That's bizarre - someone tried to scam me in a similar way literally a few minutes ago.
I am selling something on a marketplace. Someone contacted me - they want to buy the thing I am selling. Do I still have it? I say yes. They say they are sending a GLS courier to collect the item. I figure they need the item fast - we are celebrating Christmas tomorrow. Why not.
The "buyer" sends me a link to a service supposedly offered by GLS, where GLS works as an intermediary - they collected the money from the buyer; when they collect the item, they will pay me. This is happening in the Czech Republic, and services like that seem plausible here. I do not know every detail of every delivery service offered here. The page looks just like an ordinary GLS page. I am in a hurry. I do not pay that much attention. I pause and check only when redirected to my bank's authentication page (this is the phishing part, obviously). Turns out GLS offers no such service.
I was closer to giving them what they wanted than I imagined possible. I was on autopilot until the last second. Not even my bank's login page surprised me that much - we have something called "bank identity" that lets you authenticate stuff by your bank ID. It is so convenient that I got used to it and I do it carelessly.
In Czechia, something called bank ID is commonly used to authenticate. The point is to verify it is you, for example when you sign a contract online, fill in tax returns online... stuff like that. The way it works is that you are on some site, you get redirected to your internet banking, you log in (that's what I meant by "bank details", I am sorry about expressing myself so clumsily), and your bank redirects you back to that site with confirmation that is you.
Do I need to verify my identity when someone wants to send me money? Who knows. This is the part that made me check. But I was close to not checking simply because it is habitual, and you do stuff like that automatically.
Nowadays, we are often dealing with systems we do not fully understand. You get redirected to some familiar login form, you log in, and you don't even pause. Well, at least I do it. I should be a lot more careful, apparently.
I dislike this as well, as this is conditioning people to not second guess why a third party website is sending you to your bank to login. As well as scam websites I've come across that mirror the authentication process down to every step you would have when using it for legitimate purposes.
Scam website>Scam Interact login parter>Scam web banking login> stolen bank credentials.
Honest question. Shouldn't this internet banking that offer authentication as a service do it via at least mandatory 2FA for log in. I would guess that way fake bank sites would be failing?
I dont have many banking relationships, using 2 banks and there is not even a password to remember, all login is done via authentication apps.
The entire social engineering of sending everything off to 3rd party is something that really irks me. The touted convenience of faster to deploy updates by using 3rd party rather than depending on local version updates has never been enough for me. It also was the sugar pill for switching to rent seeking SaaS to gain traction.
I don't want my web server dependent on anyone else's server/service being available or in any other way slowing down my user's experience.
The only service that I have no local solution is payment processing.
I am not sure I can agree with that. I almost got scammed, but isn't that my responsibility to check?
The thing is, those services really are useful. A lot of stuff that used to be complicated and required me to stand in line somewhere can now be done comfortably from home. Many good things can be abused, but that does not mean they should not be implemented. And you don't have to use it if you do not want to.
Also, I don't know how the scam works behind the login form that stopped me, but I think it would not have worked even if I had given them my info because there is 2FA - how would they overcome that hurdle?
It's an actually really good system, as the origin (aka the domain displayed in your URL bar) changes during the redirect.
The problem is the lack of user education as to what an "origin" is.
But assuming there is good user education, this is the proper way to do it. One (untrusted) origin redirects you to a trusted one with instructions to give it some information. The trusted origin asks for your authentication and tells you what the untrusted origin is requesting. If you approve, the untrusted origin only gets the very specific data it requested (and you approved) and nothing else.
The problem is using bank account for anything else than managing and transferring money. Confirming identity is a "convenience" no one asked for. Government services have their own authentication. Bank shouldn't know where and when you are accessing any other services, they _will_ use it for profiling or could even escalate into some KYC enquiry. Government should know only your IBAN. Connecting these dots for various service providers will never work in your favor.
I got several people wanting to send a courier last time I listed something on Facebook. Checking their pages, they were all from eastern Europe with no obvious connection to my city. Good to know the mechanics of the scam, I wondered what they were up to. Don't understand why Facebook couldn't have auto detected the messages though - seemed like a pretty major failure of marketplace that the majority of the messages I got were scams.
It's so easy to spot marketplace scams that I'm baffled people still fall for them.
Are you going to show up with cash on my doorstep (or another agreed upon location)? If yes, we can continue talking. If not, you are blocked and reported. End of story.
The article mentioned it was a listing specifically for a large item.
I get why someone might not show up on my doorstep if they’re buying a piano - they probably need to hire somebody and are themselves not going to contribute anything to the piano moving process.
But fully agreed that once you’re an inch off the “show up with money” path, everything is suspect.
That's even more of an indicator that it's a scam. You put a listing for something big/bulky/expensive on the internet and some person sees a couple pictures, thinks "good enough" and immediately wants to wire you hundreds of dollars? Without actually seeing it or making sure they aren't getting scammed? Nope, does not happen.
