honzabe 2 days ago

That's bizarre - someone tried to scam me in a similar way literally a few minutes ago.

I am selling something on a marketplace. Someone contacted me - they want to buy the thing I am selling. Do I still have it? I say yes. They say they are sending a GLS courier to collect the item. I figure they need the item fast - we are celebrating Christmas tomorrow. Why not.

The "buyer" sends me a link to a service supposedly offered by GLS, where GLS works as an intermediary - they collected the money from the buyer; when they collect the item, they will pay me. This is happening in the Czech Republic, and services like that seem plausible here. I do not know every detail of every delivery service offered here. The page looks just like an ordinary GLS page. I am in a hurry. I do not pay that much attention. I pause and check only when redirected to my bank's authentication page (this is the phishing part, obviously). Turns out GLS offers no such service.

I was closer to giving them what they wanted than I imagined possible. I was on autopilot until the last second. Not even my bank's login page surprised me that much - we have something called "bank identity" that lets you authenticate stuff by your bank ID. It is so convenient that I got used to it and I do it carelessly.

>> I hate scammers

Yes, me too.

  • Gys 2 days ago

    I missed something: why do you as a seller have to enter your bankdetails?

    • honzabe 2 days ago

      That is the thing - you don't.

      In Czechia, something called bank ID is commonly used to authenticate. The point is to verify it is you, for example when you sign a contract online, fill in tax returns online... stuff like that. The way it works is that you are on some site, you get redirected to your internet banking, you log in (that's what I meant by "bank details", I am sorry about expressing myself so clumsily), and your bank redirects you back to that site with confirmation that is you.

      Do I need to verify my identity when someone wants to send me money? Who knows. This is the part that made me check. But I was close to not checking simply because it is habitual, and you do stuff like that automatically.

      Nowadays, we are often dealing with systems we do not fully understand. You get redirected to some familiar login form, you log in, and you don't even pause. Well, at least I do it. I should be a lot more careful, apparently.

      • mcyukon a day ago

        Canada checking in. We have the same system for authenticating with government services. https://www.interac.ca/en/verification/personal/sign-into-go...

        I dislike this as well, as this is conditioning people to not second guess why a third party website is sending you to your bank to login. As well as scam websites I've come across that mirror the authentication process down to every step you would have when using it for legitimate purposes. Scam website>Scam Interact login parter>Scam web banking login> stolen bank credentials.

        • ustad a day ago

          Holy crap! I would have thought Canada would know better than use this “Bank ID” method.

      • seymore_12 a day ago

        Honest question. Shouldn't this internet banking that offer authentication as a service do it via at least mandatory 2FA for log in. I would guess that way fake bank sites would be failing?

        I dont have many banking relationships, using 2 banks and there is not even a password to remember, all login is done via authentication apps.

      • XorNot a day ago

        Login page redirects have become a big user security hazard it would seem - and OAuth is basically the culprit.

        • dylan604 a day ago

          The entire social engineering of sending everything off to 3rd party is something that really irks me. The touted convenience of faster to deploy updates by using 3rd party rather than depending on local version updates has never been enough for me. It also was the sugar pill for switching to rent seeking SaaS to gain traction.

          I don't want my web server dependent on anyone else's server/service being available or in any other way slowing down my user's experience.

          The only service that I have no local solution is payment processing.

      • ustad a day ago

        Holy crap. What a terrible system and I hope my part of the world never implements such forms of tech.

        • honzabe a day ago

          I am not sure I can agree with that. I almost got scammed, but isn't that my responsibility to check?

          The thing is, those services really are useful. A lot of stuff that used to be complicated and required me to stand in line somewhere can now be done comfortably from home. Many good things can be abused, but that does not mean they should not be implemented. And you don't have to use it if you do not want to.

          Also, I don't know how the scam works behind the login form that stopped me, but I think it would not have worked even if I had given them my info because there is 2FA - how would they overcome that hurdle?

          • ustad a day ago

            Sorry, I was not clear. I was talking about having to use your bank for authentication/sign in.

        • noprocrasted a day ago

          It's an actually really good system, as the origin (aka the domain displayed in your URL bar) changes during the redirect.

          The problem is the lack of user education as to what an "origin" is.

          But assuming there is good user education, this is the proper way to do it. One (untrusted) origin redirects you to a trusted one with instructions to give it some information. The trusted origin asks for your authentication and tells you what the untrusted origin is requesting. If you approve, the untrusted origin only gets the very specific data it requested (and you approved) and nothing else.

          • ustad a day ago

            I’ll repeat what I said above/below: Sorry, I was not clear. I was talking about having to use your bank for authentication/sign in.

  • lifestyleguru a day ago

    The problem is using bank account for anything else than managing and transferring money. Confirming identity is a "convenience" no one asked for. Government services have their own authentication. Bank shouldn't know where and when you are accessing any other services, they _will_ use it for profiling or could even escalate into some KYC enquiry. Government should know only your IBAN. Connecting these dots for various service providers will never work in your favor.

