Note: some of the finer details of this story have been withheld as this is an ongoing crime, and I don’t want to lead anyone else to the personal details that have been stolen and are freely available online, or make the attacker aware of their mistake while there is still a chance to catch them.
Unearthing a scam
Last Monday I received a text message purporting to be from a well known messaging app. The text read a little like this:
Your subscription has run out. To renew your subscription and verify your account for just X amount of money, follow this link.
Of course I instantly realised this was a phishing attack, but being an inquisitive web developer I decided to follow the link (after taking appropriate precautions) and see how this attack worked. When visiting the link I was greeted by a pretty legitimate looking form, collecting all the standard personal information as well as credit card numbers with security codes, and shockingly, the form also asked for a bank account number, sort code, and security question! Surely people don’t fall for this. Why would a messaging app need bank info as well as your credit card?
The form was hosted on a domain that was intended to look like the real equivalent, only it had a few letters replaced with similar looking ones. Pretty standard phishing tactics. I noticed the form was not hosted at the root of the domain. For demonstration purposes let's imagine this is the address of the scam: http://mylegitapp.com/form/
I wondered what was at the root of the domain (http://mylegitapp.com) and to my surprise I was greeted with an open directory listing of the server, containing a single .zip file. This was obviously a mistake on the attacker’s behalf: the directory shouldn’t have been accessible, and as I’m about to explain, they definitely should not have left that zip file hanging around.
I couldn’t resist downloading the mysterious zip file to see what was inside. On opening the zip file I was astounded to find what looked like the code being used to run the scam 😲. The attacker evidently had very little technical knowledge, or was so confident they couldn’t even be bothered to cover their tracks in the slightest.
A few notes about the code:
- It was written in PHP, a programming language that powers a large part of the web
- It was messy and very unsophisticated
- Hilariously it had built in spam detection! It would check for expletives in the submissions and redirect the user to the real app website as soon as they were detected!
- The victims’ cards were never actually charged. This was all about stealing the details.
- There was a configuration file with instructions on how to set up the scam.
After a bit of poking around, I came to the conclusion that the attacker had probably purchased this scam pre-built off the dark web without much knowledge of how it works. All they needed to do was put their email address and a few other details in the config file and they would be good to go. This meant I was now pretty certain I had the attacker’s email address.
Looking through the code, I could see that after submitting all parts of the form, the stolen details would be sent to the email address provided in the config file, and also stored in a log file on the server.
Whoops, I had accidentally downloaded stolen credit card and bank details!
The log file in the zip only contained one victim’s information, from September 2016, the time that the zip had been created. Needless to say, I was aware that the situation had gotten a little more serious.
Having access to the code, and now knowing its inner workings I could see where the live scam would be storing its victim log. I visited the address of the log in my browser, and there in front of my eyes, were the details of about 20 victims who had been scammed that same day!
The scam was active and apparently very effective! Most of the victims were elderly and had given away everything required to clear out their accounts!
I already couldn’t believe what I had found, but given the mistakes the attacker had already made I thought I’d try my luck and look up the WHOIS information for the domain name. When you register a domain name you are required to provide some basic information such as name, address, email etc. You can choose to hide this information from public view, but crucially, you have to opt in to do this.
Unsurprisingly, it emerged that our attacker hadn’t done this. I now potentially had the email address, name, street address, and phone number of our attacker, as well as heaps of evidence to show them committing cyber crimes.
Trying to alert the authorities/pissing into the wind
At this point I had probably already dug around a little too much. It was time to pass on what I knew to the police; if they acted quickly they might be able to catch the attacker, and at worst they could inform the victims and prevent any money leaving their accounts.
A search along the lines of “Report cyber crime uk” led me straight to the Action Fraud website: http://www.actionfraud.police.uk/ billed as “the UK’s national fraud and cyber crime reporting centre”.
Perfect! A division of the police specifically set up to handle this sort of thing. Nice to see the government taking cybercrime seriously…
I began by following the link to the online reporting tool they provide, chose to report “Online scams or viruses”, and began to answer the questions presented to me. Two minutes later I had reached the end of the form.
