Scammer unmasked by friend’s poor Facebook privacy

Four years ago, Christian Haschek, uber sysadmin and security researcher, won a contest for the best sysadmin tale from the trenches.

His prize: two Apple store gift cards, worth a total of $500, plus being immortalized in a comic strip.

His problem: he’s based in Austria.

The cards were only good in the US, his local Apple store told him.

It turns out that Apple won’t ship overseas, and they don’t allow forwarding addresses, so he couldn’t use a service  to send him any purchases.

He tried to sell the cards online, but it didn’t work out. Some sites required him to have a US address, and some wanted him to snail mail the cards: an option he didn’t relish.

So Haschek took to Reddit about a month ago to explain his predicament and offload the cards for less than face value.

He got low-balled initially, but eventually he found what seemed like an interested buyer. They struck up a deal, and the “buyer” “verified” his identity by messaging Haschek from an eBay account that had plenty of positive feedback.

Haschek knew he might be setting himself up for a fleecing, but hey, the guy had good cred on eBay, and he’d been stuck with these cards for far too long, as he said in his writeup of the incident:

I tried to sell these cards for 4 years. F*ck it, let’s give him the benefit of the doubt

So he emailed the PINs, and he shipped the physical cards to the guy (to a fake address) so he could purportedly use them in a store that requires the actual cards.

Haschek also did one thing that would turn out to be crucial: he sent the “buyer” photos of the cards that he’d uploaded on his own image hosting service.

Then, he sat back to await his 0.6400BTC payment.

…which never came. He checked back on Reddit in a few days, only to find that the buyer had deleted his account.

GAH!

He knew he’d been scammed. But he played it nice, writing to the scammer’s eBay address to see if the deal was still on.

Then, the scammer tried to pull the old “excuse me, but this account has been hacked and I don’t know what you’re talking about” bit:

Excuse me, but who are you? I don’t use this account except when I occasionally buy items. Antworten

my ebay was hacked recently along with my email because I was keylogged. The hacked then proceeded to access my bank paypal and ebay. So no. I won’t send you money for someone else hacking you but I do feel sorry for you.

Haschek did some sleuthing and decided the eBay account hadn’t been hacked: He found the same nickname being used on Reddit, eBay, and Steam.

The scammer had also used the same nickname on a job site. Piecing it all together, Haschek had the scammer’s:

• First name
• The first letter of his last name
• His city location

Entering the nickname on Facebook, Haschek only found one post, which only had one like. But that like had been made by one of the scammer’s friends, who’d made hundreds of posts per month, all of them public.

Haschek scrolled through 4 years of posts until he found the “Holy Grail”: a screenshot of a game, with Facebook open in the background, showing all of his friends, including the scammer.

Bingo! Haschek had the crook’s full name. Ten minutes later, he also had the Facebook profiles of his whole family: the scammer’s brother, father, mother, and cousins.

He composed a head’s-up message and sent it to the scammer’s older brother and mother, informing them that their brother/son was scamming people and that Haschek didn’t want to go to the police, since the scammer was a young guy (22) and it could ruin his life.

Ten minutes after the message had been read, Haschek got this message on Reddit, from a new user calling himself “ungustly”:

This is ungustly from before. I am sorry for what I did. I am young and stupid and always in a really bad place. I ama full time student and I have no job. I contacted Apple and got a giftcard back. I can. Give you your giftcard back I have a card for $477 and one of the existing card you gave me should have the remaining balance. Please leave me alone after this I won’t do anything like this anymore I am having panic of attacks just thinking about this.

I do not have the bitcoins if I did I would have sent it to you already. I have literally 0 money and as a full time college student I have no savings please I beg you to understand I have had a handful of anxiety attacks in the past few days over this issue and I am extremely scared. All I want is to leave me alone I know what I did was wrong please I beg you to forgive me

I will never do anything like this again. I have 6 classes and I am a full time student I can’t even go to work to pay you back. I would immediately pay I back if I could but I am broke and living on cheap fast-food. Please I beg you to forgive me and accept the card I returned I am very sorry I did this to you.

Haschek told ungustly to sell the card he’d been trying so diligently to get rid of and to send him the bitcoin.

Ungustly’s reply, in essence: Thank you thank you thank you, I’ll never do this again. Then, he asked Haschek to please delete the message he’d sent to ungustly’s mother, or make up something to throw her off.

Haschek’s takeaways from this sordid episode? Use an escrow service if you want to make trades via bitcoin and remember that your privacy on Facebook is only as good as you’re friends’ privacy settings.

I agree, so here are some additional tips on how to keep your Facebook account secure.