From: Stavros

Date: August 04, 2023 14:13

Hello! I'm Stavros, welcome to the Spam Chronicles.

Years ago, I created Spamnesty. Spamnesty let you forward your spam to it, and it would reply to spammers with pre-written messages, wasting their time and (hopefully) resulting in entertaining conversations.

Much, much later, ChatGPT came out, and its impact on messing with spammers was obvious. Unfortunately, I couldn't really integrate it into Spamnesty for two reasons: One was that of cost, as it would get very expensive very quickly to have to generate thousands of responses per day. The other was simply that most spam today is automated, so it would just be bots talking to bots, which doesn't make for entertaining conversation.

Still, this idea was on the back of my mind, and when one day I got a spam message from someone trying to sell me some services, I thought "well, this is an actual person, and I could waste their time by having ChatGPT generate a reply that comes from my own inbox."

A day later, I had made SpamGPT, a small script that would look at a certain label in my mailbox, and have ChatGPT reply to emails with that label. That way, whenever I got a spam email that looked like it came from a person, I could just apply the SpamGPT label to it and the script would handle the rest.

Seeing how the conversations were lots of fun to read, I figured I shouldn't keep them to myself, so I created this site for you to share in my mirth.

Without any delay, and with exceeding haste, I began asking ChatGPT to write the code for me, creating what ChatGPT named SpamGPT.

SpamGPT

Two spammer robots, spamming each other.
SpamGPT is a simple program: It runs at a random minute every hour, opens my email, looks in a folder I’ve named SpamGPT, and replies to any emails in there that it hasn’t already replied to.

All I have to do is find spam messages that looks like they were written by a person (mostly sales emails), and move them to the SpamGPT email folder, and SpamGPT will eventually reply to them. Its instructions are that it should pretend to be interested in whatever the spammer is selling, and do whatever it can to waste their time. This includes trying to set up meetings, pretending to have issues with its computer, insist that payment details are wrong, or that it has sent the payment, and whatever else it can conceive of.

The result is as entertaining as ever.

In the past 30 days, over 70,000 IT professionals have fled Russia. The Russian Association of Electronic Communications (RAEC) expects them to be joined by an additional 100,00 by end of April.

According to RAEC, “The only things holding back the second wave are the high costs of tickets and housing in the countries of destination, and the fact that it’s now almost impossible to make international financial transactions”.

According to one poll, one third of Russia’s IT sector is looking for overseas employment, which would put the potential brain drain at more that 600,000.

This talent flight is particularly crippling since the most capable engineers are those who are able to leave first because their skills are in demand.

At the end of April, Apple’s introduction of App Tracking Transparency tools shook the advertising industry to its core. iPhone and iPad owners could now stop apps from tracking their behavior and using their data for personalized advertising. Since the new privacy controls launched, almost $10 billion has been wiped from the revenues of Snap, Meta Platform’s Facebook, Twitter, and YouTube.

Now, a similar tool is coming to Google’s Android operating system—although not from Google itself. Privacy-focused tech company DuckDuckGo, which started life as a private search engine, is adding the ability to block hidden trackers to its Android app. The feature, dubbed “App Tracking Protection for Android,” is rolling out in beta from today and aims to mimic Apple’s iOS controls. “The idea is we block this data collection from happening from the apps the trackers don’t own,” says Peter Dolanjski, a director of product at DuckDuckGo. “You should see far fewer creepy ads following you around online.”

The vast majority of apps have third-party trackers tucked away in their code. These trackers monitor your behavior across different apps and help create profiles about you that can include what you buy, demographic data, and other information that can be used to serve you personalized ads. DuckDuckGo says its analysis of popular free Android apps shows more than 96 percent of them contain trackers. Blocking these trackers means Facebook and Google, whose trackers are some of the most prominent, can’t send data back to the mothership—neither will the dozens of advertising networks you’ve never heard of.

One of the more common ways cybercriminals cash out access to bank accounts involves draining the victim’s funds via Zelle, a “peer-to-peer” (P2P) payment service used by many financial institutions that allows customers to quickly send cash to friends and family. Naturally, a great deal of phishing schemes that precede these bank account takeovers begin with a spoofed text message from the target’s bank warning about a suspicious Zelle transfer. What follows is a deep dive into how this increasingly clever Zelle fraud scam typically works, and what victims can do about it.

Last week’s story warned that scammers are blasting out text messages about suspicious bank transfers as a pretext for immediately calling and scamming anyone who responds via text.

Anyone who responds “yes,” “no” or at all will very soon after receive a phone call from a scammer pretending to be from the financial institution’s fraud department. The caller’s number will be spoofed so that it appears to be coming from the victim’s bank.

To “verify the identity” of the customer, the fraudster asks for their online banking username, and then tells the customer to read back a passcode sent via text or email. In reality, the fraudster initiates a transaction — such as the “forgot password” feature on the financial institution’s site — which is what generates the authentication passcode delivered to the member.

Ken Otsuka is a senior risk consultant at CUNA Mutual Group, an insurance company that provides financial services to credit unions. Otsuka said a phone fraudster typically will say something like, “Before I get into the details, I need to verify that I’m speaking to the right person. What’s your username?”

“In the background, they’re using the username with the forgot password feature, and that’s going to generate one of these two-factor authentication passcodes,” Otsuka said. “Then the fraudster will say, ‘I’m going to send you the password and you’re going to read it back to me over the phone.'”

The fraudster then uses the code to complete the password reset process, and then changes the victim’s online banking password. The fraudster then uses Zelle to transfer the victim’s funds to others.

An important aspect of this scam is that the fraudsters never even need to know or phish the victim’s password. By sharing their username and reading back the one-time code sent to them via email, the victim is allowing the fraudster to reset their online banking password. //

“Consumers — many who never ever realized they had a Zelle account – then call their banks, expecting they’ll be covered by credit-card-like protections, only to face disappointment and in some cases, financial ruin,” Sullivan wrote in a recent Substack post. “Consumers who suffer unauthorized transactions are entitled to Regulation E protection, and banks are required to refund the stolen money. This isn’t a controversial opinion, and it was recently affirmed by the CFPB here. If you are reading this story and fighting with your bank, start by providing that link to the financial institution.”

“If a criminal initiates a Zelle transfer — even if the criminal manipulates a victim into sharing login credentials — that fraud is covered by Regulation E, and banks should restore the stolen funds,” Sullivan said. “If a consumer initiates the transfer under false pretenses, the case for redress is more weak.” //

Anyone interested in letting the CFPB know about a fraud scam that abused a P2P payment platform like Zelle, Cashapp, or Venmo, for example, should send an email describing the incident to BigTechPaymentsInquiry@cfpb.gov. Be sure to include Docket No. CFPB-2021-0017 in the subject line of the message.

In the meantime, remember the mantra: Hang up, Look Up, and Call Back. If you receive a call from someone warning about fraud, hang up. If you believe the call might be legitimate, look up the number of the organization supposedly calling you, and call them back.