Was that it? I had completed 3 multiple choice questions and reached the end of the form without the opportunity to provide any specific details about the crime I was trying to report!
It was clear this wouldn’t do so I started a live chat and explained the situation. Before I could get through most of the details the chat operator provided me with another link where I could provide a report and closed the chat.
Going to that link and navigating past the first few screens, it directed me to visit another site to perform the report. Jeez, this was getting pretty long-winded but I didn’t want to give up. Even while filling out these forms I could see new victims added to the log file.
The next series of tweets pretty accurately explains what happened when I followed this new link:
That probably would have stopped a lot of people trying to report a crime, luckily you can tell Google Chrome to continue to the site regardless. Doing so resulted in this:
I took a few minutes to bask in the irony of the situation I had unexpectedly found myself in… You couldn’t make this up if you tried!
I got straight back on the web chat and this followed:
A few points about this chat. Firstly, I’m pretty certain the initial person I spoke to was Ross. If so, he originally sent me the wrong link (unfortunately I didn’t save my first web chat).
At one point I accidentally pasted a link to a forum dedicated to selling stolen cards into the chat! Not something you want to do while talking to the police 😂. Some information in the code had led me to this forum where I suspect the attacker has an account.
Ross was quick to try the old “it’s not me, it’s your browser” line. I’m a web developer and I hear this line all the time; I’ve probably used it myself more than once. It definitely wasn’t my browser!
The corrected link Ross sent me led me right back to the form I had previously mentioned (pictured above) and now I was more than a little annoyed. I explained to Ross that the form doesn’t actually collect any specific information, and he then directed me to another link: http://actionfraud.police.uk/report-fraud-about-you
What a wild goose chase!
I had actually seen this link earlier on, but had decided it wasn’t the correct place to file a report since it was titled “Report fraud about you”. This entire service is extremely confusing and hard to navigate. I make websites for a living and can usually find my way around even poorly designed sites, but this one had me stumped!
Anyway, for the umpteenth time I began to fill out another form. As you can see in the chat I was worried that it wasn’t going to let me give enough detail again. The first steps weren’t really relevant: it asked for very specific details about the attacker that I didn’t have, and wanted to know things like exactly how much money had been stolen.
A simple email address would have been more than enough for me to provide the police with the details I had; instead I was forced to fudge the first pages of a form just so I could get to the free text field at the end 😤.
I spent over an hour detailing everything I knew in the summary box. Well, almost everything. This box had a 2000 character limit, so after writing the report I had to then go back and prune it to fit within the limit. As if this process couldn’t get any more painful!
Finally I was done. I had already used most of my evening but at least the police would have my report and I could rest happy knowing I had done my bit. I pressed submit on the form and……
This really was beyond a joke now. I had spent so long trying to report this I didn’t want to give up, but I could see I wasn’t going to have any luck reporting it with Action Fraud.
Next up I rang 101, the non-emergency police number. I waited on hold for almost another hour before someone answered. They really aren’t joking about it being non-emergency.
I finally got through and began trying to describe my evening to a cheerful policewoman working for Sussex police force. I started to appreciate that this was a pretty hard situation to explain over the phone, especially when you are speaking to someone with nothing more than basic computer knowledge. She was very surprised I had told Action Fraud that I had access to stolen credit card details and all they did was repeatedly get me to fill out a form.
Having described everything the best I could in layman's terms, the police officer admitted she needed to get technical advice before knowing what to do next. Five minutes later she returned and said that the “technical advice” had told her I needed to be transferred to Merseyside police as that was where the domain was registered.
What had I gotten myself into? It was like I had entered some sort of never ending alternate reality wormhole, falling deeper and deeper into the void.
I explained that it didn’t really matter where the domain was registered, and that localised internet policing didn’t make much sense. She didn’t agree, so reluctantly I accepted the offer to be transferred and was put on hold again. Ten minutes later I got through to Merseyside police.