RobinL a day ago

I got several people wanting to send a courier last time I listed something on Facebook. Checking their pages, they were all from eastern Europe with no obvious connection to my city. Good to know the mechanics of the scam, I wondered what they were up to. Don't understand why Facebook couldn't have auto detected the messages though - seemed like a pretty major failure of marketplace that the majority of the messages I got were scams.

  • lazide a day ago

    Someone is probably afraid to be too effective at filtering them out, as it would nuke their numbers. (Engagement/messages sent? Who knows)

    If most of the traffic is scams, it’s not like they can remove it without something showing up in their metrics after all.

    Search, and USPS ‘spam’ mail has a similar problem.

paxys 2 days ago

It's so easy to spot marketplace scams that I'm baffled people still fall for them.

Are you going to show up with cash on my doorstep (or another agreed upon location)? If yes, we can continue talking. If not, you are blocked and reported. End of story.

  • yojo a day ago

    The article mentioned it was a listing specifically for a large item.

    I get why someone might not show up on my doorstep if they’re buying a piano - they probably need to hire somebody and are themselves not going to contribute anything to the piano moving process.

    But fully agreed that once you’re an inch off the “show up with money” path, everything is suspect.

    • paxys a day ago

      That's even more of an indicator that it's a scam. You put a listing for something big/bulky/expensive on the internet and some person sees a couple pictures, thinks "good enough" and immediately wants to wire you hundreds of dollars? Without actually seeing it or making sure they aren't getting scammed? Nope, does not happen.

      • sfjailbird 14 hours ago

        This is common. I've done it myself and had no problems. I want to buy some bulky item from another part of the country, I trust the seller, so I just wire them the money and tell them when my movers are going to show up.

      • lazide a day ago

        Hey, only a hundred ish for a piano? Even if 1/2 the time it’s a scam, that’s still a pretty good deal.

        This is how overall marketplace trust dies and the overall industry collapses though.

  • seb1204 a day ago

    This is how I do it as well, gumtree or marketplace. I Still have to deal with the spammers messages and reporting

  • lazide a day ago

    The ‘beauty’ of the Internet is how scalable it is. Both for good, and for evil.

    Even if you get .01% success rate, if it costs so little to reach 1M people, you’ll do well.

  • meiraleal a day ago

    > It's so easy to spot marketplace scams that I'm baffled people still fall for them.

    That's survival bias. There are some you can't spot.

    • alangibson a day ago

      You missed their point. It's cash on the barrel head or counterparty is presumed to be a scammer. If you follow that rule you'll never be scammed.

      • meiraleal a day ago

        > If you follow that rule you'll never be scammed.

        until you get robbed, kidnapped or forced to do a bank transfer.

        • dylan604 a day ago

          you just named multiple things that are not a scam

          • meiraleal a day ago

            How not? The robber never intended to finish the deal.

            • dylan604 a day ago

              Because like everything else in law, the lower charge becomes irrelevant in light of a worse offense. Breaking into someones home is burglary, but do it when someone is home and it becomes home invasion. Do it with a weapon and it becomes an aggravated charge.

              At that point, nobody cares if you were trying to steal the silverware.

aorth 2 days ago

Awesome work. Entertaining read. Много поздрави!

ChrisMarshallNY 2 days ago

Good work!

As noted, it probably won't change anything, but scammers are a lot more sophisticated, these days, than they used to be.

  • vintermann 2 days ago

    From the description, these are rent-a-scammers, who convince people that renting their all in one scam platform is a great deal. It probably isn't, or they'd be doing it themselves. It's a good deal if you place a premium on feeling clever from scamming people, and don't care about the risk of getting hit by the police, or by rival would-be scammers eager to show they're more tough criminals than you.

    It's the lifecycle of a scam. Once it really isn't worth the effort anymore, it gets packaged up and sold to stupid kids.

    • dylan604 a day ago

      This isn't any different from those seminars that teach you how to make money in real estate, forex, or similar. All you have to do is buy their books and attend their seminars and they teach you how to host your own seminars.

  • phoronixrly a day ago

    If only there were authorities that would take actions to track down these scammers with as much zeal as they track down pirates...

hkdobrev a day ago

I had a bunch of those whenever I tried to use OLX - both on OLX messages and Whatsapp as well. Bot prevention is 0. I know people who were successfully scammed as they think they are entering their card details to get money transferred by their card number.

atodorov99 a day ago

If anyone here has done a similar reconnaissance operation - I am curious how much time does it roughly take ?

cynicalsecurity 2 days ago

Why am I not surprised that Russians are behind this scam?

  • akaitea a day ago

    because their similarity in language with Bulgaria helps performing convincing scams

    • atodorov99 a day ago

      The author has shared information that he had discovered the scammers are operating in Spain and Italy as well. So it is not specifically because of language similarity.

  • meiraleal a day ago

    [flagged]

    • chasebank a day ago

      Russian is not a race.

      • pavel_lishin 15 hours ago

        Neither is "Mexican", yet saying something like "All Mexicans are <negative quality>" would be an unequivocally racist statement.