VPN-enabled advance fee fraud
TJ Trout
tj at pcguys.us
Mon Mar 21 17:30:37 UTC 2022
ExpressVPN does NOT and WILL NEVER log:
IP addresses (source or VPN)
Browsing history
Traffic destination or metadata
DNS queries
We have carefully engineered our apps and VPN servers to categorically
eliminate sensitive information. As a result, ExpressVPN can never be
compelled to provide customer data that does not exist.
On Mon, Mar 21, 2022, 7:11 AM Andrew G. Watters <andrew at raellic.com> wrote:
> Nutshell version: a group of criminals who appear to be in Mexico have
> created an entire fake law firm and deal flow in the U.S., with
> Photoshopped notary seals and wire instructions. They reportedly use
> ExpressVPN-- the owner of the IP block used by the suspects states that
> it leased the IP block to ExpressVPN under a Letter of Authorization.
>
> The suspects make money by causing victims to wire advance fees to
> Mexico as part of selling their timeshares, and possibly other
> transactions. My client has lost $70k or so thus far. He has received
> legit-looking documents, but upon even a cursory electronic inspection
> they are obvious forgeries. So this gang is savvy enough to steal
> money, but really reckless as well, which may explain why they are
> risking clicking on my links as well. I spoke with the lawyer who they
> are impersonating, and it was news to him that he is in New York City
> running a law firm considering that he retired in another state many
> years ago.
>
> So the suspects are offshore and I'm not sure what I can do. But I
> would still rather have their IP addresses than nothing. Can I have a
> recommendation on the best way to pursue user data from VPN providers
> such as ExpressVPN? I already sent in a notice to preserve logs for the
> involved ASN, and I'm headed to Federal court in the next few days to
> see if I have a chance to get even some of the victim's money back-- or
> at least an injunction shutting down the suspects' online presence. Any
> tips on getting VPN user data (or best practices in this type of
> situation) would be greatly appreciated.
>
> Best,
>
> Andrew Watters
>
> --
> Andrew G. Watters
> Rællic Systems
> andrew at raellic.com
> +1 (415) 261-8527
> https://www.raellic.com
>