The place to dump all kinds of scam numbers to prank call them and also to
spread awareness against such scammers. Find active scam numbers daily! NOTE:
POSTING ANY KIND OF PERSONAL NUMBER (INCLUDING SPOOFS) IS STRICTLY AGAINST THE
RULES. If you see a personal number, REPORT the post and/or DM a moderator.
Matrix Space [https://matrix.to/#/#ScamNumbers:matrix.org] Subreddit
[https://www.reddit.com/r/ScamNumbers/] 1. Do not post personal phone numbers.
You are NOT allowed to post personal phone numbers of any kind, including the
scammer’s personal phone number. 2. No harassment. This community strictly
forbids harassing other people, for example by posting other’s personal phone
numbers to prank call them. If prank calling scammers, please to not overly
harass them. There is a line between a small joke prank call and completely
harassing someone. 3. No “Any numbers?” posts No “Anyone have any numbers?”-type
posts are allowed. That’s what the whole point of the sub is. Sort the subreddit
by “New” to see (possibly) active numbers. Other questions are fine though. 4.
No scambait videos/pictures without contact info Videos and pictures of
scambaits must include the scammer’s contact information somewhere that is
easily visible (title, thumbnail, top bar of texting apps, etc.).
With almost 40k subscribers on Reddit, r/ScamNumbers is one of the most useful online databases for tracking down scam phone numbers. Some use the information for awareness, while others take advantage by prank calling scammers to waste their time.
Whatever the case may be, we have a zero-tolerance policy towards personal phone numbers. We have enforced this rule severely on Reddit and will do the same here.
I hate that Google is exerting even more control on the internet with their TLD, but I don’t really think this attack is made all that much worse with .zip TLD. I can already bury a .com in a long URL and end it in .zip just fine like so:
The truth is most people don’t look much at URLs outside of a domain to verify its authenticity, at which point the .zip TLD does not do much more harm than existing domains do.
For mitigation, Firefox already doesn’t display the username portion of the URL on hover of a link and URL-encodes it if copy-pasted into the url bar. It also displays the punycode representation when hovering or navigating to the second example.
Edit: looks like lemmy now replaces 0x2215 which is a character that looks like forward slash with an actual forward slash, so my comment is a bit more confusing. For clarity, the slashes beforeexample.com in the above urls were 0x2215 and not “/”.
Great writeup and easy to understand. What would be a solution to this problem?
I hate that Google is exerting even more control on the internet with their TLD, but I don’t really think this attack is made all that much worse with .zip TLD. I can already bury a
.com
in a long URL and end it in .zip just fine like so:https://github.com∕foo∕bar∕[email protected]/foo/bar/baz.zip
Or even use a subdomain to remove the @:
https://github.com∕foo∕bar∕baz.example.com/foo/bar/baz.zip
The truth is most people don’t look much at URLs outside of a domain to verify its authenticity, at which point the
.zip
TLD does not do much more harm than existing domains do.For mitigation, Firefox already doesn’t display the username portion of the URL on hover of a link and URL-encodes it if copy-pasted into the url bar. It also displays the punycode representation when hovering or navigating to the second example.
Edit: looks like lemmy now replaces
0x2215
which is a character that looks like forward slash with an actual forward slash, so my comment is a bit more confusing. For clarity, the slashes beforeexample.com
in the above urls were0x2215
and not “/”.