81 comments

[ 2.9 ms ] story [ 240 ms ] thread
> One of the main techniques, explains Wayne - a scam baiter who often works with Jill - is by leaking scammers' details and their conversation scripts online.

> The aim is for these to filter through to search-engine results, so potential victims will be alerted if they type in the scammer's name.

This helped me so much with apartment hunting. I caught multiple fake listings by just googling parts of the language.

What is the end game of a fake listing? Bait and switch? What does the scammer get out of it?
"I'm out of town right now, but if you send me the security deposit and first month's rent, I'll mail you the key."
I've seen a scam of the form "the property is in incredibly high demand, we need a deposit to secure a viewing".
(comment deleted)
Fill out this application before viewing. Application asks for: Legal Name, Current and past addresses, Phone number, Family Member Names (emergency contacts), SSN # (for credit check), Credit Card # (For application fee)

Basically, everything needed for identity theft

An ex was tricked out of about 900 bucks by one of these.

Person is moving to a new city, needs a place, but doesn't have the time or budget to travel and inspect in person. They play it safe by picking an upstanding, corporate looking listing... all they need to do is make a deposit...

They show up with suitcases to a building that's never heard of them.

A friend's girlfriend was successfully done out of ~$2,000 by sending the scammers a deposit for an apartment she thought she was leasing.

She was in Australia, I think. The apartment was in London. Of course she wanted somewhere to live as soon as she landed, so she had to do it remotely. Bad result.

For anyone who doesn't know, never do that. Get a hotel/hostel/airbnb for the first week, then actually go to places. Never take a place you have not visited.

Also in London, go private rental helps avoid the ridiculous agency fees.

I'm genuinely surprised anyone would take a place completely unseen. Even if you remove the possibility of being scammed like this and assume the place does indeed exist, there's so much potential for creative photography to hide problems. Not to mention noise, bedbugs, broken appliances etc.

Did people do this before the internet? It's amazing how a "corporate" looking website can convince rational people to be incredibly trusting.

So yeah, never do that.

If you're only going to be living there for six months it doesn't really matter.

I once rented a shitty apartment that I knew was shitty and could see was shitty. I needed some place to live right then and there and they weren't asking too much for rent. I wasn't planning on living there more than a year. Ended up living there two years due to medical issues delaying home buying but still don't regret living there at all.

Plus, you reserve hotel rooms sight unseen.

Just touring somewhere isn't going to help, you have to make sure the person who is showing you the apartment owns the apartment, look up real estate records and ask their the landlord's ID. I say this because there is plenty of cases where scammers will break into vacant buildings and "rent" them as long as possible. Heard of a story where a guy was living overseas for a few months and came home to a family living in his house which had been "rented out" by a scammer who broke in and changed the locks.
I believe in some states its not even a matter of saying "Hey this is my house get out" you have to go though eviction processes to remove them as well. What a mess.
Yes, absolutely. Tenantancy is usually established after around 30 days of continued occupancy and once they are tenants, even if they aren't paying rent, you can't legally kick them out without going through the proper legal channels.

There's even been cases of people posing as fake real estate agents to "rent" apartments. If your dealing with a real estate agent then ask for their ID like you would a landlord, and the license number, and look up their real estate license online.

A."security deposit plus first months rent" for an apartment that either doesn't exist or it exists but they don't own it.

Plus all the PII you put on the application is a bonus.

So you pay a "landlord" for an apartment, you show up with a moving truck to collect the keys, and the "landlord" is gone with your money.

Obligatory mention of the "Why Do Nigerian Scammers Say They are From Nigeria?" paper, which posits that scammers purposefully claim Nigerian nationality because their own time is so limited, and with costs of bulk email being so low, it's an efficient way to turn off everyone except the few who yet haven't heard of the Nigerian prince scam.

https://www.microsoft.com/en-us/research/publication/why-do-...

