2fA Scam -- what do they know?
Discussion
Got cold called by a 2fA scammer. For a laugh I stuck with it until the 6 figure number got texted to me...
I've always assumed they just have my phone number and are relying on me to disclose everything else. However, after they hung up I realized with some shock that to get to the point where my mobile phone firm are sending me 6 figure codes the scammers must have more than just my mobile number. It seems they either need to match my phone number to my username or alternatively my postcode, date of birth & account number.
Is that assumption correct or can they generate a 2fA text with just my phone number?
Potentially they know an awful lot about me.
Edited by BikeBikeBIke on Wednesday 17th July 10:55
Scammers are certainly becoming cleverer and changing their MO from flooding their recipients with spam to targeting us individually.
Remember the good old wking email scam: "Hello, we have been watching you pleasure yourself using your computer. We have taken control of your computer using a trojan and have been logging your keyboard and recording you on your webcam. We know what websites you are using and what your passwords are. If you do not send us $1,750 to our bitcoin wallet, we will release the video to your contacts."
Of course I ignored them and then got another email similar to the one above, but to confirm they knew who I was, they put in my email address, username and password.
Email: vikingaero@whateveremail.com
Username: vikingaerolovesgoats
Password: goatlover69
Now this did raise a little alarm at first and then realised that the password was from 1980/90something for MySpace or some other site where I had been pwned in the early days of the internet.
The fundamental problem with this scam? I don't have a webcam on my main PC.
Have you checked your details against known leaks on sites like haveibeenpwned.com?
Your details most likely are floating around the web somewhere. Most recently, Dell told me hackers got my details off their servers. Last time it was Sony who got hacked, they actually cloned my credit card with the info they gleaned.
I opened up accounts with all the credit checking agencies and started to monitor them after that. Moneysavingexpert has a good guide.
Also I’ve centralised card payments to Google pay or Apple pay as far as possible and won’t keep / save card details on individual websites unless absolutely necessary. Apple and Google will have a lot more incentive and resource to keep your financial details secure.
Edited by wyson on Wednesday 17th July 13:24
But would you have given your phone number in addition to the email address on certain websites?
At least it confirms account details containing your email address are out there. It wouldn’t be mega shocking a company might hold your email address and phone number and physical address on the same system that got hacked.
Last month I was bombarded with 2fa codes from amazon. The scumbags kept hitting the "forgotten password" option using my email address. I am not sure how they planned to get the 2fa code from my phone though.
I also get 20+ phishing texts per day. Mostly about Trump, all with links. My friend lost all his money and crypto because his kids clicked the link on his iPad. He got his money back but not access to his crypto.
One thing that is very evident is that they use LinkedIn to identify targets based on job title. When I joined a well known company the volume of scam attempts went crazy. At one point my phone was buzzing constantly with various phone calls, emails, and text messages. Oddly, it stopped when I travelled internationally. Then, I changed job, and updated LinkedIn, and it all started again.
wyson said:
But would you have given your phone number in addition to the email address on certain websites?
At least it confirms account details containing your email address are out there. It wouldn’t be mega shocking a company might hold your email address and phone number and physical address on the same system that got hacked.
Well yeah, although the pwned website doesn't specifically tell me it's entirely likely/possible that someone has matched several bits of information to my phone number. In fact if my experiments with my phone company website are right, they must have.
I've just experimented again and unless there's a way to generate a genuine OTP text with less information than the website requires I don't think they can do it. Plus anything I try generates an e-mail in addition to the text. So I think the OTP text must be fake and I was at the start of a longer process of getting info out of me. I can't think of a way of testing that theory.
vikingaero said:
Scammers are certainly becoming cleverer and changing their MO from flooding their recipients with spam to targeting us individually.
Remember the good old wking email scam: "Hello, we have been watching you pleasure yourself using your computer. We have taken control of your computer using a trojan and have been logging your keyboard and recording you on your webcam. We know what websites you are using and what your passwords are. If you do not send us $1,750 to our bitcoin wallet, we will release the video to your contacts."
Of course I ignored them and then got another email similar to the one above, but to confirm they knew who I was, they put in my email address, username and password.
