My parents' independent gas station in rural western Ohio (in a town of sub-1000 population, albeit on a state route that sees significant commuter traffic) was targeted for a voice phishing scam over the last week. A caller left voice messages to multiple recipients (we're not sure how many, but it seems like at least double-digits) purporting to be the gas station and asking to settle-up unpaid bills via credit card over the phone. I didn't get to hear any of the callers, unfortunately. The call-back number they left wasn't the gas station's number, nor was the caller ID the gas station's number.
At first I felt like it was probably a small-time local scammer. Then I thought about how close we are to being able to run this entire scam using fully automated means (including voice assistant software and an LLM to talk to the callers, probably with a human in the loop for handing exceptions). I assume we'll see a rash of these kinds of scams targeting local businesses once the tool kits to run them become widely available.
The idea of building up the automation to run that scam sounds like fun. I wouldn't actually do it but somebody with fewer moral scruples absolutely will (or, rather, probably already has).
Voice phishers are looking for people to say "yes" and read numbers. Just say no!
Does that really even matter anymore, now that we can generate anyone’s voice saying anything?
Follow the same steps for callers whose voice you don't recognize, before giving any financial information or reading any codes, call the person back using a verifiable good number.
All I’m saying is that if I were a scammer, I wouldn’t bother tricking someone into saying a specific thing. I’d just use gen AI. I’m definitely not arguing against “call the person back using a verifiable good number.” If everyone did that, we’d hear about a lot less fraud.
There are some idiotic banks now using "voice verification" such that capturing your voice may be of value to fraudsters.
Unfortunately it's generally impossible to get your bank to stop using insecure authentication mechanisms except by changing banks, and good luck with that because it sure seems like practically all banks can eventually be convinced to give away your funds to someone with your personal information and the ability to sim swap you.
It is neat like with Twilio you can produce that audio file for the voicemail with XML but yeah I have no drive to screw someone over myself
I have gotten a few of those "Apple" phishing attempts. They really look legit. My Apple ID got compromised, many years ago, and people try to use it, from time to time.
However, I am pretty up on the state of my accounts, so I won't follow up on them.
The only people who ever call me, from Apple, are the Developer Support folks, and that's usually to castigate me, for stepping on some soft spot, or in response to me reaching out to them. I totally ignore calls from numbers that I don't know; a rare privilege.
I got a vociemail from Kaiser Permanente just yesterday, telling me I owed for a recent medical visit. The voicemail went on, citing some (probably fictional) laws that allowed them to start garnishing my wages immediately for unpaid medical debt. ... I've never been to Kaiser in my life, not even the parking lot. LOL
Wait until you get a medical bill after an expensive procedure. You'll get 6 bills from a bunch of different doctors and facilities, you'll have no idea who any of these people are, and none of the amounts billed match up to what your insurance says is owed or was paid. They can't or won't explain what the costs were, or why some portion of it was covered or not. It'll take a whole day to reconcile everything after talking to multiple billing departments, and your insurance company.
And that's why the scam they are trying to pull on you works for a lot of people. It's too much headache to deal with all of it and fight it, and usually you're still sick or recovering and won't have the mental power to deal with it, or notice that it's even a scam.
> I totally ignore calls from numbers that I don't know; a rare privilege.
When I am not totally busy, I usually accept them and put myself on mute and put the phone down.
They typically waste a minute saying 'hello, hello?' before hanging up, while I keep working. (Alas, I get a lot of spam calls.)
Your method probably leads to more calls since your number will be marked as active if you pick up
They usually spend a minute cursing my mother in a language I don't understand, but they aren't organized enough to note that my number is a huge waste of time.
Occasionally, when I'm bored, I actually tried to engage with them, but they immediately hang up, when they notice I don't speak Mandarin; and my attempts at Nihao haven't convinced anyone so far.
For context, I'm in Singapore, and I suspect the vast majority of these spam calls are manned by PRC people.
I get tons of these on my Canadian VOIP number, even I don't live in Canada. I can't decide if it's because they know a Mandarin phishing will hit 5% of Canadians so it's worth the effort to spam everyone or if it's because they know who I am and that I can speak passable Mandarin, which is somewhat creepier.
