For several weeks a hacker has been posting fraudulent FOR SALE listings on QRZ. He hasn't hacked the QRZ servers, but has hacked several of our members using techniques that trick the user into turning over their password. This crook has been difficult to track down. It is our hope that some of you reading this will lend your time and skills to help catch this guy. With a lot of us on the lookout, it is pretty certain that he'll make a serious mistake that leads to his capture. First, let's take a look at how he operates and then, how we might go about catching him.

Modus Operandi - How The Scam Typically Works

As we browse the QRZ Swapmeet Listings, we notice a nice radio, perhaps an ICOM IC-7800, for sale at a great price. The model number doesn't matter but the price does. The bandit will usually offer a radio for $1500 or more, complete with pictures and a valid callsign. Nothing looks unusual about the ad, and the English and grammar in the posting are usually good, which suggests that the person is a native English speaker, probably in the USA.

When negotiating by email, the bandit will usually want some form of payment that can't be traced, such as Western Union, or perhaps a certified check. PayPal is never accepted. Should you be unlucky enough to make payment for the merchandise, you can be assured that it will never arrive and that you'll never hear from him again. Several people have already lost money, and so it's time to organize a posse!

BUT WAIT, the seller is LISTED in the QRZ callbook, and you have his official address, right? WRONG. The person whose callsign appears in the ad has nothing to do with the sale, and probably doesn't even know that something has been posted under his name. It is a case of identity theft: the bandit is pretending to be someone else (usually, but not always, an extra class or 1x2 callsign) so that he has credibility. Investigating closer, the bandit mentions an @yahoo.com email address in his posting.
Looking at the seller's callsign page, the SAME @yahoo email address checks out. All good. NOT. A closer look at the DETAIL page shows that the listing has been recently edited (updated), often on the same day that the swapmeet ad was posted. Also, the photographs in the ad are usually stolen from some other website. In many cases, one can Google the model number of the rig being offered and then, under Google's Images link, find the same photo taken from another website.

Analysis

The scam starts with the hacker getting the QRZ login password of an existing member. Then, they create a plausible-looking email account @yahoo.com. Next, they log in to QRZ using the stolen callsign and password and edit the callsign listing so that it now shows the newly created @yahoo.com email account on the callsign page. Then they post a For Sale ad and wait for a victim.

How did they get the member's password? This is where the story gets interesting, in a diabolical sort of way. In the case of some recent account thefts, it started with the legitimate QRZ user posting a WANTED AD in our Wanted/Trades section. The hacker responded to the want ad with a message that said something like: "Hi. I have just the rig you've been looking for. To see some pictures of it, check them out here: http://qrz.au.mn/........htm". The link that the hacker gave goes to a page that LOOKS EXACTLY LIKE the QRZ Login page. It includes our logo and the same exact wording as our login page. The user dutifully enters their callsign and password and is promptly sent to the REAL QRZ website. Everything seems normal to the user, except that perhaps the photos of the rig he was expecting aren't there. The user then moves on and forgets about it. Meanwhile, the hacker's fake login page, which was hosted on a computer in Mongolia (.mn, above), has the user's correct ID and password. The hacker probably gets the info in an email from the hack site and sets off to run another scam.
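The weak point in the chain above is the link itself: "qrz" is visible in the address, but the host that actually receives the login form is not qrz.com. The following Python script is an added example, not QRZ's own code, showing how a reader (or a forum moderator's tooling) can pull every link out of a reply and flag the ones whose host merely contains the brand name. The trusted host list, the brand string and the sample reply text are assumptions constructed for this example.

```python
import re
from urllib.parse import urlsplit

# Assumed for this example: the genuine site host and the brand string a
# phisher imitates. These are not taken from any QRZ configuration.
TRUSTED_HOSTS = {"qrz.com", "www.qrz.com"}
BRAND = "qrz"

# Matches http/https URLs up to the next whitespace or quote character.
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def is_trusted_host(host: str) -> bool:
    """True only when the host is the genuine site or one of its subdomains."""
    host = host.lower().rstrip(".")
    return host in TRUSTED_HOSTS or any(host.endswith("." + t) for t in TRUSTED_HOSTS)


def classify_url(url: str) -> str:
    """Return 'trusted', 'lookalike' or 'external' for a single URL.

    urlsplit() yields the real host, so the brand appearing elsewhere in the
    URL (in the path, for instance) does not make a link look genuine.
    """
    host = urlsplit(url).hostname or ""
    if not host:
        return "external"
    if is_trusted_host(host):
        return "trusted"
    # The brand name inside some other registered domain (qrz.au.mn in the
    # post above) is exactly the pattern the victim fell for.
    if BRAND in host.lower():
        return "lookalike"
    return "external"


def find_suspicious_links(message: str) -> list:
    """Extract every URL from a message; return (url, verdict) for each one that is not trusted."""
    results = []
    for url in URL_RE.findall(message):
        url = url.rstrip(".,)")  # drop sentence punctuation that follows a link
        verdict = classify_url(url)
        if verdict != "trusted":
            results.append((url, verdict))
    return results


# Constructed sample reply, modelled on the message quoted in the post.
SAMPLE_REPLY = (
    "Hi. I have just the rig you've been looking for. To see some pictures of it, "
    "check them out here: http://qrz.au.mn/pictures.htm\n"
    "You can look me up at https://www.qrz.com/ if you want."
)

if __name__ == "__main__":
    for url, verdict in find_suspicious_links(SAMPLE_REPLY):
        print(f"{verdict:10s} {url}")
```

Anything reported as "lookalike" is the case described in this post: the address shows the brand name but the login form would be submitted somewhere else. "external" links (a photo host, for example) are not proof of fraud on their own, but they deserve the image search check described later in this post.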
The ID theft victim should NOT have clicked on the address http://qrz.au.mn, but he probably didn't even notice the odd web address after seeing 'qrz' in the name. Another thing that makes the scam work is that the user is truly motivated (i.e. they really want to see the item being offered), and therefore becomes a prime target for this type of con.

At QRZ HQ, we've checked the system over thoroughly and don't find any evidence that hackers have gotten into any back doors or administrative ports on the system, or have otherwise broken into QRZ in any way. Instead, they have used a form of social engineering to get people to willingly give up their password details, as described above.

How you can help

We need to turn the tables on this guy. Chances are, judging by the level of technical accuracy in the FOR SALE listings, that the hacker is a HAM, is probably right here among us, and is probably reading this message. He's only going to be successful so long as he preys on single, unsuspecting members who are casually browsing the site. We need to find a way to make it difficult for him to carry on and to make sure that he's never certain whether he has a victim on the line or is being baited into a trap himself. Make no mistake about it: what he is doing is a federal crime, and we will not hesitate to turn him over to the FBI once he's been identified.

We need people who are willing to help catch this guy. If you want to participate, please post in the Wanted/Trade section looking for medium-priced, late-model radios. Be sincere and don't make it obvious. When you get a reply to your Wanted item that includes a link to "see" what the seller has, let us know and we'll investigate. Do not delete the PM or email; instead, just tell us about it. We may ask you to provide further information. Your name will not be shared with anyone should we catch the hacker. Everything you provide will be kept anonymous, unless you tell us otherwise.
Warning: DO NOT post fake listings in the For Sale section. This is considered a serious offense that won't be forgiven.

In addition to keeping the Wanted section honest, we need people to really look hard at any For Sale item for a late-model radio being offered for more than $1000, especially if the price seems lower than usual, or the deal seems awfully good for some other reason. Again, all we need is for you to click the Report Post button (the small triangle below the ad) and let us know. If you can, do a Google Image search for the model number to see if the posted picture has been used elsewhere.

Don't assume that every nice radio for sale is a scam - it isn't. So far, nobody with a real callsign has ripped anybody off in this scam. The problem, of course, is that you simply cannot trust that the callsign (user name) in the posting is genuine. If you know the person whose callsign appears in the posting, ask them if the listing is real. If it isn't, notify QRZ immediately!

Remember, most hams are honest. Always assume the best until evidence proves otherwise. Some hams just don't know how to properly conduct business over the internet, and you shouldn't hold that against them. Be careful, be wise, and only trust the facts, not your instinct.

Summary

With your help, we'll either catch this guy or make him go away. Either way, our entire community will be better off for it.