This article is more than 1 year old
Fake broadband ISP support scammers accidentally cough up IP address to Deadpool in card phish gone wrong
A tale of Twitter fraudsters, an infosec biz boss, and a quest for one honeypot hit
Fraudsters masquerading as ISP support agents to phish payment card details have been unmasked – after they tried to scam a Brit infosec biz cofounder.
Kurtis Baron, director of the Cambridge-based penetration-testing outfit Fidus Information Security, told El Reg today how his cofounder Andrew Mabbitt received a private message from what appeared to be a legit Virgin Media customer support account on Twitter, a message that tried to harvest his bank card details.
The scam began when Mabbitt complained publicly to UK broadband giant Virgin Media on Twitter about a dodgy internet connection. A crook, operating a Virgin Media support lookalike account, clocked the gripe, and slid into his DMs asking for personal details to help out. Said details included things like confirming his card number.
"It was a very good attempt," Mabbitt said in his summary of the attack.
"It seems those behind the account(s) are watching for keywords in real time and sending these messages very quickly; exploiting both the speed of a reply and the frustration being held by the person writing the initial tweet."
Spotting the phishing attempt early on, our protagonist decided to play along with the ruse, giving the fraudsters a fictional name and address – in this case, the address being the Met Police, on Savile Row in London, and the name being Wade Wilson aka Marvell's potty-mouthed super-merc Deadpool.
Not realizing they were trying to con a comic-book antihero operating out of the capital's police HQ, the dimwit criminals proceeded to ask for payment card details. It was here that Mabbitt truly reeled them in, giving the scammers a dummy credit card number PayPal uses to let merchants test their payment systems. He also sent them links to a Fidus honeypot server for the miscreants to follow, revealing their public IP address (assuming they weren't smart enough to use something like Tor).
It was apparent at this point that Mabbitt was not exactly dealing with criminal masterminds. Still, the attackers were smart enough to not follow the first links he sent, and asked for a second credit card number when the test card details failed to authorize a charge. Mr Wilson had to go a bit deeper with his social engineering.
Four Brits cuffed in multimillion-quid Windows tech support call scam probe
READ MORE"Our intention here was clear, we wanted them to browse to an IP which we were hosting a webserver on to grab their IP address. Sadly, it wasn’t as easy as we had hoped so we had to lay some more groundwork," Mabbitt said.
"They were adamant they needed another card, we were adamant we were going to get their IP address. It became a back and forward exchange."
Mabbitt stepped up his game by claiming American Express was at fault, and crafted a fake Cloudflare error page, hosted by the honeypot server, and passed a link to that page to the crooks to try to prove that the credit-card company was having website issues. Even that, however, failed to convince them to click on his link.
Finally, Mabbitt faked a screenshot of an SMS message that appeared to come from American Express warning of potential fraudulent activity on his card, and sent the pic to to the scammers. The text contained a link to a honeypot-hosted page that apparently had more details about the fraud alert. Hoping to cancel the alert, and unlock the card, the criminals clicked on the link, and revealed their IP address to the Fidus honeypot.
"Never did I think we’d be faking both CloudFlare error messages and SMS’ to gain an IP address but we had come too far at this point to back out now," Mabbitt said.
At that point, Mabbitt pulled the plug, reporting the account and the IP address to Twitter and the Met Police. While the fate of the criminals is unknown, the lookalike Virgin Media Twitter account has since been suspended.
Let this be a lesson to would-be scammers. If you're going to resort to defrauding people with fake Twitter accounts, scope out your mark, lest you end up trying to con a comic book hero with a honeypot server and a Met Police address. Or, preferably, just don't even start. ®