Canadian here who can barely get past ni hao... My voice mail from SPAM tends to be Mandarin, so I think it's a shotgun blast to the 5%
As an American with a Texas area code, I noticed a wave of Chinese-language† spam - I recall reading that it was some sort of scam involving threats of deportation, maybe? But it settled down after a few weeks. Maybe their targeting got better, or maybe enough word got around the Chinese-speaking community to make the scam unprofitable.
† - I have on idea which language specifically was being spoken. Probably Mandarin, but how would I know?
> and my attempts at Nihao haven't convinced anyone so far.
Try some Nihao’s and then say you’ll go get grandma or something. You’re just the child answering the phone for your immigrant parents that always forget that the call is on hold.
They immediately hang up. And I don't sound like a child on the phone.
Funnily enough, I am an immigrant parent myself here.
I have two numbers in the same area code, one work and one personal.
I mess with them on the personal line but never the work. (Ok, that’s slightly different than answering vs not).
Informally, I don’t see a difference and this is after years of this hilarious activity.
Pickup but silence might end up being better than letting one's voicemail grab it. Would make for an interesting study.
My phone has an automatic response button, which lets the caller talk to a computer voice. They never have much to say after I press that.
I think if you pick up but are silent it's still (mostly) fine.
I would think those who answer the calls are automatically placed on a list as this person answers and your number is sold as such.
Personally I have the "Silence Unknown Numbers," feature on my iPhone always toggled on. All unknown ..not in my contacts already..I never hear or see calling.. I might see I missed their call but my mind ignores missed call.
Overall if I dont know you well your not in my iPhone contacts ..getting to know new folks they are given my Google voice number which is only for texting.
My phone number is already on multiple lists like that; I get a minimum of three spam phone calls a day. I don't think that answering or not-answering is going to make a significant dent.
> Personally I have the "Silence Unknown Numbers," feature on my iPhone always toggled on. All unknown ..not in my contacts already..I never hear or see calling.. I might see I missed their call but my mind ignores missed call.
I have a young child, in school and after-school activities; I don't want to risk missing a relevant phone call, as well as phone calls from actual doctors & such who need to get in touch with me. (And I can't easily whitelist every phone number some given office/person might end up using to reach me.)
I'd love to do this but too often a call is made by an unknown number to me in response to an action, e.g i requested a dishwasher repair via email, i was called to schedule it by the contractor it was assigned to by my landlord. If i ignored that call it's likely a game of chasing them back up and potentially navigating PBX systems, etc
I find that caller-id works pretty well for these kinds of expected unknown calls for me. But that might just be a Singapore thing? (Or perhaps it's an Android thing, and Google looks up the number? Not sure.)
They can leave a voicemail.
I just have a number with a rare area code and then block everything from that code using NumberShield, the iOS app. I usually have a few voicemails to delete but I don’t really notice the calls.
I do have to laugh at security, though, since many banks and trading companies just call you direct. I’ve definitely received incoming calls that I hesitate about not continuing. Fortunately, I’m not too confident in my skill to detect a phisher so I always go online to find the official account to call.
If they can redirect my call then I’m doomed but often it’s exactly a completely normal call. They were just calling to make sure the wire I set up was intentional. Come on, dude!
There are so many non-techy folks that are getting run over by phishers. If tech workers can also be targeted, the rest really have no hope.
I really wish someone would make movies or enticing thriller series out of these post-mortems. There are some good stories to be told, plus it would help the most vulnerable to be better prepared..
We’ve lost control of the telecom system. The fact you can’t trust caller id and bad actors aren’t banned still astounds me.
Finland passed a law that simply forbids forging caller IDs and forced telecoms to implement it in 2024.
https://ficom.fi/news/combatting-scam-calls-and-smss-how-fin...
Yep, we need the equivalent of DMARC, DKIM, and SPF for the telecom system. We solved it for email, feels like we should be able to solve it for telecom.
I really hate any system that relies on the telecom system for any sort of verification. I hate every website/app/whatever that doesn't let you disable SMS verification as a "backup". So many places that offer (and even force) 2FA just let you bypass your authenticator with SMS verification.
This exists. https://en.wikipedia.org/wiki/STIR/SHAKEN
Yes. Now tell me how I can determine the stir/shaken attestation level of a given incoming call to my iPhone before I answer it.
