abc of hoax site investigation

ABC of Hoax Site ABC of Hoax Site InvestigationInvestigation

What is a Hoax/Phishing Site?What is a Hoax/Phishing Site?

A site designed to steal passwords / A site designed to steal passwords / numbers / sensitive information.numbers / sensitive information.

Disguised as a trustworthy entity so Disguised as a trustworthy entity so people fall for the scampeople fall for the scam

Hoax site history at Full Tilt Hoax site history at Full Tilt

First hoax site appeared back in November First hoax site appeared back in November 2005.2005.

A lot of money stolen in March 06.A lot of money stolen in March 06. A lot of money stolen in Sept 06, however A lot of money stolen in Sept 06, however

we were able to recover 90%we were able to recover 90% Seeing a new hoax site every few daysSeeing a new hoax site every few days Majority of hoax sites appear to be from Majority of hoax sites appear to be from

the same group. Very professional.the same group. Very professional. Very few other phishing scams appear.Very few other phishing scams appear.

Our JobOur Job

Respond to all hoax/phishing related Respond to all hoax/phishing related questions.questions.

Investigate accounts to see if they Investigate accounts to see if they have been compromised. have been compromised.

Forward any accounts that have had Forward any accounts that have had funds stolen to Fraud Queue in Kanafunds stolen to Fraud Queue in Kana

New ProceduresNew Procedures

Handbook entry:Handbook entry:file://///tpfs1nw/workflow$/HANDBOOK/HANDBOOK/Initial%20Response%20for%20Hoax%20Relatedfile://///tpfs1nw/workflow$/HANDBOOK/HANDBOOK/Initial%20Response%20for%20Hoax%20Related

%20Emails.html%20Emails.html

Answer emails in Hoax Related queueAnswer emails in Hoax Related queue Determine if player is informant or Determine if player is informant or

victimvictim Place restrictions on accountPlace restrictions on account Respond to player addressing Respond to player addressing

concerns and educate themconcerns and educate them

Email review – Victim or Informant?Email review – Victim or Informant?

Case #1Case #1

----- Original Message ----- From: TOM LOUIE To: support@sign-fulltiltpokercom Sent: Monday, February 26, 2007 5:22 PM Subject: $50000 giveaway

hi, this is jenl88 again. at 2-14-2007 about 4am I was informed that two players visit try fulltiltpoker.com will get the $50000 giveaway. so I did it gave you all the informations ss # credit card # and all the informations. it said the funds will deposit to my credit card account. now I haven't get it yet. it said if I don't get it yet I should e-mail to you after 5 business days. please let me know what happen. thank you!!

Case #1 - VictimCase #1 - Victim

Apply RestrictionsApply Restrictions Review Know100Review Know100 Respond to player. Respond to player.

In this case we would add the web In this case we would add the web address to report Social Security address to report Social Security Number fraud.Number fraud.

(http://www.ssa.gov/oig/hotline/(http://www.ssa.gov/oig/hotline/index.htm)index.htm)


Case #2Case #2

To: support@fulltiltpokercom Sent: 03/03/07 8:14 PMSubject: Received this chat during tournament play…

ACEPUTZ (Observer):========================================System: FullTilt Poker giveaway $50,000. The firsttwo players from this table who visit the websitewww.win50k-fulltiltpoker.com they will win $25,000.Hurry tilters!!! Admin : Chris Ferguson

Case #2 - InformantCase #2 - Informant

Send template XXX.XXXSend template XXX.XXX We thank these players for letting us We thank these players for letting us

know. Tell them how much we value know. Tell them how much we value players like themselves here at Full players like themselves here at Full Tilt PokerTilt Poker


Case #3Case #3

To: security@fulltiltpokercom Sent: 03/03/07 8:17 PMSubject: scam

My name is Joseph Welcome..My Full tilt nicname is anvil1765 my listed email address is [email protected]. I was playing $10+1 11pm tourney game# 13906402 at table #33 when an observe names ACEPUTZ did the $50,000 give away scam....Just letting u know

Case #3 - InformantCase #3 - Informant

Send template XXX.XXXSend template XXX.XXX We thank these players for letting us We thank these players for letting us

know. know.

Tell them how much we value players Tell them how much we value players like themselves here at Full Tilt Pokerlike themselves here at Full Tilt Poker


Case #4Case #4

To: security@fulltiltpokercom Sent: 03/03/07 8:28 PMSubject: scam

I received this message while playing poker at your site. In a moment of stupidity I logged on to the site it looked like the full tilt site so I gave them my login and e-mail but did not give them my password on the next page it asked for net teller or credit card info and then I realized that I was making a mistake. Do I need to change my login?

