QRZ needs your help - LETS CATCH THIS GUY!

Discussion in 'Stolen Radios, Scams and Rip-Offs' started by AA7BQ, Mar 29, 2013.

Thread Status:
Not open for further replies.
ad: L-HROutlet
ad: l-rl
ad: Left-3
ad: MessiPaoloni-1
ad: L-MFJ
ad: Subscribe
ad: Left-2
  1. AA7BQ

    AA7BQ QRZ Founder Administrator Platinum Subscriber QRZ Page

    For several weeks a hacker has been posting fraudulent FOR SALE listings on QRZ. He hasn't hacked the QRZ servers, but has hacked several of our members using techniques that trick the user into turning over their password.

    This crook has been difficult to track down. It is our hope that some of you reading this will lend your time and skills to help catch this guy. With a lot of us on the lookout, it is pretty certain that he'll make a serious mistake that leads to his capture.

    First, let's take a look at how he operates and then, how we might go about catching him.

    Modus Operandi - How The Scam Typically Works

    As we browse the QRZ Swapmeet Listings, we notice a nice radio, perhaps an ICOM IC-7800 for sale at a great price. The model number doesn't matter but the price does. The bandit will usually offers a radio for $1500 or more, complete with pictures and a valid callsign. Nothing looks unusual about the ad, and the English and grammar in the posting are usually good, which suggests that the person is a native English speaker, probably in the USA. When negotiating by email, the bandit will usually want some form of payment that can't be traced such as Western Union, or perhaps a certified check. PayPal is never accepted. Should you be unlucky enough to make payment for the merchandise, you can be assured that it will never arrive and that you'll never hear from him again. Several people have already lost money and so it's time to organize a posse!

    BUT WAIT, the seller is LISTED in the QRZ callbook, and you have his official address, right? WRONG. The person whose callsign appears in the ad has nothing to do with the sale, and probably doesn't even know that something has been posted under his name. It is a case of identity theft where the bandit is pretending to be someone else (usually, but not always, an extra class or 1x2 callsign), so that they have credibility.

    Investigating closer, the bandit mentions an @yahoo.com email address in his posting. Looking at the seller's callsign page, the SAME @yahoo email address checks out. All good. NOT. A closer look at the DETAIL page shows that the listing has been recently edited (updated), often on the same day that the swapmeet ad was posted.

    Also, the photographs in the ad are usually stolen from some other website. In many cases, one can Google the model number of the rig being offered and then under Google's Images link, find the same photo taken from another website.


    The scam starts with the hacker getting the QRZ Login Password of an existing member. Then, they create a plausible looking email account @yahoo.com. Next, they login to QRZ using the stolen callsign and password and edit the callsign listing so that it now shows the new hacked @yahoo.com email account on the callsign page. Then they post a For Sale ad and wait for a victim.

    How did they get the member's password? This is where the story gets interesting, in a diabolical sort of way. In the case of some recent account thefts, it started with the legitimate QRZ user posting a WANTED AD in our Wanted/Trades section. The hacker responded to the want ad with a message that said something like: "Hi. I have just the rig you've been looking for. To see some pictures of it, check them out here: http://qrz.au.mn/........htm".

    The link that the hacker gave goes to a page that LOOKS EXACTLY LIKE the QRZ Login page. It includes our logo and the same exact wording as our login page. The user dutifully enters their callsign and password and is promptly sent to the REAL QRZ website. Everything seemed normal to the user except that perhaps the photos of the rig he was expecting weren't there. The user then moves on and forgets about it.

    Meanwhile, the hacker's fake login page, which was hosted on a computer in Mongolia (.mn, above), has the users correct ID and password. The hacker probably gets the info in an email from the hack site and sets off to run another scam. The ID theft victim should NOT have clicked on the address http://qrz.au.mn but, he probably didn't even notice the odd web address, after seeing 'qrz' in the name. Another thing that makes the scam work is that the user is truly motivated (i.e. they really want to see the item being offered), and therefore becomes a prime target for this type of con.

