T-Mobile phishing camp

Cory Doctorow shares his experience of being ‘phished’. I had a similar experience, only in reverse.

As I’m waiting to board a flight, my phone rings and someone claiming to be a T-Mobile rep is on the other end.

“You’ve been using your phone a lot,” she says.

Yes, I spent a week in China and the roaming charges are especially high there.

“Well, you are over $2,000 in your phone bill”

Well, thanks for letting me know. When the bill comes I will be happy to pay it.

“No, you need to pay it now; it is higher than your monthly average and we need to collect the payment outside your monthly billing cycle”

Fine. I will call the billing center once I get back to the office tomorrow.

“No, you need to pay it now”

I am just about to board the plane. Call me in 3 hours when I land.

“Sorry, I need to collect a payment or we will suspend the account”

Fine. Bill me. You have my credit card details on file.

“No, we need you to provide them again as proof that you are ok’ing the billing”

Hmm… This is beginning to sound like the most unsophisticated phishing attack ever. You need my credit card details? Now? Can’t wait? Ok. Give me your number and I will call you right back and give you my CC.

“This line is for outbound calls only. There is no direct number back to me”

No problem – I will call the T-Mobile 800 number and ask for your department.

“They cannot transfer you to me”

Then how do I know you’re a real T-Mobile rep and not someone out to get my credit card number?

“Well, how else would I have known your charges this month were especially high?”

At this point I burst out laughing and, since boarding is about to end, I give her my full credit card details. VISA will take the loss on that one, but who will save me from the embarrassment of “securiteam blogger falls victim to the most amateurish phishing attack in history”?

I land, log in to my T-Mobile account, and am shocked to see a bill of $2,500 that is marked as paid. It really was T-Mobile.

Somewhere in Eastern Europe some guy is telling his boss: “Sergei, you’ll never believe this. The fake training material we planted at T-Mobile is actually being used. They are teaching their customers to be phished!”

Phishing camp indeed.

  • williamh

    I honestly don’t understand why in the end you gave your credit card information. Boarding is about to end, why not just hang up the phone! Even if it really was T-Mobile, what kind of way is that to treat a (terrific high-spending) customer?

  • I weaned Sprint of this

    Sprint used to call people and ask for your account password, to “offer you enhanced services”. Since I have an executive-level contact, a few phone calls and some simple explanation, backed up with some links to SANS articles, stopped the stupidity.

    Personally, I’d have told the person on the other end of the line: “I’m NOT giving you my credit card information, and if you turn off my account before I have the opportunity to pay the bill in a way _I_ initiate, I will drop T-Mobile like a hot coal, and ensure that your supervisor, and their supervisor, knows why.”

  • http://www.BeyondSecurity.com Aviram

    @williamh, there is really no down side for me. If it turns out to be phishing, I call my credit card company and cancel the charge.
    Using the credit card on the Internet or over the phone is as safe as it gets.