None of the information I had given Sussex police was passed on, so I had to explain everything again from scratch. This time the police officer I spoke to said he would take a report and we spent the next hour painstakingly going over everything I knew from the beginning.
Phonetically spelling out URLs over the phone is not my idea of a fun Monday evening.
The police officer I had spoken to was very helpful and I was satisfied he had done a good job of creating the report. He said something along the lines of “Holy shit, this is pretty juicy isn’t it” and promised me that I would receive a follow up call once they had looked into it.
I stressed to him that it needed to be acted upon quickly. The attacker could realise at any moment that they had left their scam insecure and fix their mistake. All the evidence would disappear and we would no longer know who the victims were.
Twenty four hours passed and no contact from the police. During this period I saw another 20 people added to the attacker’s logs. For some reason the attacker also appeared to start another instance of the scam on the same server.
I decided to see how much stolen credit card info would sell for on the dark web and apparently you can get around US $30–$40 for good quality info. Not a huge amount, but that meant that already there were 600ish dollars worth of card details sitting in these logs. Of course the real value is surfaced when the cards and accounts are actually used to make purchases.
Forty eight hours passed and still no contact from the police, and still more and more people were falling victim. I was aware scams like this existed but I never had any idea how effective they are! I wrongly assumed people were pretty savvy these days about entering banking information on sites.
Unfortunately most of the victims appeared to be elderly. I can imagine a lot of them had been told to download the app in question by their grandchildren.
I faced a bit of a moral dilemma at this point. I had handed this over to the police, but I was sat there with a front row seat watching daylight robbery. If you were watching someone get mugged on the street would you intervene?
I had access to the code and knew exactly how it worked, so myself and a work colleague began thinking of ways we could disrupt the scam. By doing so we were entering a legal grey area. If we were to enact any of our plans it could also be construed as hacking, and as far as I am aware, hacking in any shape or form is illegal in the UK. Even when you are trying to take down a scumbag scammer.
We started to develop a tool to disrupt the scam, but haven’t yet used it. Unlike the attacker we didn’t want to make any mistakes. Supposing we weren’t dealing with a script kiddie from Merseyside, and we had actually uncovered a hardcore Russian hacking circle, we didn’t want anything leading back to us.
Thursday morning, on my way to work my phone finally starts ringing with a call from Merseyside police. Great, it’s been three days, longer than I had wanted, but at least they would have had a chance to digest the report and can now do something about it.
Hello Mr Maxted, it’s Officer something something here, I believe you have been having trouble with a website?
Not exactly how I would have put it but go on…
We have looked into the case, and we can confirm you are going to need to call Action Fraud.
👎 👎 👎 👎 👎 👎 👎
It was lucky I didn’t drop my phone. Four days after the whole episode had begun and I had gone full circle. If you believe in reincarnation I was just reborn as a fly.
I find it hard to get angry at the police when I know they are so chronically underfunded, but I felt like I had just walked into a police station, explained to them I had witnessed a murder, to then be told I was in the wrong department!
Why should I have to speak to Action Fraud again? Couldn’t Merseyside police pass the information on themselves?
I couldn’t help getting angry when I thought about how our government is constantly finding ways to expand state surveillance powers under the guise of improving cyber security. The Snoopers’ Charter, and more recently talk of banning encryption, are all perfect examples.
This debacle proves that the police don’t need more tools to fight these crimes. They can’t use the existing ones they have! All these new powers do is remove everyday citizens’ liberties, and make the web less secure!
As for the scam? Well it’s still active and stealing cards. I have noticed the attacker clearing out the log file a few times now. This probably means they have already sold a few sets of details.
From Friday until the time of writing, another 20 people have had their cards and bank details stolen, the oldest of whom is over 80.
I’m unsure of the next action. As I said I could easily take this down myself, but I would be breaking the law in doing so, and would risk exposing myself to the attacker. Hopefully by writing this post someone with experience in this area or the relevant authorities will notice and help put a stop to this daylight robbery.
Update 26th July 2017: