I'm a developer and I got scammed. Then I got mad.
Little Back story 🎅
So my Dad rings me up one afternoon and says, "Whatsapp sent a SMS, they want me to send them a PIN that I received and..."
"Haha, funny dad, you didn't give them the pin code... Dad, did you?"
The next 20 mins were spent enabling 2FA (which god knows why isn't enabled by default) as well as trying our damnedest to reactivate Whatsapp with his SIM card. 30 minutes later and a lengthy lecture by yours truly, we came to the conclusion that my father, as intelligent as he is, should have known better. Social engineering scams are hard to spot by the untrained eye, but with my 30+ years in IT, I certainly would never fall victim to such obvious bait.
Finally, the day ended with dad's Whatsapp functioning and 2FA in place, I felt like a superhero putting out all the fires. 👩🏽🚒🔥
Cathay Pacific (CX) 🛩
It was a slow and groggy Monday as I satisfyingly hit delete on most of the trash that fills my inbox. An email from Cathay Pacific Airlines was next in line; surprisingly, this one actually made it through Office 365's spam filter, hence the email was legit, see for yourself
Red Flags ⛳
Hindsight is 20/20, so hold that thought for one second. Cathay often sends promotions like this and at first glance, I was intrigued, an email from CX was welcoming, and I can't remember the last time I've been on a plane.
Sure I'll take the survey, besides feedback is great! We love getting all kinds of criticism at Sinosend and the extra miles will sure come in handy one day. 😷
So right about now you're probably thinking to yourself:
Why didn't you notice the blatantly obvious domain?
Look I hear you, yes I should have but I didn't, I mean I am my father's son eh?
Didn't you hover over the "Take the survey" button to reveal this scammy URL?
Umm... no I didn't, indeed it was painfully obvious.
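The two red flags above (an off-brand domain, and a button whose real target only shows on hover) are exactly what a small link audit catches before anything is clicked. The following is an added example, not code from the original post: it pulls every anchor out of an email's HTML with the standard library, compares each link's host against the brand's real domain, and flags links whose visible text names the brand while the href points elsewhere. The sample email and the `example.net` link targets are constructed placeholders; the real phishing URL is not reproduced here.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: not the real e-mail. The first and third links are
# placeholders standing in for the scammer's "Take the survey" button.
SAMPLE_EMAIL_HTML = """
<p>Dear Member, tell us about your experience and earn bonus miles.</p>
<a href="https://cx-survey.example.net/form?id=123">Take the survey</a>
<a href="https://www.cathaypacific.com/cx/en_HK.html">Visit cathaypacific.com</a>
<a href="https://www.cathaypacific.com.example.net/login">www.cathaypacific.com</a>
"""

# Domains the sender is genuinely allowed to link to (assumption for the example).
LEGIT_DOMAINS = {"cathaypacific.com"}


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_belongs_to(hostname, domains):
    """True if hostname is one of `domains` or a subdomain of one.

    A plain substring test would be fooled by hosts such as
    cathaypacific.com.example.net; matching on the dotted suffix is not.
    """
    hostname = hostname.lower().rstrip(".")
    return any(hostname == d or hostname.endswith("." + d) for d in domains)


def audit_links(html, legit_domains):
    """Return one finding per link, marking off-brand hosts and text/href mismatches."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        reasons = []
        if not host_belongs_to(host, legit_domains):
            reasons.append("off-brand host")
        # Visible text that names the brand while the target is somewhere else.
        for d in legit_domains:
            if d in text.lower() and not host_belongs_to(host, {d}):
                reasons.append("text/href mismatch")
        findings.append({"href": href, "host": host, "text": text,
                         "suspicious": bool(reasons), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_links(SAMPLE_EMAIL_HTML, LEGIT_DOMAINS):
        flag = "SUSPICIOUS" if f["suspicious"] else "ok"
        print(f"{flag:10} {f['host']:40} {', '.join(f['reasons'])}")
```

Run against a saved `.eml` body, this lists every link with its real host, which is the same information hovering over the button would have shown, but for all links at once and without relying on a groggy Monday-morning eye.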
Sadly I didn't take a screenshot of the form, but I am sad to say that I eagerly provided details such as full name, date of birth, identity data and answered a few silly questions.
Then I hit "send" and that is when it hits me.
Realization I just F'd up 😲
A pseudo error shows up "Data cant be sent"; it was at this point I knew I had been phished, or is it phishing, I'm not entirely sure, but something got my blood boiling. The nerve of this guy to pretend to be someone else, a company like CX, my home airline of Hong Kong, how many other people have received this email, hundreds maybe thousands... it was then I went pure nerd 🤓
Tracert & Devtools are your friends
Remember the domain name, the root was amrlink.net, a quick search of this showed that this was a company in Bangladesh that claimed to be an ISP. I called the number on their website and asked to speak to a technician or someone in the fraud department. I wasn't surprised that the person at the other end didn't want to entertain the conversation and promptly hung up the phone. This got me nowhere, but now I had the scammer's origin.
I opened Chrome developer tools and hit the network tab. Here is where you will find all the incoming and outgoing requests under XHR/FETCH. There is a treasure of information here:
So now I had the IP address 188.8.131.52, this is where all the personal information I submitted was being funneled. I knew that there was nothing I could do to claim my data back as once it's been POSTED it's stored in an SQL database somewhere, but I could do the next best thing and stop these guys from collecting other people's data.
The next step is to run a tracert in the Windows terminal; you can easily do this on a Mac or Linux machine with a number of other command-line tools.
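The DevTools Network tab can export everything it captured as a HAR file (right-click in the request list, "Save all as HAR"), which is a more durable record than a screenshot when you later write to an ISP. The following is an added example, not code from the original post: it reads such an export, keeps only the POST requests, and reports for each one the destination host, the server IP DevTools recorded, the response status, and the names (never the values) of the form fields that were sent, so the evidence you forward does not itself leak the data you are complaining about. The HAR excerpt is constructed for the example; the placeholder host is not the real site, and the only value taken from the post is the IP address 188.8.131.52.

```python
import json
from urllib.parse import urlparse

# Constructed HAR 1.2 excerpt (DevTools > Network > Save all as HAR); not a real capture.
# The host is a placeholder; the serverIPAddress reuses the IP from the post.
SAMPLE_HAR = json.dumps({"log": {"entries": [
    {"request": {"method": "GET", "url": "https://cx-survey.example.net/form"},
     "response": {"status": 200}, "serverIPAddress": "188.8.131.52"},
    {"request": {"method": "POST", "url": "https://cx-survey.example.net/submit.php",
                 "postData": {"mimeType": "application/x-www-form-urlencoded",
                              "params": [{"name": "fullname", "value": "REDACTED"},
                                         {"name": "dob", "value": "REDACTED"},
                                         {"name": "id_number", "value": "REDACTED"},
                                         {"name": "q1", "value": "REDACTED"}]}},
     "response": {"status": 200}, "serverIPAddress": "188.8.131.52"},
    {"request": {"method": "POST", "url": "https://analytics.example.org/collect",
                 "postData": {"mimeType": "application/json",
                              "text": json.dumps({"event": "submit", "page": "/form"})}},
     "response": {"status": 204}, "serverIPAddress": "203.0.113.9"},
]}})


def _field_names(post_data):
    """Field names from a HAR postData block, without touching the values."""
    names = [p["name"] for p in post_data.get("params", [])]
    if not names and post_data.get("text"):
        try:
            names = list(json.loads(post_data["text"]).keys())
        except ValueError:
            names = ["<raw body>"]
    return names


def summarize_posts(har_text):
    """One row per POST request: where it went, which server answered, what was sent."""
    har = json.loads(har_text)
    rows = []
    for entry in har["log"]["entries"]:
        req = entry["request"]
        if req["method"].upper() != "POST":
            continue
        rows.append({
            "host": urlparse(req["url"]).hostname,
            "path": urlparse(req["url"]).path,
            "ip": entry.get("serverIPAddress", "unknown"),
            "status": entry["response"]["status"],
            "fields": _field_names(req.get("postData", {})),
        })
    return rows


def destinations(rows):
    """Group hosts by the IP they resolved to: the addresses worth a whois/traceroute."""
    by_ip = {}
    for r in rows:
        by_ip.setdefault(r["ip"], set()).add(r["host"])
    return by_ip


if __name__ == "__main__":
    posts = summarize_posts(SAMPLE_HAR)
    for r in posts:
        print(f"POST {r['host']}{r['path']} -> {r['ip']} [{r['status']}] fields={r['fields']}")
    for ip, hosts in destinations(posts).items():
        print(f"{ip}: {', '.join(sorted(hosts))}")
```

The IP in the first column is the one you then hand to `whois` or `traceroute` (or `tracert` on Windows) to find the network that actually hosts the form; the field list documents what was harvested without repeating it.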
Okay now we're getting somewhere, this takes me to a company called hrctech.net. Their website looked like a legit ISP in Bangladesh with a tonne of clients listed on their home page. But I needed to be sure so I picked up the phone and called them. I got connected to someone in sales and it took me a few mins to get routed through to the correct person in support. I spoke to a very friendly staff member who gave me his personal email and asked me to send him any evidence I had and that he would be in touch if I was right.
I should probably let the airline know -- me.
If you've ever called up Cathay Pacific's hotline you're greeted with a lovely jingle followed by:
🎵 Welcome to the Marco Polo Club
I had tried looking on their site for a number to CX legal, fraud, any department that might be interested in saving their customers data from being used in a deceptive phishing scam, but all I could find was a feedback form. This hotline will have to do. These days ain't nobody booking flights so I got through almost instantly, a godsend.
I explained to the kind attendant that this was going to be a weird request and that a phishing scam was taking place right about now and the email was probably sent to hundreds if not thousands of people around the world. I continued to explain to her that I had been in touch with the ISP hosting the website and they could potentially do something about this. I asked if I could add someone on the email loop or if they would like to have the contact details of the ISP, or perhaps get law enforcement involved. The reply that I got was:
Please fill out the feedback form and we will get back to you
Okay, that got me nowhere fast; perhaps CX gets this kind of scam complaint all too often, if only they were proactive they may be able to thwart the regularity of these scams. A notice on their website does state to be wary of emails claiming to be from Cathay Pacific, but this, in my humble opinion, is a very passive approach. After all, this isn't their first rodeo, they were fined in 2020 for a data breach that happened way back in 2018 that exposed the personal details of 9 million people, maybe my email address was one of them. TechCrunch article link
Ok, forget the airline -- me 30 seconds later.
I had to move fast and decided to send the email to the ISP outlining what I had found, screenshots of the POST requests, and a link to the form which captured users' data. Believe me when I say this, I was not expecting a reply, but what I got instead was a Whatsapp message with the following contents:
It's these little wins that count
Boom! Mic Drop
A quick refresh of the criminals' website and this is what showed up.
You can do this too!
Thank you to the folks over at Hrctech, you guys are amazing in your action and professionalism; as it turned out, one of their customers' hosting accounts was compromised. While we may have shut down one site today, there will be another set up tomorrow. You can do this too: with a little bit of network knowledge like I shared above you can find out where and who may be responsible. Email your local cyber police or contact the ISP directly, more often than not they are willing to listen.
Thanks for reading. I work at https://sinosend.com, a nice place to send business documents securely.