According to 419eater.com, scambaiting is “enter[ing] into a dialogue with scammers, simply to waste their time and resources. Whilst you are doing this, you will be helping to keep the scammers away from real potential victims and screwing around with the minds of deserving thieves”. These scammers aim to take advantage of the elderly, people with disabilities, and others. I occasionally engage in scambaiting, but particularly enjoyed the encounter I document here.

I received a message concerning a computer case I was attempting to sell on Gumtree. I’d listed it about 15 minutes prior to the message arriving.

Note: If you’d prefer to read this as a series of screenshots, go ahead.

Scammer: I was interested in computer case

Scammer: Good afternoon, I’m about an announcement on gumtree

Scammer: Is it convenient for you to speak now?

No suspicions yet, seems legit!

Me: Hi, sure, are you interested?

Scammer: is he in good condition?

Me: Particularly good condition yes, it was used for around a year but just lived on my desk. There’s a few scuffs here and there but nothing particularly noticeable. All screws/fittings that were included are still there, only thing that’s missing are the shields where you’ll probably be putting a graphics card anyway.

Scammer: okay, are there fans included?

Me: No, it doesn’t come with any fans

Me: It can fit a 120mm or a 140mm fan

I decided to be extra helpful and link him to a LinusTechTips video reviewing this computer case. Can’t say my customer service isn’t on point. At least he wasn’t questioning whether I was Romanian or not!

Me: https://youtu.be/8ptbpKpObzs this is the case, if you’re curious.

Scammer: well, for such a price everything suits me

Scammer: when can you pick it up?

Wait… When can I pick it up? Strange, although it could have been a language barrier thing. Whatever.

Scammer: or will you send it by mail?

Me: Pickup only unfortunately, not cost effective to send computer cases by post!

Me: You can pick up anytime today from Mayfair - just let me know when to expect you

Scammer: I’m at work today, I’ll be free only next weekend

Scammer: Can I pay for the item now and pick it up next weekend?

Me: That would be fine yes! I’ll hold it for you. You want to pay via PayPal/bank transfer?

Me: You can also pick it up tomorrow, or any day after Friday

Me: It’s up to you

Scammer: It will be convenient for me to pick up the food next Saturday

Pick up… The food? I’m not sure who eats computer cases, but I’m not sure I want to cross them! Still I suspected nothing so far.

Scammer: yes, I can transfer to the card and paypal

Scammer: as you prefer?

Me: https://monzo.me/kevinnorman/10.00?d=Gib%20me%20money%20for%20writing%20article

I sent him a link requesting money as generated by my bank. That’s a real link, by the way, feel free to send me money, I certainly would be grateful!

Given this is an ITX case (a small one which only fits certain hardware), and because I’m a nice guy, I thought I’d ask him what he’s putting inside of it to double check he was aware that the case was an ITX case.

Me: Out of interest, what are you going to put inside it?

Scammer: Intel core i7 and gtx 2070

Scammer: or it is possible through PayPal, I have money there

Me: Sure, kn100+paypal@kn100.me

Scammer: more precisely core i7 9700k

Me: Very nice

Me: Will be a very powerful tiny computer!

Scammer: Yes

Scammer: I will send a check, do you mind?

At this point my scam senses started tingling. A check? Does he mean a cheque? Does he mean a security check? For a £10 case?

Me: I’m not sure I understand

Scammer: one second

Scammer: https://paypal DOT 3sds DOT site/pay/?id=49688501 (I have intentionally garbled this link. Visit at your own risk.)

Scammer: this is check

Scammer: fill in the data to receive money

Scammer: understand?

Ah. A Scammer. Visiting this page took me to a page that looked like the following. An obvious scam, but it’s pretty reasonable to expect that a lot of people might fall for this.

I started to consider what to do, so I stalled a bit by just telling him the link didn’t work. In this time I would quickly spin up a virtual machine, and do a bit of recon.

Me: It’s not working

Scammer: what does not work?

Me: That link

Me: It just 404s

Scammer: One second

Scammer: https://paypal DOT 3sds DOT site/pay/?id=49688501

Me: Give me a minute my dog started screaming

Scammer: Ok

Scammer: try to copy the link and paste it into the browser

Still trying to stall for time, I try to delay by asking more PC related questions to waste his time and to give me time to think.

Me: What power supply are you planning to use?

Scammer: Corsair 750w

Me: The link still isn’t loading, but now I’m getting error 509

Me: 500*

I decided to claim a different error message was occurring, really get him worried. I was honestly stalling for time.

Scammer: I’ll write to technical support now

Scammer: https://paypal DOT 3sds DOT site/paychekoff/?id=49688501

Scammer: they stuck this link

Scammer: they said everything is fine

Ah, a nugget of information! With a lot of these scams, the scammer you speak to does not manage the tool they use to scam you. The tool is purchased from some skiddie, and is then run by the scammer. The use of the word “they” in his messages above led me to believe that he was in direct contact with the person responsible for hosting the tool they were attempting to use to scam me.

At this point, I decided to fire up an image editing tool.

Me: Okay now it’s refusing to accept my details

Scammer: try with another browser

Me: It says error 418 now… PayPal is really unreliable today maybe we could try another way?

