
charlesarthur : scam   72

Basic apps are using Play Store loophole to overcharge users • Android Authority
Hadlee Simons:
<p>You don’t have to pay to get basic apps such as calculators and QR code scanners on the Play Store, but Google has pulled some basic apps for exploiting its trial period system.

<a href="https://news.sophos.com/en-us/2019/09/25/fleeceware-apps-overcharge-users-for-basic-app-functionality/">Sophos discovered over a dozen apps</a> that provide very rudimentary functionality, such as QR code scanning, photo editing, and GIF creation. But the security firm found that their sole purpose was actually to over-charge users.

According to the security firm, these so-called fleeceware apps take advantage of the Play Store’s trial period functionality in order to charge unsuspecting users. Sophos notes that once the app’s trial period ends, users are often charged an exorbitant subscription fee, ranging from €105 to €220 ($115 to $241).

The company says these developers routinely charge users, even if you’ve uninstalled the app before the end of the trial period.</p>


So the subscription scammers are there on Google Play as well as the App Store. "Fleeceware" is a lovely portmanteau. Kudos to Google for removing them. (I would have linked to the ZDNet original, but it was too wordy.)
google  subscriptions  app  scam 
21 days ago by charlesarthur
Beware the Apple iCloud phone phishing scam • Frequent Business Traveler
<p>Scammers have a new and improved way to fool people. A new phone-based phishing scam spoofing Apple’s official support number is likely to take a lot of people by surprise and result in those being called providing the scammers with sensitive information.

The call mimics an official Apple support call, displaying Apple’s logo, Cupertino address, and real toll-free number (800 692-7753). This is the same number, displayed as 800 MY-APPLE, when Apple customers request a call from the company.

Several FBT staffers have reported getting such calls in recent weeks. The calls are not identified by T-Mobile (the mobile operator used by our parent company, Accura) as “Scam Likely” even though it is clear that Apple’s number is being spoofed.

The automated message states that the recipient’s iCloud account “has been compromised” and that he should “stop going online.” The automated message then prompts the caller to dial a toll-free number with an 866 prefix for Apple support.

Typically, Apple’s automated system would prompt the caller to press “1” to be connected to Apple support.

I tried calling the 866 number, which was answered by a main greeting that told me I had reached Apple support and provided an expected wait time. The call was answered by a man with a vague Indian accent who, after asking the reason for my call, disconnected it.</p>


So much excess capacity in Indian call centres; seems like they've found a new version of their virus scam.
india  callcentre  virus  scam  icloud 
6 weeks ago by charlesarthur
How over 25 people got scammed into working at a nonexistent game company • Kotaku
Cecilia D'Anastasio:
<p>“Professionally inexperienced but passionate team manager looking for a hobby project to help support and manage,” [Brooke Holden] posted to a subreddit for assembling game dev teams. It was just a lark, yet a half dozen replies accumulated under the post. One in particular stood out, from an account with an active Reddit history on developer recruitment boards. The poster’s name was “Kova,” and he told Holden that his small team of three developers had recently ballooned into a 48-member operation that needed a manager “on everyone’s ass.”

Holden was exhilarated. On June 22, 2019, she signed a contract with Kova’s company Drakore Studios, accepting the position of junior production manager at $13 per hour.

There was just one problem: Drakore Studios didn’t actually exist.

Over the course of a month and a half, “Kova,” real name Rana Mahal, convinced at least 25 people to join a game studio that was not a registered company, and develop a video game to which he did not own the rights, in exchange for no pay. Six of them came forward to tell their story to Kotaku.

The story they told was one of deceit, exploitation, incompetence, and hope, and one fueled by gamers’ desperation to participate in an industry that has stoked their imagination, lifted their mood and forged friendships since childhood. It was a story of a boss who constantly told aspiring developers that their paychecks were on the way and that investors were just about to sink tons of cash into the company’s coffers, and that his high-placed friends at major game development studios were advising him throughout the process. The reality was quite different, and when Drakore unraveled, it unraveled fast.</p>
game  scam 
10 weeks ago by charlesarthur
Investigating some subscription scam iOS apps • Ivan Rodriguez's blog
<p>For some reason Apple allows "subscription scam" apps on the App Store. These are apps that are free to download and then ask you to subscribe right on launch. It's called the freemium business model, except these apps ask you to subscribe for "X" feature(s) immediately when you launch them, and keep doing so, annoyingly, over and over until you finally subscribe. By subscribing you get a number of "free days" (trial) and then they charge you weekly/monthly/yearly for very basic features like scanning QR Codes.

I've been trying to monitor apps that have these characteristics:
- They have In-App purchases for their subscriptions
- They have bad reviews, especially with words like "scam" or "fraud"
- Their "good" reviews are generic, potentially bot-generated.

This weekend I focused on five apps from two different developers and to my surprise they are very similar, not only their UI/UX but also their code is shared and their patterns are absolutely the same. Aside from being classic subscription scam apps, I wanted to examine how they work internally and how they communicate with their servers and what type of information they are sending.</p>


There's nothing fishy in the actual code - all the bad behaviour is right there in front of you, with the scammy subscription stuff. Apps like this are skimming millions every year - probably every month - from Apple users, and Apple could, if it wanted, stop it in a couple of weeks. There's the nanny state, and then there's protecting people from exploitation. This is the latter.
apple  subscription  scam 
july 2019 by charlesarthur
UK regulator proposes ban on crypto-based derivatives • Financial Times
Philip Stafford, Cat Rutter Pooley and Martin Coulter:
<p>UK market regulators are planning to ban derivatives on cryptocurrencies for retail investors, warning it is “impossible” to value them reliably, and that trading them is “akin to gambling”.

A paper by the Financial Conduct Authority on Wednesday set out plans to prohibit the sale or marketing of derivatives linked to cryptoassets such as bitcoin and ethereum from early next year.

An 18-month study of the market by the watchdog concluded that cryptocurrencies could not be valued as easily as other volatile assets such as gold or orange juice.

In one example, the FCA found that two analysts using the same pricing model arrived, separately, at bitcoin valuations of $20 and $8,000. “This makes it impossible to reliably value the derivatives contracts . . . linked to them,” the paper said.

The ban would cover futures, options and exchange-traded notes, as well as contracts for difference — seemingly simple products that allow users to bet on whether prices will rise or fall. Consumers would avoid losses of £75m to £234m a year under the ban, the FCA said.</p>


That's also £75m-£234m that the scammers are going to try to get by other means, so watch out.
cryptocurrency  scam 
july 2019 by charlesarthur
Things got weird for the stablecoin Tether - Bloomberg
Matt Levine:
<p>A month later, according to Bitfinex’s and Tether’s lawyers, they started to worry that the money at Crypto Capital had maybe already been stolen, and that the $625 million that Bitfinex transferred to Tether in their Crypto Capital accounts might be worthless. A month later! As I put it on Twitter, “Bitfinex took $625m in real money at a real bank from Tether, and in exchange gave Tether back $625m in fake money at a fake bank.” Or as the attorney general’s office put it:
<p>That “credit” was illusory, though, since Bitfinex knew at the time that Crypto Capital was refusing or unable to process withdrawals or return funds. In effect, in November 2018 Respondents fraudulently shifted most or all of Bitfinex’s risk of loss of several hundred million dollars onto Tether’s balance sheet, but continued to represent to the market that tethers were fully “backed” by US dollars sitting safely in a bank account. They were not. </p>


Now, to be fair, Bitfinex and Tether deny that the money at Crypto Capital was stolen. Bitfinex put out a statement this morning saying that “the New York Attorney General’s court filings were written in bad faith and are riddled with false assertions, including as to a purported $850m ‘loss’ at Crypto Capital”:
<p>On the contrary, we have been informed that these Crypto Capital amounts are not lost but have been, in fact, seized and safeguarded. We are and have been actively working to exercise our rights and remedies and get those funds released. </p>


Also, to be fair, after they “grew concerned” about Crypto Capital in December, Bitfinex and Tether re-papered this transaction, reversing the $625m Crypto Capital transfer and instead characterizing the money that Bitfinex took from Tether as a loan (that Bitfinex will have to pay back with real money rather than with a ledger entry at Crypto Capital). On the other hand they also expanded the size of the loan to let Bitfinex take even more money from Tether.</p>


This is absolutely stunning, though completely expected. Tether has looked to me either like a money-laundering scheme or a scam or both for months. Seems like it might be the latter.
tether  bitcoin  scam 
april 2019 by charlesarthur
Man pleads guilty in $100m scam of Facebook and Google • Bloomberg
Chris Dolmetsch:
<p>Prosecutors alleged that Rimasauskas, along with some unidentified co-conspirators, helped orchestrate a scheme in which fake emails were sent to employees and agents of the two tech giants. The thieves pretended to represent Taiwanese hardware maker Quanta Computer. They told Facebook and Google workers that the companies owed Quanta money, and then directed payments be sent to bank accounts controlled by the scammers.

“Rimasauskas thought he could hide behind a computer screen halfway across the world while he conducted his fraudulent scheme, but as he has learned, the arms of American justice are long, and he now faces significant time in a U.S. prison,” U.S. Attorney Geoffrey Berman in Manhattan said in a statement.

Dressed in tan prison clothing and speaking in Russian through a translator, Rimasauskas told the judge he took part in the fraud scheme from October 2013 to October 2015, posing as a Quanta employee, creating fake bank accounts in Latvia and Cyprus to receive the scammed proceeds, and signing fake contracts and documents that were submitted to banks to support the wire transfers…

…The scheme netted about $23m from Google in 2013 and about $98m from Facebook in 2015, according to a person familiar with the case, who asked not to be named because the companies haven’t been publicly identified by prosecutors as the victims.</p>
facebook  google  scam  fraud 
march 2019 by charlesarthur
Dirty dealing in the $175bn Amazon Marketplace • The Verge
Josh Dzieza:
<p>Last August, Zac Plansky woke to find that the rifle scopes he was selling on Amazon had received 16 five-star reviews overnight. Usually, that would be a good thing, but the reviews were strange. The scope would normally get a single review a day, and many of these referred to a different scope, as if they’d been cut and pasted from elsewhere. “I didn’t know what was going on, whether it was a glitch or whether somebody was trying to mess with us,” Plansky says.

As a precaution, he reported the reviews to Amazon. Most of them vanished days later — problem solved — and Plansky reimmersed himself in the work of running a six-employee, multimillion-dollar weapons accessory business on Amazon. Then, two weeks later, the trap sprang. “You have manipulated product reviews on our site,” an email from Amazon read. “This is against our policies. As a result, you may no longer sell on Amazon.com, and your listings have been removed from our site.”

A rival had framed Plansky for buying five-star reviews, a high crime in the world of Amazon. The funds in his account were immediately frozen, and his listings were shut down. Getting his store back would take him on a surreal weeks-long journey through Amazon’s bureaucracy, one that began with the click of a button at the bottom of his suspension message that read “appeal decision.”

…Sellers are more worried about a case being opened on Amazon than in actual court, says Dave Bryant, an Amazon seller and blogger. Amazon’s judgment is swifter and less predictable, and now that the company controls nearly half of the online retail market in the US, its rulings can instantly determine the success or failure of your business, he says. “Amazon is the judge, the jury, and the executioner.”

Amazon is far from the only tech company that, having annexed a vast sphere of human activity, finds itself in the position of having to govern it. But Amazon is the only platform that has a $175bn prize pool tempting people to game it, and the company must constantly implement new rules and penalties, which in turn, become tools for new abuses, which require yet more rules to police. </p>
amazon  marketplace  scam 
december 2018 by charlesarthur
iPhone 'Heart Rate' app on App Store attempts to scam customers out of $90 using Touch ID [since removed] • 9to5Mac
Zac Hall:
<p>Despite Apple’s strict review process for software distributed through the App Store, it’s still possible for malicious actors to take advantage of loopholes in the system to scam customers.

The latest example is a rather sophisticated and devious trick used by an app that claims to read your heart rate through your fingertip using Touch ID. In reality, the app (which is currently on the App Store) uses your fingerprint to authorize a transaction for $89.99 while dramatically dimming the screen to fool you.

The con is less effective on iPhones and iPads with Face ID (iPhone X and later and iPad Pro 2018), but iOS devices with Touch ID are still likely the majority of devices in use today.

Using a third-party app from the App Store to read your heart rate from the iPhone or iPad isn’t uncommon either. Apps like Instant Heart Rate: HR Monitor have long used the camera and flash to attempt to take heart rate measurements through the finger.

In the case of the ‘Heart Rate Measurement’ app currently on the App Store, the scam relies on a user not reading the dialog box that appears when a heart rate reading is attempted. The screen brightness drops to its lowest point and the black and white in-app purchase user interface is almost illegible compared to the bright red fingerprint icon that appears on-screen with Touch ID devices.

While the app clearly violates App Store policy for misleading customers with ridiculous in-app purchases unrelated to the app’s function, it’s possible that the trick used by the app was added after Apple’s app review process.</p>

Now removed. But that's super-sneaky.
apple  subscription  scam  appstore 
december 2018 by charlesarthur
Grifter journalist Jerry Ji Guo remanded in jail for alleged bitcoin long con • The Daily Beast
Kevin Poulsen:
<p>He bounced right into New York’s “Silicon Alley” tech startup community, scoring YCombinator seed funding for a group-dating service called Grouper that lasted eight months.

In the years since, according to his LinkedIn profile, the Chinese-American Yale graduate has been owner and head chef of a burger bar in Beijing and founded a “growth hacking” marketing firm in Atlanta. Last year he finally landed in the field he seemed born to occupy, cryptocurrency, launching a $2m ICO for a content-sharing platform he claimed had deals in place with American Idol and The Voice.

Now Guo is on a new adventure, potentially his last for the next 63 to 78 months. On Nov. 9, FBI agents in Puerto Rico arrested the self-described “serial blockchain entrepreneur” on wire-fraud charges for allegedly stealing over $3.5m worth of cryptocurrency from startups that hired him as a consultant.

On Friday a federal judge in San Juan ordered Guo’s transfer to San Jose, California, to face the eight-count indictment, which carries a sentence of up to 20 years in prison by statute, and at least five years, three months under federal sentencing guidelines.

At the center of the case is Guo’s career in the fast money world of initial coin offerings.</p>


Say no more - ICOs are of course grifter central. But some of the detail here in the indictments is amazing.
Ico  scam 
november 2018 by charlesarthur
Bitcoin giveaway scams are flourishing on Twitter. They're probably coming from Russia • Buzzfeed News
Jane Lytvynenko:
<p>A BuzzFeed News analysis of the Target and G Suite account hacks suggests the perpetrators may have been the same ones responsible for similar schemes back in March. BuzzFeed News examined the websites touted in the Target and G Suite promoted tweet scams and determined they share a web server that also hosts sites like btc-back.net, elonmusk.gift, and eth-giving.com.

While domain registration information for those scam sites is hidden, other sites hosted on the server are registered to Russian names with associated emails, and Russian addresses. A QR posted in one of the tweets was hosted on a Russian domain. The server currently hosts 600 Russian and English-language websites for illegal pharmacies, escort services, and a business that promises to improve the levels of World of Warcraft characters. Many of them appear to be based in Russia.

“The phrasing of the tweets themselves seems to suggest a Russian or Ukrainian language actor,” Kalember said. The researcher has also examined phishing emails sent by scammers to marketing and social media managers, which ultimately help them post from verified accounts like @Target. According to Kalember, those emails also show strong connections to Eastern European actors.

Twitter declined a request for technical details on the promoted scam ads.</p>
bitcoin  scam  russia 
november 2018 by charlesarthur
Half of the crypto news outlets we asked would take cash to post our content • Breaker Mag
Corin Faife:
<p>The level of deception used was minimal: we created a fake email account, and claimed to be representing a PR company. There was no fake website or domain associated; it was simply a Gmail address with a profile picture found by image searching “Russian actor.” (I’m sorry to whoever he really is, but for our purposes this is Nikolay Kostarev, a Moscow-based PR agent.)

Next we compiled a list of blockchain media sites. This was by no means exhaustive, but to have a sense of the scale of the problem, we needed numbers. All in all, we reached out to 28 sites, and received a yes/no reply from 22 by the time of publication, with two inconclusive.

There were two main steps to the outreach process: first, using the ‘Contact’ or ‘Advertise’ links listed on the site, we sent an email to request price information:
<p>Hello,
I am representing a blockchain PR company from Moscow, Russia,
and would like information on the rate for advertising on [WEBSITE].
Many thanks in advance,
Nikolay K.</p>


In response, we usually received a price list, or in some cases, a brochure of media rates. Usually this included information on buying banner ads, press release publication, or partnerships to create sponsored content.

If the outlet replied offering any of the above, we sent a further email with a proposal:
<p>Hello [NAME],
Thank you for the reply and information.
Many of my ICO clients want coverage written about them.
But some would like it to not be marked "Sponsored".
Is this possible?
Regards,
-NK</p>


Of course, the simple response to this should be “no.” Indeed, many outlets did respond to tell us that all paid advertising had to be clearly labelled, or to suggest that we opt for another form of sponsored post instead.

Sadly, those that took this route were in the minority.

Of the 22 outlets who replied conclusively, 12 of them—more than half the total—were willing to publish paid content without disclosing it as such.</p>


And yes, they also name and shame, with the prices demanded. Well done.
crypto  journalism  scam 
october 2018 by charlesarthur
Apple pulling high-grossing subscription apps with scammy offers off the App Store • Forbes
John Koetsier:
<p>Apple is systematically combing through the App Store's subscription apps looking for potentially confusing terms of service and pulling apps that look problematic, according to multiple mobile app developers.

The problem?

Scammy subscription apps charging users hundreds if not thousands of dollars.

I broke the story earlier this month and TechCrunch added more fuel to the fire this week. Many subscription apps had a large "Free Trial" button with tiny print beneath it detailing the subscription terms, which often totaled hundreds of dollars a year in credit-card charges. Consumers who didn't read the fine print got caught with sometimes-significant fees.

A developer contact who had a similar app received the following notification from Apple, indicating that his app was being pulled due to its subscription process.

"It seems they are automatically pulling any and every non-big-name app that has a high IAS [in-app subscription revenue]," Albert Renshaw posted on Facebook.

The trial button is the key.

"They’ve been pulling apps and rejecting apps that have a massive button that says 'X days free' without the price inside that button," another developer said. "People don’t read the fine print and that's who they’re after. Before they were lenient but with the negative publicity they’re strict as hell now."</p>


Good. Scams deserve to get squashed.
scam  subscription  appstore 
october 2018 by charlesarthur
Sneaky subscriptions are plaguing the App Store • TechCrunch
Sarah Perez:
<p>Subscriptions have turned into a booming business for app developers, accounting for $10.6bn in consumer spend on the App Store in 2017, and poised to grow to $75.7bn by 2022. But alongside this healthy growth, a number of scammers are now taking advantage of subscriptions in order to trick users into signing up for expensive and recurring plans. They do this by intentionally confusing users with their app’s design and flow, by making promises of “free trials” that convert after only a matter of days, and other misleading tactics.

Apple will soon have an influx of consumer complaints on its hands if it doesn’t rein in these scammers more quickly…

…How are apps like QR code readers, document scanners, translators and weather apps raking in so much money? Especially when some of their utilitarian functions can be found elsewhere for much less, or even for free?

This raises the question as to whether some app developers are trying to scam App Store users by way of subscriptions.

We’ve found that does appear to be true, in many cases.

After reading through the critical reviews across the top money-making utilities, you’ll find customers complaining that the apps are too aggressive in pushing subscriptions (e.g. via constant prompts), offer little functionality without upgrading, provide no transparency around how free trials work and make it difficult to stop subscription payments, among other things.</p>


There's a scanner app which is raking in $14.3m annually by charging $4 per week, and uses a total scam to get you to sign up. Aren't people noticing this stuff on their bills?
apple  subscriptions  scam  appstore 
october 2018 by charlesarthur
Is the price of bitcoin based on anything at all? • Medium
Jeff Wise, writing back in August on the puzzle about Tether - the cryptocoin which claims to be backed by a dollar for every "dollar" worth of Tether:
<p>The white paper that heralded Tether’s creation explicitly calls for regular audits. Without them, anyone buying Tether is effectively operating on faith. Think about it: you can barely rent an apartment without going through a credit check and proving you can cover the cost. You’d think the market would demand some concrete assurances about the issuance of $2.7bn worth of currency.

Let’s assume, though, that Tether really does have $2.7bn sitting in a safe somewhere. Where did it all come from? The most innocent answer is that some deep-pocketed investors decided they wanted to invest in cryptocurrency, but rather than simply buy some with dollars, they instead opted to buy Tether first and then use that to purchase the crypto.

Just why anyone would do that remains unclear, especially since, as UC Berkeley computer science researcher Nicholas Weaver has pointed out on Lawfareblog.com, “[O]ne has to believe that they did this even though these unregulated exchanges have a history of getting hacked, with customers losing their investments.”

A less innocent answer is that the investors couldn’t go to a banked exchange because their funds came from illegal activity, so they used Tether to turn their ill-gotten gains into untraceable crypto loot. In other words, money laundering.

Perhaps the most troubling answer for crypto investors is that Tether minted currency out of thin air, used it to buy other cryptocurrency, sold that cryptocurrency, and used the proceeds to create its reserves. That is, assuming the reserves actually exist at all.

In a sense, though, it doesn’t matter whether the money is in the bank or not. Tether’s terms of service state, “We do not guarantee any right of redemption or exchange of tethers by us for money.” Even if the money is in the vault, Tether holders have no claim to it.</p>

Increasingly I suspect that Tether/Bitfinex's official location in Panama means that it is a gigantic money laundering operation for, eh, shall we say drug cartel money? This would explain its occasional gigantic wafts of money, and its desperate search for a bank that will actually hold its reserves. And why it persists.
Bitfinex  tether  scam  cryptocoin 
october 2018 by charlesarthur
Model Tinder-scams men for date competition in Union Square • NY Mag
Madison Malone Kircher:
<p>When Misha arrived in Union Square, he found a small crowd gathered around the stage. [Natasha] Aponte had told him to meet her at the front. “I guess [the crowd] was mostly male, but that didn’t immediately register to me,” Misha told Select All. “As I was watching the DJ play booming techno on a Sunday I did think it was odd that that many people were staying around and paying attention so attentively instead of just stopping and walking on.”

David, another man who showed up for a date, said he realized something was up when “the guy next to me went ‘Are you trying to meet up with a girl named Natasha?’” Eventually, “everyone started realizing what was going on.” “I got there and a DJ was playing and I found out that hundreds of other guys were also waiting for Natasha,” Spencer said. “I walked away when I found out it was a scam.” He heard people booing as he left Union Square.

Aponte eventually took the stage with a microphone to reveal her con. “She walked on, stated and explained the situation, and validated her actions by saying, ‘Won’t this be a great first-date story!’” Misha described it on Twitter as “a hunger games speech about what it’s gonna take to date her.”</p>


Only a pity that she couldn't arrange for them to fight to the death. No doubt someone will figure that out sooner or later.
tinder  scam  socialwarming 
august 2018 by charlesarthur
Vietnam confirms suspension of Bitcoin, cryptocurrency miner imports • Cryptocurrency News
Samburaj Das:
<p>Domestic businesses and individuals have stopped importing crypto mining equipment altogether since the beginning of July, according to the Ho Chi Minh City (HCM) Customs Department, as reported by Viet Nam News on Monday.

Officials from Vietnam’s largest city said individuals and firms had imported as many as 3,664 application-specific integrated circuit (ASIC) devices in the first half of 2018. 3,000 machines were notably imported by four enterprises involved in mining operations with the rest imported by individuals and organizations who did not include import tax codes, the authority said. A majority of the devices were revealed to be Antminer models, a brand of cryptocurrency mining equipment developed by industry giant Bitmain.

As reported previously, Vietnam’s Ministry of Finance (MoF) first proposed the blanket ban in June after authorities in the nation increased their scrutiny into the domestic crypto sector following a nationwide ICO-fraud that reportedly conned an estimated $660 million from 32,000 domestic investors. The fallout led to Vietnam’s prime minister ordering six government ministries, the police, and the central bank to investigate the scam.</p>
bitcoin  crypto  scam 
august 2018 by charlesarthur
UK university domains spoofed in massive fraud campaign targeting suppliers • HOTforSecurity
Graham Cluley:
<p>As <a href="https://www.actionfraud.police.uk/news/fraudsters-spoof-university-email-addresses-jul18">Action Fraud explains</a>, the criminals are using the bogus email addresses to commit distribution fraud.

Distribution fraud is where criminals make an order to a supplying company (often overseas) via email, posing as a well-known organisation. The ploy is often convincing because they will use an email address that looks similar to the genuine organisation and steal their branding.

Action Fraud says that in the current case, fraudsters are registering domains that are similar to genuine university domains such as xxxxacu-uk.org, xxxxuk-ac.org and xxxacu.co.uk.

Placing orders for a large quantity of expensive products (such as food, pharmaceuticals, or IT equipment), the fraudsters will avoid payment in advance by using faked purchase orders, bank transfer confirmation documentation, or by giving the organisation’s real address for invoicing.

However, the criminals ask for the delivery to be made to an address that does not belong to the spoofed organisation, or in some cases will contact the delivery driver en route to give them a new delivery address.</p>


And why now? Because universities aren't in term time, and so there's less oversight of what's going on.
university  fraud  scam  web 
july 2018 by charlesarthur
2016: beware of Uber vomit scam, passenger says • Gothamist
Mike Moffitt:
<p>A New York City ride-share passenger was sickened to discover that Uber charged her $200 in addition to the fare in order to clean up vomit that she supposedly spewed over the car.

But Meredith Mandel told Gothamist that when she and her companions reached their destination in Williamsburg shortly before 1:30 a.m., they left the Uber vehicle without even a belch, much less puddles of puke.

When she saw the PayPal charge — $19 plus the $200 cleaning fee — for the two-mile trip, she naturally was outraged.</p>

Naturally. Just proving that this scam, highlighted here yesterday, isn't new at all. Though it has reversed the positions of power. In the old days, if you hurled in the taxi, it was tough for them to extract your money. Now it's easy; the harder thing is proving you didn't.
Uber  taxi  vomit  scam 
july 2018 by charlesarthur
Vomit fraud could make your Uber trip really expensive • Miami Herald
Catalina Ruiz Parra:
<p>The next time you use Uber, check your bill. The trip could turn out to be expensive — not just for the distance but for a type of fraud that is on the rise.

It’s called “vomit fraud,” a scam repeatedly denounced in social networks yet still taking place around the world.

And Miami, of course, is a common spot.

What is it? Passengers request Uber cars, which deliver them to their destination. So far so good.

But soon the passenger receives a note from Uber reporting an “adjustment” in the bill and an extra charge that can range from $80 to $150, depending on the driver’s degree of crookedness.

If you think that’s frustrating, you’re right. But the worst is still to come.

The passenger, unaware of what’s happening, tries to contact Uber. The only way to do that is through the “help” button on the company’s app or internet page.

The first reply usually goes something like this: “I understand that it can be disconcerting to receive adjustments to the tariff after your trip ended … In this case, your driver notified us that during your trip there was an incident in the vehicle and therefore a cleanup fee of $150 was added.”

The message is accompanied by photos of the alleged incident — vomit in the vehicle. The Uber driver had sent the images to the company, which considered them sufficient evidence to add the cleanup charge to the bill.</p>


I'd imagine the drivers just have a stock or multiple pictures that they send. (Does Uber check the EXIF data for the photo?) Or perhaps they throw some vegetable soup over it? Either way, Uber is caught in the middle - and regulators say it's not up to them.
uber  scam  vomit 
july 2018 by charlesarthur
How a cabal of romance writers cashed in on Amazon Kindle Unlimited • The Verge
Sarah Jeong:
<p>The fight over #Cockygate, as it was branded online, emerged from the strange universe of Amazon Kindle Unlimited, where authors collaborate and compete to game Amazon’s algorithm. Trademark trolling is just the beginning: There are private chat groups, ebook exploits, conspiracies to seed hyperspecific trends like “Navy SEALs” and “mountain men,” and even a controversial sweepstakes in which a popular self-published author offered his readers a chance to win diamonds from Tiffany’s if they reviewed his new book.

Much of what’s alleged is perfectly legal, and even technically within Amazon’s terms of service. But for authors and fans, the genre is also a community, and the idea that unethical marketing and algorithmic tricks are running rampant has embroiled their world in controversy. Some authors even believe that the financial incentives set up by Kindle Unlimited are reshaping the romance genre — possibly even making it more misogynistic.

A genre that mostly features shiny, shirtless men on its covers and sells ebooks for 99 cents a pop might seem unserious. But at stake are revenues sometimes amounting to a million dollars a year, with some authors easily netting six figures a month. The top authors can drop $50,000 on a single ad campaign that will keep them in the charts — and see a worthwhile return on that investment.

In other words, self-published romance is no joke.</p>


Jiminy. Great reporting.
amazon  kindle  unlimited  romance  scam  money 
july 2018 by charlesarthur
Hunting the con queen of Hollywood • Hollywood Reporter
Scott Johnson, with a fascinating piece about someone who impersonates high-level Hollywood studio execs over the phone and has fooled a stack of people in the business:
<p>The imposter works by using a combination of deceit, charm and intimidation to manipulate her marks. The victims travel to Indonesia on a promise of work and, once there, are asked to hand over relatively modest amounts of money at a time, up to $3,000 in some cases, to help cover expenses for things like car travel, translation, tour guides and fixers. A designated Indonesian "moneyman" arrives on a moped to collect the funds. Needless to say, the promised reimbursements never arrive. Over time, these small sums add up. All told, hundreds of thousands of dollars have been collectively stolen this way. "Even if they're bringing in $300,000 a year, that's a huge amount of money in Indonesia," says Kotsianas, who believes the same group is behind all of the cases.

At the center of the organization is the impersonator — a woman whose sophisticated research, skill with accents and deft psychological and emotional manipulation have earned her the begrudging respect of her victims and trackers. K2 investigators believe the woman is the "talent" of an operation that, while relatively small, may have legs on at least three continents, including the U.S., Asia and Europe. The victims come from all over — the U.K., Europe and the U.S. primarily — and represent a wide swath of creative industries: hairstylists, stuntmen, military advisers, photographers and cinematographers.

The Hollywood Reporter has obtained two separate audio recordings of the woman's voice, which has never been publicly disclosed. Both of the tapes date from an earlier incarnation of the scam, when the imposter was targeting makeup artists in the U.K. at the end of 2015 and early 2016. In one, she speaks in a distinct American twang, a flat, almost nasal intonation, berating her interlocutor (in this case, a victim's agent) about a missed flight. "To be very blunt with you, when I travel internationally, I use this number," she says, exasperated. "This number can be reached, it was registered 10 years ago. OK?"</p>


There's audio as well, if you want to hear how she sounds.
hollywood  scam  fraud 
july 2018 by charlesarthur
Download bomb trick returns in Chrome — also affects Firefox, Opera, Vivaldi and Brave • Bleeping Computer
Catalin Cimpanu:
<p>The "download bomb" trick is a technique that involves initiating hundreds or thousands of downloads to freeze a browser on a specific page.

Across the years, there have been multiple variations of download bombs, and they have often been used by tech support scammers to trap users on shady sites that tried to lure victims into calling a tech support number to have their browser unlocked.

Over the winter, security researchers from Malwarebytes noticed a tech support scam campaign that employed a new "download bomb" technique to trap users on its shady sites. That technique used the JavaScript Blob method and the window.navigator.msSaveOrOpenBlob function to initiate thousands of downloads one after the other to freeze Chrome browsers on tech support sites.

<img src="https://www.bleepstatic.com/images/news/u/986406/TechSupportScams/ChromeBug/Chrome_TSS.gif" width="100%" />

Google devs were made aware of this campaign, and they fixed the issue starting in Chrome 65.0.3325.70. But according to a reply in the original bug report of this issue, the problem has returned in Google Chrome 67.0.3396.87, released on June 12.

"This is broken again in 67.0.3396.87," said the user who spotted the problem. "[I] stumbled upon this issue by a malicious redirect to a scam site that froze my browser," he added.

Other users confirmed his findings that the recent Chrome releases are now susceptible to download bombs again. But the issue is also more widespread than initially thought. Jérôme Segura, the Malwarebytes security expert who first analyzed this issue in February, points out that Firefox is also affected.</p>


Amazing how long-lived this tech support scam is. I was writing about it in 2010, and it wasn't new even then.
techsupport  scam  chrome  firefox 
july 2018 by charlesarthur
In the world of cryptocurrency, even good projects can go bad • NY Times
Nathaniel Popper:
<p>In one of their many promotional posts on Medium, the Envion team wrote: “As financial regulators across the globe look to regulate I.C.O.s and protect investors, Envion serves as a model for a compliant crowdsale that operates with the same transparency and integrity of traditional financial markets.”
A current spokesman for the founders, Laurent Martin, said problems had begun even before the project started fund-raising late last year, because of the chief executive the founders brought in, Matthias Woestmann.

According to Mr. Martin, the founders gave Mr. Woestmann what they thought was temporary control of their shares in the company. Mr. Woestmann later refused to give them back, and then diluted the shares of the other owners, providing him with control of the money that was raised.

Mr. Martin said the problems that had come up since then were not caused by the I.C.O. structure. Instead, he said, they are a result of Mr. Woestmann’s tactics and his refusal to give back ownership of the company.

“Envion did something truly unique in the way they protected investors,” Mr. Martin said. “It’s unfortunate that each of these bulwarks is being tested.”</p>

I know I link to a lot of negative stories about cryptocurrencies; that’s because there are so many of them and this sector is so busy, with billions of dollars poured into projects which have zero hope of going anywhere. And it’s not venture capital money; it’s individuals’. It’s also a honeypot for scammers.

I hope people will come to their senses, but the lure of something for apparently nothing is too tempting.
cryptocurrency  scam 
may 2018 by charlesarthur
Pray for the souls of the people sucked into this dating site hell • Gizmodo
Kashmir Hill:
<p>Earlier this year, the media got very excited about Trump.dating, a site for the pro-Donald set that promised to “make dating great again.” Much of the media coverage was critical: The site only allowed users to conduct heterosexual searches; the male-half of the couple originally featured on the homepage had a child sex conviction; and its creator didn’t seem to actually exist.

Despite all this, the site attracted over 250,000 members, according to its media liaison, Sean McGrossler. He told me over email that 15% of those members paid for accounts, starting at $24.99 per month, which would mean the site has made a not immodest $1m over the last few months.

Perhaps it’s no surprise, then, that NeverTrump.dating launched weeks later. It got its own round of news articles, despite being founded by a “political startup” called the “American Liberal Council” that only seems to exist on Facebook, where it mostly posts liberal memes in the style of a Russian misinformation account. (The account hasn’t posted since March and did not respond to messages.)

Intrigued by the attention these sites were getting, Alexandra Mateescu, a researcher at Data & Society Research Institute, decided to sign up, not to date a political partisan but to see who was actually on the sites. When she began looking for single men in New York City, where she lives, the results immediately struck her as odd. According to the site, there were lots of Trump supporters in her liberal hometown, and they were racially and ethnically diverse, which surprised her. Few of them referred to Trump in their profiles, though, which seemed strange given the site they’d joined. She wanted to find out more about these people, but she couldn’t message them without purchasing a membership, which she didn’t want to do, so she and a few friends tried to find the members elsewhere on the web, by using a tried-and-true method of many an online dater: reverse image-searching profile photos to see where else they appeared.

This led Mateescu to people who were not the ones described in the profiles.</p>


It turns out both sites used a "turnkey dating solution" which claims to do dating sites for "almost any niche". (She tried but was blocked from doing one for journalists.) It all looks reaallly sketchy.
scam  dating 
may 2018 by charlesarthur
Inside Amazon’s fake review economy • Buzzfeed
Nicole Nguyen:
<p>One morning in late January, Jake picked up the box on his desk, tore through the packing tape, unearthed the iPhone case inside, snapped a picture, and uploaded it to an Amazon review he’d been writing. The review included a sentence about the case’s sleek design and cool, clear volume buttons. He finished off the blurb with a glowing title (“The perfect case!!”) and rated the product a perfect five stars. Click. Submitted.

Jake never tried the case. He doesn’t even have an iPhone.

Jake then copied the link to his review and pasted it into an invite-only Slack channel for paid Amazon reviewers. A day later, he received a notification from PayPal, alerting him to a new credit in his account: a $10 refund for the phone case he’ll never use, along with $3 for his trouble — potentially more, if he can resell the iPhone case.

Jake is not his real name. He — along with the four other reviewers who spoke to BuzzFeed News for this story — wanted to remain anonymous for fear Amazon would ban their accounts. They are part of an extensive, invisible workforce fueling a review-fraud economy that persists in every corner of the largest marketplace on the internet. Drawn in by easy money and free stuff, they’ve seeded Amazon with fake five-star reviews of LED lights, dog bowls, clothing, and even health items like prenatal vitamins — all meant to convince you that this product is the best and bolster the sales of profiteers hoping to grab a piece of the Amazon Gold Rush. Meanwhile, sellers trying to play by the rules are struggling to stay afloat amid a sea of fraudulent reviews, and buyers are unwittingly purchasing inferior or downright faulty products. And Amazon is all but powerless to stop it…

…Amazon won’t reveal how many reviews — fraudulent or total — it has. But based on his analysis of Amazon data, [ReviewMeta CEO Tommy] Noonan estimates that Amazon hosts around 250 million reviews. Noonan's website has collected 58.5 million of those reviews, and the ReviewMeta algorithm labeled 9.1%, or 5.3 million of the dataset's reviews, as “unnatural.”</p>


If it can be gamed, it will be gamed. If it can be gamed for money, it will be gamed for money. The problem is limiting the scale. Plenty of stories here of scammy products, honest products scammed, and the scammy reviewers.
amazon  review  scam 
may 2018 by charlesarthur
Yes, it’s bad. Robocalls, and their scams, are surging • The New York Times
Tara Siegel Bernard:
<p>In an age when cellphones have become extensions of our bodies, robocallers now follow people wherever they go, disrupting business meetings, church services and bedtime stories with their children.

Though automated calls have long plagued consumers, the volume has skyrocketed in recent years, reaching an estimated 3.4 billion in April, according to YouMail, which collects and analyzes calls through its robocall blocking service. That’s an increase of almost 900 million a month compared with a year ago.

Federal lawmakers have noticed the surge. Both the House and Senate held hearings on the issue within the last two weeks, and each chamber has either passed or introduced legislation aimed at curbing abuses. Federal regulators have also noticed, issuing new rules in November that give phone companies the authority to block certain robocalls.

Law enforcement authorities have noticed, too. Just the other week, the New York State attorney general, Eric T. Schneiderman, warned consumers about a scheme targeting people with Chinese last names, in which the caller purports to be from the Chinese Consulate and demands money. Since December, the New York Police Department said, 21 Chinese immigrants had lost a total of $2.5m.

Despite these efforts, robocalls are a thorny problem to solve. Calls can travel through various carriers and a maze of networks, making it hard to pinpoint their origins, enabling the callers to evade rules. Regulators are working with the telecommunications industry to find ways to authenticate calls, which would help unmask the callers.

In the meantime, the deceptive measures have become more sophisticated. In one tactic, known as “neighborhood spoofing,” robocallers use local numbers in the hope that recipients will be more likely to pick up.</p>


Why would you have a landline phone at all in the US?
robocall  phone  scam 
may 2018 by charlesarthur
Google broke up a Vietnamese con scheme after an employee was scammed buying a Bluetooth headset • South China Morning Post
Jillian D'Onfro:
<p>When a Google executive found a high-end Bluetooth headset selling at a steep discount on the company’s shopping site earlier this year, he didn’t consider that the deal may have been too good to be true.

He ordered the product and waited. And waited. The expected delivery date passed. He tried calling the website’s customer service number. It was disconnected. The headset never arrived. The money was lost.

In reality, the merchant wasn’t based in the U.S., as its website indicated. Google Shopping had redirected the buyer to a bogus seller, who took the Google employee’s credit card information with no intention of ever sending out a headset.

The prospective buyer kicked the case over to his co-workers to start an investigation. But instead of simply banning the bad actor from listing new products, Google Shopping’s trust and safety team initiated a global probe that ultimately tracked down 5,000 merchant accounts wrapped up in a sophisticated scheme to defraud users.

“I think we caught them right at the tip of when they were trying to scale up,” Saikat Mitra, Google Shopping’s director of trust and safety, told CNBC.</p>
google  shopping  fraud  scam 
may 2018 by charlesarthur
We tracked down the SaveDroid motherfscker and need your help • Crypto Briefing
Adam Selene on the followup to that "cryptocurrency exit scam" which featured yesterday:
<p>Crypto Briefing tracked Yassin Hankir's location to an Egyptian resort town.

UPDATE: By now, many of you will know that Savedroid perpetrated what they consider to be a giant prank designed to illustrate that exit scams are a part of the crypto market.

Here’s the deal.

When you take $50m in funds that are raised by investors who believe in your project, you don’t then pretend to disappear with that money.

What happens if you do? People start looking for you.

Yassin Hankir may consider himself a genius for drawing the eyes of millions to his stunt. But to his investors, he caused them anxiety, pain, and distress.

RULE ONE – NEVER, EVER, EVER TREAT YOUR INVESTORS WITH A LACK OF RESPECT.

Hankir broke that rule. And while there are those who will criticize Crypto Briefing for trying to help those investors track down their money, and the man who claimed to have stolen it, we are proud of our response.

We took the trouble to search for hours online to match a photo to a location in Egypt. We called the police in Frankfurt. We did what we could to be part of the REAL community – the kind of people you’d want on your side if this had been the real thing.

As to the prank itself? Not so clever. Not so funny. And having dragged his company’s name through the mud, not so good for Hankir’s investors.

We will not be removing the original article, printed below, because we are – as we say – proud to be acting in the best interests of our community.</p>

Hankir posted a photo of a beach and an Egyptian beer online; the community pored over photos of beaches in Egypt, and tracked him down to his hotel. He says it's a PR stunt. The equivalent of running with scissors while lighting matches in a firework factory.
Crypto  scam  ico 
april 2018 by charlesarthur
Another scam ICO? Savedroid founder exits with $50m to chill on a beach • Cryptovest
Hunain Naseer:
<p>In what is either a joke in very bad taste or another ICO exit scam, the founder of Savedroid ICO Tweeted ‘Over and out’, with a picture of himself at the airport and then chilling on a beach.

<img src="https://i.imgur.com/5DjGURF.png" width="100%" />

It is believed that the ICO raised around 40 million Euros, or $50 million USD via the token sale, claiming that they will build a smart, A.I managed application which would automatically invest user funds into profitable ICO portfolios. There were also claims of a cryptocurrency credit card, but it seems all that is gone now, with the official site displaying a Southpark meme.</p>


Even if this isn't a scam - just a joke - why would anyone put any money into these ridiculous things? Why why why.
cryptocurrency  scam 
april 2018 by charlesarthur
The biggest Black Lives Matter page on Facebook is fake • CNN
Donie O'Sullivan:
<p>For at least a year, the biggest page on Facebook purporting to be part of the Black Lives Matter movement was a scam with ties to a middle-aged white man in Australia, a review of the page and associated accounts and websites conducted by CNN shows.

The page, titled simply "Black Lives Matter," had almost 700,000 followers on Facebook, more than twice as many as the official Black Lives Matter page. It was tied to online fundraisers that brought in at least $100,000 that supposedly went to Black Lives Matter causes in the U.S. At least some of the money, however, was transferred to Australian bank accounts, CNN has learned.

Fundraising campaigns associated with the Facebook page were suspended by PayPal, Donorbox, Classy, and Patreon after CNN contacted each of the companies for comment.
The discovery raises new questions about the integrity of Facebook's platform and the content hosted there. In the run-up to Facebook CEO Mark Zuckerberg's testimony before Congress this week, Facebook has announced plans to make the people running large pages verify their identity and location. But it's not clear that the change would affect this page: Facebook has not said what information about page owners it will disclose to the public - and, presented with CNN's findings, Facebook initially said the page didn't violate its "Community Standards."</p>


It's that last sentence that's the killer. Hope Mark Zuckerberg's prep for his Congressional hearing is going well.
facebook  blacklivesmatter  fake  scam 
april 2018 by charlesarthur
ICO quality: development & trading • Medium
Sherwin Dowlat:
<p>This is a high level look above a market cap of $50m only, as an initial attempt to improve on the reporting we have seen to date on percentage failed ICO’s. We will continue to develop our research in this area and produce a more in-depth study in coming months.

We break down ICO’s into groups, with the following definitions:
• Scam (pre-trading): Any project that expressed availability of ICO investment (through a website publishing, ANN thread, or social media posting with a contribution address), did not have/had no intention of fulfilling project development duties with the funds, and/or was deemed by the community (message boards, website or other online information) to be a scam.
• Failed (pre-trading): Succeeded to raise funding but did not complete the entire process and was abandoned, and/or refunded investors as a result of insufficient funding (missed soft cap).
• Gone Dead (pre-trading): Succeeded to raise funding and completed the process, however was not listed on exchanges for trading and has not had a code contribution in Github on a rolling three-month basis from that point in time.
• Dwindling (trading): Succeeded to raise funding and completed the process, and was listed on an exchange, however had one or less of the following success criteria: deployment (in test/beta, at minimum) of a chain/distributed ledger (in the case of a base-layer protocol) or product/platform (in the case of an app/utility token), had a transparent project roadmap posted on their website, and had Github code contribution activity in a surrounding three-month period (“Success Criteria”).
• Promising (trading): Two of the above Success Criteria.
• Successful (trading): All of the above Success Criteria.

On the basis of the above classification, we found that approximately 81% of ICO’s were Scams, ~6% Failed, ~5% had Gone Dead, and ~8% went on to trade on an exchange.</p>

Of that 8%, most are dwindling. Hey ho.
Bitcoin  crypto  scam 
april 2018 by charlesarthur
Google bans bitcoin adverts in cryptocurrency crackdown • The Guardian
Samuel Gibbs:
<p>Google will ban all adverts for cryptocurrencies, including bitcoin and initial coin offerings (ICOs), as it seeks to “tackle emerging threats”.

The ad ban will come into force from June as part of a clampdown on unregulated financial products. Google’s director of sustainable ads, Scott Spencer, said in a <a href="https://www.blog.google/topics/ads/advertising-ecosystem-works-everyone/">blogpost</a>: “We updated several policies to address ads in unregulated or speculative financial products like binary options, cryptocurrency, foreign exchange markets and contracts for difference (or CFDs).”

Google said its ban includes cryptocurrency exchanges and wallets. The company will also begin blocking some gambling ads, such as those for services using virtual items worth real-world money, known as skins betting, as it seeks to “combat new threats and improve the ads experience online”.

The move follows similar bans made by advertising rival Facebook, which banned all cryptocurrency and ICO adverts in January after finding that many were being used to scam potential investors.</p>


What none of the stories about this explain is why they're waiting until June to do it. It's March now. That's three months of jolly scamming for the jolly scammers, who will surely ramp up their efforts knowing there's a deadline.
google  crypto  advert  scam 
march 2018 by charlesarthur
Cryptocurrency scammers of Giza make off with $2 million after ICO • CNBC
Arjun Kharpal:
<p>Investors who spoke to CNBC all described a common experience with the ICO in question: They thought the project was legitimate until warning signs began to appear, including a falling out with the company's sole supplier, a lack of correspondence from its supposed founders, and failed attempts to recoup the lost funds.

The apparently well-orchestrated scam centers around a mysterious individual called Marco Fike, the COO of Giza. Among the eight investors, partners and former employees of Giza interviewed by CNBC, all claim they have never seen Marco Fike's face.

The ICO was for a supposed start-up called Giza, which claimed to be developing a super-secure device that would allow people to store cryptocurrencies.

It carried out its ICO in January and drew investors for several weeks after. One person who put money into the project told CNBC that they invested ether that was equivalent to $10,000 at the time, and another said they had put in around $5,000 worth of ether.

At the beginning of February, Giza had raised and was holding more than 2,100 ethereum coins, which at the time were worth around $2.4 million. All but $16 worth of those ethereum coins are now missing.

But after putting in money throughout January and into February, many who had invested began to become suspicious of the project.

"Everything was fine, until that company that was meant to develop their device came out on the internet and said that Giza has cut ties, and it seems to be a scam and they might not be developing anything. Then things started looking fishy," an investor named Chris, who wished to keep his surname anonymous, told CNBC by phone.</p>


Fools and their money: new method found to induce parting.
ico  crypto  scam 
march 2018 by charlesarthur
The great big Spotify scam: did a Bulgarian playlister swindle their way to a fortune on streaming service? • Music Business Worldwide
Tim Ingham:
<p>Our sources tell us that this data, within Spotify’s analytics, was pretty consistent: around 1,200 monthly listeners, with some variation, were hitting play on each ‘Soulful Music’ song.

So let’s bring all of this information together:

• A Bulgarian individual or collective managed to run at least one third-party playlist – ‘Soulful Music’ – which generated so much revenue in September 2017, it landed at No.35 on Spotify’s global 100 chart. (We actually have a testimonial from a further trusted source that ‘Soulful Music’ went on to break the US Top 10 in late September, but we haven’t seen the evidence.)
• However, ‘Soulful Music’ had less than 1,800 followers at the time.
• What’s more, each of its 467 tracks were only attracting around 1,200 monthly listeners apiece.

Considering these numbers, how on earth could ‘Soulful Music’ beat down branded efforts from Sony, Universal and Warner to become one of the biggest playlists in the world?

There are only two possible answers to that question.

Soulful Music could – cough, splutter, sneeze – have been a completely legitimate niche playlist which was simply so addictive, 1,800 people just kept playing their way through it over and over and over.

Or – and this rather strikes us as the more likely scenario – an individual in Bulgaria set up circa 1,200 Spotify accounts, which continually played these 467 tracks on a loop, on random (thus why some songs had slightly different play counts to others).

In order to generate enough revenue to hit Spotify’s US Top 15 playlist rankings, all of these accounts must have been paid-for, premium subscriptions.

And it’s here that the genius of the (potential) ‘scam’ starts to become clear.

Let’s say that our friend the Bulgarian had laid out the money to purchase 1,200 premium accounts.

That would take a lot of work; they’d have to create individual email addresses and identities for each one.

It would also be expensive. A nice easy calculation shows why: 1,200 X $9.99-per-month would mean an outlay of $12,000 per month (although this could be reduced by family plans and other discounts).

That’s the monthly outgoings.

Now let’s work out the potential monthly revenue generation.</p>

Spoiler: it's a lot bigger. (It's a LOT bigger.) And I bet family plans would be the way to go in setting up the paid accounts, cutting outgoings by 80%.
Spotify  scam 
february 2018 by charlesarthur
Tech support scammers find new way to jam Google Chrome • Malwarebytes
Jérôme Segura:
<p>It happens too fast to see how it works, but you may be able to spot it with a powerful enough machine and if you try to close the tab early on. That code triggers a very large number of downloads in rapid fire, which causes the browser to become unresponsive within a few seconds, and unable to be closed via normal means.

The primary targets for this particular browser freeze are Google Chrome users on Windows. Other browsers will get their own landing pages, abusing other HTML APIs. Considering that Chrome has the most market share in the browser category, this is yet another example of the desire for threat actors to deploy new social engineering schemes.

Since most of these browser lockers are distributed via malvertising, an effective mitigation method is to use an ad-blocker. As a last resort, the Windows Task Manager will allow you to forcefully quit the offending browser processes. Malwarebytes users were already protected against the redirection mechanism used in this attack.</p>

The dialog shows 2,601 downloads - which blocks you from closing the tab. (UI failure.) These scammers are hiring some skilled programmers.
Techsupport  scam 
february 2018 by charlesarthur
Why ads keep redirecting you to scammy sites and what we’re doing about it • Vox
Winston Hearn, who - like you probably did at some point recently - found himself diverted to a scammy site when he’d clicked on what seemed like a safe page:
<p>another engineer and I became curious about what exactly was happening to cause the redirect and annoy all users served the malicious ad. We dug in and were extremely surprised that the frigging thing could not be more simple. When the ad landed on the page there were about three lines of code. That code creates a link just like you click to go to any page on the web then waits seven seconds before triggering a click on the link which causes the browser to redirect you. That’s it. Why seven seconds? Most likely to avoid security tools that actively scan sites to try and detect ads like this, although that is just speculation on my part.

Let me be extremely clear: we hate these malicious ads with the fire of a thousand suns and are working actively to keep them off of our sites. We use automated services that regularly scan our sites trying to find malicious ads. We work with ad-selling partners to try to ensure the ads that are sold and served on our sites are high quality. And Vox Media’s AdOps team is constantly monitoring social media, email and Slack for reports of anything that seems questionable (not just malicious).

Despite all this, malicious ads like this pop up every few months. After this recent round, we started investigating what else we can do to prevent these ads from harming your experience on our sites. The ideal solution would be for ads to be delivered to our sites in a safe way that prevents things like this. Google allows advertisers to treat these safer options as opt-in, which means nothing currently prevents scammers from sneaking in ads that cause App Store or gift card redirects.</p>
Ad  scam  malvertising 
january 2018 by charlesarthur
The BitConnect Ponzi scheme has finally collapsed as exit scam becomes evident • NewsBTC
JP Buntinx:
<p>Thousands of people bought into this scam and some of them may have even made money. Most users, however, probably never got their money out of this program whatsoever. That is only normal, as over 95% of all trades were conducted on the native BCC exchange. When a currency’s developers also run the main exchange, you know things are not always going to end well.

To put this into perspective, the BitConnect price has dropped by a lot. Over the past week, it went from nearly $400 all the way to $27. Such a steep decline seems to confirm the developers finally completed their grand exit scam. It is also possible they used the “stolen” Bitcoins to crash the current market. Whether or not that latter part is a conspiracy theory or the sheer reality, remains to be seen. It is evident the BCC exchange had access to a lot of BTC, though. Either way, it seems this Ponzi Scheme is gone for good, which can only be considered to be a good thing.

Furthermore, it seems the project’s subReddit is no longer accessible. Rather than leaving it open to the public, it is now completely private. No one who isn’t “approved” can’t access this subreddit or see what is being posted there. A very worrisome turn of events for the people still waiting to get their money out. They were warned dozens of times about this Ponzi Scheme, though. Anyone who lost money due to BitConnect only has themselves to blame. It is a harsh reality, but that’s what people get for falling for snake oil practices.</p>


Thousands of people. Blaming the victim seems a little extreme here, but bitcoin (and associated) has been the venue for Ponzi schemes almost from the inception; here's <a href="https://www.theguardian.com/technology/2013/jul/24/bitcoin-alleged-ponzi-fraud">a piece I did back in 2013</a> about a similar scheme.
bitcoin  ponzi  bitconnect  scam 
january 2018 by charlesarthur
The anatomy of a pump and dump group • Bitfalls
"Bruno":
<p>Pump and dump (P&D) schemes are a common occurrence in the cryptocurrency world.

They most often happen in Telegram or Discord (chat programs) groups in which several thousand people buy a specific shitcoin (a crypto token without a value or future) at the same time in an attempt to artificially inflate its value. This value increase is called the pump while the selling of this now expensive token to naïve bystanders is the dump phase.

In this article, we’ll take a look at the anatomy of one such smaller P&D group…

…When the organizers buy a coin before telling everyone, that’s what’s called a pre-pump. For example, in the group we were watching for this post, the OAX coin was announced with a pump start due at 23:00. But if we look at its graph, the pre-pump is obvious:

<img src="https://bitfalls.com/wp-content/uploads/2018/01/11.png" width="100%" />

The graph clearly shows the organizers having loaded up on the coin 20 minutes earlier. This allowed them to start dumping on their group’s members immediately on start time at 23:00. The reason they were able to move the market by themselves was because this coin had a total trading volume of 2 Eth on HitBTC, which meant even half an ether could move the needle.</p>


Anyhow, to the moon, etc.
bitcoin  scam 
january 2018 by charlesarthur
'Sexy girl' bots scam ¥1 billion from dating app users in China • That’s Beijing
Gary Bailer:
<p>In possibly the oddest news story to have come out of China so far this year, police recently revealed that chat bots posing as bodacious babes have scammed dating app users out of a collective fortune.

The investigation began last August, when Guangdong police picked up on an app asking users to pay to view pornographic videos that, alas, did not exist.

From there, the investigation expanded to apps run in 13 provinces across China. As of January 8, over 600 individuals had been arrested and 21 companies shut down in cities including Beijing, Guangzhou, Shenzhen, Hangzhou, Changsha and Wuhan.

On the dating apps they formerly operated, some of the so-called single women were in fact chat bots programmed to flirt with users, especially ones that were new to the platform.

In at least one case, Sixth Tone reports, app users could exchange a few messages with a 'sexy' bot before being asked to upgrade to VIP status for RMB200. </p>


This is the oddest story out of China so far? Then again it's only the 10th.

Basically, though, <a href="https://www.rollingstone.com/culture/features/scammers-and-spammers-inside-online-datings-sex-bot-con-job-20160201">Ashley Madison but a bit more low-rent</a>.
china  scam  bots  dating 
january 2018 by charlesarthur
Americans are receiving unordered parcels from Chinese e-criminals - and can't do anything to stop them • Forbes
Wade Shepard on an e-commerce method called "brushing":
<p>Chinese agents shipping ridiculous amounts of hair ties to [Pennsylvania resident Heaven] McGeehan is merely an unscrupulous way for them to fraudulently boost sales and obtain positive feedback for their clients' products on e-commerce sites.

Basically, a "brushing" firm somehow got hold of McGeehan’s name and address - she imagines this happened from placing legitimate orders on AliExpress, the international wing of China’s Alibaba - and then created user profiles for “her” on the e-commerce sites that they wish to have higher sales ratings and favorable reviews on. They then shop for orders via the fake account, compare prices, and mimic everything an actual customer would do, before finally making a purchase from their client's store. When delivery is confirmed, they then leave positive reviews that appear to the e-commerce platform as "verified."

The hair ties that McGeehan receives are more than likely not the actual items the Chinese brushers are leaving reviews for. Basically, they are low cost stand-ins for the real products. It doesn't really matter what is shipped in the packages in this case, as the person receiving it has nothing to do with the exchange. But at least McGeehan is actually receiving packages that contain something. I’ve also been receiving reports from unsuspecting and often confused people in the U.S. whose mailboxes are being filled with parcels from China which contain nothing.

Due to the unbalanced pricing policies of the United Postal Union and subsidies from the U.S. Postal Service, it costs people in China virtually nothing to ship small packages to the U.S. That, combined with the super cheap price they pay for the junk they ship, makes brushing a quick and cost effective way to move up the sales rankings - which means everything for e-commerce merchants.</p>
china  ecommerce  scam 
december 2017 by charlesarthur
$99/month is a steal for CloudApp for iMobile • bylr.net
Dan Byler was browsing for an iOS-native cloud service and came across a thing called "CloudApp":
<p>The Setup Instructions info link goes to Apple’s own iCloud support site. And in case it’s hard to read, the app basically lists iCloud’s services as its list of features.

But hey, it’s cheap! Only $99/month!

I nearly fell prey to the scam myself: while screenshotting the app, I accidentally subscribed (because of the way TouchID is integrated into the home button – and the home button is part of taking screenshots):

<img src="http://bylr.net/3/wp-content/uploads/2017/11/IMG_0262.jpg" width="100%" />

Fortunately, I know how to cancel iTunes subscriptions, but I’m sure a lot of the app’s users don’t.
<img src="http://bylr.net/3/wp-content/uploads/2017/11/IMG_0263.jpg" width="100%" />

I reported the app to Apple on November 26, but as of writing this (three days later) the app is still live in the App Store. Perhaps this helpful review of the App Store Review Guidelines will help inform whether this app is legitimate, according to the current rules:

<em>1.1.6 False information and features, including inaccurate device data or trick/joke functionality, such as fake location trackers.</em></p>


Not available in the UK. Unclear whether it's still available in the US.
apple  app  scam 
november 2017 by charlesarthur
This dog sits on seven editorial boards • Atlas Obscura
Kelsey Kennedy:
<p>An associate editor for the Global Journal of Addiction & Rehabilitation Medicine, Olivia Doll, lists some very unusual research interests, such as “avian propinquity to canines in metropolitan suburbs” and “the benefits of abdominal massage for medium-sized canines.” That’s probably because Olivia Doll is a Staffordshire terrier named Ollie who enjoys chasing birds and getting belly rubs. In all her spare time, Ollie also has sat on the editorial boards of not one, but seven, medical journals.

Ollie’s owner, Mike Daube, is a professor of health policy at Australia’s Curtin University. He initially signed his dog up for the positions as a joke, with credentials such as an affiliation at the Subiaco College of Veterinary Science. But soon, he told Perth Now in a video, he realized it was a chance to show just how predatory some journals can be.

“Every academic gets several of these emails a day, from sham journals,” he said. “They’re trying to take advantage of gullible younger academics, gullible researchers” who want more publications to add to their CVs. These journals may look prestigious, but they charge researchers to publish and don’t check credentials or peer review articles. And this is precisely how a dog could make it onto their editorial boards.</p>
journals  scam 
november 2017 by charlesarthur
Tech support scammers abuse native ad and content provider Taboola to serve malvertising (updated) • Malwarebytes Labs
Jerome Segura:
<p>A large number of publishers – big and small – are monetizing their sites by selling space for companies that provide so-called native advertising, cited as more effective and engaging than traditional banner ads.

Indeed, on a news or entertainment site, users are more inclined to click on links and articles thinking that they are one and the same, not realizing that those are actually ‘sponsored’ and tied to various third-party providers.

Rogue advertisers have realized this unique opportunity to redirect genuine traffic towards their own infrastructure where they can subject their audience to whatever content they wish.

Case in point, we caught this malvertising incident on MSN.com, the Microsoft web portal that attracts millions of unique visitors. While clicking on a story promoted by Taboola – a leading global discovery platform which Microsoft signed a deal with in 2016 – we were redirected to a tech support scam page. The warning claims that our computer has crashed and that we must call a number for immediate assistance.

The fraudulent page cannot be closed normally because it uses code that repeats the warning indefinitely. Unfortunately, this is enough to scare many folks and trick them into calling what they think is Microsoft support. Instead, they will be dealing with fake technicians whose goal is to extort hundreds of dollars from them.</p>


People think they're clicking through to a story; instead they hit this crap.
malvertising  techsupport  scam 
october 2017 by charlesarthur
Why it took Google so long to end shady rehab center ads • Bloomberg
Michael Smith, Jonathan Levin, and Mark Bergen:
<p>Anti-Google sentiment was palpable at the Austin conference [in May], especially after [Google contractor Josh] Weum [who had advised on the best AdWords to use to attract people seeking opioid addiction treatment] told the crowd that it was hard for Google to cut off shady treatment providers unless someone tipped off the company. 

As the discussion wound down, Jeffrey Lynne, a lawyer in Boca Raton, Fla., had heard enough. Lynne, who specializes in advising addiction treatment centers, stood up and accused Google of not only enabling a dirty business but actively profiting from it. “Google has a fundamental responsibility to stop making money hand over fist by jacking up these ad prices because of an algorithm,” Lynne said, drawing applause from the crowd. “We need you to step up to the plate,” he said. “Because people are using you to human-traffic our children.” 

Weum, who hawked AdWords products for two years at a myriad of industry conferences, including several on addiction treatment, says he was shocked by the sense of outrage from people in the Austin hotel ballroom. “It really felt like I was being blamed for it,” he says. “I felt the full brunt of the anger with patient brokering.” One man sitting next to Weum on the same panel, Dan Gemp, wasn’t surprised. Gemp is chief executive officer of Dreamscape Marketing LLC, a Columbia, Md., company that specializes in running ad campaigns for addiction treatment providers. He’d filed multiple complaints with Google about treatment center operators who did such things as hack his clients’ websites to hijack potential patients.</p>


The writers estimate that Google could have been pulling in around $1bn annually from these ads. But they also point out that people have been complaining to Google for ages about scams and crooks. The Verge writes a story and next week, poof.

There also seems to be a lesson here about big online advertising companies, self-service ad systems, and the lack of a tight customer feedback loop.
google  addiction  scam  rehab  adwords 
september 2017 by charlesarthur
Exclusive: Google is cracking down on sketchy rehab ads • The Verge
Cat Ferguson:
<p>Around the country today, marketers in the $35bn addiction treatment industry woke up to an unpleasant surprise: Many of their Google search ads were gone. Overnight, the search giant has stopped selling ads against a huge number of rehab-related search terms, including “rehab near me,” “alcohol treatment,” and thousands of others. Search ads on some of those keywords would previously have netted Google hundreds of dollars per click.

“We found a number of misleading experiences among rehabilitation treatment centers that led to our decision, in consultation with experts, to restrict ads in this category,” Google told The Verge in a statement. “As always, we constantly review our policies to protect our users and provide good experiences for consumers.”

Google is the biggest source of patients for most treatment centers. Advertisers tell Google how much they want to spend on search ads per month, which keywords they’d like those ads to run against, and then pay Google every time someone clicks on their ad.

While many treatment centers market themselves ethically, there are also significant numbers of bad actors using deceptive and even illegal tactics to get “heads in beds.” [Early in September] The Verge published a story <a href="https://www.theverge.com/2017/9/7/16257412/rehabs-near-me-google-search-scam-florida-treatment-centers">uncovering how marketers use the internet to hook desperate addicts and their families</a>, from hijacking the Google business listings of other treatment centers to deceiving addicts about where a treatment center is located.</p>


All credit to Ferguson and The Verge for the original, important, story which seems to have grabbed Google's notice - though now read on for the Bloomberg detail about it.
google  rehab  scam 
september 2017 by charlesarthur
App that paid users to exercise owes nearly $1m for not paying users to exercise • Gizmodo
Rhett Jones:
<p>In the capitalistic nightmare we live in, everything has to be a transaction. So, when Pact launched its fitness app that let you make money for working out—or else pay a fee for failing to do so—it seemed to be the perfect motivational tool. There was just one problem: The company apparently wasn’t that great at paying up, and it was too good at collecting fees.

On Thursday, the <a href="https://www.ftc.gov/system/files/documents/cases/1523010pactcomplaint.pdf">FTC announced</a> that it has settled its complaint against the makers of Pact for failing to live up to their agreement with users. A $1.5 million judgment will be partially suspended based on Pact’s apparent lack of funds, the FTC writes, but Pact will be required to pay out $948,788 to customers who were wronged by the company.</p>
ftc  app  scam 
september 2017 by charlesarthur
How spammers, superstars, and tech giants gamed music • Vulture
Adam Raymond:
<p>A few weeks after the release of Kendrick Lamar’s “Humble,” the hard-charging lead single on his fourth album Damn., the song landed at No. 1 on Billboard’s streaming chart. It’s been on the chart ever since, never falling below No. 3 as users have played it more than 291 million times on Spotify alone.

And that’s just the streaming total for Lamar’s version. His hit song has also been a boon for Spotify’s parasitic underbelly — the coverbots and ripoff artists who vomit out inferior versions of popular songs every week, flooding the website with dreck that only succeeds when users are misled. No one would willingly listen to King Stitch’s “Sit Down, Be Humble,” a third-rate cover of Lamar’s original, but the track has been streamed more than 300,000 times thanks to Spotify’s broad search results and a clever title designed to confuse those who don’t know the song’s real name.

On a website with more than 100 million active daily users, there are plenty of ways to game the system, be it for attention, or, if the streams pile up enough, profit. And the frauds cashing in on the latest hot single are hardly alone. A bevy of unknown artists have found ways to juice their streaming totals, whether it’s covering songs from artists who don’t allow their songs on Spotify, or uploading an album of silent tracks, each precisely long enough to generate a fraction of a cent for the artist…

Even Spotify is reportedly gaming the system by paying producers to produce songs that are then placed on the service’s massively popular playlists under the names of unknown, nonexistent artists. This upfront payment saves the company from writing fat streaming checks that come with that plum playlist placement, but tricks listeners into thinking the artists actually exist and limits the opportunities for real music-makers to make money. Spotify did not respond to questions about the accusation, but this is not the first time Spotify, which pays minuscule streaming fees, has been <a href="http://www.digitalmusicnews.com/2016/03/21/why-artists-pull-their-music-from-spotify-but-not-youtube/">accused of bilking artists</a>.</p>
spotify  music  scam 
july 2017 by charlesarthur
State Supreme Court judge loses $1M in real estate email scam • NY Daily News
Laura Dimon and Graham Rayman:
<p>A state Supreme Court judge was scammed out of more than $1 million after being fooled by an email she thought had been sent by her real estate lawyer, the Daily News has learned.

Acting State Supreme Court Justice Lori Sattler, 51, was duped while trying to sell her apartment and buy another, sources said.

On Friday, Sattler told police she’d gotten an email June 7 from someone she believed was her lawyer, sources said.

The person claiming to be the lawyer told her to send money to an account. She followed the instructions and wired $1,057,500 to that account, sources said. The money was then sent to Commerce Bank of China, sources said.</p>


Probably using methods <a href="https://www.bleepingcomputer.com/news/security/the-nigerian-spammers-from-the-90s-have-moved-on-to-keyloggers-and-rats/">as detailed here a few days ago</a>.
email  scam 
june 2017 by charlesarthur
How to make $80,000 per month on the Apple App Store • Medium
Johnny Lin noticed a top-grossing app which had decidedly dodgy behaviour:
<p>Touch ID? Okay! Wait… let’s read the fine print:

“Full Virus, Malware scanner”: What? I’m pretty sure it’s impossible for any app to scan my iPhone for viruses or malware, since third party apps are sandboxed to their own data, but let’s keep reading…

“You will pay $99.99 for a 7-day subscription”

Uhh… come again?

Buried on the third line in a paragraph of text in small font, iOS casually tells me that laying my finger on the home button means I agree to start a $100 subscription. And not only that, but it’s $100 PER WEEK? I was one Touch ID away from a $400 A MONTH subscription to reroute all my internet traffic to a scammer?

I guess I was lucky I actually read the entire fine print. But what about other people?

Step 3: It’s All Starting to “Ad” Up… to Profit

It suddenly made a lot of sense how this app generates $80,000 a month. At $400/month per subscriber, it only needs to scam 200 people to make $80,000/month, or $960,000 a year. Of that amount, Apple takes 30%, or $288,000 — from just this one app.

At this point, you might still be in disbelief. Maybe you’re thinking: “Sure, just 200 people, but still, it seems highly unlikely that even one person would download this scammy looking app, much less pay for it.”

Maybe you wouldn’t download it. I certainly wouldn’t. But I’ve also never clicked on a Google Ad, yet Google somehow rode Adwords to $700bn today.</p>


By the time you read this I expect this app will have been removed from the App Store, because this article was on Daring Fireball, and Apple people read that. But it should prompt a review of subscription apps - especially those racing up the App Store from unknown developers.
apple  scam  appstore 
june 2017 by charlesarthur
How fast will identity thieves use stolen info? • FTC
Ari Lazarus:
<p>If you’ve been affected by a data breach, or otherwise had your information hacked or stolen, you’ve probably asked yourself, “What happens when my stolen information is made public?” At the FTC’s Identity Theft workshop this morning, our Office of Technology staff reported on <a href="https://www.ftc.gov/system/files/documents/public_events/987523/ftc-leakeddataresearch-slides.pdf">research they did to find out</a>.

First, they created a database of information about 100 fake consumers. To make the information realistic, they used popular names based on Census data, addresses from across the country, email addresses that used common email address naming conventions, phone numbers that corresponded to the addresses, and one of three types of payment information (an online payment service, a bitcoin wallet or a credit card).

They then posted the data on two different occasions on a website that hackers and others use to make stolen credentials public. The criminals were quick to pounce. After the second posting, it took only nine minutes before crooks tried to access the information.</p>


The research slides really repay some reading: attempted credit card purchases running to thousands of dollars.
ftc  research  scam 
june 2017 by charlesarthur
FTC cracks down on internet tech support scams • Engadget
Jon Fingas:
<p>The Federal Trade Commission isn't letting up in its quest to rid the world of tech support scammers. Officials have <a href="https://www.ftc.gov/news-events/press-releases/2017/05/ftc-federal-state-international-partners-announce-major-crackdown">launched a legal campaign</a>, Operation Tech Trap, in a bid to crack down on frauds that rely on a mix of web pop-ups and phone calls to frighten you into paying up. The effort includes four fresh complaints (in Alabama, Colorado, Florida and Ohio), two settlements (in Connecticut and Florida) and charges against seven people -- two of which have already pleaded guilty. It's as much a public show of the FTC's might as it is a significant bust, but many of the perpetrators were particularly insidious.

In most cases, the scams produce fake alerts that claim your PC is infected or hacked, and urge you to call a toll-free number for help. They sometimes even include a countdown to make it seem like your files will vanish if you don't act. If you're spooked enough to call, you promptly talk to telemarketers posing as technicians (usually from Microsoft or Apple) who will insist your system is compromised and offer to either repair or protect your system if you pay hundreds of dollars.</p>


Scammers going to scam.
ftc  scam 
may 2017 by charlesarthur
The man behind Fyre Festival comes with a list of expensive, unfulfilled promises • Buzzfeed
Salvador Hernandez:
<p>Billy McFarland's company promised two luxurious weekends of music in the Bahamas, lush accommodations, and delectable food. What they got was the fiasco people now know as the Fyre Festival, where they were instead given disaster relief tents and lunches served in styrofoam boxes.

"It's a very, very tough day for all of us," McFarland told BuzzFeed News in a phone interview Friday.

McFarland described what he said was an ambitious project that quickly grew to be bigger than what the 300-person staff could handle on the island of Exumas.

But the college dropout from New Jersey has a knack for promising lavish and luxurious services aimed at rich and elite clientele, often falling short on what was pledged.

Three years before the disastrous Fyre Festival, McFarland launched a credit card company and private club dubbed Magnises, taking cues from the exclusive American Express black card. But with wealthy young socialites years away from the spending power of the black AmEx, the Magnises card was aimed at a younger audience.

The card, launched in 2014, promised tickets for hard-to-get-in-to shows, clubs, and events with the social elite for a $250 annual fee, but members told Business Insider the company often delivered tickets late, for the wrong date, or not at all.</p>


If you didn't drink deep on Friday or over the weekend, this is all the schadenfreude you'll need for the week ahead. More reading at <a href="http://www.vulture.com/2017/04/fyre-festival-ja-rule-postponed.html">Vulture</a> and <a href="http://nymag.com/thecut/2017/04/fyre-festival-exumas-bahamas-disaster.html">NYMag</a> ("I worked at Fyre Festival. It was always going to be a disaster").
fyre  scam 
april 2017 by charlesarthur
Phony VPN services are cashing in on America's war on privacy • Motherboard
Nicholas Deleon:
<p>Don't look now, but online scammers are already hard at work taking advantage of newly signed legislation that allows Internet Service Providers to sell your online privacy, including your web browser history, to the highest bidder without your consent.

I received an email yesterday from a purported Virtual Private Network (VPN) provider called MySafeVPN claiming to be affiliated with Plex, the streaming media startup that I've written about many times in the past. The email led with ominous marketing speak alluding to "recent changes to US privacy bills, UK privacy laws, and more," asserting that Plex users concerned about their ISP gaining access to their download history should, you know, sign up for their VPN service. How convenient.</p>


It wasn't affiliated with Plex. And so it goes on. Scammers pick up quick on this stuff.
scam  vpn 
april 2017 by charlesarthur
QR code scams highlight security weaknesses in China's wallet apps • Tech In Asia
Eva Xiao:
<p>The QR code rules supreme in China. You can pay for almost anything with it: street food, toilet paper, a lobster dinner, a foot massage. You can even use it to socialize. At networking sessions, it’s not uncommon to scan someone’s WeChat QR code instead of giving them your business card.

But after an incident last week involving fraudulent QR codes and US$13 million of stolen money, the security of China’s most popular offline-to-online tool is coming under fresh scrutiny.

“Some criminals paste their own QR codes over the original ones to illicitly obtain money, as ordinary consumers simply cannot tell the difference,” wrote China Daily, a state-owned English media site, in an op-ed.

“That is why we are powerless to prevent QR codes from being used for fraudulent activities, and that is precisely why the enterprises using QR codes should assume their share of the responsibility for protection.”

This isn’t the first time that QR codes have been used for malicious purposes in China. Essentially a link, QR codes can be used to infect smartphones with viruses, which then let the fraudster steal money from a victim’s mobile wallet, such as Alipay. Methods are sometimes even more direct – unsuspecting victims, expecting the payment to go to a shopkeeper or a service provider, will be tricked into transferring money via QR code.

More recently, a spate of scams have been linked to the country’s bike-sharing craze. Users normally can scan a code to unlock rental bikes; by attaching their own QR code to the bike, fraudsters can fool bike riders into transferring US$43 – the same amount as Mobike’s required deposit – to their account.</p>


Surprised this hasn't happened more widely. Seems like an obvious scam.
qr  scam 
march 2017 by charlesarthur
I am going to eradicate the inbound Windows Support scam • Jolly Roger Telephone
"Roger":
<p>I’m getting ready for a major initiative to shut down Windows Support. It’s like whack-a-mole, but I’m getting close to going nuclear on them. As fast as you can report fake “you have a virus call this number now” messages to me, I will be able to hit them with thousands of calls from bots. It’s like when the pirate ship turns “broadside” on an enemy in order to attack with all cannons simultaneously. I’m calling it a “Broadside” campaign against Windows Support and the fake IRS.

There are A LOT of moving pieces to getting this working. One of them is letting you hear the calls as they happen. This is a little post to test the html for the posted recordings. I really need to write a WordPress plugin to do it. For now, I have a script that generates this raw HTML for me to post here. Anyway, please enjoy these experimental calls and we can anticipate the day when these call centers are all gone because of one pirate attacking them safely from off-shore.</p>


He's pretty determined. <a href="http://jollyrogertelephone.com/about/">His about page is quite a read</a> too.
windows  scam  support  telephone 
february 2017 by charlesarthur
Ad fraud scheme cost advertisers at least $3 million per day • AdAge
George Slefo:
<p>A complex ad fraud scheme has been siphoning $3 million to $5 million per day since October from the largest U.S. brands and media companies, making it the most profitable and advanced operation seen by the industry to date, according to a new report from WhiteOps, an anti-ad fraud security firm.

By comparison, other large, well-known ad-fraud attacks garnered $200,000 to $900,000 a day, WhiteOps said.

A group of Russian hackers were behind the attack, creating more than half a million fake users and 250,000 fake websites to pull off the scheme, according to WhiteOps. Bots, which are used to mimic human behavior to dupe advertisers into paying for impressions never seen by humans, were used to view some 300 million video ads a day, according to the report.

Collectively dubbed "Methbot" by WhiteOps, the bots scammed publications like the Huffington Post, The Economist, Fortune, ESPN, Vogue, CBS Sports and Fox News, the company said.

Overall, about 6,000 publishers were hit, according to the report. Social media websites weren't immune to the attack, either, as platforms like Facebook were also hit, it said.

WhiteOps said it would not release the names of the brands affected by the attack.</p>


Bad idea. We should know which brands were affected, because they should know we know we're being overcharged. Advertising costs are reflected in end-user prices. It would also make the brands more careful.

<a href="https://twitter.com/jason_kint/status/811255519755137024">According to Jason Kint</a>, the money spent is about the same as the video revenue for the 80 most trusted premium publishers. This was really bad.
ad  scam  fraud 
december 2016 by charlesarthur
One more sign the world is shrinking – eBay is for suckers • Matthew Sag
Matthew Sag:
<p>
If you live in an economy where officials are corrupt, contracts are hard to enforce, and trust is scarce, everyday transactions are burdensome and time-consuming. If you don’t want to get scammed, you either deal with people you know, people your relatives know, or you deal with repeat players who have an interest in their reputation. Lack of trust makes markets small and transaction costs high.

The wonderful thing about eBay when it first arrived was that it freed so many people from the tyranny of small markets. eBay provided a marketplace where trust was built on reputation and feedback and the size of markets was only constrained by the cost of shipping.

Recently, however, eBay has reengineered its services so that buyer trust is based on a seemingly absolute guarantee that the seller will always lose in any dispute.

No one should be surprised that unscrupulous buyers use eBay to commit fraud on unsuspecting sellers. What surprised me was the extent to which eBay now facilitates this fraud through its “buyer protection program”. In October this year I listed a very slightly used iPhone 6S for sale on eBay and was quite satisfied when it eventually sold for $465. This satisfaction was short-lived, however, as I came to realize that I had been taken in by an eBay scammer.</p>

And how. The item was particularly valuable, but the way Sag was bamboozled is a salutary lesson.
Ebay  reputation  scam 
december 2016 by charlesarthur
The Dubai Overpayment scam • Event Photography London
Paul Clarke got an approach to do a week's photography for a wonderful amount of money:
<p>Some things made lots of sense – the language, though imperfect in its English, was like so many similar approaches. The venue was real enough, and one I’d worked in before, and I gleefully sent my new friend in Dubai a link to those photos, along with a quotation note for 5 days shooting.

You need something to really pin the mark down in a con – something to clinch things. I’ve seen enough Hustle to know this almost always involves an appeal to greed. But I couldn’t see it now. And there it was – they only wanted 5 hours a day of coverage – 10 to 3. A bit weird, that, but hey, I was quoting full day rates. Even given generous provision for set-up and pack-down time, this was going to be a relatively light workload for a tasty paycheck. I was IN!

“Just what we’re looking for” – came the swift reply – “can we book you? In fact, we’re so keen to get everything confirmed now we’ve found you, with your wonderful experience of that venue, that we’d like you to invoice us now, in full, for the work.”

This gets better, I thought. I tapped the name of the events company into Google, just out of interest to see where they were. Got a few links with very similar names (variations on “Emirates”, “Events”, and “Agency”; couldn’t be bothered to look into all of them, so left it). I’d asked for a phone number, and they’d sent one – with the right country code – I checked. But I didn’t ring it.</p>


You can be smart and be conned. It involves a big overpayment being made with a fake/stolen cheque; the excess payment is then reversed - by you! - and then the fake/stolen nature of the cheque comes to light (after you've paid out the money, because banks are sloooow at this stuff), and the bank reverses the stolen amount out of your account. Suddenly you're a lot poorer. Beware.
overpayment  scam 
november 2016 by charlesarthur
Tech support scams target victims via their ISP • BBC News
Jane Wakefield, on a new wrinkle on the depressingly old "tech support" scam, which used to just involve cold-calling, but now includes audio messages which identify your ISP and say your machine is infected - which would scare the willies out of most non-techie people:
<p>How do scammers know your ISP?
In the case of cold calls it may just be a lucky case of guessing a common ISP but in the case of pop-ups, there is an altogether cleverer way for fraudsters to glean information that can help them.

How it works
• Big ad networks allow users to win ad space on websites by bidding at a particular price
• Criminals are taking advantage of this to place adverts which are infected with a single "bad" pixel
• This pixel can redirect users and infect them in the background when they are browsing on a perfectly legitimate site - they do not even need to click on the ad
• The malware in the ad redirects users to a website in the background - invisible to the user - which checks their computer and discovers their IP address
• From the IP address it is easy to find out which ISP owns which IP address
• Victims will be served a pop-up tailored for their specific ISP which warns them their computer is infected and gives them a number to call

Fraudsters do still use cold-calling but their methods here have also become more sophisticated - instead of a vague description of themselves as a Windows Support agent, many are now claiming to represent legitimate ISPs, with very believable answers when they are challenged.</p>
techsupport  scam 
june 2016 by charlesarthur
Tech support locker scam poses as failed Microsoft Update • The Register
John Leyden:
<p>Cybercrooks have put together a new scam that falls halfway between ransomware and old school browser lockup ruses.

The new class of “tech support lockers” rely on tricking users into installing either a fake PC optimiser or bogus Adobe Flash update. Once loaded the malware mimics ransomware and locks users out of their computers. Unlike Locky, CryptoWall and their ilk it doesn’t actually encrypt files on compromised Windows PCs, however.

Jérôme Segura, a senior security researcher at Malwarebytes, said “tech support lockers" represent a class of malware more advanced than browser locks and fake anti-virus alerts of the pre-ransomware past.

"This is not a fake browser pop up that can easily be terminated by killing the application or restarting the PC,” Segura <a href="https://blog.malwarebytes.org/cybercrime/social-engineering-cybercrime/2016/05/tech-support-scammers-get-serious-with-screen-lockers/">writes in a blog post</a>. “No, this is essentially a piece of malware that starts automatically, and typical Alt+F4 or Windows key tricks will not get rid of it."

