Zhanga Redux

The chronicles of the work and personal life of a boring software developer with an awesome dog.

Advance fee fraud targeted against local photographers

Monday, March 9, 2015

I received a suspicious email a month ago via A Tale Ahead Photography's contact form:

From: Thomas Taylor <generalglaber@gmail.com>


How are you doing ?,i will like to know your availability day in
Feb,2015 just 4 hours service,also i will need portrait work done after
the photography work is done after the event...............i will like
you to get back to me with your availability day in Feb,2015 it a
family reunion party..........i will like you to email back Asap 
.Do you accept credit card payment ?

Thomas T

It's not only distinctly un-American, but the grammar and syntax closely match the style of emails from Nigerian princes. It's also worth noting that he filled in the "date of event" field on my contact form as "20 02 2015." In fact, I'm betting this is the side job of one such prince on days when he's away from his palace. Anyway, if you couldn't tell, I was getting set up for the classic fake check scam, except this time with a stolen credit card. What's neat in this particular case is that it's not just a generic scam, but rather, locally and specifically targeted against photographers like Annie & myself.

I thought I'd mess around a bit and string him along. Note that these aren't things I would say to a real client... I would never ask a client to reschedule a family reunion party for me, or matter-of-factly add 60% as a travel fee. But "Thomas" didn't mind! Read on...

Hi Thomas,

Thank you for contacting me. I am available for your family reunion 
party on most days this month. What day and time is your party and 
where is it located?

From: Thomas Taylor <generalglaber@gmail.com>

Yes good to hear this i am looking for Feb,20th but i don't know maybe
the date is open,if the date is open with you that would be okay,also
what is your accurate cost for 4 hours service?,and i can see you can 
handle my family reunion party photography service
Photo size i want,get back to me with the accurate cost.
16x20 and 7 portrait of my family,and here is the address of the venue
470 West 7th Street San Pedro, California 90731.
The event start 12noon.


(The email above actually used four different fonts/sizes/colors. Copy/pasting from different templates?)

Hi Thomas,

The cost for four hours of photography is $1150. How many of each print
did you want? Our prints start at $1.50 for each 4x6". I am actually booked
on Feb 20, though. Any chance you could reschedule for another day?

From: Thomas Taylor <generalglaber@gmail.com>

Okay can i make it on the 21st? and i want at least two each of them so 
i want you to make it as fast as you can.....
thank you.

Hi Thomas,

Sure, the rate would be $1150 plus the 10 prints would be a total of 
$125 extra. There is also a travel fee of $660 as your party will be 
approximately 6 hours from our studio. Would this total of $1935 work for you?

From: Thomas Taylor <generalglaber@gmail.com>

Yes good,
I am okay with the cost of $1935 does that include processing fee + tax 
cause i would need you to do me little favour cause i have a little issue 
with the payment of the venue the management of the venue for the event the 
manager told me he didn't have a credit card machine so i will need you to 
do me the favor to add his fee together with your fee he has to receive 
1900$  thru via western union for the booking of the venue so i will like 
you to get back to me with the total cost so that i can make the payment 
today or tomorrow.
Also , the reason why you are sending money via western union to the manager 
is because they have to receive payment upfront and their credit card machine 
is faulty at the moment.


Ah ha! There it is.

Sure, that's fine. Can you provide me with the name and contact info of the venue?

From: Thomas Taylor <generalglaber@gmail.com>

Yes sure, i will give you the necessary info once you have run my credit 
card, and what type of credit card do you accept?

We accept all types of credit cards, but I need the contact info of the 
venue. Could you provide that information to me?

From: Thomas Taylor <generalglaber@gmail.com>

Here is the number of the venue 312 681 0885 ask of Terry Lisa thank you.

312 is a Chicago area code. I guess they can't afford to buy a local VOIP number?

Hi Thomas,

My phone is having issues and I can't dial long distance right now. The 
number you gave me is a 312 number. Does the venue have a local phone number?

From: Thomas Taylor <generalglaber@gmail.com>

Sorry for that, you can also reach them on there email terrysa001@gmail.com 
soget back to Asap.

Hi Thomas,

That email didn't work. Why doesn't the venue have a local phone number?

From: Thomas Taylor <generalglaber@gmail.com>

I don't know, heaven me i normally send them via email but for that phone i don't know....
So i want to know if you are ready for my card or not? because i want to make the 
payment so i will know i have payed 
upfront for the venue thank you david.

Sure, I am ready. I will try emailing again tomorrow. What is the credit card number?

From: Thomas Taylor <generalglaber@gmail.com>

I will like to know all the neccessary informations needed on my Credit Card...

Hi Thomas,

I just need the credit card number as well as whether it's Amex/Visa/Mastercard/etc.

From: Thomas Taylor <generalglaber@gmail.com>

CARD NUMBER:[redacted]

NAME ON CARD: Thomas Taylor

C V V CODE: [redacted]



BILLING POST CODE: [redacted, but in California]

 I will like you to charge on my card and get back to me with the approval 


Thanks Thomas. Would you like me to charge the amount in US dollars or Naira?

(Naira is the Nigerian currency.)

From: Thomas Taylor <generalglaber@gmail.com>

US dollars what do you mean Naira? who is Naira? kindly charge my card in 
US dollars and get back to me with the approval code..

I ran out of things to say at this point. I should note that I immediately contacted both stopit@mastercard.com and spoof@citicorp.com to report the Citi-issued Mastercard as stolen, but never heard back.

Tags: fraud, photography | Posted at 12:24 | Comments (6)

Changing the time zone in CentOS

Friday, June 6, 2014

Here's how to change the time zone in CentOS. This should work on both CentOS 5 and 6.

First, determine the correct timezone. You can do this using tzselect (which just outputs some text and doesn't save anything), or by looking in /usr/share/zoneinfo for the right file. I'm on Pacific time, so for me it would be America/Los_Angeles.

Now, back up your existing time zone file:

# mv /etc/localtime /etc/localtime.bak

Then symlink the desired zoneinfo file to localtime:

# ln -s /usr/share/zoneinfo/America/Los_Angeles /etc/localtime

Now if you run date, the appropriate time zone should be displayed. There is one more step though. Open up the file /etc/sysconfig/clock and edit it to reflect the appropriate zone. For example:


Without this change, /etc/localtime will get overwritten and will revert to the previous time zone after yum or rpm updates tzdata.

Tags: linux | Posted at 08:53 | Comments (0)

A Tale Ahead: Event and Wedding Photographers in Mountain View

Thursday, May 8, 2014


Annie and I have decided to take our love of photography to the next level and make it a career and a way of life — so far it has been going really well, and we've gotten lots of absolutely glowing feedback!

We're currently covering weddings and events around the San Francisco Bay Area, from San Francisco to San Jose and also the East Bay. Check out our website at ataleahead.com!

Tags: photography | Posted at 09:53 | Comments (0)

Darktable + Nvidia OpenCL on Fedora

Thursday, March 20, 2014

Darktable's OpenCL isn't activated by default on Fedora when using the RPMFusion Nvidia drivers, apparently because Darktable can't find the library:

$ darktable -d opencl
[opencl_init] trying to load opencl library: '<system default>'
[opencl_init] could not find opencl runtime library 'libOpenCL'
[opencl_init] no working opencl library found. Continue with opencl disabled
[opencl_init] FINALLY: opencl is NOT AVAILABLE on this system.
[opencl_init] initial status of opencl enabled flag is OFF.

A quick, if hacky, solution is to just make a symlink in Darktable's directory so it can find the library:

# ln -s /usr/lib64/nvidia-304xx/libOpenCL.so.1 /usr/lib64/darktable/libOpenCL.so

(Obviously, adjust the paths based on your system.)

Tags: darktable, fedora | Posted at 01:35 | Comments (0)

Prosper's insecure bank account management feature

Wednesday, December 4, 2013

Prosper Marketplace is one of the two big peer-to-peer lending platforms (the other being Lending Club), where individuals can loan or borrow money from each other. Like any online investment system, it provides a way for users to move money in and out via ACH transfers to regular bank accounts. And to do that, one needs to link one's Prosper account and bank account.

Since we're talking about a financial institution making important account changes, surely they have a secure way to do this, right? Wrong.

Back in March 2012 when I started making loans on Prosper, the process was pretty standard: enter the bank account number into Prosper.com (over HTTPS), wait a few days for some verification deposits of less than $1 each, and then log back into Prosper.com and type in the amounts to verify that you really own the bank account. This seems to work for most financial institutions, but apparently not Prosper, because, in a unique move that harms both security and usability, they've changed it. Now, when trying to add or remove a bank account, Prosper shows the following message:

For security reasons, to add or change your bank account, you must print a fax cover sheet and attach a copy of a cancelled check from the bank account you wish to add.

Click here to print a specially coded fax cover sheet which will speed processing. Specific instructions are printed on the cover sheet.

The instructions say to fax or email a copy of the account holder's driver's license and either a voided check or recent bank statement. And they won't accept this form snail-mailed or hand-delivered (I called to check). This is horrible!

Fax and email are both completely insecure methods of communication. Anyone between me and Prosper can read, copy, and store my driver's license, bank account number, address, and whatever other personal information I might be sending (like any recent transactions shown on the bank statement). Email is probably worse because typically emails are routed through a couple of servers, creating multiple copies along the way.

It's especially scary that Prosper's message begins with "for security reasons" — is their intent to eliminate security? Because that's the only effect on security that I can see. If there is any security benefit to this approach at all, I'd love to hear. Anyway, how can Prosper even verify whether a copy of a driver's license, check, or bank statement is legitimate? Copies of all of these items are trivially forgeable.
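For contrast, the verification-deposit process described earlier in this post proves that the requester can read the account's statement, which a forged copy of a check cannot do. A sketch of that check, added here as an illustration and not Prosper's code; the class name, the three-attempt limit and the ten-day expiry are assumptions:

```python
import hmac
import secrets
import time

MAX_ATTEMPTS = 3               # assumed policy, not stated in the post
EXPIRY_SECONDS = 10 * 86400    # assumed policy: challenge lapses after 10 days


class MicroDepositChallenge:
    """Hypothetical model of the two-deposit ownership check."""

    def __init__(self, now=None):
        # Two random amounts in cents, each 1..99 ("less than $1 each").
        self.amounts = sorted(secrets.randbelow(99) + 1 for _ in range(2))
        self.created = time.time() if now is None else now
        self.attempts_left = MAX_ATTEMPTS
        self.verified = False

    def verify(self, cents_a, cents_b, now=None):
        """Return 'verified', 'wrong', 'locked' or 'expired'."""
        now = time.time() if now is None else now
        if self.verified:
            return "verified"
        if now - self.created > EXPIRY_SECONDS:
            return "expired"
        if self.attempts_left <= 0:
            return "locked"          # guessing budget spent; issue new deposits
        self.attempts_left -= 1
        guess = sorted((int(cents_a), int(cents_b)))   # order does not matter
        # Constant-time comparison of the encoded amounts.
        if hmac.compare_digest(repr(guess).encode(), repr(self.amounts).encode()):
            self.verified = True
            return "verified"
        return "wrong"


if __name__ == "__main__":
    challenge = MicroDepositChallenge()
    print("bank statement would show (cents):", challenge.amounts)
    print("forged paperwork, no statement access:", challenge.verify(0, 0))
    print("real account holder:", challenge.verify(*challenge.amounts))
```

With 99 possible values per deposit and three attempts, blind guessing succeeds well under 0.1% of the time, and the lockout forces a fresh pair of deposits after that.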

Worse, Prosper is requiring its lenders to send private documents over an insecure channel. One example attack, just for illustration, might be the following:

  1. Intercept a legitimate fax/email containing relevant documents. (Example methods: hack an insecure mail server along the route, hack a router, DNS attacks, routing attacks, bribe a Gmail/Hotmail/Yahoo employee, wiretap ...)
  2. Slightly modify the voided check or bank statement to show the same name, but an account number owned by the attacker.
  3. Send Prosper a new email containing the real driver's license with the modified check or bank statement.
  4. The victim probably doesn't notice since the "Bank Accounts" section of the Prosper site only shows the name of the bank and the last few digits of the account number; only the account number will have changed.
  5. Wait for the real user to withdraw some cash out of Prosper.
  6. Profit!

I am extremely disappointed that Prosper has taken such a giant leap backwards in terms of security and am strongly considering withdrawing my funds from the platform and leaving — if this is how their public-facing side operates, then what security nightmares are hidden from view?

Tags: prosper, security | Posted at 23:42 | Comments (1)