Dan Q

Blog

Note #19021

I made a graph to show how the number of large hand tools stored in our garage has changed this last year…

Graph showing, over time, the number of large tools increasing as a rake, midi-spade, post holer, rake and others are acquired. Each acquired tool is labelled with what it is. However: a hatchet, a pickaxe and two log splitting axes are not labelled.

…but I forgot to label the axes.

×

Note posted at UTC on .

2 likes

Lichfield

We took a family trip up to Lichfield this weekend. I don’t know if I can give a “review” of a city-break as a whole, but if I can: I give you five stars, Lichfield.

Dan in front of Lichfield Cathedral, early on Sunday morning.
It’s got a cathedral, which is quite pretty.

Maybe it’s just because we’ve none of us had a night away from The Green… pretty-much since we moved in, last year. But there was something magical about doing things reminiscent of the “old normal”.

Dan and the kids in a bed at a hotel.
“I’m so excited! We get to stay… at a Premier Inn!” At first I rolled my eyes at this joyous line from our 4-year-old (I mean… it’s just a Premier Inn…), but it did feel good to go somewhere and do something.

It’s not that like wasn’t plenty of mask-wearing and social distancing and hand sanitiser and everything that we’ve gotten used to now: there certainly was. The magic, though, came from getting to do an expedition further away from home than we’re used to. And, perhaps, with that happening to coincide with glorious weather and fun times.

A balloon artist wearing a unicorn on her head makes sculptures for children.
Socially-distanced balloon modelling turns out to work, not least because you can hand one of those long balloons to somebody without getting anywhere near them.

We spent an unimaginably hot summer’s day watching an outdoor interpretation of Peter and the Wolf, which each of the little ones has learned about in reasonable depth, at some point or another, as part of the (fantastic) “Monkey Music” classes of which they’re now both graduates.

Ruth and John sit on a picnic blanket in a painted circle; the maquee for the band is behind them.
So long as you weren’t staring at the painted circles on the grass – for corralling families apart from one another – you’d easily forget how unusual things are, right now.

And maybe it’s that they’ve been out-of-action for so long and are only just beginning to once again ramp up… or maybe I’ve just forgotten what the hospitality industry is like?… but man, we felt well-looked after.

From the staff at the hotel who despite the clear challenges of running their establishment under the necessary restrictions still went the extra mile to make the kids feel special to the restaurant we went to that pulled out all the stops to give us all a great evening, I basically came out of the thing with the impression of Lichfield as a really nice place.

Dan in Lichfield city centre, deserted early on a Sunday morning.
Take social distancing to the next level: do your urban geocaching at the crack of dawn.

I’m not saying that it was perfect. A combination of the intolerable heat (or else the desiccating effect of the air conditioner) and a mattress that sagged with two adults on it meant that I didn’t sleep much on Saturday night (although that did mean I could get up at 5am for a geocaching expedition around the city before it got too hot later on). And an hour and a half of driving to get to a place where you’re going to see a one-hour show feels long, especially in this age where I don’t really travel anywhere, ever.

But that’s not the point.

Ruth and the kids eat breakfast
The buffet was closed, of course, but these kids were made for an “all you can eat” breakfast.

The point is that Lichfield made me happy, this weekend. And I don’t know how much of that is that it’s just a nice place and how much is that I’ve missed going anywhere or doing anything, but either way, it lead to a delightful weekend.

× × × × × ×

Dan Q found GC84Q4F Sam’s Cache

This checkin to GC84Q4F Sam's Cache reflects a geocaching.com log entry. See more of Dan's cache logs.

As the attached picture shows, there was not a soul to be seen out here this morning but that didn’t stop me from feeling like I had to use stealth as I mooched suspiciously around this exposed corner. Went straight past the correct location and spent an embarrassing amount of time looking at exactly the wrong pieces of metal before returning to what turned out to be the right place. TFTC!

Dan near the corner of the Samuel Johnson Birthplace Museum in Lichfield, in a deserted public square early in the morning.

