A New Scam


I just posted my old drill press on craigslist, because I got a better one.

Immediately, I got two messages that were nearly identical: “Is the item still for sale?” – that’s a warning, right there. Someone who actually wants a drill press might take the time to refer to it as “the drill press” instead of “the item” (which the scammer can just cut and paste into every reply).

I replied, “yes, it is.”

Immediately, I got another message: “in order to make sure u are not a scammer, I will send you a code; you can tell me the code and I’ll know you are for real.” Then, I got a code from google voice services, along with a message saying “This is your authentication code, do not share it with anybody else.”

Well, that sounds suspicious. “Do not share it with anybody else” is a clue from Google. So I googled “scam authentication code do not share it” and it came back with a full description of the scam. [google]

The trick is that the scammer is signing up a Google Voice account against your cellphone number. Google texts the verification code to the phone that actually has the number, so relaying it to the scammer completes their proof of possession, and from then on they can make Google Voice calls and send texts that appear to come from your number.

I replied with the link to the google explanation, called them “asshole” and deleted the messages.

A general rule: never pass along anything that functions as an authentication credential, verification codes included. A code texted to your phone exists to prove that you hold that phone, and whoever you hand it to gets the benefit of that proof. A stranger asking for one is almost always running a trick.
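To make the mechanism concrete, here is a toy model of the verification flow the scam exploits. It is an added example, not code from this post and not Google’s; the carrier, the VoIP service, the account names and the phone number are all constructed. It also models two points raised in the comments below: that texts to a linked number reach both the handset and the linked account, and that the real owner can take the number back by re-verifying it.

```python
import re
import secrets
from dataclasses import dataclass, field


@dataclass
class Handset:
    """A phone: its number and the texts it has received."""
    number: str
    inbox: list = field(default_factory=list)


class Carrier:
    """Stand-in for the phone network (constructed). A text goes to the handset
    that owns the number and, as the comments below describe, is also handed
    to any VoIP account currently linked to that number."""

    def __init__(self):
        self.handsets = {}
        self.voice = None                   # set by VoiceService

    def register(self, handset):
        self.handsets[handset.number] = handset

    def send_sms(self, number, text):
        self.handsets[number].inbox.append(text)
        if self.voice is not None:
            self.voice.forward_sms(number, text)


class VoiceService:
    """Stand-in for a VoIP provider (constructed) that lets an account use a
    phone number once someone has proved possession of it with a texted code."""

    def __init__(self, carrier):
        self.carrier = carrier
        carrier.voice = self
        self.pending = {}                   # session id -> [account, number, code]
        self.linked = {}                    # number -> account allowed to use it
        self.account_inbox = {}             # account -> texts forwarded to it

    def start_verification(self, account, number):
        """Any account may start verification for any number. The code goes to
        the handset, not to the requester; the requester gets a session id."""
        code = f"{secrets.randbelow(10**6):06d}"
        session = secrets.token_hex(8)
        self.pending[session] = [account, number, code]
        self.carrier.send_sms(number, f"{code} is your verification code. "
                                      "Do not share it with anybody else.")
        return session

    def complete_verification(self, session, submitted):
        """Link the number to the session's account if the code matches. The
        service only sees the code; it cannot tell who read the text."""
        entry = self.pending.get(session)
        if entry is None:
            return False
        account, number, code = entry
        if not secrets.compare_digest(submitted, code):
            return False                    # wrong code: nothing changes
        del self.pending[session]
        self.linked[number] = account       # last successful verifier wins
        return True

    def forward_sms(self, number, text):
        account = self.linked.get(number)
        if account is not None:
            self.account_inbox.setdefault(account, []).append(text)


def extract_code(text):
    """Pull the six-digit code out of a verification text, or None."""
    match = re.search(r"\b(\d{6})\b", text)
    return match.group(1) if match else None


def run_scenario():
    """Replay the post: the scammer starts verification for the seller's number,
    the seller relays the code, the number is hijacked, then reclaimed."""
    carrier = Carrier()
    seller = Handset("+1 555 010 0123")      # constructed number
    carrier.register(seller)
    voice = VoiceService(carrier)
    result = {}

    # Scammer asks the service to verify a number they do not control.
    session = voice.start_verification("scammer", seller.number)
    code = extract_code(seller.inbox[-1])    # lands on the seller's phone

    # A made-up code does nothing for them (cvoinescu's point in the comments).
    wrong = f"{(int(code) + 1) % 10**6:06d}"
    result["wrong_code_accepted"] = voice.complete_verification(session, wrong)

    # The seller, asked to "prove they are not a scammer", relays the real one.
    result["hijacked"] = voice.complete_verification(session, code)
    result["linked_after_hijack"] = voice.linked.get(seller.number)

    # Consequence raised in the comments: texts to the number now reach both
    # parties, so an SMS second factor sent to the seller is readable by the scammer.
    carrier.send_sms(seller.number, "Your bank login code is 424242")
    result["scammer_reads_2fa"] = any("424242" in t for t in voice.account_inbox.get("scammer", []))

    # Recovery, as Bruce H reports below: the real owner re-verifies and takes the number back.
    session = voice.start_verification("seller", seller.number)
    voice.complete_verification(session, extract_code(seller.inbox[-1]))
    result["linked_after_reclaim"] = voice.linked.get(seller.number)
    return result


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The thing to notice is that `complete_verification` never learns who read the text. The code is bound to the scammer’s session, so the only party it can ever benefit is the one who started the verification; the victim’s handset is just the place the proof happens to land. Guessed codes fail, relayed codes succeed, and the last account to verify owns the number.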

Back in the early days of the commercial internet, I remember when people like Eric Raymond were going around talking about how the internet was going to change everything, and make everything better. In fact, humans just dragged all their usual baggage: scammers, nationalists, intelligence operatives, and make-a-buck-quick operations into the new domain. I believe it was Raymond who called the internet “The New Library of Alexandria” – and I liked the simile, at the time. Until its new denizens began squatting and taking a shit here and there, and making bonfires out of the books, skinning the unfortunate Hypatia, generally dragging everything down to the lowest common denominator. And, then, the marketing people showed up and spray painted “bullshit” on every surface, in blink-tag neon green paint. Humans are like some weird, stupid animals that you can lead to water when they’re thirsty and the first thing they’ll do is shit where someone else is drinking.

Comments

  1. brucegee1962 says

    Of course, Eric Raymond is a bit of a troll himself (something of a Bell Curve fan, as I recall), so maybe as far as he’s concerned it worked out just fine.

  2. kestrel says

    Thanks for the heads up – I’ll have to tell my mother about this. She can fall for just about any scam and has done for years. I hate scammers.

  3. komarov says

    Is that voice ID thing trackable? It’s a google service after all. Maybe a neat law enforcement response could be to provide an ID to use against scammers. Anyone who spots the scammer, as you did, passes on an LE ID and [agency] can use the data to take a close look at the scammer and what they’re up to.

  4. Owlmirror says

    I replied with the link to the google explanation, called them “asshole” and deleted the messages.

    If you wanted to waste some of your time, and theirs, you could have rolled a d10 for however many digits, and offered the result as the “code”. When that fails for them, say “oops, my bad”, swap a couple digits, and offer that. When that fails, offer a plausible substitution (“sorry, my eyes play tricks on me!”), like “2” for “5”, or “6” for “9”. Etc.

    Hopefully, they would end up locked out of the account.

  5. aquietvoice says

    @Owlmirror:
    Sadly, if I remember this scam correctly, it’s not about getting you to send a specific code but to get you to send it with a specific device so they can steal the identity of that device – the code is just a gimmick.
    As such, no matter what code you sent it wouldn’t matter, even a fake one would work fine for their purposes.

  6. cvoinescu says

    aquietvoice @ #6:
    That sounds like a different scenario.

    In this one, it works like this: you sign up for Google Voice and associate an existing phone number with the Voice account. Google sends a random code to that number, you listen to it and give it back to Google. The fact that you know the code proves to Google that you own that phone number (or that you have a drill press for sale, take your pick). Then, they allow you to associate that phone number with your Voice account, so that when you call from Voice, they make caller ID show said phone number to the other party. Skype and some voice-over-IP calling card services do the same.

    This is the mass-market version of a much older scam, in which people with admin access to PBXes used to program their office phones to send fake caller IDs. This used to be possible (maybe still is) because the telephone company blindly accepted whatever ID the PBX said it was, without checking that it was one of the numbers allocated to that branch. A legitimate use would be for outgoing calls to display the 800 number of the business rather than the direct-dial number of that specific extension.

    Now, exactly what avenues of trickery a fake caller ID opens up, I don’t know. Marcus, do you think they are somehow able to engineer their way into also receiving your calls? Say, by pretending to be you and changing your phone service provider. Because that would be a whole lot worse.

  7. says

    cvoinescu@#7:
    Marcus, do you think they are somehow able to engineer their way into also receiving your calls?

    I don’t think they can do that, and they don’t want to, anyway. If someone gets angry and calls to yell at someone, they want me to be the person who picks up the call.

    Here’s where it gets nasty(er): if you have google voice signed up for a particular phone, you get its SMS messages and so does the phone. That means that you can sign a particular phone up using an SMS code, although the phone’s legitimate owner will know about it. Apparently this is how the Kpopers faked registering for the Tulsa, OK, republican rally. This technique can defeat SMS-based two-factor authentication.

  8. says

    Addendum:
    One other scam is being used on craigslist.

    You get an SMS and it suggests that we switch to email: “if you still have the item, email me at deaddrop@address.whatever”
    What then happens is you get phishing attacks on your actual email, which is then exposed to the scammer. The phishing attacks could be a variety of things, including (since they know the craigslist listing and your email address) a fake email from craigslist asking you to log in and update something about your listing. Then, they have your craigslist credentials.

  9. Dunc says

    Here’s where it gets nasty(er): if you have google voice signed up for a particular phone, you get its SMS messages and so does the phone. That means that you can sign a particular phone up using an SMS code, although the phone’s legitimate owner will know about it.

    Yeah, this will be the main target I think… A lot of people are using SMS for 2FA. For example, until fairly recently it was the only 2FA option that PayPal supported. In fact, I only realised that they’d started supporting other options when I checked before writing this comment… You’d think they’d advertise it a bit better.

    If you’re currently using 2FA via SMS for PayPal, I’d recommend considering setting up an authenticator app instead.

  10. says

    Dunc@#10:
    If you’re currently using 2FA via SMS for PayPal, I’d recommend considering setting up an authenticator app instead.

    Definitely!
    In general, just not using the same password on more than one system goes a long way toward firewalling off these sorts of attacks, although things like paypal ought to be carefully handled.

    The entire security stack is, basically, garbage so the best we can hope for is that accessing our valuable accounts is more work than accessing someone else’s.

  11. Bruce H says

    Sad to say I fell for this not long ago. Fortunately for me, I immediately realized my error and was able to re-associate my phone number with my google voice number in short order. The scammer texted me with a curt “aww” and that’s the last I heard of it.
