A kid was caught running a sophisticated phishing scam, in which he abused Google Ads to lure victims to a bogus gift card website.
Monster Phishing Scam Run By A Kid
At the beginning of the COVID-19 pandemic, a teenager created a fake “Love2Shop” gift card site from his bedroom. He used the phishing site to collect users’ payment information, invested the stolen money in cryptocurrency, and ultimately became a millionaire.
The U.K.-based 17-year-old scammer netted nearly $9,000 before customers of the real Love2Shop started to complain, and he got caught. Because he was a minor, his name was not disclosed.
Authorities reported that they found 12,000 credit card numbers and 197 PayPal accounts on his computer. He managed to collect $440,000 in stolen money.
“He had received through his PayPal accounts between January and March 2020 a total of £323,000,” the case’s prosecutor, Sam Skinner, said, according to Lincolnshire Live. “These sums came into his account and were transferred into cryptocurrency.”
Stolen Money Invested in Cryptocurrency
The ambitious teen not only set up a lucrative criminal scheme, but he also invested the stolen money in Bitcoin, his profits climbing to nearly $2.7 million.
“The police found a large quantity of cryptocurrency,” Skinner added. “There were 48 Bitcoins and a smaller number of other coins. At the time they were worth £200,000. They are now worth a little over £2 million.”
The teen cybercriminal was sentenced to a year in youth rehab for fraud and money laundering. His Bitcoin was confiscated.
Even Kids Can Phish In The Absence Of Cybersecurity Awareness
If a bored teen was able to conduct a cybercrime of massive proportions, then we really need to work on our online defenses and security awareness. Unfortunately, the incident shows us just how oblivious we are to cybersecurity fundamentals, according to John Bambenek, Netenrich’s principal threat hunter.
“Ultimately, 40 years on with Internet-connected technologies and we still can’t resolve two basic problems: How can consumers verify that the websites they visit are legitimate? And, How can financial institutions validate transactions are legitimate?” Bambenek said. “We’re failing so profoundly at the very basics that children can literally become millionaire criminals.”
Massive Platforms Need Better Security To Prevent Abuse
ThreatModeler’s CEO Archie Agarwal explained that the blame lies not only with users who fall victim to phishing attacks, but also with huge companies, which sometimes fail to protect their platforms from being abused.
“With the prevalence of open-source tools that scrape and rebuild replica existing websites in minutes, this type of crime is very hard to prevent,” Agarwal wrote. “And we must not make the mistake of blaming the victims for clicking links on a system built on clicking links. It is the duty of the security community and the large Internet companies such as Google and PayPal, who were used in this scam, to find ways for alarms to trip to protect users as fast as possible.”
“Our goal is to create a safe and trustworthy experience for users. We take matters of ad fraud very seriously and continue to vigorously enforce our policies and be nimble when faced with new threats,” a Google spokesperson stated.
The tech giant’s current ad policies prohibit brand impersonation, replicating content, and other misrepresentation strategies cybercriminals use to exploit Google’s platform.
Google vice president Scott Spencer explained how the pandemic and disinformation campaigns raised a series of challenges over the past year, but that the company continues to invest in cybersecurity improvement.
“Preserving trust for advertisers and publishers helps their businesses succeed in the long term,” Spencer added. “In the upcoming year, we will continue to invest in policies, our team of experts, and enforcement technology to stay ahead of potential threats.”