Case #4 – VictimCase #4 – Victim

Player informed us that they didn’t Player informed us that they didn’t give passwordgive password

We do not need to place restrictions We do not need to place restrictions on account.on account.

Respond to player requesting they Respond to player requesting they change their password just to be change their password just to be safe.safe.


Case #5Case #5

To: security@fulltiltpokercom Sent: 03/03/07 8:28 PMSubject: Very URGENT!! Please help

I went to the website, and it was full-tilt poker website, it told me that I am the second visitor and asked me for my Id and e-mail address. I filled it out and clicked next, and then it asks me for my epassporte ID and password. This is where I am right now. I want to know if this offer is legit. Please reply ASAP.


Player entered PlayerID and email, Player entered PlayerID and email, and was waiting for us to respondand was waiting for us to respond

Assume player was impatient and Assume player was impatient and entered details.entered details.

Follow standard victim proceduresFollow standard victim procedures


Case #6Case #6To: security@fulltiltpokercom Sent: 03/03/07 8:28 PMSubject: possible scam

This was posted in the message part of the table during tournament 13449279. I went to the site and they said congrats etc, fill out name, password, and e-mail address. I did and then it said you could not put the money in my Full tilt account and offered options like paypal. That is when I quit the process.

I changed my password to my account. My screename is 2007orBust and my e-mail address is [email protected].

Please let me know i this was a fraud and if I need to do anything further.


Player entered PlayerID and email.Player entered PlayerID and email. However they had informed us that However they had informed us that

they had changed their password. they had changed their password. Therefore account is secure.Therefore account is secure.

No need to place restrictions or reset No need to place restrictions or reset password.password.

Confirm for player that this was a Confirm for player that this was a hoax site, and thank them for hoax site, and thank them for changing password.changing password.

Reading Know100Reading Know100 Run a Know100 with a big threshold like 9999999Run a Know100 with a big threshold like 9999999 We are looking for a foreign login over the past We are looking for a foreign login over the past

few days.few days.

Foreign Logins

Clean logins

Evidence of chip dumping

Restricting AccountRestricting Account1.1. Select the ‘Security & Limits’ tab in Select the ‘Security & Limits’ tab in

WATWAT

2.2. Check ‘No Play’, ‘No Mix, ‘No Deposit’, Check ‘No Play’, ‘No Mix, ‘No Deposit’, ‘No Transfer’, ‘No Chat’ and hit ‘No Transfer’, ‘No Chat’ and hit Submit and Accept.Submit and Accept.

1 2

Reset PasswordReset Password On Player Summary page, select On Player Summary page, select

Reset Password. Enter ‘Hoax Site Reset Password. Enter ‘Hoax Site Victim – Resetting Password’Victim – Resetting Password’

Notate accountNotate account In WAT, notate account with: In WAT, notate account with:

“ “HOAX: Victim of hoax site. No foreign HOAX: Victim of hoax site. No foreign logins found. Reset password and placed logins found. Reset password and placed restrictions on account. Once player restrictions on account. Once player emails in confirming they have changed emails in confirming they have changed their password, please remove their password, please remove restrictions.” restrictions.”

Note: Please ensure player doesn’t have any Note: Please ensure player doesn’t have any current chat related bans.current chat related bans.

Sending EmailSending Email

We will be using templates, however it We will be using templates, however it should be customized just like every other should be customized just like every other emailemail

If they mention a payment processor, If they mention a payment processor, provide their contact details. provide their contact details.

If they say a credit card, then get them to If they say a credit card, then get them to contact their bankcontact their bank

Sympathize with the playerSympathize with the player Educate with links to our identity Educate with links to our identity

protection page.protection page.

Account used to spam hoax siteAccount used to spam hoax site

1.1. Boot player from system.Boot player from system.2.2. Notate account with: “Hoax Notate account with: “Hoax

Site victim – Used to spam hoax site”Site victim – Used to spam hoax site”3.3. Restrict account.Restrict account.4.4. Send player an email.Send player an email.5.5. Follow handbook to have website removedFollow handbook to have website removed

Note: Do not TRAP account. This will only Note: Do not TRAP account. This will only cause headaches for us.cause headaches for us.

Evidence of stolen fundsEvidence of stolen funds

Pause accountPause account IR the player explaining their account IR the player explaining their account

has been compromised and we are has been compromised and we are investigating.investigating.

Route the follow-up to the fraud Route the follow-up to the fraud queuequeue

abc of hoax site investigation

Technology

victim player

email review victim

tilt site

new hoax site

hoaxphishing site

hoax site history

tilt account

ahoax site