    At QRZ HQ, we've checked the system over thoroughly and don't find any evidence where hackers have gotten into any back doors or administrative ports on the system, or have otherwise broken into QRZ in any way. Instead, they have used a form of social engineering to get people to willingly give up their password details, as described above.

    How you can help

    We need to turn the tables on this guy. Chances are, judging by the level of technical accuracy in the FOR SALE listings, that the hacker is a HAM, and is probably right here among us, and is probably reading this message. He's only going to be successful so long as he preys on single, unsuspecting members that are casually browsing the site. We need to find a way to make it difficult for him to carry on and to make sure that he's never certain whether he has a victim on the line or if he is being baited into a trap himself. Make no mistake about it, what he is doing is a federal crime and we will not hesitate to turn him over to the FBI once he's been identified.

    We need people who are willing to help catch this guy. If you want to participate, please post in the Wanted/Trade section looking for medium priced late model radios. Be sincere and don't make it obvious.

    When you get a reply to your Wanted item that includes a link to "see" what the seller has, let us know and we'll investigate. Do not delete the PM or email, instead just tell us about it. We may ask you to provide further information. Your name will not be shared with anyone should we catch the hacker. Everything you provide will be kept anonymous, unless you tell us otherwise.

    Warning: DO NOT post fake listings in the For Sale section. This is a considered a serious offense that won't be forgiven.

    In addition to keeping the Wanted section honest, we need people to really look hard at any For Sale item that is for a late model radio being offered for more than $1000, especially if the price seems lower than usual, or the deal seems awfully good for some other reason. Again, all we need is for you to click the Report Post button (the small triangle below the ad) and let us know. If you can, do a Google Image search for the model number to see if the posted picture has been used elsewhere.

    Don't assume that every nice radio for sale is a scam - it isn't. So far, nobody with a real callsign has ripped anybody off in this scam. The problem is, of course, is that you simply cannot trust that the callsign (user name) in the posting is genuine. If you know the person whose callsign appears in the posting, ask them if the listing is real. If it isn't, notify QRZ immediately!

    Remember, most hams are honest. Always assume the best until evidence proves otherwise. Some hams just don't know how to properly conduct business over the internet and you shouldn't hold that against them. Be careful, be wise, and only trust the facts, not your instinct.


    With your help, we'll either catch this guy or make him go away. Either way, our entire community will be better off for it.
    KJ6NQW, K4AGO, AD6FR and 6 others like this.
  2. WA6JFK

    WA6JFK Ham Member QRZ Page

    Very interesting. I am going to change my qrz.com PW now.
    I don't think I have been lured into the phony login page, but you can never be too safe.

    One way to prevent these dirtbags from getting our hard earned cash is "Only pay via PayPal" you are about 100% sure to get all or most of your money back if the seller either sends you junk or broken radios, or better yet, sends you nothing.

    In the past couple of months I have had a couple of deals go south, but luckily I used PayPal for payment and I was able to get all my monies back, other than shipping costs related to poorly packaged radios sent my way.

    I applaud this method of possibly catching the creeps.

    KG5SFT likes this.
  3. K9XR

    K9XR Ham Member QRZ Page

    Maybe it's the time of day I am online but it seems to me that there are an awful lot of phony listings that happen in the very late night or very early morning hours when nobody is around. I have been posting warning ads solely for the purpose of warning the other readers and they are generally deleted and the phony ads are allowed to keep running. A lot of identifying the crooks is just common sense that has been posted by you and others over and over. Is spite of this, the crooks still seem to find guys who are looking for that unbelievable deal that never really happens. I called out a very obvious crook on another board the other night and he deleted his ad because he didn't like violent people. I told him that was good because I don't really care for crooks. I am tired of the Moderators deleting my ads because they don't think they give enough info. So what do you want anyone who spots an obvious fraud when nobody is around to do?

