
SANS Internet Storm Center, InfoCON: green: A Close Look at PayPal Overpayment Scams That Target Craigslist Sellers, (Tue, Sep 8th)


My hope is that when people become familiar with the tactics employed by scammers, they will be less likely to get ripped off. With this in mind, I'd like to describe my recent interactions with miscreants who target sellers on Craigslist. Perhaps the details I've gathered about the scammers' operation will help curtail such activities.

This encounter, which involved SMS messages, emails and a click, is a variation of a PayPal-themed overpayment scam that has been quite prolific in recent years.

Working in a very rural area

The text message from 731-907-0226 arrived in response to my Craigslist post that advertised a furniture item for sale.

"Text me back at (7312777303 if you still have it, am interested. Text only"

"My name is Rick Smith. I am buying this as a surprise, I work with Turner Construction, we are currently working at a very rural area which makes it very hard for me to make phone calls. I have a Mover who will come for the pickup, I will be making the payment via PayPal that is the only payment option."

This message achieved two critical objectives for the scammer. First, the person began crafting a story that will later provide an excuse for asking the victim to wire funds to a third party. In addition, the scammer was establishing a reason why he couldn't interact with me using voice calls. The supposed buyer was claiming to be in an area where voice calls didn't work. In another variation of a Craigslist-originating scam, scammers used the excuse of being on active

The scammer also requested my email address, so he could send me payment. He insisted that PayPal was the only payment method he could accommodate. As is common in schemes that target Craigslist users, the scammer didn

The scammer's phone numbers above were associated with the VoIP company Bandwidth.com, which makes its virtual numbers available to other providers, such as Google Voice, according to Phone Validator.

You are required to send the $680.00

"Please check your email for the notification and instructions, but if you don't get the notification in your inbox please check the spam. PayPal must have sent you some emails by now, I think you need to follow some steps. please check both spam/junk and inbox and get back to me ASAP."

Indeed, my Hotmail inbox included a message with the subject Notification Of An Instant Payment From Rick Smith(brwnsmith20@gmail.com)

    x-hmca=none header.id=Email.transactionverifier@consultant.com
    X-SID-PRA: Email.transactionverifier@consultant.com
    Sender: joylove270@gmail.com
    From: Service@PayPal.com email.transactionverifier@consultant.com
    Date: Sun, 30 Aug 2015 19:20:59 +0100
    Subject: Notification Of An Instant Payment From Rick Smith(brwnsmith20@gmail.com)

All emails

The notice listed the buyer

"Rick Smith has made his intentions known to PayPal that he will like $680.00 USD to be sent to the recipient's address below. You are required to send the $680.00 USD via Money Gram Money Transfer."

This was a setup for the overpayment scam, in which victims are persuaded to pay a third party on behalf of the miscreant.
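The mismatch visible in those headers (a From display name that reads like a PayPal address, while the real address and the Sender header sit at unrelated domains) can be checked mechanically. The following is an added example, not code from the original article: the sample message reuses the header values quoted above with the From quoting and angle brackets assumed, and `BRAND_DOMAINS` is an illustrative allow-list.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample. Header values are the ones quoted in the article; the
# quoting and angle brackets in From are assumed (the page's copy lost them).
SCAM = (
    "X-SID-PRA: Email.transactionverifier@consultant.com\n"
    "Sender: joylove270@gmail.com\n"
    'From: "Service@PayPal.com" <email.transactionverifier@consultant.com>\n'
    "Date: Sun, 30 Aug 2015 19:20:59 +0100\n"
    "Subject: Notification Of An Instant Payment From Rick Smith(brwnsmith20@gmail.com)\n"
    "\nbody omitted\n"
)
# Constructed benign counterpart for comparison.
BENIGN = 'From: "service@paypal.com" <service@paypal.com>\nSubject: Receipt\n\nbody\n'

# Assumption: brand keywords mapped to domains that may legitimately send for them.
BRAND_DOMAINS = {"paypal": {"paypal.com"}}


def domain_of(addr):
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def in_domains(dom, allowed):
    """True if dom equals, or is a subdomain of, one of the allowed domains."""
    return any(dom == a or dom.endswith("." + a) for a in allowed)


def sender_findings(raw):
    """Return the header inconsistencies that indicate display-name spoofing."""
    msg = message_from_string(raw)
    display, from_addr = parseaddr(msg.get("From", ""))
    _, sender_addr = parseaddr(msg.get("Sender", ""))
    from_dom = domain_of(from_addr)
    found = []
    for brand, allowed in BRAND_DOMAINS.items():
        if brand in display.lower() and not in_domains(from_dom, allowed):
            found.append(f"display name claims {brand}, address is at {from_dom}")
    if "@" in display and domain_of(display) != from_dom:
        found.append("display name is an address at a different domain")
    if sender_addr and domain_of(sender_addr) != from_dom:
        found.append(f"Sender domain {domain_of(sender_addr)} differs from From domain")
    return found


if __name__ == "__main__":
    for name, raw in (("scam", SCAM), ("benign", BENIGN)):
        print(name, sender_findings(raw))
```

Mail clients that show only the display name hide exactly the fields this check compares, which is why the notification can look genuine at a glance.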

We are working with Money Gram on this transaction.

Despite the (fake) email confirmation of payment, no funds were actually deposited into the PayPal account I set up for such interactions. When I asked the buyer

"As per the e-mail PayPal sent to me which is also similar to yours which i hope you receive, you will have to pay an upfront payment out of your pocket via Money Gram to the address given to you, and you will be given the information which is the Reference Number you will email to PayPal by replying to the confirmation mail from them regarding the details you have from Money Gram, you will receive the whole money in your account without any delay."

The fake PayPal message in my inbox clarified that I might not see the funds in my PayPal account until I sent money to the buyer

"The money has now been deducted from the buyer's account and is ready to be deposited into your PayPal account. Please reply this email directly with the Information needed from you. While funds are pending, the money belongs to you but is not available to spend or withdraw."

"My name is Mellisa and it is my pleasure to assist you in regards to the transaction between you and Rick Smith. We cannot credit your account until you send us the transfer details, but I am very happy to be assigned to tell you that the transaction is 100% secure and legitimate, we want to use this medium to tell you once again that the amount of $1,680.00 USD has been made to your account by Rick Smith."

Go to any Money Gram Outlet close to your home

According to fake PayPal's emails, I had to take one last step to complete the transaction: I had to send money via Money Gram to the buyer

"I want you to know that i added an extra fee of $680 to the total payment which i need you to help send to the agent coming for pick up and it needs to be sent via Money Gram as that's the only way they can get it. I am sorry i should have informed you but i only got the urgent message from the pick up agent that they will need the funds before they can come to pick up when i was about making the payment. [...] I also added $100 the Money Gram charges."

Though my emails to the fake PayPal account Email.transactionverifier@consultant.com went unanswered, the scammer did respond from ric.smith222@gmail.com when I asked why he couldn

"There is no money gram here to make the transfer and I tried more that 4 times making the transfer online but they keep on rejecting my card."

So, to receive payment for the item I was selling, I had to first send irrevocable funds to someone in Pennsylvania. In this case, the scammer requested funds via MoneyGram. Other variations of the scam that I've seen asked the victim to transfer funds using Western Union.

Surf anonymously

Curious whether I could gather any information about the scammer, I emailed him (or her) a link to a benign image that resided on my temporary web server. In my email message to the scammer I asked for help making sense of MoneyGram

    GET /images/screenshot15.jpg HTTP/1.1
    Host: 104.131.115.41
    Connection: keep-alive
    q=0.8
    Upgrade-Insecure-Requests: 1
    WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
    Accept-Encoding: gzip, deflate, sdch
    q=0.8

The connection came from 208.31.49.29. This IP is on a /24 subnet assigned to Kaia Global Networks in the US, on the Sprint network according to Robtex. One Wikipedia page I found indicated that this subnet hosted CyberGhost VPN exit nodes. I downloaded this provider

Alas, the scammer was careful to obscure his origins by tunneling through this Romania-based VPN service, which is designed to protect your online privacy, surf anonymously and access blocked or censored content.
According to my testing, CyberGhost's VPN doesn

The nature of my work

I searched the web for the artifacts exhibited by the scammer in the interactions above to assess the scope of the malevolent activities. I found a few complaints associated with the two phone numbers. They dated to 2014, possibly because these VoIP numbers were misused for other shady machinations (1, 2, 3) at the time. I saw no mention of ric.smith222@gmail.com, though joylove270@gmail.com was associated with several complaints that began in April 2014 and matched the pattern of this scam. At the time, Rick Smith

When I pivoted my search on Rick Smith,

2, The scammer

The earliest mention of the activities I observed and attributed to this scammer dates to January 2012. At the time, the scammer used the email address brwnsmith20@gmail.com, the same address included in the body of the fake PayPal notification email that I received. The scammer's target wrote that the scammer claimed to be on active duty in the military, using that excuse to explain why he could not speak on the phone or pick up the item in person. The scammer reportedly stated, "Am not available to talk through phone due to the nature of my work."

This set of scams might be the work of a single miscreant. It's also possible that a group of scammers is using a common toolkit to prey on Craigslist sellers. Regardless, I

For more of my articles about online scams, take a look at How Victims Are Redirected to IT Support Scareware Sites

Lenny Zeltser focuses on safeguarding customers' IT operations at NCR Corp. He also teaches how to analyze malware at SANS Institute. Lenny is active on Twitter and Google+. He also writes a security blog.

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

