Posing as a target in a job scam to see how deep the rabbit hole goes…
In part 2, our involvement became more than just a chat, and the scammers started trying to get some money out of me in earnest. Their persistence is as impressive as their lack of attention to detail is bewildering. You’d think scammers this organized and prepared would be able to keep the name of a company straight, especially when they’re supposedly a hiring manager for said company. If we accept the idea that attackers are only as sophisticated as they need to be, the average victim must not notice that the name of the business changes, chooses not to challenge the scammers on the discrepancy or is just so desperate for the job and money that they don’t care.
Here, in part 3, the scam leaves the virtual world and enters the physical. Let’s dive in.
Step 10: How scammers make money from thin air
The process of how a totally fake, made up check, can become real, spendable US dollars, and in the process, ruin the victim’s day (or week, or month!).
After emailing me a .pdf of a fake Chase check, of which I was supposed to deposit via mobile banking, the scammer wanted to know if I had deposited the money.
After thinking of a few way’s I could “provide proof,” in the end, I just used Google Chrome’s developer tools to change all the values on my bank’s balance page. Added their super legit “CHASE CHECK” and threw in some Taco Bell and some Walmart for legitimacy as well. I figured showing them a large balance would also entice them.
This ‘evidence’ was enough to convince the scammer that I truly deposited the check, and now it was time for me to buy my materials from their “trusted vendor.” They also asked me to keep $200 of the fake money for myself, as a sign on bonus (how sweet)!
Of course, the next step is to actually buy the equipment, so I pushed the scammer on where I should go to purchase this equipment. I was thinking they would have some spoofed online store where you purchase items, but never receive them. To my surprise, it was much less elegant.
That’s right folks, Walmart Pay. They want me to do a Walmart transfer of the money in two chunks. This is where it gets interesting, and I have to be careful about the details I reveal here.
In order to use Walmart Pay, you have to send it to a named person, removing the anonymity of the scammer’s game. The scammer instructs me to send it to a woman residing in Ellenwood, GA. At this point, my OSINT bells start ringing and I start looking for information on this woman. I ended up finding her contact information, including address, her occupation, job title, and business location.
I presume this woman in Georgia is simply a runner for the scheme. She probably gets a cut of the money and then sends the rest to the scammer.
At this point, I sent everything to both the FBI as well as the police and sheriff of Ellenwood, GA. While the local municipalities didn’t respond, the FBI’s IC3 did.
Unfortunately, I can’t reveal too much more at this time. I’m meeting with the FBI soon to discuss the details of the entire scheme, after which, I hope to be able to reveal a positive outcome.
Meanwhile, the scammer would not leave me alone! After I told them that I was going to Walmart to send the money, they texted, called, and kept trying to chat with me on Hangouts. It’s a good thing I gave them a Google Voice number and not my real number!
I tried to do a reverse lookup on the number they were calling/texting from by using some tools like SpyDialer. Unfortunately, it looks like they are just using a spoofed VoIP number, so I couldn’t glean any data from this.
So How Does The Scammer Get Paid?
Throughout the course of this, this scammer tried 3 different ways to get paid.
- Get my account number and routing number to then draft money out of my account. (I denied them this.)
- Get my online banking information. (I denied them this.)
- Send me a fraudulent check, ask me to deposit it, then in some way request some of the money back. (This is the route they were forced into.)
The IT Company’s Response
I had the pleasure of speaking with Paul Sponcia, Principal and CEO of The IT Company, in regards to this type of scam. He said that the IT Company was first notified of this about six months ago and have been working with the local FBI field office and IC3 since then to try to combat it. Unfortunately, this type of scam is hard to stop, as there are extradition laws and other barriers that make it difficult to track down and prosecute the scammer. Paul mentioned that he knows of at least one victim who suffered monetary damages from this scam, as the scammers completely wiped out his bank account (which has since been shut down). So, knowing that there wasn’t much they could do, Paul took a unique approach to combat the scammers:
More than likely, if you are about to be hired by a company, you’re going to visit their website. So, Paul put up this alert on their site, that not only educates the potential victims, but also let’s their customers know they are being proactive, as well as letting the scammers know “we’re on to you!”
In addition to this, The IT Company published a blog to educate and inform others about the scam, and what to do if you think you may be a victim. We find that education is the best approach to securing organizations, and it’s refreshing to see that others are taking that approach as well.
Unfortunately, I did not receive a reply from the Secure Access Company, but I’m hopeful that they did receive my message and are taking similar actions to prevent people from falling victim to this scam.
This is not a new type of scam, but it was the first time I’ve heard of a scam like this, and was surprised that it is so successful. We’ve provided tips and red flags throughout the article, but in the end, when in doubt, just pick up the phone and call the HR department of the company. You may get bounced around a few times, but the time lost is better than money lost to a scammer.
If you ever find yourself as the victim of something like this, report it immediately to IC3. The sooner the better, as you may be able to get your money back: https://complaint.ic3.gov/default.aspx
Were we able to make a difference? I hope so. Obviously, the IT Company took proactive steps to prevent future “prospective employees” from being scammed. As far as working with law enforcement, I found it interesting that although I had a full timeline of events, details, and screenshots, the local law enforcement did not take interest in the info I provided. Thankfully though, I have an excellent relationship with someone at the local FBI field office, and she was very responsive. As mentioned, I’ll be meeting with them soon to go over everything and hopefully come up with ways to prevent others from falling into this trap.
Truth be told, this is an incredibly hard scam to stop because most of the scammers live in countries in which we have no extradition treaty. So, even if I knew the scammer’s name and address in Eastern Europe, the FBI could likely do nothing to bring them to justice.
In conclusion, aside from all of the red flags pointed out throughout the series, it’s very important for organizations to make acquaintances with local and federal law enforcement before an incident. Having those relationships means you have someone to call the minute you suspect something suspicious. This can be the difference between getting your money back or losing it all to an overseas bank account.
About Savage Security
Savage Security is a cybersecurity research and consulting firm, founded by industry experts with over 30 years of combined experience. We are trusted advisers for our customers, whether providing market services to improve their products, or building defensive strategies to secure their environments.
Interested in any of our consulting, market or subscription services? Drop us an email (info at SavageSec dot com) or go old school and give us a call at (844) 572–8243.
Our website and brochures go into more detail on how Savage Security can help you with your security needs or research project.
This is a Security Bloggers Network syndicated blog post authored by Kyle Bubp. Read the original post at: Savage Security Blog - Medium