Internet Theft and the Holidays
This is an older post. It originated over at RJS Smart Security and it just took me a while to get it posted here. Sorry for the delay.
As many of you know, when I am not protecting people and their businesses, I’m often out taking pictures. My camera of choice has been the Nikon d300, which is over five years old now. As with all technology, when cameras age, they become increasingly unreliable and it became apparent over a year ago that my camera was experiencing legacy issues. The weather protection was weakening, the sensor was staring to fail and the batteries were draining faster and faster. If I am going to practice what I preach, it was time to ruthlessly eradicate legacy.
“Ruthlessly eradicate legacy” is one of my mantras when it comes to infrastructure management. Older systems take a surprising amount of resources to maintain and use. Modern technology is easier to update, cheaper to operate and easier for people to use. It also has modern features that can drastically improve capabilities. With servers, this means killing all that no longer get updates (Windows 2000, for example). With cameras, it means time to say goodbye to my old friend and look at other options.
This is not a camera post, however, so I’ll cut short the decision process and say that I settled on a d800 or d800E. For my purposes, there are no differences, so I went out looking for a good deal. After all, Black Friday is coming and now is the time to look for electronics. This, however, is where the story gets interesting.
In doing my research, there were indications that while camera accessories go on sale periodically, the high-end camera bodies and lenses I like only drop in price when a successor comes out. This means I’m stuck at the high end unless I buy used. Moreover, in the Nikon world, warranty is a huge factor and is significantly reduced when you buy used, so it only makes sense to look at that option if you are going to save over 20% off the purchase price.
Which is why, when I found a d800E on Amazon, I got a little excited. In fact, I got a little too excited. I almost got scammed.
The list price on a new d800E is $3,299.99 (which is why my d300 got to be five years old before I considered a replacement), but this camera listed on Amazon.com was just $1,836.73. 56% off is clearly a better deal than 20% … but the deal is a little too good. In fact, it’s so good that a lot of people are going to leap on the deal, so I had to move fast.
Or did I?
See, the deal was too good. I got suspicious. Luckily, the seller had a note in their little logo icon that said to email with questions, so I did… not before I did a bit of research, though.
The company was Bissinger’s Inc., so I checked them out. They’re a St. Louis-based chocolate company. (Warning, if you click that link, your friends and family will be getting chocolate for Christmas, and your checking account is going to be a fair bit lighter.) At this point, I’m wondering why is a chocolate company selling a high-end camera? But since I want it to be real, I’m concocting ridiculous scenarios to make it seem legitimate. For example … “Maybe they bought the camera to take photos of their chocolates for the holiday season, but it was too complex for them?”
Anyway, there’s no harm in emailing them to find out, so this is what I send:
I am in the market for a D800E and see that you are selling one.
I have to ask before purchasing though, why a chocolatier would be selling a camera.
Is there something wrong with it?
I then cross my fingers, and go to bed with visions of massive megapixels dancing in my head. The next morning, I get this:
the Nikon D800E 36.3 MP CMOS FX-Format Digital SLR Camera (Body Only) is in new condition ( it just had to be listed as ‘Used – Like New’ as the box has been opened), comes with all manufacturer supplied accessories, US model,1 year full warranty. It has not been used. The price is $1,836.73 including delivery.If you are wondering why the price is lower than the usual,it is because we have some promotional prices before holidays.Return policy is full money back in 30 days. If you want to buy send me your full name and delivery address to have your order placed with Amazon.
Heck of a deal, right? Except that, by this time, the camera has vanished off of Amazon. Still not wanting this to be a scam, I think that maybe they pulled it because they’re going to sell it to me. I send them the following:
I do want to buy. Is it still available? I see that it’s no longer listed on Amazon.
Here is the information you requested:
[My address here]
After all, if it’s a scam, all they have is my email address and name (which they had before) and my street address, which as a home owner is a matter of public record. When it comes to payment, it’ll go through Amazon, which links to my credit card. If it’s fraud, all I have to do is call my card company and dispute the charges. Right?