One strain of tech support locker employs a subtle piece of social engineering trickery by waiting until a user restarts their computer before confronting users with a fake Windows update screen. Users are told their computers can’t be restarted normally supposedly because of an “expired license key”. Thereafter a screen locks a user out of their computer in an attempt to trick marks into phoning a support number, staffed by scammers.</p>
microsoft  scam 
may 2016 by charlesarthur
Theft of Kickstarter-raised funds • Peachy Printer
Ryland Grayston:
<p>On September 20th 2013 me and my investor David Boe launched a <a href="https://www.kickstarter.com/projects/117421627/the-peachy-printer-the-first-100-3d-printer-and-sc/posts/1572573">Kickstarter campaign for the Peachy Printer - The World’s First $100 3D Printer</a>. The campaign was a monumental success, raising $651,091 from 4,420 backers in just 30 days.
 
It is important to note that David’s role in the company was Business Administration & Financial Management, while my role was Product Development & Technical Team Management. David hired an Accounting and Financial Consulting firm to assist in the management of Peachy Printer's finances. I was confident that with my partner David, and a reputable firm watching the business end of Peachy, I had delegated the right people to ensure things were done properly, so I went to the shop and buried my head into R&D.
 
Peachy Printer Inc. was not established until November 6th of 2013 - weeks after the campaign had ended. At the time of incorporation myself and David each held equal shares in the company as 50% owners. Due to the fact that the Kickstarter campaign was over before Peachy Printer existed as a corporation, we did not have a corporate bank account set up to receive the funds. As a result, David’s personal account was set up to receive the funds. David promised to hold the Kickstarter funds in trust until the company account had been created. After the company account was in place, our bank manager recommended that we move the money in smaller chunks to avoid having our funds tied up if something were to go wrong with the transfer. David then transferred $200,000 to cover initial operating expenses.
 
It was David’s responsibility to transfer the remainder of the funds to the corporate account. This was never accomplished. Instead, the funds remained in David’s personal account, and by March 5th - just five months after receiving the funds - he had spent every penny. The total amount of stolen funds - $324,716.01 

David claims that he intended to pay the money back before I could realize it was gone, but evidently he failed to do so.</p>


Evidently. Grayston is now encouraging people to get the Canadian police to investigate.
3dprinting  kickstarter  scam 
may 2016 by charlesarthur
January 2014: Malicious use of the HTML5 Vibrate API » Terence Eden's Blog
This was Eden writing just over two years ago:
<p>There is a new API in town! HTML5 will (soon) let you make the user's device vibrate. What fun! Obviously, it's useful for triggering alerts, improved immersiveness during gameplay, and all sorts of other fun things like sending Morse Code messages via vibration.

At the moment, Chrome (and other Android browsers) ask for permission before accessing features such as geo-location, camera, address book etc. This is a security measure to prevent your private information leaving your hands without your knowledge.

At the moment, accessing the HTML5 Vibrate API doesn't trigger an on-screen warning. Its use is seen as pretty innocuous. Because, realistically, the worst it can do is prematurely drain your battery. Right?

I'm not so sure.</p>


He was right not to be sure. Comments from this year show that this is indeed being used by scammy ads. (It's supported on Chrome for desktop and mobile, not on Safari for desktop or mobile; you can <a href="http://caniuse.com/#feat=vibration">check your browser's capability</a>.)
html5  scam 
march 2016 by charlesarthur
Uber riders say they were charged massive cleaning fees for messes they never made » BuzzFeed News
Leticia Miranda:
<p>Uber customers are warning others to be wary of using the ride-hailing app after they say they were charged hundreds in vehicle cleaning fees for messes they claim they never made.

Jordan Hunter, a 22-year-old senior at University of Texas, says she and a group of friends were left stunned after a six-mile Uber ride in Austin left them with a triple-digit bill for what Uber said were cleaning purposes.

The group of six friends took an Uber home early on Saturday, Feb. 7, Hunter told BuzzFeed News. The friends were irritated by the surge pricing, but were willing to cough up the $68 it would cost to get home safely.

After arriving home, the friends were shocked to see they had been charged an additional $100 for a cleaning fee.</p>


Sounds like drivers figuring out a way to make some extra cash on the side. If there's a wrinkle, people will find it.
uber  scam 
march 2016 by charlesarthur
Data broker defendants settle FTC charges they sold sensitive personal information to scammers » Federal Trade Commission
<p>“LeapLab purchased sensitive information, including Social Security and bank account numbers, from pay-day-loan websites, and then sold that information to entities it knew had no legitimate need for it,” said Jessica Rich, Director of the FTC’s Bureau of Consumer Protection.  “That allowed scammers to steal millions of dollars from people’s accounts.”

In its <a href="https://www.ftc.gov/news-events/press-releases/2014/12/ftc-charges-data-broker-facilitating-theft-millions-dollars">complaint, the FTC alleged that the defendants collected hundreds of thousands of loan applications</a> submitted by financially strapped consumers to payday loan sites. Each application contained the consumer’s name, address, phone number, employer, Social Security number, and bank account number, including the bank routing number.  

The defendants sold 95 percent of these sensitive applications for approximately $0.50 each to non-lenders that did not use the information to assist consumers in obtaining a payday loan or other extension of credit and had no legitimate need for this financial information. In fact, at least one of those marketers, Ideal Financial Solutions – a defendant in another FTC case  – used the information to withdraw millions of dollars from consumers’ accounts without their authorization.  </p>


Classy. It's a $5.7m judgment, but suspended.
ftc  data  scam 
february 2016 by charlesarthur
"Buy my ATM skimmers!" » YouTube
My Russian is nonexistent, but this is reckoned to be someone who builds ATM skimmers touting for work. See for yourself. Also, it's scary how hard it is to spot.

<iframe width="560" height="315" src="https://www.youtube.com/embed/LZ0GWwmLgeI" frameborder="0" allowfullscreen></iframe>
fraud  scam  atm 
december 2015 by charlesarthur
Driven to death by phone scammers » CNN.com
Wayne Drash with an in-depth report (though mute the video) about what Britons would call the 419 or "forward fee" scam - where callers say you've won tons of money but have to send them money to get it released:
<p>More than 200 Jamaicans a year are killed in connection with lottery scams -- a fifth of the killings in the island nation, which has the dubious distinction of being among the most violent countries per capita in the world.

Scammers who sell names and numbers to callers expect a cut of their profits; if they find out they're being cheated, they'll hunt down and kill the caller or a member of his family. Other killings occur when rival gang members steal caller lists.

"It's a cancer in the society," says Luis Moreno, the U.S. ambassador to Jamaica. "Gangs escalate armed competition with each other over who is going to control these lists and who is going to get the best scammers, the best phone numbers, the best phone guys. Even children as young as 10, 12 years old are tied in as couriers."

In June, a 14-year-old was dragged out of his home and machine-gunned by gang members connected to the scams. The same fate befell a 62-year-old grandmother in July. Two American women were wounded in August at a nightclub when a gang member opened fire on a rival who owed him money. The rival was killed.

"These gangs are often indiscriminate," says Bunting, the national security minister. "When they come looking for their target, if they don't find him, they will shoot members of his family to essentially send a message."

The average Jamaican makes about $300 a month. The top lottery scammers boast of bringing in $100,000 a week. They share videos of washing cars with champagne and show off by setting fire to thousands of dollars in cash…

Lottery scamming sprang up between 1998 and 1999 when legitimate American and Canadian call centers set up operations in Montego Bay. Young Jamaicans were trained on how to empathize with customers.

No one could have known how those skills would result in today's flourishing scam business.</p>


Unintended consequences, indeed. Just as Indian PC scam calls arose from British companies setting up call centres there.
scam  jamaica 
october 2015 by charlesarthur
Scary internet scam becoming disturbingly common » TidBITS
Randy Singer:
While the legions of Mac viruses still haven’t appeared, there is a new nasty out there that takes advantage of this paranoia. It isn’t a virus, a Trojan Horse, or any other sort of actual malware. Instead, it’s more like a phishing scam, using social engineering to get you to do something that the bad guys want you to do. It does it by scaring the willies out of you, and it is becoming disturbingly common. Some call it “scareware” or “ransomware.”

What happens is that you visit a Web site and seemingly have your browser maliciously frozen. You’ll find that you can’t quit, nor can you navigate away from the page by clicking the Back button.

Next, a page or pop-up appears telling you any of a number of stories (often tailored to your location), perhaps that your Mac has a problem or has illegal material on it, or that your data has been encrypted by some malevolent entity.


The real culprit: a (non-destructive) Javascript hack. But if you follow the scam instructions, you will have a real problem.
javascript  scam 
july 2015 by charlesarthur
[Update: Indiegogo Investigating] Indiegogo continues to have no standards, allows $50,000 flex-fund campaign for vaporware modular smartphone » Android Authority
David Ruddock:
While it has served as a legitimate platform for fans to support products and content they genuinely believe in and want to see become a reality, it is also ripe for scamming and incompetence. Case in point: Fonkraft, <a href="https://www.indiegogo.com/projects/fonkraft-modular-smartphone#home">a $50,000 Indiegogo campaign</a> that allegedly will culminate in the production of a Project Ara-style modular smartphone.

To date, the flex-funded (as in, even if it doesn't reach the goal, the project still gets what money was raised) campaign has amassed over $25,000 from people who probably know no better, with over 130 phones funded by supporters. The team behind the campaign? Literally two people, neither of whom state where it is they previously worked (no LinkedIn profiles, either - or any easily locatable social media profiles - surprise!), what specific experience they have in the phone industry, or how they plan to build a phone with two people and $50,000.... or less, since it's a flex-fund campaign. For the record, Ubuntu wouldn't even build a regular phone for less than $32 million.

Also, these guys provide literally no insight on how their product would actually work in a technical sense. You just have to believe!


Incredible that IndieGoGo lets people keep money raised even if it doesn't reach the goal. It's an open invitation to those with absurd optimism or bad intent.
indiegogo  scam  crowdfunding 
april 2015 by charlesarthur
Be wary of ‘order confirmation’ emails >> Krebs on Security
If you receive an email this holiday season asking you to “confirm” an online e-commerce order or package shipment, please resist the urge to click the included link or attachment: Malware purveyors and spammers are blasting these missives by the millions each day in a bid to trick people into giving up control over their computers and identities.

An “order confirmation” malware email blasted out by the Asprox spam botnet recently.
Seasonal scams like these are a perennial scourge of the holidays, mainly because the methods they employ are reliably successful. Crooks understand that it’s easier to catch would-be victims off-guard during the holidays. This goes even for people who generally know better than to click on links and attachments in emails that spoof trusted brands and retailers, because this is a time of year when many people are intensely focused on making sure their online orders arrive before Dec. 25.
scam  email 
december 2014 by charlesarthur
FTC shuts down massive “PC cleaner” scam >> Gigaom
Jeff John Roberts:
On Wednesday, the FTC and the State of Florida <a href="http://www.consumer.ftc.gov/blog/ftc-cracks-down-tech-support-scams?utm_source=govdelivery">announced</a> court complaints against dozens of individuals and companies that reportedly swindled over $120m from consumers, many of them seniors.


While these types of scams have been around for years, the court documents provide an especially clear picture of how the scams work.

According to the FTC, the crooks typically try to hook the victims with an internet ad that promises a free scan for virus or malware. That scan inevitably detects a “problem”…


It's depressing how impossible this scam is to root out. It's a modern form of the penny stock pump'n'dump.
ftc  scam 
november 2014 by charlesarthur
eBay and an email scam >> BBC News
Rory Cellan-Jones:
For several years now I have been running an annual auction of gadgets in aid of the BBC's Children in Need appeal.

The gadgets are review units supplied by some of the big names in tech, and they fetch some good prices. This year one of the products was the new Blackberry Passport smartphone, and I was delighted to see that, after an intense bidding battle, it went for £410.

Then the winner contacted me to ask for my PayPal details and some further photos of the item. This seemed mildly curious - other winners just clicked and paid - so I had a closer look at the buyer.

He was called Tommy, gave an address in London which I couldn't find on a map and had only joined eBay the day before making the bid. I sent him a message requesting payment but also forwarded his message to eBay to see if there were grounds for concern.


The critical element in this is email, and how hard it is to validate an email's origin. Cellan-Jones was suspicious, but many others would not have been. And, as he points out, email programs should be smarter at spotting phishing. There's a huge space waiting for someone to solve it.
scam  email  paypal 
november 2014 by charlesarthur
