I don’t know about you, but the Robocalls and scam phone calls I get to my US phone number are getting out of control. (Yes, it's in the 'do not call registry'.) I use grasshopper.com to manage my business line, and it does a pretty good job of filtering them out, but on 19 February, I got one by SMS and decided to see where it would go. I also figured that if I waste some of their time, all the better. The conversation via SMS was short. Their initial objective was to move the conversation to Telegram, which I thought would be more convenient anyway. So I messaged them on Telegram and the longer conversation began. 

The premise was they wanted to offer me a job with Scentre Group. Scentre Group is a real estate conglomerate that operates out of Australia and New Zealand. According to the scammers, they are opening new offices in my area, and they need people to man up the office before it opens. I would work from home to help get them started.  They will send me a check that I can keep $250 and use the rest to fund buying my “office equipment” I will need to do the work. So I give them a phony name (Steven CA Mathews. Yes, the initials are SCAM) and an address not expecting them to actually send anything, but they did. The next day they gave me a FedEx tracking number, which of course failed because the address was fake. However, they helpfully emailed me a scan of a check, and told me that I could use the mobile app from my bank (from a bank name I invented that doesn’t exist) to take a photo of the check and upload it. When I got the scan of the check, It had a totally different company name and address on it (Not Scentre Group). So I decided to do some research on the company on the check. It turned out, the company on the check exists. When I contacted them, they looked into it, and found that their bank account had been hacked! They thanked me. 

I obviously wasn’t going to cash the check, so I told the scammers my bank’s app wouldn’t accept the resolution of the printed check and I convinced them to send me another one to a different address. This time I gave them the address to my UPS Store box. I gave the UPS store a call to give them a heads up, and they agreed to open and scan the check to me by email to speed things along. Unfortunately, the scammers somehow bungled the address, and left off my box number. Since the package arrived without a box number and Steven CA Mathews is not listed on my mail box, the UPS Store was not able to open it or forward it to me and had to send it back. 

After that, the scammers seem to get a little more annoyed with me, and were not willing to send another check. When I asked if there was another way, they asked if  I could front the money for the equipment. It was at this point, that they sent me out to buy gift cards. 

In the end, this turned out to be a long trip to a gift card scam. For most of their victims, the money to buy the cards is coming from stolen bank accounts and is probably pulled back, so the victim would end up being out of the money. 

Observations

During the initial shuffle with the first FedEx shipment, I asked them if I was looking at the right website for their company and gave them a link. The Scentre Group web page is “www.scentregroup.com”, I registered “www.scentregroupe.com”. When they clicked on my link from Telegram, I got an IP from the canary token I placed on the page which forwarded to the real Scentre Group page. Unfortunately, it resolved to a server on vultr.com that was running  Gom VPN, a proxy/vpn service from https://getgom.com/. I contacted the owners of Gom VPN, and their response was simply:

           “I wish I can help but the servers contain no logs.”

Since the scammers gave me one wrong FedEx tracking number, I had 3 to work with. The most interesting thing I found from these was that two packages were shipped from Purchase, NY,  and one shipped from Mountain View, CA. I imagine this means one of two things: 1) They are a team of people working from multiple locations or 2) They have conscripted others to send the packages via FedEx through some other sort of scam, and they are nowhere near either location.

During the course of our interactions, they did send a few emails to me (to SCA Mathews) via my disposable domain. From the headers on those emails, I was able to determine they were using another account to relay email that I suspect they have compromised. I’ve contacted the owner of this account, but have not yet heard back from them.  These emails also revealed two Gmail addresses as "reply-to" addresses which I have reported to Google via their abuse forms. 

The last step in this was to report the Telegram account. While I hold no delusion that my efforts will completely put them out of business, I certainly hope that the accounts that get shutdown will slow their progress to others who may be more susceptible to this ploy. 

A complete transcript of the Telegram and SMS conversations (with some notes) can be found here.

A special thanks to @Kre80r for his help to identify the GOM VPN.