Show HN: Melony – React toolkit for AI chat interface (github.com)

We called the IRS to discuss an issue and we utilized the callback system. We entered our phone number and were told to expect a call back within 30 minutes, from a West Virginia number. I have used this system before so all this was familiar. The call came at the expected time, from the expected area code. However, it turned out to be a scam call center. How is this technically possible?

Comments (3)

rolph · 5h ago

if you have a bad app with contact, or dialing history permissions, someone can keep snarfing your last dialed numbers until they see you dial a number that fits one of the scam workflows they have at ready.

the same principle can be used in browser.

supportengineer · 5h ago

It was an Android phone used. How could I detect such a malicious app? I am not an Android user.

rolph · 5h ago

curating apps for security is like closing a loop tighter.

look for list of malignant apps e.g.

https://duckduckgo.com/?t=lm&q=which+app+is+doing+the+scam+&...

if you have any such apps delete them.

if you see that some bad thing happens, e.g. you get a scam call after requesting callback, you then look at app history, and you look for apps that were active during that time span, and you have a short list of suspects.

the name and description of the app may be misleading, but have an odd permission set, for example a flashlight app that requires contact history and calander access. flashlights dont need that.

look at the permissions of each one, individually for any that allow, in your case, access to contacts, or dialing/dial history.

there is going to be some [system] app[s] that legitimately has this access and presumably, some unfamiliar app, or recently installed app that is abusive. make sure you know the difference!

if your not sure, your can perform experiments such as removing the permissions, or forcing stop of the app, to see if the problem stops, or something complains.

a sophisticated exploit may involve a number of apps working together, to cloak activity, and keep reinstalling if the whole gang isnt cleared out at once.

in this case you may have some other compromise and a password change might be a good idea.

if any of these apps somehow have financial access, you may need to look at replacing cards, and auditing bank / credit activity.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

the last bastion of defense, is how the target responds to the contact. they may be at the edge of competency, thus an easy mark, the target may be contacted at a time they are known to be overwhelmed with the mothly rota of bills and income. the target may have been behaviourally profiled and bombarded with a campaign from all sources and is now acting in a frame; a headspace that seems real, and very urgent.

you may actually have to talk them down out of that headspace, to prevent signifigant, recurring vicimization.

https://www.aarp.org/money/scams-fraud/fraud-tactics/

https://consumer.ftc.gov/consumer-alerts/2024/03/sure-ways-s...

Show HN: Melony – React toolkit for AI chat interface (github.com)

Green Wave: A Plan for Cycling in New York City [pdf] (nyc.gov)

Mazlo raises $4.6M, launches nonprofit finance platform (news.crunchbase.com)

Show HN: Backwalk – A lightweight backtrace library written in C (github.com)

Show HN: Rift (Flexible Translator) – Build Languages in Days, Not Years (github.com)

A World Without Plugins (swyx.io)

Hypervisor in 1k Lines (1000hv.seiya.me)

Show HN: LibPolyCall – Zero-Trust Polyglot FFI with Perfect State Reproduction (github.com)

Ask HN: How high is the bar for AGI? what problems are "AGI-complete"?

How Tim Cook sold out Steve Jobs (anildash.com)

Show HN: Open-Source Game for Kids for Learning Letters and Phonics (letter-learning-game.org)

Show HN: HardView – Cross-Platform Hardware Info and Monitoring (Python/C++/C) (github.com)

Ask HN: How are you using AI / LLMs for coding?

Factors associated with weight loss response to GLP-1 analogues for obesity (pmc.ncbi.nlm.nih.gov)

Book Review: Poor Economics (pelorus.substack.com)

AI Induced Psychosis: A shallow investigation (lesswrong.com)

iOS 18.6.2 – System-Wide Trust Collapse via Anchor Corruption and ATS Reset (github.com)

Why Mark S. Zuckerberg Is Suing Facebook's Parent Company, Meta (nytimes.com)

Consumption of Low- and No-Calorie Artificial Sweeteners and Cognitive Decline (neurology.org)

Show HN: Open-source MCP Tester Agent – Can Claude use your MCP server tools? (github.com)

What I Learned Building My First Jenkins Plugin (mergify.com)

Browser extension gives Claude the ability to think step by step (github.com)

Codebuff: Generate Code from the Terminal (github.com)

Reddit: Evolving Moderation on Reddit: Reshaping Boundaries (old.reddit.com)

K-Pop Demon Hunters Special Drone Show at Ttukseom Hangang Park [video] (youtube.com)

Show HN: ArduinoCogs adds web-based dashboards and config to ESP32 projects (github.com)

Executive Director Cindy Cohn Will Step Down After 25 Years with EFF (eff.org)

The women in love with AI companions: 'I vowed I wouldn't leave him' (theguardian.com)

Cindy Cohn Is Leaving the EFF, but Not the Fight for Digital Rights (wired.com)

Second-Me: run a personal AI that remembers for you, locally (secondme.io)

iPhone Air Gets Faster and More Efficient C1X 5G Modem, but No MmWave (macrumors.com)

Microsoft to Use AI from Anthropic in Partial Shift from OpenAI (reuters.com)

I made the most unique Chrome extension (chromewebstore.google.com)

Show HN: Mermaid-animate, GSAP animations for Mermaid sequence and flow diagrams (jameshealyio.github.io)

Reuters withdraws Xi, Putin longevity video after China pulls permission to use (reuters.com)

Breakthrough Cancer Therapy Moves to Phase 2 Trials (news.gsu.edu)

BatteryScope Device Health Checker (batteryscope.com)

Google admits the open web is in 'rapid decline' (theverge.com)

Show HN: Personalized Learning Pathways (eigenarc.com)

Open Source Game Clones (osgameclones.com)

The Unseen Cost of Custom Domains: Why Manual SSL Management Is Hurting You (vanitycert.com)

Geoffrey Huntle Is Cursed: Making a GenZ slang programming language with Claude (simonwillison.net)

A Mercedes EQS with solid-state batteries drove 750 miles with range to spare (electrek.co)

ADL-CLI – Generate enterprise-grade AI agents from a YAML spec (github.com)

Hypertension Alerts Coming to Older Apple Watch Models (macrumors.com)

All vibe coding tools are selling a get rich quick scheme (varunraghu.com)

Perceived Age (sdan.io)

Mercedes-Benz and Alpitronic to roll out 600 kW fast charging in 2026 (electrek.co)

K2 Think (k2think.ai)

The Worst Air Disaster You've Never Heard Of (longreads.com)

Ask HN: Could scammers have infiltrated the IRS callback system?

Comments (3)