Scammer: I only keep money on paypal

Me: It loaded this time at least, but I’ve tried submitting like 5 times

Me: Maybe you can withdraw 10 pounds and bank transfer me

Scammer: send a screenshot of the error, I will send to those support

Me: One second

Scammer: Well?

So I edited an image with an error 418. For the uninitiated, according to Mozilla, Error 418 “indicates that the server refuses to brew coffee because it is, permanently, a teapot.”. I used this error for two reasons. Firstly because it was hilarious to me, and secondly any person who knows anything about web development is very likely to know this error and realise what is going on. If this person catches on, I was unlikely to be able to have much fun with them anyway.

Scammer: if it doesn’t work now, write to those support, at the bottom right

Scammer: it just works for me

It just works for you huh? You’re just paying yourself money? Seems legit Mr. Scammer!

Me: I tried writing to the chat but it seems its gone offline

Me: also, the payment boxes have disappeared completely now, maybe too many attempts?

Scammer: Maybe

Scammer: all this is strange

To really confuse this guy, I decided I’d edit the screenshot so the online chat appeared offline. You’ll notice the little circle on the chat thing turned from green to red. I also hid the ‘payment’ boxes, as promised. What I wouldn’t give to see the conversation between this guy and the tech guy running it.

I wanted to create a sense of urgency, and to force this scammer to regenerate their payment link, so I engineered a situation where he’d increase the price.

Me: I think I might have another buyer for the case, I might see if they can pay for it in a different way, I just want shot of it

Scammer: as you wish

Scammer: technical support wrote: the server was restored

Scammer: can you try again?

Me: Hmnn, this other buyer is offering me cash today. Perhaps if you want it we can say 15 pounds?

Scammer: okay let’s go for 15

Me: The link still says 10

Scammer: now we will create a new translation

Scammer: https://paypal DOT 3sds DOT site/paychekoff/?id=49688501

Hey, a new link, with a name! Thanks Chekoff!

Scammer: 15£

Scammer: works?

Me: I don’t know what the hell is going on

Now, I decided to give the Script kiddie behind this nightmares. I edited the payment page to read NaN for the payment amount.

Me: this says: To Receive: NaN

Scammer: I do not know what’s happening

Scammer: try to go through another browser

Scammer: I’m already so tired, I’m ready to give 20 £

Next, I decided to engage with the scammer via their “tech support”. This screenshot is undoctored.

Scammer: how will tech support answer write me

Hilariously, after I refused to provide my card details via chat, the scammer messaged me again on Whatsapp to ask why I wasn’t providing the card details!

Me: I have no idea but I am not typing my card details into a text box for 20 quid

Me: oh man I just went to reply to support and got this

Next, I threw him a curveball. I edited the screenshot of the chat to have a fake warning indicating that the “free trial period” had expired. Next, I asked him if he’d like to sign up to my Onlyfans. I also linked him to a nursery rhyme for no good reason.

Me: Here’s a weird idea… I actually have an Onlyfans, and Onlyfans can be paid for with Paypal. What if you sign up to my Onlyfans and I make a tier that is 20 pounds?

Me: https://www.youtube.com/watch?v=B6en-O5yF0o

Me: oh sorry that link wasn’t for you

Here, he went quiet. I decided a few hours later to try to re-engage him by letting him know other buyers had lost interest. What he didn’t know is I’d already sold the case to someone else.

Me: this other buyer has fallen through, so it’s just you now. Not sure what to do.

Scammer: how paypal works, i will transfer you £ 20

Scammer: Ok?

Me: how?

Me: Hello? Do you still want it?

Scammer: Yes

Me: Then how shall we conduct this business transaction sir

Me: I’ve got the case, you’ve got the cash, can I make it any more obvious?

Scammer: I’m going to try now

Scammer: try now

Scammer: https://paypal DOT wis3 DOT site/pay/?id=73531466

Ha! He’s given me another domain to report. Excellent. More sleuthing indicates both domains were registered with the same email. A tiny bit more looking showed that there were around 50 of these domains all serving the same content. Reg.ru of course got a list.

Scammer: work?

Another curveball. My sleuthing through WHOIS records lead me to believe the scammer in question was Russian too, and the domain was registered with Reg.ru. I decided to mock up a fake domain suspension notice. The Russian reads “This website has been blocked. Get in contact with the support team”.

Scammer: I don’t know, try using another browser

Me: sorry let me try on a computer, this is tiresome

Me: Same thing

Of course, the same thing on the desktop! Left a nice easter egg in the tab bar though, which wasn’t noticed of course.

Scammer: so is the deal canceled?

Me: I can’t seem to get payment from you so I’m not sure what you want me to do

Me: maybe you have other suggestions

Scammer: there is a suggestion to put an end to this

HE’S FINALLY CLOCKED ON!

Me: go onnnn

Scammer: Goodbye

At this point, I’d done a fair bit of sleuthing, and determined his name was probably not Mark. I’d also reported both domains to their registrars, reported abuse to their host, reported them to the various safe browsing blacklist services, etc.

Me: Have a lovely evening Mark :)

Me: Does your scam work often?

Scammer: almost always

Me: how much do you make?

Scammer: it’s a secret

Me: welp, I hope you find some joy in life that doesn’t involve destroying others lives, and I hope you enjoyed having so much of your time wasted, I certainly had a whale of a time in Photoshop :)

Let me know what you thought! Hit me up on Mastodon at @kn100@fosstodon.org.