Introduction

Hello and welcome to Hacker Public Radio, I’m Edward Miro and for this episode I decided to record on a personal experience I had recently helping a client catch a Craigslist Scam. This will be part two in my series I’m calling “Information Security for Everyone”. As with most of the content I publish in the world of INFOSEC, my goal is to present the information in a way that a majority of people can get value from and anyone can play this for a friend, colleague or family member and make it easy for the non-hackers in our lives to understand. This particular episode shows a powerful way social-engineering can be implemented to steal money from unsuspecting victims and I will break down a few main points and red flags to look out for at the end.

A couple weeks ago I was sitting with a client when she asked me offhandedly if I’d ever sent a Moneygram before. I told her I had and ask curiously why she wanted to know. She explained that she was very excited to be adopting a puppy from online and she needed to send $350 USD to the service that ships pets across the country. This immediately caused my hacker-sense to start tingling so I probed a bit more about the transaction.

I asked if she had spoken to the seller on the phone, and she said she hadn’t. I said that seemed weird, but she assured me that the seller said it had to do with her religion. I wasn’t aware of any religious prohibitions to speaking on the phone that also allowed using Craigslist, but okay. I told her that that seemed a bit fishy to me. She asserted that she thought it did too at first, but she knew it was legit because she wasn’t sending the money to the seller, it was being sent to a third party pet transportation company that the seller had had contact her. She even showed the website of the company on her cell phone, which to be blunt, to my eyes looked extremely janky. I asked her if we could sit down for a few minutes and take a look at a few details before she sends anyone any money. She reluctantly agreed and really wanted this puppy.

The first thing I asked to look at was the emails back and forth from the seller. I checked Google and all other major social media sites for the sellers name. No matches. Couldn’t Google the sellers email address due to the Craigslist email relay system. This in and of itself might be okay, we all use pseudonyms online sometimes and Craigslist is a site you might not wanna use your real name. Fine.

She then showed me the email thread with the shipping company.

The first strange thing I noticed from the emails was the link to the pet shipping company. The name didn’t match the URL in the link. You’d think a business would be able to get their own name right. I also saw that if you Googled the name given by the shipper, it’s extremely similar to a legitimate pet shipping company and indeed that legit company comes up as the first site found due to Google “fixing” our query. When you go to the link in the email however, the site itself was terrible to my eyes, but not to my client who is not as seasoned as I am at catching scams. I also showed her that the “company” didn’t have any social media presence. At all. No Facebook, Twitter, anything. Also the email address that was contacting her was reallylongcompanyname@outlook.com

She also told me she had spoken to the shippers on the phone and I asked if she still had their number. She did, but she told me she couldn’t ever get through when she called them and they’d always have to call her back. I asked for the number and called it on my phone. It was a Google Voice number! Not only that it was set to screening mode. She also told me when he did call her, he was rude and tried to get her to hurry up and send the money. I told her I was 100% confident this was a scam and I advised her to not go through with the deal.

At this point she was extremely unhappy, but felt it was still a legitimate transaction because she had pictures sent to her of not only the puppy, but of the puppy in the shipping crate at the shipping company waiting for payment to be shipped. She explained that it’s not like it was a person trying to sell dogs or from a puppy mill. It was a lady giving it away for free and the money was for was the shipping. She just didn’t see why a scammer would go to the trouble of doing that and felt the pictures were authentic. I asked her to save all the images to her device and then showed her a site she could use to do reverse image searches. Before she did it, I asked her if she agreed that if this wasn’t a scam those pictures wouldn’t exist anywhere on the internet. She agreed and each of the pictures was found at least 9 other places online. Her heart sank and she didn’t have any further rebuttals to my concerns. She knew it was a scam and I just saved her from losing at least $350 USD. Not to mention that the scammer would have also asked for more money later for “shots” and “insurance”. Who knows how far they might have gotten.

So here are the main red flags:

• Seller wouldn’t talk on phone
• Seller name didn’t seem legitimate
• Name of shipping company didn’t match URL in email
• Googling company name shows close match with legitimate company
• Company website very poorly designed and implemented
• Company has no social media presence
• Email address of contact at company using generic email address and not a legit domain
• Contact at company could only call her and she was never able to make inbound calls
• Phone number of company was Google Voice number
• Reverse image searches showed “proof” photos unoriginal

A few of the tricks used by the scammers in this scam to make it more successful:

• Listed as adoption versus a sale to alleviate concern
• Handed off to “second party” to build legitimacy
• Use cute puppy pictures to appeal to emotion and overrule suspicion
• Counted on target not paying attention to detail
• Shipper established a sense of urgency

She was very thankful and I told her to be very careful when anyone from online ever asks her to send money. I told her in all likelihood this was probably one person the whole time, hence why the person adopting out the dog “couldn’t talk on the phone”. They were also probably not even in this country as we know many of these scams aren’t. She did say that the shippers English wasn’t good. I also told her to make she shares this experience with all her friends and family. I always feel the best way to handle someone getting caught in a scam is to be on their side and never shame them. We are all susceptible to scams and social engineering and the best way to proceed is to empower them to share what they’ve learned. I also sent her a link to an article on the BBB site about these very types of scams that I’ll also link below. She was shocked how similar her experience was to the ones explained on the article.

Well, thank you for taking the time to listen to my experience helping a client avoid getting caught in the all too common Craigslist scam. I hope this will help any non-hackers in your life and like I say in all my podcasts, I don’t claim to know all there is to know and love feedback and any opportunities to learn more or collaborate with others in the field. As with most of the research and articles I’ve written in the past, these are geared toward standard users in a business setting and are meant to be a jumping off point for further research and to be a foundation for cyber security 101 level training classes. If you like what I do, and want to have me come speak to your team, or just wanna chat, feel free to email me.

Thank you and have a great day!

Links:

https://www.bbb.org/article/investigations/14214-puppy-scams-how-fake-online-pet-sellers-steal-from-unsuspecting-pet-buyers-a-bbb-study

https://www.rover.com/blog/internet-dog-puppy-scams/