×

Dan Q couldn’t find GC8CXVF Wiggly Windings

This checkin to GC8CXVF Wiggly Windings reflects a geocaching.com log entry. See more of Dan's cache logs.

DNF but that’s probably on me: I need to complete my morning’s geocircuit and get back to my hotel before the rest of my party get up and go to breakfast, so I was short on time to perform a more thorough search.

Dan Q found GC7B9HC Church Micro 11050…Lichfield Cathedral

This checkin to GC7B9HC Church Micro 11050...Lichfield Cathedral reflects a geocaching.com log entry. See more of Dan's cache logs.

TFTC. Answers already sent to CO, except the photo which is attached to this log!

Out for an early morning caching expedition because my hotel bed was uncomfortable so I woke up early and with a need to stretch and move. Delighted to find this wonderfully-placed virtual; thanks for sharing. Greetings from Oxfordshire!

Dan in froint of Lichfield Cathedral, waving

×

Dan Q found GC93KP4 Lichfield TB Resort & Spa

This checkin to GC93KP4 Lichfield TB Resort & Spa reflects a geocaching.com log entry. See more of Dan's cache logs.

Spent a frankly embarrassing amount of time hunting in all the wrong places before spotting the obvious difference between this hotel and the other (non travel bug) ones nearby. Excellent container, FP awarded.

Greetings from Oxfordshire! I’m up for a show and to visit family and woke early this morning for a spot of caching before breakfast. I’d perhaps not have woken so early if my hotel were as nice as this one! (I may have to deploy something like this in my neck of the woods…)

Dan hunting for a geocache in Lichfield.

×

Dan Q couldn’t find GC4KHZ4 One in a Million – Festival Gardens

This checkin to GC4KHZ4 One in a Million - Festival Gardens reflects a geocaching.com log entry. See more of Dan's cache logs.

No luck for me this morning. Based on recent logs and photos I suspect the object to which the hint relates was repaired recently and the cache muggled at the same time.

Higher/Lower Datepicker

I’ve written before about the trend in web development to take what the web gives you for free, throw it away, and then rebuild it in Javascript. The rebuilt version is invariably worse in many ways – less-accessible, higher-bandwidth, reduced features, more fragile, etc. – but it’s more convenient for developers. Personally, I try not to value developer convenience at the expense of user experience, but that’s an unpopular opinion lately.

Screenshot showing a hovered hyperlink to "Digital Forest" on a list of green hosting providers in France.
Here’s a perfect example I bumped into earlier this week, courtesy of The Green Web Foundation. This looks like a hyperlink… but if you open it in a new tab/window, you see a page (not even a 404 page!) with the text “It looks like nothing was found at this location.”

In the site shown in the screenshot above, the developer took something the web gave them for free (a hyperlink), threw it away (by making it a link-to-nowhere), and rebuilt its functionality with Javascript (without thinking about the fact that you can do more with hyperlinks than click them: you can click-and-drag them, you can bookmark them, you can share them, you can open them in new tabs etc.). Ugh.

Date pickers

Particularly egregious are the date pickers. Entering your date of birth on a web form ought to be pretty simple: gov.uk pretty much solved it based on user testing they did in 2013.

Here’s the short of it:

  • Something you can clearly type a numeric day, month and year into is best.
  • Three dropdowns are slightly worse, but at least if you use native HTML <select> elements keyboard users can still “type” to filter.
  • Everything else – including things that look like <select>s but are really funky React <div>s, is pretty terrible.
Calendar datepicker with slider-based timepicker and no text-based fallback.
Calendars can be great for choosing your holiday date range. But pressing “Prev” ~480 times to get to my month of birth isn’t good. Also: what’s with the time “sliders”? (Yes, I know I’ve implemented these myself, in the past, and I’m sorry.)

My fellow Automattician Enfys recently tweeted:

People designing webforms that require me to enter my birthdate:

I am begging you: just let me type it in.