(The answer in my experience is: you can’t, and next, nobody knows what the different attestation levels mean, and many legit calls still come in without any attestation)
It’s like if browsers only told you that https was enabled after you POSTed your credit card number to the remote site.
And it does work, despite what people will say. My carrier blocks outbound phone calls from caller IDs of number we don't own. The next step will be to for carriers to start refusing calls that don't pass attestation.
My carrier is GoogleFi, and I still get several phone calls a day with my cellphone's area code as the incoming number. (At least, it makes it easier to ignore those calls. I really wish I could program my phone to automatically reject any calls from that area code if it's not in my phone book.)
It exists.
It's utterly ineffective to the scale of attack.
It’s still being deployed. Or more precisely, it’s now mandatory and the service providers which haven’t implemented it are in the process of being forcibly removed from the PSTN: https://natlawreview.com/article/fcc-cracks-down-are-you-rea...
The US telecoms industry has supposedly been "fighting phone spam" for well over a decade. I can tell you it's simply not working.
The system will die, if not from the abuse than from rejection by individuals, businesses, and organisations. And I suspect we'll never again have a single universally-accessible voice comms system again.
Email has similarly been slowly dying for similar reasons.
STIR/SHAKEN isn't helping much either. The carriers are all about that sweet, sweet revenue...
The FCC is fixing this: https://www.fcc.gov/call-authentication
This is really a case where PSAs/ads could actually help.
The targeted old people still watch TV, and * hearing* the actual fraudulent pitches will be far more educational than reading about it.
You're totally right, but I also wonder what you could even say in 30 seconds? Don't trust the person on the phone who sounds exactly like your grandson? There's so much nuance to explain.
"The Beekeeper"
The relative ease with which called-IDs can be spoofed seems to be one of the major "tools" with which scammers can gain the trust of their victims (or trick other systems into believing that they are the victim). Most of the non-technical folks I know will also more or less blindly trust a caller-ID. Fortunately, many scammers (at least here in Europe) are still calling you claiming they are interpol following up on your Paypal account being breached whilst a +233... number shows on your phone.
>> In Tony’s ordeal, the crooks appear to have initially contacted him via Google Assistant, an AI-based service that can engage in two-way conversations.
This type of scam has been going on since the early 2000's.
Back in the day when I was a fresh faced high school kid working for a mom and pop wireless shop, criminals would use the NAD rely system to call dealers like the one I worked for. They'd offer credit card payment for phones without any service on it ask for it to be mailed to a PO Box. Back then, companies like Verizon subsidized their phones so to buy a phone without any service on ran $500+ and we rarely, if ever sold phones without service on it since that's how me made our money.
As soon as a new model phone would come out, it was like clockwork. We'd start getting relay calls everyday for about a week. Once they figured out we weren't a mark, they'd stop.
Kind of interesting thieves are just utilizing newer technology for the same type of scam.
True the underlying scam is the same, but the operating costs have gotten quite a bit cheaper. Before one person could only call one target at a time, today with a good SIP trunk a single person can target thousands of numbers a day and not even have to be present. It can be just a background task running on their desktop while the scammer goes to their normal 9 to 5.
I have been receiving various spam texts under the pretext of USPS has lost my mails and would like to reaffirm my address to them. The scammers are pretty smart to build an identical looking to site USPS (pretty easy if they copy CSS but change the endpoint for form submissions). Those with the keenest eyes and a bit of commonsense can dodge these types of phishing.
Tbh at least iPhone iMessage protects even the less knowledgeable from just blindly clicking through these links.
I’ve received at least a half dozen of these in the past week. Every time, the link is disabled so you actually have to copy and paste the url into safari. In fact the scammers even helpfully include instructions for someone to scam themselves in the text message. Here’s one of the most recent ones:
> (Please reply Y, then exit the text message, reopen the text message activation link, or copy the link to Safari browser to open it, and get the latest logistics status) Once your verification is completed, we will arrange delivery again within 24 hours. Have a great day from the USPS team!
Any time you get a message purporting to be from the USPS saying there's a delivery problem and you need to pay a small fee to fix it, it's a scam. Block and report.
