Hello folks,
The report below is from a company we know well. Its specifics
don't matter as much as the implicit warning about the lengths credit
card defrauders are willing to take to get your dollars.
This is particularly the case if you are a *merchant*, i.e. accept
credit card payments over the Internet to sell your software or
services.
------- Forwarded message follows -------
Date sent: Wed, 06 Aug 2003 10:01:34 +1000
To: [EMAIL PROTECTED]
From: WebHub Technical Support <[EMAIL PROTECTED]>
Subject: OT: cc fraud scheme
Send reply to: [EMAIL PROTECTED]
I'm sending this as a warning to those of you who operate merchant
accounts.
I wasted several weeks imagining that I was reselling a real product
named Hex Editor Pro for a company supposedly named Escape Software
Inc., aka ES Market Corp. (a Delaware corporation, headquartered in
Washington state, established through valisinternational.com). I
watched their sales climb rapidly -- 3 to 15 sales per day -- high
for a pitiful little hex editor written in 1996 -- and noticed way
too many orders from the same domain names -- but I didn't suspect
that 100% of their orders were fraudulant. They were. And the
purchase price on this product is $12.47.
HREF lost $149.00 to them via check to The Bancorp Bank in Wilmington
Delaware -- not a lot of money in the western world.
They would have scammed a lot more money if HREF had been a larger
company, because the pattern would have been very difficult to detect
until many thousands had been paid to Escape Software.
How they did it is interesting. One or possibly two people registered
over 20 domains. See whois for extradriveltd.net and
spacepark2003.org to see the two registrars. ALL orders from ALL Hex
Editor Customers track back to a domain registered by either of those
two parties, and all in May 2003. Then they made up fake email
accounts to match the names of the people whose credit cards they had
stolen. That was another reason I didn't suspect anything at first,
because my prior experience with fraud had a big disparity between
cardholder name and email address.
They used a different, valid, credit card for each order, with a
matching address. They mismatched on phone numbers. They provided
"bank name that issued the credit card" and they provided the 3 digit
verification number. They had a good list of stolen info and/or they
made a number of educated guesses. They ordered from various IP
numbers, using various browsers. The cards were a mix of visa and mc,
and not all from one bank. Some cards were debit cards. There were
over 140 transactions before I disconnected them.
VALIS International indicates that ES Market Corp. is based in
Bulgaria, which may or may not be true.
The email address behind Dan Soop ([EMAIL PROTECTED]) tracks
to a MACPHISTO.NET Matthias Muehlbradt ([EMAIL PROTECTED]),
49305450552, Baerensteinstr. 42, Berlin--12685, DE. This "person"
may or may not be aware of the scam.
I have filed reports with FBI, local police, two banks, and SwiftPay.
My primary lesson on this one is: just because I can't figure out why
someone would do something doesn't mean they are not doing it!
Here is the blacklist of domains:
const
blackList='|hotmail.com|yahoo.com|' +
{registered on 8-May-2003 by Dan Soop using
http://www.RegisterFly.com}
'extradriveltd.net|superduperco.net|masterofroot.net|XLNTPRICE.COM|'+
'jooodlnk.com|mgmrst.org|ISPOFCA.COM|' +
'loosingmny.com|LEETPPL.NET|PIPELIDER.COM|HOMENETPPP.COM|BULKSPEED.NET|'
+
{registered on 9-May-2003 by "SEE SPONSORING REGISTRAR", which is
R39-LROR}
'spacepark2003.org|CMCDOB.ORG|isp4me.org|LINKPERSON.ORG|VIPSPACE.ORG|24hsupport.org|';
Keep your eyes open.
Ann
------- End of forwarded message -------
cheers,
peter
===========================================
Peter Hyde, Development Director, SPIS Ltd, Christchurch, New Zealand
* TCompress/TCompLHA component sets for Delphi/Kylix/C++
* TurboNote+: http://TurboNote.com -- top-rated onscreen sticky notes
Find all the above and MORE at http://spis.co.nz
--> via Canterbury Software email forum: Success through Connections
Email your messages to [EMAIL PROTECTED]
Searchable list archive: http://www.mail-archive.com/[EMAIL PROTECTED]
Leave or rejoin the list: http://canterburysoftware.org.nz/forum.htm
