from Net Politics and Digital and Cyberspace Policy Program

An Open Letter to Thomas Chandler, a Sub-Par Cybercriminal

Cottage on Moosehead Lake Dana Moos/Flickr

If an online deal is too good to be true, it's probably a scam.

July 31, 2017

Cottage on Moosehead Lake Dana Moos/Flickr
Blog Post
Blog posts represent the views of CFR fellows and staff and not those of CFR, which takes no institutional positions.

Dear Thomas,

Thanks for your offer to rent the “brand-new luxury townhouse” in lovely “seaside Portland, ME.” Really, it’s too good of you to give it to us for a mere $1,500 a month. Most units on Airbnb are going for twice that per week this time of year. Guess I found a real bargain hunting on Craigslist! Unfortunately, I’m going to have to pass. And, thanks to a little help from the friendly folks at the United States Secret Service Cybercrime Unit, I figured out that you don’t own the unit you were trying to rent. You don’t even exist.

More on:

Cybersecurity

Transnational Crime

Because I work in public policy, I feel it is my responsibility to give you and your fellow petty cyber criminals a few tips. After all, the internet was designed for scams like yours. Pay attention, and in no time you’ll be slinging bitcoin around the globe with the best of them:

  • Do some research. It took me five minutes searching through property records to figure out that you did not own the home you claimed to be renting. For the sake of the nice couple who do, I’m not going to give out their address. All you needed to do was pretend to be one of the owners and spin up an online alias to match. There is nothing in the internet ecosystem to prevent that. It’s called identity fraud. Get with the program.
  • Come up with a plausible email address. I get it. A few years back the play was to pretend to be a cheaper Airbnb or vrbo.com so you bought urvachome.com (that’s short for “your vacation home”—clever). That didn’t work. So, now you are just some guy trying to rent out his place on craigslist using info@urvachome.com as an email address and a website that doesn’t work. So, if you are going to be Thomas Chandler, be Thomas Chandler. Tchandler169@gmail.com is available.
  • Get a real phone number. Criminals and startups mostly use Google Voice, not retired baby boomers. At least take the five minutes to re-program Google Voice so it doesn’t say “please hold while we try and reach the Google Voice subscriber.” And get an area code that matches your story line.
  • Build your profile online. I couldn’t find you on LinkedIn. Lazy. Once you’ve got your new Gmail account and your new phone number, use it to create false accounts. Take any picture from the web. If your Russian compatriots at a troll farm can do it, you can too.
  • Fake an accent. Thomas Chandler is a good choice for a name—solid New England stock. And two points for being willing to get on the phone with me. But seriously, if I can fake a Russian accent, you can fake an American accent. Total giveaway.
  • Think for five minutes about where somebody who owns a vacation home in Maine might live. Hint, it’s not Kansas. It’s definitely not in the middle of an empty field.
  • Avoid the mail. You are smart to keep your prices low. Not only are you attracting people who want a bargain but you are keeping the crime at the misdemeanor level. But you told me to send the check by FedEx or the postal service just as long as you had a tracking number (ostensibly to verify I had sent it but really so you could snatch it from a fake address). But if I had sent the check through the United States Postal Service, you would have committed mail fraud. That’s a felony punishable by up to five years in prison and a $250,000 fine.

Some will criticize me for providing advice to a criminal like yourself. But let’s face it, what you are doing works. This is cyberspace and the attacker has the advantage. We give it to you because it is simply too easy for you to do what you do and too hard to stop you. Judging by the many properties in your portfolio you have been “renting” out over the years, there are enough victims out there who weren’t tipped off by your too good to be true prices and slipshod tradecraft. Lazy works. And don’t worry about Google taking away your free phone number or GoDaddy unmasking your domain name registration—there is a whole ecosystem out there ready, willing, and able to abet your criminal activity.

Of course, you can count on law enforcement not to care. As the operator at the Portland Police Department told me, until an actual victim loses money, they won’t do anything. And if and when they do, you can rest assured that a cross-border cybercrime investigation is just as hard to do between Maine and Kansas as it is between the United States and Russia. So keep on bottom-feeding in the backwaters of the internet. Nobody is going to stop you.  You are the cost of doing business on the internet, and business is good.

More on:

Cybersecurity

Transnational Crime

Creative Commons
Creative Commons: Some rights reserved.
Close
This work is licensed under Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International (CC BY-NC-ND 4.0) License.
View License Detail
Close