (surprise, they didn’t notice or care). I also continue to press the story of “my bank needs to know where the money is coming from.”

They didn’t give up the account number, but they did say that the payment would be coming from either Chase or SunTrust. This could be valuable information for IC3.

Step 7: Online Banking Credentials

Next, they start asking me to log into my bank, and I continue to stall, telling them that I don’t use online banking. They get pushy and tell me that I need to go to my bank and set it up. I ask what for… and they tell me they want my username and password to my online banking.

There are so many red flags, I’m starting to lose count, but I think that’s Red Flag #7.

One thing that’s interesting, is that they try to enforce my trust in them by telling me that IC3 already knows about this, and they are totally ok with it.

“IC3 is cool with it.”

Step 8: Where’s My Money?

It seemed the scammer had forgotten about me over Labor Day weekend, so I sent them a message this morning asking about my check.

They ask me about my mobile deposit limits, presumably not to trip off any alarms and to see how much they can scam me out of. I just made up $5,000, it seemed believable enough.

Soon, I receive an email with a PDF with an image of a check. Again, they get The IT Company and Secure Access Company confused, and but Secure Access Company’s name and address on the check:

The routing number is legitimately the Chase routing number, I’ve blurred the account number for security purposes in case it was legitimate, but after running it through VerifyValid, it turns out a fake.

Again, taking the PDF and using pdf-paser.py, we can get some of the creation information.

Take note of the creation time. This one is different. They are in UTC +2 and they just used an online tool to change a .jpg of a fake check into a PDF. I’m not sure why they would go through that effort, other than perhaps a PDF looks more legit.

Now, which countries are in UTC+2?

From www.worldtimezone.com. Notice any familiar Eastern European countries?

After sending the check, the scammer tried to call me via Hangouts again. I ignored the call and let them know I was out running errands. They then give me instructions on how to deposit it:

Interesting. I assume this is to prevent any friction from bringing in such an obviously fake check into a physical branch. Mobile deposit probably gives a little more leeway as far as bad/blurry pictures, and the advantage to the scammer of the teller never seeing the physical check.

Step 9: Report It

At this point, I took all the information I had and filled out a pretty lengthy IC3 Complaint form. I’m not too sure where I can take it from here, and I suspect the scammers will try to get in touch with me on Monday (9/4/17) to continue to get credentials to an account/bank that doesn’t exist.

We’ve also reached out to both The IT Company and “Secure Access Company” to offer our assistance if they need it, turn over any information we have on the scammers, and answer any questions they may have.

Finally, we’ve reached out to Chase’s fraud department to report the account number associated with the fake check.

And… we’re done, right? Not quite.

At this point, I was thinking the game is over, I got what I needed to report the scam to the interested parties, so I told them the gig was up and that I knew it was all a scam. However, this didn’t deter them (which I’m guessing is due to a language barrier) and they ask me what I’m going to do with the check.

Part 3, the last and final chapter in our adventure…

…will be published next week. In part 3, the scam leaves the virtual realm and enters the physical. Things get real. We also get a response from The IT Company’s CEO and summarize all the ways the scammer attempted to make money through these interactions.


Scammer, Meet Hacker: Part 2 was originally published in Savage Security Blog on Medium, where people are continuing the conversation by highlighting and responding to this story.

*** This is a Security Bloggers Network syndicated blog from Savage Security Blog - Medium authored by Kyle Bubp. Read the original post at: https://blog.savagesec.com/scammer-meet-hacker-part-2-2c422ccf6599?source=rss----8fb937e95e56---4