I'm not sure I posted in the right place, but I posted a question about an apparent scam that hinges on GoFundMe's particular behavior at https://money.stackexchange.com/questions/112175/is-this-gofundme-response-a-pattern-of-scam-behavior . From the feedback, people were eventually convinced I'm possibly right, but nobody showed familiarity with the attack; I contacted GoFundMe and got a boilerplate customer happiness about general safety and security. I asked for the customer happiness agent to forward my note to infosec; I haven't gotten a response yet.

I may have made the first response about a line of attack that I believe GoFundMe's infosec team would very much want to know. Can anybody help me get across the style of attack to GoFundMe's infosec?

Christos Hayward
  • I'm not sure what you are asking. Do you want info on an attack launched against GoFundMe or against you? Do you want to know how to describe the attack to GoFundMe support? Can you clarify? – schroeder Aug 05 '19 at 07:24
  • There was an attack made against me that hinged on the fact that an attacker can make GoFundMe say, "We're sending you several hundred dollars," and then a little later, "No, we aren't!" I regard this as a style of attack that GoFundMe's infosec professionals would want to know so that they can reduce or eliminate this way for an attacker to manipulate GoFundMe into helping with their attack. – Christos Hayward Aug 05 '19 at 11:35
  • This is not an infosec problem though. Reaching out to their *defence* team will not get the attention you want. You want to raise a bug/feature request to the developers to change the behaviour of the business logic. I can't imagine why their infosec team would be interested. That's why you got a boilerplate response. – schroeder Aug 05 '19 at 11:39
  • I'm also not seeing a scam. The person pledged but the site said it did not get the funds. *You* reached out and were told something by the person. There is no dodgy process, no scam, nothing to fix. – schroeder Aug 05 '19 at 11:45
  • Could it possibly be a setup for a scam? To pledge and not follow through in order to get direct contact with the victim? Sure. But none of that happened. It is also possible that the person pledged and the funds were blocked. From your description, there is just nothing happening that is "wrong". And certainly nothing that I would want to know if I was their CISO. – schroeder Aug 05 '19 at 11:46

0 Answers