Mastodon verification scam: The analysis#

I got this fake verification scam and I reported it, but I also opened their website and now I'm trying to feed them with a fake card (from the generator page for app developers) to see what will happen.

🙈

Fig. 1. Modal:

Attention

The bank requested additional bank card information to verify card ownership.

OK
Cancel

It's the first time I meet a verification like that:

Fig. 2. A screenshot of chat message saying:

"You must enter the actual balance of your bank card to avoid errors in adjustments before and after money is credited to your bank card. You must enter the actual balance of your bank card. This is necessary so that the bank card and its owner can be verified and identified by your bank and our system and to avoid errors in adjustments before and after crediting your bank card (e.g. 101.02 - 1002.03 EUR/USD/GBP etc. )."

Meanwhile, in the form:

Fig. 3. Form input for card balance.

I'll go with balance of 71830, which is an old joke in Polish. If you type it on a calculator and turn it upside down, it will read similarly to DEBIL (a moron).

Fig. 4. Modal:

Expect

The bank is processing your data. This may take some time

Oh no!

Fig. 5. Modal:

Error

At this moment we do not cooperate with cards of this bank. You need to specify a card of another bank!

Anyway...

An interesting thing is that they are trying to make debugging of the page as painful as possible by placing a function with only debugger in it. It's fine because I was more interested in requests they make anyway. And also, any halfwit can disable that line in DevTools.

Fig. 6. A screenshot of JS code:

function anonymous(
) {
debugger
}

They send it to their own API which responds with a token that is further used to check the status. However, it got stuck on checking after re-submitting the same fake card for the nth time.

The source code suggests a Russian actor. Comments are straight in Russian and the variable is "okno" (window).

Fig. 7. A screenshot of source code with Russian comments in it.

(Technically it's a property name.)

Then...

It doesn't verify me anymore. Maybe they flagged me or something. From the code I can see that later they might perform SMS verification. I don't think that's a path you're gonna get with a fake card.

However, I also found this. I don't know what ConsoleBan is, but the links leads to a bit unexpected video: https://www.youtube.com/watch?v=dQw4w9WgXcQ (it's safe to click, I swear!).

Fig. 8. A piece of a code that redirects to the URL posted above.

And with that, let's wrap up. Remember, kids, to never click those links and input your real data. Verification on Mastodon is a scam.