Despite its short life, Uber has already faced waves of fraudulent activity. In 2015, hackers broke into and sold wads of Uber accounts on the dark web, and at around the same time scammers in China used modified smartphones to place fake Uber bookings.
More recently, English-speaking fraudsters have also allegedly been spoofing Uber rides, pretending to be both a driver and customer, and tricking the company out of cash in the process.
“Despite the security concerns with hacked accounts and lackluster security that are have [sic] plagued Uber for most of the past year surprisingly, more and more people are joining,” one scamming guide reads. “Let's explore how we have TRICKED Uber into paying us, for nothing, and teach you how you can do the same,” it continues. The alleged process, however, is not exactly straightforward, and there are plenty of steps where a budding fraudster might trip up or get caught.
First, our scammer-in-training needs to create a fake Uber driver account with a “fullz”; that is, a full or near complete stolen identity. Fullz may include someone's name, physical address, Social Security number, contact information, and more. Fullz can go for around $10-$15.
“MAKE SURE you are using a proxy or VPN when you do this, from the city of your FAKE identity,” the guide adds. The scammer also needs to use the identity of someone who owns a car that Uber will accept: the vehicle needs four doors, for example. (Some dealers sell fullz that include car histories.)
The guide then says to download the Uber app onto a smartphone, and upload some fake documentation, including the fullz driver's license and vehicle registration and insurance. The fraudster can fabricate these himself with templates available on the dark web, or pay a counterfeiter to make them. The next step requires a bit of social engineering. According to the guide, a Uber representative will contact the new 'driver', ask questions about their background, and maybe schedule an in-person session.
But the guide says it's not necessary to attend this meeting. After the session date has passed, the fraudster needs to phone Uber, tell the company that they did meet the representative, and that “it hasn't shown up in the system yet.” “95 percent of the time they will just believe you and set you up as a driver immediately,” the guide adds.
Now comes the hard bit. The scammer will need to buy a second phone, and install a GPS location spoofer on it and their 'driver' phone, or boot up an emulator on their laptop. Using hacked Uber customer accounts, the scammer then pretends to be both driver and rider, moving each device's GPS location as if a ride really was taking place. After around two weeks, Uber will deposit the scammer's earnings into their bank drop; a bank account set up with a fake or stolen identity.
Judging by reviews on the forum for AlphaBay, likely the largest dark web marketplace around at the moment, the method did work, at least last year. “The payout is a little slow, and the actual 'work' can be tedious, but it's well worth it, especially during surge times,” one reviewer wrote. According to more forum postings, the method did hit a snag though after Uber introduced additional security measures. It’s unclear if the method laid out in the guide still works.
An Uber spokesperson told in an email, "We have comprehensive safeguards in place to detect and stop fraudulent behaviour before it succeeds and we're constantly innovating to proactively prevent ever-evolving schemes.” Another Uber spokesperson said: "Most of these fraudsters never get paid. Uber's detection systems look at activity throughout the entire lifecycle of an account, not just account creation. Setting up a fake account or conducting fake trips does not mean you'll get paid."