I’ve been targeted by scammers and was quite surprised how smart they can be.
Everything started from tweet I posted a few weeks ago:
@comcastcares Any problem on Bay Area (Berkeley, CA), can ping 18.104.22.168 but not https://t.co/FMjZA2di6C
— bitonio (@bitonio) April 28, 2017
At that time I was troubleshooting some connectivity issue at home, some part of the Internet was reachable (like Google Anycast DNS 22.214.171.124), some part was not (like the google.com website). In order to do that, lots of people uses a tool called ping.
Scammer can read internet and probably public records where they apparently found my address, name and cell#.
Despite the unknown caller ID I picked the call.
Scammer: Hi, this is your ISP, do you confirm you live at this address: xxxx, xxxxxx, CA?
Me: hummm, maybe
Scammer: were pinging a Google IP address as you said on social media?
Me: yes, I was troubleshooting a connectivity/routing problem
Scammer: do you know it is illegal to ping, we received a complaint from Google
Scammer: Ping are illegal sir, we have to charge you the legal fees Google is charging us.
Me: I’d like to see that, could you send me the details over mail so I can read this carefully and get back to you? Also can you confirm if I can ping other destinations?
Scammer: Do you know DDoS attack, it was a DDoS attack you created with some illegal tool
Me: I used Terminal and typed ping <space> height dot height dot height do height.
Scammer: You used a special machine to generate the attack?
Me (exhausted): no it is the console application in MacOS
Scammer: You know what you were doing, sir, I’m sending the authorities to your place unless you pay right away the $470 legal fees.
Me: Hang out the phone
They were clever, they were actually two: one playing the employee, the other one the manager, probably to create even more stress to their target.
I called Comcast right away to confirm this was a scam (I’m a bit paranoid), they confirm not such thing existed and invited me to report the issue to some service they have to deal with such thing.
I can’t imagine if it was coming from an average person, it is really elaborated, tailored and social (unlike widespread dumb and dangerous #WannCry ransomware running over the networks like a B movie).
Anyway, be careful my friends, make sure the chain of trust is fully verified.