Unravelling Credit Card Fraud

TL;DR

  • My credit card was fraudulently charged.
  • I identified an internet domain name involved in the scam.
  • I registered the domain when it expired.
  • I now have an inside view of the fraudster's activities.
  • Read below for more information.
  • Special note: I am *not* involved in any fraud. Please read below if you were victimized. I'd like to hear your story.

Intro

I registered this expired domain some time after seeing a pending charge on my VISA checkcard. I had my bank reissue my checkcard. I also contacted the vendor noted in the banking transaction entry, reliablechip.com, and asked about the charge.

I called the phone number 1-209-690-9828 listed on the reliablechip.com contact page. I spoke with a young man who reviewed the order I had allegedly placed. He read to me my full name, address and credit card number. I asked him why the transaction was marked pending in my bank transaction logs. He said it was because the person who made the order failed to click a confirmation link provided in the order confirmation email. I found this odd, as this is typically not the way ordering systems work. (At the time there was a whiz-bang web 2.0 website at the domain, offering techie goods. Now visitors to reliablechip.com are greeted with the stock CentOS Apache2 test page.) The reliablechip.com ordering system required users to pre-register before being able to place an order. I confirmed this by creating an account on their site.

I asked the man what email address was used to place the order. He told me it was myrealfirstinitial.myreallastname@smartapes.net. This crafted email address is certainly not mine. The man told me he would cancel the order. I asked to speak with his supervisor. I was told that the supervisor, Alex Logan, was not in the office.

I performed a whois lookup for smartapes.net and found it was locked pending deletion by GoDaddy. I attempted to register the domain to see whether any emails sent to that domain referenced the address created during the reliablechip ordering process.

I left the registration submission tab open in my browser. I would attempt to register the domain every so often, only to be told it was on pending hold. I tried again on December 08, 2010 and was told the domain was available for registration. I dropped the ten bucks and registered smartapes.net for a year.

   Domain Name: smartapes.net

   Registrant Contact:
      smartapes.net Private Registrant         smartapes.net@proxy.dreamhost.com
      A Happy DreamHost Customer
      417 Associated Rd #324
      Brea, CA 92821
      US
      +1.2139471032
   Record created on 2010-12-08 07:12:48.
   Record expires on 2011-12-08 07:12:48.

I quickly set up the domain for hosting with my web host while DNS propagated the name around the globe. I created a simple index.html, later replaced by DokuWiki, containing cursory information about my motivation for registering the domain. I also created a catch-all email account in order to see what information was being directed to smartapes.net.

Order Emails

It wasn't long before email messages began to flow into the smartapes.net catch-all inbox. First, an account creation message was emailed to a user. Note that the email address was crafted to resemble a real email address in the cardholder's name, e.g. r.cxxxxx58@smartapes.net.

Subject:   	Welcome to SpTea
From:   	"Timaty Wallen" support@sptea.net
Date:   	Wed, December 8, 2010 8:28 am
To:   	"Rxxx Cxxxxxx" r.cxxxxx58@smartapes.net

Dear Rxxx

We welcome you to SpTea.

You can now take part in the various services we have to offer you. Some of these
services include:

Permanent Cart - Any products added to your online cart remain there until you
remove them, or check them out.
Address Book - We can now deliver your products to another address other than yours!
This is perfect to send birthday gifts direct to the birthday-person themselves.
Order History - View your history of purchases that you have made with us.
Products Reviews - Share your opinions on products with our other customers.

For help with any of our online services, please email the store-owner:
support@sptea.net.

Note: This email address was given to us by one of our customers. If you did not
signup to be a member, please send an email to support@sptea.net.

Minutes later, an order receipt arrived. The same process repeated for subsequent messages sent to the domain: a registration confirmation email followed by an order confirmation email.

Subject:   	Order Process
From:   	"Timaty Wallen" support@sptea.net
Date:   	Wed, December 8, 2010 8:29 am
To:   	"Rxxx Cxxxxx" r.cxxxxx58@smartapes.net


SpTea
------------------------------------------------------
Order Number: 1996
Detailed Invoice: http://sptea.net/account_history_info.php?order_id=1996
Date Ordered: Wednesday 08 December, 2010

Sage Pay Reference ID: {34306F7A-1E9C-BA93-58F8-FF45AA9B5008}

Products
------------------------------------------------------
1 x Garam Masala Powder: Salt Free Blend 1 lb: K () = £11.72
------------------------------------------------------
Sub-Total: £11.72
Flat Rate (Best Way): £0.00
Total: £11.72

Delivery Address
------------------------------------------------------
**REDACTED**
XX Moness Crescent
Aberfeldy, Ph15 2DN
United Kingdom

Billing Address
------------------------------------------------------
**REDACTED**
XX Moness Crescent
Aberfeldy, Ph15 2DN
United Kingdom

Payment Method
------------------------------------------------------
Credit Card or Bank Card (Processed by Sage Pay)




Payment Processing

Sage Pay

The order emails I received stated that they were processed through Sage Pay, a UK payment processor. I contacted Sage Pay via their web form and notified them of the potential fraud. The email messages stopped shortly after. I have to presume that Sage Pay shut down the merchant account(s) used to process these illicit payments. It's worth noting that the domains were registered in the UK and the orders I received were all for UK addressees.


Domains Involved (WIP)

domain                | IP                             | webhost        | registrant                                                 | status               | payments | MX         | site | phone
sptea.net             | TBD                            | webhost        | david_perret67@hotmail.co.uk                               | down                 | sagepay  | TBD        |      | TBD
reliablechip.com      | 91.218.36.7                    | infiumhost.com | reli@mail15.com                                            | down                 | TBD      | TBD        |      | 209-690-9828
hdoffice.net          | 66.98.145.18                   | theplanet.com  | hddcoltd@yahoo.com                                         | down                 | TBD      | MX         |      | TBD
kazimier.com          | 66.118.146.68                  | sagonet.com    | skasimiras@yahoo.com                                       | down                 | sagepay  | google     |      | TBD
car-dan.cc            | 188.190.96.8                   | infiumhost.com | contact@privacyprotect.org                                 | 504 Gateway Time-out | TBD      | google     | site | phone
ellinex.co            | 85.17.143.71                   | leaseweb.com   | 3f0090a3560e1bb59189660e1b272150-1308017@contact.gandi.net | live                 | TBD      | google     |      | 607-216-9850
www.parts4bikes.co.nz | 210.5.50.34                    | net24.co.nz    | ktm@xtra.co.nz                                             | live                 | TBD      | isx.net.nz |      | 07 3087654
ivandras.com          | 91.204.75.15 (ru2.hostplus.ws) | imhoster.net   | john nash (ivandras@aol.com)                               | live                 | TBD      | google     |      | 01614085061

I received account creation and order confirmation emails for two domains in addition to reliablechip.com. The domains were sptea.net and hdoffice.net. Both sites hosted a web store at the time. Both domains are now locked by their registrar, "High Quality Host Company". hdoffice.net now redirects to google.com. sptea.net no longer resolves to a website.

whois info

ellinex.co

Domain Name	ELLINEX.CO
Domain ID	 D5200649-CO
Registrar-Reseller Name	 GANDI SAS
Sponsoring Registrar	 .CO GATEWAY
Sponsoring Registrar IANA ID	 2020
Registrar URL (registration services)	 http://whoisinfo.my.co
Domain Status	 clientTransferProhibited
Registrant ID	 JS5991-GANDI
Registrant Name	 JUDITH SILVERMAN
Registrant Organization	 JUDITH SILVERMAN
Registrant Address1	 2722 WASHINGTON AVENUE
Registrant City	 CHEVY CHASE
Registrant State/Province	 MD
Registrant Postal Code	 20815
Registrant Country	 United States
Registrant Country Code	 US
Registrant Phone Number	 +1.2069844450
Registrant Email	 3f0090a3560e1bb59189660e1b272150-1308017@contact.gandi.net
Administrative Contact ID	 JS5991-GANDI
Administrative Contact Name	 JUDITH SILVERMAN
Administrative Contact Organization	 JUDITH SILVERMAN
Administrative Contact Address1	 2722 WASHINGTON AVENUE
Administrative Contact City	 CHEVY CHASE
Administrative Contact State/Province	 MD
Administrative Contact Postal Code	 20815
Administrative Contact Country	 United States
Administrative Contact Country Code	 US
Administrative Contact Phone Number	 +1.2069844450
Administrative Contact Email	 3f0090a3560e1bb59189660e1b272150-1308017@contact.gandi.net
Billing Contact ID	 JS5991-GANDI
Billing Contact Name	 JUDITH SILVERMAN
Billing Contact Organization	 JUDITH SILVERMAN
Billing Contact Address1	 2722 WASHINGTON AVENUE
Billing Contact City	 CHEVY CHASE
Billing Contact State/Province	 MD
Billing Contact Postal Code	 20815
Billing Contact Country	 United States
Billing Contact Country Code	 US
Billing Contact Phone Number	 +1.2069844450
Billing Contact Email	 3f0090a3560e1bb59189660e1b272150-1308017@contact.gandi.net
Technical Contact ID	 JS5991-GANDI
Technical Contact Name	 JUDITH SILVERMAN
Technical Contact Organization	 JUDITH SILVERMAN
Technical Contact Address1	 2722 WASHINGTON AVENUE
Technical Contact City	 CHEVY CHASE
Technical Contact State/Province	 MD
Technical Contact Postal Code	 20815
Technical Contact Country	 United States
Technical Contact Country Code	 US
Technical Contact Phone Number	 +1.2069844450
Technical Contact Email	 3f0090a3560e1bb59189660e1b272150-1308017@contact.gandi.net
Name Server	 NS7.KUBEZ.BIZ
Name Server	 NS8.KUBEZ.BIZ
Created by Registrar	 .CO GATEWAY
Last Updated by Registrar	 .CO GATEWAY
Domain Registration Date	 Wed Apr 27 11:08:11 GMT 2011
Domain Expiration Date	 Thu Apr 26 23:59:59 GMT 2012
Domain Last Updated Date	 Wed Jul 13 04:54:11 GMT 2011

;; QUESTION SECTION:
;ellinex.co.			IN	MX

;; ANSWER SECTION:
ellinex.co.		14400	IN	MX	10 aspmx.l.google.com.
ellinex.co.		14400	IN	MX	20 alt1.aspmx.l.google.com.
ellinex.co.		14400	IN	MX	20 alt2.aspmx.l.google.com.
ellinex.co.		14400	IN	MX	30 aspmx2.googlemail.com.
ellinex.co.		14400	IN	MX	30 aspmx3.googlemail.com.
ellinex.co.		14400	IN	MX	30 aspmx4.googlemail.com.
ellinex.co.		14400	IN	MX	30 aspmx5.googlemail.com.

;; AUTHORITY SECTION:
ellinex.co.		78023	IN	NS	ns7.kubez.biz.
ellinex.co.		78023	IN	NS	ns8.kubez.biz.

;; ADDITIONAL SECTION:
aspmx.l.google.com.	203	IN	A	74.125.91.27
alt1.aspmx.l.google.com. 32	IN	A	209.85.143.27
alt2.aspmx.l.google.com. 32	IN	A	74.125.77.27
aspmx2.googlemail.com.	2096	IN	A	74.125.43.27
aspmx3.googlemail.com.	2255	IN	A	74.125.127.27
aspmx4.googlemail.com.	3011	IN	A	209.85.229.27
aspmx5.googlemail.com.	3011	IN	A	74.125.157.27
ns7.kubez.biz.		6023	IN	A	85.17.143.70
ns8.kubez.biz.		6023	IN	A	85.17.143.71



sptea.net
[Querying whois.verisign-grs.com]
[Redirected to whois.PublicDomainRegistry.com]
[Querying whois.PublicDomainRegistry.com]
[whois.PublicDomainRegistry.com]
Registration Service Provided By: HIGH QUALITY HOST COMPANY
Contact: +1.6462130098

Domain Name: SPTEA.NET 

Registrant:
    arttea
    david perret        (david_perret67@hotmail.co.uk)
    14 Hopton Rise
    Haverhill
    Coleraine,CB97FS
    GB
    Tel. +022.712547889

Creation Date: 03-May-2010  
Expiration Date: 03-May-2011

Domain servers in listed order:
    ns2.google.com
    ns1.google.com


Administrative Contact:
    arttea
    david perret        (david_perret67@hotmail.co.uk)
    14 Hopton Rise
    Haverhill
    Coleraine,CB97FS
    GB
    Tel. +022.712547889

Technical Contact:
    arttea
    david perret        (david_perret67@hotmail.co.uk)
    14 Hopton Rise
    Haverhill
    Coleraine,CB97FS
    GB
    Tel. +022.712547889

Billing Contact:
    arttea
    david perret        (david_perret67@hotmail.co.uk)
    14 Hopton Rise
    Haverhill
    Coleraine,CB97FS
    GB
    Tel. +022.712547889

Status:LOCKED
	Note: This Domain Name is currently Locked. In this status the domain 
	name cannot be transferred, hijacked, or modified. The Owner of this 
	domain name can easily change this status from their control panel. 
	This feature is provided as a security measure against fraudulent domain name hijacking.

hdoffice.net

[Querying whois.verisign-grs.com]
[Redirected to whois.PublicDomainRegistry.com]
[Querying whois.PublicDomainRegistry.com]
[whois.PublicDomainRegistry.com]
Registration Service Provided By: HIGH QUALITY HOST COMPANY
Contact: +1.6462130098

Domain Name: HDOFFICE.NET 

Registrant:
    hdd
    HDD COLTD        (hddcoltd@yahoo.com)
    137
    brent street
    LONDON
    London,NW4 4DJ
    GB
    Tel. +020.81236597

Creation Date: 06-May-2010  
Expiration Date: 06-May-2011

Domain servers in listed order:
    36063.mars.orderbox-dns.com
    36063.earth.orderbox-dns.com
    36063.venus.orderbox-dns.com
    36063.mercury.orderbox-dns.com


Administrative Contact:
    hdd
    HDD COLTD        (hddcoltd@yahoo.com)
    137
    brent street
    LONDON
    London,NW4 4DJ
    GB
    Tel. +020.81236597

Technical Contact:
    hdd
    HDD COLTD        (hddcoltd@yahoo.com)
    137
    brent street
    LONDON
    London,NW4 4DJ
    GB
    Tel. +020.81236597

Billing Contact:
    hdd
    HDD COLTD        (hddcoltd@yahoo.com)
    137
    brent street
    LONDON
    London,NW4 4DJ
    GB
    Tel. +020.81236597

www.car-dan.cc
Registration Service Provided By: DOMAIN NAMES REGISTRAR REG.RU LTD.
Contact: +7.4955801111

Domain Name: CAR-DAN.CC

Registrant:
    PrivacyProtect.org
    Domain Admin        (contact@privacyprotect.org)
    ID#10760, PO Box 16
    Note - All Postal Mails Rejected, visit Privacyprotect.org
    Nobby Beach
    null,QLD 4218
    AU
    Tel. +45.36946676

Creation Date: 20-Apr-2011
Expiration Date: 20-Apr-2012

Domain servers in listed order:
    ns1.infiumhost.com
    ns2.infiumhost.com


Administrative Contact:
    PrivacyProtect.org
    Domain Admin        (contact@privacyprotect.org)
    ID#10760, PO Box 16
    Note - All Postal Mails Rejected, visit Privacyprotect.org
    Nobby Beach
    null,QLD 4218
    AU
    Tel. +45.36946676

Technical Contact:
    PrivacyProtect.org
    Domain Admin        (contact@privacyprotect.org)
    ID#10760, PO Box 16
    Note - All Postal Mails Rejected, visit Privacyprotect.org
    Nobby Beach
    null,QLD 4218
    AU
    Tel. +45.36946676

Billing Contact:
    PrivacyProtect.org
    Domain Admin        (contact@privacyprotect.org)
    ID#10760, PO Box 16
    Note - All Postal Mails Rejected, visit Privacyprotect.org
    Nobby Beach
    null,QLD 4218
    AU
    Tel. +45.36946676

car-dan.cc mail routing

;; QUESTION SECTION:
;car-dan.cc.			IN	MX

;; ANSWER SECTION:
car-dan.cc.		3600	IN	MX	30 ASPMX2.GOOGLEMAIL.COM.
car-dan.cc.		3600	IN	MX	30 ASPMX3.GOOGLEMAIL.COM.
car-dan.cc.		3600	IN	MX	30 ASPMX4.GOOGLEMAIL.COM.
car-dan.cc.		3600	IN	MX	30 ASPMX5.GOOGLEMAIL.COM.
car-dan.cc.		3600	IN	MX	10 ASPMX.L.GOOGLE.COM.
car-dan.cc.		3600	IN	MX	20 ALT1.ASPMX.L.GOOGLE.COM.
car-dan.cc.		3600	IN	MX	20 ALT2.ASPMX.L.GOOGLE.COM.

;; AUTHORITY SECTION:
car-dan.cc.		3338	IN	NS	ns1.infiumhost.COM.
car-dan.cc.		3338	IN	NS	ns2.infiumhost.COM.

kazimier.com

[whois.hostingservicesinc.net]
Registration Service Provided By: GET-NAMES.COM
Contact: +380.505664849

Domain Name: KAZIMIER.COM 

Registrant:
    N/A
    K Sidar        (skasimiras@yahoo.com)
    49 Lodge Lane
    Grays
    Essex,RM17 5RZ
    GB
    Tel. +020.81332947

Creation Date: 10-Jan-2011  
Expiration Date: 10-Jan-2012

Domain servers in listed order:
    ns1.localserver.ru
    ns2.localserver.ru


Administrative Contact:
    N/A
    K Sidar        (skasimiras@yahoo.com)
    49 Lodge Lane
    Grays
    Essex,RM17 5RZ
    GB
    Tel. +020.81332947

Technical Contact:
    N/A
    K Sidar        (skasimiras@yahoo.com)
    49 Lodge Lane
    Grays
    Essex,RM17 5RZ
    GB
    Tel. +020.81332947

Billing Contact:
    N/A
    K Sidar        (skasimiras@yahoo.com)
    49 Lodge Lane
    Grays
    Essex,RM17 5RZ
    GB
    Tel. +020.81332947

IP info
;; ANSWER SECTION:
kazimier.com.		14400	IN	A	66.118.146.68 (66-118-146-68.static.sagonet.net)

;; AUTHORITY SECTION:
kazimier.com.		84147	IN	NS	ns2.localserver.ru.
kazimier.com.		84147	IN	NS	ns1.localserver.ru.

MaxMind GeoIP City/ISP/Organization Edition Results

Hostname 	Country Code 	Country Name 	Region 	Region Name 	City 	Postal Code 	Latitude 	Longitude 	ISP 	Organization 	Metro Code 	Area Code
66.118.146.68 	US 	United States 	FL 	Florida 	Tampa 	 	27.9984 	-82.4781 	Sago Networks 	Pro Medica 	539 	813

kazimier.com mail routing

;; QUESTION SECTION:
;kazimier.com.			IN	MX

;; ANSWER SECTION:
kazimier.com.		14400	IN	MX	10 ASPMX3.GOOGLEMAIL.com.
kazimier.com.		14400	IN	MX	10 ASPMX4.GOOGLEMAIL.com.
kazimier.com.		14400	IN	MX	10 ASPMX5.GOOGLEMAIL.com.
kazimier.com.		14400	IN	MX	1 ASPMX.L.GOOGLE.com.
kazimier.com.		14400	IN	MX	5 ALT1.ASPMX.L.GOOGLE.com.
kazimier.com.		14400	IN	MX	5 ALT2.ASPMX.L.GOOGLE.com.
kazimier.com.		14400	IN	MX	10 ASPMX2.GOOGLEMAIL.com.

;; AUTHORITY SECTION:
kazimier.com.		86400	IN	NS	ns2.localserver.ru.
kazimier.com.		86400	IN	NS	ns1.localserver.ru.


reliablechip.com: Privacy protection removed.

[Querying whois.verisign-grs.com]
[Redirected to whois.PublicDomainRegistry.com]
[Querying whois.PublicDomainRegistry.com]
[whois.PublicDomainRegistry.com]
Registration Service Provided By: WEB FOR ALL (WEB4ALL.RU)
Contact: +7.4012971111
Website: http://www.Web4All.ru

Domain Name: RELIABLECHIP.COM 

Registrant:
    Campbell llc.
    Mary Campbell        (reli@mail15.com)
    319 W. Lawrence Road
    Phoenix
    Arizona,85013
    US
    Tel. +165.5379003

Creation Date: 14-Nov-2010  
Expiration Date: 14-Nov-2011

Domain servers in listed order:
    ns2.infiumhost.com
    ns1.infiumhost.com


Administrative Contact:
    Campbell llc.
    Mary Campbell        (reli@mail15.com)
    319 W. Lawrence Road
    Phoenix
    Arizona,85013
    US
    Tel. +165.5379003

Technical Contact:
    Campbell llc.
    Mary Campbell        (reli@mail15.com)
    319 W. Lawrence Road
    Phoenix
    Arizona,85013
    US
    Tel. +165.5379003

Billing Contact:
    Campbell llc.
    Mary Campbell        (reli@mail15.com)
    319 W. Lawrence Road
    Phoenix
    Arizona,85013
    US
    Tel. +165.5379003

ivandras.com

[Querying whois.verisign-grs.com]
[Redirected to whois.hostingservicesinc.net]
[Querying whois.hostingservicesinc.net]
[whois.hostingservicesinc.net]
Registration Service Provided By: GET-NAMES.COM
Contact: +380.505664849

Domain Name: IVANDRAS.COM 
Registrant:
    idras
    john nash        (ivandras@aol.com)
    136 mountpleasant road
    london
    London,n176th
    GB
    Tel. +020.88067453
Creation Date: 03-Nov-2011  
Expiration Date: 03-Nov-2012

Domain servers in listed order:
    ns5.hostplus.ws
    ns6.hostplus.ws

Administrative Contact:
    idras
    john nash        (ivandras@aol.com)
    136 mountpleasant road
    london
    London,n176th
    GB
    Tel. +020.88067453

Technical Contact:
    idras
    john nash        (ivandras@aol.com)
    136 mountpleasant road
    london
    London,n176th
    GB
    Tel. +020.88067453

Billing Contact:
    idras
    john nash        (ivandras@aol.com)
    136 mountpleasant road
    london
    London,n176th
    GB
    Tel. +020.88067453

Ivandras.com IP Info:

ivandras.com.		13368	IN	A	91.204.75.15
ivandras.com.		85368	IN	NS	ns5.hostplus.ws.
ivandras.com.		85368	IN	NS	ns6.hostplus.ws.

;; ADDITIONAL SECTION:
ns5.hostplus.ws.	85368	IN	A	91.204.75.15
ns6.hostplus.ws.	85368	IN	A	178.170.164.88

Ivandras.com Mail Routing

;; QUESTION SECTION:
;ivandras.com.			IN	MX

;; ANSWER SECTION:
ivandras.com.		14041	IN	MX	1 aspmx.l.google.com.
ivandras.com.		14041	IN	MX	5 alt1.aspmx.l.google.com.
ivandras.com.		14041	IN	MX	5 alt2.aspmx.l.google.com.
ivandras.com.		14041	IN	MX	10 aspmx2.googlemail.com.
ivandras.com.		14041	IN	MX	10 aspmx3.googlemail.com.
ivandras.com.		14041	IN	MX	10 aspmx4.googlemail.com.
ivandras.com.		14041	IN	MX	10 aspmx5.googlemail.com.

Web and Mail Hosting

sptea.net and hdoffice.net have been disabled by their registrar.

No A record for domain sptea.net

;; QUESTION SECTION:
;sptea.net.			IN	A

Domain hdoffice.net now has a google IP as its A record

;; ANSWER SECTION:
hdoffice.net.		34868	IN	A	66.98.145.18

Reliablechip.com has yet to be crippled by its registrar

;; ANSWER SECTION:
reliablechip.com.	3600	IN	A	91.218.36.7

;; AUTHORITY SECTION:
reliablechip.com.	148289	IN	NS	ns2.infiumhost.com.
reliablechip.com.	148289	IN	NS	ns1.infiumhost.com.

Let's take a look at where the reliablechip.com site and mail were hosted. A traceroute to the IP 91.218.36.7 shows that it is hosted in Ukraine.

[me@MyComputer ~]$ traceroute 91.218.36.7
traceroute to 91.218.36.7 (91.218.36.7), 30 hops max, 60 byte packets
 1  XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
 2  XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
 3  XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
 4  xe-0-2-0.cr2.dca2.us.above.net (64.125.31.38)  3.281 ms  3.228 ms  3.146 ms
 5  xe-0-0-0.cr1.dca2.us.above.net (64.125.28.241)  3.398 ms  3.289 ms  3.340 ms
 6  ge-3-3-0.mpr1.dca2.us.above.net (64.125.29.22)  3.517 ms  3.818 ms  3.687 ms
 7  so-1-1-0.mpr1.lhr2.uk.above.net (64.125.31.185)  75.857 ms  75.789 ms  75.758 ms
 8  xe-3-0-0.mpr1.lhr1.uk.above.net (64.125.28.142)  75.604 ms  75.708 ms  75.639 ms
 9  linx-224.retn.net (195.66.224.193)  75.864 ms  75.910 ms  75.963 ms
10  xe200-8.RT.UAR.HRK.UA.retn.net (87.245.232.5)  127.949 ms  127.866 ms  127.977 ms
11  GW-CITOnline.retn.net (87.245.243.222)  127.933 ms  127.866 ms  128.034 ms
12  GW-INFIUMHOST.citonline.com.ua (193.106.28.214)  128.105 ms  128.361 ms  128.190 ms
13  h2.infiumhost.com (91.218.36.7)  128.441 ms  128.303 ms  128.471 ms

Let's take a look at how reliablechip.com is set up to handle email. We'll see that it's configured to use Google's (Gmail) mail exchangers. I contacted Gmail about this via their abuse web form but never heard anything back from them.

;reliablechip.com.		IN	MX

;; ANSWER SECTION:
reliablechip.com.	3600	IN	MX	30 ASPMX5.GOOGLEMAIL.com.
reliablechip.com.	3600	IN	MX	10 ASPMX.L.GOOGLE.com.
reliablechip.com.	3600	IN	MX	20 ALT1.ASPMX.L.GOOGLE.com.
reliablechip.com.	3600	IN	MX	20 ALT2.ASPMX.L.GOOGLE.com.
reliablechip.com.	3600	IN	MX	30 ASPMX2.GOOGLEMAIL.com.
reliablechip.com.	3600	IN	MX	30 ASPMX3.GOOGLEMAIL.com.
reliablechip.com.	3600	IN	MX	30 ASPMX4.GOOGLEMAIL.com.

;; AUTHORITY SECTION:
reliablechip.com.	147729	IN	NS	ns2.infiumhost.com.
reliablechip.com.	147729	IN	NS	ns1.infiumhost.com.

;; ADDITIONAL SECTION:
ASPMX.L.GOOGLE.com.	282	IN	A	74.125.113.27
ALT1.ASPMX.L.GOOGLE.com. 282	IN	A	209.85.227.27
ALT2.ASPMX.L.GOOGLE.com. 282	IN	A	74.125.127.27
ASPMX2.GOOGLEMAIL.com.	546	IN	A	74.125.43.27
ASPMX3.GOOGLEMAIL.com.	546	IN	A	72.14.213.27
ASPMX4.GOOGLEMAIL.com.	1194	IN	A	209.85.229.27
ASPMX5.GOOGLEMAIL.com.	618	IN	A	74.125.157.27
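The pivot this page does by hand (noting that reliablechip.com and car-dan.cc sit behind the same infiumhost nameservers, and that nearly every store routes mail through Google's exchangers) can be scripted. This is an added example, not code from the original write-up; the records embedded in it are copied from the dig output quoted on this page, and the "last two labels" zone reduction is an assumption that is good enough for these hosts but is not a real public-suffix lookup.

```python
"""Pivot on DNS records to find infrastructure shared between suspect domains.

Added example: the resource records below are copied from the dig output
quoted on this page; no domain or record absent from the page is included.
"""
import re
from collections import defaultdict

# dig-style answer lines as quoted on the page (tabs and spaces mixed).
DIG_OUTPUT = """
reliablechip.com.	3600	IN	A	91.218.36.7
reliablechip.com.	148289	IN	NS	ns2.infiumhost.com.
reliablechip.com.	148289	IN	NS	ns1.infiumhost.com.
reliablechip.com.	3600	IN	MX	10 ASPMX.L.GOOGLE.com.
car-dan.cc.		3338	IN	NS	ns1.infiumhost.COM.
car-dan.cc.		3338	IN	NS	ns2.infiumhost.COM.
car-dan.cc.		3600	IN	MX	10 ASPMX.L.GOOGLE.COM.
kazimier.com.		14400	IN	A	66.118.146.68
kazimier.com.		84147	IN	NS	ns1.localserver.ru.
kazimier.com.		14400	IN	MX	1 ASPMX.L.GOOGLE.com.
ivandras.com.		13368	IN	A	91.204.75.15
ivandras.com.		85368	IN	NS	ns5.hostplus.ws.
ivandras.com.		14041	IN	MX	1 aspmx.l.google.com.
ellinex.co.		14400	IN	MX	10 aspmx.l.google.com.
ellinex.co.		78023	IN	NS	ns7.kubez.biz.
"""

# owner-name.  TTL  IN  TYPE  RDATA   (only the types we pivot on)
RR_RE = re.compile(r"^(\S+)\.\s+\d+\s+IN\s+(A|NS|MX)\s+(.*)$")


def parse_records(text):
    """Return {domain: {"A": set, "NS": set, "MX": set}} from dig answer lines."""
    records = defaultdict(lambda: {"A": set(), "NS": set(), "MX": set()})
    for line in text.splitlines():
        m = RR_RE.match(line.strip())
        if not m:
            continue  # blank lines and ';;' section headers
        name, rtype, rdata = m.groups()
        if rtype == "MX":
            rdata = rdata.split()[1]  # drop the preference number
        if rtype in ("NS", "MX"):
            # Hostnames are case-insensitive; dig shows them in mixed case.
            rdata = rdata.lower().rstrip(".")
        records[name.lower()][rtype].add(rdata)
    return dict(records)


def registrable_zone(hostname):
    """Assumed shortcut: ns1.infiumhost.com -> infiumhost.com.
    Works for every host on this page; not a public-suffix-list lookup."""
    return ".".join(hostname.split(".")[-2:])


def shared_infrastructure(records):
    """Group domains by the zone of their NS and MX hosts.

    Returns {(rtype, zone): [domains...]} for zones used by 2+ domains, which
    is the overlap worth reporting to a hosting or abuse contact.
    """
    groups = defaultdict(set)
    for domain, rrs in records.items():
        for rtype in ("NS", "MX"):
            for host in rrs[rtype]:
                groups[(rtype, registrable_zone(host))].add(domain)
    return {k: sorted(v) for k, v in groups.items() if len(v) > 1}


if __name__ == "__main__":
    for (rtype, zone), domains in sorted(shared_infrastructure(parse_records(DIG_OUTPUT)).items()):
        print(f"{rtype:<2} {zone:<16} {', '.join(domains)}")
```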

Now we'll examine the message source of one of the mail messages sent from the sptea.net ordering system to smartapes.net.

Return-Path: 
X-Original-To: r.cxxxxx58@smartapes.net
Delivered-To: xxxxxxxx@x.dreamhost.com <-  My hosting provider
Received: from usa.hostplus.ws (usa.hostplus.ws [174.122.73.2])
     (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
     (No client certificate requested)
     by xdreamhost.com (Postfix) with ESMTPS id 02FC6CF8DD
     for ; Wed, 8 Dec 2010 08:31:32 -0800 (PST)
Received: from artoftea by usa.hostplus.ws with local (Exim 4.69)
     (envelope-from )
     id 1PQMsK-0008SD-LE
     for r.cxxxxx58@smartapes.net; Wed, 08 Dec 2010 19:28:16 +0300
To: "Rxxx Cxxxxxx" 
Subject: Welcome to SpTea
From: "Timaty Wallen" 
MIME-Version: 1.0
X-Mailer: osCommerce Mailer
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Message-Id: 
Date: Wed, 08 Dec 2010 19:28:16 +0300
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - usa.hostplus.ws
X-AntiAbuse: Original Domain - smartapes.net
X-AntiAbuse: Originator/Caller UID/GID - [509 505] / [47 12]
X-AntiAbuse: Sender Address Domain - usa.hostplus.ws

The host usa.hostplus.ws is hosted at ThePlanet:

Hostname 	Country Code 	Country Name 	Region 	Region Name 	City 	Postal Code 	Latitude 	Longitude 	ISP 	Organization 	Metro Code 	Area Code
174.122.73.2 	US 	United States 	TX 	Texas 	Houston 	77002 	29.7523 	-95.3670 	THEPLANET.COM INTERNET SERVICES 	THEPLANET.COM INTERNET SERVICES 	618 	713
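Reading the Received: chain from the bottom up is how the author gets from a smartapes.net mailbox back to a local process ("artoftea") on usa.hostplus.ws, and the X-Mailer and X-AntiAbuse lines tell you what to put in an abuse report. As an added example (not the author's code), here is that walk done with Python's standard email parser over a header block constructed from the message source quoted above; addresses the page redacted or stripped are left as they appear there.

```python
"""Walk the Received: chain of a suspicious order e-mail, oldest hop first.

Added example. RAW_HEADERS is constructed from the message source quoted on
this page (redactions kept); the parsing logic is generic RFC 5322 handling.
"""
import re
from email import message_from_string

RAW_HEADERS = """\
X-Original-To: r.cxxxxx58@smartapes.net
Delivered-To: xxxxxxxx@x.dreamhost.com
Received: from usa.hostplus.ws (usa.hostplus.ws [174.122.73.2])
     (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
     (No client certificate requested)
     by xdreamhost.com (Postfix) with ESMTPS id 02FC6CF8DD
     for r.cxxxxx58@smartapes.net; Wed, 8 Dec 2010 08:31:32 -0800 (PST)
Received: from artoftea by usa.hostplus.ws with local (Exim 4.69)
     id 1PQMsK-0008SD-LE
     for r.cxxxxx58@smartapes.net; Wed, 08 Dec 2010 19:28:16 +0300
To: "Rxxx Cxxxxxx" <r.cxxxxx58@smartapes.net>
Subject: Welcome to SpTea
From: "Timaty Wallen" <support@sptea.net>
X-Mailer: osCommerce Mailer
X-AntiAbuse: Primary Hostname - usa.hostplus.ws
X-AntiAbuse: Original Domain - smartapes.net
X-AntiAbuse: Originator/Caller UID/GID - [509 505] / [47 12]
X-AntiAbuse: Sender Address Domain - usa.hostplus.ws

"""

# from HOST [(reverse-dns [ip])] ... by HOST ... with PROTO
HOP_RE = re.compile(
    r"from\s+(?P<from>\S+)"             # claimed sender (host or local user)
    r"(?:\s+\((?P<helo>[^)]*)\))?"     # optional "(rdns [ip])" clause
    r".*?\bby\s+(?P<by>\S+)"           # the MTA that wrote this header
    r"(?:.*?\bwith\s+(?P<with>\S+))?"  # ESMTPS, local, ...
)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_chain(raw):
    """Return hops oldest-first; each hop is {from, ip, by, with}.

    Headers are prepended as a message travels, so the bottom Received:
    line is the first hop. Only the 'by' side of each hop is trustworthy:
    the 'from' clause is whatever the previous system claimed.
    """
    msg = message_from_string(raw)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        flat = " ".join(value.split())  # unfold continuation lines
        m = HOP_RE.search(flat)
        if not m:
            continue
        ip = IP_RE.search(m.group("helo") or "")
        hops.append({"from": m.group("from"),
                     "ip": ip.group(1) if ip else None,
                     "by": m.group("by"),
                     "with": m.group("with")})
    return hops


def injection_point(raw):
    """Summarise where the message entered the mail system.

    A first hop 'with local' means a process on the 'by' host injected the
    mail (here the store's web account), so that host and its first public
    IP are what an abuse report should cite, alongside X-Mailer/X-AntiAbuse.
    """
    hops = received_chain(raw)
    msg = message_from_string(raw)
    first = hops[0]
    local = first["with"] == "local"
    return {
        "origin_host": first["by"] if local else first["from"],
        "origin_user": first["from"] if local else None,
        "ip": next((h["ip"] for h in hops if h["ip"]), None),
        "mailer": msg.get("X-Mailer"),
        "antiabuse": msg.get_all("X-AntiAbuse", []),
    }


if __name__ == "__main__":
    for hop in received_chain(RAW_HEADERS):
        print(hop)
    print(injection_point(RAW_HEADERS))
```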

Other charges

UNICEF

I received a series of receipts for payments made to UNICEF's Libya Crisis Children's Appeal.

This email has been sent to you by UNICEF UK

UNICEF House
30a Great Sutton Street
London EC1V 0DU
Tel 0844 8012414
www.unicef.org.uk
helpdesk@unicef.org.uk
-----------------------------------------------------
25 March 2011

Dear Bradley,

Your donation of GBP25 supporting UNICEF's Libya Crisis Children's Appeal has been gratefully received.
With your kind gift we will be able to respond to the needs of children affected by the escalating violence in Libya. Our priorities include providing safe water and sanitation to families who have crossed the borders. We are also preparing to scale up the provision of immediate basic health supplies such as emergency health kits, nutrition and vaccinations.

UNICEF relies entirely on voluntary contributions as we receive no funding from the United Nations budget.


On behalf of everyone at UNICEF and all those who will benefit from your gift, thank you.

Your support is very much appreciated.

Yours sincerely
David Bull

World of Dating Ltd (UK)


Hello bxxx kxxxxxx,

Thank you for your order dated 2011-03-14 00:10:42 to the amount of 68.79 EUR (incl. VAT).
micropayment is commissioned to process payment and ordering for the following operator:

Operator: World of Dating Ltd.
Project: Payment Internet
Product: Payment Internet 37444


For all inquiries, please state the following transaction no.: www.mamboo.com-ghhtny5jaw0000000000000

The sum of 68.79 EUR has been credited to the credit-card account you specified (xxxxxxxxxxxx 5200).

A receipt for your order is issued at the bottom section of this email.

+++++++++++++++++++++++++++++++++++++++++++++
TECHNICAL SUPPORT

Please contact the aforementioned operator directly if you have questions concerning content or the technical details of the product you purchased.

+++++++++++++++++++++++++++++++++++++++++++++

Kind regards,
Your micropayment™ Team

+++++++++++++++++++++++++++++++++++++++++++++
Receipt

Transaction no.: www.mamboo.com-ghhtny5jaw0000000000000
Date: 2011-03-14 00:10:42

Seller and operator:
World of Dating Ltd.
9, Devonshire square
EC2M 4YF London
United Kingdom


Customer information:
bxxxx kxxxx
bxxxxxxxxx@smartapes.net


Total amount: 68.79 EUR

Payment type: credit card
Card type: visa
Credit-card no.: xxxxxxxxxxxx 5200



micropayment has accepted this order on behalf of
the stated seller and operator.
Check code: 0db894dff66f538de88c4903d86c3416
Your IP: 66.189.189.97
+++++++++++++++++++++++++++++++++++++++++++++

Note the client IP of the user who initiated the transaction: 66.189.189.97 (66-189-189-97.dhcp.wntc.wa.charter.com). The scammer in this case is someone in the US.

Conclusion

Let's put it all together. Here is the anatomy of this scam:

  1. Register a domain name.
  2. Acquire a bulletproof web hosting plan from an unscrupulous web host in Eastern Europe or Russia.
  3. Acquire a payment processing service using fake information gleaned from the internet.
  4. Set up and populate a web store selling fictitious wares.
  5. Acquire a US VoIP phone number.
  6. Staff the phone support line with fake customer service reps whose job is to appease angry callers and reverse charges. This helps the operator stay under the radar.
  7. Acquire a dump of compromised credit card numbers and user information through the usual nefarious channels.
  8. Run the credit card numbers through the fake web store, substituting fake email addresses crafted to include bits of the victims' names.
  9. PROFIT

Angry Emails

Despite the fact that I've attempted to shine a light on this fraud, and despite the fact that I've spent a number of hours researching this matter, I continue to receive angry emails from people who were wronged by the perpetrators. No amount of explanation will satisfy these people. I feel for them as victims, but it's a little bit frustrating when they refuse to accept my explanation. This is my tribute to these victims.

Please folks, read the site! If you think someone used a valid email address in association with this fraud, you're wrong.

from	xxxxx@xxxxxkilt.com
to	r_white26@smartapes.net
date	Tue, Jul 26, 2011 at 10:37 AM
subject	caught you

Hey Idiot, I reversed your charge of my credit card account and I will track you down if you ever attempt to steal from me again.  So don't expect your fishing cap to arrive any time soon.  GET A JOB, ASSHOLE!

note: Mr. White, the people who stole your money have a real job, it just happens to be professional CC fraud. I also have a job as an IT Security Analyst. This has nothing to do with some slacker swiping your card. This is organized crime.

from	Michael xxxx rxxxxxxxx5@yahoo.com
to	bxxxxxxe@smartapes.net
date	Mon, Jul 11, 2011 at 12:20 PM
subject	Order Cancelled
signed-by	yahoo.com

Thanks for trying to use my account to purchase your LED Bulbs, the order has been canceled and Batavia Police Notified

note: I responded to this gentleman by email. I think he half believed my explanation

Subject:  	Question
From:  	"Lisa xxxx" 
Date:  	Tue, April 19, 2011 6:16 am
To:  	j_xxxx@smartapes.net

Who are you?  You've used my credit card number which has now been
cancelled. 
 
Lisa
----
	from	x x x@gmail.com
to	"c_mxxx@smartapes.net" 
date	Sun, Jul 31, 2011 at 8:26 AM
signed-by	gmail.com
	
Can you tell me what the fuck you think you are doing?  This is FRAUD!!
I've contacted smartabes.net and they gave me your whois information, which
has been forwarded to the FBI Internet Crimes Unit.  You are to Cease and
Desist immediately.

Signed,

The REAL Cxxxxx Mxxxx who did NOT make any purchases at Parts-4-Bikes.


	from	MLands xxxx@gmail.com
to	mxxxxxx.xxxxx@smartapes.net
date	Mon, Aug 15, 2011 at 11:20 AM
subject	Fuch You Asshole
signed-by	gmail.com
Fuck you asshole. I caught your scam before it went through and the card is cancelled, asshole. Don't forget, HELL is for eternity. Enjoy your here after - asshole... You will be tormented day and night with fire for ever & ever  ever & ever  ever & ever  ever & ever  ever & ever  ever & ever  ever & ever  ever & ever  ever & ever  ever & ever  ever & ever  ever & ever .....asshole.

Hmm, this guy was too busy sleuthing to bother reading the website. I won't honor this with a response. Note the spelling of the four-letter word in the subject line.

----

Another nice email I received. The user decided to set up a fake Yahoo account but failed to realize that Yahoo provides the client IP. Doh!

Ura Asse uraass@yahoo.com to 
	
YOU GOT BUSTED!!!  YOU KNOW CREDIT CARD FRAUD IS A FELONY RIGHT??????

I tried explaining why I host this site, but she still feels like I'm the one who charged her card because the statement referenced a fake smartapes.net email address. I give up.


an email address with YOUR website is the one that was on the credit card account so
if you are as your website says trying to stop credit card fraud then how could
someone use a @smartapes.net address without you knowing about it?  And btw--the
info you have is incorrect.


Contact

You can reach me by emailing any address @smartapes.net; the catch-all email account for the domain accepts any username. I'll do my best to help you so long as you are civil. Threatening emails sent by people who did not bother to read the info on this website will be posted, personal details redacted, to the section above.