They reply with:
Your order will be processed by Amazon
Thank you and let me know when you will receive the confirmation from them.
And I respond:
Do you need my amazon ID?
I’m curious as to how the payment will get to you.
I’m also curious as to when it will arrive.
Well, several hours go by and I hear nothing. I’m growing concerned. After all, I’m in Minnesota and they’re in St. Louis. They normally sell chocolate for around $50 a box. You’d think an $1,800 sale would be a big deal to them, right? I email them again:
I haven’t heard anything from Amazon yet?
Is there something that I need to do?
No response… and enough concerns have piled up I am suspecting a scam. They never directly addressed my concerns about a chocolate company selling the camera. They implied that they sell other electronics, but they are clearly a chocolate company. And they’re using Amazon in a way I’ve never seen it being used. I suspect it may be a grey market or possibly even a stolen camera. I’m wondering how anti-fraud protections work if you buy a stolen item, and I decide to just call them and get to the bottom of things.
Stepping outside of the Amazon.com system, I find their website and their contact page. I call the corporate office and tell them my story and find out their Amazon account had been hacked and it was a scam. This was deeply disappointing as I had, by that time, hoped I’d be able to get my camera and order chocolates for my family. Alas, such was not to be.
However, it did puzzle me how the scam worked. After all, I hadn’t given them any useful data. How would they get my money? Were they just incompetent criminals? This was well outside the realm of photography and I now had a professional interest. Time, of course, was the determining factor.
Later that night, the following email arrived:
I was informed by Amazon that they send you all the payment and delivery informations. Search your inbox carefully and also check your bulk/spam/junk folder because it might have arrived there. Please let me know asap.
Ah hah. The payment was not, in fact, to come through Amazon, but would have an alternative system. For an attacker, this makes sense. After all, if they tried to accept payment from Amazon, Amazon can take it back when they are informed of fraud. I dutifully checked my spam folder and there were my instructions.
As you can see, it looks like a regular Amazon email, except that the payment section is a bit different. There are several interesting things to note here.
First, they prefer payment via bank transfer. This is common, particularly with overseas attacks, as once money leaves the American banking system, it can be notoriously difficult to get back. This should be a critical warning for most people, as it’s very different from the usual method of purchasing through Amazon. However, there is a grey market for electronic gear, and a lot of items come from overseas where warranties are different. So, it’s possible that a small percentage of people interested in high-end cameras would continue with the transaction.
Second, while most of the links are legitimate and match that of the Amazon.com template, three are different. The “Confirm Payment” link goes to email@example.com. The “Clicking here” and “Click here” links at the bottom go to firstname.lastname@example.org. They sound good, but a legitimate Amazon email would have all Amazon links. After all, if you bypass the Amazon system to sell your wares, Amazon makes no money. They work very hard to control the transaction.
Third, there was a bit of header analysis. If you like header wonkery, check the bottom of this post, but the three big things to notice are (1) the email came from private address space (10.x.x.x) and was sent through Google and (2) , the source address was “email@example.com”, but appeared to be from “firstname.lastname@example.org”. This is interesting because the email passed the SPF check and had all the expected anti-spam features. If I had not been hosting my email with Google, this likely would have been enough to bypass my filters. Finally, (3) all emails actually used for communication come from free email hosts. In this case, Microsoft and Google. If anyone can create an account there, I could be talking to anybody.
So, at this point, I decided to just wait and see what their next move was. I didn’t have to wait long:
It seems that one of my employees punt in the same package with yours 2 phones instead of 1.
Now you can’t receive the package until you will not send Amazon the same amount.
After you will do that,you will receive the package,but you have to send back the ohone and you will receive the money back for the second one.
Plus i will send you 50 USD as appologies for this inconvenience.
Contact us urgently.
Then, in less than a day:
I have already dispatched the package,but the package is on hold until you will make and send the payment informations to Amazon.
After that i will provide you also the tracking number.
