Monday, May 18, 2020

College Students Beware

by Robin Pugh
President, DarkTower

Fraudsters are always quick to leverage a crisis for the purposes of cybercrime, and COVID19 has created a new target demographic of 14 million college students.  As over 1,100 colleges and universities across the United States have closed their doors, forcing students to leave their college housing, many have been actively pursuing a sub-lease of their off-campus housing to try to alleviate the financial burden of a semester now forced to go virtual.

Anatomy of a Rental Fraud
Most campuses have official or unofficial online bulletin boards where students can look for roommates, apartments, sub-lessors, etc., and these places are target-rich environments for fraudsters.  Take the case of my friend whose son, like millions of others, is now living at home, finishing out his semester online.  There’s no refund for his fees, tuition, or meal plan, and to continue to pay for his off-campus housing is yet another financial burden.  So, like millions of others, he and his parents have been looking for someone to sub-lease his apartment.  When they finally got a bite, it was from someone in a Facebook Group where he had posted his apartment for rent.  The person who contacted him was “Anthony S Felix” who did so on behalf of his ‘friend’ Liang—a nice, quiet, single woman with no kids and no pets – who was very interested in his place.  We’re going to call my friend’s son “Austin.”

Figure 1: hxxps://www.facebook[.]com/groups/NCSUOffCampusHousing/

Exactly as “Anthony” promised, his friend Liang texted Austin with her interest in sub-leasing his apartment.  
Figure 2:  Initial contact from Anthony introducing "Liang"

Liang built rapport and trust, sharing details of her job, the timeline of her move, and both her phone number and email address.  Since she is a traveling nurse, she wouldn’t be able to come see the apartment in person, which worked well, since the property managers weren’t allowing in-person showings anyway.  It seemed like a match made in heaven!

Figure 3: First communication from Liang

Liang’s move was being funded by her employer; so, she told Austin she was going to get them to approve her relocation costs and get back to him.  And she did – she committed to sub-leasing the apartment and promised to send her first partial-month’s rent right away.  
Very soon, Liang texted Austin with the tracking number for the rent check, but there was just one little problem.  The check was actually for quite a bit more than just her first partial-month’s rent of $386.  Her employer had mistakenly issued the check for all of her relocation costs, but she trusted Austin completely; so, she just asked that he keep the rent payment, and transfer the rest to her via Zelle.  As a matter of fact, she was so flexible that she didn’t even mind if he broke it into two payments of $1,000 each.

Figure 4: Communication with Liang, continued
          
Figure 5: Liang constructs the fraud


As Liang promised, the check arrived via USPS, and Austin’s parents deposited it into their Bank of America Wealth Management account.  Because they are long-time customers of Bank of America, the funds were available quickly, giving Austin’s parents confidence because a) it was a Cashier’s check, and b) since the funds were available, the check must have cleared.  They kept their end of the bargain, retaining $386 for the partial month’s rent and sending $2,249 via Zelle to the recipient Liang had directed.
A few days later, the bank notified Austin’s parents that the check had NOT, in fact, cleared, and they were now left with no renter, no first month’s rent, and a bank account balance $2,249 less than it should have been.  Due to the fact that Zelle transfers happen within minutes, there was no recourse to retrieve the funds that were now in the scammers hands.

Figure 6: Cashier's Check from Liang

Will the Real Anthony S. Felix Please Stand Up?
A review of Anthony’s Facebook profile shows no public posts since 2017; however, his Facebook URL reveals the name “Osunday Adekunle,” and a Facebook search reveals many profiles under the name Sunday Adekunle.  The “O” could possibly refer to the title “Oba” which, in West Africa, means “Ruler.”  Additionally, there are a few “friendversary” Facebook videos showing Adekunle and his Nigerian friends.  Regardless, his Facebook profile says that he is an employee at Oklahoma State University, living in Seattle, Washington.  That’s quite a commute!  His profile photo is a quote attributed to Bill Gates about his wish to become involved in Network Marketing.  

Figure 7: hxxps://www.facebook[.]com/osundayadekunle

His Likes include sketchy financial investment firms and Nigerian companies.

Figure 8: hxxps://www.facebook[.]com/osundayadekunle/likes

Austin is not alone
From reviewing the interactions between the scammers and Austin, I knew that this wasn’t the scammers’ first rodeo.  They had a well-crafted script that was designed to build trust with the victim until the very last minute when they realized their money had been stolen.  I reached out to the administrator of the Facebook Group “NCSU Off Campus Housing” to see if she’d be willing to speak with us.  While she declined to be interviewed, she allowed me to post in the Group, asking others who had been victimized to reach out to me with details. Within a day of posting, I received another story identical to Austin’s.  Same actors (“Anthony Felix” and “Liang Quain”) and the same story – traveling nurse, won’t be able to see the apartment first, but it’s PERFECT!  And whoops – my company accidentally sent all of my relocation funds to you, so I need you to keep $375 and send the rest to me via Zelle.

Figure 9: Liang texts to Victim 2


From Victim #2 – let’s call her Gabby – we learned a couple additional things.  She had saved a copy of the shipping label from the envelope containing the counterfeit check.  We knew from Austin’s tracking number that the check had been mailed from Newington, Connecticut, but with Gabby’s mailing label, we learned that the shipping label was from a legitimate company located in Hartford.  Fraudsters commonly use stolen shipping labels – it further covers their tracks and keeps their costs down!

Figure 10: Stolen Mailing Label addressed to Victim 2

Further, Gabby had a hard time sending the total amount via Zelle; so, she ended up sending part of the payment through Zelle and then was provided a CashApp ID to send the remainder.  She was given the name Christopher Brown and the associated ID to process the payment.
Because DarkTower has a good working relationship with the team at Early Warning, the owners of Zelle, we immediately reached out with the Zelle ID that the fraudsters were using to move money, and the team was able to notify the associated bank (Citizens Bank) and shut down the account.


Recommendations
Let’s talk briefly about the Facebook Group where these apartment sub-leases were shared.  The Administrator had actually done a very good job of trying to raise awareness in the Group about the fact that fraudsters and scammers would potentially target individuals posting there.  She has an ongoing list of names that she shares with the Group and updates regularly.  She also posted tips about identifying scams, not sending money to someone you don’t know, etc.  The Group requires approval to become a member, and you had to be a member to post.  However, you don’t have to be a member to SEE the posts and the names of the posters.  So, in this case, Anthony Felix could peruse the postings, identify a situation that was ripe for their scam, send a direct message to the poster, and then direct them off-platform to the next step of the scam.
Instant payment platforms are a wonderful thing for transactions with PEOPLE YOU KNOW and trust.  Many of them, including Zelle, even post warnings in their apps about not sending funds to people you don’t know.  Nevertheless, the scammers are really good at building trust with their victims and creating plausible scenarios that give a false comfort level to ignore those warnings and send out funds that can never be recovered.

1 comment:

Trying a new setting. After turning on comments, I got about 20-30 comments per day that were all link spam. Sorry to require login, but the spam was too much.