I'm also reminded of a story I read, I remember it being in a newspaper or long-form magazine, of someone who tried baiting a Nigerian scammer and it somehow leading to a dangerous physical confrontation, but am unable to find it via Google right now.

This guy tricked a scammer into getting a tattoo: http://www.419eater.com/html/okorie.htm
(comment deleted)
Unfortunately, what he actually probably did was to trick a scammer into threatening some poor local to get a tattoo.
I'm pretty skeptical of the story itself. Despite the many spelling and spacing errors, the "scammer" seems to have a really good command of English. The use of some rather "advance" phrases and word choices, the emails read like a native english speaker pretending to be someone who is bad at it.
English is the official language of Nigeria.
One tidbit I also heard or read somewhere, though I can't find a reference now, is that the poor grammar and misspelling is often deliberate. The theory behind it is that if a target is willing to overlook that, they're willing to overlook a lot of other stuff.
In addition to having wondered why Nigerian scammers associate themselves with an obvious (to me, and the 99% of general population they don't want to waste time scamming) scam, I've sometimes wondered why decent-size/well-known Chinese restaurants have such obvious typos and grammar errors when they could easily pay for a proofreader (if not have a family member/friend do it for free) to fix things up.

Obviously, a restaurant owner does not face the same cost scenario as the Nigerian scammer (nor is he/she trying to scam people), but i wonder if these restaurant owners simply don't care. Or perhaps they are OK with having obvious errors in the menu because it lends to the authenticity of the restaurant (even as it plays into mainstream stereotypes). I imagine I would look differently at the hole-in-the-wall places I eat at if their menus' English were as immaculate as P.F. Chang's.

Not your main point, but the thing that seriously impressed me about PF Chang's is that if you have a couple of food allergies, they custom-print a menu of all the things you can eat.
Also why they commonly include misspelled words.
I thought that was to get past the email scam filters (that look for certain words).
It's also great for children. My five year old overheard me baiting a scammer on the phone and expressed great interest. He'll be sitting in on the next call, and participating once I'm convinced he understands what's going on.

I _think_ the outcome will be that he'll be much better equipped to deal with social engineering as an older child and adult.

Be sure to explain to him the difference between someone objectively doing harm, and someone he simply doesn't like.
To those downvoting, I'd love direct feedback. I'm not precious about my parenting style. Well, no more precious then I am about anything else I take seriously.
You honestly have to ask why you shouldn't include a five year old in scam baiting?
I expect the "once he understands" bit to take at least a few years.
The og scam bait crew: http://www.419eater.com/html/trophy_room.htm

I don't think this crew is ethical.

Genuinely curious. Why dont you think it's ethical? Do you feel they should stop?

I ask as I feel they are doing a public service. As far as I know they dont approach anyone and let people approach them. They then waste their time and make them jump through hoops in usually fairly harmless ways that reduce the likelihood of the scammers doing genuine harm.

This crew got some of baiters to get tattoos [self mutilation] and are into public shaming.
> I take great care in protecting my online persona, [...] I don't use any of my real-life information. All of my characters are based somewhere 100 miles away from where I live.

That's a pretty accurate indication of where she actually lives, provided that information can be combined..

The people who would have the time & resources to do that have far easier ways to derive that information.

Also, The BBC found them. "CNN" could easily go setup an "Interview".

Not it is always the same town 100 mi away.
If it's clearly a scam I tell them I need them to hold on for a minute. Then I mute the phone and get back to work. They generally stay on the line for 5-10 minutes. Wastes very little of my time, wastes a bunch of theirs (hopefully raises the cost of the scam a little and gives them less time to scam others). Not sure if there's any security risk in leaving the line open on my end that long, but it's my weapon of choice in fighting back a little.
Maybe you could automate a few different takes on "oh sorry, just a few more minutes" or "I'm getting my bank account info, it's in the other room" to repeat on loop every 3 minutes or so.

Create a very long MP3 and hit play.

Or use the bot linked below... of course this has been before :)

I used to enjoy getting calls from Windows Support. My favorite was when their rep told me to open the Event Viewer and I asked, "What's the hostname? We have several computers at home and it sounds like it's important I get to the right one right away."

The rep didn't know what a hostname was, so I explained that it's your computer name and it normally shows up in the error logs that every PC automatically uploads to the Windows Support team. She didn't see any hostnames, and I told her there was a new kind of malware attacking support centers and deleting hostnames from their logs to prevent people from getting proper support. And her computer was probably infected!

I offered to help with some troubleshooting steps and mentioned that I had a diagnostic program she could download to inspect and repair her PC.

She sounded just about ready to go for it, but then her supervisor came on the line. I explained to both of them again about this new malware and how we could repair it. And then they hung up on me! How ungrateful...

That's magnificent. Imagine getting them to install ransomware on their own PC while you walk them through the process... almost definitely illegal, but funny as heck.
Awhile back there was a guy that got them to open whatever that month's variant of cryptoware was. IIRC it's on youtube.
I've recently become inundated with small business line of credit calls and no amount of asking them to remove my number worked (in fact, seems to have made it worse).

On the last call I decided to use a fictional name and spent 15 minutes chatting with the woman about how much I enjoyed living in Albuquerque, New Mexico, and how hard I had worked to set up my first fast-food fried chicken restaurant and that, yes, I absolutely wanted to add a couple more locations to prove that the American dream was still alive and well.

I felt like we really connected.

Unfortunately when she called up the person who I assume was the lead buyer and tried to transfer the call - a "Mr Gustavo Fring" from "Los Pollos Hermanos" who was excited to expand his business with fast cash - I received a short burst of expletives before they immediately hung up.

Nobody has called back since but I've got a few more characters ready for when they do.

This guy created a voice bot that wastes scammers and telemarketer's time.

http://www.jollyrogertelco.com/ http://www.businessinsider.com/man-creates-bot-to-deal-with-...

I can't wait for voice recognition, voice synthesis, and AI researchers to pick this up and offer a more advanced version that is a free public service just to use the scammers as a free, endless training corpus. Instead of pre-recorded snippets, evolve a completely dynamic model.
Then the scanners start doing the same, and boom, you've got a GAN that quickly learns to be incredibly good at pretending to be human.
Can't possibly generate a worse foundation for a customer service bot than some of the human-staffed customer service departments I run into today. That was said tongue in cheek, but I do wonder.
I went to Delhi to learn more about tourist touts. It was enlightening watching the guys work. They worked hard, they were good at what they were about and at the end I made their time worth their while, though not as much as they might hope.

I don't know that I would recommend it as a hobby though, one might find themselves in some serious danger.

Also see a website I made: https://spa.mnesty.com/
That is pretty spectacular!

You should have a /bestof. As you know, many of the conversations are just bot vs. bot. But some are pure gold:

https://spa.mnesty.com/conversations/egtkaezd/

Hmm, a "best of" is a good idea, but I'm not sure who would judge conversation. A voting system feels like too much for such a simple app.
I use it quite often. One "conversation" having gone for ~30 emails...
I got a Rachel from Cardholder Services call once during an in-office meeting so I put the call on speaker for everyone to enjoy, then immediately went to Graham King: https://www.darkcoding.net/credit-card-numbers/ to get some credit-card numbers that would pass their basic Mod 10 check and go to their CC merchant service, thus costing them money. By the sixth failed card and 20 minutes later the 'agent' figured out I was messing with him and threatened to rape my wife and kill me while screaming obscenities. It went very NSFW in a matter of seconds.
(comment deleted)
The comments on that page are pretty weird
Yeah, it's a highlight of my day every time.
So I got a call from "the IRS" yesterday asking me to pay my taxes since according to them I had underpaid. It was clearly a call center in India, but I went along with it. When it came down to paying, they claimed I could do it in cash by walking to Walmart or Target and buying 5 gift cards for $1k each. I busted out laughing and they just hung up.

The thing is, this was the second call I had gotten from the same phone number. First time they called was 4 months ago, so I added them to my address book as "Mr Scam". I told my friend about this, and we decided to call them back again today on speaker... they answered! So I asked them for their bank account so I could transfer them $100k. They said no, go to target and buy a gift card. I quickly asked "ok, so I can only buy $100 gift cards... how many do I need?" The guy struggled and could not answer, so I walked him through the math and taught him a trick to remove zeros - it was hilarious! Then the guy caught on, got upset, and told me to "to stop calling, they are just trying to work there". It was funny and disturbing at the same time.

In case you want to prank the scammers, feel free to call them to +1 (208) 501-0873. The phone seems to only work during US business hours - call a few times and you will get these bastards :)

That is hilarious!

I got a similar call yesterday. Unfortunately I missed the call, but they left a voicemail. My transcription:

> We have just received a notification regarding your tax filings. From the headquarters which will get expired in next 24 working hours. And once it get expired after that you will be taken under custody by the local cops. As there are 4 serious allegations pressed on your name at this moment. We would request you to get back to us. So that we can discuss about this case. Before taking any legal action against you. The number to reach us is 505-300-1053. I repeat 505-300-1053. Thank you.

trust me, I did that the second I hung up. I got an automated email from them telling me it is a scam and not to send them money. I replied telling them that they had been using the same phone number for months - they should investigate. No response since yesterday. From the background noises in the call center, this was a full-blown large scale operation (I could overhear at least three parallel phone conversations. Sadly, they have obviously not stopped them yet...
>In case you want to prank the scammers, feel free to call them to +1 (208) 501-0873. The phone seems to only work during US business hours - call a few times and you will get these bastards :)

It occurs to me it might be funny to try to get the scammers to call each other. Give them all each others' numbers somehow.

A coworker's wife was almost taken for several thousand dollars by a phone scammer. She asked him at the last minute and he told her to call it off. He was pretty upset that they'd tried to exploit his wife, though. He talked to the police, but they weren't much help.

So he set his cell phone to autodial their number. For the next three days. His number is unlisted, so they couldn't block him without blocking all incoming calls, which was essential to whatever scam they were trying to run. He just tied up their whole operation.

His phone sat there on his desk ringing quietly over and over all day. Every now and then they'd pick up and scream at him.

Occasionally I get a nigerian scammer that makes it through the spam filter. Last one I had I played really dumb for about two weeks.

Oh western union? Yeah I live on the east coast I'm pretty sure we don't have that here.

I found the western union but I don't have any nigerian money to send, how do I get nigerian money?

I was going to send the money today but I stopped at the mini McDonald's at Walmart and ate some fries. I don't have the full 500, only 496 now, sorry I'll see if I can find the rest.

Someone told me that there was a robot computer from Nigeria that asks for money, how do I know you're not a robot?

I'm pretty sure a robot would say it isn't a robot. Can you send me pictures to prove you're not a robot?

etc etc etc

Why is this on the front page when https://news.ycombinator.com/item?id=14519343 has more upvotes?
Because HN frontpage is Magic™.

A rumour between the wizards has it that the frontpage spell takes into account the first derivative of upvotes, among other things.

I have no official position and no inside information. Here are my observations.

There are a number of things that happen that people are not always aware of. There is, for example, a "flame-war" detector, that works on the heuristic that if there are more comments than points then it's probably a smaller number of people having a back'n'forth, so it's likely to be unproductive/unenlightening. It's a heuristic, but it works well enough to be a good first approximation.

But these things are watched and reviewed by the mods. They can remove that penalty if it seems to be a false positive. They can also apply a boost to items they think are good material for HN, but which haven't got the attention they deserve.

Looking at the traces[0][1] I suspect that this item has had a boost, and the other has had the flame-war penalty.

[0] http://hnrankings.info/14517461/

[1] http://hnrankings.info/14519343/