Rss

Archives for : November2015

How scammers use eBay as their personal ATM

When someone steals your credit card information, how do they cash it out? Increasingly, it’s through so-called ‘triangulation fraud’.

credit card id theft on line image www.scamsfakes.com

Once a scammer steals credit card details online, they can launder the money on eBay before too many red flags go off. Photo: Getty Images

How do fraudsters “cash out” stolen credit card data? Increasingly, they are selling in-demand but underpriced products on eBay that they don’t yet own. Once the auction is over, the auction fraudster uses stolen credit card data to buy the merchandise from an e-commerce store and have it shipped to the auction winner. Because the auction winners actually get what they bid on and unwittingly pay the fraudster, very often the only party left to dispute the charge is the legitimate cardholder.

So-called “triangulation fraud” — scammers using stolen cards to buy merchandise won at auction by other eBay members — is not a new scam. But it’s a crime that’s getting more sophisticated and automated, at least according to a victim retailer who reached out to me recently after he was walloped in one such fraud scheme.

The victim company — which spoke on condition of anonymity — has a fairly strong e-commerce presence, and is growing rapidly. For the past two years, it was among the Top 500 online retailers as ranked by InternetRetailer.com.

How triangulation fraud works chart image www.scamsfakes.com

How triangulation fraud works. Photo: eBay Enterprise

The company was hit with over 40 orders across three weeks for products that later traced back to stolen credit card data. The victimised retailer said it was able to stop a few of the fraudulent transactions before the items shipped, but most of the sales were losses that the victim firm had to absorb.

The scheme works like this: An auction fraudster sets up one (or multiple) eBay accounts and sells legitimate products.  A customer buys the item from the seller (fraudster) on eBay and the money gets deposited in the fraudster’s PayPal account.

The fraudster then takes the eBay order information to another online retailer which sells the same item, buys the item using stolen credit card data, and has the item shipped to the address of the eBay customer that is expecting the item. The fraudster then walks away with the money.

One reason this scheme is so sneaky is that the eBay customers are happy because they got their product, so they never complain or question the company that sent them the product. For the retailer, the order looks normal: The customer contact info in the order form is partially accurate: It has the customer’s correct shipping address and name, but may list a phone number that goes somewhere else — perhaps to a voicemail owned and controlled by the fraudster.

“For the retailer who ships thousands of orders every day, this fraudulent activity really doesn’t raise any red flags,” my source — we’ll call him “Bill,” — told me. “The only way they eventually find out is with a sophisticated fraud screening program, or when the ‘chargeback’ from Visa or MasterCard finally comes to them from the owner of the stolen card.”

In an emailed statement, eBay said the use of stolen or fraudulent credit card numbers to purchase goods on eBay is by no means unique to eBay.

“We believe collaboration and cooperation is the best way to combat fraud and organised retail crime of this nature, working in partnership with retailers and law enforcement,” wrote Ryan Moore, eBay’s senior manager of global corporate affairs. Detecting this type of fraud, Moore said, “relies heavily on the tools that merchants use themselves, which includes understanding their customers and implementing the correct credit card authorisation protocols.”

Moore declined to discuss the technology and approaches that eBay uses to fight triangulation fraud — saying eBay doesn’t want to tip its hand to cybercriminals. But he said the company uses internal tools and risk models to identify suspicious activity on its platform, and that it trains hundreds of retailers and law enforcement on various types of fraud, including triangulation fraud.

Quad fraud

Moore pointed to one education campaign on eBay’s site, which adds another wrinkle to this fraud scheme: Very often the people listing the item for sale on eBay are existing, long-time eBay members with good standing who get recruited to sell items via work-at-home job scams. These schemes typically advertise that the seller gets to keep a significant cut of the sale price — typically 30 per cent.

Interestingly, the guy selling carded goods stolen from Bill’s company has been on eBay for more than a decade and has a near-perfect customer feedback score. That seller is not being referenced in this story because his feedback page directly links to transactions from Bill’s company.

Bill said he believes fraudsters targeted his company because it is relatively small, and is less likely to rely on sophisticated fraud tools that can sort out fraudulent orders. In his company’s case, it wasn’t spending any money on such fraud prevention tools until all this eBay fraud started.

“It wasn’t a huge order size, just random products we sell,” Bill said. “They’re going after us as a medium-sized retailer because we’re not yet to the size where we have all the fraud software built-in.”

Tri-fraud bots

According to Bill, the company thought it had figured out a fraud pattern to help block future phony charges, which it found all came from different internet addresses at Amazon’s Elastic Compute Cloud (EC2) service. After a block was put in place, visitors coming from EC2 servers could still browse the site, but they would be blocked from placing orders.

Bill said he believes the orders may have been placed by automated “bot” programs running on instances of Amazon’s EC2 platform (instances that were also likely paid for with stolen card data).

“The fraud kept going until we put in some things that blocked his bots at Amazon EC2 from transacting with our site,” Bill said.

Bill allowed that he can’t prove it wasn’t just a human manually transacting from all those EC2 systems. However, another security measure that Bill’s company established to fight triangulation fraud lends credence to the theory that some sort of automated EC2-based bots may indeed be involved in placing the unauthorised product orders. Bill’s firm put new data fields in the part of the checkout process where customers type in their name and address. This trick uses data fields that are hidden from regular website visitors but that are still visible on the site to computers and web crawlers.

The idea is to separate orders made by humans from those entered by automated bots. Although the latter may dutifully supply some phony requested data in the new data fields, legitimate, human customers would never input data into those extra fields because they can’t see the information being requested in the first place.

‘Blocking EC2 purchases and the data fields have worked really well blocking this fraudster’s bots from spamming our email forms,” Bill said.

