Recently, user account information on the ticketing website Damai.com was stolen, which indirectly led to users in many places across the country being defrauded. At present, at least 17 victims have been defrauded of at least 540,000 yuan. Damai.com said early yesterday morning that the incident was caused by criminals using the "crash library" method (known in English as credential stuffing), and that the information security level of the platform has been fully upgraded. Both Beijing police and Chengdu police said that the case has been accepted and is under investigation.
The victim was directed to "connect to the Internet" at an ATM.
At 9 pm on July 8, the victim, Ms. Xing, received a call from a number starting with "+87". The caller claimed to be an employee of Damai.com and said that, because of an operating error, she had accidentally added a VIP service to her account. If it was not cancelled, money would be deducted from her bank card that night. To cancel it, she had to follow their instructions.
Ms. Xing followed the caller's instructions and found a bank ATM. Later, a "bank employee" called and said that, since the data had to be uploaded to the UnionPay Center, she needed to follow instructions to "operate online" at the ATM. The caller then asked her to insert her bank card into the ATM, go to the transfer page as instructed, and enter two strings of numbers read out over the phone: one was the "order processing number" and the other was the "verification code".
The first time, after Ms. Xing entered the two strings of numbers, the ATM showed that the transfer had failed. The caller immediately asked her to use a different card, and the system then reported that she had successfully transferred 9,988 yuan.
She recalled that the first string of numbers was actually the other party's bank card number, and the second string was the transfer amount. After that, the scammer tried to ask her about her Alipay account. Realizing that she had been cheated, she quickly hung up the phone and called the police.
Ms. Xing said that she had not been suspicious because the caller accurately recited her ID number, mobile phone number, and other information about the performance tickets she had purchased.
Yesterday afternoon, the reporter learned that the Chaoyang Branch of the Beijing Municipal Public Security Bureau has intervened in the investigation of the matter.
Damai.com acknowledged the incident and contacted the victims.
Damai.com issued a statement early yesterday morning saying that some users had used the same registration information on different websites, which criminals exploited. The criminals used the "crash library" method to try to log in to Damai.com and obtain information about users' purchases, and then impersonated customer service personnel to commit fraud, causing some users to suffer economic losses.
According to the explanation of the "Wuyun Vulnerability Platform", the "crash library" attack is also known as the "Internet Leakage Incident". It takes a large amount of leaked user data and relies on users' habit of registering with the same username and password to try to log in to other websites. The reporter checked the platform and found that Damai.com had been reported four times last year for a "crash library" problem, and all of the reports were marked as design defects.
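The login pattern described above (one source trying many different leaked username and password pairs, most of which fail) can be spotted in authentication logs. The following is an added example, not part of the original report and not Damai.com's code; the log format, IP addresses, usernames and thresholds are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample login events: (unix_time, source_ip, username, success)
SAMPLE_EVENTS = (
    # One source walking a leaked list: many usernames, one try each.
    [(1000 + 10 * i, "203.0.113.7", f"user{i:02d}", i == 5) for i in range(8)]
    # A real user mistyping a password: one username, repeated tries.
    + [(1000, "198.51.100.20", "alice", False),
       (1015, "198.51.100.20", "alice", False),
       (1040, "198.51.100.20", "alice", True)]
    # Shared office NAT: several usernames, but every login succeeds.
    + [(1100 + 30 * i, "192.0.2.10", f"staff{i}", True) for i in range(5)]
)


def detect_stuffing(events, window=300, min_users=5, max_success_ratio=0.2):
    """Flag sources that try many distinct usernames in a short window with
    a low success rate, and list the accounts that did log in successfully.

    Thresholds are illustrative assumptions, not recommended values.
    """
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((ts, user, ok))

    flagged = {}
    for ip, rows in by_ip.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):
            # Slide the window so it spans at most `window` seconds.
            while rows[end][0] - rows[start][0] > window:
                start += 1
            win = rows[start:end + 1]
            users = {u for _, u, _ in win}
            hits = {u for _, u, ok in win if ok}
            if len(users) >= min_users and len(hits) / len(win) <= max_success_ratio:
                entry = flagged.setdefault(
                    ip, {"max_distinct_users": 0, "accounts_to_reset": set()})
                entry["max_distinct_users"] = max(entry["max_distinct_users"], len(users))
                # Accounts that succeeded during the run reused a leaked password.
                entry["accounts_to_reset"] |= hits
    return flagged


if __name__ == "__main__":
    print(detect_stuffing(SAMPLE_EVENTS))
```

Counting distinct usernames rather than raw failures is what separates this pattern from a single user retrying a forgotten password, and the success-ratio check keeps a shared office address from being flagged.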
The reporter noticed that in 2014 the Wuyun Vulnerability Platform published a report titled "Improper configuration of Damai.com can lead to the leakage of all users' information", and the vendor replied at the time that it would "modify it as soon as possible."
Damai.com's statement also said that after the fraud incident it had actively reported the matter to the network security supervision department of the administrative authority so that it could intervene in the investigation, and had communicated with users known to have suffered economic losses. At the same time, it has reminded users, through multiple mass text messages and the official channel of Damai.com, to be careful not to be deceived. At present, the technical team has strengthened security precautions for the entire platform and comprehensively upgraded the information security level.
■ Victims' accounts
"My father's funeral expenses were cheated away."
Sixteen other people have had the same experience as Ms. Xing; they are spread across Beijing, Chengdu and other places. They have set up a WeChat group to discuss how to deal with the matter. More than 10 of them are in Beijing. The total amount defrauded is at least 540,000 yuan, and the highest individual loss is nearly 100,000 yuan. "Now I'm looking for a needle in a haystack, and I don't expect to get the money back. I just hope to remind everyone."
A fraud victim in Chengdu said that the "Damai.com employee" had called twice. "The first time I was on vacation in Japan and I ignored it. The second time I had returned to China, everything was complicated, I wasn't thinking, and I was cheated of 6,287 yuan."
Another victim in Chengdu was cheated out of her father's funeral expenses. "I originally wanted to buy a better cemetery plot for my father, but now I have been cheated and I dare not let my family know." She said that the case has been accepted by the Jinjiang Branch of the Chengdu Public Security Bureau.
According to Guangxi media reports, on July 10, a woman in Nanning was cheated of more than 60,000 yuan by the fake "Damai.com customer service".
At present, the Jinjiang Branch of the Chengdu Public Security Bureau has also accepted the case, and it is under investigation.
■ Lawyer's statement:
Victims can hold the website administrator liable for infringement.
Chang Sha, a lawyer at Kyoto Law Firm, believes that this behavior is a new type of telecommunications fraud that differs from traditional fraud methods but still constitutes the crime of fraud under criminal law.
Chang Sha said that website users should promptly save relevant transfer records, call records, bank statements and other evidence, and report the case to the public security organs as soon as possible. After the police arrest the suspect and a public prosecution is filed, a criminal and civil lawsuit can be filed to demand that the suspect compensate them for their losses.
In addition, Damai.com's actions do not constitute a criminal offence and can only constitute a civil tort. In this regard, a victim can separately file a civil lawsuit with the court, demanding that the website administrator be held liable for infringement.