DEFCON 27 Conference. Recognizing an Internet Fraud

About the speaker:

Nina Kollars, also known as Kitty Hegemon, is currently writing a book about the contribution of hackers to national security. She is a political scientist who researches how users adapt to various cyber technologies. Kollars is a professor in the Department of Strategic and Operational Studies at the Naval War College and has worked at the Federal Research Division of the Library of Congress, the Department of African American Studies at Harvard University, the World Bank, an anti-reflective coatings factory, and at night as a BSides volunteer. As a hobby, she once led a group called DC Cigars, Scotch and Strategy and is still a certified bourbon maker today.

Hi, I'm Kitty, but at work people often call me Nina. Before I begin my presentation: the views expressed here are not necessarily those of the Navy, the Department of Defense, or the US government. I have to say this because I am technically a federal employee, as I am a professor at the Naval War College in the Department of Strategic and Operational Studies. This means that I study the latest technologies and how they affect combat and defense, which includes cyber elements. This is one of the reasons why I follow the DefCon community. However, what I will talk about today has nothing to do with the military industry.

So last August I bought a used Nespresso machine, and I wanted to come here and tell you what happened after that. As you know, coffee machines and capsules are bought mainly online. There are several Nespresso boutiques across the country, but by and large you buy coffee for your Nespresso machine directly from the company's website. Having bought a used machine, I realized that coffee capsules on the Nespresso website are quite expensive and decided to look for a cheaper seller.

It turned out that you can buy coffee much cheaper on eBay - the price of capsules was about half what I would have to pay if I bought directly from Nespresso. The only inconvenience was that I had to buy at least 200 capsules at once, but since I drink a lot of coffee, this did not bother me too much, and I placed my bid on a batch of capsules. When the auction ended, I saw that I had won and paid for the purchase through PayPal.
The goods were delivered to me about a week later. Imagine my surprise when, along with the boxes of coffee, they delivered a box containing a brand new coffee machine. It was the Nespresso Pixie, the most popular compact model at $280, which uses small "tablets" of coffee that cost 70 cents each.

I thought I had just made a mistake when placing the order and went back to eBay to check whether I had clicked on something extra there and accidentally bought this thing. However, I didn't find anything of the sort.

Then I looked at the stickers on the boxes and saw that both the capsules and the coffee machine came to me from the same sender, and the strangest thing was that Nespresso itself was the sender. However, I ordered the goods not from the manufacturer, but from a third party!

I went back to eBay to look at the details of the transaction and compare them to the invoice, and found out that the eBay seller's name, let's call her Sue from Chicago, was nothing like the Nespresso sender's name, let's call him George from Poughkeepsie. In addition, Sue from Chicago had a zero seller rating and had created her account just a couple of weeks before my order. The only thing she sold was Nespresso coffee.

I thought it looked like a scam, so I decided to look into the matter and called Nespresso. Very reluctantly, because I'm a bit greedy and wouldn't mind keeping this coffee machine for myself. I explained to customer service that I hadn't ordered a machine, I had only ordered capsules, and I hadn't bought them from Nespresso but from a third-party seller on eBay. They confirmed that the money for both items of my order had indeed been charged to the credit card of George from Poughkeepsie.

I thought it would be worth calling this George, who had sent me such a wonderful gift, to clarify the situation, but customer service refused to give me his phone number. I kept suspecting some sort of scam here, but I had no way of understanding who was gaining what in this situation. So I told Nespresso, "Please mail me a prepaid return label and once I receive it, I will gladly ship my coffee machine back to you." It was a ploy on my part, because everyone knows how reluctant manufacturers are to take their goods back.

The customer service agent wrote down my details, sent them to the anti-fraud department and told me to watch my mail. If the company wanted the misdirected coffee machine back, this department would send me a prepaid label so that I wouldn't have to pay my own money to ship the parcel.

As you can see, a year later I still have the coffee machine. But my conscience is clear - I reported the fraud, and I kept the machine. However, I could not understand what had really happened, and it constantly bothered me.

So I did a little googling and found, in the security section of eBay, a diagram of the so-called Triangulation Fraud, or "fraudulent triangle". It is named so because it involves three parties. This diagram helped me understand what might have happened in my case.

The whole point of this scam is to cash out a stolen credit card using the link between the company and the last element of the scheme - the mule, as it is commonly called. This is the person through whom the stolen credit is turned into cash.

The three participants in this scheme are:

  • An unsuspecting customer who places an order on an auction or e-marketplace, paying with PayPal, a credit or debit card, or some other form of payment;
  • A fraudulent seller who receives the order and then places that order for a real product on a legitimate e-commerce website, using a stolen credit card to pay;
  • A legitimate e-commerce site that processes the scammer's order.

More often than not, the scammer will use a legitimate "work from home" seller in their scheme. Such a seller may not even know they are part of a fraudulent network, and some of these sellers have a solid sales history. Fraudulent employers often post job ads looking for sellers to sell their goods for a certain percentage, usually 30%, and many sellers agree to such work.

It is the employer who is the real culprit in possession of the stolen credit card information. The employer provides the seller with a list of "their" items for sale, including full product descriptions.

The seller lists the goods under his account on the marketplace. Legitimate customers buy the goods, and the seller sends the order information to his employer.

The employer places the same order on a legitimate website, pays for it with a stolen credit card, and hands the item's tracking number to the seller.

The seller hands the tracking number to the customer. Now the fraudulent order is shipped to the customer from the legitimate website of the manufacturer.

The customer who unexpectedly received the stolen goods and the legitimate manufacturing company are the victims. If the fraud is discovered, the legitimate website will face a chargeback or forfeit the funds received in payment for the order. The site may contact the customer to return the stolen goods, or the customer may report it themselves, as happened in my case. The buyer can also file a fraud claim with their bank against the seller.
However, there is another victim - the person whose credit card was stolen. He doesn't know anything about the deal until he gets his credit card statement. Naturally, he will dispute the purchase, and sometimes this results in a chargeback against the legitimate website.

Usually the scammer picks a large company, in this case Nespresso, and opens an account there. Such companies have a streamlined delivery system and a simple account system that does not contain complex security checks. Then the scammer, if he works alone and is both employer and seller, creates an account on eBay with a fake profile and starts selling things very cheaply. When the auction ends, the unsuspecting buyer sends his money through eBay and becomes a mule - thanks to an honest buyer, the scammer gets the cash he needs.

However, it is worth remembering that the scammer is selling a product that he does not actually own. And the buying process on eBay will not be completed until the shipping invoice is closed. This means that the scammer then uses the stolen credit card to buy the product directly from the manufacturer, and then the triangle is complete. The site generates a delivery notification and everyone is happy. The scammer takes the money from the sale of the product, pays eBay its commission and pays for additional items, in my case capsules for a coffee machine. It's a seamless triangle and the buyer has no idea he's a "mule"; all he knows is that he got his item at a bargain price. The incentive to continue the scam is that everyone continues to remain silent. Unless, of course, the buyer is me, who received an espresso machine that I didn't order and really wanted to know why.
I had two theories of what happened. The first was an order processing error, where someone mistakenly copied an extra line from an Excel spreadsheet on the manufacturer's website and they accidentally sent me an extra coffee maker. The second - the scammers just wanted to buy my love! Perhaps this fraudulent triangle is such a fragile thing, and all these accounts and "burned" credit cards are such delicate things, that the scammer tried to make me so happy that I would not doubt anything and would continue to buy his goods.

So, the right thing to do after getting a free Nespresso coffee machine was to start my own investigation by buying more coffee! I know you think I'm a terrible person, but... firstly, for some reason I still called my speech "confessions"; secondly, I only assumed that this was a scam, but I was not sure of it. I didn't know how big this operation was, so I needed more data.

In particular, I didn't just need more data from one seller, I wanted to know if there was a whole bunch of scammers like "Nigerian princes" or fraudulent gift card sellers operating here. In short, I needed to somehow assess the scale of what was happening.

So I came up with a bunch of questions to find out who these thieves were. To be clear, eBay is full of thieves. I just wanted to find these ones. So, do the scammers have other accounts, and can I find them? How quickly do these accounts burn out? And the big question: can I make them make the same mistake twice? Like "send me more free stuff?"

Using eBay's auction search tool and the initial account as a template, I tried to find other newly created accounts with zero ratings selling Nespresso. So I needed three things: that they sold Nespresso, that they had a zero rating, and that the account had been created relatively recently.

I thought that scammers would not try to make each of their ads unique, but would prefer template descriptions and the same picture for several seller accounts. Besides, if these "triangles" are fragile enough and "burn" quickly, I will have to look for such ads every day.

Since eBay allows you to automate searches, I set up my own search template for 200 Nespresso capsules for $99. I also tried coffee machines as a third condition, but three parameters produced a dubious data pool, so I stuck to the search for capsules only. I received a search report by email and had to check up to 100 emails every day. It was a little difficult at first - it took time to find a lot that exactly matched my selection criteria. Many people sell coffee, but 200 Nespresso capsules for $99 from a seller with a zero rating and a fresh account is a fairly rare lot.

If you look at this slide, you will see stars at the top. This is not the seller's rating, as you might think, but people's reviews of the product. But seeing such stars, buyers feel calmer, imagining that this is the seller's rating. In fact, for new accounts, the rating is written in small print at the very bottom of the ad. To view it, and to find out the date the account was created, you need to click a separate button, which takes time.

The good news is that the eBay website helped me in my searches - even if my clicks did not lead to the results I was looking for, it watched me and placed a selection of ads at the bottom of the page: "we found a similar product for you, it might be of interest to you". As a result, I soon discovered the accounts of interest to me, and like a real researcher, I created a spreadsheet to track each unique account with the date of its creation, rating changes over time, the number of lots sold and the amount of sales.
After that, I chose two accounts created one after the other within 6 days and made two separate purchases to see if they would send me additional items not specified in the order.
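As an added example that is not part of the talk, here is a small screening script in Python that applies the criteria the speaker searched on (a Nespresso listing, a zero feedback score, a recently created account, a price well below Nespresso's own 70 cents per capsule) together with her observation that the suspect accounts reused the same photo and description. All seller names, dates, prices and photo hashes are constructed sample data, and the 30-day and 25% thresholds are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date

RETAIL_PER_CAPSULE = 0.70          # per-capsule price the talk quotes for buying direct
TODAY = date(2018, 8, 20)          # constructed "today" for the sample data below

@dataclass
class Listing:
    seller: str
    account_created: date
    feedback_score: int
    title: str
    description: str
    image_hash: str                # hypothetical hash of the listing photo
    quantity: int
    price_usd: float

def discount_vs_retail(lst):
    """Fraction below Nespresso's own price: 200 capsules at $99 is about 0.29."""
    return 1.0 - lst.price_usd / (lst.quantity * RETAIL_PER_CAPSULE)

def template_key(lst):
    """Normalised description plus photo hash; identical across the talk's suspect accounts."""
    return (" ".join(lst.description.lower().split()), lst.image_hash)

def shared_templates(listings):
    """Template keys that more than one seller account uses."""
    by_key = defaultdict(set)
    for lst in listings:
        by_key[template_key(lst)].add(lst.seller)
    return {k: s for k, s in by_key.items() if len(s) > 1}

def screen(listings, today=TODAY, max_age_days=30, min_discount=0.25):
    """Return {seller: (verdict, reasons)}; the thresholds are assumptions, not from the talk."""
    shared = shared_templates(listings)
    result = {}
    for lst in listings:
        if "nespresso" not in lst.title.lower():
            continue                                   # only the product under study
        reasons = []
        if lst.feedback_score == 0:
            reasons.append("zero feedback score")
        if (today - lst.account_created).days <= max_age_days:
            reasons.append("account created within %d days" % max_age_days)
        disc = discount_vs_retail(lst)
        if disc >= min_discount:
            reasons.append("%.0f%% below retail" % (disc * 100))
        others = shared.get(template_key(lst), set()) - {lst.seller}
        if others:
            reasons.append("same description and photo as " + ", ".join(sorted(others)))
        # A reused template is the strongest signal; otherwise require all three account signals.
        verdict = ("likely triangulation" if others or len(reasons) >= 3
                   else "review" if reasons else "clear")
        result[lst.seller] = (verdict, reasons)
    return result

# Constructed sample listings; sellers, dates, prices and hashes are invented.
TEMPLATE = "200 Nespresso OriginalLine capsules, assorted, new in box. Fast free shipping!"
SAMPLE = [
    Listing("sue_chicago", date(2018, 8, 1), 0, "Nespresso capsules x200", TEMPLATE, "ph-a1", 200, 99.0),
    Listing("bob_yonkers", date(2018, 8, 6), 0, "NESPRESSO pods 200 pcs", TEMPLATE.upper(), "ph-a1", 200, 99.0),
    Listing("new_hobbyist", date(2018, 8, 10), 0, "Nespresso capsules 200", "Surplus from my office.", "ph-b7", 200, 130.0),
    Listing("coffee_depot", date(2010, 3, 2), 1523, "Nespresso capsules 200", "Authorised reseller.", "ph-c3", 200, 125.0),
]

if __name__ == "__main__":
    for seller, (verdict, why) in screen(SAMPLE).items():
        print(seller, verdict, why)
```

A genuinely new hobbyist seller lands in "review" rather than "likely triangulation", which is the point: a zero rating and a fresh account alone are what honest newcomers look like too, and it is the reused template plus the deep discount that separates the scheme.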

As a result, after a week I received 200 coffee pods plus another 200 pods, and after another 6 days, 200 coffee pods and a brand new $119 cappuccino milk frother. It was a very useful gift because I am a cappuccino person; I love it when coffee has foam. In general, I switched from regular coffee to cappuccino, but more importantly, I realized that I had found these scammers. In their ads they used the same pictures and the same product descriptions. And then I entered into correspondence with them. I wrote them all sorts of nonsense about the product, asked about different coffee products, different types of coffee, sometimes just sent greetings. But they never answered me.

I also looked at eBay's scam page to try to let them know about these accounts, because I realized it's not fair, I shouldn't be involved, right? But it turned out that a buyer cannot report fraud on the eBay website if he actually received the item. There is an "I didn't receive the item I ordered" or "I received a damaged item" complaint form, but nothing like "I received an extra item and I want to report it." So I gave up on the idea of complaining to eBay about these scammers.

So I continued my investigation, found two more similar accounts and made two more orders. I received 200 + 200 coffee capsules again, and then something interesting happened - the scammer wrote me a letter.

"Hello Friend! First of all, thank you for choosing to buy my item. Secondly, I apologize that the product is not in the best condition, and I could not send it to you, because I try to always sell only excellent things. My mother is in the hospital, but soon I will try to find another item in good condition to send to you. I need to go to the hospital to be with my mom, so I hope you will put yourself in my position and let me cancel the order. Thank you and God bless you!"

What a nice guy, right? He canceled the order and I got my money back. His account was closed a week later. He was a very delicate swindler, and I want to believe that everything is fine with his mom. I probably frightened him away with my desire to regularly receive free additional batches of coffee.

Then I spent several hours looking for a certain tool. My wild imagination suggested that maybe someone had created something that in English could be called a "guessor" - a "grammatical error generator", something like a crappy version of Google Translate that deliberately distorts the translation into a foreign language. It turned out that no such tool exists, so it's up to you to develop something similar!

I started asking friends who speak other languages whether they had come across something similar; some of my questions seemed racist, so I stopped looking. The thing is, I figured the scammers would try to feign poor language skills to throw you off the trail by deliberately posting illiterate ads in English, and that is how I hoped to track them down.

Somehow my coffee business got out of control, and I had a guilty conscience. My kitchen was a complete disaster, so it was time to stop this game. I didn't need that much coffee; in fact, I was just paying a hundred dollars a time to collect information about a merchant account. Every time I paid this money, I wanted to learn as much as possible about these people.

However, I am not rich enough to keep conducting such expensive research. Here is the result of my activity, summarized in a table.

In total: 5 purchases, 1 return; received 1,200 coffee capsules, 1 milk frother and 1 compact coffee machine. My cost was $391.90, and the total value of the items I received was approximately $939. In October, I took all the information I had collected - invoices, account data - and sent it to the FBI along with the printed documents I had. I was wondering if they would try to do something about it. I also sent the results of my investigation to eBay and anyone interested. I still haven't received a response from the FBI, but after 30 days the activity of the coffee scammers seemed to have subsided. Perhaps something happened. I couldn't find out who these people were. I really wanted to uncover some kind of cool criminal organization, something like credit card thieves from Morocco or the like, but this did not happen. So it's not a heroic story, is it? This is my confession.

That's basically everything I found out about the scam triangle on eBay. When I began to tell people this story and explain how it works, I was often told that this is a crime without victims. However, once you think about it, you understand that this is not true: there are no crimes without victims. I didn't know much about George from Poughkeepsie, or about the other senders, but I found that they were all retired or close to retirement age. This is a rather vulnerable group of the population. And they end up as victims who are not able to mitigate the damage in any way; most of them do not even know what is happening in their name. People whose credit cards were stolen, having discovered illegal debits of money, begin to dispute them. And the last ones in this chain are not the manufacturing companies but such sellers, elderly people, from whom the money stolen by a fraudster can be recovered.

As a nation, we have not gone far enough to protect these people. For companies or large sellers, this type of fraud does not deal such a devastating blow as it does to older people. The sad thing is that anyone can easily become an accomplice in schemes of this kind. It would be necessary to establish a certain discount limit as a buyer's warning, below which fraud begins. This is a real goldmine for crooks. But eBay doesn't care, and Nespresso doesn't care either, because when you buy at bargain prices, you keep buying and they keep getting a cut or increasing sales.

You are encouraged to participate in fraudulent schemes, because everyone is delighted with such discounts and free goods. However, in reality all this is sold at market price, and large sellers are protected from losses by insurance, which also covers damage from fraud with stolen credit cards. They won't have anything to do with it if they manage to shift the blame onto the one who bought the goods from them for the purpose of further resale - in this case, George from Poughkeepsie - or onto the one whose credit card details were stolen.
So really the only person who can stop it is you or me. And I stopped. I won't do it again. It is not normal. All I have left is my confession and my promise to stop buying super cheap stuff. And I still have a lot of coffee left. Perhaps I can do another good thing by auctioning off this carefully used, wonderful Nespresso machine.

Bidding, by the way, is a terrible idea. It will start as soon as I post an announcement on my Twitter account. Just go to the site and place your bid. Only cash is accepted. The result of the auction will be announced tomorrow at 10 am, and the winner will be able to come to the Tamper Evident village and collect their coffee machine. Don't be silly and place the maximum bid if you are not going to come for it later. All proceeds will go to the Diana Initiative. I promise that I will keep an eye on all these transactions to ensure absolute transparency.

If no one wants to participate, well, it's DefCon, where stuff happens. On the last slide you see my real Twitter account, so write to me. Thank you so much!

The auction starts with a $1 bid, so I'm going to go post this ad right now. Thanks again guys, you are amazing!


Source: habr.com