This is common. I've done it myself and had no problems. I want to buy some bulky item from another part of the country, I trust the seller, so I just wire them the money and tell them when my movers are going to show up.
Because like everything else in law, the lower charge becomes irrelevant in light of a worse offense. Breaking into someones home is burglary, but do it when someone is home and it becomes home invasion. Do it with a weapon and it becomes an aggravated charge.
At that point, nobody cares if you were trying to steal the silverware.
From the description, these are rent-a-scammers, who convince people that renting their all in one scam platform is a great deal. It probably isn't, or they'd be doing it themselves. It's a good deal if you place a premium on feeling clever from scamming people, and don't care about the risk of getting hit by the police, or by rival would-be scammers eager to show they're more tough criminals than you.
It's the lifecycle of a scam. Once it really isn't worth the effort anymore, it gets packaged up and sold to stupid kids.
This isn't any different from those seminars that teach you how to make money in real estate, forex, or similar. All you have to do is buy their books and attend their seminars and they teach you how to host your own seminars.
I had a bunch of those whenever I tried to use OLX - both on OLX messages and Whatsapp as well. Bot prevention is 0.
I know people who were successfully scammed as they think they are entering their card details to get money transferred by their card number.
The author has shared information that he had discovered the scammers are operating in Spain and Italy as well. So it is not specifically because of language similarity.
That's bizarre - someone tried to scam me in a similar way literally a few minutes ago.
I am selling something on a marketplace. Someone contacted me - they want to buy the thing I am selling. Do I still have it? I say yes. They say they are sending a GLS courier to collect the item. I figure they need the item fast - we are celebrating Christmas tomorrow. Why not.
The "buyer" sends me a link to a service supposedly offered by GLS, where GLS works as an intermediary - they collected the money from the buyer; when they collect the item, they will pay me. This is happening in the Czech Republic, and services like that seem plausible here. I do not know every detail of every delivery service offered here. The page looks just like an ordinary GLS page. I am in a hurry. I do not pay that much attention. I pause and check only when redirected to my bank's authentication page (this is the phishing part, obviously). Turns out GLS offers no such service.
I was closer to giving them what they wanted than I imagined possible. I was on autopilot until the last second. Not even my bank's login page surprised me that much - we have something called "bank identity" that lets you authenticate stuff by your bank ID. It is so convenient that I got used to it and I do it carelessly.
>> I hate scammers
Yes, me too.
I missed something: why do you as a seller have to enter your bankdetails?
That is the thing - you don't.
In Czechia, something called bank ID is commonly used to authenticate. The point is to verify it is you, for example when you sign a contract online, fill in tax returns online... stuff like that. The way it works is that you are on some site, you get redirected to your internet banking, you log in (that's what I meant by "bank details", I am sorry about expressing myself so clumsily), and your bank redirects you back to that site with confirmation that is you.
Do I need to verify my identity when someone wants to send me money? Who knows. This is the part that made me check. But I was close to not checking simply because it is habitual, and you do stuff like that automatically.
Nowadays, we are often dealing with systems we do not fully understand. You get redirected to some familiar login form, you log in, and you don't even pause. Well, at least I do it. I should be a lot more careful, apparently.
Canada checking in. We have the same system for authenticating with government services. https://www.interac.ca/en/verification/personal/sign-into-go...
I dislike this as well, as this is conditioning people to not second guess why a third party website is sending you to your bank to login. As well as scam websites I've come across that mirror the authentication process down to every step you would have when using it for legitimate purposes. Scam website>Scam Interact login parter>Scam web banking login> stolen bank credentials.
Holy crap! I would have thought Canada would know better than use this “Bank ID” method.
Honest question. Shouldn't this internet banking that offer authentication as a service do it via at least mandatory 2FA for log in. I would guess that way fake bank sites would be failing?
I dont have many banking relationships, using 2 banks and there is not even a password to remember, all login is done via authentication apps.
Login page redirects have become a big user security hazard it would seem - and OAuth is basically the culprit.
The entire social engineering of sending everything off to 3rd party is something that really irks me. The touted convenience of faster to deploy updates by using 3rd party rather than depending on local version updates has never been enough for me. It also was the sugar pill for switching to rent seeking SaaS to gain traction.
I don't want my web server dependent on anyone else's server/service being available or in any other way slowing down my user's experience.
The only service that I have no local solution is payment processing.
Holy crap. What a terrible system and I hope my part of the world never implements such forms of tech.
I am not sure I can agree with that. I almost got scammed, but isn't that my responsibility to check?
The thing is, those services really are useful. A lot of stuff that used to be complicated and required me to stand in line somewhere can now be done comfortably from home. Many good things can be abused, but that does not mean they should not be implemented. And you don't have to use it if you do not want to.
Also, I don't know how the scam works behind the login form that stopped me, but I think it would not have worked even if I had given them my info because there is 2FA - how would they overcome that hurdle?
Sorry, I was not clear. I was talking about having to use your bank for authentication/sign in.
It's an actually really good system, as the origin (aka the domain displayed in your URL bar) changes during the redirect.
