Leboncoin: scammers use the secure payment system to trick you


Alexander Boero

September 06, 2022 at 2:15 p.m.


© Shutterstock

The Leboncoin classifieds site, one of the most popular in France with 140 million monthly visits, remains a formidable playground for scammers of all kinds.

Defense systems evolve, but hackers and crooks have repeatedly proven in the past that they are capable of adapting. As proof, the introduction of the secure payment service on Leboncoin, which dates back to 2018, has never really dampened the ardor of scammers. They continue to be creative, piling up scam after scam.

The scam, always a matter of trust

The community site Signal-Scams, which waded straight in by deliberately playing the victim, alerts us to one of the many scams built around this secure payment system. A user, called Émilie, decides to sell a pair of medical shoes for 10 euros on Leboncoin.

A moment after the ad goes live, she receives an SMS (it could also have been an email) from a potential buyer. He tells her he is interested in the pair of shoes and that he prefers to pay by PayPal or through the site's secure system, which, a priori, is an honest approach.


© Signal-Scams

Émilie continues to chat with the potential buyer, who informs her by SMS that the payment has been made. However, after checking, she finds nothing on her personal Leboncoin account, and she tells him so…

The magic starts to work when, very shortly after pointing out to the buyer that she hadn't heard from the site, she receives a confirmation SMS! Stylistically, it is no work of genius, but the message is properly written, and above all, it comes from a 5-digit number commonly used by many services (Assurance Maladie, Netflix, WordPress, etc.): 38601. The scammer here used a shared transactional short number, provided by an intermediary service used by both legitimate services and scammers.

A scam that goes far

It is therefore difficult (for a consumer who is not very observant) to imagine that this is a scam. Émilie has been put at ease, and she doesn't suspect that anyone can falsify this number. She therefore clicks on the link contained in the SMS, which invites her to transfer the money "received" to her account, and the game begins. The seller lands on a site imitating Leboncoin. It confirms that the payment has been made and that she must now send her bank details to receive the funds.

Going further, we see that the login interface is very similar to that of the ad site, and that it then leads to the page which collects Émilie's bank details. And voilà…


Because, in addition to recovering the bank details, the scammer will be able to bypass a potential two-factor bank authentication by asking for the name of the bank, the bank identifier and the personal code… And if there is a problem, he will pose as Émilie's bank adviser, claiming a security problem. From there, he will have direct access to the bank account of the trapped person, with all the possible consequences that one can imagine, before sending them a confirmation message.

Alas, some people fall into the trap, reassured by the initial trust-building stages (a lever of social engineering), and ultimately less likely to be wary of the fake platform's slightly excessive requests.

The moral, then: if you buy on Leboncoin, never leave the site and do not click on any outgoing link in any message you receive.

Source: Signal-Scams