We all know information drives social media. It’s fairly obvious. A social media post communicates content, which allows members to engage other users. Simple, right? Well… there’s more to it than that.
Social media posts aren’t just communicative. They’re performative. Status updates, tweets, and even funny dog videos reveal something deeper about the user’s passions, status and other variables. Those posts allow a user to construct an identity.
On Facebook, Twitter, and elsewhere, users have the power to shape and protect their identity. But some don’t see that responsibility. Countless users don’t know how to securely navigate the world of social networking and reveal too many details about themselves, over-sharing which encourages identity thieves and imposters like those who preyed on Rahul Madhyani to strike.
What’s interesting about that point is all types of people are guilty of exposing too much information, including scammers. Under those circumstances, security researchers can and do leverage social media to teach unsuspecting fraudsters a lesson.
That’s exactly what security researcher Christian Haschek did to a scammer on Reddit.
Get Your Apple Gift Cards Here!
As he explains in a blog post, Haschek won first place in the Solar Winds Sysadmin Contest back in 2012 with a story he wrote about his first job. The security researcher received two 250 USD Apple store gift cards as his prize. There was just one problem. Haschek wasn’t living in the United States, the country where the cards were issued. That meant there was no way for him to redeem the cards. As a result, he turned to Reddit in an attempt to sell his prize.
One user seemed particularly interested in the cards, per their message they wrote to Haschek:
“Still selling the $500 Apple giftcard? Is it apple store or Itunes? I can do $380 BTC for it. Pm me back with info.”
After some back and forth to verify one another, Haschek and the buyer connected on eBay. The security researcher provided the Reddit user with the PIN codes for the cards. He said he would also prepare the cards to be mailed out pending receipt of payment.
So he waited several days for the buyer to transfer 380 USD worth of Bitcoin to his wallet. When nothing came, he checked on Reddit and to his surprise discovered the party had deleted their account.
Haschek now knew the guy was a scammer. But in the spirit of trying to get the money, he tried to be nice and asked if the buyer still intended to send payment over.
Here’s how the former Reddit user responded:
“Excuse me, but who are you? I don’t use this account except when I occasionally buy items. my ebay was hacked recently along with my email because I was keylogged. The hacked then proceeded to access my bank paypal and ebay. So no. I won’t send you money for someone else hacking you but I do feel sorry for you.”
Fine. Haschek could have a little fun instead.
And so he did.
Payback’s a Message to Your Mom
Haschek started by tying the scammer’s eBay and Reddit usernames together via a Google Search. With that information, he used additional searches to find out their first name and city of residence on a job search site.
It didn’t take Haschek long to find out the scammer’s full name:
“On facebook I just entered the username he was using on ebay and I found a post from someone with an anime profile pic, linking the user name of the scammer in a post. Sure enough it was only text and not a link to a facebook profile. The post had one like. But this friend of the scammer had posted everything public. Hundreds of posts a month. I scrolled through 4 years of posts until I found something that I now reffer to as the holy grail. He made a screenshot of some LoL game he played and had facebook open in the background. You could see all of his online friends. One of them was the scammer! So now I knew his full name.”
After sending a message to a few of the scammer’s family members, including their mother and brother, Haschek received an apology from the scammer in which they agreed to sell the Apple gift cards and give the security researcher the money.
They also asked that Haschek terminate all contact with their friends and family:
“Please leave me alone after this I won’t do anything like this anymore I am having panic of attacks just thinking about this.”
Haschek’s story illustrates how some social media scammers aren’t even aware of the damages their actions cause.
Sometimes, security researchers come along and teach those oblivious fraudsters a lesson. Other times, they don’t, which give those bad actors license to prey on unsuspecting users.
Don’t let yourself fall victim to a social media scam! To protect yourself, please familiarize yourself with some of the most common scams found on LinkedIn, Twitter and Facebook.