Editorial note: Sergey Dolya, the author of this post is one of the most popular Russian bloggers. This story recently involved one of his friends. The victim was Katya Turtseva, a high-ranking employee of an international IT company. We mention this to make it clear that in this specific case, the victim knew a thing or two about security.
Recently a friend of mine had her Skype account hacked. Scammers decided to use this opportunity to trick people from her contact list out of their money, and in just one hour they received more than 100,000 rubles (about $1,500)!
To the thieves benefit, there were a lot of people in her contact list: about 300 of them. The scammers decided to ask her friends to borrow relatively small sums of money, 15,000 rubles (about $250) ’till tomorrow’. In fact, this is the maximum amount Yandex Money (a popular Russian payment system) allows to transfer at a time.
The plan was simple: ‘Katya’ wanted to buy some goods online but had no money on her Yandex Money account. This approach had credibility and made people believe that they were speaking with the victim. They decided to transfer money without a call to their friend; some of them even sent money twice.
This is one of the conversations fraudsters (F) had with one of the victim’s friends (V):
F: OK. I’ll get straight to the point: I need your help.
V: What’s happened? Spill it! And send me a photo.
F: I wanted to borrow money till tomorrow
V: How much? I can send you money, if I have enough in my account.
F: 15 thousands (rubles)
V: OK, sure. Where do I send it?
V: How should I send it?
F: I need to pay with a card but my account is empty. Can you pay?
V: No problem
F: http.yandex…. (the link to payment page)
V: I need a recipient’s bank account
F: hey! where are you?
V: was changing nappy
F: oh. here it is: (number of fraudsters’ account)
V: I’ll take a photo of the invoice and lull Vanya asleep. He is crying.
F: OK, I’ll be online
F: Oh, Lena, coming to think of it. Do you have another 15,000? If not, it’s OK you’ve already helped a lot! But if you have, I’ll send you back 30,000 tomorrow + commission at my expense
When everything came to light, it was very difficult to do almost anything to fix this problem.
A few days were spent communicating with the Skype support service: employees needed more than 24 hours to understand what had happened. When they figured out that Katya’s account had been hacked, they sent her a link to a password recovery form, totally ignoring the part of the letter in which Katya explained that scammers had changed the associated e-mail as well.
Next, the support service asked Katya to fill in the verification form, twice. It was the three days since the start of this scamming affair and fraudsters were still persistently sending their requests through the contact list. Support service refused to block Katya’s account until they were able to clarify the situation through-and-through.
In the end, Katya correctly answered all questions from verification form except one: when was your Skype account created. The support service decided that the whole situation was too complicated and recommended that she create another account! By that time, the fraudsters had already stolen about $5,000.
Sergey Dolya @dolyasergey tells how his friend had her #Skype hacked and used for money scammingTweet
Meanwhile, one of Katya’s friends tried to get a refund. She blocked her card and asked her bank to cancel the payment. Her request was formally accepted. The bank confirmed that she had never worked with this shop before and asked her to file a complaint at the local police department. Her bank requested a copy of this complaint to initiate the investigation of the case.
The police sent her back to the bank: in addition to a whole bunch of different documents, they needed a document from her bank saying that the investigation had been launched. There was a lot of back and forth at that point. They were dealing with a local police department that had no experience in a situation like this. At the local police department, Katya’s friend was told that she should send her request to a main police office in Moscow.
After that, Katya’s friend called her bank once again. Her card was blocked as well as the money transfer, but it would be tied-up until the merchant applied for it. When the investigation actually starts, they will ask for a money refund from the merchant’s bank. The possibility of a successful solution to this problem seems to an unlikely dream.
When other users tried writing to the fraudsters, directly. The fraudsters did not believe that police would do anything substantial on this case. Obviously they clearly understood the imperfection of Russian legal system combined with the Skype security policy:
— ***, guys, give us an interview, at least in chat
— ***, f*** off, don’t f*** my brain)
— Come on, we do wonder. Katya says you’ve already gathered 100,000 rubles
— They say she has gone to the police. And let God bless her there… I’m blessed with my anonymity
— It’s unlikely that I can break your anonymity by chat
— You’re just disturbing me
It seems that the only one thing that you can do in this case is to secure your accounts. Here are a few tips:
— The best, most obvious and at the same time the most ignored tip is to use a reliable password! Everybody knows it but there is still a lot of thoughtless people.
— Don’t use the same password for different accounts. If you do, when one of web-services is compromised you can lose all your accounts.
— Use two-factor authentication to protect your accounts. In this case you’ll receive a short code via SMS or e-mail to use as a second password.
— Don’t click suspicious links: there are a lot of pages on the web that steal your data. It’s called phishing. Also, do not reply to letters and messages from unknown contacts.