Ask HN: I found out a hacker's phone number. Now what?

46 points by throwawaySaaS1 ↗ HN
Hi guys,

I run a SaaS business in Canada, and I had an individual attempting to gain access to one of our customer's account illegally via social engineering (pretending that she's an employee of the customer) I asked for her phone number as a part of verification process (completely made up), and I was able to speak with her briefly. During our phone call, she blatantly lied about being my customer's wife when I know for fact that he's single.

I checked out the government's website about reporting a cybercrime, but it seems to have very little resources available. Their office's closed right now, so I'll give them a call tomorrow.

Has anyone experienced a situation like this?

28 comments

[ 3.3 ms ] story [ 59.2 ms ] thread
4chan.

You know what to do.

(don't really do this. But it would be fun...)

It could’ve been someone who performed a sim swap on another in order to leave no trace though, or a prepaid phone number that will be recycled after a year
Do parentheses make text invisible on this forum?
I’m not sure to be honest, I’m pretty sure it supports just generic markup
No. When you are downvoted / flagged by enough users your text slowly fades out. Though, I believe you have to be configured to show dead comments.
You missed my point. I clearly explained that I was joking, inside parentheses, and then got serious responses as though I really meant for them to do it.
Make a note for the support people to ignore fraud attempts matching the details.

Then move on.

DO NOT DO THIS. Having worked in customer care security, I can gaurantee that the note will be missed or ignored.
Give her access to an empty account, then log everything she does. Block her and report as necessary.
While the crime is done using computers, it seems like it could be fraud, if they are trying to use the access to spend money or steal information to do something with?

Given the nature of the attack being aimed directly for one customer, if I were you, I would possibly alert that customer that something funny is up. That way they might be able to prevent the same thing happening at other companies they use that might not be as careful.

As far as dealing with the police, if they didn't manage to get anything, I wouldn't bother. Keep the info around just in case.

It's most surely not the hacker's phone number.
Definitely: “hackers phone number” is an oxymoron, because no somewhat experienced hacker would ever give out their personal number.

Don’t be shocked if it’s some twilio or google voice number

It IS possible that they screwed up. But yeah, I doubt it
If you attack the number you might hit an innocent bystander whose number as been misused by the hacker.
One thing that might ruffle their feathers a bit is if you figure out what time zone they're in, and then give them a call in the middle of the night.
I would randomly send her made up verification codes :D
List the phone number on Craigslist for a free tv in several large cities. (I’ve done this as pranks to friends, they’ll get several hundred texts and phone calls)
I wouldn't follow the comments suggesting vigilante retaliation against the hacker via the phone number. For all you know it belongs to a second victim (e.g. hacked Skype number).
I think you should just report it to the RCMP and leave it be. Vigilante action can have unforeseen consequences and since you are a business owner, it's best avoided.

p.s. incorporate stronger authentication mechanisms (2FA) for your offering, if not already.

Let the actual victim(the customer) know and leave it at that. They can file a criminal complaint or take further action as they see it fit.

Don't go about acting like a vigilante. What if she does get arrested but she is the guy's gf/ex? What if she is a legit business partner? This things can will often go south in differeny ways. You were not target,a victim or a criminal detective.

Give it to the 'Your auto warranty is about to expire' people. Can there be a worse punishment?
Definitely report it to the RCMP, but you can also report it to the US FBI via https://www.ic3.gov/default.aspx. I'd suggest not mentioning that you're a Canadian citizen; just let them assume you're American so they don't use your citizenship as an excuse to just shut down the case and ignore it. I'm not suggesting you lie of course, but let them draw their own conclusions.
he might try doing it again, that's often called spear phishing in a more nerdy manner, just let people around you know this happened and move on.