T-Mobile phishing camp
May 8th, 2010 by Aviram, Filed under: Commentary, Culture, Phishing, Social Engineering
Cory Doctorow shares his experience of being ‘phished’. I had a similar experience, only in reverse.
As I’m waiting to board a flight, my phone rings and someone claiming to be a T-Mobile rep is on the other end.
“You’ve been using your phone a lot,” she says.
Yes, I spent a week in China and the roaming charges are especially high there.
“Well, you are over $2,000 in your phone bill”
Well, thanks for letting me know. When the bill comes I will be happy to pay it.
“No, you need to pay it now; it is higher than your monthly average and we need to collect the payment outside your monthly billing cycle”
Fine. I will call the billing center once I get back to the office tomorrow.
“No, you need to pay it now”
I am just about to board the plane. Call me in 3 hours when I land.
“Sorry, I need to collect a payment or we will suspend the account”
Fine. Bill me. You have my credit card details on file.
“No, we need you to provide them again as proof that you are ok’ing the billing”
Hmm… This is beginning to sound like the most unsophisticated phishing attack ever. You need my credit card details? Now? Can’t wait? Ok. Give me your number and I will call you right back and give you my CC.
“This line is for outbound calls only. There is no direct number back to me”
No problem – I will call the T-Mobile 800 number and ask for your department.
“They cannot transfer you to me”
Then how do I know you’re a real T-Mobile rep and not someone out to get my credit card number?
“Well, how else would I have known your charges this month were especially high?”
At this point I burst out laughing and, since boarding is about to end, I give her my full credit card details. VISA will take the loss on that one, but who will save me from the embarrassment of “securiteam blogger falls victim to the most amateurish phishing attack in history”?
I land, log on to my T-Mobile account online, and am shocked to see a bill of $2,500 that is marked as paid. It really was T-Mobile.
Somewhere in Eastern Europe some guy is telling his boss: “Sergei, you’ll never believe this. The fake training material we planted at T-Mobile is actually being used. They are teaching their customers to be phished!”
Phishing camp indeed.
williamh
I weaned Sprint of this