USPS Text Scammers Duped His Wife, So He Hacked Their Operation
Grant Smith infiltrated a smishing operation after his wife was scammed, revealing over 438,000 compromised credit cards. He reported findings to authorities, highlighting the global scale of the Smishing Triad's activities.
Grant Smith, a security researcher, took action after his wife fell victim to a smishing scam involving fake USPS delivery texts. The scam, operated by a Chinese-language group known as the Smishing Triad, sends out up to 100,000 scam texts daily, tricking individuals into providing sensitive information like credit card details. After discovering his wife's compromised information, Smith infiltrated the scammers' systems, gathering evidence and victim data to report to US authorities, including the USPS and a bank. His investigation revealed that over 438,000 unique credit cards were entered across 1,133 domains, with victims from various states, particularly California. Smith utilized vulnerabilities in the scammers' websites to extract data and identified a Telegram channel where the smishing kits were sold. The Smishing Triad has been linked to similar scams globally, targeting various sectors beyond postal services. Smith's findings highlight the scale of the issue and the ongoing efforts by authorities to combat such scams. He presented his research at the Defcon security conference, emphasizing the need for vigilance against smishing attempts.
- Grant Smith hacked into a smishing operation after his wife was scammed.
- The Smishing Triad sends up to 100,000 scam texts daily, targeting USPS delivery notifications.
- Over 438,000 credit cards were compromised through the scam.
- Smith reported his findings to USPS and the FBI, aiding in ongoing investigations.
- The operation has connections to similar scams in multiple countries.
Related
https://blog.smithsecurity.biz/hacking-the-scammers
https://blog.smithsecurity.biz/systematic-destruction-hackin...
He identifies the culprits in detail, scares the hell out of them, reports them to police, and tries to inform / refund the victims. In at least one video, he accesses the scammer's Stripe account and refunds the victims (often elderly) for their payments on bogus IT security products. I recall another video where he gains access to the CCTV in the scammer's office building, and captures a police raid on the scammers.
"wangduoyu666!.+-"
Whoops, this looks like a username -> wangduoyu666 (same for "wangduoyu8", "wdy666666". Seems like they're incrementing numbers in the username too, but probably false positives, maybe a popular username)
Google it. Probably skid's github, linkedin, etc. (not verified)
And it looks like OP missed this. Also, the name on Telegram is fake of course. Wang Duo Yu is a singer in China, so the skid is using the singer's name as a username and also as a full name in Telegram.
Ps.: From their backup telegram, also "wangduoyu12"
Ps2: From OP's write-up -> https://t.me/wangduoyu0 -> there is a YouTube channel https://www.youtube.com/@duoyuwang4820 which links in its description to this Telegram channel wangduoyu0
And it's full of videos of someone making tutorials to bypass China firewall? etc. Multiple 30min-1hour videos, there must be a treasure trove of info. The videos are leaking these Gmail accounts: https://i.imgur.com/LUiKbF6.png
This should not be possible. I guess the iMessage scams used e2ee, but the SMS scams should have been caught. It would be great if there was law enforcement that competently handled cybercrime, or at least triaged it.
More broadly, and at the risk of creating another TLA, the US needs a Blue Team version of the NSA. In other words, identify critical infrastructure, figure out how it can be hacked, and require that companies fix the issues. Use national security if need be. Banks have to undergo stress tests to prove they are solvent, there is no reason that critical infrastructure should be able to leave their doors unlocked.
There's a strong argument right here for teaching technology ethics as part of a typical CS curriculum. I'm not saying that would have stopped this student from making his own unethical choices, but it does highlight the fact that we equip people with these really powerful technical skills, but we don't even try to equip them with the ethics to be responsible about it. We just sort of hope they were raised right, I guess.
Anyone here have experience with a curriculum that includes the ethics aspect?
Most of them are quite capable of delivering a nasty counterattack. Some, IRL.
Had a friend hack a spammer that hijacked his server, and they blasted his server into LEO.
I always thought there should be a driver's license and test to use the Internet to cut down on people being ignorant. As well as a class you must pass in high school that teaches you to ignore all phone calls, texts, emails, etc. from people you have not met offline. If you do meet them online, make them snap or FaceTime you fairly quickly to verify veracity.
Seems it's no longer active. If I send "Y", the message is not delivered. The domain points to 404 on a "King Ice" website selling jewelry shaped like guns or penises, I'm not joking.
The US has roughly 340 million people now.
The US GDP is roughly 28 trillion dollars.
Which means that on average the dollar value per citizen is roughly 82 thousand dollars…
Divided by days in a year, hours and minutes, it's roughly 15 cents per minute.
So if we assume 100% of the population is getting at least one scam a day of some sort and that the disruption to thought to get back on track as result of the anger induced is about 30 minutes…
That puts the loss to the US at a little over 1.5 trillion dollars in lost productivity.
The US currently spends roughly 840 billion on defense…
So almost twice the yearly national defense budget is potentially lost to scams.
Seems crazy, as I said off the cuff. I would love to see some way more accurate numbers.
But arguing in dollar amounts I think will go a long way to putting the problem in perspective. And who knows, maybe we’ll get to some drone strikes on scammers in our lifetime.
What's freaky is I just got a package through the post office a few days before. These guys are maybe accessing package tracking tools looking for phone numbers. I would expect that's not heavily secured data.
Edit: I reported the domain to the registrar and they took it down.
Can't tell you how, it's been a minute.
You know what? I do. We all should. These scammers are awful people and deserve to be attacked. I am tired of toothless authorities like CISA and the alphabet agencies in the US doing next to nothing about it unless some YouTube scam baiter does the work for them. Scammers destroy people, not just financially, but emotionally as well, even driving some victims to suicide. As far as I am concerned, any wannabe hacker out there should be using these scammers for target practice.
How in the hell do we not have a trivial "report a scam" option on phone calls and text messages? Which reports it to the FTC or FBI or something?
Oh, they 100% can. There's a US Constitution thing allowing them to comment on things. They just chose not to comment because they don't want to.