Typing it in is 6-8 quick keystrokes. Trying to navigate a little calendar or spinny wheels back to the 1970s is time-consuming, frustrating and unnecessary.

They’re right. Those little spinny wheels are a pain in the arse if you’ve got to use one to go back 40+ years.

Date "spinner" currently showing 20 December 2012.
These things are okay (I guess) on mobile/touchscreen devices, though I’d still prefer the option to type in my date of birth. But send one to my desktop and I will curse your name.

Can we do worse?

If there’s one thing we learned from making the worst volume control in the world, the other year, it’s that you can always find a worse UI metaphor. So here’s my attempt at making a date of birth field that’s somehow even worse than “date spinners”:

My datepicker implements a game of “higher/lower”. Starting from bounds specified in the HTML code and a random guess, it narrows-down its guess as to what your date of birth is as you click the up or down buttons. If you make a mistake you can start over with the restart button.

Amazingly, this isn’t actually the worst datepicker into which I’ve entered my date of birth! It’s cognitively challenging compared to most, but it’s relatively fast at narrowing down the options from any starting point. Plus, I accidentally implemented some good features that make it better than plenty of the datepickers out there:

  • It’s progressively enhanced – if the Javascript doesn’t load, you can still enter your date of birth in a sensible way.
  • Because it leans on a <input type="date"> control, your browser takes responsibility for localising, so if you’re from one of those weird countries that prefers mm-dd-yyyy then that’s what you should see.
  • It’s moderately accessible, all things considered, and it could easily be improved further.

It turns out that even when you try to make something terrible, so long as you’re building on top of the solid principles the web gives you for free, you can accidentally end up with something not-so-bad. Who knew?

× × ×

Goose-Related Etymologies

Duration

Podcast Version

This post is also available as a podcast. Listen here, download for later, or subscribe wherever you consume podcasts.

My favourite thing about geese… is the etymologies of all the phrases relating to geese. There’s so many, and they’re all amazing. I started reading about one, then – silly goose that I am – found another, and another, and another…

A Canada goose at a waterside accompanied by seven goslings. Photo by Brandon Montrone from Pexels.
Have a gander at this photo.

For example:

