Bsides Cymru 2024

Matt Wixey

Matt Wixey is a threat researcher. He is a former penetration tester, and previously led cybersecurity R&D capabilities at both a professional services firm and a law enforcement unit, digging into emerging attack vectors, vulnerabilities, and new technologies. Matt has spoken at national and international conferences, including Black Hat USA, DEF CON, ISF Annual Congress, 44con, and BruCon.

Session

04-27
10:05
45min
Hurr Durr, He Wrote: That awesome time I trolled the stupidest scammer in the world
Matt Wixey

What do you get when you cross a bored security researcher with a gullible scammer? You get this talk, of course – an epic dive into weeks of trolling, lulz, and horrendous OPSEC.

I’ve been trolling scammers as a hobby for a while now, amusing myself by replying to their email lures with deliberately outrageous scenarios and turns of phrase. Usually, the scammers figure out I’m on the wind-up and disengage pretty quickly.

Not this time.

Join me as we walk through a complex, long-term email scam from start to finish – a journey featuring a ‘solicitor’ who out of the goodness of his heart wanted to help me claim an inheritance worth millions, and a ‘bank’ which was only too willing to facilitate this.

Along the way we’ll meet my slightly unhinged alter ego (the intended victim of this scam), and his fictional, put-upon, and possibly kidnapped roommate, Tarquin Fortitude. Together they turned a simple phishing lure into a litany of trolling involving increasingly ludicrous personal details, the most amateurishly fabricated library card ever, a fake bank transfer, a giant purple envelope, and hilarious misunderstandings. Every time I thought I’d gone too far – like when I asked the scammer to send ME money – the scammer continued to reply, even laying the groundwork for a follow-up scam by telling me their son was undergoing cancer treatment.

But it wasn’t all just for the lulz. As I trolled, I also documented every domain, snippet of information, and attachment, which provided a useful insight into how modern email scammers operate and the techniques and tactics they use. It also eventually resulted in me obtaining some very interesting details about the scammer…

In this talk I’ll tell you the story in all its gory detail, explore some practical learning points, and share the IOCs and TTPs I collected.

Main Room (Ballroom) - Track 1