ABC of Hoax Site Investigation
May 24, 2015

What is a Hoax/Phishing Site?
A site designed to steal passwords / numbers / sensitive information.
Disguised as a trustworthy entity so people fall for the scam

Hoax site history at Full Tilt
First hoax site appeared back in November 2005.
A lot of money stolen in March 06.
A lot of money stolen in Sept 06, however we were able to recover 90%
Seeing a new hoax site every few days
Majority of hoax sites appear to be from the same group. Very professional.
Very few other phishing scams appear.

Our Job
Respond to all hoax/phishing related questions.
Investigate accounts to see if they have been compromised.
Forward any accounts that have had funds stolen to Fraud Queue in Kana

New Procedures
Handbook entry: file://///tpfs1nw/workflow$/HANDBOOK/HANDBOOK/Initial%20Response%20for%20Hoax%20Related%20Emails.html
Answer emails in Hoax Related queue
Determine if player is informant or victim
Place restrictions on account
Respond to player addressing concerns and educate them

Email review – Victim or Informant?
Case #1
----- Original Message -----
From: TOM LOUIE
To: support@sign-fulltiltpokercom
Sent: Monday, February 26, 2007 5:22 PM
Subject: $50000 giveaway
hi, this is jenl88 again. at 2-14-2007 about 4am I was informed that two players visit try fulltiltpoker.com will get the $50000 giveaway. so I did it gave you all the informations ss # credit card # and all the informations. it said the funds will deposit to my credit card account. now I haven't get it yet. it said if I don't get it yet I should e-mail to you after 5 business days. please let me know what happen. thank you!!

Case #1 - Victim
Apply Restrictions
Review Know100
Respond to player. In this case we would add the web address to report Social Security Number fraud. (http://www.ssa.gov/oig/hotline/index.htm)

Email review – Victim or Informant?
Case #2
To: support@fulltiltpokercom
Sent: 03/03/07 8:14 PM
Subject: Received this chat during tournament play…
ACEPUTZ (Observer):
========================================
System: FullTilt Poker giveaway $50,000. The first two players from this table who visit the website www.win50k-fulltiltpoker.com they will win $25,000. Hurry tilters!!! Admin : Chris Ferguson

Case #2 - Informant
Send template XXX.XXX
We thank these players for letting us know. Tell them how much we value players like themselves here at Full Tilt Poker

Email review – Victim or Informant?
Case #3
To: security@fulltiltpokercom
Sent: 03/03/07 8:17 PM
Subject: scam
My name is Joseph Welcome..My Full tilt nicname is anvil1765 my listed email address is [email protected]. I was playing $10+1 11pm tourney game# 13906402 at table #33 when an observe names ACEPUTZ did the $50,000 give away scam....Just letting u know

Case #3 - Informant
Send template XXX.XXX
We thank these players for letting us know.
Tell them how much we value players like themselves here at Full Tilt Poker

Email review – Victim or Informant?
Case #4
To: security@fulltiltpokercom
Sent: 03/03/07 8:28 PM
Subject: scam
I received this message while playing poker at your site. In a moment of stupidity I logged on to the site it looked like the full tilt site so I gave them my login and e-mail but did not give them my password on the next page it asked for net teller or credit card info and then I realized that I was making a mistake. Do I need to change my login?

Case #4 – Victim
Player informed us that they didn’t give password
We do not need to place restrictions on account.
Respond to player requesting they change their password just to be safe.

Email review – Victim or Informant?
Case #5
To: security@fulltiltpokercom
Sent: 03/03/07 8:28 PM
Subject: Very URGENT!! Please help
I went to the website, and it was full-tilt poker website, it told me that I am the second visitor and asked me for my Id and e-mail address. I filled it out and clicked next, and then it asks me for my epassporte ID and password. This is where I am right now. I want to know if this offer is legit. Please reply ASAP.

Case #5 – Victim
Player entered PlayerID and email, and was waiting for us to respond
Assume player was impatient and entered details.
Follow standard victim procedures

Email review – Victim or Informant?
Case #6
To: security@fulltiltpokercom
Sent: 03/03/07 8:28 PM
Subject: possible scam
This was posted in the message part of the table during tournament 13449279. I went to the site and they said congrats etc, fill out name, password, and e-mail address. I did and then it said you could not put the money in my Full tilt account and offered options like paypal. That is when I quit the process.
I changed my password to my account. My screename is 2007orBust and my e-mail address is [email protected].
Please let me know i this was a fraud and if I need to do anything further.

Case #6 – Victim
Player entered PlayerID and email. However they had informed us that they had changed their password. Therefore account is secure.
No need to place restrictions or reset password.
Confirm for player that this was a hoax site, and thank them for changing password.

Reading Know100
Run a Know100 with a big threshold like 9999999
We are looking for a foreign login over the past few days.
Foreign Logins
Clean logins
Evidence of chip dumping
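
The foreign-login check above, sketched as an added example (not part of the original slides and not Know100 itself). It assumes "foreign" means a country the account never logged in from before the review window; the record layout, the function name review_logins and the sample data are constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample login history: (timestamp, country code, IP address).
# This is NOT Know100 output; IPs are documentation ranges, "XX" is a placeholder country.
SAMPLE_LOGINS = [
    (datetime(2007, 2, 10, 21, 5), "US", "192.0.2.10"),
    (datetime(2007, 2, 18, 20, 40), "US", "192.0.2.10"),
    (datetime(2007, 2, 25, 22, 15), "US", "192.0.2.44"),
    (datetime(2007, 3, 3, 19, 50), "US", "192.0.2.44"),
    (datetime(2007, 3, 3, 20, 31), "XX", "203.0.113.7"),
    (datetime(2007, 3, 4, 2, 12), "XX", "203.0.113.9"),
]


def review_logins(logins, reviewed_at, window_days=5):
    """Flag logins from the past few days that come from an unfamiliar country.

    baseline      countries seen BEFORE the review window (the player's normal pattern)
    foreign       logins inside the window from a country outside the baseline
    manual_review True when there is no earlier history to compare against,
                  so an empty "foreign" list must not be read as "clean"
    """
    window_start = reviewed_at - timedelta(days=window_days)
    baseline = {country for ts, country, _ in logins if ts < window_start}
    recent = [entry for entry in logins if window_start <= entry[0] <= reviewed_at]

    if not baseline:
        # New account or truncated history: nothing to compare with.
        return {"baseline": baseline, "foreign": [], "manual_review": bool(recent)}

    foreign = [entry for entry in recent if entry[1] not in baseline]
    return {"baseline": baseline, "foreign": foreign, "manual_review": False}


if __name__ == "__main__":
    result = review_logins(SAMPLE_LOGINS, datetime(2007, 3, 4, 12, 0))
    for ts, country, ip in result["foreign"]:
        print(f"foreign login: {ts:%Y-%m-%d %H:%M} {country} {ip}")
```

An empty "foreign" list with manual_review set to False corresponds to the "No foreign logins found" wording used when notating the account.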

Restricting Account
1. Select the ‘Security & Limits’ tab in WAT
2. Check ‘No Play’, ‘No Mix’, ‘No Deposit’, ‘No Transfer’, ‘No Chat’ and hit Submit and Accept.

Reset Password
On Player Summary page, select Reset Password. Enter ‘Hoax Site Victim – Resetting Password’

Notate account
In WAT, notate account with:
“HOAX: Victim of hoax site. No foreign logins found. Reset password and placed restrictions on account. Once player emails in confirming they have changed their password, please remove restrictions.”
Note: Please ensure player doesn’t have any current chat related bans.

Sending Email
We will be using templates, however it should be customized just like every other email
If they mention a payment processor, provide their contact details.
If they say a credit card, then get them to contact their bank
Sympathize with the player
Educate with links to our identity protection page.

Account used to spam hoax site
1. Boot player from system.
2. Notate account with: “Hoax Site victim – Used to spam hoax site”
3. Restrict account.
4. Send player an email.
5. Follow handbook to have website removed
Note: Do not TRAP account. This will only cause headaches for us.

Evidence of stolen funds
Pause account
IR the player explaining their account has been compromised and we are investigating.
Route the follow-up to the fraud queue