Piggycoupons.com ranks in the top quarter million sites in the world and almost in the top 100k for the US (see Alexa). If you are an ordinary user looking for a coupon then you won’t notice anything out of the ordinary when browsing through this site.

[Image: affiliate fraud]

Piggycoupons is an affiliate that has an indirect relationship with a number of online merchants via an affiliate network. For each merchant, Piggycoupons receives a tracking or click link that it will use when trying to market the merchant. Much like publishers in the online advertising world publish ads that are relevant to their content (hopefully resulting in more click throughs), affiliates try to market their merchants in an effort to get their users to click through on their affiliate links and buy something. Instead of being paid per click, an affiliate is paid if the end user buys something from the merchant after a click.

So a user could browse Piggycoupons today, click through on one of their merchants and only decide to buy something tomorrow. If a sale occurs, the merchant pays the affiliate network and the affiliate network pays the affiliate. The reason this transaction does not have to happen in a single browsing session is because tracking cookies are placed on the user’s machine upon clicking on one of the links handed to an affiliate by the affiliate network.

Enter the Rogue Affiliate

Rogue affiliates try to get around the click part of a transaction by forcing the click to happen no matter what. This results in the tracking cookies being stored on the user’s machine without an affirmative action (a click) from their side. The hope of the rogue affiliate is that the user will eventually end up buying something, and if they do then this affiliate will be paid (even if he did not earn it!).

Rogue affiliates are tough to compete with because they don’t play fair. By forcing the click through they will simply overwrite the cookies of honest affiliates.

This Little Piggy

If you fire up your favorite DOM inspector and take a closer look at this page on Piggycoupons, you will find that line 261 of their HTML has the source of an image set to an affiliate click link.

[Image: cookie stuffing]

The browser will try to render this image by following the click link and storing all associated cookies that come back. This is faking a click. Since this is not a valid image link, the browser will be unable to render anything so a broken image icon will be displayed. Piggycoupons knows that what they are doing is wrong and that a broken image will give them away, so they try to hide what they are doing by setting the width and height of the image to 1 pixel.

In the image below we don’t notice the broken image:

[Image: cookie stuffing]

I modified the DOM of Piggycoupons and altered the width and height of the malformed image, red arrows lead the way:

[Image: cookie stuffing]

Remember, this affiliate is not playing fair. Having a malformed image set up in this manner forces a click on every user that visits this page. The net effect has this affiliate potentially stealing revenue from honest affiliates and/or claiming unearned revenue from merchants.
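A static check for the pattern described above, as an added example that is not code from the original post: it walks a page's HTML and reports every img or iframe whose src is an affiliate click link, with the source line and whether the element is sized or styled to stay out of sight. The click-link patterns are assumptions: awclick.php is the click endpoint named later on this page, click.affnet.example is a constructed placeholder, and the sample HTML is constructed.

```python
import re
from html.parser import HTMLParser

# Assumed click-link patterns. "awclick.php" is the click endpoint named on this
# page; click.affnet.example is a constructed placeholder for any other network.
CLICK_LINK_PATTERNS = [
    re.compile(r"/awclick\.php\b", re.I),
    re.compile(r"^https?://click\.affnet\.example/", re.I),
]


def is_click_link(url):
    return any(p.search(url) for p in CLICK_LINK_PATTERNS)


def _pixels(attr_value, style, prop):
    """Return width/height in px from the HTML attribute or the inline style."""
    if attr_value:
        m = re.match(r"\s*(\d+)", attr_value)
        if m:
            return int(m.group(1))
    m = re.search(r"(?:^|;)\s*%s\s*:\s*(\d+)" % prop, style)
    return int(m.group(1)) if m else None


class ForcedClickScanner(HTMLParser):
    """Collects <img>/<iframe> tags whose src is an affiliate click link.

    A plain <a href> to the same link is ignored: it needs a real click.
    """

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("img", "iframe"):
            return
        a = {k: (v or "") for k, v in attrs}
        src = a.get("src", "")
        if not is_click_link(src):
            return
        style = a.get("style", "").lower()
        width = _pixels(a.get("width"), style, "width")
        height = _pixels(a.get("height"), style, "height")
        # 1x1 sizing or CSS hiding is the concealment step described above.
        concealed = (
            (width is not None and width <= 1)
            or (height is not None and height <= 1)
            or re.search(r"display\s*:\s*none|visibility\s*:\s*hidden", style) is not None
        )
        line, _col = self.getpos()
        self.findings.append(
            {"line": line, "tag": tag, "src": src, "concealed": concealed}
        )


def scan(html_text):
    scanner = ForcedClickScanner()
    scanner.feed(html_text)
    scanner.close()
    return scanner.findings


# Constructed sample page (not taken from any real site).
SAMPLE_HTML = """\
<html><body>
<img src="/images/logo.png" width="120" height="40">
<img src="http://network.example/awclick.php?id=00000" width="1" height="1">
<iframe src="https://click.affnet.example/r?aff=demo" style="display:none"></iframe>
<a href="http://network.example/awclick.php?id=00000">Get the deal</a>
<img src="https://click.affnet.example/r?aff=demo" width="300" height="250">
</body></html>"""

if __name__ == "__main__":
    for f in scan(SAMPLE_HTML):
        flag = "concealed" if f["concealed"] else "visible"
        print("line %d: <%s> loads click link %s (%s)" % (f["line"], f["tag"], f["src"], flag))
```

A finding that is not concealed still matters: the browser follows the link as soon as it tries to load the element, whatever its size.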

Merchants impacted by Piggycoupons are logogarden.com and zalora.com.hk

Fraudster Score

This fraudster scores a pitiful 1/10:

  • 1 point for the most basic form of Cookie-Stuffing

* Update 5/16/2013 *

The folks from Piggycoupons got in touch with me, insisting that this was an innocent mistake made by their editor, who intended to paste an image tracking link and not a click link on the several pages that were guilty of Cookie-Stuffing. Piggycoupons assured me that all traces of Cookie-Stuffing have now been removed from their site.

From previous posts, we know that accidental Cookie-Stuffing is definitely possible. Hopefully this was an innocent mistake and Piggycoupons is trying to play the affiliate game fairly after all.

I recently received a number of emails from readers asking me to provide more samples of abuse in Hostgator’s affiliate program. At the time I could not help but wonder to myself why the sudden interest, specifically from what seemed to be concerned Hostgator affiliates.

Having discussed Hostgator a few times [1, 2, 3], we know that Hostgator runs their affiliate program without a middleman, so there’s no affiliate network in between them and their affiliates. It looks like they also run through the CJ affiliate network, but their own affiliate program seems to take priority over this.

Now if I were a business looking to start an affiliate program, I’d certainly consider the option of setting up my own affiliate program from scratch and completely excluding the affiliate networks. I think it would come down to a few deciding factors, the biggest one of which (at least for me) is fraud.

One can make the argument that it is not within the interest of an affiliate network to completely crush fraud, so why should merchants sign up with them? If you read through post after post on this blog, you might find yourself making this argument. That’s not to say all affiliate networks are bad and not to be trusted, just that one should carefully select an affiliate network before moving in their direction. Some of the affiliate networks are phenomenally proactive and hell bent on ridding their networks of fraud, obviously these are the ones you want to steer towards.

I think it’s important to select the right affiliate network because when one decides to cut them out of the picture and implement one’s own affiliate program, then one has to earn the intellectual capital required to tackle the complexities of affiliate fraud.

Businesses that run their own affiliate programs are massive targets for affiliate fraudsters

Detecting affiliate fraud is not trivial. Sure, loading a page that you already suspect of the most basic type of fraud (a 1/10 on our rating system) and checking the cookies folder for a false drop is trivial, but this type of fraud is for kids.

Sifting through millions of pages to find the page of a career fraudster, recreating the context expected in order to reproduce the fraud using hundreds of machines spanning dozens of countries around the world 24/7 is not for kids. Understanding huge, complex systems, the likes of what the advertising networks bring to the table, and how they can be exploited to the advantage of rogue affiliates does not happen overnight. Now add malware, suspect toolbars and adware to this picture, then combine all of this with the services offered by PPV “partners” and you’re in for quite a ride.

Don’t get me wrong, this is not an insurmountable problem. But it’s not an easy one either. If you’re a business thinking of cutting out the middle man in your affiliate program then I’d strongly recommend thinking it over one more time. The right affiliate network is out there and they are probably better at detecting fraud than you are.

“Enough talk, show me some LIVE examples!”

Example #1

www.webhostingdeals.org is a Hostgator affiliate who is Cookie-Stuffing their visitors. Load up this page and scroll down until you see the Hostgator logo:

[Image: hostgator affiliate fraud]

The red arrows above are highlighting an iframe that loads the Hostgator page via an affiliate link. This is essentially falsifying a click through to Hostgator. Upon seeing this page in your browser, if you sign up to Hostgator within a short period of time then the affiliate behind this scam will be paid an unearned commission. A packet trace of the infraction for your convenience. The code responsible for kicking off the redirect is on line 198 of the source HTML for the page:

[Image: hostgator affiliate fraud]

This practice is clearly against the Hostgator Terms of Service, see section 5:

In addition to the foregoing, we will immediately terminate your participation in the Program if we believe you have engaged in any of the following:

  • Unsolicited mass e-mail solicitations, IRC postings or any other form of spamming, including but not limited to, newsgroups or AOL customers or otherwise violate the anti-spamming policies of HostGator or state law;
  • Provide inaccurate or incomplete information to HostGator concerning your identity, address or other required information; 
  • Attempt to cheat, defraud or mislead us in any way; 
  • Misrepresent to the public the terms and conditions of our sites or your sites;
  • Engage in popup advertisement network activities; 
  • IFrames may not be used unless given express permission by HostGator, sales made through hidden IFrames or Cookie Stuffing methods will be considered invalid

This site targets another two merchants (who also happen to run their own affiliate programs) using a similar tactic:

The offending Hostgator affiliate id in this scenario is darenshawn-review, which is very similar to the next affiliate id that is up to the same mischief.

Example #2

www.reviewhostgator.org is a Hostgator affiliate that is cookie-stuffing their visitors. Load up this page and scroll down until you see the Hostgator logo:

[Image: hostgator affiliate fraud]

The red arrows above are highlighting an iframe that loads the Hostgator page via an affiliate link. This is essentially falsifying a click through to Hostgator. Upon seeing this page in your browser, if you sign up to Hostgator within a short period of time then the affiliate behind this scam will be paid an unearned commission. A packet trace of the infraction for your convenience.

The affiliate id responsible for this scam is darenshawn-reviewhostgator.

Example #3

Typosquatter hoastgator.com (note the additional ‘a’) is laundering traffic through cheap-kingdom.us before forwarding it on to Hostgator via an affiliate link. Hostgator probably has a relationship with Cheap-kingdom, but do they know that Cheap-kingdom is typosquatting? If so, then why does Cheap-kingdom hide the typo URL as a source of the traffic? From this packet trace, note that cheap-kingdom uses http://cheap-kingdom.us/store/web-hosting/web-hosting-3000.php as the referrer for the traffic to Hostgator.

The affiliate id responsible for this is skycrakr

Example #4

Examples 1 - 2 are classic cookie-stuffers. User visits a site on the Web, fraudster drops a cookie and hopes that the user makes his way over to hostgator and signs up within a short period of time so that commission can be sent the fraudster’s way.

Example 3 has an affiliate squatting around the Hostgator mark and redirects anyone who mistakenly types in hoastgator.com through to hostgator.com via an affiliate link. Typosquatters will argue that they are providing a service, but I disagree.

What about users that are not visiting hosting review sites, or did not mistakenly enter the Hostgator address, is there any opportunity to get in on the remaining slice of the pie? Of course there is! Thanks to PPV networks (who will also say they are providing a valuable service), a fraudster can inject himself into almost any transaction and claim unearned commissions. See for yourself in this video.

Wow!!!! Hostgator affiliate chandran paid a PPV network to send visitors of hostgator.com to his own site (hostgatorvps.com) in the form of a popup. The affiliate then routes the visitor back to hostgator using his affiliate link.

If you’re an honest affiliate competing for the same users as chandran, know that you do not stand a chance. Whatever you invested in getting your users to click on your affiliate links will most likely not count at all. The reason for this is simply because the cookies on the machine associated with your affiliate account will be overwritten by chandran’s cookies the moment your visitors land on hostgator.com!

Not familiar with the Bargain Hunter scam? Read up and then let’s get to it.

1. Scammer Sets the Trap

This cars.com ad has a 2005 Ford F150 FX4 available for approximately $3,000 below book value.

[Image: ebay scam]

As it stands, this looks like a good deal, but not a smokin hot deal that would have me drop everything (including my common sense) and rush off to pay the seller. It’s important that this looks like a good deal and not a ridiculous bargain. The reason for this is to throw fraud investigators off the trail.

“Hmm, a good deal with lots of pics and a brief write-up, this ad looks okay” said the investigator, and moves on to select another ad that is a lot more suspicious.

If this ad was investigated, it was eventually given the a-okay. If it was not investigated, it should have been. But even if it had been, the fraudster behind this ad is slightly above par, so it’s unlikely that it would have been flagged.

So what do we know about this ad so far?

  1. The car for sale is offered at a price that seems quite believable
  2. The ad itself has been active for at least three weeks; this is confirmed by Google’s cache.
  3. Unlike 99% of the Bargain Hunter scammers out there, this ad has been paid for! We know this because the ad has ten pictures. From the seller packages on cars.com we know this costs $20.

[Image: ebay and cars.com scam]

2. Victim Takes the Bait

So what we have here is a scammer that separates himself from the rest of the drivel by setting carefully laid traps that are designed to throw investigators off of the trail right from the start. If you were to decide to investigate further for yourself, you would  be surprised to note that this scammer will probably not even reply to your first inquiry. This is because the scammer is sampling, i.e., he only replies to 1/N requests.

The scammer adds yet another obstacle with the introduction of a delay. So even when he decides to respond to your request for more information on the vehicle, he will only respond once some time has passed. In my investigation, he waited two days before replying.

When we started communicating, he slowly paved the way to the real bargain (designed to have me drop everything and rush to pay before someone else does). His emails follow:

From: WILLIAM RODRIGUEZ (wr75666@gmail.com)
Subject: Re: Cars.com used car lead for W RODRIGUEZ - 2005 Ford F150

Hi,

I am glad that you are interested in my car. I am willing to sell it
for $6.500. This car has NEVER been in an accident. The car comes
FULLY loaded with EVERY option available. All scheduled maintenance,
Always garaged, Fully loaded, Highway miles, Looks & runs perfect,
Maintenance records available, No accidents, Non-smoker. The car is
registered on my name and the title is clear (no lien).

First of all please let me know where are you located ?

I will also need to know if you require a loan ? Or the 
funds are available ?

Thank You

And now what makes this a smokin’ hot deal..

From: WILLIAM RODRIGUEZ (wr75666@gmail.com)
Subject: Re: Cars.com used car lead for W RODRIGUEZ - 2005 Ford F150

The truck is in FL and I am now in HI opening a new business so I
propose to close the deal trough eBay Motors, since they are the
biggest and the most trustworthy online market place, under their
Vehicle Purchase Protection Program. Basically, it's similar to
buying a Car locally, the money will be sent to their holding
account, and they will keep the money until you will receive the
Car. 

After they inform me that they have secured your payment
into their account, I'll deliver the Car to your address and pay
the shipping myself. After you will test drive it, inspect it
for 7 days and decide to keep it, they will forward the money to
me once you have approved them to do so. If you won't like or if
it is not as advertised, which I can assure you it won't be the
case because it's a state of the art vehicle, the Car will be
returned to me at my expense and you get full refund from eBay
Motors.

To register the deal at eBay I need from you these info:

eBay user ID, full name, address, city and state.

As soon you give me these details I will register the deal and
eBay will send you the invoice.

Waiting your reply.

Thank you

Now that’s what I call a deal:

  • The transaction is managed by eBay Motors
  • Shipping is paid for by the seller
  • If I don’t like the car I can return it for a full refund.

Of course, all of this is total nonsense, it’s just a trap to lure me into thinking that this is going to be a win-win deal for me, no matter what.

3. Scammer Gains Victim’s Trust

A day passes and I am contacted from eBay Motors.

[Image: cars.com ebay scams]

Payment instructions followed in a second email.

From: eBay Motors (ebay@motor-checkout.com)
Subject: eBay Motors Transaction #160847667439 Payment Information

We are contacting you regarding the eBay Motors Transaction 
#160847667439 (2005 Ford F150 FX4) registered with eBay by 
William Rodriguez.

Our transaction department issued a invoice for your purchase. 
The payment ($6,500.00) must be submitted through bank wire 
transfer to the following Bank Account:

Bank Name: Citizens Bank
Account #: 8203142824
Routing #: 031101143
Beneficiary Name: Bawa Awumbila
Bank Address: 146 Fox Hunt Drive, Bear DE 19701, USA

You must confirm the payment by replying to this e-mail with 
the following payment information:

Case Id #:
Tracking # of the wire transfer:
Sender's Name:
Total Amount Sent:

Please also fax the bank wire transfer documents at: (206)-984-2799.

Please reply this e-mail if you have more questions.

Thank you for using our services, 
eBay Motors Department

Obviously this is not an email from eBay Motors, a quick visit to the site responsible for delivering the email confirms this:

[Image: cars.com scam]

I feel that the perpetrator here has fallen short of what was thus far a well executed Bargain Hunter scam. If he had redirected the victim’s browser through to the real eBay Motors page, it would have been a lot better than the trashy looking parked page that is presented.

4. Victim Sends Money

The scammer gains the victim’s trust by posing as eBay Motors. Upon receiving payment instructions, the victim rushes out to pay eBay Motors through a wire transfer. When one sends money via wire transfer, the money is gone and the transaction cannot be reversed.

“But you can just follow the money”

Well yes, you can just follow the money, but the trick is that the money is siphoned through other innocent victims (aka money mules). The longer the trail of money mules, the harder it is to follow the money. Even if you did follow the money all the way to its very end, you would most likely find that the money has been wired to an individual in a foreign country; so now what are you going to do? Fund an investigation spanning multiple countries for a fellow who lost six thousand dollars? Probably not.

What does this scammer score?

This scammer is above par when compared to the rest of the drivel competing for victims in the Bargain Hunter barrel. I give him a 5.5/10

  • 1 point for a classic bargain hunter scam
  • 2 points for buying an ad on cars.com. I believe he used legitimate resources here as well, i.e., he probably spent his own money. The reason I believe this is because of the length of time that the ad has been running. If he used a stolen credit card, then cars.com would have found out by now that the ad was purchased through illegal means and the ad would have been disabled.
  • 1 point for posting a believable ad and not a ridiculous bargain
  • 1/2 point for sampling replies (and throwing off investigators)
  • 1/2 point for introducing delays (and throwing off investigators)
  • 1/2 point for infringing on the eBay Motors brand

As always, there is a lot of room for improvement. I would have liked to have seen this scammer employ phone verification, by having a chat with me on the phone he introduces additional obstacles to investigators (reducing the chance of him getting caught). I think he should have also invested some time on the falsified eBay Motors domain. What he has running on motor-checkout.com is sloppy, and it will surely cost him.

I’m a Victim! What now?

  1. Your money is gone
  2. Take the time to report this crime
  3. If you were nailed by the same scammer from this post, I believe he may have made a mistake that could help you a little: motor-checkout.com is running ads, so the scammer is a publisher with a payment instrument registered at an ad network (potentially no money mules involved!)

Of course, prevention is better than a cure. From a 2011 FBI Press Release, online shoppers should be cautious of the following situations:

  • Sellers who want to move the transaction from one platform to another (for example, from Craigslist to eBay Motors)
  • Sellers who claim that a buyer protection program offered by a major Internet company covers an auto transaction conducted outside that company’s site
  • Sellers who push for speedy completion of the transaction and request payments via quick wire transfer payment systems
  • Sellers who refuse to meet in person, or refuse to allow the buyer to physically inspect the vehicle before the purchase
  • Transactions in which the seller and vehicle are in different locations. Criminals often claim to have been transferred for work reasons, deployed by the military, or moved because of a family circumstance, and could not take the vehicle with them
  • Vehicles advertised at well below their market value. Remember, if it looks too good to be true, it probably is.

Travelpixel.com is ranked in the top 100,000 sites in the UK. From their About Us page:

At TravelPixel we hand pick our deals by analysing individual sites one by one. The deals we select then go through our moderation checks to ensure they are valid, offer great value and are clearly displayed.

So they hand pick their deals by analyzing sites one at a time, super, but they hand pick their targets for affiliate fraud one at a time as well, i.e., travelpixel.com is Cookie-Stuffing.

Said the Affiliate: “no, no, it’s all a big mistake!”

It’s easy to say this is all a big mistake and it won’t happen again. Rogue affiliates try to sell this nonsense all of the time. Unfortunately for Travelpixel, the scheme they have concocted here makes it difficult to sell as a mistake.

Said the reader: “alright then, how do they do it?”

If you’re a savvy fraud investigator and have a few moments for a little challenge, then visit this Travelpixel page and try to get to the bottom of what’s going on before reading any further. Remember, finding a Cookie-Stuffer is easy, but telling the story of what’s going on and how it’s happening is the challenge.

For those that don’t have a debug environment (or the patience) on the ready, take a look at this packet trace. In a nutshell:

  • The merchant targeted is holidayextras.co.uk
  • Affiliate Window is the affiliate network used (affiliate id 69714)
  • The false click (awclick.php) was triggered as a result of a 302 redirect from travelpixel.com/galaxy.php
  • travelpixel.com/galaxy.php was triggered as a result of a 302 redirect from travelpixel.com/v4_images/…_travelpixelcom.jpg

The question now is what triggered the lookup of travelpixel.com/v4_images/…_travelpixelcom.jpg? If you browse the HTML of this site (static inspection) you will find no reference to this image. If you fire up a debug environment and browse the DOM of this site (dynamic inspection) you will still find no reference to this image.

So what’s going on?

They know what they are doing is wrong and that investigators will eventually come-a-knocking, so they introduce two obstacles:

  • First, they thwart a static investigation by obfuscating their activity in JavaScript
  • Second, they hinder dynamic investigation by removing evidence of their wrongdoing from the DOM

The sneaky JavaScript is introduced with a call to travelpixel.com/ajaxify/deal.js:

eval(function(p,a,c,k,e,d){e=function(c){return c.toString(36)};if(!''.replace(/^/
,String)){while(c--){d[c.toString(a)]=k[c]||c.toString(a)}k=[function(e){return d[
e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\
\b'+e(c)+'\\b','g'),k[c])}}return p}('$(c).d(4(){2 3=$(\'#0\').1("e");b(3==\'f\'){
8()}4 8(){2 6=$(\'#0\').1("a");2 7=$(\'#0\').1("9");$(\'#0\').s(\'<g p="5" q="r://
n.m.i/h/\'+6+\'j\'+7+\'k.l"/>\');$(\'#5\').o()}});',29,29,'offer_box|attr|var|timer
|function|description_test|merchantid|rander|testLink|date|ident|if|document|ready|
deal|on|img|v4_images|com|_|_travelpixelcom|jpg|travelpixel|www|remove|id|src|http|
append'.split('|'),0,{}))

If you deobfuscate this JavaScript, it boils down to:

$(document).ready(function()
{
  // The "deal" attribute on #offer_box acts as the on/off switch
  var timer=$('#offer_box').attr("deal");
  if(timer=='on')
  {
    testLink();
  }

  function testLink()
  {
    var merchantid = $('#offer_box').attr("ident");
    var rander=$('#offer_box').attr("date");
    // Appending the <img> makes the browser request the .jpg URL
    $('#offer_box').append(
      '<img id="description_test" src="http://www.travelpixel.com/v4_images/'
      + merchantid 
      + '_'
      + rander
      + '_travelpixelcom.jpg"/>');
    // The element is removed straight away, so it is gone from the DOM
    $('#description_test').remove();
  }
});

This is jQuery that adds an image to the page (using the _travelpixelcom.jpg link we were looking for earlier) and then removes this image from the page directly thereafter.

From the evidence presented, this affiliate is a sneaky bugger that is trying to hide what he is getting up to. Unfortunately for him, the “it was a mistake!” routine just won’t cut it.
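Because the image is appended and removed in one go, neither the page source nor the DOM keeps a trace of it, but the request and its redirects still show up in a network capture. The following added example (not code from the original post) rebuilds redirect chains from a list of captured requests and flags any chain that starts at a URL posing as an image and passes through a click endpoint. The trace entries, the .example hosts and the field names are constructed for illustration; only the galaxy.php and awclick.php path names come from the chain described above.

```python
import re
from urllib.parse import urljoin, urlparse

REDIRECT_CODES = {301, 302, 303, 307, 308}
IMAGE_EXTENSIONS = (".jpg", ".jpeg", ".png", ".gif", ".webp")
# Assumption: the only click endpoint matched is awclick.php, the one named above.
CLICK_ENDPOINT = re.compile(r"/awclick\.php\b", re.I)


def redirect_chains(trace):
    """Return each redirect chain in the trace as a list of URLs, in hop order."""
    by_url = {entry["url"]: entry for entry in trace}
    redirect_targets = {
        urljoin(e["url"], e["location"])
        for e in trace
        if e["status"] in REDIRECT_CODES and e.get("location")
    }
    chains = []
    for entry in trace:
        # A chain starts at a redirecting request that nothing redirected to.
        if entry["status"] not in REDIRECT_CODES or entry["url"] in redirect_targets:
            continue
        chain, seen, current = [entry["url"]], {entry["url"]}, entry
        while current and current["status"] in REDIRECT_CODES and current.get("location"):
            nxt = urljoin(current["url"], current["location"])
            chain.append(nxt)
            if nxt in seen:  # redirect loop
                break
            seen.add(nxt)
            current = by_url.get(nxt)
        chains.append(chain)
    return chains


def forced_click_chains(trace):
    """Flag chains that begin at an image-looking URL and reach a click endpoint."""
    flagged = []
    for chain in redirect_chains(trace):
        starts_as_image = urlparse(chain[0]).path.lower().endswith(IMAGE_EXTENSIONS)
        click_hops = [u for u in chain[1:] if CLICK_ENDPOINT.search(u)]
        if starts_as_image and click_hops:
            flagged.append({
                "start": chain[0],
                "click": click_hops[0],
                "hops": len(chain) - 1,
                "chain": chain,
            })
    return flagged


# Constructed trace: one image request that redirects into a click link, one
# ordinary image, and one click link that is requested directly.
TRACE = [
    {"url": "http://affiliate.example/deals", "status": 200, "location": None},
    {"url": "http://affiliate.example/img/0000_0000.jpg", "status": 302,
     "location": "/galaxy.php?m=0000"},
    {"url": "http://affiliate.example/galaxy.php?m=0000", "status": 302,
     "location": "http://network.example/awclick.php?id=00000"},
    {"url": "http://network.example/awclick.php?id=00000", "status": 302,
     "location": "http://merchant.example/"},
    {"url": "http://merchant.example/", "status": 200, "location": None},
    {"url": "http://affiliate.example/img/banner.jpg", "status": 200, "location": None},
    {"url": "http://network.example/awclick.php?id=11111", "status": 302,
     "location": "http://merchant.example/offer"},
]

if __name__ == "__main__":
    for hit in forced_click_chains(TRACE):
        print("%d hops: %s" % (hit["hops"], " -> ".join(hit["chain"])))
```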

Unsurprisingly, he is targeting multiple merchants over multiple networks, a sample of which is as follows:

Using the CJ affiliate network (affiliate id '1927868'):

www.budget.co.uk
www.ihg.com
www.thomson.co.uk

Using the AffiliateWindow network (affiliate id '69714'):

www.parkbcp.co.uk
www.holidayextras.co.uk
www.travelsphere.co.uk

Said the fraudster: ‘did I at least get a good score?’

I’m afraid not, fraudster, for it’s not like what is being done here is anything new. The obfuscation is a nice touch, but on its lonesome it is simply not enough to get a good score (especially considering what the 5+/10 fraudsters get up to). This site shouldn’t be dropping cookies all of the time (it makes reproduction of the infraction too easy for investigators) and it should be using a demilitarized zone.

As a result, the overall score is a lethargic 3/10:

  • 1 point for basic Cookie-Stuffing
  • 1 point for targeting multiple merchants
  • 1 point for obfuscation and attempts to hinder dynamic and static investigation

Interesting article from BrandVerity on Search Arbitrage using parked domains.

The gist of the tactic discussed is as follows:

  • Unscrupulous publisher of an ad network sets himself up as an advertiser and buys low cost search traffic (sometimes from the very same ad Network).
  • The landing pages of the ads are configured to route through to the publisher’s own pages, which look like low-quality parked pages. In the context of previous articles on iPensatori, this landing page is a demilitarized zone. The publisher is using the landing page to hinder automated discovery and/or investigations from ad networks or concerned advertisers.
  • Upon detecting that the source of the traffic is good (not automated), the parked page presents ads, the highest ranked of which is related to the low cost search traffic that was originally purchased. The trick is that these ads are of higher value (when clicked) than the search ads originally paid for, enter arbitrage.

This is a clever scam that is not easily detected.

Today’s scammer adds a little bit of a twist in step four of the Bargain Hunter scam, it’s not a game changer but it’s simple and interesting enough that I thought it deserves a post of its own. If you’re not familiar with the scam, do some quick reading and then let’s get down to brass tacks with the four steps of the scam:

1. Scammer Sets the Trap

This Craigslist ad in Dallas is the same as this one in Miami, they both advertise a 2002 Toyota Camry for $3890:

[Image: google wallet scam]

The car is very well taken care of. Almost all miles on the car are highway miles, and I have routine maintenance done efficiently. I have had absolutely NO body, engine, or any work of any kind since I have owned it. I am the first owner, and have had schedule maintenance done at a Toyota dealer. Never had a single problem and runs like I had originally bought it. Kept extremely clean, with yearly scheduled detail appointments. The price is FIRM, and well below book value so low-ball offers ar not appreciated, nor will they be considered, so please save your time and keep them

At this price, the Camry is a good deal which gets better upon contacting the scammer.

2. Victim Takes the Bait

I sent an email to the address highlighted in the ad (toyocamry34@gmail.com) asking if the Camry was still available. The scammer responded from a different Gmail account:

From: Victor Morgan (vicmorganjk@gmail.com)

Hey,

This is Victor. I just got your email about my 2002 Toyota Camry LE. 
It's in perfect condition, no engine problems. It's exactly like it's
shown in the pictures. I have all manuals, receipts, documents. It 
has no damage, no scratches or dents, no hidden defects. It was always
garaged and never been smoked in. It has been extremely well 
maintained with a full service history. Clean title in hand, with no 
loans or liens on it. It has 120,600 miles, automatic transmission, 
3.0L V6 engine, power moonroof, ice cold a/c, alloy wheels, power seat,
power windows and locks, factory am/fm stereo cd and more. This is a 
worry free car and gas saver. It does not need anything additional to 
function. The price for the car is $3,900. 

To support my argument regarding the condition of the car, I've added 
a brief photo-presentation. Please visit the following link for more 
details: 

https://plus.google.com/u/0/photos/113831052753381702224/albums/5864391620687550417

Email me ASAP if you are interested in buying it.

Thanks

3. Scammer Gains Victim’s Trust

I thanked Victor for the pictures. Such a grand car for such a sweet price. Victor replies with an explanation of why the car is not in the location where it was advertised to be (he is in the military) and that this will be a sale without an in-person inspection. I am told not to worry because the transaction will be proxied through someone that I already trust: Google.

From: Victor Morgan (vicmorganjk@gmail.com)

Hey,

I am currently stationed at Fort Irwin (U.S. Military training base 
in CA) making final preparations before deploying to Afghanistan. 
The car is here with me at the base and if we reach an agreement the 
shipping won't be a problem because military has a considerable 
discount, so I can handle it by myself with no charges whatsoever on
your account. Shipping may take anywhere between 2 to 3 business days 
depending on the destination. All documents you need for ownership, 
manuals and bill of sale will be provided along with the car. 

I am currently signed up with Google Wallet and I would like to close 
the deal through them. If you are not aware of Google Wallet you 
should know that it will allow you to test drive and inspect the car 
before paying me. In this way you're not buying something sight unseen. 

You will have a 5-day inspection period to decide whether you want to 
keep the car or not before they release the funds to me. If you decide 
not to keep it Google Wallet will refund you the money, no questions 
asked, and shipping back will be my concern. I think this is more than 
fair for both of us. If you want to buy it please email me back with:
- your full name and address - required by Google Wallet (you'll receive 
important guidelines + instructions from them.).

I want to point out that because I am going to Afghanistan this sale 
is my top priority and I am looking after a fast transaction, with no 
delays. That is why I decided to lower the price, to avoid wasting time 
with negotiations and find a buyer as soon as possible.

Thanks,
Sgt. Victor Morgan

When I let Sgt Victor know that this all sounds great, he then asked for my personal details so that he could arrange for Google Wallet to contact me.

I supplied these details and was quickly disappointed when he did not take the time to verify who I was. As I have mentioned before, verifying who I am does add a cost to carrying out a scam but it also adds a stumbling block to investigators (reducing the chance that he is busted).

4. Victim Sends Money

A day or so later I received an email from Google Wallet (info@googlewallet-transactions.com):

They asked me to go to MoneyGram and send a payment to the following Google Account Manager (the money mule in this transaction, probably another victim): Ashley Holman from 5541 Walnut St, Pittsburgh, Pennsylvania, 15232

Instead of asking for a smaller deposit, this scammer is asking for the full amount in two separate payments. I would think that this would set off some alarm bells here for potential victims. I’d wager this scammer would increase his profits by not being so greedy. Surely a potential victim would be more inclined to quickly send a deposit of $950 than two separate payments for larger amounts?

Regardless, what’s interesting about this scammer is what he did with the googlewallet-transactions.com domain; it 302 redirects to Google Wallet!


It’s so simple, but I’m guessing very effective! Instead of setting up a domain that looks similar to Google Wallet, he is sending people straight to Google Wallet.

“So if the domain emailing me says it’s from Google Wallet and visiting this domain in my Browser takes me to Google Wallet, then this must be Google Wallet, right?”

Not surprisingly, upon agreeing to pay this bozo, he asks us to tell MoneyGram that he is a relative (saving him unnecessary fees):

From: Victor Morgan (vicmorganjk@gmail.com)

Please do me a big favor, when you will send the money to Google Wallet,
if the MoneyGram clerk asks you what is the transfer for, if you can, 
please just tell them that you are sending the funds to a friend or 
relative, otherwise, I will be charged with some extra fees. This way I 
am trying to avoid some unwanted taxes, and I hope you understand me 
because I already pay shipping, handling and insurance. It will help me 
a lot. I understand if you can't do it.

Thanks,
Victor

What to score this fraudster?

At the end of the day this is an ordinary scam executed by an ordinary scammer. I liked the 302 redirect to Google Wallet but did not like the fact that he didn’t take two minutes to verify my details.

We’ve seen smarter scammers who put a little more effort into their scam by sampling their replies, not being too greedy on the money wired through and even setting up a little ticketing system behind the site that hijacked a popular brand.

In my opinion, this scammer has a long way to go. He scores a deplorable 3/10:

  • 1 point for a classic Bargain Hunter scam
  • 1 point for hijacking the Google brand
  • 1 point for the nifty 302 redirect straight to the official Google Wallet site

Take a look at the following Web site which belongs to a Hostgator affiliate: templatesresourcehosting.com. With an Alexa rank of 2,432,681, this site clearly offers no meaningful content, ergo they have no meaningful presence on the Web. So how is it that this site sets themselves up as a Hostgator affiliate, which may actually make some money for the owner (and Hostgator too)?

This site is Cookie-Stuffing. When ordinary users visit it, their browsers are tricked into clicking on affiliate links that belong to Hostgator. Needless to say, this all happens invisibly so the user is none the wiser. The net impact is that if the user in question now buys something from Hostgator (today, tomorrow or within some limited time period down the road) then the affiliate behind this Web site is paid a commission.

But that still doesn’t answer our question; after all, even if the site is Cookie-Stuffing, it is of such low quality that it could never attract serious traffic to Cookie-Stuff anyway. This is where the drivel that is the PPV market pops up its head and exclaims from the hills:

“We can bring you quality traffic, you just have to pay for it!”

And that’s precisely what this affiliate does. By registering himself on the PPV markets, he bids via a realtime auction for traffic that is of interest to him. The difference between PPV auctions and PPC auctions is that the latter plays the game within the confines of what it rightfully controls (PPC ads on Google or Bing or any of their properties) whereas the former plays the game using their own set of rules and on any property which is of interest to their advertisers.

So in this scenario, the affiliate is an advertiser in the PPV markets. Upon winning a bid, the software controlled by the PPV platform, which is installed on the user’s machine, pops up the URL that the affiliate has registered. In the example below, the affiliate bids on the keyword “hostgator”, which results in the following popup:


This packet trace captures the site and the invisible click (Hostgator affiliate ‘dvishnu‘ is the offender here). There is nothing special about the technique used by this fraudster: line 36 of their source (pointing to an image) 302 redirects through to the affiliate link.


How does this fraudster score?

A pathetic 3/10:

  • 1 point for Cookie-Stuffing
  • 1 point for working through PPV markets
  • 1 point for only redirecting when the right referrer is set

If he is so pathetic, then surely Hostgator knows about this affiliate?

Not likely, here’s why: the affiliate is still paying for this traffic on the PPV markets. If Hostgator was aware of what this affiliate was doing, then why would the affiliate still be paying to send PPV traffic through an affiliate id which has been disabled? Now a 3/10 fraudster is not the brightest bulb on the Christmas tree, but hopefully bright enough to know that money paid into a scam should be less than the amount of money earned from the scam.

Visit this edeals.com page and you’ll see nothing out of the ordinary: a couple of coupons for softsurroundings.com coupled with a variety of other deals (travel and otherwise).


Check out their page on Facebook (w/ 8,500+ likes):

Ranked in the top 50,000 US sites, all indications would have us believe that edeals.com is a legitimate site. Most affiliate managers considering onboarding edeals as a potential affiliate would surely think “this doesn’t look too bad” instead of “wow, this site is typosquatting!”

Now fire up your favourite Web debugging tool and revisit the same Edeals page but set your referer request header to “http://174.143.1.4/1/16”.

Shock and horror, for you are automatically redirected through to softsurroundings.com via a Commission Junction affiliate link! The CJ affiliate id used here is 1491825.

Obviously, this is a forced click, but what’s really going on here? When we load the edeals page without the referer header then we get a normal looking page, but when we load the same page with the special referer header then we are automatically routed through to a merchant’s page via an affiliate link. The former case is to address the scenario of an affiliate manager loading the site that claims to be responsible for the traffic he is seeing. The latter case is something special, something that edeals knows is going on but probably wants to hide from an inquisitive affiliate manager: typosquatting!

If you don’t have a Web debugger handy, you can reproduce the typosquatter scenario for yourself by visiting softsurrundings.com (a typosquatter variation of softsurroundings.com, note the omitted ‘o’). Having trouble reproducing? Here’s a handy packet trace of the behavior.

The packet trace breaks down into the following:

  1. User accidentally types in softsurrundings.com
  2. Browser 302 redirects to 174.143.1.4/1/16
  3. 174.143.1.4 is the demilitarized zone for the typosquatting adventures of edeals.com. It knows that any traffic that is sent to it is a result of typosquatting and must be cleaned and redirected to the appropriate merchant for monetization.
  4. So it returns a form which points to edeals.com/coupons/softsurroundings.com and then automatically clicks on this form via JavaScript. In doing so, a new referer header is introduced (174.143.1.4)
  5. Browser loads edeals.com/coupons/softsurroundings.com with 174.143.1.4 as the referrer. Edeals looks at the referer header and now knows that the traffic is coming from the demilitarized zone (typosquatter traffic), so it prepares another form pointing to an affiliate link which also clicks on itself via JavaScript (and introduces a new referer header!)
  6. Browser redirects through the affiliate link and on to softsurroundings.com, the merchant. edeals.com claims itself as the source of traffic and the affiliate manager is none the wiser that it actually came from typosquatting (so this is organic traffic that belonged to softsurroundings.com)

Needless to say, if any user lands up at softsurroundings.com as a result of this typosquatter site and then purchases anything, softsurroundings.com pays the typosquatter (edeals.com) a commission that they did not earn.
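The six steps above can be checked mechanically from a capture. The following is an added example, not part of the original post or its packet trace: it walks back from the affiliate click through every hop the browser made on its own (302s and self-submitting forms) and compares the last request the user actually started with the source the affiliate network sees in the referer. The trace is constructed from the steps listed above, and the click host `click.affiliate-network.example` is a placeholder because the page does not name it.

```python
import re
from urllib.parse import urlsplit

# Placeholder for the affiliate network's click host (not named on the page).
AFFILIATE_HOSTS = {"click.affiliate-network.example"}
CLICK = "http://click.affiliate-network.example/click-1491825"  # id from the page
COUPON = "http://www.edeals.com/coupons/softsurroundings.com"

def auto_form(action):
    """Constructed HTML: a form that submits itself as soon as it loads."""
    return ('<form id="f" method="get" action="%s"></form>'
            '<script>document.getElementById("f").submit()</script>' % action)

# Constructed trace modelled on the six steps above (not the original capture).
TRACE = [
    {"url": "http://softsurrundings.com/", "referer": None, "status": 302,
     "location": "http://174.143.1.4/1/16", "body": ""},
    {"url": "http://174.143.1.4/1/16", "referer": None, "status": 200,
     "body": auto_form(COUPON)},
    {"url": COUPON, "referer": "http://174.143.1.4/1/16", "status": 200,
     "body": auto_form(CLICK)},
    {"url": CLICK, "referer": COUPON, "status": 302,
     "location": "http://www.softsurroundings.com/", "body": ""},
    {"url": "http://www.softsurroundings.com/", "referer": COUPON,
     "status": 200, "body": "<html>merchant home page</html>"},
]

# Constructed control: the user reads the coupon page and clicks the link.
HONEST = [
    {"url": COUPON, "referer": None, "status": 200,
     "body": '<a href="%s">Get deal</a>' % CLICK},
    {"url": CLICK, "referer": COUPON, "status": 302,
     "location": "http://www.softsurroundings.com/", "body": ""},
]

FORM_ACTION = re.compile(r'<form[^>]*\baction=["\']([^"\']+)["\']', re.I)
AUTO_SUBMIT = re.compile(r'\.submit\s*\(', re.I)

def host(url):
    h = (urlsplit(url).hostname or "").lower()
    return h[4:] if h.startswith("www.") else h

def automatic_target(rec):
    """Where this response sends the browser with no user action, if anywhere."""
    if rec["status"] in (301, 302, 303, 307, 308) and rec.get("location"):
        return rec["location"], "302 redirect"
    body = rec.get("body", "")
    form = FORM_ACTION.search(body)
    if form and AUTO_SUBMIT.search(body):
        return form.group(1), "auto-submitted form"
    return None

def edit_distance(a, b):
    """Levenshtein distance, used to spot a typo of the merchant's domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def analyse(trace, merchant):
    click = next((r for r in trace if host(r["url"]) in AFFILIATE_HOSTS), None)
    if click is None:
        return None
    led_to = {}  # target URL -> (URL that sent the browser there, mechanism)
    for rec in trace:
        hop = automatic_target(rec)
        if hop:
            led_to.setdefault(hop[0], (rec["url"], hop[1]))
    hops, url = [], click["url"]
    while url in led_to and len(hops) < len(trace):  # bound guards against loops
        url, how = led_to[url]
        hops.insert(0, (url, how))
    claimed = host(click["referer"]) if click.get("referer") else None
    origin = host(hops[0][0]) if hops else claimed
    return {
        "forced_click": bool(hops),      # click reached without a user gesture
        "claimed_source": claimed,       # what the affiliate network sees
        "true_origin": origin,           # last request the user started
        "laundered": origin != claimed,
        "typosquat": 0 < edit_distance(origin or "", merchant) <= 2,
        "mechanisms": [how for _, how in hops],
    }
```

On the constructed trace the click is reported as forced, claimed by edeals.com, and originating from a one-character typo of the merchant's own domain; the control trace, where the user clicks the link, raises none of the three flags.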

Now take a look at http://www.edeals.com/all-stores. Note the number of merchants that edeals has a relationship with. Here are a few that they also have a typosquatter relationship with:

  • bluehost.com
  • bluefly.com
  • metrostyle.com
  • northerntool.com
  • statelinetack.com
  • sportsmansguide.com

What to score this typosquatter?

  • 1 point for typosquatting
  • 1 point for laundering the traffic through a DMZ
  • 1 point for not always hitting the same IP twice
  • 1 point for a sharp looking site and Facebook page

4/10: F


Potential for improvement:

  • Sample the traffic. It’s easy to reproduce the first time round because the typosquatter targets 100% of the traffic coming through to it. By sampling (only targeting a small percentage of visitors) he would reduce the number of people that are redirected through to the merchant (reducing his profit, but also reducing the likelihood of getting caught)

We look at another Bargain Hunter scammer today. I rate this chap higher than last week’s Bargain Hunter scammer because, as you’re about to see, today’s scammer puts a lot more effort into what he does.

So here we go, the Bargain Hunter scam is a four pronged attack which starts at cars.com

1. Scammer Sets the Trap

This ad on cars.com is for a 1998 BMW 323.

* 3/12/2013 update - this scammer has multiple postings on cars.com, here is another *

* 3/20/2013 update - listing from 3/12/2013 update is still active (1993 Mazda Miata MX-5), but seller is now using Devin Briese (devinbriese1@gmail.com) *

* 3/27/2013 update - here’s another listing on cars.com, seller is now using Ray Miller (ray.miller69@comcast.net) *


At $5,100 it’s a pretty sweet deal, but it just gets better the more you chat to the gent behind the sale.

2. Victim Takes the Bait

+1 to this scammer from the get go because from what I can tell he is sampling his replies, i.e., he only replies to 1/N requests for more information. Through sampling, he is significantly increasing the cost of an investigation and so mitigating the chance of getting caught.

After numerous attempts to make contact, I finally got a hit:

From: Adam Wigner (wigneradam@msn.com)
Subject: Cars.com used car lead for - 1998 BMW 323

Hi , 
My name is Adam, and I am emailing you about the 1998 BMW 323i 
Convertible that I have for sale. Here you have more information 
about my car (119,650 mileage , clean title , 6 Cyl. RWD , 
4-wheel ABS , automatic transmission ) Black exterior with an 
excellent condition tan leather interior that is fully loaded 
with options. Flawless interior/exterior condition. I am 
selling it at this final price of $5,100 because my wife died 
in a bike accident few months ago and brings me bad memories 
and that's the reason I want to sell it asap. I along with my
daughter decided to sell the house and we moved to my sister 
in Oklahoma City , OK trying to start a new life.

Thank you

The highlighted line about moving is important. It sets the tone for what is about to come, i.e., the car is no longer in the location it was originally claimed to be (so I can’t see it in person).

3. Scammer Gains Victim’s Trust

I asked the scammer for more pics:

From: 
Subject: Cars.com used car lead for - 1998 BMW 323

Forgive my impatience, I did not know the car had such
unfortunate memories for you. Regardless, when you can
could you please send me more pictures? It's hard to
know how good the condition is based upon a single pic.

You surely have a much better life waiting for you in sunny
Oklahoma. Once again, my deepest condolences for your loss,
ultimately it's still a great car so I hope we can make this a good deal on both sides.

The scammer replies with more pics and tells me again that the car is no longer with him, but that’s okay because it is now with Amazon!

From: Adam Wigner (wigneradam@msn.com)
Subject: Cars.com used car lead for - 1998 BMW 323

Hi ,

Please find the pics attached ! As I told you in my first
 e-mail we decided to move to my sister, trying to start 
a new life here. I am located in Oklahoma City (the car 
is in Oklahoma City too). Before leaving I had prearranged
the deal with Amazon Payments. The car is now located at 
Amazon's shipping company sealed with all papers, ready to
be delivered. The deal includes free delivery and it will 
arrive at your address in 3 days along title and bill of 
sale. You will have 5 days to test it and inspect the car 
and if by any reason you find something you don't like 
about it you can send it back at my expense.

If you are interested in knowing more info about how it 
works please click here on Amazon Payments and register, 
once you do that, Amazon Payments will send you the 
invoice with all the payment and shipping details you 
will also have proof that I am covered by them and a 
legitimate seller.

Thank you

 


Free delivery of a car at that price, now that’s a deal for sure!

The Amazon Payments URL points to http://www.billing-support.com/, which is the real prize in this investigation. It allows us to get an idea of what else this fraudster is up to. From the Services tab:


* 3/20/2013 update – scammer is now using amazon-payments-secure-business.com *

I loved this from the Top Questions section:


Just to be clear: billing-support.com is a scam! Amazon does not provide escrow services of this nature and is in no way affiliated with billing-support.com.

4. Victim Sends Money

I followed the scammer’s instructions and registered with billing-support.com. Shortly thereafter I received the following email claiming to be from Amazon Payments:

From: Amazon Payments (admin@marketplace-safety-transactions.com)
Subject: Amazon FPS Invoice

Thanks for using Amazon FPS for this order,   !
The next step is to pay for your item. Check out and pay to get your 
item as soon as possible.

Purchasing Information For Your Secure Amazon FPS Invoice
Seller: Adam Wigner

Buyer: 

Order Summary

Item:                   1998 BMW 323
Item(s) Subtotal:       $5,100.00 
Deposit:                $2,100.00 
Remaining Balance: 	$3,000.00 
Shipping & Handling: 	$0.00
Inspection Period: 	5 calendar days
Amazon Fee paid by: 	Seller
Quantity: 	        1

 	------

Total for this Order: 	$5,100.00

Payment Instructions:

How to make the payment? 

The first deposit of $2,100.00 must be submitted via MoneyGram 
service to the Amazon FPS Verified Agent in charge of your 
transaction. The Amazon FPS Verified Agent will secure the 
payment until you receive, inspect and accept the vehicle. You 
have to pay at any MoneyGram office with CASH using MONEY 
TRANSFER service, from your name and address as a Sender to 
our Amazon FPS Verified Agent name and address as a Receiver .

Find the nearest MoneyGram office in your area. MoneyGram 
agents are post offices, exchange offices or retail locations 
- grocery stores, mail box centers, drug stores, travel 
agencies, depots, other retail locations . Give the form, the 
money(cash), and a proof of identity to the clerk. Pay with 
MoneyGram. It's the easy and fast way to pay online, and it 
lets you shop without sharing your financial details with 
sellers. 

Please note: This is done automatically by our system, choosing 
from the list of available agents, in order to ensure the 
impartiality of this deal.

Amazon FPS Verified Agent

 First Name :	Jonathan E.
 Last Name : 	Griffin
 Address : 	4827 Noble Dr E
 City : 	Mobile
 State: 	AL
 Zip Code : 	36619-1907
 Country:	United States 

Confirm the MoneyGram payment receipt at the following fax number: 
+1 ( 719 ) 362-3997. 

*** Please do not make any marks on the transfer copy. The following 
information must be readable ***

- E-mail us the following details from the payment receipt: 
- Reference Number - 8 digits number from the receipt ; 
- Sender's Name and Address ; 
- Receiver's Name and Address ; 
- Exact Amount Sent . 

Please note: This invoice was sent to the following e-mail address: 
Have questions about this order? Contact Amazon FPS .  
Thank you for using Amazon Payments.
Amazon Flexible Payments Service (Amazon FPS). 
Earth's Biggest Selection.


If you’re new to the Bargain Hunter scam, the fraud here is that our seller does not actually own the car, or at least has no intention of selling it. He wants me to wire money to Jonathan E Griffin in Mobile, AL. The chances are that Jonathan is but a money mule who has been conned into some other scam and is now expecting money to be sent to him. Once I send the money off, I won’t be receiving anything from Amazon Payments, for this is all just an illusion.

When Jonathan E Griffin gets my money, he may keep a small percentage for himself (perhaps as payment for being a Mystery Shopper) and then sends the balance off to another victim (or quite possibly the scammer).

The scammer launders the money through multiple victims so as to introduce complexity and cost, and ultimately to throw law enforcement and investigators off his tail. Sooner or later the money will exit the money mule ring and make its way to the scammer; if you follow the trail for long enough it always does.

Note that the email from Amazon Payments came from marketplace-safety-transactions.com and not the domain that I originally registered with. As a result, marketplace-safety-transactions.com is also in on the scam. If you’re considering any kind of transaction with anyone from this domain, caveat emptor, for you have been warned!

What to score this scammer?

I think it’s only fair to recognize the effort this scammer put into his scam. Note the Vehicle Report I received from Amazon Payments along with the invoice:


Sure it’s all just text and it’s cheap and it does not mean anything, but it does show that he put effort into being the best scammer he could be (which is not that much, but still a noteworthy effort). Most of the bozos I deal with try to quickly pull this off all via one or two emails sent from their gmail accounts. Furthermore, he sent me a unique tracking id when I registered (referred to as a Case Id #), which means he is persisting state on his servers. So he has a little DB running behind this which means he had to develop it himself or invest time and money paying someone who could put this together for him.

At the end of the day, I rate this scammer 5/10

  • 1 point for a classic Bargain Hunter scam
  • 1 point for sampling the emails he responded to
  • 1 point for involving Amazon Payments and leveraging off of a great brand
  • 1 point for registering a sharp looking domain that looks pretty similar to Amazon Payments
  • 1 point for the tracking code

Today we introduce the Bargain Hunter scam. This scam relies mostly on victims thinking that they are getting an incredible deal for something that they found online, usually on a fairly popular site. Sometimes these scams are so well executed that one can easily be swayed away from the old saying that “if it’s too good to be true then it’s too good to be true”.

Unlike the Mystery Shopper / Work From Home scams, where fraudsters are spamming en masse in the hope of stumbling upon some poor soul eager to make a quick buck, the Bargain Hunter scammer carefully sets his trap and then patiently waits for the victim to come to him (under the pretense that there’s a good deal to be had on both sides). In my opinion, Bargain Hunter scamming is the next step up from Mystery Shopper scamming, the latter being the absolute bottom of the barrel.

Much like the previous scams we have discussed, the Bargain Hunter scam is a four pronged attack:

  1. Scammer Sets the Trap: the scammer sets up a post/ad on a popular online trading platform. The item for sale simply does not exist or is not his/hers to sell. Regardless, the post is set up in a way that makes it look like the buyer is going to get a good deal. A great example of this (as we will see further below) is when the scammer sells a car for far below its market value
  2. Victim Takes the Bait: a victim is lured into the spider’s web when he first follows up on an ad. The interesting thing about the Bargain Hunter scam is that the scammers usually do not appear too eager to sell. They act as though they are about to give someone a really good deal, so it’s not within their interest to appear desperate. I believe the scammers behave this way because at the end of the day they make so much money from these types of scams that they can really take their time and be careful with whom they interact. They know that investigators are out there trying to get to the bottom of things, so they do what they can to avoid being busted
  3. Scammer Gains Victim’s Trust: in this scam trust comes in a number of flavors. From my experience the scammer will always offer more information on the item that is being sold. This is information that was not made available in the original ad. So in the case of cars they will offer more pictures, sometimes even offering to send printouts of Carfax reports as well. The coup de grâce is when the scammer introduces a third party, most likely this is one which has already earned the trust of the victim. This third party is an essential component to the scam because it will facilitate the fourth and final phase
  4. Victim Sends Money: the victim thinks that his or her money is being sent to a trusted third party when in fact nothing could be further from the truth. What’s really happening is that the victim is sending money to yet another victim (typically referred to as a money mule) who a) has no idea that it’s all fraud and b) has clear instructions to forward the money on to someone else

Let’s take a closer look at this scam in the wild.

1. Scammer Sets the Trap

This Cars.com classified ad offers a 2002 Toyota Prius at a very good price.

* 3/12/2013 update – this particular scammer has multiple ads on cars.com, here is another *

* 3/18/2013 update - and another *

* 4/4/2013 update - and another, scammer is now using Tina Williams (tinalens434@gmail.com) *

* 4/8/2013 update – and another using Boyce Joly (boycetss078@hotmail.com) *


2. Victim Takes the Bait

So far this just looks like a good deal, nothing else to write home about. However, the deal sweetens upon contacting the seller, for she promises to deliver the car from Oregon to Los Angeles as part of the sale price.

From: Debra J Thorn <debra.j.thorn@gmail.com> 
Subject: Re: Cars.com used car lead for Fenem P. - 2002 Toyota Prius

Hi,

I still have my 2002 Toyota Prius Hybrid Gas/Electric. I will take
only $3600 total price shipping included from Medford OR,i have my
own trailer to have the car delivered to you.It has a clear title 
ready to be signed and notarized on your name.I can offer you 7 
days inspection.

Runs great,never been wrecked,no accidents,garage kept only.Used 
160k miles,VIN# JT2BK12U620039213

More pics attached here:

http://s1281.beta.photobucket.com/user/prislady/library/

Thanks

Now that’s what I call a great deal, too good to be true for sure! Note the addition of pictures that were not available in the original ad.

I asked Debra to confirm that there were no shipping charges; I then asked about payment. Enter phase three of the scam.

3. Scammer Gains Victim’s Trust

From: Debra J Thorn <debra.j.thorn@gmail.com> 
Subject: Re: Cars.com used car lead for Fenem P. - 2002 Toyota Prius

All that you have to pay in the end is $3600. I have a contract with 
Amazon Payments so we can go through their Protection Program and 
you can pay with your credit card online or with cash. 

According with  the Amazon you have 7 days after you receive the car
to inspect it and decide if you want to BUY IT or NOT.

Here is how it will work:

1.First of all I will need  the following details from you:
- Full Name
- Full Address

2. After I will receive the details from you, I will forward them to 
Amazon.

3. After they will process your info, they will send us both invoices. 
You will receive the invoice with the details on how to make a 
refundable payment to Amazon.They will hold your payment while you 
test and inspect the vehicle at your home for a week.

4. Amazon will contact me to ship the car to you. After you receive 
the car you will have 7 days to test, verify and do whatever you need
to the car.  If you will decide to buy the car, then I will get 
the money from Amazon.

5. If you will decide that you do not buy the car,  Amazon will 
refund your payment same day.

I look forward to hearing from you . 

Thank you

Obviously, the scammer is using Amazon’s brand as a way to earn your trust. You already trust Amazon, and Amazon supposedly has a contract with this bozo, so you can deal with this bozo. Right?

Wouldn’t it be nice if Amazon did provide escrow services of this nature? Looking at Amazon Payments’ Terms and Conditions, they clearly do not:

11.6 No Agency. Nothing in this Agreement is intended to or creates any type of joint venture, employee-employer, creditor-debtor, escrow, partnership, or any fiduciary relationship between you, us or our Affiliates. Further, except as expressly provided for the limited purpose of processing payments in accordance with the Specific Terms for Business Accounts and Seller Accounts: (a) neither party shall be deemed to be an agent or representative of the other by virtue of this Agreement, (b) neither party is authorized to, or will attempt to, create or assume any obligation or liability, express or implied, in the name of or otherwise on behalf of the other party, and (c) without limiting the generality of the foregoing, neither party will enter into any contract, agreement, or other commitment, make any warranty or guaranty, or incur any obligation or liability in the name or otherwise on behalf of the other party.

Of course, we don’t stop our investigation here. I sent the scammer my details. A few hours later I received an email from someone at amazonfps.com, claiming to be Amazon Payments:


The reply-to field of this email was set to “Amazon FPS <a.fps@email.com>”. Shortly after receiving the T&C’s I received an invoice from the same group:


Note that they are asking me to wire money to an individual (Joy Rosado) that is supposedly an Amazon FPS Verified Agent. This is absolute rubbish. Joy Rosado is not a verified agent just because they told me so in an email. He is most likely another victim in this scam.
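The sender details quoted in these write-ups (a brand in the display name, a look-alike sending domain, a Reply-To at an unrelated mailbox provider) are enough to flag the messages from headers alone, without ever visiting the domain, so a 302 to the real brand site like the googlewallet-transactions.com one changes nothing. The following is an added example, not from the original posts: the headers are constructed around the addresses quoted on this page, `sender@amazonfps.com`, the control message and two of the subject lines are made up, and the `BRAND_DOMAINS` table is an assumption.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumption for this example: the domains each brand really sends mail from.
BRAND_DOMAINS = {"amazon": {"amazon.com"}, "google": {"google.com"}}

# Constructed headers built from the addresses quoted in the posts.
SAMPLES = {
    "google_wallet": (
        "From: Google Wallet <info@googlewallet-transactions.com>\n"
        "Subject: Payment instructions\n\nbody\n"),
    "amazon_invoice": (
        "From: Amazon Payments <admin@marketplace-safety-transactions.com>\n"
        "Subject: Amazon FPS Invoice\n\nbody\n"),
    "amazon_fps": (
        "From: Amazon Payments <sender@amazonfps.com>\n"
        "Reply-To: Amazon FPS <a.fps@email.com>\n"
        "Subject: Terms and Conditions\n\nbody\n"),
    "control": (
        "From: Amazon Payments <no-reply@amazon.com>\n"
        "Subject: Your receipt\n\nbody\n"),
}

def domain_of(header_value):
    """Return (display name, lower-cased domain) from a From/Reply-To header."""
    name, addr = parseaddr(header_value or "")
    return name, addr.rpartition("@")[2].lower()

def owned_by(domain, owned):
    """True only for an owned domain or a subdomain of one.

    A bare endswith("amazon.com") would also accept "evil-amazon.com".
    """
    return any(domain == o or domain.endswith("." + o) for o in owned)

def check_message(raw):
    """Return the set of findings for one raw message (headers are enough)."""
    msg = message_from_string(raw)
    name, sender = domain_of(msg["From"])
    findings = set()
    # Every place the sender can name a brand: display name, domain, subject.
    claimed = " ".join([name, sender, msg["Subject"] or ""]).lower()
    for brand, owned in BRAND_DOMAINS.items():
        if brand in claimed and not owned_by(sender, owned):
            findings.add("claims-%s-from-%s" % (brand, sender))
    if msg["Reply-To"]:
        _, reply = domain_of(msg["Reply-To"])
        if reply and reply != sender:
            findings.add("reply-to-differs:%s" % reply)
    return findings
```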

4. Victim Sends Money

Needless to say, I did not send any money the scammer’s way. Of interest is that Debra sent me an email reminding me to check my Junk Mail folder, just in case I did not get the Amazon invoice. I wrote back and confirmed that it was there and that I would send the money chop-chop.

For me, the following reply shows just how greedy these buggers really are:

From: Debra J Thorn <debra.j.thorn@gmail.com> 
Subject: Re: Cars.com used car lead for Fenem P. - 2002 Toyota Prius
Oh Okay.Please let me know when you will be able to send the deposit to 
Amazon so i can prepare the car for the shipping.

  Oh..and i want to ask you for a favour,when you go to complete the 
transaction please inform the Western Union agent that you are sending 
the money to a relative or a friend(if they ask) because in the end 
they will charge me 10% for doing commerce and since i handle the 
shipping it will be a nice thing for you to do, it will help me a lot.

Regards

How to score this scammer?

I give this scammer a 4/10

  • 1 point for a classic Bargain Hunter scam
  • 1 point for providing a VIN and additional pictures
  • 1 point for not taking the bait in my previous attempts to make contact. In an earlier exchange Debra even said I could fly down to take a look at the car!
  • 1 point for involving Amazon Payments. Amazon has a great brand, so it just makes sense to include someone that has already earned my trust

As always, lots of room for improvement. I believe this scammer should have put in a little extra effort by attempting to verify my details with a quick phone call. It adds cost to the investigation and so mitigates his risk of being busted. Well that and the human touch when my money is being stolen always does it for me.

* 4/11/2013 update *

The 1991 Toyota MR2 post on cars.com that was highlighted on 4/8/2013 is still going strong. It’s just a matter of time until this guy catches yet another victim.


Since then I have upgraded this scammer to a 5.5/10:

  • 1 point for implementing phone verification. If you receive a call from 229-299-5936 then put your guard up. On a side note, I thought his call to me was quite funny. The email he was using to chat to me was supposedly from a woman, but the verification call I received was from a man with a thick eastern European accent. I asked what happened to the jovial American woman that I was dealing with. He told me it was his mother. When I asked where she was he replied that she was unavailable because of an emergency tracheotomy operation that she underwent a few hours ago. Chortle.
  • 1/2 a point for including eBay into the brands that he mimics. Upon verification by phone, he arranged for separate emails from support@safe-payments-online.com to come through to me. I was supposed to send money via MoneyGram and then follow up by faxing a copy of the receipt to 408 641 4641 (or calling 316 252 1332)