Royal Mail legitimately use a custom link shortener at ryml.me, which doesn't help confusion.
> Included in the message was a link to a website that mimicked Apple’s iCloud login page — 17505-apple[.]com.
So... the main culprits are the idiots that hide the page URL in the name of user friendliness?
Presumably this is more relying on the prevalence of subdomains and for users to not notice that 17505-apple[.]com is not the same thing as 17505.apple[.]com
I am glad this kind of reporting happens but I am sad it is needed. This type of crime is violent in nature. I would rather be mugged than have this happen to me. Being mugged just gets you hurt but this can destroy you and your family.
It’s worth pointing out the incongruity of calling online theft “violent in nature” and then directly comparing it to mugging, which works off the threat of implied violence.
You clearly understand the difference between violence and mere deceit. The fact that this isn’t a violent crime is probably relevant to its popularity, since recruiters don’t have to filter for people who are willing to resort to violence in the face of resistance.
My takeaways
1. The prime target list is people with crypto accounts. You can steal from them much more easily than the real banking system. The guys who got Mark Cuban must have been super pumped until they only got 40 grand.
2. Remote Teams of thieves who scam remote people over the phone tend to be morally lax enough to steal from their teammates and so the teams only last a few weeks. Which is weirdly opposite to the advice for bankers which is crimes occur less when WFH
3. Why did I not get the domain “commandandcontrolserver.com” - that’s cool!
4. This is so easy to fall for. But it’s fairly hard to steal “real” money, and honestly we should pressure banks to make it even harder - something along the lines of “want a loan, visit a branch in person” and similar fraud reduction choices. Criminals are showing us the way - they target easy to steal / easy to get away crypto - so run in the opposite direction
The FTC estimates overseas internet/telephone scammers stole an estimate $122 billion dollars from Americans in 2022, virtually all of it in traditional banking.
Have any data to suggest that these 'crypto' attacks are within two orders of magnitude of that?
This particular scam is targeting crypto users, for sure, but to some extent that's a "who has money" proxy. Other scamming groups do things like use property records merged with personal information leaks to target people who own expensive real-estate.
I don't intend to argue that a bunch of crypto stuff and practices aren't gravely insecure, but if you think you're going to be safe by not using it... you're just wrong. And good practices, e.g. with Bitcoin, may be significantly more secure against these kinds of remote scammers than a bank account is.
I think a better lesson is that any inbound communication is a danger and should be avoided when possible and treated with great scrutiny otherwise.
I see they carefully avoided the cringy word vishing.
Is that something only taught in those lame corporate security training videos?
Phishing over styrofoam cups connected by thread: styshing.
Phishing over carrier pigeons: poopshing.
Phishing over SNMP fault messages from a router: switshing.
Phishing over telegraph: morshing.
Phishing using smoke signals: smoshing.
Phishing using interpretive rhythmic movements and postures: danshing.
Phishing over apartment entry system: buzzhing.
Phishing future generations using malicious messages locked in a time vault: fyushing.
Phishing using a conventional rod, nylon line, bait and hooks: unironically, fishing.
... and other attacks you should watch out for!
Some of these tactics are really clever.
For now, much of this can be avoided by always hanging up if you receive a call from google, apple, etc, and then--if you really thing there's something going on--contact them via an official way documented on their website.
Of course, they try to catch people off-guard as they did Mark Cuban.
When I tell my bank or broker if I should get a call that I'm going to hang up and call back on their main number, they always understand and support it.
My bank has an indicator on the app help page that says "yes, you really are speaking to us" or "anyone calling you and pretending to be us is a fraudster".
> KrebsOnSecurity recently told the saga of a cryptocurrency investor named Tony who was robbed of more than $4.7 million in an elaborate voice phishing attack.
> Stotle’s messages on Discord and Telegram show that a phishing group renting Perm’s panel voice-phished tens of thousands of dollars worth of cryptocurrency from the billionaire Mark Cuban.
> Cybercriminals involved in voice phishing communities on Telegram are universally obsessed with their crypto holdings, mainly because in this community one’s demonstrable wealth is primarily what confers social status. It is not uncommon to see members sizing one another up using a verbal shorthand of “figs,” as in figures of crypto wealth.
Seems like this is all players playing each other.
Does this stuff also affect normal people who have real money in the bank and not digital Chuck E Cheese tokens? I don't think my 401k provider has a one-click "bankrupt yourself" button.
I run a cybersecurity company and I’ve had drinks with Krebs at various events over the years. He’s the real deal, digging up dirt on the people who ruin everything for everyone and risking his life in the process for a minuscule payoff. I don’t know why he does it; I suppose it’s just the journalist’s passion. A really nice guy in person too.
As a testament to his effectiveness at digging out the various online scammers, Akamai "had to" boot Krebs off of their service - the criminal gangs wanted him and his website out of the picture, and directed enough DDoS volume to overwhelm Akamai's ability to handle the load.
IIRC Google intervened and offered to put him behind their shield system. Which I think tells more about Akamai than anything else. (Krebs's website address resolves to a Google network space.)
In a fit of irony, even sometime after that event, Krebs's website still sported Akamai's DDoS protection service ads.
Unless you have direct 1p knowledge Im very skeptical of framing that as a capability or capacity problem (“had to” “overwhelm” etc). Im very confident it was purely an effort vs benefit discussion. Which isnt too hard when the benefit is an intangible good will.
Ive worked for a very large CDN, and Ive both unilaterally removed a customers access and involved in even more awkward “inviting them to use another provider more suited to their use case” discussions with account managers, PMs, legal, etc. There are a multitude of unsurprising reasons those things happen, even for credible and legitimate paying customers. It was _never_ because we were “overwhelmed.” However attracting a high operational burden or cost burden would certainly play in to the _business decision_.
As a trivial example a transparently online gambling site with nominal jurisdiction somewhere difficult in asia may generate very legitimate traffic and even pay their $20 or $200 bill. But that revenue isnt worth the cost of scaling up our network edge all across the AP for unmetered junk bits directed at their distribution, burning goodwill with peers when _their_ network gets blown up, or driving more operational and security load as their gambling site competitors employ more novel and bigger attacks. Simply put not all business is worth it, and you dont have to accept all customers. Part on reasonable terms when possible and apply by relevant laws. Thats the actual obligation.
While I don't have immediate first-person knowledge, the event and decisions were widely reported at the time.
https://www.zdnet.com/article/krebs-on-security-booted-off-a... -- note the quote, in particular
https://www.theregister.com/2016/09/26/google_shields_krebs/ -- "could no longer shield the site without impacting paying customers"
Krebs's own post from the time does not reference the business decisions, only the technical aspects: https://web.archive.org/web/20160922124922/http://krebsonsec...
"without impacting paying customers"
Every company I've worked for has certain clients/customers that the company would (for various reasons) be better off financially to no longer have those clients/customers. At some point, those internal conversations become much less awkward as every realizes the reality of the situation. Those companies that had to undergo bidding processes usually fixed the glitch at that time by making very noncompetitive bids.
Even worse in health insurance.
This all makes sense. But then since Google is not a benevolent entity either, why did Krebs make sense as a customer for Google and not for Akamai?
Very good PR that will get shared in the groups like this one, where some of us are in decision making tables for purchasing such products?
To be fair to Akamai, they were providing their services to Krebs free of charge.
Sure, as a business decision it must have made perfect sense at the time - Akamai had bigger (paying) customers to protect. But that doesn't make the optics around it any less terrible.
The message they were telegraphing with their combined actions was effectively: "We protect some of the largest corporations on the planet... but do not have the resources to keep an individual journalist and blogger online. Your business could be next."
Whoever made the decision to pull service to Krebs should have also thrown their weight around to get those ads off of Krebs's website, because the compound outlook must have been hideous. (How do you get your ads off of a website without causing any more animosity? You quickly renegotiate an exclusivity deal and then choose not to run any ads at all on it.)
Heavy is the head that wears the crown (or offers mitigation services advertised on a cybersecurity website)
If Akamai can't (or won't) serve Krebs, I'm not sure I would want my business to pay them.
Can't edit now, but a point to this I'd like to add: 'serve' could absolutely mean best-effort (ie: filtered, moved, null routed, whatever). I don't intend for compulsory weathering-of-the-storm (for the sake of PR), but rather... recognition that this is part and parcel with The Business.