  • Barnacle geese are so-called because medieval Europeans believed that they grew out of a kind of barnacle called a goose barnacle, whose shell pattern… kinda, sorta looks like barnacle goose feathers? Barnacle geese breed on remote Arctic islands and so people never saw their chicks, which – coupled with the fact that migration wasn’t understood – lead to a crazy myth that lives on in the species name to this day. Incidentally, this strange belief led to these geese being classified as a fish for the purpose of fasting during Lent, and so permitted. (This from the time period that brought us the Vegetable Lamb of Tartary, of course. I’ve written about both previously.)
  • Gooseberries may have a similar etymology. Folks have tried to connect it to old Dutch or Germanic words, but inconclusively: given that they appear at the opposite end of the year to some of the migratory birds goose, the same kind of thinking that gave us “barnacle geese” could be seen as an explanation for gooseberries’ name, too. But really: nobody has a clue about this one. Fun fact: the French name for the fruit is groseille à maquereau, literally “mackerel currant”!
  • A gaggle is the collective noun for geese, seemingly derived from the sound they make. It’s also been used to describe groups of humans, especially if they’re gossiping (and disproportionately directed towards women). “Gaggle” is only correct when the geese are on the ground, by the way: the collective noun for a group of airborne geese is skein or plump depending on whether they’re in a delta shape or not, respectively. What a fascinating and confusing language we have!
  • John Stephen Farmer helps us with a variety of goose-related sexual slang though, because, well, that was his jam. He observes that a goose’s neck was a penis and gooseberries were testicles, goose-grease is vaginal juices. Related: did you ever hear the euphemism for where babies come from “under a gooseberry bush“? It makes a lot more sense when you realise that gooseberry bush was slang for pubic hair.
Face of a gosse, looking into the camera. Other geese can be seen swimming in the background.
Hey there, you big honker.
  • An actor whose performance wasn’t up to scratch might describe the experience of being goosed; that is – hissed at by the crowd. Alternatively, goosing can refer to a a pinch on the buttocks possibly in reference to geese pecking humans at about that same height.
  • If you have a gander at something you take a good look at it. Some have claimed that this is rhyming slang – “have a look” coming from “gander and duck” – but I don’t buy it. Firstly, why wouldn’t it be “goose and duck” (or “gander and drake“, which doesn’t rhyme with “look” at all). And fake, retroactively-described rhyming roots are very common: so-called mockney rhyming slang! I suspect it’s inspired by the way a goose cranes its neck to peer at something that interests it! (“Crane” as a verb is of course also a bird-inspired word!)
  • Goosebumps might appear on your skin when you’re cold or scared, and the name alludes to the appearance of plucked poultry. Many languages use geese, but some use chickens (e.g. French chair de poule, “chicken flesh”). Fun fact: Slavic languages often use anthills as the metaphor for goosebumps, such as Russian мурашки по коже (“anthill skin”). Recently, people talk of tapping into goosebumps if they’re using their fear as a motivator.
  • A tailor’s goose is a traditional kind of iron so-named for the shape of its handle.
  • The childrens game of duck duck goose is played by declaring somebody to be a “goose” and then running away before they catch you. Chasing – or at risk of being chased by! – geese is common in metaphors: if somebody wouldn’t say boo to a goose they’re timid. A wild goose chase (yet another of the many phrases for which we can possibly thank Shakespeare, although he probably only popularised this one) begins without consideration of where it might end up.
A Canada goose and young gosling swim together, side-by-side. Photo by Erick Todd from Pexels.
If humans tell children they were found under a gooseberry bush, where do geese tell their chicks they came from?
  • If those children are like their parents, you might observe that a wild goose never laid a tame egg: that traits are inherited and predetermined.
  • Until 1889, the area between Blackfriars and Tower Bridge in London – basically everything around Borough tube station up to the river – was considered to be outside the jurisdiction of both London and Surrey, and fell under the authority of the Bishop of Winchester. For a few hundred years it was the go-to place to find a prostitute South of the Thames, because the Bishop would license them to be able to trade there. These prostitutes were known as Winchester geese. As a result, to be bitten by a Winchester goose was to contract a venereal disease, and goosebumps became a slang term for the symptoms of some such diseases.
  • Perennial achillea ptarmica is known, among other names, as goose tongue, and I don’t know why. The shape of the plant isn’t particularly similar to that of a goose’s tongue, so I think it might instead relate to the effect of chewing the leaves, which release a spicy oil that might make your tongue feel “pecked”? Goose tongue can also refer to plantago maritima, whose dense rosettes do look a little like goose tongues, I guess. Honestly, I’ve no clue about this one.
  • If you’re sailing directly downwind, you might goose-wing your sails, putting the mainsail away from the wind and the jib towards it, for balance and to easily maintain your direction. Of course, a modern triangular-sailed boat usually goes faster broad reach (i.e. at an angle of about 45º to the wind) by enough that it’s faster to zig-zag downwind rather than go directly downwind, but I can see how one might sometimes want to try this anatidaetian maneuver.
Plaque with a picture of a goose running and text: "Cross Bones Graveyard. In medieval times this was an unconsecreated graveyard for prostitutes of 'Winchester Geese'. By the 18th century it had become a paupers burial ground, which closed in 1853. Here, local people have created a memorial shrine. The Outcast Dead R.I.P." A smiley face sticker has been attached to the plaque and ribbons and silk flowers are tied nearby.
I feel like the “Cross Bones Graveyard” ought to have been where pirates were buried, but prostitutes is pretty good too.

Geese make their way all over our vocabulary. If it’s snowing, the old woman is plucking her goose. If it’s fair to give two people the same thing (and especially if one might consider not doing so on account of their sex), you might say that what’s good for the goose is good for the gander,  which apparently used to use the word “sauce” instead of “good”. I’ve no idea where the idea of cooking someone’s goose comes from, nor why anybody thinks that a goose step march might look anything like the way a goose walks waddles.

