We look at another Bargain Hunter scammer today. I rate this chap higher than last week’s Bargain Hunter scammer because, as you’re about to see, today’s scammer puts a lot more effort into what he does.

So here we go: the Bargain Hunter scam is a four-pronged attack which starts at cars.com.

1. Scammer Sets the Trap

This ad on cars.com is for a 1998 BMW 323.

* 3/12/2013 update - this scammer has multiple postings on cars.com, here is another *

* 3/20/2013 update - listing from 3/12/2013 update is still active (1993 Mazda Miata MX-5), but seller is now using Devin Briese (devinbriese1@gmail.com) *

* 3/27/2013 update - here’s another listing on cars.com, seller is now using Ray Miller (ray.miller69@comcast.net) *

At $5,100 it’s a pretty sweet deal, but it just gets better the more you chat to the gent behind the sale.

2. Victim Takes the Bait

+1 to this scammer from the get go because from what I can tell he is sampling his replies, i.e., he only replies to 1/N requests for more information. Through sampling, he is significantly increasing the cost of an investigation and so mitigating the chance of getting caught.

After numerous attempts to make contact, I finally got a hit:

From: Adam Wigner (wigneradam@msn.com)
Subject: Cars.com used car lead for - 1998 BMW 323

Hi , 
My name is Adam, and I am emailing you about the 1998 BMW 323i 
Convertible that I have for sale. Here you have more information 
about my car (119,650 mileage , clean title , 6 Cyl. RWD , 
4-wheel ABS , automatic transmission ) Black exterior with an 
excellent condition tan leather interior that is fully loaded 
with options. Flawless interior/exterior condition. I am 
selling it at this final price of $5,100 because my wife died 
in a bike accident few months ago and brings me bad memories 
and that's the reason I want to sell it asap. I along with my
daughter decided to sell the house and we moved to my sister 
in Oklahoma City , OK trying to start a new life.

Thank you

The highlighted line about moving is important. It sets the tone for what is about to come, i.e., the car is no longer in the location it was originally claimed to be (so I can’t see it in person).

3. Scammer Gains Victim’s Trust

I asked the scammer for more pics:

From: 
Subject: Cars.com used car lead for - 1998 BMW 323

Forgive my impatience, I did not know the car had such
unfortunate memories for you. Regardless, when you can
could you please send me more pictures? It's hard to
know how good the condition is based upon a single pic.

You surely have a much better life waiting for you in sunny
oklahama. Once again, my deepest condolences for your loss,
ultimately it's still a great car so I hope we can make this a good deal on both sides.

The scammer replies with more pics and tells me again that the car is no longer with him, but that’s okay because it is now with Amazon!

From: Adam Wigner (wigneradam@msn.com)
Subject: Cars.com used car lead for - 1998 BMW 323

Hi ,

Please find the pics attached ! As I told you in my first
 e-mail we decided to move to my sister, trying to start 
a new life here. I am located in Oklahoma City (the car 
is in Oklahoma City too). Before leaving I had prearranged
the deal with Amazon Payments. The car is now located at 
Amazon's shipping company sealed with all papers, ready to
be delivered. The deal includes free delivery and it will 
arrive at your address in 3 days along title and bill of 
sale. You will have 5 days to test it and inspect the car 
and if by any reason you find something you don't like 
about it you can send it back at my expense.

If you are interested in knowing more info about how it 
works please click here on Amazon Payments and register, 
once you do that, Amazon Payments will send you the 
invoice with all the payment and shipping details you 
will also have proof that I am covered by them and a 
legitimate seller.

Thank you

 

Free delivery of a car at that price, now that’s a deal for sure!

The Amazon Payments URL points to http://www.billing-support.com/, which is the real prize in this investigation. It allows us to get an idea of what else this fraudster is up to. From the Services tab:

[Screenshots: the Services tab of billing-support.com]

* 3/20/2013 update – scammer is now using amazon-payments-secure-business.com *

I loved this from the Top Questions section:

[Screenshot: the Top Questions section of billing-support.com]

Just to be clear: billing-support.com is a scam! Amazon does not provide escrow services of this nature and is in no way affiliated with billing-support.com.

4. Victim Sends Money

I followed the scammer’s instructions and registered with billing-support.com. Shortly thereafter I received the following email claiming to be from Amazon Payments:

From: Amazon Payments (admin@marketplace-safety-transactions.com)
Subject: Amazon FPS Invoice

Thanks for using Amazon FPS for this order,   !
The next step is to pay for your item. Check out and pay to get your 
item as soon as possible.

Purchasing Information For Your Secure Amazon FPS Invoice
Seller: Adam Wigner

Buyer: 

Order Summary

Item:                   1998 BMW 323
Item(s) Subtotal:       $5,100.00 
Deposit:                $2,100.00 
Remaining Balance: 	$3,000.00 
Shipping & Handling: 	$0.00
Inspection Period: 	5 calendar days
Amazon Fee paid by: 	Seller
Quantity: 	        1

 	------

Total for this Order: 	$5,100.00

Payment Instructions:

How to make the payment? 

The first deposit of $2,100.00 must be submitted via MoneyGram 
service to the Amazon FPS Verified Agent in charge of your 
transaction. The Amazon FPS Verified Agent will secure the 
payment until you receive, inspect and accept the vehicle. You 
have to pay at any MoneyGram office with CASH using MONEY 
TRANSFER service, from your name and address as a Sender to 
our Amazon FPS Verified Agent name and address as a Receiver .

Find the nearest MoneyGram office in your area. MoneyGram 
agents are post offices, exchange offices or retail locations 
- grocery stores, mail box centers, drug stores, travel 
agencies, depots, other retail locations . Give the form, the 
money(cash), and a proof of identity to the clerk. Pay with 
MoneyGram. It's the easy and fast way to pay online, and it 
lets you shop without sharing your financial details with 
sellers. 

Please note: This is done automatically by our system, choosing 
from the list of available agents, in order to ensure the 
impartiality of this deal.

Amazon FPS Verified Agent

 First Name :	Jonathan E.
 Last Name : 	Griffin
 Address : 	4827 Noble Dr E
 City : 	Mobile
 State: 	AL
 Zip Code : 	36619-1907
 Country:	United States 

Confirm the MoneyGram payment receipt at the following fax number: 
+1 ( 719 ) 362-3997. 

*** Please do not make any marks on the transfer copy. The following 
information must be readable ***

- E-mail us the following details from the payment receipt: 
- Reference Number - 8 digits number from the receipt ; 
- Sender's Name and Address ; 
- Receiver's Name and Address ; 
- Exact Amount Sent . 

Please note: This invoice was sent to the following e-mail address: 
Have questions about this order? Contact Amazon FPS .  
Thank you for using Amazon Payments.
Amazon Flexible Payments Service (Amazon FPS). 
Earth's Biggest Selection.

If you’re new to the Bargain Hunter scam, the fraud here is that our seller does not actually own the car, or at least has no intention of selling it. He wants me to wire money to Jonathan E Griffin in Mobile, AL. The chances are that Jonathan is but a money mule who has been conned into some other scam and is now expecting money to be sent to him. Once I send the money off, I won’t be receiving anything from Amazon Payments, for this is all just an illusion.

When Jonathan E Griffin gets my money, he may keep a small percentage for himself (perhaps as payment for being a Mystery Shopper) and then sends the balance off to another victim (or quite possibly the scammer).

The scammer launders the money through multiple victims so as to introduce complexity and cost, and ultimately to throw law enforcement and investigators off his tail. Sooner or later the money will exit the money mule ring and make its way to the scammer; if you follow the trail for long enough, it always does.

Note that the email from Amazon Payments came from marketplace-safety-transactions.com and not the domain that I originally registered with. As a result, marketplace-safety-transactions.com is also in on the scam. If you’re considering any kind of transaction with anyone from this domain, caveat emptor, for you have been warned!

What to score this scammer?

I think it’s only fair to recognize the effort this scammer put into his scam. Note the Vehicle Report I received from Amazon Payments along with the invoice:

[Image: the Vehicle Report]

Sure it’s all just text and it’s cheap and it does not mean anything, but it does show that he put effort into being the best scammer he could be (which is not that much, but still a noteworthy effort). Most of the bozos I deal with try to quickly pull this off all via one or two emails sent from their gmail accounts. Furthermore, he sent me a unique tracking id when I registered (referred to as a Case Id #), which means he is persisting state on his servers. So he has a little DB running behind this which means he had to develop it himself or invest time and money paying someone who could put this together for him.

At the end of the day, I rate this scammer 5/10

  • 1 point for a classic Bargain Hunter scam
  • 1 point for sampling the emails he responded to
  • 1 point for involving Amazon Payments and leveraging off of a great brand
  • 1 point for registering a sharp looking domain that looks pretty similar to Amazon Payments
  • 1 point for the tracking code

Today we introduce the Bargain Hunter scam. This scam relies mostly on victims thinking that they are getting an incredible deal for something that they found online, usually on a fairly popular site. Sometimes these scams are so well executed that one can easily be swayed away from the old saying that “if it’s too good to be true then it’s too good to be true”.

Unlike the Mystery Shopper / Work From Home scams, where fraudsters are spamming en masse in the hope of stumbling upon some poor soul eager to make a quick buck, the Bargain Hunter scammer carefully sets his trap and then patiently waits for the victim to come to him (under the pretense that there’s a good deal to be had on both sides). In my opinion, Bargain Hunter scamming is the next step up from Mystery Shopper scamming, the latter being the absolute bottom of the barrel.

Much like the previous scams we have discussed, the Bargain Hunter scam is a four pronged attack:

  1. Scammer Sets the Trap: the scammer sets up a post/ad on a popular online trading platform. The item for sale simply does not exist or is not his/hers to sell. Regardless, the post is set up in a way that makes it look like the buyer is going to get a good deal. A great example of this (as we will see further below) is when the scammer sells a car for far below its market value
  2. Victim Takes the Bait: a victim is lured into the spider’s web when he first follows up on an ad. The interesting thing about the Bargain Hunter scam is that the scammers usually do not appear too eager to sell. They act as though they are about to give someone a really good deal, so it’s not within their interest to appear desperate. I believe the scammers behave this way because at the end of the day they make so much money from these types of scams that they can really take their time and be careful with whom they interact. They know that investigators are out there trying to get to the bottom of things, so they do what they can to avoid being busted
  3. Scammer Gains Victim’s Trust: in this scam trust comes in a number of flavors. From my experience the scammer will always offer more information on the item that is being sold. This is information that was not made available in the original ad. So in the case of cars they will offer more pictures, sometimes even offering to send printouts of Carfax reports as well. The coup de grâce is when the scammer introduces a third party, most likely this is one which has already earned the trust of the victim. This third party is an essential component to the scam because it will facilitate the fourth and final phase
  4. Victim Sends Money: the victim thinks that his or her money is being sent to a trusted third party when in fact nothing could be further from the truth. What’s really happening is that the victim is sending money to yet another victim (typically referred to as a money mule) who a) has no idea that it’s all fraud and b) has clear instructions to forward the money on to someone else

Let’s take a closer look at this scam in the wild.

1. Scammer Sets the Trap

This Cars.com classified ad offers a 2002 Toyota Prius at a very good price.

* 3/12/2013 update – this particular scammer has multiple ads on cars.com, here is another *

* 3/18/2013 update - and another *

* 4/4/2013 update - and another, scammer is now using Tina Williams (tinalens434@gmail.com) *

* 4/8/2013 update – and another using Boyce Joly (boycetss078@hotmail.com) *

2. Victim Takes the Bait

So far this just looks like a good deal, nothing else to write home about. However, the deal sweetens upon contacting the seller, for she promises to deliver the car from Oregon to Los Angeles as part of the sale price.

From: Debra J Thorn <debra.j.thorn@gmail.com> 
Subject: Re: Cars.com used car lead for Fenem P. - 2002 Toyota Prius

Hi,

I still have my 2002 Toyota Prius Hybrid Gas/Electric. I will take
only $3600 total price shipping included from Medford OR,i have my
own trailer to have the car delivered to you.It has a clear title 
ready to be signed and notarized on your name.I can offer you 7 
days inspection.

Runs great,never been wrecked,no accidents,garage kept only.Used 
160k miles,VIN# JT2BK12U620039213

More pics attached here:

http://s1281.beta.photobucket.com/user/prislady/library/

Thanks

Now that’s what I call a great deal, too good to be true for sure! Note the addition of pictures that were not available in the original ad.

I asked Debra to confirm that there were no shipping charges, and then asked about payment. Enter phase three of the scam.

3. Scammer Gains Victim’s Trust

From: Debra J Thorn <debra.j.thorn@gmail.com> 
Subject: Re: Cars.com used car lead for Fenem P. - 2002 Toyota Prius

All that you have to pay in the end is $3600. I have a contract with 
Amazon Payments so we can go through their Protection Program and 
you can pay with your credit card online or with cash. 

According with  the Amazon you have 7 days after you receive the car
to inspect it and decide if you want to BUY IT or NOT.

Here is how it will work:

1.First of all I will need  the following details from you:
- Full Name
- Full Address

2. After I will receive the details from you, I will forward them to 
Amazon.

3. After they will process your info, they will send us both invoices. 
You will receive the invoice with the details on how to make a 
refundable payment to Amazon.They will hold your payment while you 
test and inspect the vehicle at your home for a week.

4. Amazon will contact me to ship the car to you. After you receive 
the car you will have 7 days to test, verify and do whatever you need
to the car.  If you will decide to buy the car, then I will get 
the money from Amazon.

5. If you will decide that you do not buy the car,  Amazon will 
refund your payment same day.

I look forward to hearing from you . 

Thank you

Obviously, the scammer is using Amazon’s brand as a way to earn your trust. You already trust Amazon, and Amazon supposedly has a contract with this bozo, so you can deal with this bozo. Right?

Wouldn’t it be nice if Amazon did provide escrow services of this nature? Looking at Amazon Payments’ Terms and Conditions, they clearly do not:

11.6 No Agency. Nothing in this Agreement is intended to or creates any type of joint venture, employee-employer, creditor-debtor, escrow, partnership, or any fiduciary relationship between you, us or our Affiliates. Further, except as expressly provided for the limited purpose of processing payments in accordance with the Specific Terms for Business Accounts and Seller Accounts: (a) neither party shall be deemed to be an agent or representative of the other by virtue of this Agreement, (b) neither party is authorized to, or will attempt to, create or assume any obligation or liability, express or implied, in the name of or otherwise on behalf of the other party, and (c) without limiting the generality of the foregoing, neither party will enter into any contract, agreement, or other commitment, make any warranty or guaranty, or incur any obligation or liability in the name or otherwise on behalf of the other party.

Of course, we don’t stop our investigation here. I sent the scammer my details. A few hours later I received an email from someone at amazonfps.com, claiming to be Amazon Payments:

[Screenshot: the email from amazonfps.com]

The reply-to field of this email was set to “Amazon FPS <a.fps@email.com>”. Shortly after receiving the T&C’s I received an invoice from the same group:

[Screenshot: the invoice]

Note that they are asking me to wire money to an individual (Joy Rosado) that is supposedly an Amazon FPS Verified Agent. This is absolute rubbish. Joy Rosado is not a verified agent just because they told me so in an email. He is most likely another victim in this scam.
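
The sender details quoted on this page (the "Amazon Payments" invoice sent from marketplace-safety-transactions.com, and the mail from amazonfps.com with its reply-to at email.com) can be checked mechanically. The following is an added example, not code from the original post: the allow-list, the finding names, the placeholder local part, the paraphrased second body and the control message are assumptions made for illustration.

```javascript
// Added example: header and body checks for brand-impersonating "escrow" mail.
// BRAND_DOMAINS is an illustrative allow-list (assumption), not Amazon's
// published list of sending domains.
const BRAND_DOMAINS = { amazon: ["amazon.com"] };
const WIRE_SERVICES = /\b(moneygram|western union)\b/i;

// Constructed messages. Domains, display names and the reply-to address are
// the ones quoted in the posts; "placeholder" is an invented local part, the
// second body is a paraphrase, and the third message is a made-up control.
const SAMPLE_MESSAGES = [
  { fromName: "Amazon Payments",
    fromAddr: "admin@marketplace-safety-transactions.com",
    replyTo: null,
    body: "The first deposit of $2,100.00 must be submitted via MoneyGram " +
          "service to the Amazon FPS Verified Agent" },
  { fromName: "Amazon FPS",
    fromAddr: "placeholder@amazonfps.com",
    replyTo: "a.fps@email.com",
    body: "Send the deposit by Western Union to the Amazon FPS Verified Agent." },
  { fromName: "Amazon Payments",
    fromAddr: "no-reply@payments.amazon.com",
    replyTo: null,
    body: "Your payment has been received." },
];

// Domain part of an address, lower-cased; empty string if there is no "@".
function domainOf(addr) {
  const at = addr.lastIndexOf("@");
  return at === -1 ? "" : addr.slice(at + 1).toLowerCase();
}

// True only for an allowed domain itself or a subdomain of it. Matching on the
// dot boundary is what rejects amazonfps.com, which a substring test accepts.
function belongsTo(domain, allowed) {
  return allowed.some((a) => domain === a || domain.endsWith("." + a));
}

// Which known brand, if any, the display name claims to be.
function claimedBrand(displayName) {
  const name = displayName.toLowerCase();
  return Object.keys(BRAND_DOMAINS).find((b) => name.includes(b)) || null;
}

// Returns a list of finding codes for one message.
function inspectMessage(msg) {
  const findings = [];
  const fromDomain = domainOf(msg.fromAddr);
  const brand = claimedBrand(msg.fromName);

  if (brand && !belongsTo(fromDomain, BRAND_DOMAINS[brand])) {
    findings.push("BRAND_DOMAIN_MISMATCH");
    // The brand string embedded in an unrelated domain is a lookalike.
    if (fromDomain.includes(brand)) findings.push("BRAND_IN_LOOKALIKE_DOMAIN");
  }
  // Replies routed to a different domain than the one the mail came from.
  if (msg.replyTo && domainOf(msg.replyTo) !== fromDomain) {
    findings.push("REPLY_TO_DIVERGES");
  }
  // A payment brand asking for a cash wire to a named person.
  if (brand && WIRE_SERVICES.test(msg.body)) {
    findings.push("BRAND_ASKS_FOR_WIRE_TRANSFER");
  }
  return findings;
}

for (const m of SAMPLE_MESSAGES) {
  console.log(m.fromAddr, "->", inspectMessage(m).join(", ") || "no findings");
}
```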

4. Victim Sends Money

Needless to say, I did not send any money the scammer’s way. Of interest is that Debra sent me an email reminding me to check my Junk Mail folder, just in case I did not get the Amazon invoice. I wrote back and confirmed that it was there and that I would send the money chop-chop.

For me, the following reply shows just how greedy these buggers really are:

From: Debra J Thorn <debra.j.thorn@gmail.com> 
Subject: Re: Cars.com used car lead for Fenem P. - 2002 Toyota Prius
Oh Okay.Please let me know when you will be able to send the deposit to 
Amazon so i can prepare the car for the shipping.

  Oh..and i want to ask you for a favour,when you go to complete the 
transaction please inform the Western Union agent that you are sending 
the money to a relative or a friend(if they ask) because in the end 
they will charge me 10% for doing commerce and since i handle the 
shipping it will be a nice thing for you to do, it will help me a lot.

Regards

How to score this scammer?

I give this scammer a 4/10

  • 1 point for a classic Bargain Hunter scam
  • 1 point for providing a VIN and additional pictures
  • 1 point for not taking the bait in my previous attempts to make contact. In an earlier exchange Debra even said I could fly down to take a look at the car!
  • 1 point for involving Amazon Payments. Amazon has a great brand, so it just makes sense to include someone that has already earned my trust

As always, lots of room for improvement. I believe this scammer should have put in a little extra effort by attempting to verify my details with a quick phone call. It adds cost to the investigation and so mitigates his risk of being busted. Well that and the human touch when my money is being stolen always does it for me.

* 4/11/2013 update *

The 1991 Toyota MR2 post on cars.com that was highlighted on 4/8/2013 is still going strong. It’s just a matter of time until this guy catches yet another victim.

Since then I have upgraded this scammer to a 5.5/10:

  • 1 point for implementing phone verification. If you receive a call from 229-299-5936 then put your guard up. On a side note, I thought his call to me was quite funny. The email he was using to chat to me was supposedly from a woman, but the verification call I received was from a man with a thick eastern European accent. I asked what happened to the jovial American woman that I was dealing with. He told me it was his mother. When I asked where she was he replied that she was unavailable because of an emergency tracheotomy operation that she underwent a few hours ago. Chortle.
  • 1/2 a point for including eBay into the brands that he mimics. Upon verification by phone, he arranged for separate emails from support@safe-payments-online.com to come through to me. I was supposed to send money via MoneyGram and then follow up by faxing a copy of the receipt to 408 641 4641 (or calling 316 252 1332)

 

The Mystery Shopper scam is so popular that I have no problem covering it over and over again. Today’s fraudster tries to take me for a ride using the classic four pronged attack:

1. Scammer Baits a Victim

On a mailbox that does not exist, I received the following spam:

From: SSN 2013 [mailto:danela@sympatico.ca] 
Sent: Tuesday, January 29, 2013 8:03 AM
Subject: Ms-Network Info

Congratulations

We are accepting applications for qualified individuals to become 
a Mystery of Shopper.

Please reply this email with the following information below to 
sign up :

*~ Full Name                    :
*~ Address (No P.O Box) :
*~ City                              :
*~ Zip                               :
*~ Your Country                        :
*~ Your phone / Land phone :

You will receive a flat amount of $ 200 per assignment.
Full job description will be sent to you prior in your assignment.
You will have access to training materials after you register.
It's very exciting and hopefully will be successful. There is no fee 
to become a shopper

2. Scammer Verifies the Victim’s Details

I replied with the information that was requested. The scammer did not respond or bother to verify my details. Perhaps this scammer is running at such a large scale that he does not have to, for a response alone is enough verification.

3. Scammer Gains the Victim’s Trust

A few days later I received a USPS Priority Mail.

It contained the following:

  • 1 x check for $1980. He is “paying” me for services that have yet to be rendered, this is how he tries to gain my trust

  • 1 x set of instructions. This includes details on the task I have been assigned in addition to the next mystery shopper that I am supposed to wire money to (the scam)

4. Victim Indirectly Sends the Scammer a Check in Return

At this point I am supposed to rush off to the bank and send my own money to the scammer. Once my money has been sent off and after the check from above does not clear, I will have been the victim of wire fraud.

Overall this is not a very good scammer. I can’t help but get the feeling that he is either operating at a very large scale or a very small scale, both of which would force him to minimize expenses.

I rate this scammer a 2/10

  • 1 point for a basic Mystery Shopper Scam
  • 1 point for instructing me to wire money to the next Mystery Shopper
  • 1 point for being strictly about business! (see Fraudster Chit-Chat below)
  • -1 point because the next Mystery Shopper is in the USA (?)

Problems with the scam that impact this fraudster’s score:

  1. He did not verify my details. I think a phone call to at least check who is on the other side would have been nice, but perhaps he can’t afford it.
  2. The instructions sent were not of premium quality. There is no company logo and the email address provided as a point of contact is sure to set off alarm bells (sssshopperwilson@aol.com).
  3. Too many people involved: the original email received was from danela@sympatico.ca. The USPS Mail was from Jeffrey M Eastman. The check received was from George L Shashoua and Marilyn Shashoua. The instructions were from Markus Prescott, it has me wiring money to Mark Roberts

So that’s six people involved in this transaction. If the scammer wants a higher conversion rate, it would be within his interest to have fewer people involved.

Now one might say that there are so many people involved because it’s a money laundering scam. In this case the check I received is real and the next victim in the scam is Mark Roberts in Chicago. This is entirely possible. Someone somewhere has been robbed and our scammer is using the Mystery Shopper scam to filter money through the bank accounts of innocent victims (aka money mules).

The interesting thing about money laundering through money mules is that the scammer is the one that has to do the trusting. Instead of withdrawing the amount allocated to me, the mule, for my services as a Mystery Shopper, I could just cash the check 100% and then do nothing.

There’s enough money being stolen online that I would not be surprised to hear of people making a living doing exactly that.

Fraudster Chit-Chat

On the chance that this may be a money laundering scam, I thought I would have some fun with this fraudster. So I decided to email him (using the contact address posted to me) and let him know that I was having some problems. Enter Jayster the pot-smoking hippie:

 

To: sssshopperwilson <sssshopperwilson@aol.com>
Sent: Thu, Feb 14, 2013 5:59 am
Subject: Secret Shopper Check Received!

Got your check. Thanks bro! Took my ride to the shop and added
new rims, 22’s lookin real mean and shiny! Oh yeah my old 
lady was bitchin about child payments so I had to take care of
that too, it’s the law. So I am $1200 shy of the $1730 I owe you. 

Okay if I make it up next time?

Jayster

Yet another name enters the picture as the fraudster promptly replies:

From: Markus Wilson [mailto:sssshopperwilson@aol.com] 
Sent: Thursday, February 14, 2013 7:28 AM
To: 
Subject: Re: Secret Shopper Check Received!

Follow the instruction and get Assignment done!

Markus Wilson

+1 point to the fraudster for being strictly about business. He stopped responding when I tried to get him to acknowledge that I had spent most of the money, and now “owed” him even less.

Sent: Thursday, February 14, 2013 3:00 PM
To: 'Markus Wilson'
Subject: RE: Secret Shopper Check Received!

Cool bro. We’re kicking it on the 22s, smoking a bud or two 
by the beach. 

Assignment done by weekend then I send you $250 cuz I already 
spent a little extra again ;) 

K bro?

We have discussed typosquatting enough to know that it is most definitely not a solved problem.

Today’s example brings nothing new to the table, but it’s interesting nonetheless. Type orbuitz.com (a fat-fingered typo of orbitz.com) into your browser and you will be redirected through to orbitz.com via an affiliate link (Google Affiliate Network pubid=21000000000018829). Since the Google Affiliate Network is involved, this typosquatter will be paid a commission in the event that the user who typed in orbuitz.com makes a purchase from orbitz.com.

The typosquatter in this scenario may insist that he is providing a service to Orbitz:

“Hey I’m just helping users who made a mistake get to your site!”

You and I know that’s absolute drivel. Had the typosquatter not registered the domain, then any modern browser would have detected that it does not exist and sent that off as a query to a popular search engine, resulting in organic traffic flowing as it rightfully should through to the merchant. The traffic belongs to the merchant. The traffic should not have to be paid for. End of story.

Does Orbitz have a relationship with this Typosquatter?

The surprising part about this little example is that Orbitz probably does have a relationship with this typosquatter.

What are you talking about?!

Orbitz (the merchant) probably sees great conversions from the typosquatter (an affiliate), so they don’t question the source of the traffic. They don’t have any reason to do so, you see, for the typosquatter is laundering the traffic before sending it through to Orbitz. Shock!

Using this packet log as a reference, here’s how this works:

  1. User enters orbuitz.com into the browser
  2. This 302 redirects to http://www.linkcounter.com/go.php?linkid=297379
  3. Linkcounter.com then 302 redirects to http://www.e-o-k.com/otbr.htm
  4. JavaScript on the e-o-k.com page waits half a second and then fakes a click on an Orbitz affiliate link!

function link()
{
  setTimeout("document.getElementById('mylink').click()",500);
}

The net result is that Orbitz is seeing the traffic come from e-o-k.com and not the typosquatter domain.
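
The referrer substitution in the steps above can be confirmed from a recorded hop log, for example by a merchant auditing where its affiliate traffic really starts. This is an added example, not code from the original post: the hop records are constructed from the four steps, and the affiliate click host and the control chain are placeholders.

```javascript
// Added example: audit a recorded navigation chain for referrer laundering.
// SAMPLE_HOPS is constructed from the four steps in the post; the affiliate
// click host (affiliate-network.example) is a placeholder, not a real URL.
// "via" records how the browser reached each URL.
const SAMPLE_HOPS = [
  { url: "http://orbuitz.com/", status: 302, via: "typed" },
  { url: "http://www.linkcounter.com/go.php?linkid=297379", status: 302, via: "redirect" },
  { url: "http://www.e-o-k.com/otbr.htm", status: 200, via: "redirect" },
  { url: "http://affiliate-network.example/click?pubid=21000000000018829",
    status: 302, via: "script-click" },
  { url: "http://www.orbitz.com/", status: 200, via: "redirect" },
];

// Constructed control: a visitor clicks an affiliate link on a content site.
const CONTROL_HOPS = [
  { url: "http://travel-reviews.example/deals", status: 200, via: "typed" },
  { url: "http://affiliate-network.example/click?pubid=PLACEHOLDER",
    status: 302, via: "user-click" },
  { url: "http://www.orbitz.com/", status: 200, via: "redirect" },
];

function hostOf(url) {
  return new URL(url).hostname.toLowerCase().replace(/^www\./, "");
}

// Optimal string alignment distance: insert, delete, substitute, and swap of
// two adjacent characters each cost 1 (covers fat-finger typos).
function editDistance(a, b) {
  const d = [];
  for (let i = 0; i <= a.length; i++) d.push([i]);
  for (let j = 1; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) {
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1);
      }
    }
  }
  return d[a.length][b.length];
}

function isLikelyTypo(candidateHost, merchantHost, maxDistance = 2) {
  if (candidateHost === merchantHost) return false;
  return editDistance(candidateHost, merchantHost) <= maxDistance;
}

// The Referer the final request carries. A typed navigation has none, a 3xx
// redirect keeps whatever the redirected request had, and a click (scripted
// or real) sets it to the document that held the link.
function referrerAtLanding(hops) {
  let referrer = null;
  for (let i = 1; i < hops.length; i++) {
    const via = hops[i].via;
    if (via === "script-click" || via === "user-click") {
      referrer = hops[i - 1].url;
    } else if (via === "typed") {
      referrer = null;
    }
  }
  return referrer;
}

function analyzeChain(hops, merchantHost) {
  const entryHost = hostOf(hops[0].url);
  const landingHost = hostOf(hops[hops.length - 1].url);
  const referrer = referrerAtLanding(hops);
  const referrerHost = referrer ? hostOf(referrer) : null;
  const typoEntry = isLikelyTypo(entryHost, merchantHost);
  return {
    entryHost,
    landingHost,
    referrerHost,
    typoEntry,
    scriptedClick: hops.some((h) => h.via === "script-click"),
    intermediaries: [...new Set(hops.slice(1, -1).map((h) => hostOf(h.url)))],
    // Traffic entered on a typo of the merchant's name, but the merchant is
    // shown some other site as the source.
    launderedReferrer: typoEntry && landingHost === merchantHost &&
      referrerHost !== null && referrerHost !== entryHost,
  };
}

console.log(analyzeChain(SAMPLE_HOPS, "orbitz.com"));
console.log(analyzeChain(CONTROL_HOPS, "orbitz.com"));
```

The comparison is made on host names, so it still holds under a referrer policy that strips the path and sends only the origin.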

I give this typosquatter a 2/10

  • 1 point for basic typosquatting
  • 1 point for laundering the click through e-o-k.com

Oh my, what a bad score. Lots of room for improvement here!

It’s always surprising to me just how popular the Mystery Shopper scam is. If you’re a chap that has stumbled upon this site because you are investigating what this Mystery Shopper offer you’ve recently received is all about, know this: don’t take a chance, it’s probably a scam!

From an earlier post, we already know that the Mystery Shopper scam can be broken up into four parts:

  1. Scammer Baits a Victim
  2. Scammer Verifies the Victim’s Details
  3. Scammer Priority Mails the Victim a Check. Upon reflection, I think this part should really be renamed to “Scammer Gains the Victim’s Trust”.
  4. Victim Indirectly Sends the Scammer a Check in Return

I recently “fell victim” to yet another scammer in the Mystery Shopper Scam. It’s funny to write about, but it’s not so funny when one considers that real people lose real money on this nonsense all of the time.

In this scam, the scammer followed the classic four pronged attack from above. Here’s what happened:

1. Scammer Baits a Victim

On a mailbox that does not exist, I received the following spam email:

From: Thomas Pelot [mailto:thomaspelot@icloud.com] 
Sent: Wednesday, January 23, 2013 6:34 PM
Subject: Approved: Retail Supervisor

Good Evening,

My name is Thomas Pelot, Hiring & Evaluation Consultant for BP 
Outsourcing LLC. We received your application in response to 
our Email campaign for mystery shoppers in your area. I am writing
 to congratulate you, as you have been selected as our newest 
shopper. You have been shortlisted to participate in our forth 
coming survey evaluation. It is our hope, that your addition to 
the fold will bring another edge and an heightened perspective 
to our surveys in your local city.

I will be contacting you tomorrow with more details on the position. 

Please write back as soon as you read this, to acknowledge receipt.

Thomas Pelot
mysterysupport@me.com
Hiring & Evaluation Consultant
BP Outsourcing LLC
Please find our webpage: WWW.BPOUTSOURCINGLLC.COM

I replied with:

Sent: Wednesday, January 30, 2013 12:57 PM
To: 'mysterysupport@me.com'
Subject: RE: Approved: Retail Supervisor

This is such good timing. Thank you thank you!

What do you need from me?

2. Scammer Verifies the Victim’s Details

Shortly after my first reply, the scammer and I had a short e-mail exchange where he asked me for a valid physical address and telephone number that I could be contacted on (which he checked via a quick call!)

3. Scammer Gains the Victim’s Trust

A few days later I received a priority parcel in the mail.

The contents of this parcel are a little more interesting than the previous scam we discussed. Instead of one check he sent us two. Remember, he sends us fake checks that look genuine so as to gain our trust; note that these are Postal Money Orders from USPS (very official looking).

Of greater interest than the checks is that he sent us a cover letter!

The cover letter is a good idea and quite different to what the other scammers are getting up to. Four features in it are quite a nice touch:

  • I liked the fact that he carefully explains how much I will be paid and for what (the remainder going off to the Philippines)
  • He makes reference to an external company (bpoutsourcingllc.com). Of course, this could be a totally legitimate company and both this company and the victim would be none the wiser of what’s going on (unless the victim was disciplined enough to double check things). Otherwise there’s absolutely nothing stopping the victim from saying he is affiliated with X Y or Z. Nice one scammer.
  • The scammer is available for support and questions. How wonderful! I tried to give him a call to ask him some questions but he is no longer picking up his phone.
  • The last statement in this cover letter is real classy: “Remember, you’re a mystery shopper. You are expressly forbidden to disclose this information to anyone.”

4. Victim Indirectly Sends the Scammer a Check in Return

So he gains our trust by sending us an upfront payment (and more) for services that have yet to be rendered. Call it Terms – 15 (unheard of!). The scam comes in when we deposit the fake money and, before waiting for the checks to clear, rush off to wire our own money to the scammer in the Philippines. A few days later we find out that the checks were fake and did not clear (but our own money has already been sent and received by the scammer).

How not to fall victim to this scam?

Straight from the FTC's writeup on the Mystery Shopper scam: don't do business with mystery shopping promoters who:

  • Advertise for mystery shoppers in a newspaper’s ‘help wanted’ section or by email
  • Require that you pay for “certification.”
  • Guarantee a job as a mystery shopper
  • Charge a fee for access to mystery shopping opportunities
  • Sell directories of companies that hire mystery shoppers
  • Ask you to deposit a check and wire some or all of the money to someone

How to rate this scammer?

This scammer falls short in a few areas. I think he could have done a lot more work when it comes to reducing the number of people involved in the scam. If I was an old Grandpa this is one of the things I would probably be suspicious of:

  • I originally received an email from Thomas Pelot
  • The Fedex parcel came from John Timpandis
  • The checks were signed by William Hinson
  • The money order was supposed to be wired to Erin Dubois

I know that money laundering is probably the reason why these other folks are involved (some of whom could be innocent victims themselves), but I think the scammer would look more legitimate if he reduced the number of people to just one person.

Adding the phone number and contact details was a good idea, but he should have picked up when I called. So much nicer to chat to a real person when my money is being stolen from me.

Bottom line: this Mystery Shopper scammer gets a 4/10

  • +1 for basic mystery shopper scam
  • +1 for calling me to validate my details
  • +1 for USPS Postal Money Order
  • +2 for a cover letter with details and support details. I really liked this.
  • -1 for not picking up his phone

Vivaprograms.com (Alexa #4850) is Cookie-Stuffing their visitors. Load up their site, click on View->Source and scroll down to line #593:

banner120x600.jpg is not an image. When the browser tries to retrieve this image it will be redirected through a number of servers (sample of the packet trace), eventually landing at hostgator.com via an affiliate link. The browser won’t be able to render the HTML returned from hostgator.com, but it will save the cookies associated with the affiliate. The red arrow below highlights the broken image that was loaded in the vivaprograms DOM:

The net effect is that if the user who visited vivaprograms.com ends up buying anything from Hostgator, then the unscrupulous affiliate is paid an unearned commission (enter Cookie-Stuffing).

I don’t think vivaprograms.com is the fraudster here. Mostly because they have made no attempt at all to conceal what’s going on. Here’s what I think happened:

  • Vivaprograms is approached by buygoldbacklinks, they want to know what it costs to be an advertiser on their site
  • Vivaprograms gives them a price
  • Buygoldbacklinks does the maths on how much they will pay vs how many users they will be exposed to and what rate of success they generally have when Cookie-Stuffing
  • Buygoldbacklinks calculates that there will be a positive rate of return. So they give Vivaprograms a link to an image that works just fine
  • Vivaprograms runs the ad
  • After a little while, buygoldbacklinks switches off the image and turns on the redirect

The fraudster behind this scam is surely a newbie. He scores 1/10 for his efforts:

  • +1 for basic cookie-stuffing
  • +1 for scamming vivaprograms to run the ad
  • -1 for having the broken image show though (it’s a good way to get caught really quickly)

If you are a legitimate Amazon affiliate, you stand absolutely no chance against today’s fraudster (he is probably stealing your commissions!). Having followed this fraudster for almost an entire year, I am of the opinion that he is laughing all the way to the bank when he receives his check from Amazon every month.

Here’s what he is up to:

  • Fraudster registers as a premium Google advertiser
  • Fraudster creates custom display banners that will run on Google’s display network
  • These banners use a tracking pixel that calls home to a remote third party when loaded. The tracking pixel is not affiliated with the tracking system provided by Google, i.e., it is under the fraudster’s control
  • When the time is right, the tracking pixel 302 redirects back to Amazon via an affiliate id (essentially faking a click)
  • This will result in cookies being placed on the machine that signal Amazon to pay the affiliate in the event of a purchase. This is fraud.

So that's it. The fraudster is using Google's advertising network to target the users of popular publishers.

This attack is very plain, very simple and very effective. We talked about this chap a few times last year:

  • We know that he is cycling through hundreds of affiliate ids.
  • We know that he must be getting away with what he is doing because, at the end of the day, people, buying Google ads costs money and no self-respecting fraudster would pay for a service that was not profitable.

Here’s a recent example (1/21/2013 6:42:46 PM PST) of our fraudster using Google to run his ads on barnesandnoble.com (good targets for Amazon cookie-stuffing!). Red arrow leads the way:

Amazon affiliate fraud - cookie-stuffing

The ad that has been highlighted with the red arrow 302 redirects the tracking pixel to Amazon using an affiliate id (keep loading the ad and it will keep rotating through different affiliate ids). Note that this happens without having to click on the ad, i.e., just viewing the ad will result in the fraudster claiming a commission on a purchase in the near future from Amazon. Shock!
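The pattern in this post and in the vivaprograms.com post above (an image request that is 302-redirected to a merchant through an affiliate link) can be picked out of a browser or proxy trace. The following is an added example, not code from the original posts: the trace rows, hostnames and affiliate ids are constructed, and it assumes the merchant carries the affiliate id in a `tag` query parameter.

```python
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Assumption: merchant domain -> query parameter that carries the affiliate id.
AFFILIATE_PARAMS = {"amazon.com": "tag", "amazon.co.uk": "tag", "amazon.de": "tag"}
REDIRECTS = (301, 302, 303, 307, 308)
AD = "http://ads.example/banner.jpg"             # constructed hostnames and ids
SHOP1 = "http://www.amazon.com/?tag=constructed01-20"
SHOP2 = "http://www.amazon.com/?tag=constructed02-20"
FIELDS = ("load", "initiator", "url", "status", "location", "ctype")
# Constructed trace: one row per HTTP response, as a proxy or HAR export gives.
TRACE = [dict(zip(FIELDS, row)) for row in [
    (1, "image", AD, 302, SHOP1, ""),            # ad image, first page view
    (1, "redirect", SHOP1, 200, "", "text/html"),
    (2, "image", AD, 302, SHOP2, ""),            # same ad, the id has rotated
    (2, "redirect", SHOP2, 200, "", "text/html"),
    (3, "image", "http://cdn.example/logo.png", 200, "", "image/png"),
    (4, "click", "http://blog.example/go", 302, SHOP1, ""),   # real user click
    (4, "redirect", SHOP1, 200, "", "text/html"),
]]

def affiliate_id(url):
    """Return the affiliate id if url is a merchant URL carrying one, else None."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    for merchant, param in AFFILIATE_PARAMS.items():
        if host == merchant or host.endswith("." + merchant):
            return (parse_qs(parts.query).get(param) or [None])[0]
    return None

def final_hop(records, first):
    """Follow Location headers within one page load to the last response."""
    by_url = {(r["load"], r["url"]): r for r in records}
    hop, seen = first, set()
    while hop["status"] in REDIRECTS and hop["url"] not in seen:
        seen.add(hop["url"])
        hop = by_url.get((hop["load"], hop["location"]), hop)
    return hop

def forced_clicks(records):
    """(source host, affiliate id) for image loads that end on merchant HTML."""
    hits = []
    for r in records:
        end = final_hop(records, r) if r["initiator"] == "image" else None
        if end and end["ctype"].startswith("text/html") and affiliate_id(end["url"]):
            hits.append((urlsplit(r["url"]).hostname, affiliate_id(end["url"])))
    return hits

def rotating_sources(hits):
    """Source hosts seen with more than one affiliate id across page loads."""
    ids = defaultdict(set)
    for source, aff in hits:
        ids[source].add(aff)
    return {s: sorted(v) for s, v in ids.items() if len(v) > 1}
```

The user-initiated click in load 4 reaches the same merchant URL but is not reported, because only chains that start as an image load are treated as forced clicks.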

Want to know more about this fraudster? I will be presenting this chap (and many bozos monkeys gentlemen like him) at the Digital Crimes Consortium in February, so if you are invited then be sure to come and say hello for all of the juicy details.

Otherwise I rate this fraudster 7/10:

  • 4 points for featuring on iPensatori a few times now and still managing to slip one past the Amazon fraud detection team
  • 1 point for basic cookiestuffing (302 redirects from an image request)
  • 1 point for exploiting Google’s advertising network
  • 1 point for geolocation (he routes you through to Amazon UK if you are from a UK IP and Amazon DE if from a DE IP — nice!)

Today’s fraudster is up to no good through methodsofhealing.com. Point your browser to this page and guess what, you won’t find anything wrong at all. So no forced click means no affiliate fraud and no problem, right? Wrong!

Our fraudster is being sneaky because he has set up a demilitarized zone. Think of this as a proxy or a buffer page, something that he can trust. If you don't come to this site via the buffer page then you won't see anything sneaky going on. Unfortunately for our fraudster, the demilitarized zone that he has chosen is actually quite a popular one: Google.

So let’s try this again. Fire up your favorite Web debugger and modify the first outgoing request to methodsofhealing.com by adding the following header:

Referer: http://images.google.com/imgres?q=

What you’re telling our fraudster is that you’re now visiting him as a result of having viewed images.google.com. This packet trace sample shows what happens:

  1. The browser loads methodsofhealing.com
  2. A server-side script on the fraudster’s site detects that it has been visited from a demilitarized zone (images.google)
  3. It then injects an iframe which will result in Amazon being loaded via an affiliate id (this is a forced click — we know this as Cookie-Stuffing)

The page loads with an invisible iframe which in turn loads Amazon:

www.methodsofhealing.com busted for affiliate fraud

I modified the invisible iframe to no longer be invisible:

www.methodsofhealing.com busted for affiliate fraud

Unlike a lot of the other bozos we talk about here, this chap has decided not to put all of his eggs in one basket, i.e., he is cycling through affiliate ids. Ordinarily, I would say

“well done fraudster, well done indeed”

But today's fraudster proves to us that he really is just like the other bozos after all, for he is constantly cycling through affiliate ids. He doesn't employ any sampling methods (so he always commits the fraud) and he doesn't drop any of his own cookies to detect previous victims (so he targets the same chaps multiple times). With this in mind, I would be very surprised if Amazon gave me a call and said "we didn't know about this guy" because at the end of the day, despite using a demilitarized zone, he is basically asking to get caught. The affiliate ids used in this attack are carriebernhei-20, johnrobinso02-20, lisawilliam0b-20 and sarahmartin-20.

I don’t score this chap too high:

  • 1 point for the lamest form of Cookie-Stuffing
  • 1 point for using a demilitarized zone
  • 1 point for cycling through affiliate ids
  • -1 point for not protecting his affiliate ids

2/10 (pathetic)

On Demilitarized Zones

Believe it or not, but images.google.com is a very popular demilitarized zone. It makes sense, for images.google.com is a great way to preview images. Note that when you preview the images, Google loads the page responsible for showing the image in the background. This makes for a wonderful opportunity to engage in Cookie-Stuffing.

Who better to explain how to engage in this kind of behaviour than the fraudsters themselves? From an anonymous Blackhatter:

When you go to Google, you will see a nice little link that says “Images”. What many people don’t realize is that this is a gold mine. These images work the same as the search engine results, Google simply just takes these images from the websites that it has in its search results. However, when you click on any of these images you are actually taken to the website which is in an iframe. By simply stuffing the page that the image is on you will stuff every single person that views the image. Once you have your affiliate link, choose the genre you would like to “attack”. Do a search for images under your keyword and grab as many images as you can. Now that you have your images, start mass creating Web 2.0 sites with a short article about that topic and then include the image. Make sure that the image is tagged with that keyword and that the title of the article is also tagged with that keyword. You can then either stuff your web 2.0 site with the image cookie stuffing code. It is now time to just let Google run its magic. Every time someone views the image from the images search, they will be stuffed.

Hold on a Second, What are you doing?

If you’re my competitor, you’re probably thinking “Hahah! This guy just gave me some great intel, what a sucker!”. But think again, I just gave everyone great intel, for when it comes to detecting Cookie-Stuffing, I happily put myself out of business.

Don’t forget folks (mostly the fraudsters really), Cookie-Stuffing is a very serious offense that can land you behind bars.

Head on over to couponroo.com, click on View then Source and scroll down to line #1173:

This is an image that has had its src attribute set to an Amazon affiliate link (affiliate id petmecom-20 – packet trace here if you can’t repro). The browser will try to render the image using the link but since it’s a pointer to the Amazon Web site and not an image, the browser will be unable to render it.

Regardless of the rendering blunder, cookies associated with loading the Amazon site through the affiliate link will be persisted to the machine. So if the user who visited couponroo.com makes a purchase from Amazon anytime soon, then the affiliate behind the malformed image will be paid an unearned commission.

Couponroo knows exactly what they are doing here, for they attempt to hide the malformed image through CSS styles that set it as invisible. With these CSS styles left as is, the page renders as follows:

couponroo.com

Remove the styles though, and you end up with a malformed image at the bottom of the page:

I rate couponroo 1/10:

  • 1 point for the lamest form of cookie-stuffing
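Both the hidden image on couponroo.com and the Referer-gated iframe on methodsofhealing.com described earlier can be found by scanning the returned HTML for `<img>` and `<iframe>` elements whose `src` is a merchant affiliate link. The following is an added example, not code from the original posts: the HTML samples and affiliate ids are constructed, and it assumes the id travels in Amazon's `tag` parameter and that hiding is done with inline styles or 0/1-pixel dimensions.

```python
import re
from html.parser import HTMLParser

# Assumption: Amazon affiliate links carry the id in the "tag" query parameter.
AFFILIATE_URL = re.compile(
    r"^https?://(?:[\w-]+\.)*amazon\.(?:com|co\.uk|de)/\S*[?&]tag=([\w-]+)", re.I)
# Assumption: hiding is done inline; rules in external stylesheets are not seen.
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)

# Constructed responses: the same page fetched without and with a search
# Referer, and a page that hides an affiliate-link image.
PLAIN = '<html><body><h1>Remedies</h1><img src="/img/herbs.jpg" width="300"></body></html>'
REFERRED = PLAIN.replace("</body>", '<iframe src="http://www.amazon.com/?tag='
                         'constructed03-20" width="1" height="1"></iframe></body>')
COUPON = ('<p>Coupons</p><img style="display: none" '
          'src="http://www.amazon.com/?tag=constructed04-20"/>')

class StuffingScanner(HTMLParser):
    """Collect <img>/<iframe> elements whose src is a merchant affiliate link."""
    def __init__(self):
        super().__init__()
        self.findings = set()

    def handle_starttag(self, tag, attrs):
        if tag not in ("img", "iframe"):
            return
        a = {k: (v or "") for k, v in attrs}
        m = AFFILIATE_URL.match(a.get("src", "").strip())
        if not m:
            return
        tiny = a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
        hidden = bool(HIDDEN_STYLE.search(a.get("style", ""))) or tiny
        # An <img> can never render an HTML storefront, so it is reported
        # whether or not it is hidden; the flag only records concealment.
        self.findings.add((tag, m.group(1), hidden))

def scan(html):
    """Return a set of (tag, affiliate id, hidden) found in one HTML body."""
    scanner = StuffingScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings

def referer_cloaked(plain_html, referred_html):
    """Findings served only when the request carried the search Referer."""
    return scan(referred_html) - scan(plain_html)
```

Fetch the same page once without and once with the `Referer: http://images.google.com/imgres?q=` header and pass both bodies to `referer_cloaked`.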

Here's wishing all of my readers a Merry Christmas and a Happy New Year.

Well, not all of my readers, to the fraudsters: if you thought iPensatori was a thorn in your side during 2012, hold as tight as you can onto those little black hats of yours, we’re just getting started!

And now for a little present in your xmas sock. Fire up your favorite Web debugger and point your browser to www.prettygirlnow.info

The savvy fraud investigators out there will quickly determine that Amazon and Bestbuy are the targets of a cookie-stuffing attack (packet log here in case you can't reproduce). The affiliate ids being used by this fraudster are scarvesmy-20 for Amazon and 6463248 for Bestbuy (routing through the CJ affiliate network).

This is not where this fraudster ends his attack though. What is interesting about this chap is that he has been spending what surely amounts to a fortune on the PPV networks. Remember that PPV networks allow you to bid on machines that have Adware (and sometimes Malware) on them. Whenever the user on the infected machine does something that the PPV network thinks can be monetized, they sell this event on their market. The winner will then have their code/ad/image executed on behalf of the PPV software on the infected machine.

My automation has detected hundreds of incidents against Amazon, Bestbuy and others that involve this fraudster alone; increasing in frequency around November and peaking over the last few days.

In the first image below, on a machine infected with PPV rubbish, we browse to Amazon.com back in November. The PPV software on the machine sells this event to our fraudster, who *drumroll* has them load www.prettygirlnow.info in a popup (second image). Since prettygirlnow launches a cookie-stuffing attack, the net result here is that if the user buys anything from Amazon (significant probability in this case), the fraudster behind prettygirlnow will be paid an unearned commission.

How to score this fraudster?

Unfortunately for him, he is not the brightest bulb on the Christmas tree. He should have cycled through affiliate ids. But more importantly, he should have set up a demilitarized zone protecting prettygirlnow.info. With that in place, he would push the PPV traffic through the demilitarized zone, which routes through to the site that does the attack. Since the demilitarized zone is trusted, or at least more trusted than the anonymous Web, he would have reduced the likelihood of us catching him red handed.

So I give this fraudster 2/10:

  • 1 point for using PPV
  • 1 point for using advanced cookie-stuffing methods. Bonus points to the reader/investigator who sends me an e-mail explaining in detail why he is using advanced cookie-stuffing methods here.