Published:
October 23 2007, 12:18 PM
by
Mark Wade
Do you ever wonder what is at the other end of the SPAM email that you receive in your inbox? You often see emails advertising cheap software, hot stock tips, and various pharmaceuticals. I think that we have all gotten the v1gra and Cialis emails. One day I decided I would investigate and see just where this little message would take me. So, if you are ready for an adventure, follow me on a virtual trip that will take you all the way around the world. Don’t forget your passport, you will need it.
Our journey begins outside of Washington, DC. I am sitting at my desk, going through my SPAM filtered email, when I see one that catches my eye, “Dreams can cost less repl1ca w4tches from r0lex here”. Sounds interesting I thought, and I could use a new watch. Knowing the harmful effects of opening unsolicited email, I decided to open the email in a controlled virtualized environment. Below is the content of the email:
A T4g Heuer w4tch is a luxury statement on its own. Unfortunately, that luxury comes with a price... Except when you visit Prest1ge Repl1cas, the web's most comprehensive collection of brand name repl1ca w4tches. In Prest1ge Repl1cas, any T4g Heuer is available for just over $200. htxp://www.lagetyo.com
I also opened several other emails with similar subject lines. Each email had the same message, but contained different websites to visit. From the sampling of emails I found nine different URLs. As you can see from the list of URLs, the names seemed to be randomly generated:
- www.sueyhhb.com
- www.sueywhhn.com
- www.aueiwmm.com
- www.syewthhw.com
- www.soiekkj.com
- www.suewywtt.com
- www.ytrueujj.com
- www.slejenbb.com
- www.aeiwkee.com
According to Whois.net these websites are still listed as active, however they no longer resolve. All are registered in NanChang China, and all but 3 are registered to a Liu Tao who, according to Wikipedia, happens to be a famous Chinese actress. I am sure there is no relation.
Going back to the original email I received, I decided to look at who the email was from and who it was actually sent to. According the spam filter email headers, the email was sent from “cherylc@hisplacechurch.com”. I did a quick search on the domain, “hisplacechurch.com”. This led me to a small church in Burlington, Washington. That is Washington state, not Washington, DC. So I peruse the site and find the church staff link where I find Cheryl Neff, the Sr. Pastor’s Assistant. Sure enough, her email was the same. While you might think that Cheryl Neff’s computer is the origin of the email selling prestigious watches, it is actually not. Unfortunately for us, and you the reader, we will never know where the actual email came from. We can be pretty sure that Cheryl’s computer had some kind of Malware on it that contained a mail engine that sent out hundreds or even thousands of emails all around the world promoting these luxurious watches. Unfortunately Cheryl is not alone in this. I received the same email message from many other unsuspecting senders, ranging from various home users to Fortune 500 companies. I have also seen the same email content blindly posted on numerous blogs. Hopefully for Cheryl and the His Place Church, they got their computer systems cleaned up.
So, let’s get back to the email, because I still need a new watch. The first thing I did was start a packet sniffer on my local network to see if the web site was downloading any unwanted software (malware) to my system, or if the site was sending any of my personal information to some third-party destination. With my packet sniffer running, I opened up a web browser, I entered the www.lagetyo.com website, and off I went. It was a very nice site. There were lots of nice looking watches, bracelets, and earrings for sale. There was a shopping cart built into the site, a privacy policy, a testimonial section (which I can’t wait to read later), and a Contact Us link.
I viewed the source code from the site to see if there were any behind-the-scenes deceptions, such as any malicious iFrames. The site looked pretty clean.
I decided to read their privacy policy and see what they had to say. One thing that caught my eye was the use of SSL (Secure Socket Layer), which is good because it sends important information over the Internet in an encrypted state, and when you are sending your credit card across the Internet, you want it safe from prying eyes.
Next I decided to read the “About Us” link on their site. The owners mention that they have been the leading online retailer of quality luxury timepieces since 2003. Oddly enough, every one of the aforementioned websites was only in operation for one or two weeks. As a matter of fact, from the start of this investigation the http://www.lagetyo.com/ website was no longer up and operational. Since my work was not done and I still needed a watch, I went to another one of the websites that was still active. I picked www.aeiwkee.com. Just like the previous site, it was up for a few days, then down just long enough to change the IP address from 218.53.147.152 to 116.199.128.6. I found out that both IP addresses resolve to different companies, Hananet in Korea, and newpower-cn in China. If you enter http://218.53.147.152 in a web browser, you get the message “site not found on our server!” This is a common practice for these types of operations.
Now that I have a site that is up, I think that it’s time to make a purchase. Regardless of their four-year track record of being the #1 online retailer, and Sara Berry’s raving testimonial, I was still leery about using my credit card to make a purchase. In following my gut, I decided to go undercover to make the purchase. I made trip to my local CVS store and purchased a GreenDot Visa debit card. I put $100.00 dollars on the card and proceeded back to the office. For safety precautions, I decided not to use my real name and address when registering the card. So I took on an alias, Alain Tibberman. I needed to find something that cost under a $100.00 dollars. I was not able to find a watch for under that price. Knowing that I could always buy my wife a gift, I decided to look at their selection of earrings. I found a nice pair for only $52.00 (plus $29.00 for shipping and handling). First, I made sure that my trusty packet sniffer was running so I could see everything that was going on behind the scenes. I input all of my personal information - name, address, credit card number, etc. I was really curious where my credit card information was going to be sent. After the transaction was complete, I started going through the packet sniffer logs. Remember earlier when I said that I was happy to see that the web sites shopping cart was using SSL to encrypt the traffic? As you can see from the image below, there is my credit card number and CVV number in plain text. My name, address and email address were also sent in clear text. Good thing Alain Tibberman was a fictitious name.