Bill’s company also just signed up with MaxMind, a company that gives retailers multiple clues about potentially fraudulent orders based on the geography of the order. For example, was the order placed from an internet address that is located near the shipping address?

For its part, eBay says merchants can fight triangulation fraud by focusing on the products being sold by suspect eBay accounts. “Collaborate with auction and marketplaces that are known to have fraudulent sellers,” the company said in its tri-fraud primer. “Together, you may be able to uncover additional orders that may be part of the scam to help identify fraudulent sellers and/or employers.”

www.clublibido.com (8)

Henry Sapiecha

POSTING SELFIE ON FACEBOOK RESULTS IN STOLEN $900 FROM BARCODE

A woman who posted a selfie of her winning Melbourne Cup ticket – including its barcode – has been fleeced for her $825 winnings.

“Winner winner chicken dinner”, read the caption on the photograph of an elated Chantelle holding her winning ticket.

The Perth woman – whose last name has been suppressed – backed the 100-to-1 shot Prince of Penzance and jockey Michelle Payne in Tuesday’s Melbourne Cup

Prince of Penzance wins the Melbourne Cup image www.scamsfakes.com

But someone else dined out on her winnings after they used the barcode on the clearly displayed receipt to withdraw the cash from an automated machine.

“When we found out we naturally took a bit of a selfie to show my friends,” Chantelle told Merrick Watts on Triple M.

Just 15 minutes later she took her winning ticket to the TAB only to be told it had already been claimed.

auto payout ticket fraud victim image www.scamsfakes.com
The barcode was used by an unknown person to withdraw the $900 winnings from an automated machine. Photo: Facebook

“Someone had a pretty good game at filtering my picture and cutting out my barcode and putting it into an automated machine,” Chantelle said.

The theft was made all the worse after Chantelle realised the culprit must be one of her Facebook friends.

“To the low life who is obviously my friend on Facebook and used my photo to claim our winnings. You’re a massive dick. You ruined my day,” she later posted to Facebook.

“I might need a bit of a Facebook cull now,” she said.

Police were able to track down the machine that was used to withdraw the money and were confident they would be able to identify the person or people involved, Chantelle told Triple M.

The incident served as a warning to social media users posting seemingly innocuous images that may contain sensitive information.

Facebook users were sympathetic and scathing in equal measure once the radio station posted the story online.

“Wow what a scumbag,” wrote one user.

“Wow !!! Who need enemies with a ‘friend’ like that? [sic]” posted another.

Then came: “Stupidity at its worst. Moron.”

“Bahahahaha serves her right,” read another comment.

www.clublibido.com (5)

Henry Sapiecha

TAX REFUND MONIES STOLEN FROM THE ATO

SCAMMERS & ON LINE THIEVES STEALING YOUR TAX REFUND AFTER ID THEFT

The Australian Taxation Office has been targeted more than 11,000 times by identity fraudsters attempting to steal tax refunds in the 2014-2015 financial year.

And a help-service for victims of identity crime says it is being inundated with taxpayers whose IDs have been hijacked and their tax returns robbed.

ato sign on building image www.scamsfakes.com

The ATO recorded 91,000 “revenue fraud incidents” in 2014-15. Photo: Louie Douvis

The 11,000 attempts at ID fraud are part of the wider picture of 91,000 “revenue fraud incidents” recorded on the ATO’s systems in 2014-2015.

Only the efforts that were detected and foiled are recorded, according to the agency, with the full extent of successful frauds unclear.

But iDcare, a service that helps victims rebuild their identities after they have been stolen, says the volume of calls for help it is currently receiving indicates that criminals are reaping a tax-time bonanza from unsuspecting taxpayers.

Managing director Dave Lacey said his staff had dealt with at least 400 cases this financial year involving tax refund theft.

He said taxpayer money was being lost as the ATO’s process was typically to determine an initial refund was fraudulent and then reissue the funds to the victim.

“We’re in tax fraud season at the moment. It’s organised crime. It’s big business. This has been going on for months now,” he said.

Mr Lacey said the biggest impact on victims was often not the initial financial loss but the effect identity theft had on their mental health, with one in five – almost one in four – requiring ongoing mental health support.

He said this was largely because of how victims were treated by government agencies and organisations when they tried to follow up on the fraud, seek answers for how it occurred and re-establish themselves.

“We test these things continuously and regrettably the standards are very low,” Mr Lacey said.

Fairfax Media revealed last week that sophisticated cyber-crims had managed to penetrate employers’ payroll systems, making off with detailed information on unsuspecting workers and using the data to lodge bogus tax returns.

Other victims have told how their legitimate tax refunds had been siphoned off into bank accounts operated by the fraudsters after fake MyGov profiles had been built by the thieves.

The ATO says it stopped about $9 million in refunds going out in 2014-2015 after finding they had been fraudulently claimed and the previous year the figure was even higher, with $17 million prevented from being paid amid 18,000 attempts at ID fraud.

Victims have complained about a lack of police follow-up, but an ATO spokeswoman said the agency had its own investigators who teamed up with the Australian Federal Police when frontline police powers were needed.

“The ATO maintains a criminal investigation capability that investigates significant tax crime matters, which includes identity crime enabled refund fraud and refers briefs of evidence to the Commonwealth Director of Public Prosecutions for consideration and prosecution,” the spokeswoman said.

“The AFP executes search warrants in support of ATO investigations and the ATO refers matters to the AFP for investigation when AFP capabilities are required.”

tax fraud victim image www.scamsfakes.com

ATO tax fraud scam

Paul Francisco has had his tax refund stolen by fraudsters two years in a row. The ATO have been unable to address the problem and to make matters worse they have sent him a request for payment of tax debt.

Do you know more? Email lisa.cox@fairfaxmedia.com.au.

10-4-15-HCUK-INTL-email

Henry Sapiecha