    I've sent emails with little or no response so I figured the best way to help unsuspecting bargain hunters was to post an announcement in the For Sale forum .BTW I'm not very worried about the "no deletion" policy, because I try really hard to do my homework before posting Anything. Maybe a new forum for posting about questionable postings? The scam forum doesn't really help in "real time" because it is moderated and this kind of post can't wait until the morning. If, not what?
  4. N4UFO

    N4UFO Ham Member QRZ Page

    Fred, I got an e-mail a couple weeks ago after I sold something by someone claiming to be ham... I replied it was sold and asked where they saw the ad because I had posted it on three sites and thought I had deleted them all or marked them as sold. I got a confusing reply back again acting like they were still interested. I looked the guy up and it was his alleged e-mail according to QRZ. When I did a net search for the ham, he had ads listed on another classified site, but a different e-mail address. I contacted him at that e-mail and let him know what was going on. He was confused by my explanation and kept thinking I was talking about his ads on THAT site. He eventually contacted the admin of that site to delete all his ads and I dropped it. I was also curious as to the confusing reply and wondered if it was generated by a 'bot'. (I know someone closely that programs social bots, AKA 'chat bots'. They can be pretty good at acting like a real person.) I sent yet another reply with nonsensical info obvious to anyone knowledgeable about ham radio that I was onto the scam. (ridiculous price, unknown website referral) Unfortunately, I did not get a response...

    My points....

    1. The value was way below $1500.

    2. It was likely an automated robot reply that may be supervised by a human... this allows one guy to a lot in less time.

    3. It's going on at at least two other classified sites I know of.

    And while this is happening with e-mail replies, I want to mention what one site is doing... Every ad posted shows the IP of the poster. The IP is a clickable link that brings up a "Who Is" listing and shows the ISP name and the location area of that IP. The callsign of the poster is also a clickable link to a callsign lookup. An ad viewer that may think an ad is fishy or too good to be true can see that Fred WZ1XYZ is in New England, yet the ad was posted by someone in Arizona... or worse a foreign country. Often someone that does this calls attention to the ad and it is dealt with. Just FYI on a good idea.

    Hope this information is helpful...

    73, Kevin, N4UFO
  5. W2NAP

    W2NAP Ham Member QRZ Page

    I hate to say it. but posting this in public wont it tip off the scammer?
    N1SCA and AC2AE like this.
  6. AF6LJ

    AF6LJ Ham Member QRZ Page

    If it does the problem solves itself.
    The scammer knows we will be watching.
  7. KA9JLM

    KA9JLM Ham Member QRZ Page

    As mentioned if they just go away that would be good.

    I have seen fake website login links in emails and I save them for investigation.

    That help greatly in catching these kind of folks.

    Some are not so smart.

    Here is a dumb one that wants a reply;

    This message is from the helpdesk support center. Be informed that your mail box has exceeded the storage limit set by your administrator/database, you are currently running out of context and you may not be able to send or receive some new mail
    until you re-validate your mailbox.
    We are sending this email to you so that you can verify and let us know if you still want to use this account.
    If you are still interested please fill the form below for upgrade.
    Thank you for your understanding.

    Your name:________________

    Email Address_____________

    Email Password:___________

    Confirm password:___________

    Enter the web:______________

    The reply goes to;

    Reply-To: <webmail_service @ymail.com>

    I do not even use webmail, as it is not very safe.
    K4XJ likes this.
  8. KB9TMP

    KB9TMP Ham Member QRZ Page

    Other sites display the DNS number of the person making the post. Maybe QRZ should do this also. It may not pin-point the jerk but it might just narrow the search to a geographical area.
    K4XJ likes this.
  9. WA6MHZ

    WA6MHZ Subscriber QRZ Page

    I want the Rat B*****D Scammer CAUGHT, Castrated, Tortured and Waterboarded! he need to PAY DEARLY for his sins against Humanity! He is no different than a Robber or Carjacker. MAKE HIM PAY!!!! MAKE HIM SUFFER!!!!
    N1SCA, KN4LGM, K4XJ and 1 other person like this.
  10. KF5RRF

    KF5RRF Premium Subscriber QRZ Page

    While having the IP address is a good idea, it is entirely possible to obfuscate the IP by using an open web proxy or some form of proxy routing. Even having a phone number isn't a guarantee nowadays as just about anyone can signup for VoIP service that lets you pick a phone number that isn't your true geographic locale. Basically, you need to be able to out-scam the scammer. "How?" is the big question.
Thread Status:
Not open for further replies.

Share This Page