Monday, September 12, 2022

Hacker Temporarily Stole My PayPal Account

 On 11 September 2022, at 4:55pm Hawaii time, I received an email notification that a new email address had been added to my PayPal account. Since I was doing laundry, I wasn’t paying attention to my email account and by the time I realized what had happened, my email address and phone number had been removed from my account and the hacker had replaced them with his own. 

Upon noticing the email change, I tried to log in to my account, but was unsuccessful.

While the hacker takes primary responsibility for his actions, I have to admit that I have to accept some blame because I hadn’t changed my password in a very long time and I should have known that my login information would eventually leak out and some malicious actor would take the opportunity to steal my account.

Realizing that I had to act quickly, I canceled my PayPal debit card and ordered a new one. Fortunately, there was no money in the account for him to take. I also transferred money from my linked bank account into another one to prevent the hacker from spending my money.

The hacker had acted at just the right time, stealing my account about two hours after PayPal’s customer service office had closed, giving him plenty of time to do whatever he wanted with it. I had no choice but to wait and worry until the office reopened.

Given the steps I had taken, I hoped that whatever damage had occurred until such time as I could regain my account would be minimal. Remember the old saying: “Hope for the best, but prepare for the worst”.

When the office finally reopened, I was already on the phone and it took less than ten minutes to regain complete control of my account. It appears that the hacker had only changed the email address and phone number on the account, but hadn’t altered anything else.

The email address the hacker used is: BNiederme153@gmx.com

The telephone number he used is: 304-318-3023 

Naturally, I changed the password on my PayPal and Gmail accounts and enabled two-step security measures.

Not to be foiled in his attempt to take what wasn’t his, the hacker soon noticed that he no longer possessed my account and tried to take it back by sending a Gmail password change request. I immediately realized what he was doing, since I hadn’t requested such a change. A few hours later, I received two automated phone calls, supposedly from PayPal. I didn’t respond to them and instead called PayPal myself to find out that they had placed no such calls to me. It’s obvious that the phone number was spoofed to appear to be PayPal’s customer help line. I had no choice but to block that number.

So, I’m a little wearied from yesterday’s hack, but I’ve learned not to be so complacent from now on. 


Duane.Browning

Sunday, January 30, 2022

Fighting Back Against Fake Fansly Pages

Introduction

I first became aware of this problem when it happened to someone I know. 

She works as an exotic dancer in Honolulu and someone created a fake Instagram page with a username very close to her own, with a "_" added at the end. The scammer then proceeded to follow all of her followers with the enticement of offering them access to her "exclusive adult content". Once the follows were completed, the scammer then blocked the original account to prevent her from reporting them to Instagram for impersonating her, which was really smart.

It was only after I contacted my acquaintance to ask if it was really her page, and she told me that it wasn't, that I began to look at the scam page more closely to see how it worked and to take steps to have it shut down.

If you want to skip ahead and just find out how you can shut down the scammers' site, scroll down to "The Short Version".


Getting Started

Of course, the first step would be for the scammer to set up the Instagram account. At least one picture would be copied from the original timeline to serve as a profile picture.

From there, the scammer would follow most or all of the original account's followers and then block the original to prevent the original account from reporting them for impersonation.

Since Instagram doesn't notify you when you have been blocked or unfollowed, the original account is completely unaware that something nefarious is underway, until one of their followers actually contacts them to ask if the new account is really something they created.

At this point, the only option left to the original account is to notify their followers and ask them to report it, which may not do any good since Instagram is very slow to shut down accounts.


The Shortcut

On the fake profile, a shortened link is provided for interested people to click to be redirected to the adult content site. This shortened link is typically from tinyurl.com. If the tinyurl link is cut off, you cannot access the link to which it redirects and the scammers' work on building the site on the other side is wasted, until they can create a new shortcut.

TinyURL does not want its service to be used to facilitate criminal activity and they are legally obligated to cut off access when they are notified of it.

Send an email to privacy@tinyurl.com with the subject line "Reporting Phishing Site". Include the tinyurl.com link itself and the site where it redirects. TinyURL will then investigate and the shortcut link will likely be shut down within 24 hours, as it was in my case.

I have become aware that rebrand.ly is also being used as a shortcut; in that case, send an email to support@rebrandly.com with "Abuse" in the subject line.

The Main Site

From what I have seen, the scammers' current method of operation involves using free services to help get their scam started. TinyURL is a free service and you can create a free website using Wix. The reason Wix is so appealing is that you don't even need a credit card or any form of identification to open the account, just an email address.

The scammers have attempted to obscure their activities by making their Wix site appear to be a Fansly account. Initially, I thought that the scammer had actually set up a Fansly account, but a quick look at the URL informed me that I was really seeing a Wix page made to appear to be a Fansly profile. Since it wasn't a Fansly account that stole my acquaintance's pictures, notifying Fansly would do me no good at all.

So, if I wanted the pseudo-Fansly site shut down, I had to report them to Wix's Abuse Department. Simply go to https://www.wix.com/about/abuse, scroll down to "Phishing or Spam" and click on "Send a Report". A chatbot will open and all you'll need to do is copy & paste the offending Wix site into the chat when the bot asks what site you are reporting. When it asks why you're reporting, simply enter that it's a phishing site. After that, you'll need to provide them with your name and email address. Once that's done, click "submit my report" and it's all in their hands now.

As an added measure, you can also post a message on Twitter to make sure the ball gets rolling. There are two accounts which are relevant for our purposes: @Wix and especially @WixHelp. It may take a few hours, but you should receive a reply from @WixHelp with instructions to DM the URL of the offending site. The staff will go back through the abuse reports they've recently received, find your file and give it priority status to get it shut down as soon as possible.

In your initial tweet to Wix, post something like this:

"I have filed a report with @Wix and @WixHelp regarding a phishing site that was made to look like a @fansly account.

I eagerly await their reply."

Yeah, it does come off as kind of smarmy, but you need to get someone's attention over there.

So, with the initial report you send through the chatbot, followed by a follow-up tweet, the ball should be moving fairly quickly and the scammer site should be down fairly soon. 


Follow the Money

You've seen me refer to the people behind these fake Fansly accounts as "scammers" who are involved in phishing and may be wondering why I have made such allegations. Well, I don't make such accusations lightly.

First of all, the scammers aren't doing all this as a prank, they are in it to make money. The use of free services (i.e. Instagram, TinyURL and Wix) simply helps keep their costs down and improves their bottom line. 

When you go to the fake Fansly page, there will be links provided for you to subscribe to the account or to create an account. The links will take you to this page.

You may have noticed the link is to a site pcnghw.com which is not one of the services Fansly uses for its subscribers. No, they aren't even based in the United States, but in Nicosia, Cyprus.

According to its website PCNGHW is a subsidiary of Wesicron Limited and is physically based at Nikiforou Foka 33, Flat/Office 6, 1036, Nicosia, Cyprus. The building also appears to contain a nightclub and I have no idea if the owners and staff of that nightclub are involved in the ongoing scams taking place.

For whatever good it would do, if you want to take a chance and actually contact PCNGHW or Wesicron, here is the contact information they provided, aside from the address:

PCNGHW:

E-mail Support: cs@pcnghw.com

Phone Support: (888) 498-5733

Wesicron Limited:

Email: info@wesicronlimited.com

Call: 3-572-200-7758

Personally, I wouldn't waste my time. Wesicron/PCNGHW has a rather bad reputation, judging by reports from Scam Detector, StopThatCharge and OnlineThreatAlerts, among others. It would be a better use of your time to simply have the scammers' site cut off and shut down.


The Short Version

If you wanted to avoid my blah, blah, blah and just get straight to the point of shutting down the scammers' site, here you go:

Shut down the Wix site: Simply go to https://www.wix.com/about/abuse, scroll down to "Phishing or Spam" and click on "Send a Report". A chatbot will open and all you'll need to do is copy & paste the offending Wix site into the chat when the bot asks what site you are reporting. When it asks why you're reporting, simply enter that it's a phishing site. After that, you'll need to provide them with your name and email address. Once that's done, click "submit my report".

Shut down the shortcut: Send an email to privacy@tinyurl.com with the subject line "Reporting Phishing Site". Include the tinyurl.com link itself and the site where it redirects. If they're using rebrand.ly, send an email to support@rebrandly.com with "Abuse" in the subject line.


Report the Instagram account: if you are not blocked, report them for impersonating you and ask all of your followers to block them. If you are blocked, ask your followers to report and block the scammers' page.
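The routing in the steps above, as an added example that is not part of the original post: given a short link and the page it lands on, it compares hostnames on label boundaries (so `fansly.com.example.net` is not mistaken for Fansly) and returns where each report should go. The `wixsite.com` suffix for free Wix sites and the sample URLs in the comments are assumptions, not taken from the post.

```python
from urllib.parse import urlsplit

# Abuse contacts and subject lines exactly as given in the post.
SHORTENER_ABUSE = {
    "tinyurl.com": ("privacy@tinyurl.com", "Reporting Phishing Site"),
    "rebrand.ly": ("support@rebrandly.com", "Abuse"),
}
WIX_ABUSE_FORM = "https://www.wix.com/about/abuse"
# Assumption: free Wix sites are served under this domain.
WIX_HOSTING_SUFFIXES = ("wixsite.com",)
GENUINE_DOMAIN = "fansly.com"


def host_of(url):
    """Lower-cased hostname of a URL, with or without a scheme."""
    parts = urlsplit(url if "//" in url else "//" + url)
    return (parts.hostname or "").rstrip(".").lower()


def within(host, domain):
    """True only if host is the domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def triage(short_url, landing_url):
    """Return a list of (where_to_report, subject_or_reason, details)."""
    short_host, landing_host = host_of(short_url), host_of(landing_url)
    if within(landing_host, GENUINE_DOMAIN):
        return []  # lands on the real Fansly domain: not this pattern
    reports = []
    for domain, (mailbox, subject) in SHORTENER_ABUSE.items():
        if within(short_host, domain):
            details = f"{short_url} redirects to {landing_url}"
            reports.append((mailbox, subject, details))
    if any(within(landing_host, s) for s in WIX_HOSTING_SUFFIXES):
        reports.append((WIX_ABUSE_FORM, "phishing site", landing_url))
    return reports


if __name__ == "__main__":
    # Constructed sample values, not real links.
    for row in triage("https://tinyurl.com/abc123",
                      "https://example-dancer.wixsite.com/fansly"):
        print(row)
```
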


A Final Word

Scammers are certainly resilient and change tactics when their old methods no longer work. So, it's likely that I will have to update this blog post at a later date.

To support and encourage my work send $1 to:

CashApp: $postmates808

Venmo: @postmates808


Duane Browning