Yesterday, whilst complaining to Virgin Media on Twitter about my broken internet, I encountered a very interesting scam attempt. Within minutes of posting a complaint I got two replies: one from Virgin Media themselves in a public message, and another from somebody purporting to be from Virgin Media in my DMs.
It was a very good attempt. It seems those behind the account(s) are watching for keywords in real time and sending these messages very quickly, exploiting both the speed of the reply and the frustration felt by the person writing the initial tweet.
The account itself is obviously a huge giveaway that the message is not legitimate, for those who check it, but it’s also fairly obvious that the people behind the account target anybody and everybody and are not very selective. After all, it’s fairly obvious from my Twitter that I work in cyber security.
Anyhow, there’s no greater feeling than absolutely wasting a scammer’s time and leading them down a rabbit hole, so that’s exactly what we did.
Firstly, before putting our plan into action, we wanted to ascertain whether the user on the other end had any common sense and was checking the validity of the addresses being given to them. What better name and address to give than Deadpool and a London police station?
I got a reply within 20 seconds and knew we were going to have a little fun with them.
At first we assumed they were hoping to gain addresses and names to perform account takeover attacks against Virgin Media accounts but their true intentions became obvious pretty quickly.
It’s an odd attack to launch against Virgin Media customers because most payments are handled by direct debit, meaning there wouldn’t normally be a credit card attached to the account. Nonetheless, we went along with it using a set of test credit card details provided by PayPal.
It went silent for a little while after this – I assume they were trying to authorise a payment somewhere. Annoyingly I don’t have a screenshot of the next part as Twitter has deleted the account and associated messages but they had forewarned me I would get a verification code and to provide this to them for verification; their attempt at bypassing American Express SafeKey.
Our intention here was clear: we wanted them to browse to an IP address on which we were hosting a webserver, so we could grab their IP address. Sadly, it wasn’t as easy as we had hoped, so we had to lay some more groundwork.
They were adamant they needed another card; we were adamant we were going to get their IP address. It became a back-and-forth exchange.
Slowly we made it clear they’d be losing their opportunity to receive more credit card details from us.
At this point we expected we’d have no luck, so we faked a Cloudflare error in the hope they’d click the link and check for themselves… if only it were that easy…
Never did I think we’d be faking both Cloudflare error messages and SMS messages to gain an IP address, but we had come too far at this point to back out now.
Alas, after sending a fake SMS message we received a click on our webserver!
At this point the game was up as the IP linked back to our website and we never received a reply back.
We reported all of this back to Twitter, who’ve since suspended the account, and to the police in the UK in the hope that some action can be taken against those responsible.
Until next time, scammers.
~ Wade Wilson