Published: February 11 2008, 06:50 PM by Benjamin Googins
The Human Story - Devil in the Details
Last week I went over to a friend's house. For purposes of this writing, I will call her Daffodil. As we sat around the kitchen table, Daffodil mentioned she had found a strange charge on her Visa statement -- billed to a company she had never heard of, on a day she didn't use her card. She is diligent about looking over her statement every month, but generally operates by her "double digit rule." She explained, "If it is under 10 bucks, I don't give it a lot of focus." A lot of people I talk to seem to operate by roughly the same rule. Is a small charge really worth the time it takes to investigate it? The charge was for $9.87 to PICTUREGLOBUS.com. She filed a complaint with Visa and it is pending further investigation. I decided to beat Visa to it and conduct my own investigation. What I learned is that PICTUREGLOBUS.com is not a legitimate business at all, but the very edge of a larger criminal operation - siphoning millions from unsuspecting card holders by charging small amounts across a lot of people and laundering the funds overseas. PICTUREGLOBUS.com is just one of many fake websites. A few of the others include: imaglobus.com, pictureglobus.com, templateglobus.com, photomeridian.com, gizmosforlife.com, estarlandgames.com, digismarket.com, mfbpsite.com, embintelligence.com, treedonlainsite.com, brookshire-ent.com, and bestdigimart.com
An Analysis of PICTUREGLOBUS
I started my investigation by going to PICTUREGLOBUS.com (abbreviated PG for this writing). Even though I saw no indications of malware on PG, I recommend not going there, given my subsequent findings. On the surface, the site generally looked legitimate and professional - purportedly selling stock photo images (see image below).

My first finding: Every link off the main page went to the same place - a billing page asking for personal information and credit card information. To be clear, Daffodil had never been to that site and definitely never entered her credit card information there. My intent was only to see whether the site was a legitimate business and itself a victim of another fraudster. Obviously, I wasn't about to enter my personal credit card number or any other personal data, but I still wanted to know what would happen if some unsuspecting user did. What I did was buy a Visa Gift Card - which is anonymous and not tied to me, but lets one make purchases as if it were one's own card. I decided that I would try to purchase a weekly subscription - costing $2.99. After entering this information and submitting payment, I was shocked to receive a confirmation email from the "PictureGlobus Support Team," reminding me of my login credentials. I was surprised because if PG is just a front for other illegal operations, I assumed they wouldn't actually have a system in place to process purchases made on PG (the real business is illegally charging stolen credit card data). I checked my Gift Card balance and almost immediately there was a charge for $2.99 - the cost of a weekly "subscription" (see image below).

If this were a fake business, how could they have a legitimate merchant account with the ability to authorize charges? PG had to establish itself with a "payment gateway service" - a service that facilitates payment between a customer and their credit card company. In this case, I believe Authorize.net is the payment service. If PG is based on criminal activity - illegally charging credit cards - how could they possibly pass themselves off as legitimate with Authorize.net, which has an interest in minimizing fraud flowing through its systems? Maybe my suspicion was unfounded: PG was a bona fide business after all, and someone else had charged Daffodil's card to gain access to PG. Hmm, nice thought, but that possibility was quickly put to rest. Using the login credentials I had just paid for with my Gift Card, I logged into PG. I didn't get too far. All the links looped back to the homepage. There was no actual content available after logging in. PG was looking more and more like a fake.
Finding 2: I dug through the page's source code and found the site was set up to block search engines from indexing it (using the robots.txt method) - even blocking access to the homepage (see image below).

It is not unheard of for web sites to do this, but for a site that is supposed to be a business that makes its money by attracting site visitors, it is definitely suspicious that PG is blocking what is essentially free advertising through search engines.
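To make the robots.txt check in Finding 2 reproducible, here is an added example (not code from the original post) that evaluates a robots.txt text the way a well-behaved crawler would, using Python's standard `urllib.robotparser`. Both robots.txt texts and the `example.invalid` site name are constructed for illustration; the "block everything" text is the shape the post describes, placed beside the shape a shop that wants visitors would normally use.

```python
"""Evaluate a robots.txt against a few paths, as a search engine crawler would.
Added example; the two robots.txt texts below are constructed, not PG's file."""
from urllib.robotparser import RobotFileParser

# Constructed: a site that shuts every crawler out entirely, homepage included.
BLOCK_ALL = """User-agent: *
Disallow: /
"""

# Constructed: the usual shape for a shop that wants to be found but keeps the
# checkout and account pages out of search results.
TYPICAL_SHOP = """User-agent: *
Disallow: /checkout/
Disallow: /account/
"""

# Paths worth asking about: the homepage, a content page, and the billing page.
PATHS = ["/", "/gallery/", "/checkout/"]


def crawl_permissions(robots_txt, paths=PATHS, agent="*", site="http://example.invalid"):
    """Map each path to True (crawler may fetch) or False (disallowed) under robots_txt."""
    rp = RobotFileParser()
    rp.parse(robots_txt.splitlines())   # parse the text directly; no network access
    return {p: rp.can_fetch(agent, site + p) for p in paths}


def homepage_hidden(robots_txt):
    """True when even the homepage is disallowed for a generic crawler: the suspicious
    profile for a business that supposedly lives off site visitors."""
    return not crawl_permissions(robots_txt, paths=["/"])["/"]


if __name__ == "__main__":
    for name, text in (("block-all site", BLOCK_ALL), ("typical shop", TYPICAL_SHOP)):
        print(name, crawl_permissions(text), "homepage hidden:", homepage_hidden(text))
```

A site whose homepage is disallowed for every user agent is not simply keeping a checkout page private; it is opting out of search traffic altogether, which is the contrast the post draws.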
Finding 3: Next I looked up who the site belongs to. The current registrant is Domains By Proxy, run by the parent company GoDaddy.com. Domains By Proxy offers private domain registration. This type of service is used by the true registrants to conceal their identity. Though this type of service is not illegal and often used for legitimate purposes, it can slow down efforts to discover the true source of fraud, spam and other illegal activities. On the Domains By Proxy homepage, there are the following links: "if you are in law enforcement click here" and "for our subpoenas policies click here". As of this writing, I have not been able to ascertain the true registrant of PG. I am guessing they would rather I not find out. I sent an email to Domains By Proxy just before this writing asking for contact information of the true registrant. I am curious what reply I receive.
Finding 4: When I first looked over the site, I was a bit surprised to see a legitimate-looking privacy policy. From what I could tell, all the key privacy areas were addressed. After searching the web, I found a legitimate picture site with the identical Policy. I am guessing PG swiped the Policy verbatim.
How Did The Criminals Get Daffodil's Credit Card Data?
Though none of these findings alone concretely proves guilt, combined they scream fraud. The charge to Daffodil's Visa was fraudulent - period. Still, I have no idea how the fraudsters got their paws on Daffodil's credit card number (and the additional information required to process a payment, like home address and verification code). On a daily basis I analyze malicious software aimed at rounding up personal data from computers and forwarding it to the attacker, so my obvious hunch was that Daffodil was infected with spyware. Long story short, I did a full analysis of her system and found not even a trace of spyware. Next I thought maybe she was a victim of phishing. Phishing is a scheme where a victim is lured into filling out personal information on a website that looks totally legitimate, but the data is actually routed to a third-party attacker. I checked a variety of locations on her system (including the Temporary Internet Files and History) and found no indication of phishing - though it would be impossible to make any definitive conclusion on this. Daffodil has had the compromised credit card for over two years, so it could have been intercepted at any time in between, and evidence could be missing or wiped out by now. There are too many variables here to conclude that her personal information was transmitted directly from her computer, though all indications are that it wasn't.
A Much Larger Problem
Next, I searched the web and found a lot of other folks with nearly identical claims of being erroneously charged $9.87 by PG. Here are a few: 1, 2, 3, 4, 5, 6, 7 - and the list continues to grow. If spyware or phishing is not the culprit, how did PG obtain such a long list of credit cards to charge? Unfortunately, for now, any answer to this question is only speculation. Based on a loose survey of people fraudulently charged and posting to forums, here are some characteristics:
- Users have never been to the fake website(s)
- Some users have been charged multiple times
- When victims contacted the fake websites (like PG) for a refund, PG granted it almost immediately
- Fraudsters sent preformatted responses to victims' complaints
- A lot of users wrongly assumed PG (and related sites) were legitimate businesses that were just doing a bad thing, or were victims themselves
- Charges have been made to credit cards that have never been used by the victim
- Phone numbers associated with fake sites use prerecorded messages
- No common factor links all victims (such as shopping at the same site, the same card type, or a spyware infection)
- Some of the fake websites have operated for as long as a year
- No common credit card or types were used
These characteristics raise more questions than they answer. Who is behind all of this? How can they continue to operate so relatively seamlessly without significant law enforcement or bank interruption?
When Daffodil called up Visa and reported the $9.87 charge as fraud, she was actually thwarting a powerful criminal organization. In the next few days I will write a follow-up blog to paint a basic picture of how the criminal operation behind this fraud operates. Telling Visa the charge is fraud, as opposed to disputing the charge or requesting a refund, caused a chargeback to the fraudsters. Chargebacks can cost the merchant (the fraudsters in this case) as much as $50 - that would cause them a net loss of $40.13. If enough card holders notice the charges and initiate a chargeback, the fraudsters lose. The power lies in the consumer's hands. In addition, when a merchant receives a certain number of chargebacks, flags are raised with the merchant account provider and bank - leading to a shutdown of that aspect of the operation. Most users are good about spotting erroneous charges if they are significant, but may overlook smaller ones. A fraudulent charge of any size is an indication you've got a real problem on your hands and it needs to be dealt with. This fraud scheme relies on charging small amounts across a lot of people over a relatively long period of time. This leaves plenty of room for consumers to push back. Your credit card number is in the hands of a serious criminal organization and you need to take action.
If you find a fraudulent charge, here are some things you should do:
1) Cancel your credit card. Your card number is in the wrong hands and is likely to be used again for illegal purposes.
2) File a complaint with the FBI: Internet Crime Complaint Center (IC3). For any complaint launched, give as complete information as possible, including the exact charge amount, company name, phone number and any other information available. The more variables you include, the greater the chance investigators can find common factors across victims and nail the criminals.
3) Initiate a chargeback by filing a fraud claim with your credit card holder; do not dispute the charges. The distinction here is critical. A chargeback sticks the fraudster with a hefty fee and helps raise the warning flags to banks and merchant account providers.
4) Look back over old statements for any missed charges. In many examples, the fraudsters have made multiple charges to the same credit card.
5) Even though there is no indication spyware was the culprit for the card loss in this case, complete a thorough scan with your anti-virus and anti-spyware products.
6) DO NOT call the fraudsters and ask for a refund. It is counterintuitive, but in most cases they will grant you a refund immediately to keep banks and authorities out of the picture. Report it as fraud!
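Step 4 above (look back over old statements) and the "double digit rule" from the opening are easy to turn into a statement scan. The following is an added example, not code from the original post: it reads a constructed CSV export of the kind many card issuers provide, flags every charge from a merchant the card holder does not recognise regardless of size, and reports per merchant how many charges there were, their total, which months they fell in, and whether every one of them sat under the $10 threshold (the profile the post describes). The merchant names other than PICTUREGLOBUS.COM, the amounts, and the `KNOWN_MERCHANTS` list are all constructed.

```python
"""Scan a card statement for charges from unrecognised merchants, including the small
repeated ones the post describes. Added example; the statement below is constructed."""
import csv
import io
from collections import defaultdict
from datetime import date

# Constructed sample statement in the CSV shape many issuers export.
STATEMENT_CSV = """date,merchant,amount
2008-01-03,GROCERY MART,54.20
2008-01-10,GAS STATION 42,31.00
2008-01-14,PICTUREGLOBUS.COM,9.87
2008-01-20,GROCERY MART,61.75
2008-02-02,BOOK SHOP,24.99
2008-02-14,PICTUREGLOBUS.COM,9.87
2008-02-21,GAS STATION 42,28.50
"""

# Merchants the card holder actually uses (constructed; in practice, your own list).
KNOWN_MERCHANTS = {"GROCERY MART", "GAS STATION 42", "BOOK SHOP"}

# The "double digit rule" threshold from the post: charges under this get overlooked.
SMALL_CHARGE_LIMIT = 10.00


def parse_statement(text):
    """Turn the CSV text into a list of dicts with typed date/merchant/amount fields."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "date": date.fromisoformat(row["date"]),
            "merchant": row["merchant"].strip().upper(),  # normalise for matching
            "amount": float(row["amount"]),
        })
    return rows


def flag_suspicious(rows, known_merchants):
    """Return {merchant: [(date, amount), ...]} for every charge whose merchant is not
    on the known list. Size is deliberately not a filter: a small charge is flagged
    exactly like a large one."""
    by_merchant = defaultdict(list)
    for r in rows:
        if r["merchant"] not in known_merchants:
            by_merchant[r["merchant"]].append((r["date"], r["amount"]))
    return dict(by_merchant)


def summarize(flagged, small_limit=SMALL_CHARGE_LIMIT):
    """One line per unknown merchant: count, total, months hit, and whether every
    charge stayed under the small-charge threshold (repeat small hits are the pattern
    the post's victims reported)."""
    lines = []
    for merchant, charges in sorted(flagged.items()):
        total = round(sum(amount for _, amount in charges), 2)
        all_small = all(amount < small_limit for _, amount in charges)
        months = sorted({d.strftime("%Y-%m") for d, _ in charges})
        lines.append(
            f"{merchant}: {len(charges)} charge(s), total ${total:.2f}, "
            f"months {', '.join(months)}, all under ${small_limit:.2f}: {all_small}"
        )
    return lines


if __name__ == "__main__":
    flagged = flag_suspicious(parse_statement(STATEMENT_CSV), KNOWN_MERCHANTS)
    for line in summarize(flagged):
        print(line)
```

Running it over several months of exports at once is the point: a $9.87 charge that looks like noise on one statement shows up as a recurring unknown merchant when the history is scanned together, which is exactly the pattern worth reporting as fraud rather than ignoring.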
Daffodil admittedly got lucky when she spotted the $9.87 charge by PICTUREGLOBUS.com, but she followed up with exactly the right response. In the future, she tells me, "I will keep a close eye on even the smallest charges for possible fraud". And so should you!
Tags: bestdigimart{dot}com, treedonlainsite{dot}com, cyber crime, embintelligence{dot}com, fraud, templateglobus{dot}com, gizmosforlife{dot}com, imaglobus{dot}com, mfbpsite{dot}com, digismarket{dot}com, estarlandgames{dot}com, brookshire-ent{dot}com, dpchallenge{dot}com, photomeridian{dot}com, credit card fraud, pictureglobus{dot}com