Thursday, February 4, 2010

Anatomy of a Craigslist scam

Our van went belly up a couple weeks ago, and we need another one. A friend sent me a link to a van for sale on Craigslist for $300.  Here is the listing:

$300 OR BEST OFFER
1996 CHRYSLER TOWN & COUNTRY LX MINIVAN
MOVING SOON & I CAN'T BRING IT WITH ME

- 106,970 MILES
- SECOND & 3RD ROW CUP HOLDERS ON BOTH SIDES
- SEPARATE REAR HEAT & AC
- AC/HEAT
- SEVEN PASSENGER
- NEWLY REBUILT AUTOMATIC TRANSMISSION
- ROOF RACK
- 3.8 LITER V6
- DUAL FRONT AIR BAGS
- AUDIOVOX 12.1 INCH DROP-DOWN DVD PLAYER
- GREY UPHOLSTERY
- METALLIC GREEN
- TINTED WINDOWS
- TWO SLIDING DOORS
- STEREO WITH CD & CASSETTE PLAYER
- HAS NO MECHANICAL PROBLEMS
- SECOND ROW FOLD-IN-FLOOR BUCKET SEATS
- FWD
- NEW TIRES
- POWER STEERING, WINDOWS, SEATS & DOORS

CONTACT ME @xxxxxx@yahoo.com

What makes this a classic scam is the appeal to our greed, in this case our desire to get something really good for as close to nothing as we can manage. Looking at the listing again, there was an obvious clue this was bogus from the start: 1996 Chrysler vans didn't have fold in the floor 2nd row seats. I know this because the van that died was a loaded 1998 Caravan. But not noticing that, this was still obviously too good to be true. It was probably a typo, though, so I checked it out. I clicked on the email address and sent a query. Shortly I received this email:

[caption id="attachment_875" align="alignnone" width="500" caption="Odd name for a personal website..."]Odd name for a personal website...[/caption]

The URL seems a little odd for a personal website, but I'll check it out...

[caption id="attachment_878" align="alignnone" width="500" caption="Appears to be a graphic, except for the phone entry fields"]Appears to be a graphic, except for the phone entry...[/caption]

Here's where the warning bells become intolerable. Some of this may be my own paranoia, but...

  • He's holding a raffle to see who gets to look at his van?

  • He's using a graphic for text - classic scam move. It's a lot more work than simply typing the text in - unless you're creating a bunch of ads. Then it's easier to create one document to upload instead of two or three (text and art)

  • He's using the Craigslists automated phone system to set this up? If he really works for them, he's fired.

  • He wants me to give him my phone number so Craigslists APS can text me?

  • I can give him as many textable numbers as I want to, he doesn't mind.


I checked the page source, and the only thing the page did is make sure you actually put something in the fields. It didn't check what you put in, just that the fields weren't empty. so I entered u, u, u. It worked. It sent me to a 5 second countdown page, which I think was setting up a hotmail account to email my phone number to. It then sent me here:

[caption id="attachment_885" align="alignnone" width="500" caption="Same page, but single code entry field now."]Same page except for single text field[/caption]

Just the blank field I'm supposed to wait and fill in when I get texted. The other hole in the blue is some of the 'text' that has a bit of cloudiness around it. That's a visual clue it's an image file, not actual text.

I look at the pagesource on this page and find a couple of interesting tidbits. There is a hotmail address and a password that I think are auto-generated every time someone enters data into the fields on the previous page. I'm pretty sure that's the case because the hotmail account is different every time. Yes, I clicked on it several times. Was that smart? Not really. I'm as protected as I can be, but there's no guarantee the doesn't have something new on his site that could compromise my computer.

Am I being paranoid? Craigslist didn't think so. By the time my friend saw the ad and told me, it had already been pulled off the site. It still showed up as a result in searches, but when you tried to go to it a page saying the ad had been marked for deletion popped up.

So what was he trying to accomplish? At first I thought he was just generating phone lists to sell. After all, all he asked for was a phone number. Then I realized what he really wanted was numbers to cell phones. SMS messaging capable cell phones that he could send simple little, "your code is: xxxxx" sms messages - at 9.99 per message. If the ad appeared in 10 cities long enough to get 1000 valid, textable numbers in each city that would be roughly $100,000 to the conman. Not a bad morning for a crook.

UPDATE: Once I was someplace I could log into hotmail, I went through the process again and tried the hotmail account and password that were on the page. Not only did it create a hotmail account, there was an email from Craigslist - it had created a new account on Craigslist. I imagine it also placed more ads. I'm bordering legality here (the scammer sent me the account info in the source code of the page), so I'm not going any further, but I suspect that the account on craigslist may have the same username and password as the hotmail account. Of course, this is all automated, so it doesn't have to be the same.