Can you please tell me when are you able to make the payment?
waiting for your email asap.
This is where the attack starts matching the normal scam indicators.
They have so many victims that they can’t track them very well, and confuse my camera purchase with a phone purchase. There are the misspellings that we’ve come to expect from things like this. And finally, we get the social attacks.
Most scams use a hook to cause a reaction. The idea being that if you are reacting, they get to control you. If you take the time to stop and think things through, you take control back and can usually spot the scam. Common hooks involve Urgency, Uncertainty, Sex, Fear or Anger. In this case, it’s all about Urgency, Uncertainty and Fear. By setting the price so low, they drive urgency high, as you’re afraid that you might miss the deal. They then compound this by telling me there was an error in the shipment, trying to make me believe they are incompetent and if I act quickly, I can take advantage of their error.
The second email hypes the urgency, trying to get me to pay quickly. I did not reply, but if I had, the next step in a scam like this is to sweeten the deal if I were to act immediately, often by pretending to ship my non-existent camera with a bonus item (like a cell phone) overnight if I give them payment information immediately.
Of course, if I ever did give them my payment information, they’d empty my checking account and, if they’re with a larger attacker group, start using my account to traffic stolen funds.
This is a very long blog post, and I thank you for making it this far. Why did I go into so much detail? Because this Friday is Black Friday and quickly followed by Cyber Monday. Yes, this is the time we get great deals on electronic items, but it is also the time there is a massive uptick in scams. Basically, we’ve primed ourselves to be at risk for “too good to be true” offers, as some legitimate offers seem too good to be true, but are actually real. So, we can no longer rely on the old adage of “if it seems too good to be true, it probably is.” Instead, ask yourself the following questions as you review your deals:
- Is the price low enough you should be suspicious? Are you dealing with someone using only public email accounts? If either is true:
- Do you feel like you have to act immediately? (Urgency)
- Are the terms of the deal unclear in any way? (Uncertainty)
- Are you afraid that if you don’t take the deal, something bad will happen? (Fear)
- Are you paying in a way that you can easily dispute the charges?
If there is any concern, get someone on the phone. It’s a lot harder to come up with lies on the fly and you can often trip them up. If the deal starts to seem like a bad one, just stop. Don’t let them apologize or guilt you into anything. It’s worth paying a little bit more to know it’s not a scam.
If you are interested in a deeper technical dive, here are the headers for the payment email. Enjoy.
Received: by 10.112.148.37 with SMTP id tp5csp212198lbb; Mon, 5 Nov 2012 14:28:26 -0800 (PST)
Received: by 10.50.12.138 with SMTP id y10mr10891413igb.58.1352154505313; Mon, 05 Nov 2012 14:28:25 -0800 (PST)
Return-Path: Received: from mail-ie0-f174.google.com (mail-ie0-f174.google.com [188.8.131.52])
by mx.google.com with ESMTPS id s10si19571463ice.88.2012.11.05.14.28.24
Mon, 05 Nov 2012 14:28:25 -0800 (PST)
Received-SPF: pass (google.com: domain of email@example.com designates 184.108.40.206 as permitted sender) client-ip=220.127.116.11;
Authentication-Results: mx.google.com; spf=pass (google.com: domain of firstname.lastname@example.org designates 18.104.22.168 as permitted sender) email@example.com; dkim=pass firstname.lastname@example.org
Received: by mail-ie0-f174.google.com with SMTP id k13so10488482iea.33 for ; Mon, 05 Nov 2012 14:28:24 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
Received: by 10.42.163.5 with SMTP id a5mr3969473icy.37.1352154504571; Mon, 05 Nov 2012 14:28:24 -0800 (PST)
Received: by 10.64.82.201 with HTTP; Mon, 5 Nov 2012 14:28:24 -0800 (PST)
Date: Mon, 5 Nov 2012 17:28:24 -0500
Subject: Your Order with Amazon.com
From: Amazon Services
Content-Type: multipart/alternative; boundary=90e6ba6e843ced2bd504cdc70061