
WhatsApp Scam in the Wild!

Online Tips • 27th May, 21

So a few days ago a close friend of mine messaged me to say he thought he had someone attempt to scam him on Gumtree (an online selling app) via WhatsApp.

I was incredibly interested as it is rare to be able to see the inner workings of such a scam. Luckily my friend was not only more than willing to send videos of his phone screen but allowed me to sanitise them and use them to write this case study.

ITEM FOR SALE

My friend listed an item on Gumtree for sale and the hacker/chancer in question saw this as an opportunity to make some money. Now I would say easy money, but the work involved in this scam shows there must have been more than one person involved in this - more on that later though.

FIRST CONTACT

My friend receives a WhatsApp message from a lady called Emily Harris in Glasgow, Scotland (we are in Somerset, South England) asking if the item is still available. The WhatsApp account was registered as a WhatsApp Business Account and they had included an image.

A conversation takes place where the potential buyer asks the seller if they are aware of Gumtree's terms and how payment works, and once all is accepted they lay their trap in the form of a Gumtree Payment Link - https://gumtrepay.site/cash29263280

THE PAYMENT

When clicking the link, my friend is taken to the Gumtree website showing his listing, the details and picture of the product and there is a button to request funds.

Pressing this button brings up a screen asking my friend to provide card details so they can send him the funds.

LET'S STOP RIGHT HERE

All seems legit so far? That's where you are wrong, and where my friend was lucky to spot that something smelt iffy. Being a long-time user of MONZO (an online bank), he used a virtual card with a nil balance, which can be deleted straight after, to see what the website did. It did nothing, and had now harvested his card details like it probably has with many other people. My friend deleted his virtual card and then contacted me to share the experience with me.

REWIND.......

Let's go back to that link from earlier and pick it apart. First up, Gumtree's official website is https://www.gumtree.com, whereas this link is not only incorrect, it is also missing a letter from the word GUMTREE - https://gumtrepay.site/cash29263280 (this site has now been taken down).
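The hostname comparison described above can be automated. This is an added example, not part of the original post: it checks a link's host against the official domain and flags hosts that contain the brand name or something one character away from it. The function names and the one-edit threshold are assumptions chosen for illustration.

```python
from urllib.parse import urlsplit

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert, delete, substitute), computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]

def brand_distance(label: str, brand: str) -> int:
    """Smallest edit distance between the brand and any window of the label."""
    best = edit_distance(label, brand)
    for size in (len(brand) - 1, len(brand), len(brand) + 1):
        for start in range(max(len(label) - size, 0) + 1):
            best = min(best, edit_distance(label[start:start + size], brand))
    return best

def classify_link(url: str, official: str = "gumtree.com") -> str:
    """Return 'official', 'lookalike' or 'unrelated' for the link's hostname."""
    host = (urlsplit(url).hostname or "").rstrip(".").lower()
    if host == official or host.endswith("." + official):
        return "official"
    brand = official.split(".")[0]
    # A label containing the brand, or a string one edit away from it, on a
    # host that is not the official domain is treated as a lookalike.
    if any(brand_distance(label, brand) <= 1 for label in host.split(".")):
        return "lookalike"
    return "unrelated"

if __name__ == "__main__":
    for link in ("https://www.gumtree.com/",
                 "https://gumtrepay.site/cash29263280",   # link from this post
                 "https://example.org/"):                  # constructed sample
        print(link, "->", classify_link(link))
```

A "lookalike" result only says the name imitates the brand; the WHOIS and certificate checks are still worth doing by hand.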

Before the site was taken down, I performed a "Who Is" lookup of the domain using centralops.net, which anyone can do on any domain, and saw that the domain was bought and owned by an individual in Russia, whereas a quick lookup of the About page on Gumtree tells you that they are a British company.

Next up, when looking at the website: yes, it's protected by HTTPS, but when we look at the certificate we see it's not actually owned by Gumtree, and some of the links on the website didn't work.

The wording for the receiving of funds didn't quite add up either, and neither did the lack of info on the card capture screen.

What was increasingly impressive though is that the chat facility on the card details page actually worked and was manned at the other end, meaning they were monitoring and replying to support chat - making this seem like an extremely well orchestrated plan.

WRAP UP

Luckily my friend was not ripped off here but it was a very convincing scam and I dread to think the number of people they got before they were taken down.

Long story short, if something seems off whilst doing financials or sharing sensitive data online, stop what you are doing, go to the official site and try and use their own messaging platforms. If making a transaction, use PayPal or a credit card where you can so you have payment protection too, as this can prove invaluable if you do get stung.

Stay safe out there guys!