The problem is the lack of user education as to what an "origin" is.
But assuming there is good user education, this is the proper way to do it. One (untrusted) origin redirects you to a trusted one with instructions to give it some information. The trusted origin asks for your authentication and tells you what the untrusted origin is requesting. If you approve, the untrusted origin only gets the very specific data it requested (and you approved) and nothing else.
I’ll repeat what I said above/below: Sorry, I was not clear. I was talking about having to use your bank for authentication/sign in.
The problem is using bank account for anything else than managing and transferring money. Confirming identity is a "convenience" no one asked for. Government services have their own authentication. Bank shouldn't know where and when you are accessing any other services, they _will_ use it for profiling or could even escalate into some KYC enquiry. Government should know only your IBAN. Connecting these dots for various service providers will never work in your favor.
I got several people wanting to send a courier last time I listed something on Facebook. Checking their pages, they were all from eastern Europe with no obvious connection to my city. Good to know the mechanics of the scam, I wondered what they were up to. Don't understand why Facebook couldn't have auto detected the messages though - seemed like a pretty major failure of marketplace that the majority of the messages I got were scams.
Someone is probably afraid to be too effective at filtering them out, as it would nuke their numbers. (Engagement/messages sent? Who knows)
If most of the traffic is scams, it’s not like they can remove it without something showing up in their metrics after all.
Search, and USPS ‘spam’ mail has a similar problem.
It's so easy to spot marketplace scams that I'm baffled people still fall for them.
Are you going to show up with cash on my doorstep (or another agreed upon location)? If yes, we can continue talking. If not, you are blocked and reported. End of story.
The article mentioned it was a listing specifically for a large item.
I get why someone might not show up on my doorstep if they’re buying a piano - they probably need to hire somebody and are themselves not going to contribute anything to the piano moving process.
But fully agreed that once you’re an inch off the “show up with money” path, everything is suspect.
That's even more of an indicator that it's a scam. You put a listing for something big/bulky/expensive on the internet and some person sees a couple pictures, thinks "good enough" and immediately wants to wire you hundreds of dollars? Without actually seeing it or making sure they aren't getting scammed? Nope, does not happen.
This is common. I've done it myself and had no problems. I want to buy some bulky item from another part of the country, I trust the seller, so I just wire them the money and tell them when my movers are going to show up.
Hey, only a hundred ish for a piano? Even if 1/2 the time it’s a scam, that’s still a pretty good deal.
This is how overall marketplace trust dies and the overall industry collapses though.
This is how I do it as well, gumtree or marketplace. I Still have to deal with the spammers messages and reporting
The ‘beauty’ of the Internet is how scalable it is. Both for good, and for evil.
Even if you get .01% success rate, if it costs so little to reach 1M people, you’ll do well.
> It's so easy to spot marketplace scams that I'm baffled people still fall for them.
That's survival bias. There are some you can't spot.
You missed their point. It's cash on the barrel head or counterparty is presumed to be a scammer. If you follow that rule you'll never be scammed.
> If you follow that rule you'll never be scammed.
until you get robbed, kidnapped or forced to do a bank transfer.
you just named multiple things that are not a scam
How not? The robber never intended to finish the deal.
Because like everything else in law, the lower charge becomes irrelevant in light of a worse offense. Breaking into someones home is burglary, but do it when someone is home and it becomes home invasion. Do it with a weapon and it becomes an aggravated charge.
At that point, nobody cares if you were trying to steal the silverware.
[dead]
None of those things are a scam.
Awesome work. Entertaining read. Много поздрави!
Good work!
As noted, it probably won't change anything, but scammers are a lot more sophisticated, these days, than they used to be.
From the description, these are rent-a-scammers, who convince people that renting their all in one scam platform is a great deal. It probably isn't, or they'd be doing it themselves. It's a good deal if you place a premium on feeling clever from scamming people, and don't care about the risk of getting hit by the police, or by rival would-be scammers eager to show they're more tough criminals than you.
It's the lifecycle of a scam. Once it really isn't worth the effort anymore, it gets packaged up and sold to stupid kids.
This isn't any different from those seminars that teach you how to make money in real estate, forex, or similar. All you have to do is buy their books and attend their seminars and they teach you how to host your own seminars.
If only there were authorities that would take actions to track down these scammers with as much zeal as they track down pirates...
I had a bunch of those whenever I tried to use OLX - both on OLX messages and Whatsapp as well. Bot prevention is 0. I know people who were successfully scammed as they think they are entering their card details to get money transferred by their card number.
If anyone here has done a similar reconnaissance operation - I am curious how much time does it roughly take ?
Why am I not surprised that Russians are behind this scam?
because their similarity in language with Bulgaria helps performing convincing scams
The author has shared information that he had discovered the scammers are operating in Spain and Italy as well. So it is not specifically because of language similarity.
[flagged]
Russian is not a race.
Neither is "Mexican", yet saying something like "All Mexicans are <negative quality>" would be an unequivocally racist statement.
[flagged]
[dead]