With apologies to Beverley, whose appreciation of geese (my take, previously) is something else entirely but might well have got me thinking about this in the first instance.

× × × ×

Parcel Delivery Scammers Could Try Harder

There’s a lot of talk lately about scam texts pretending to be from Royal Mail (or other parcel carriers), tricking victims into paying a fee to receive a parcel. Hearing of recent experiences with this sort of scam inspired me to dissect the approach the scammers use… and to come up with ways in which the scams could be more-effective.

Let’s take a look at a scam:

Anatomy of a Parcel Fee Scam

A parcel fee scam begins with a phishing email or, increasingly, text message, telling the victim that they need to pay a fee in order to receive a parcel and directing them to a website to make payment.

Scam SMS from "Royal Mail" asking the recipient to go to myparce-uk-manage.com to pay a "fee required for shipping", shown on an iPhone screen
This text message was received by a friend of mine the other week, and it’s pretty typical. Don’t type in that web address, obviously.

If the victim clicks the link, they’ll likely see a fake website belonging to the company who allegedly have the victim’s parcel. They’ll be asked for personal and payment information, after which they’ll be told that their parcel is scheduled for redelivery. They’ll often be redirected back to the real website as a “convincer”. The redirects often go through a third-party redirect site so that your browser’s “Referer:” header doesn’t give away the scam to the legitimate company (if it did, they could e.g. detect it and show you a “you just got scammed by somebody pretending to be us” warning!).

Many scammers also set a cookie so they’ll recognise you if you come back: if you return to the scam site with this cookie in-place, they’ll redirect you instantly to the genuine company’s site. This means that if you later try to follow the link in the text message you’ll see e.g. the real Royal Mail website, which makes it harder for you to subsequently identify that you’ve been scammed. (Some use other fingerprinting methods to detect that you’ve been victimised already, such as your IP address.)

Spoofed Royal Mail webpage saying "Royal Mail: Your Package Has A £2.99 Unpaid Shipping Fee, To Pay This Now Please Visit www.myparcel-uk-manage.com If You Do Not Pay This Your Package Will Be Returned To Sender" and asking for personal details
The spoofed websites usually use HTTPS (“padlock icon” etc.) and have convincing branding (lifted directly from the real company’s website). They frequently – but not always – ask for information that seems… suspicious and unnecessary, like date of birth or bank account sort code.

Typically, no payment is actually taken. Often, the card number and address aren’t even validated, and virtually any input is accepted. That’s because this kind of scam isn’t about tricking you into giving the scammers money. It’s about harvesting personal information for use in a second phase.

Once the scammers have your personal information they’ll either use your card details to make purchases of hard-to-trace, easy-to-resell goods like gift cards or, increasingly, use all of the information you’ve provided in order to perform an even more-insidious trick. Knowing your personal, contact and bank details, they can convincingly call you and pretend to be your bank! Some sophisticated fraudsters will even highlight the parcel fee scam you just fell victim to in order to gain your trust and persuade you that they’re genuinely your bank, which is a very powerful convincer.

"SCAM" spelled out using keycaps from a cyrillic keyboard. Photo by Mikhail Nilov from Pexels.
SCAM > ЫСФЬ? Who knew translation was as simple as these keycaps suggest!

Why does the scam work?

A scam like the one described above works because each individual part of it is individually convincing, but the parts are delivered separately.

Email, reading: Ihre Sendung CH63 **** 26 wurde noch nicht geliefert.
Parcel fee scams aren’t limited to the Anglophone world. Apparently Swiss Post tried to visit me on Monday, even though I’m about 500 miles outside of their delivery area!

Being asked to pay a fee to receive a parcel is a pretty common experience, and getting texts from carriers is too. A lot of people are getting a lot more stuff mail-ordered than they used to, right now, and that – along with the Brexit-related import duties that one in ten people have had to pay – means that it seems perfectly reasonable to get a message telling you that you need to pay a fee to get your parcel.

