
Mexican Pickpocket and Fraud Ring

a guest
Jan 7th, 2016
I was visiting Mexico and (almost) got defrauded, compromised, whatever you want to call it. Here's how:

--------------------
Summary
--------------------

- Walking down street
- Transvestite puts arms around me
- Quickly pushed it away
- Realized about a minute after that it pick-pocketed my iPhone and ran to chase it down. It let me pat them down but no phone. Must have passed it off to someone else in that short time period. Phone case had my ID and credit card.
- I quickly canceled my credit card and marked my phone as lost on FindMyPhone
- Had my personal email address compromised and password changed. They briefly had access to my SMS on my locked screen notification window until I disabled SMS with Verizon. They used SMS to gain access to my account and change the password.
- I was able to recover my gmail account with backup codes.
- I discovered where they signed in from (details). It was in Playa del Carmen, Quintana Roo, Mexico (where my phone got stolen) on January 4, 4:12 PM, from IP address 187.252.94.69, Windows Device, Browser Chrome 47.0
- They then tried phishing my iCloud credentials (see one of the phishing emails below). The link is now expired, but it went to a page that was a clone of the iCloud login page. From "supports@iserver.com" claiming to be Apple Support
-- The link went to http://lcloud.center/E84EF2
-- The whois information for lcloud.center is below
-- The email is below
- I proceeded to get calls from (661)748-0240 in Bakersfield, CA which I assume is a Skype VoIP number. The caller was a male who barely spoke English. He claimed that "He just bought the phone at a flea market, but the phone is locked, and he will pay $250 to unlock it for me. He just wants to give it to his daughter and will even record himself wiping the phone after" - I kindly declined. The number seems to be frequently used for scams: http://800notes.com/Phone.aspx/1-661-748-0240
- I also got calls from 18002752273 and Unknown callers
- I assume this is quite a fraud ring at play

--------------------
Sign in location
--------------------

Device: Windows
Time: January 4, 4:12 PM
Location: Playa del Carmen, Quintana Roo, Mexico
Browser: Chrome 47.0
IP address: 187.252.94.69

--------------------
Email is from
--------------------

from: Support <no-reply@apple.com>
date: Mon, Jan 4, 2016 at 11:26 PM
subject: Notificacion
mailed-by: mailing.rulerhost.net
signed-by: rulerhost.net

--------------------
Phishing email
--------------------

SUBJECT: Apple Notificacion
BODY:
iPhone 6s Plus Rose Gold has been found today .
iPhone 6s Plus Rose Gold last known location will be available for 24 hours.
See Location [link to http://lcloud.center/E84EF2 which is now inactive]
iCloud is an Apple Service. My Apple ID | Support | Terms and Conditions | Privacy Policy
Copyright © 2013 Apple Inc. 1 Infinite Loop, Cupertino, CA 95014, United States. All rights reserved.

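The two tells in the message above are visible without opening the link: the From: header claims apple.com while the mail was relayed and DKIM-signed by rulerhost.net, and the link host "lcloud.center" only resembles "icloud" because a lowercase L stands in for the i. The script below is an added example (not part of the original paste) that checks both, with the sample headers and body transcribed from the sections above; the list of legitimate Apple domains and the confusable-character map are assumptions of the example, and the registrable-domain extraction is deliberately crude (last two labels).

```python
import re
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Constructed sample, transcribed from the headers and body quoted above.
SAMPLE_HEADERS = {
    "from": "Support <no-reply@apple.com>",
    "mailed-by": "mailing.rulerhost.net",
    "signed-by": "rulerhost.net",
}
SAMPLE_BODY = (
    "iPhone 6s Plus Rose Gold has been found today.\n"
    "See Location http://lcloud.center/E84EF2\n"
)

# Domains the brand really sends mail from / hosts links on (assumption for this example).
LEGIT_DOMAINS = {"apple.com", "icloud.com"}

# Characters that are routinely swapped for look-alikes in phishing domains (assumed set).
CONFUSABLES = str.maketrans({"l": "i", "1": "i", "0": "o", "5": "s", "3": "e"})


def org_domain(host: str) -> str:
    """Crude registrable-domain extraction: keep the last two labels (ignores multi-part TLDs)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def from_domain(from_header: str) -> str:
    """Pull the domain out of a 'Name <user@domain>' From: header."""
    m = re.search(r"@([\w.-]+)", from_header)
    return m.group(1).lower() if m else ""


def alignment_findings(headers: Dict[str, str]) -> List[str]:
    """DMARC-style relaxed alignment: the From: domain must match the relaying/signing domain."""
    findings = []
    sender = org_domain(from_domain(headers.get("from", "")))
    for key in ("mailed-by", "signed-by"):
        value = headers.get(key)
        if value and org_domain(value) != sender:
            findings.append(f"{key} domain {org_domain(value)} does not align with From: domain {sender}")
    return findings


def lookalike(host: str, brands=("icloud", "apple")) -> Optional[str]:
    """Return the brand a non-legit host imitates once confusable characters are folded, else None."""
    if org_domain(host) in LEGIT_DOMAINS:
        return None
    # Fold both the host label and the brand through the same map so 'lcloud' and 'icloud' collide.
    label = org_domain(host).split(".")[0].translate(CONFUSABLES)
    for brand in brands:
        if brand.translate(CONFUSABLES) in label:
            return brand
    return None


def link_findings(body: str) -> List[str]:
    """Flag every URL in the body whose host imitates a brand without being a known brand domain."""
    findings = []
    for url in re.findall(r"https?://[^\s\]]+", body):
        host = urlparse(url).hostname or ""
        brand = lookalike(host)
        if brand:
            findings.append(f"link host {host} looks like {brand} but is not a known {brand} domain")
    return findings


def analyze(headers: Dict[str, str], body: str) -> List[str]:
    """Combine header-alignment and link-host findings for one message."""
    return alignment_findings(headers) + link_findings(body)


if __name__ == "__main__":
    for finding in analyze(SAMPLE_HEADERS, SAMPLE_BODY):
        print("SUSPICIOUS:", finding)
```

Run against the sample it reports three findings: the mailed-by and signed-by domains both fail to align with apple.com, and lcloud.center is flagged as an icloud look-alike. A real mail client exposes the same facts as "mailed-by"/"signed-by" (Gmail) or in the Authentication-Results header, which is where this check belongs in practice.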
--------------------
Email 2 after they saw I clicked
--------------------

Dear [MY NAME].
We read your letter.. u can log into that site to retrieve location for you device. in case u don't want to verify the location just dismiss that email. location will be available for the next 24 hrs
Apple Support

--------------------
Whois information of lcloud.center
--------------------

Domain Name: lcloud.center
Domain ID: 05360674a6c944a19f7190b3d9e3df92-DONUTS
WHOIS Server: whois.registrar.eu
Referral URL: http://www.registrar.eu
Updated Date: 2015-12-04T01:09:35Z
Creation Date: 2015-10-08T03:18:31Z
Registry Expiry Date: 2016-10-08T03:18:31Z
Sponsoring Registrar: Registrar.eu
Sponsoring Registrar IANA ID: 1647
Domain Status: clientTransferProhibited https://www.icann.org/epp#clientTransferProhibited
Registrant ID: pp904129mx3798
Registrant Name: Proteccion Privacidad
Registrant Organization: RulerHost
Registrant Street: Calle Gema No 32 U. Habitac
Registrant City: Tizayuca
Registrant State/Province: Hidalgo
Registrant Postal Code: 43800
Registrant Country: MX
Registrant Phone: +52.5514642471
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: privacidad@rulerhost.net
Admin ID: pp904129mx3798
Admin Name: Proteccion Privacidad
Admin Organization: RulerHost
Admin Street: Calle Gema No 32 U. Habitac
Admin City: Tizayuca
Admin State/Province: Hidalgo
Admin Postal Code: 43800
Admin Country: MX
Admin Phone: +52.5514642471
Admin Phone Ext:
Admin Fax:
Admin Fax Ext:
Admin Email: privacidad@rulerhost.net
Tech ID: pp904129mx3798
Tech Name: Proteccion Privacidad
Tech Organization: RulerHost
Tech Street: Calle Gema No 32 U. Habitac
Tech City: Tizayuca
Tech State/Province: Hidalgo
Tech Postal Code: 43800
Tech Country: MX
Tech Phone: +52.5514642471
Tech Phone Ext:
Tech Fax:
Tech Fax Ext:
Tech Email: privacidad@rulerhost.net
Name Server: cns49293.hostwindsdns.com
Name Server: cns49292.hostwindsdns.com
DNSSEC: unsigned
>>> Last update of WHOIS database: 2016-01-07T22:35:42Z <<<

--------------------
Whois for rulerhost.net
--------------------

Domain Name: rulerhost.net
Registry Domain ID:
Registrar WHOIS Server: whois.registrar.eu
Registrar URL: http://www.registrar.eu
Updated Date: 2015-11-08T08:29:28Z
Creation Date: 2013-12-17T17:37:56Z
Registrar Registration Expiration Date: 2016-12-17T17:37:56Z
Registrar: Hosting Concepts B.V. d/b/a Openprovider
Registrar IANA ID: 1647
Registrar Abuse Contact Email: abuse@registrar.eu
Registrar Abuse Contact Phone: - (use e-mail)
Registry Registrant ID: EG905005-MX
Registrant Name: Edgar Alan Guerrero Montejo
Registrant Organization: RulerHost
Registrant Street: Calle Gema No 32
Registrant City: Tizayuca
Registrant State/Province:
Registrant Postal Code: 43800
Registrant Country: MX
Registrant Phone: +52.5569535187
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: alan@rulerhost.net
Registry Admin ID: EG905005-MX
Admin Name: Edgar Alan Guerrero Montejo
Admin Organization: RulerHost
Admin Street: Calle Gema No 32
Admin City: Tizayuca
Admin State/Province:
Admin Postal Code: 43800
Admin Country: MX
Admin Phone: +52.5569535187
Admin Phone Ext:
Admin Fax:
Admin Fax Ext:
Admin Email: alan@rulerhost.net
Registry Tech ID: EG905005-MX
Tech Name: Edgar Alan Guerrero Montejo
Tech Organization: RulerHost
Tech Street: Calle Gema No 32
Tech City: Tizayuca
Tech State/Province:
Tech Postal Code: 43800
Tech Country: MX
Tech Phone: +52.5569535187
Tech Phone Ext:
Tech Fax:
Tech Fax Ext:
Tech Email: alan@rulerhost.net
Name Server: ruler02.rulerhost.net
Name Server: ruler01.rulerhost.net
DNSSEC: unsigned

--------------------
Pseudo information of fraudster
--------------------

Edgar Alan Guerrero Montejo
alan@rulerhost.net
Calle Gema No 32
Tizayuca, Mexico, 43800
+52.5569535187

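The link between the two WHOIS records above is what turns a privacy-proxied phishing domain into something attributable: lcloud.center hides behind "Proteccion Privacidad", but its contact e-mail lives at rulerhost.net, and both records share the registrar IANA ID, organization, street, city, postal code and country. The script below is an added example (not part of the original paste) that parses WHOIS text of this shape and reports the fields on which two records agree; the embedded records are trimmed copies of the ones quoted above with the personal registrant name replaced by a placeholder, the pivot-key list and the key alias table are assumptions of the example, and the prefix rule for matching values (so "Calle Gema No 32 U. Habitac" matches "Calle Gema No 32") is a deliberate simplification.

```python
import re
from collections import defaultdict
from typing import Dict, List, Set

# Trimmed copies of the two WHOIS records quoted above; the registrant's personal
# name is replaced with a placeholder here.
WHOIS_LCLOUD = """\
Domain Name: lcloud.center
Sponsoring Registrar IANA ID: 1647
Registrant Name: Proteccion Privacidad
Registrant Organization: RulerHost
Registrant Street: Calle Gema No 32 U. Habitac
Registrant City: Tizayuca
Registrant Postal Code: 43800
Registrant Country: MX
Registrant Phone Ext:
Registrant Email: privacidad@rulerhost.net
Name Server: cns49293.hostwindsdns.com
Name Server: cns49292.hostwindsdns.com
>>> Last update of WHOIS database: 2016-01-07T22:35:42Z <<<
"""

WHOIS_RULERHOST = """\
Domain Name: rulerhost.net
Registrar IANA ID: 1647
Registrant Name: [REGISTRANT NAME PLACEHOLDER]
Registrant Organization: RulerHost
Registrant Street: Calle Gema No 32
Registrant City: Tizayuca
Registrant Postal Code: 43800
Registrant Country: MX
Registrant Email: alan@rulerhost.net
Name Server: ruler02.rulerhost.net
Name Server: ruler01.rulerhost.net
"""

# Registrars label the same field differently; map variants onto one name (assumed table).
ALIASES = {"Sponsoring Registrar IANA ID": "Registrar IANA ID"}

# Fields worth pivoting on when looking for infrastructure registered by the same party.
PIVOT_KEYS = ("Registrar IANA ID", "Registrant Organization", "Registrant Street",
              "Registrant City", "Registrant Postal Code", "Registrant Country")


def parse_whois(text: str) -> Dict[str, List[str]]:
    """Turn 'Key: value' lines into a dict; repeated keys (Name Server) become lists, empty values are dropped."""
    record: Dict[str, List[str]] = defaultdict(list)
    for line in text.splitlines():
        if line.startswith(">>>") or ":" not in line:
            continue
        key, _, value = line.partition(":")
        value = value.strip()
        if value:
            record[key.strip()].append(value)
    return dict(record)


def normalise(record: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Apply key aliases and fold whitespace/case so values from different registrars compare."""
    out: Dict[str, List[str]] = {}
    for key, values in record.items():
        key = ALIASES.get(key, key)
        out.setdefault(key, []).extend(re.sub(r"\s+", " ", v).strip().lower() for v in values)
    return out


def values_overlap(xs: List[str], ys: List[str]) -> List[str]:
    """Values match when equal or when one is a prefix of the other (catches abbreviated addresses)."""
    return sorted({x for x in xs for y in ys if x.startswith(y) or y.startswith(x)})


def email_domains(record: Dict[str, List[str]]) -> Set[str]:
    """All domains appearing in the *Email fields of a record."""
    domains = set()
    for key, values in record.items():
        if key.endswith("Email"):
            domains.update(v.split("@", 1)[1].lower() for v in values if "@" in v)
    return domains


def link_records(a: Dict[str, List[str]], b: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Report every pivot field on which records a and b agree, plus a contact e-mail pointing at b's domain."""
    na, nb = normalise(a), normalise(b)
    shared: Dict[str, List[str]] = {}
    for key in PIVOT_KEYS:
        common = values_overlap(na.get(key, []), nb.get(key, []))
        if common:
            shared[key] = common
    b_domain = b.get("Domain Name", [""])[0].lower()
    if b_domain and b_domain in email_domains(a):
        shared["Contact email domain"] = [b_domain]
    return shared


if __name__ == "__main__":
    for key, values in link_records(parse_whois(WHOIS_LCLOUD), parse_whois(WHOIS_RULERHOST)).items():
        print(f"{key}: {', '.join(values)}")
```

Seven fields line up between the two records, which is what justifies the "pseudo information" summary above; an unrelated record (different registrar, country and contact domain) produces no links at all. When doing this for real, pull current records from the registrar's WHOIS or RDAP endpoint rather than a pasted copy, since privacy proxies and registrant details change over time.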
--------------------
Takeaways
--------------------

- Don't let random people touch you
- Don't show messages on the lock screen (Settings > Notifications > Show on Lock Screen > Off)
- Auto-erase the phone after 10 failed passcode attempts (Settings > Touch ID & Passcode > Erase Data > On)
- Require 2-factor authentication everywhere possible
- Use authenticator apps when possible, not SMS
- Use a PIN at least 6 digits/characters long
- Mark the phone as lost with both Apple and your carrier (ex. Verizon)
- Generate backup codes and store them in a secure location
- Check afterwards that your email accounts don't have forwarding addresses added
- Use PixelBlock https://chrome.google.com/webstore/detail/pixelblock/jmpmfcjnflbcoidlgapblgpgbilinlem?hl=en
- Generally don't click on most links :)

--------------------
Closing
--------------------

Hope this is helpful. If anyone wants to continue the digging, please be my guest!