Gift card gang extracts cash from 100k inboxes daily (krebsonsecurity.com)
324 points by picture 47 days ago | hide | past | favorite | 134 comments



>Microsoft declined to comment specifically on Bill’s research, but said customers can block the overwhelming majority of account takeover efforts by enabling multi-factor authentication.

Or, of course, by not reusing passwords everywhere. ISPs can help by turning on some sort of brute force protection on SMTP and IMAP. They can also help by checking for completely obvious passwords (yes, by brute force cracking with a short list). Which brings us to this:

>But you also know they are accessing their email exclusively through an email client. What do you do? You can’t flag their account for a password reset, because there’s no mechanism in the email client to affect a password change.”

If only there was some way to communicate with an email customer...


This is a common problem: if your only method of communicating with your customer is compromised (email), then you have no action except account disablement and requiring them to contact support somehow, or accepting the abuse.


Or intercept non-encrypted HTTP requests and inject popup messages via JavaScript... like ISPs have been doing already.


how many websites do you visit without https?


Most computers will make at least one HTTP request to determine if there’s a captive portal, right?


I think only the ISP or the free wifi internet cafe gets the chance to capture that request though?


> Or, of course, by not reusing passwords everywhere.

At one of my jobs, we ran into this soon after launch. Attackers would loop through giant lists of leaked usernames / passwords using a different IP for every attempt. Blocking passwords at signup that existed in haveibeenpwned's database worked fairly well (and then later adding a required second factor).


> Attackers would loop through giant lists of leaked username / passwords using a different ips for every attempt

Many password attempts for 1 username, isn't it easier to slow down attempts to authenticate the username after x tries, regardless of the IP? Just the fact that multiple IPs are being used for 1 username in a loop is enough of a red flag.

> Blocking passwords at signup that existed in haveibeenpwned's database worked fairly well

That's half a billion passwords to disallow?


> Many password attempts for 1 username

Credential stuffing isn’t password bruteforcing. You don’t try half a billion passwords for one username. Instead, you try countless previously leaked username/password combinations from many ostensibly benign residential IPs. Each user account may only see one attempt. The goal isn’t to break into a specific account, but rather, to compromise as many as possible.


just pick which size list you want to disallow: https://github.com/danielmiessler/SecLists/tree/master/Passw...


If you refuse to outsource this capability for whatever reason, it's also ideal as a micro-service. It has no dependencies on your other components; all it does is take one parameter (the password or, more likely, an ordinary hash of it) and respond yes it's pwned or no it isn't.
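The signup check described in this comment and the earlier one about blocking haveibeenpwned passwords, as an added example (not code from the thread or from HIBP). It uses the real k-anonymity range endpoint, but the fetcher is injected so the block runs offline against a constructed corpus; the counts, corpus passwords and the `signup-password-check` user agent are assumptions.

```python
"""Pwned-password check at signup via the Have I Been Pwned k-anonymity range API.

The real endpoint is GET https://api.pwnedpasswords.com/range/<first 5 hex chars
of the SHA-1>, returning one "<remaining 35 hex chars>:<count>" line per known
hash, so the full hash never leaves the caller. `offline_fetch_range` emulates
that endpoint from a constructed corpus; `live_fetch_range` is the production
fetcher.
"""
import hashlib
from typing import Callable, Dict


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1, the form the range API keys on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed stand-in for the breach corpus; the counts are made up.
_FAKE_CORPUS: Dict[str, int] = {"password1": 2333232, "letmein": 250000, "Summer2021!": 3}


def offline_fetch_range(prefix: str) -> str:
    """Emulate the range endpoint: every corpus entry whose SHA-1 starts with
    `prefix` is returned as "<suffix>:<count>" (CRLF-separated, like the API)."""
    lines = [f"{h[5:]}:{count}"
             for pw, count in _FAKE_CORPUS.items()
             for h in [sha1_hex(pw)] if h.startswith(prefix)]
    return "\r\n".join(lines) + "\r\n"


def live_fetch_range(prefix: str) -> str:
    """Production fetcher (network). Add-Padding asks HIBP to pad the response
    with zero-count entries so its size does not reveal how many suffixes exist
    under the prefix."""
    import urllib.request
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "signup-password-check", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read().decode("utf-8")


def pwned_count_for_hash(sha1_upper: str,
                         fetch_range: Callable[[str], str] = offline_fetch_range) -> int:
    """Micro-service entry point: takes the SHA-1 (as the comment suggests)
    rather than the password; returns the breach count, 0 if unseen."""
    sha1_upper = sha1_upper.upper()
    prefix, suffix = sha1_upper[:5], sha1_upper[5:]
    for line in fetch_range(prefix).splitlines():
        candidate, sep, count = line.strip().partition(":")
        if sep and candidate.upper() == suffix:
            return int(count)      # padded entries carry count 0 and are harmless
    return 0


def pwned_count(password: str, fetch_range=offline_fetch_range) -> int:
    """Convenience wrapper for callers that hold the plaintext (e.g. the signup form)."""
    return pwned_count_for_hash(sha1_hex(password), fetch_range)


def signup_password_ok(password: str, fetch_range=offline_fetch_range,
                       max_seen: int = 0) -> bool:
    """Signup policy: refuse any password seen in breaches more than `max_seen` times."""
    return pwned_count(password, fetch_range) <= max_seen
```

Pass `fetch_range=live_fetch_range` to query the real service; only the five-character prefix is ever transmitted.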


> Many password attempts for 1 username, isn't it easier to slow down attempts to authenticate the username after x tries, regardless of the IP? Just the fact that multiple IPs are being used for 1 username in a loop is enough of a red flag.

Nope, one attempt per username - they were using a giant list of hundreds of thousands of leaked credentials.

> That's half a billion passwords to disallow?

Yup.


Using IPs to block attempts is no longer feasible since the IPv4 shortage. Mobile carriers in Europe and even landline cable providers use NAT for IPv4, so thousands of legitimate users will appear to use the same IPv4.


>But you also know they are accessing their email exclusively through an email client. What do you do? You can’t flag their account for a password reset, because there’s no mechanism in the email client to affect a password change.”

> If only there was some way to communicate with a email customer...

I'm not really sure what the issue here is. When the ISP knows their customers' accounts are compromised, it doesn't matter what type of client they use to check their messages; they absolutely can "flag the account for a password reset" by simply resetting the password or temporarily disabling those accounts.

This forces the customer to call into the ISP the next time they try to check their email, verify their identity to the ISP, and then set a new password.

The customer might be angry about having to take the time, but in most cases telling them "Your account was hacked and they were accessing your email messages" is enough to change their attitude from annoyed to grateful.

You don't even have to wait for them to be compromised. I worked for an ISP that updated their system to require more complex passwords. They put out notices to get as many people as possible to reset their passwords then disabled every remaining email account in batches until everyone had called in to reset their password under the new requirements.


> The customer might be angry about having to take the time, but in most cases telling them "Your account was hacked and they were accessing your email messages" is enough to change their attitude from annoyed to grateful.

I guess you’ve never done tech support over the phone.


I've done abuse handling, so I've had to give all kinds of bad news to people after cutting them off from the internet. Some percentage of people are always going to be unreasonable, but the vast majority are glad they found out and we stepped in, even when it means they now have to take their PC into a shop, leave it offline until their nephew comes over, or pay their contractor to come in and get the infected machines off their network.

It helps that these days most people have the cell network for a backup and they can still get their social media fix


I did satellite television, so it's possible the clientele was different.


Microsoft’s 2FA implementation does not help because it allows attackers to guess the password first and the second factor next. They just don’t get it.


Sure. So, let's say you guess my password. Now you get prompted for the second factor, which you don't have.

In fact I have Security Keys, so, now you're trying to break AES, which you can't do.

But let's suppose you're attacking the average person whose second factor is a TOTP authenticator. Unsurprisingly, Microsoft only give you a finite rate of tries at TOTP codes. And of course the correct code keeps changing meanwhile, so you can guess forever and never have better than about a 1 in 100 000 chance to guess a valid code each time. How many guesses do you think you get before your client is considered vexatious and can't try any more?


If the second factor were enough security why even have the password?

And how do you know the attacker is one client? He can just be 1000000 clients each only trying once. And if you block them you also block the user.


> If the second factor were enough security why even have the password?

Having two factors is better. But obviously neither of them should be a conventional password because passwords are crap.

You can have WebAuthn set to do usernameless authentication, with the two factors both being local. So when you visit a site with this behaviour and it wants authentication, you maybe touch your fingerprint sensor on your phone, that's one factor, having the phone is the other factor, that's two factors, the phone hands over credentials including a large identifier that's equivalent to a user ID for the site, plus its assurance that you are present (based on the fingerprint) and a signature proving it is still the same phone used to sign up for this method. No typing your email address, no passwords, much better security.

> He can just be 1000000 clients each only trying once. And if you block them you also block the user.

Yes, if you rate limit attackers you also rate limit the real user.

But as an attacker, what value am I getting from that? Maybe it's a chargeable service I can sell? It certainly doesn't help me steal gift cards.

$1000 per hour to annoy a friend by preventing them from logging into their email? Not many buyers at that price. $100 per hour? $10 per hour? $1 per hour? Remember that to fuel this you are throwing away a botnet so that you can hammer on the login until you get blocked, and botnets aren't that cheap to buy.


> You can have

Yes you can have proper security. But this is about the Microsoft solution where you don’t, where you can first guess the password and then guess the 2fa code. Which is not very smart, considering it’s not that much harder to check both at the same time and fail when either is wrong.


> it’s not that much harder to check both at the same time and fail when either is wrong.

You can't do that. Try to imagine what this looks like:

You're at the Microsoft login screen. Microsoft needs you to present both a password and...

* WebAuthn sign-in credentials, for which it must send data to your client

* a TOTP code, from the authenticator you may or may not have

* the SMS code, which you er... wait, what SMS code, how can Microsoft send it to you if you didn't say who you are?

* the email code, which again er... Microsoft can't send this until it knows who you are

OR

* any other technology Microsoft adds later which may require any of the above or something else.


They can switch to display the right one when you enter your email address, they already do this. And of course indeed it doesn’t work with methods like sms and emailing codes, both of which are not secure anyway.


> They can switch to display the right one when you enter your email address, they already do this

So the effect here is this gives bad guys a free targeting feature. Just type in any email addresses and Microsoft will tell you which 2FA is enabled if any.

> And of course indeed it doesn’t work with methods like sms and emailing codes

So, it doesn't help at all for the good case, and it breaks the bad case worse, what was the goal again?


Sorry, but if you think emailing codes is the good case you’re beyond help.


WebAuthn is the good case, which is the case you didn't break since it doesn't care about any of this. And you made the bad cases worse. So good news I guess, "At least Microsoft aren't as bad at this as tinus_hn".


Ah, so you just don’t get it. That’s fine. Other people will improve things along the way.


Agreed. Second factor where you tell the attacker they got the password right before asking for the next factor isn't really 2 factor.

Either that, or you force the user to do a password reset if ever they provide the password but cannot provide the 2nd factor in the same login attempt. I think that would upset a lot of users though.


Shouldn't repeated failed 2FA login attempts trigger a notification to the user? Or password OK, 2FA failed login attempts at a different location that the user normally is at?

I mean if there's repeated login attempts where the password is correct but the 2FA is not that's a pretty good indication that the password may be compromised. I'd like to be notified of that.


You can't guess the 2FA code. It changes faster than you could ever attempt to test all combinations.


It doesn’t matter that the code changes, each guess has a 1/1000000 chance of being the right code. Yes you can’t guarantee you’ll find the code in 1000000 tries, but you still only need to do half of that to have 50% chance of a match.


If someone attempts 500,000 failed 2FA attempts on an account, I think it's safe to lock that account/take extra steps.
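The detection the earlier comment asks for (notify when the password is accepted but the second factor keeps failing, from several locations) together with the lockout threshold this comment discusses, as an added example that is not from the thread or any vendor. The log format, usernames and IPs are constructed; the threshold helper shows how to pick a per-account lockout so that an attacker who already holds the password stays under a chosen success probability.

```python
"""Detect "password right, second factor wrong" bursts and size the lockout.

Keyed by username, not IP: the thread notes that attempts arrive from many
residential IPs, one or two per address, so per-IP counters never trip.
Log lines are a constructed key=value format; adapt `LINE_RE` to your IdP.
"""
import math
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: alice sees TOTP failures from three IPs right after
# correct passwords, bob logs in normally, carol mistypes a code once.
SAMPLE_LOG = """\
2021-09-14T10:00:01Z user=alice ip=203.0.113.5 stage=password result=ok
2021-09-14T10:00:02Z user=alice ip=203.0.113.5 stage=totp result=fail
2021-09-14T10:00:40Z user=alice ip=198.51.100.7 stage=password result=ok
2021-09-14T10:00:41Z user=alice ip=198.51.100.7 stage=totp result=fail
2021-09-14T10:01:15Z user=alice ip=192.0.2.33 stage=password result=ok
2021-09-14T10:01:16Z user=alice ip=192.0.2.33 stage=totp result=fail
2021-09-14T10:02:00Z user=bob ip=203.0.113.9 stage=password result=ok
2021-09-14T10:02:01Z user=bob ip=203.0.113.9 stage=totp result=ok
2021-09-14T10:03:00Z user=carol ip=203.0.113.10 stage=password result=ok
2021-09-14T10:03:01Z user=carol ip=203.0.113.10 stage=totp result=fail
2021-09-14T10:03:20Z user=carol ip=203.0.113.10 stage=totp result=ok
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) ip=(?P<ip>\S+) "
                     r"stage=(?P<stage>\S+) result=(?P<result>\S+)$")


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return event


def find_second_factor_bursts(log_text, window=timedelta(minutes=15),
                              min_failures=3, min_ips=2):
    """Return {user: {"failures": n, "ips": [...]}} for accounts whose second
    factor failed at least `min_failures` times within `window` after an
    accepted password, from at least `min_ips` distinct addresses."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])
    password_known = set()          # users for whom a password was accepted
    fails = defaultdict(list)       # user -> [(ts, ip)] second-factor failures
    for e in events:
        if e["stage"] == "password" and e["result"] == "ok":
            password_known.add(e["user"])
        elif e["stage"] == "totp" and e["result"] == "fail" and e["user"] in password_known:
            fails[e["user"]].append((e["ts"], e["ip"]))
    alerts = {}
    for user, entries in fails.items():
        best = []                   # densest run of failures inside one window
        for i, (t0, _) in enumerate(entries):
            run = [x for x in entries[i:] if x[0] - t0 <= window]
            if len(run) > len(best):
                best = run
        ips = sorted({ip for _, ip in best})
        if len(best) >= min_failures and len(ips) >= min_ips:
            alerts[user] = {"failures": len(best), "ips": ips}
    return alerts


def totp_guess_probability(attempts, code_space=10**6, valid_codes=1):
    """Chance that `attempts` random guesses hit an accepted code at least once.
    `valid_codes` > 1 models servers that also accept adjacent time steps."""
    p = valid_codes / code_space
    return 1.0 - (1.0 - p) ** attempts


def lockout_threshold(max_success_prob, code_space=10**6, valid_codes=1):
    """Largest number of second-factor failures to tolerate per account so that
    guessing succeeds with probability at most `max_success_prob`."""
    p = valid_codes / code_space
    return int(math.floor(math.log(1.0 - max_success_prob) / math.log(1.0 - p)))
```

With a budget of one in a thousand, the threshold comes out around a thousand failures per account; a fixed 500,000-attempt limit leaves the attacker close to a 40% chance.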


But you could try ~100 password variations and then attack the 2FA.

Up until recently SMS 2FA could be broken for $10 because one VOIP provider allowed number registration on any number.

If you can filter 10,000 accounts down to 100 with known passwords, now you just have to bypass 2FA on 100 accounts.


How can you register a number if it's already registered?


A common service offered (I think required to be offered, actually) by telephone service providers is "number porting" - where you switch providers but keep the same number, because people don't like changing phone numbers more than they have to.

It used to be this didn't have any real backend checks, so you could effectively steal someone's number, at least temporarily.


> Up until recently SMS 2FA could be broken for $10 because one VOIP provider allowed number registration on any number.

Surely not?


> "I used a prepaid card to buy their $16 per month plan and then after that was done it let me steal numbers just by filling out LOA info with fake info," Lucky225 added, referring to a Letter of Authorization, a document saying that the signer has authority to switch telephone numbers.

From 2021:

https://www.vice.com/en/article/y3g8wb/hacker-got-my-texts-1...

EDIT: yea it's not 'registering' the number but rather rerouting a copy of all messages to another number.


> yes, by brute force cracking with a short list)

Possible without if they're only checking during password reset or account creation.


Sending email to an address controlled by a hacker isn't super effective.


My email was hacked and the attacker used that to reset my Delta password to clear out my points to use on the marketplace where you could exchange them for gift cards.

What's interesting is that they logged into my webmail to create rules to forward all mail from Delta to trash so that I wouldn't see any of the notifications.


If your only method of contacting your customer is via email and the email is demonstrably controlled by a hacker then you have a hacker for a customer.

If email isn't your only method of contacting your customer... then sending an email to an address controlled by a hacker isn't your only option.


> If your only method of contacting your customer is via email and the email is demonstrably controlled by a hacker then you have a hacker for a customer.

That's obviously false. The context of this very discussion is that more than one person is able to log into an account for many email accounts.


A previous comment mentioned the hackers setting up rules to automatically delete messages that would inform the user they were hacked.


Sure but the hacker can trash the email.


Thanks for agreeing.


It seems like they tend to not change the account password. If anything, changing the password could be counterproductive because they seem to want access to look for stuff more than exclusive control. The longer they have access, the more likely they are to find something valuable.

In terms of notifying them, I think an email would be appropriate, although straight up saying that the customer's account has been compromised might not be the best idea because the hacker could update their software to look for that. It might be better to send an email about some billing issue, and when the customer calls then explain to them that their account has been compromised.


Whatever wording they chose, if any major email provider went down this route, hackers would learn to identify these emails soon enough and automatically delete them from compromised accounts.


If the server software were smart, it could consider certain emails undeletable for 7 days.

I often wonder why Gmail 'Suspicious login' emails aren't like this.


They could. The success of that approach would vary though. The email provider could look for that too and resend the email. They could also disallow rules that block emails from them in this case.

The user could also get the email on their device if the hacker doesn't delete it quickly, which is a possibility given the low and slow nature of this scheme.


Can we talk about who "Bill" (the source for the article) is?

If we read between the lines, it appears that someone sitting at a fairly large Internet choke point is grepping the flow of mail traffic for keywords (for lack of better terms since it's not literally grep).

Presumably someone placed highly enough that they can do such analysis without management oversight?

Or are there compliance and security reasons to "grep" IMAP traffic for certain things and he just added some other keywords?

Where, in 2021, would a network admin own this much traffic and have this little oversight?

-----

EDIT: ... and now that I think about it, wouldn't this be fairly easy to suss out? The source states:

"So I’m seeing this traffic to just like 10 net blocks tied to Microsoft, which means I’m only looking at maybe 25 percent of Microsoft’s infrastructure,"

I have neither the time nor the inclination but if there is an ISP out there that is routing 25% of MS mail infrastructure, all I have to do is look at mail routes to MS for a few days and run some traceroutes and I could probably make some guesses as to which network "Bill" works for ...


I would assume(/hope) IMAP would be TLS protected, these days. And since Bill doesn't seem to be inside Microsoft, he'd have to MITM the TLS sessions?

To me, it sounds more like Bill broke into (some of) the "proxy network" (likely bots on home computers?) used by the attackers, and is spying on them.


Ironically, I could see people actually paying for this service by splitting the "gift cards" etc. that are found.

Essentially, it's an automated service to find all of the places where programs give you free stuff for little or no work, and then their system just watches your email and does it for you, splitting the final values in some fashion.

Despite the extreme security issues around it, I could see many people signing up for this.


I don't remember what it was called, but there was a service that did exactly this for price drop protection. They'd scan your purchases by monitoring your email, and when the price of something you purchased dropped within the protection period, they'd automatically file a claim with the credit card company, taking 20%.


I really like the idea of automating these things, I am pretty sure I miss out on a ton of free deals and good opportunities to save money. However, the amount of trust I'd have to have in any system where they can scan all of my email with impunity.... Hooo boy. Ain't going to happen anytime soon.


It's a zero sum game though... if everyone did this then the price you pay in the first place will go up or they would be cancelled. These benefits only work because most people don't take advantage of them.


Aren't extensions like Honey (PayPal) scanning all of your browsing and emails?


Are they scanning email? Browsing history for sure.


But millions use things like gmail and hotmail which do just that


Sure but some rando "deals" service is a much riskier point of failure than Google if you're worried about data leaks..


You always have to implicitly trust your email provider no matter who it is. Or run it yourself, but I assure you that is not fun.


Do you use Gmail?


Nope


Paribus used to do this. There's earny as well and I'm sure many others at this point.


https://www.earny.co – since pivoted to other offers


How can you claim with the CC company because the price dropped? Or is this just a chargeback?


Some credit cards will refund the difference in price within a certain period of time. It's one of those spiffs like airline miles or vague "points" that some cards use to hook new customers.


for example: https://www.chase.com/card-benefits/benefit-details/slate/pr...

edit: Although I see it's discontinued now... news to me


Yes I actually had this service but can’t remember the name now


Imagine feeling like real badasses after stealing lots of money and then they call you "Gift Card Gang".


That made me chuckle.


Hey, big corporations pay a lot of money for people to know them as the friendly neighbourhood (Mickey) mouse.



100k a day, I don't think they care what people call them.


No, they didn't make 100k a day. They gain unauthorized access to 100k inboxes daily.


Imagine caring about what someone else calls you. Unless you have some affiliation or need for them, why care?


Harry: [Marv brings a load of stolen goods from the Murphy household to the van and Harry sees him laughing] What's so funny? What are you laughing at? You did it again didn't you? You left the water running. What's wrong with you? Why do you do that? I told you not to do it.

Marv: Harry, it's our calling card!

Harry: Calling card.

Marv: All the great ones leave their mark. We're the wet bandits!


Keep the change, ya filthy bastard.


Filthy animal*


Shoot. You're right. My wife would be really mad if she knew I screwed that up.


t. gift card gangster


> They’re actually automating the process of replying saying you completed this activity so they can bump up your point balance and get your gift card.

What they're doing is terrible, but I felt a bit of respect for how clever this is.


At least it adds an extra fun dimension to our otherwise grim social credit score future.


Makes me curious if Gmail tells you when new/suspicious IMAP connections are made. I know they do tell you for normal web logins. Off to disable IMAP where I don't need it...


I'm not sure about Gmail, but Outlook does, and it's kind of interesting to check out https://account.microsoft.com/security > Sign-in activity and see all the random IPv6 addresses unsuccessfully trying to connect via IMAP. My email was in some random db dump (with a password I didn't reuse) probably a decade ago and apparently people are still trying to cred stuff it.


The article mentions that lots of German and French ISPs are being hit, I guess they're going after @orange.fr addresses and the like?

Gmail is pretty secure, I seriously doubt you can log in to someone's account using just their password if you don't have their usual IP, Geo location, User Agent etc.

EDIT looks like maybe I'm wrong: “It’s just more difficult to get through the Web interface because on a website you have a plethora of advanced authentication controls at your fingertips, including things like device fingerprinting, scanning for http header anomalies, and so on,” Bill said. “But what are the detection signatures you have available for detecting malicious logins via IMAP?”


If the user has 2FA then Gmail needs either

1. RFC 7628 OAUTHBEARER. Basically your IMAP client has to have a way to obtain OAUTH tokens (e.g. spawn a web browser window first time you log in, that authenticates because it's a web browser, then get it to give you an OAUTH token) and it binds that token to your IMAP login as proof of who you are. Google also supports a non-standard older way to do this. Cheesy "my first IMAP implementation" code can't do this, but several Free Software mail clients do.

2. User goes into Google's security settings, says they agree to suffer worse security, gets "app password" minted by Google, fills that into the IMAP client. They can't use their "real" password which is presumably "password1" so the Pwned list doesn't work on this but it's not great.

But if you never set up any 2FA then it really wouldn't matter. Google's answer for their own employees was just to issue them FIDO Security Keys and mandate 2FA, and that's certainly what I'd endorse if you have money and want security, but their medium term plan is to enforce 2FA setup for users who seem to own e.g. a smartphone.
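The RFC 7628 OAUTHBEARER exchange this comment describes (and Google's older XOAUTH2 variant), shown from both the client side that builds the initial response and the server side that parses and checks it, as an added example that is not from the thread, Google or any mail client. The token value, host names, scope URL and the `demo_introspect` token store are constructed stand-ins.

```python
"""What an IMAP client sends when it authenticates with an OAuth token instead
of the mailbox password, and how a server checks it.

Formats (^A is byte 0x01; the client sends the base64 of the string after
"AUTHENTICATE OAUTHBEARER" / "AUTHENTICATE XOAUTH2"):
  RFC 7628 OAUTHBEARER: "n,a=<user>,^Ahost=<host>^Aport=<port>^Aauth=Bearer <token>^A^A"
  Google XOAUTH2 (older, non-standard): "user=<user>^Aauth=Bearer <token>^A^A"
On failure an OAUTHBEARER server returns base64 JSON ({"status": "401", ...})
and the client answers with a lone ^A to end the exchange.
"""
import base64
import binascii
import json
from typing import Callable, Dict, Optional, Tuple

SEP = "\x01"


def oauthbearer_initial_response(user: str, token: str, host: str, port: int = 993) -> str:
    msg = f"n,a={user},{SEP}host={host}{SEP}port={port}{SEP}auth=Bearer {token}{SEP}{SEP}"
    return base64.b64encode(msg.encode("utf-8")).decode("ascii")


def xoauth2_initial_response(user: str, token: str) -> str:
    msg = f"user={user}{SEP}auth=Bearer {token}{SEP}{SEP}"
    return base64.b64encode(msg.encode("utf-8")).decode("ascii")


def parse_oauthbearer(b64: str) -> Tuple[Optional[str], Dict[str, str]]:
    """Server side: return (authzid, {key: value}); ValueError on malformed input."""
    raw = base64.b64decode(b64).decode("utf-8")
    parts = raw.split(SEP)
    if len(parts) < 3 or parts[-1] != "" or parts[-2] != "":
        raise ValueError("missing terminating ^A^A")
    fields = parts[0].split(",")            # GS2 header, e.g. ["n", "a=user", ""]
    if (fields[0] not in ("n", "y") and not fields[0].startswith("p=")) or fields[-1] != "":
        raise ValueError("bad GS2 header")
    authzid = next((f[2:] for f in fields[1:] if f.startswith("a=")), None)
    kv: Dict[str, str] = {}
    for item in parts[1:-2]:
        key, eq, value = item.partition("=")
        if not eq or not key:
            raise ValueError(f"bad key/value pair: {item!r}")
        kv[key] = value
    if not kv.get("auth", "").startswith("Bearer "):
        raise ValueError("auth field is not a Bearer token")
    return authzid, kv


def parse_xoauth2(b64: str) -> Tuple[str, str]:
    """Return (user, token) from an XOAUTH2 initial response."""
    raw = base64.b64decode(b64).decode("utf-8")
    if not raw.endswith(SEP + SEP):
        raise ValueError("missing terminating ^A^A")
    kv = dict(item.split("=", 1) for item in raw[:-2].split(SEP))
    return kv["user"], kv["auth"][len("Bearer "):]


# Constructed token store standing in for the authorization server's introspection.
_ISSUED_TOKENS = {"tok-constructed-0001": "alice@mail.example"}


def demo_introspect(token: str) -> Optional[str]:
    """Return the mailbox a token was issued for, or None if unknown/expired."""
    return _ISSUED_TOKENS.get(token)


def verify_oauthbearer(b64: str, introspect: Callable[[str], Optional[str]],
                       expected_host: str, expected_port: int = 993) -> Tuple[bool, Optional[str]]:
    """Returns (True, None) on success, else (False, <base64 JSON failure>) that
    the server sends as its continuation before the client's final ^A. The
    host/port fields bind the token to this IMAP endpoint."""
    try:
        authzid, kv = parse_oauthbearer(b64)
        subject = introspect(kv["auth"][len("Bearer "):])
        ok = (subject is not None
              and (authzid is None or authzid == subject)
              and kv.get("host") == expected_host
              and kv.get("port") == str(expected_port))
    except (ValueError, KeyError, UnicodeDecodeError, binascii.Error):
        ok = False
    if ok:
        return True, None
    failure = {"status": "401",
               "scope": "https://mail.example/scope",                                  # constructed
               "openid-configuration": "https://auth.mail.example/.well-known/openid-configuration"}
    return False, base64.b64encode(json.dumps(failure).encode("utf-8")).decode("ascii")


def failure_status(b64_failure: str) -> str:
    """Client side: read the status out of a failure continuation."""
    return json.loads(base64.b64decode(b64_failure))["status"]
```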


You have to go through a number of extra steps to turn on being able to get your mail outside of gmail. I think most never bother. I believe it is called allow insecure devices.


IIRC, you can log in with external clients, but those clients need to support the embedded google login screen which can ask for 2FA / anything else. If you want to log in with just an email and password then you have to change that setting.


Most people don't even need an IMAP password if using a client like Thunderbird. It will just pop up a webpage to generate an OAuth token that it will use.


Enable two-factor authentication and disable app passwords. That should be enough to stop this particular type of scam.


I've gotten notifications from gmail when there were logins from outside the US to my account.


Right...for regular Gmail logins though, or IMAP ones?


You can't just log in via username/password with IMAP anymore. The email client either has to support the google login window or you have to go in to your account and generate a program specific access token for it.


Google does recognize new IMAP logins.

Every time I buy a new device and port my account, I get spam from Google saying, "Your new iPad isn't set up yet without the Gmail app! Get the Gmail app now or you won't be super duper cool!"


The thing about this scheme is that it seems to amount to an extremely low tax on the accounts of the average user.

The big downside isn't really that people might lose their gift cards but that other horrible things could happen at scale 'cause who knows who the Gift Card Gang are really.

And the thing is here that the state, the broader authorities, are the only ones who have some incentive to act now about this. If it affected me, I'd shrug, I have no incentive. And the story everywhere with this is the state has become as short-term-ist as everyone else. And, what problems could possibly arise from that?? (posts and then checks outside for fire, poison gas and deadly disease).


I could go for something that lets me know I have cash sitting in my bloated inbox.


See, they could have made it into a business and split the profits!


They’d have made more money with an IPO. 40m a year is peanuts.


But the main growth hack is hacking into peoples email accounts.


So search your inbox for the same items these scripts are.


I'm wondering… would the gift card gang also be interested in those "You won a $100 gift card!" emails in my spam folder? :)

The idea of the gang and the spammer going on about who should drop their pants first ("Please send us the gift card" – "No you send me your bank account information first") makes me chuckle.


I thought this was going to be about a different scam: Taking over an email account and messaging the contacts to send e-gift cards.

This happened to my real estate agent. I got an email from her saying "I really need to get a (Google play gift card) for a friend who is a cancer patient.". That seemed super phishy, so I texted her, and she said her email was taken over.

This was a verizon.net account that was migrated to AOL. The hacker had reset her email password and created a hotmail account in her name, and was forwarding all incoming mail to the account he controlled. She regained control of the account, but he still had an active session and was still sending out phishing emails. I tried to help her, but I could not find any way to have AOL sign out all active sessions.


A gift card was taken from our mail and spent nearby. Fun part is they resealed the envelope so we'd never have known had the sender not told us.


How did they get access to your mail?


Not the OP, but I'd guess just by walking past and opening the mailbox.


> (if the ISP blocks the account) “Those customers are likely going to get super pissed off and call up the ISP mad as hell,” Bill said. “And that customer service person is then going to have to spend a bunch of time explaining how to use the webmail service. As a result, very few ISPs are going to do anything about this.”

If someone had copied your door key, and was breaking into your house each week to look for food, then you probably would want the police to change the lock. Or at least let you know you need to.

This just strikes me as a regulatory issue - we have to be able to trust our online services. As such, the level of security needs to be upped by fiat. It's not a popular idea but a FIDO key for everyone in US / Europe would be within the bounds of feasible in the next 10 years. Hell, just SMS 2FA would massively cut back on this.


I don't believe it's the norm anywhere in the US for the police to change your locks by fiat, or to go lock your unlocked car doors. That's not something I think a lot of people want.


OK OK everyone - not a perfect analogy ... but I feel it's worth defending.

No I don't want the cops to change my locks either - but imagine you lived in an apartment building whose rules prevented, say, adding a second lock. Even if you changed your lock, you could not give yourself the comfort of two-factor doors.

If there were tens of thousands of such apartments being burgled each day I would be surprised if the answer was not requiring landlords to raise their security standards.

Ultimately it frustrates me to find (yet another) area that criminal activity trivially siphons off cash to the extent we may as well call it a subsidy.


Back when cops used to walk a beat, it was usual for them to check the doors of the closed businesses as they passed to make sure they were still locked.

Whether they locked one if they found it unlocked, I do not know.


Are there really people that want the police to manage their locks? I've genuinely never heard of this idea before but I absolutely don't want the police touching my locks and if my house was broken into I'd want to change the locks myself, immediately.


In England, if the police cannot contact the owner of a burgled property in a "reasonable time" they will call a company to board it up. The property owner (or their insurance) is charged by the security company.


I also want the police to do the dishes and take out the trash...

There are things people are personally responsible for.


A story in the UK (attributed to any number of well known bank robbers) was after they were caught and doing a long stretch, their wife arrives and says the allotment is over-grown and needs digging up. So they ask to see the arresting detective, say "if I tell you where I hid the loot, can I get a reduced sentence", and then announce it's buried under the allotment.

Twenty police dig up and de-weed the allotment the next day, and everyone laughs.

Dishes not done of course :-)


Change the analogy from house to hotel room and management, it'd be more fitting.


Yes. I tried a reply above - I think the episode of CSI:Locksmiths has got a few strong replies :-)


This is making me wonder about the legitimacy of gift card resell sites like https://www.raise.com/


How does this work please


Gift cards cannot be cashed out, right?

I don't follow how this scam can be profitable. Are they reselling the gift cards? I did not find that mentioned in the article.


Yes they resell the gift cards. If I quote the article: "... these accounts can all be cleaned out and deposited onto a gift card number that can be resold quickly online for 80 percent of its value"

Additionally, a quick google search for "sell gift cards online" reveals many sites that offer the ability to sell your gift cards. One example: https://www.cardcash.com/sell-gift-cards/


Quote:

Why go after hotel or airline rewards? Because these accounts can all be cleaned out and deposited onto a gift card number that can be resold quickly online for 80 percent of its value.

“These guys want that hard digital asset — the cash that is sitting there in your inbox,” Bill said. “You literally just pull cash out of peoples’ inboxes, and then you have all these secondary markets where you can sell this stuff.”


Some gift cards can be cashed out conditionally. For example, California requires that gift cards under $10 be redeemable for cash.

Outside of that, there's a huge grey market for "discounted" gift cards. That's probably where most of these are going.


Reselling for 80% of value per article.


they can sell a $50 gift card for $40 or something


I have tried to do this legitimately for unwanted gifts and it's a lot of work. Posting a gift card on the normal buy and sell sites attracts every scammer in the country who all pretend to have sent payments or send fake paypal emails to you and get angry when you don't hand over the code.

And then even when they do pay you they could always tell paypal that the code didn't work.


There's sites you can sell them to, rather than individuals. I've sold lots to a few different sites and I've never had any issues.


Paxful.com


Turns out it is more profitable to just take everyone's inbox cash than to offer them a service to make their own cash visible to them for a % fee


I reclaimed one of these accounts for a customer of mine - literally 15 minutes ago.

The first scam email was "Hey. Catching up." The follow-up email was "I'm in a bind tonight. Unexpected bad thing happened. Can you order this gift card and send it to my relative for me?"

The initial phish was a bogus AOL email saying there's a system change coming up and the customer needs to log in and apply the change to their email account.


I have a Comcast email account that was hacked years ago. They even got my password from Comcast. (I have been giving Comcast $200 monthly, and just figured they had decent security?)

I now have 2FA from Comcast, but I get hacking emails daily. I don't care about the emails. They keep me up to date on the latest scam.

This email is not attached to anything important besides my doctor.

Is there something a Russian hacker could do with my email address? I said Russian because they told me they were Russian. 15 years ago I responded to a friendship ad on CL, and that's how I got on the sucker list.


Of course, tons of queries for crypto exchanges


Are stolen airline miles really that valuable?


Normally? Yeah. Stolen? Yeah, sort of.

Banks, hotels & a few airlines let you convert points to gift cards but the conversion rate for miles in particular is trash (less than $0.01 / mile).

Using them for an international business / first class flight can easily pass $0.05 and often $0.10 or $0.20 per mile, but this makes it easy for the airline to cancel & return the miles unless someone is flying same-day.


Yes. They can be turned into gift cards and resold online. I remember reading somewhere that most of an airline's profits come through their loyalty programs.