Similarly, I’m sure we’ve all been called by our bank to discuss a suspicious transaction. (When this happens to me, I’ve always said that I’ll call them back on the number on my card or my bank statements rather than assume that they are who they claim to be. When I first started doing this, 20 years ago, this sometimes frustrated bank policies, but nowadays they’re more accepting.) Most people though will willingly believe the legitimacy of a person who calls them up, addresses them by name and claims to be from their bank.

Separating the scam into two separate parts, each of which is individually unsuspicious, makes it more effective at tricking the victim than simpler phishing scams.

Delivery man, wearing a face mask, holding a parcel and checking his mobile phone. Photo by Kindel Media from Pexels.
“You know these £50 headphones you bought? Yeah, they came from the EU so you owe another £25 somehow.” Fuck Brexit.

Anybody could fall for this. It’s not about being smart and savvy; lots of perfectly smart people become victims of this kind of fraud. Certainly, there are things you can do (like learning to tell a legitimate domain name from a probably-fake one and only ever talking to your bank if you were the one who initiated the call), but we’re all vulnerable sometimes. If you were expecting a delivery, and it’s really important, and you’re tired, and you’re distracted, and then a text message comes along pressuring you to pay the fee right nowanybody could make a mistake.

The scammers aren’t really trying

But do you know what: these scammers aren’t even trying that hard. There’s so much that they could be doing so much “better”. I’m going to tell you, off the top of my head, four things that they could do to amplify their effect.

Wait a minute: am I helping criminals by writing this? No, I don’t think so. I believe that these are things that they’ve thought of already. Right now, it’s just not worthwhile for them to pull out all the stops… they can make plenty of money conning people using their current methods: they don’t need to invest the time and energy into doing their shitty job better.

But if there’s one thing we’ve learned it’s that digital security is an arms race. If people stop falling for these scams, the criminals will up their game. And they don’t need me to tell them how.

"Hacker type" man in hoodie between two computer monitors, looking at his phone.
He ain’t even breaking a sweat. But if the economic pressure was there, he might.

I’m a big fan of trying to make better attacks. Even just looking at site-spoofing scams I’ve been doing this for a couple of decades. Because if we can collectively get ahead of security threats, we’re better able to defend against them.

So no: this isn’t about informing criminals – it’s about understanding what they might do next.

How could the scammers be more effective?

I’d like to highlight four ways that this scam could be made more-effective. Again, this isn’t about helping the criminals: it’s about thinking about and planning for what tomorrow’s attacks might look like.

1. SMS Spoofing

Most of these text messages appear to come from random mobile numbers, which can be an red flag. But it’s distressingly easy to send a text message “from” any other number or even from a short string of text. Imagine how much more-convincing one of these messages would be if it appeared to come from e.g. “Royal Mail” instead?

Text message from "Mum", but actually a marketing text.
Organisers of Parklife Festival were fined £70K for causing distress by texting participants from “Mum” in 2014.

A further step would be to spoof the message to appear to come from the automated redelivery line of the target courier. Many parcel delivery services have automated lines you can call, provide the code from the card dropped through your door, and arrange redelivery: making the message appear to come from such a number means that any victim who calls it will hear a genuine message from the real company, although they won’t be able to use it because they don’t have a real redelivery card. Plus: any efforts to search for the number online (as is done automatically by scam-detection apps) will likely be confused by the appearance of the legitimate data.

"Royal Mail" text message reading: You owe, like, a billion pounds for a parcel we tried to deliver. Go to DanQ.me/royal-mail-scam and pay us. This is totally a legit text message.
This took me literally seconds and fractions of a penny.

SMS spoofing is getting harder as the underlying industry that supports bulk senders tries to clean up its image, but it’s still easy enough to be a real (yet underexploited) threat.