The order has been placed. I hope that I get my earrings and I hope that my card information has not been intercepted along the way. I am pretty sure that the end site is storing all user information in an encrypted database, so it should be safe from hackers there.
I checked my newly created email account to see if I have received anything from the vendor. Sure enough, I have received a confirmation thanking me for my purchase and informing me that my order has been successfully processed, also providing an order number. It even provided me with an email address to contact if I need help.
Hmmm, very interesting. I went to domain from the support email, top-esupport.com, and the domain is not longer resolving. Through the Whois database, the top-esupport.com site is registered to a group called CSMJBS Enterprise, located in Las Vegas, NV. So I decided to conduct a Google search on CSMJBS Enterprise to see what I could find. The first site returned in my search was referencing Fake Sites Database, with a WARNING: “Please be aware that the fake banks, lotteries and companies on the list are used by dangerous criminals. We don’t encourage anyone to engage in any form of communication with them. If you chose to communicate them for whatever reason, you will be doing so at your own risk”. I decided to do a little poking around. I called the City of North Las Vegas and inquired about CSMJBS Enterprise. First of all the address that was listed in the Whois database was false. The company went into default in April of 2007. Jeremy Stamper, the head of the company resides in Seattle, Washington and has recently been accused by the Department of Financial Institutions Securities Division as running several fraudulent financial websites that has tricked numerous numbers of people into sending in money. Over $2 million dollars have been seized by Las Vegas police.
So let’s get back to my earrings. I was pretty sure that the vendor was going to charge my card, so I logged into my GreenDot Online account to see what transactions had occurred. Sure enough, there was a charge for $77.00 for the earrings, with the vendor name ElegantReplica.com and a phone number. Ah, another lead. Well, conducting a search on the ElegantReplicate.com led me nowhere. I found a few dead links, but mostly sites complaining about the domain being a part of a spam operation. So then I searched on the phone number. That lead was a little more promising. Out of 5 search results returned, two of them led to websites that resembled www.aeiwkee.com where I purchased the earrings. The other three results lead to web sites that no longer resolved. No surprise there. I did find out that the number is registered to a group called TwoBucks Trading Ltd. located in Nicosia, Cyprus.
So on our virtual tour we started off in Washington state, with the poor church lady; then to Herndon Virginia, where a nosy research started investigating; then to NanChang, China, where the websites were registered. From there it was a short hop to Shenzhen, China, & Seoul, Korea, where the two IP addresses were registered; back to the United State where a suspicious shell company in Las Vegas, Nevada, was registered as the registrant to the support email; back up to Seattle Washington and Jeremy Stamper’s shell companies; then finally to Nicosia, Cyprus, where my money was ultimately collected. That took you across America and got you 3 different stamps in your passport.
I was still wondering if I was going to get my earrings. So I called the phone number in Cyprus, and after calling 5-6 different times I finally got a live person on the other end of the phone who was able to provide me with a tracking number. I plugged my tracking number into the shipper’s website and obtained the following transaction log.
Foreign Acceptance, August 22, 2007, 7:35 pm, CHINA PEOPLES REPForeign International Dispatch, August 23, 2007, 4:09 pm, BEIJING., CHINA PEOPLES REP Foreign Acceptance, August 22, 2007, 7:35 pm, CHINA PEOPLES REPInbound International Arrival, August 25, 2007, 9:58 pm, KENNEDY AMC In route, August 26, 2007, 9:21 am, MERRIFIELD, VA 22081 Arrival at Unit, August 26, 2007, 12:52 pm, RESTON, VA 20190Notice Left, August 26, 2007, 2:19 pm, HERNDON, VA 20171
Unfortunately I never got the shipment. I called the post office and they were not able to locate the package. I guess my post office could have lost it.
As I was wrapping this article I wanted to go back to the www.aeiwkee.com website to see if it was still up and operational, and poof, just like that the site is gone. This is the method of operation for these businesses. They will register many different websites and each site will only be up for a certain amount of time, only long enough to get some business before the Internet SPAM groups and other vigilante groups use the Internet as a public forum and expose the sites. It very well could be that these sites are just recycled and will be selling something else in a few months.
At the end of the day, the things to remember the most about this story is that there are a lot of shady corners on the Internet. If you are about to use your credit card and purchase something online double check to make sure that it is your intended website. There are a lot of replica sites used to fool people. Also ensure that your personal information is really being sent over the Internet by SSL. Both Internet Explorer and Firefox will present a little pad lock indicating that the connection between the client browser and the server are encrypted. And last of all do not believe everything you read or get in an email, even if they are from nice church ladies.