Email: vikingaero@whateveremail.com
Username: vikingaerolovesgoats
Password: goatlover69
Now this did raise a little alarm at first and then realised that the password was from 1980/90something for MySpace or some other site where I had been pwned in the early days of the internet.
The fundamental problem with this scam? I don't have a webcam on my main PC.
I note that you haven't denied the 'pleasuring'...
I had one a few months ago, I'm very wise to it usually but they caught me at the right time (well oiled)
I had been out on an all day session. At 10pm, on an Instagram account I use which is dedicated to a certain black stout from Dublin, they messaged me from a hijacked account (a bar) asking me if I could vote for their bar in a competition, so being well oiled I said yeh go for it. They then proceeded to tell me that to vote I was going to be sent a code to my email that I needed to give them. When my personal Gmail started getting bombarded with 2FA codes I became wise to what was going on.
If I had given them the 2FA code they would have access to that IG account as well then.
Edited by the-norseman on Sunday 21st July 06:14
h0b0 said:
Last month I was bombarded with 2fa codes from amazon. The scumbags kept hitting the "forgotten password" option using my email address. I am not sure how they planned to get the 2fa code from my phone though.
I also get 20+ phishing texts per day. Mostly about Trump, all with links. My friend lost all his money and crypto because his kids clicked the link on his iPad. He got his money back but not access to his crypto.
One thing that is very evident is that they use LinkedIn to identify targets based on job title. When I joined a well known company the volume of scam attempts went crazy. At one point my phone was buzzing constantly with various phone calls, emails, and text messages. Oddly, it stopped when I travelled internationally. Then, I changed job, and updated LinkedIn, and it all started again.
Maybe an attempt at sim swapping or port-out fraud?
vikingaero said:
Scammers are certainly becoming cleverer and changing their MO from flooding their recipients with spam to targeting us individually.
Remember the good old wking email scam: "Hello, we have been watching you pleasure yourself using your computer. We have taken control of your computer using a trojan and have been logging your keyboard and recording you on your webcam. We know what websites you are using and what your passwords are. If you do not send us $1,750 to our bitcoin wallet, we will release the video to your contacts."
Of course I ignored them and then got another email similar to the one above, but to confirm they knew who I was, they put in my email address, username and password.
Email: vikingaero@whateveremail.com
Username: vikingaerolovesgoats
Password: goatlover69
Now this did raise a little alarm at first and then realised that the password was from 1980/90something for MySpace or some other site where I had been pwned in the early days of the internet.
The fundamental problem with this scam? I don't have a webcam on my main PC.
But you had been pleasuring yourself to goat porn though?
vikingaero said:
Scammers are certainly becoming cleverer and changing their MO from flooding their recipients with spam to targeting us individually.
Remember the good old wking email scam: "Hello, we have been watching you pleasure yourself using your computer. We have taken control of your computer using a trojan and have been logging your keyboard and recording you on your webcam. We know what websites you are using and what your passwords are. If you do not send us $1,750 to our bitcoin wallet, we will release the video to your contacts."
Of course I ignored them and then got another email similar to the one above, but to confirm they knew who I was, they put in my email address, username and password.
Email: vikingaero@whateveremail.com
Username: vikingaerolovesgoats
Password: goatlover69
Now this did raise a little alarm at first and then realised that the password was from 1980/90something for MySpace or some other site where I had been pwned in the early days of the internet.
The fundamental problem with this scam? I don't have a webcam on my main PC.
You wouldn't believe the number of "I've just had this email do I need to do anything?" queries I used to get about this.
I almost had a boilerplate "No unless you've been wking in front of your work laptop" template ready to go.
bhstewie said:
You wouldn't believe the number of "I've just had this email do I need to do anything?" queries I used to get about this.
I almost had a boilerplate "No unless you've been wking in front of your work laptop" template ready to go.
We operate across Europe and scam emails in English are a nightmare with staff for whom English isn’t their first language as they don’t twig the (thankfully) often clumsy way they’re written.
Increasingly they’re targeted and often it’s clear some research has gone into them. As someone else mentioned, new starters are being picked up from LinkedIn and it’s clear they’re guessing email addresses (if it’s not public on LinkedIn) as we use two different forms and they try them both.