2. Attention to detail

Scammers routinely show a lack of attention to detail that can help give the game away to an attentive target. Spelling and grammar mistakes are commonplace, and compared to legitimate messages the scams generally have suspicious features like providing few options for arranging redelivery or asking for unusual personal information.

A "Royal Mail" scam message that's full of little errors that make it unlike a legitimate one.
Also: where would you even get this email address from, “Royal Mail”? Can’t be from a merchant because I give a different one to each store…

They’re getting a lot better at this already: text messages and emails this year are far more-convincing, from an attention-to-detail perspective, than they were three years ago. And because improvements to the scam can be made iteratively, it’s probably already close to the “sweet spot” at the intersection of effort required versus efficacy. But the bad guys’ attention to detail will only grow and in future they’ll develop richer, more-believable designs and content based on whatever success metrics they collect.

3. Tracking tokens

On which note: it amazes me that these SMS scams don’t yet seem to include any identifier unique to the victim. Spam email does this all the time, but a typical parcel scam text directs you to a simple web address like https://royalmail.co.uk.scamsite.com/. A smarter scam could send you to e.g. https://royalmail.co.uk.scamsite.com/YRC0D35 and/or tell you that your parcel tracking number was e.g. YRC0D35.

"DHL" scam email encouraging you to click a link to arrange redelivery.
Click a link (or even just view the images!) in this phishing email and the sender knows that you read it. SMS scammers could learn from this.

Not only would this be more-convincing for anybody who’s familiar with the kind of messages that are legitimately left by couriers, it would also facilitate the gathering of a great deal of additional metrics which scammers could use to improve their operation. For example:

  • How many, and which, potential victims clicked the link? Knowing this helps plan future scams, or for follow-up attacks.
  • Pre-filling personal data, even just a phone number, acts as an additional convincer, or else needn’t be asked at all.
  • Multivariate testing can determine which approaches work best: show half the victims one form and half the victims another and use the results as research for future evolution.

These are exactly the same techniques that legitimate marketers (and email spammers) use to track engagement with emails and advertisements. It stands to reason that any sufficiently-large digital fraud operation could benefit from them too.

4. Partial submission analysis

I’ve reverse-engineered quite a few parcel scams to work out what they’re recording, and the summary is: not nearly as much as they could be. A typical parcel scam site will ask for your personal details and payment information, and when you submit it will send that information to the attacker. But they could do so much more…

C5 envelope with a yellow "Item underpaid. Fee to pay £1.50" sticker attached.
Real couriers put a card through your door with a code on. Or just put a sticker on your letter and never actually claim the fee, as recently happened to my friends Kit and Matt.

I’ve spoken to potential victims, for example, who got part way through filling the form before it felt suspicious enough that they stopped. Coupled with tracking tokens, even this partial data would have value to a determined fraudster. Suppose the victim only gets as far as typing their name and address… the scammer now has enough information to convincingly call them up, pretending to be the courier, ask for them by name and address, and con them out of their card details over the phone. Every single piece of metadata has value; even just having the victim’s name is a powerful convincer for a future text message campaign.

Summary

There’s so much more that parcel fee SMS scammers could be doing to increase the effectiveness of their campaigns, such as the techniques described above. It’s not rocket science, and they’ll definitely have considered them (they won’t learn anything new from this post!)… but if we can start thinking about them it’ll help us prepare to educate people about how to protect themselves tomorrow, as well as today.

× × × × × × × × × × ×

Article posted at UTC on .

4 comments

Geohashing expedition 2021-06-26 51 -1

This checkin to geohash 2021-06-26 51 -1 reflects a geohashing expedition. See more of Dan's hash logs.

Location

Woodland on Bladon Heath

Participants

Plans

Thought I’d get up early and cycle up to the hashpoint and back this morning.

Expedition

Unfortunately I forgot to bring a bike lock, and so when I reached the cycle-inaccessible path across the heath and couldn’t find somewhere to safely leave my bike, I had to give up. Still a nice ride, though.

Tracklog

My GPSr kept a tracklog of the 25km round trip: