Scamming the Scammers: How a Security Biz Tricked Social Media Phishers

Written by

A UK-based cybersecurity vendor has detailed how it turned the tables on an angler phishing operation posing as Virgin Media support on Twitter.

This particular type of phishing attack is a relatively new tactic. It involves the scammer registering fake Twitter accounts that masquerade as legitimate customer support and then monitoring the real support accounts for irate customer messages.

They then jump in quickly to exploit the customer’s frustration and the immediacy of Twitter to send messages back to those customers, typically loaded with malicious links.

This is what happened to a member of the team at pen-testing firm Fidus Information Security when they complained to Virgin Media via Twitter.

After receiving replies from the official account and a legitimate-looking fake they decided to have some fun.

First, they attempted to test how gullible the scammers were, providing a fake name (Wade Wilson, aka comic book character Deadpool) and address (Savile Row police station).

The scammers subsequently requested card details linked to the Virgin Media account, to which Fidus replied with a set of test credit card details.

After the card didn’t authorize for the scammers, they tried to persuade their ‘victim’ into handing over details to another card. At the same time, the security vendor was in turn trying to trick them into clicking on a link to site hosted by its company, to expose their IP address.

In the end the firm faked a screenshot of an AmEx fraud alert SMS featuring its own phishing link requesting that the user click to verify their card details.

That appears to have been enough to phish the phishers.

“After sending a fake SMS message we received a click on our web server. At this point the game was up as the IP linked back to our website and we never received a reply back,” the vendor explained.

“We reported this all back to Twitter, who’ve since suspended the account, and Police in the UK in the hope some action can be taken against those responsible.”

What’s hot on Infosecurity Magazine?