Maybe they/partners couldn't weather the storm. Report on it; Engineering blogs are all the rage. Being a CDN involves more than serving well-traveled bytes, getting paid, or touting how big of a reseller you are. Cat must chase mouse! Krebs is arguably the best customer for this; not e-commerce (can endure the worst outcome - no service) and has domain expertise.
If I enter a protection scheme with someone who - after all - isn't all that tough... why would I/anyone continue? The internet is a big place.
I didn't realise Krebs was a person, I thought it was a collection of people using a unified moniker. To your point though, we're lucky to have 'unreasonable' people like him, I know I don't have the courage
His first name is Brian. That’s his picture at the top. I can’t think of any other groups or organizations that have the persona of a single person. Can anyone point to an example? Genuinely curious about this.
I always thought Krebbs was a cybersecurity firm organized like a lawyer's or dentist's office, where there is one senior person on the cover but they are rarely involved with individual pieces of work. Crazy to learn it is just one person actually, they do a lot of good work.
Does "Nicolas Bourbaki" count?
This is IMO an excellent example, and the one I came to post.
Previously, McAffee (John McAfee) and Norton (Peter Norton).
Peter Norton also put his photo on the box of AntiVirus.
What about Kaspersky?
As it happens, Kaspersky was founded by three people, two of which are Kaperskys.
For my mind they also haven't really traded on the 'individual security hero come to save you' person(which Norton definitely did in the early years).
I'm not parent, but at some point McAffee could refer to either the person or the company in the past.
Whenever I read a Wolfram blog post that floats to the HN frontpage, I'm never certain if the post is entirely the effort of just Stephen Wolfram, or is a group effort.
That Cringely guy who used to post an IT column.
Cringely used to be a house name (cf. https://en.wikipedia.org/wiki/Pen_name ) until one particular writer who had done most of the work managed to wrest it away for his use (https://en.wikipedia.org/wiki/Robert_X._Cringely )
Previously, Ray Wenderlich.
We don't know but some argue Banksy could be a team effort by now, part of the allure of anon work
Same with Shakespeare, though that might’ve been disproven
I always felt Banksy was a collective of artists.
Banksy is one person but he does have a team that executes most of his projects for/with him.
How do you know?
There's multiple interviews from over the years with people that worked very closely with him, including the person who was his publicist for a long time (or a very similar role, I forget exactly). You can obviously decide that it's all part of some long game of deception but it's just not needed. No one is trying to arrest him here and they haven't seriously wanted to for over a decade, he's become an institution like baked beans.
There’s video of the creation of the death of a phone box piece in his documentary and it was indeed a team of a few people.
Well, for one, he can't film himself installing, e.g., fake artworks in the greatest museums in the world, as he did.
And, for those who don't know, he is from Bristol, England, the home of the band Massive Attack. I've been digging their music lately, especially their songs with the late Sinead O'Connor.
I think it’s on the down low when that’s done.
Mavis Beacon.
Happens in some artistic fields. Rodin didn't personally sculpt all of his sculptures. He directed the effort, but it was too much work for one person. I've seen Tom Clancy novels continue getting published even though he died over a decade ago. I think there are living authors doing the same thing, farming out production to ghost writers and just signing their name to the end product.
There are famous examples in advice columns, sort of. I don't know that any of them have ever been written by different people at the same time, but they've maintained stable personas and names even as the writers have moved on or died. The original founder of the Dear Abby column was famously the twin sister of the second iteration of Ann Landers and they feuded for the rest of their lives over it. They're both dead now but the columns go on using the same byline name.
The "Tyler Durden" author on ZeroHedge.
Using that name specifically has a bit of a different connotation than a generic one with no previous association like "Brian Krebs", though. If anything, it would be _more_ surprising to find out that someone going by the name Tyler Durden was just a single, regular person rather than something else going on.
Anything Elon Musk owns?
trump
He also doxxes random people just because their tool got abused as malware.
There's a German community donating thousands to cancer research each year because "fuck Krebs" (Krebs means cancer in German).
Pr0s js crypto miner?
Seems like a lot of work and upfront capital. I suppose the VC ride is truly over.