Tuesday, May 26, 2015

Anatomy of a Fraud

(Our fantastic Samsung NX200 camera, packaged up ready to sell)


In the last month Agata and Marcus have been the target of attempted fraud.  And unbelievably to us, last week,  it was attempted for the second time.   It's time to make this public.


Are We Okay?

Luckily, by Marcus's persistence or maybe design I've not lost anything more than my time.


Background

We are selling a large number of items on the Swiss sales website anibis.ch. Our items are listed here.

Motivations for our sales include
- Reuse by others of items we no longer need or use
- Effectively recycling them
- All adverts are carefully made
- All items carefully tested and working 100% perfectly
- We don't sell faulty or crapola or misadvertised stuff
- Prices are between reasonable and bargain
- The money we get from any sale is really tiny all things considered.

Elements of this Scam

- This is a Paypal related scam where the buyer offers to pay via paypal.
- The goods that they want to buy are irrelevant; the game is to get you to post the goods, then sting you with a condition which, if you don't agree to it, means you'll get nothing
- Faced with the proposition of losing your goods without any payment, you are tempted into their trap, which involves you, the seller, sending them money ...



Scam Setup and Execution



3 people

Bogus Buyer
Idiot seller (me)
Third Party (destination of gift)

The third party could potentially be innocent, but I think this is unlikely. More likely they are part of the criminal team and will deny all knowledge if questioned by police (plausible deniability). This is also so the buyer's identity is not known.

a - Bogus Buyer offers to buy my camera

b - Buyer offers to pay via Paypal

c - I accepted

d - I receive a fake email from paypal.ch  (spoofed) saying that intention to pay me has been made by paypal

e - I don't check the email sufficiently or visit my paypal.com because being an idiot/ kind soul I am trying to make the last post to send them the item   (Don't know if this is their timing intention)

f - Buyer says item is a gift so please post to Third Party at a valid Swiss Name and Address

g - I take item to Post office.
LUCKILY I decided with the value to insist on signed delivery.  Interestingly bogus buyer asked me NOT to do so but I thought, for this value I want a signature.  Maybe that saved me

h - Lucky#2: For signed items in Switzerland you MUST fill in a special label and attach to packet.  I never normally quote my full address (being paranoid) but in this case I did, perhaps because of larger value.

i - I send the buyer confirmation that item is posted, via tracking receipt.  At this point they know I am committed.

j - Next morning early, bogus buyer emails to say there is a problem sending me paypal money

k - They claim that Paypal won't accept the funds until my account is upgraded. So they have ADDED 450 CHF francs to my sale price  (450 + 270) = 720 CHF and this balance will be paid by paypal after I first send them some 450 CHF paysafe tokens:

l - I need to go to a tobacco or other shop in Switzerland.  Buy 450 CHF of paysafe tokens and send them the codes  (effectively sending them 450 CHF)

m - Once they get my 450 CHF they will instruct Paypal to send me the 720 CHF

m2 - They implied that paysafe and Paypal are working together necessarily so

n - I called paypal.  They explained there is no account upgrade, which I pretty much knew from his first email and the paypal emails which I can now clearly see are faked. 

o - I told Buyer to pay via paypal or return goods and that I did not care if they already paid paysafe, not my problem.  We exchanged many emails, he kept insisting on payment from me first of the 450 CHF


Clever Bits
This is an attempt to extort money from me, the seller of a product!

I traced their IP to outside Switzerland

I liaised with the Swiss Post office to check that the ex directory Swiss name and address is valid, is receiving mail at that name, but we don't know if the destination is an innocent party or part of the fraud.

I found the destination person on facebook, printed out their whole bio, I found their education, job history. I messaged them. I found their parents name and address, their parents quite important jobs.

I intend to take it further, via the police. I need to more closely analyse the internet headers of the emails that I have saved.  They are spoofing not just paypal but also paysafe, both using gmail addresses.

Meanwhile I already raised a case with Google.

Relief
I got the camera back, that package and other signed letters sent to the Swiss address were refused. (I also sent an identical non signed for letter, that presumably was delivered). 

It is possible that the third party target is innocent, but in this case to refuse all attempts at contact  (facebook, post, email) I find suspicious.

Scam#2
A week or two later this happened again!  Right I thought, now I can investigate.  This time the fraudulent emails are theoretically from paypal.fr  (but mail headers show otherwise)

- I have a precise record of all conversations

- I've established the domains and website that have sent me the emails
- I've reported to Google the illegal activity of any gmail user
- I've made requests to Internet bodies to determine certain information that must be presented publicly
- I've reported to Paypal the illegal activity and offered to work with their fraud team
- I've portscanned the domains with illegal activity proving that activity is coming from inside not from hacked unsecured servers
- I've knowledge of the ISPs of the illegal domains and ultimately owners
- All this information will be passed to the Swiss Cybercrime division
- I will also inform the Swiss Police



Summary Points


- Don't be in a rush to please when the Buyer has done nothing for you

- In Switzerland we traditionally trust buyers and send items prior to payment, but let's insist on prior payment before shipping for foreign transactions or ones that are suspicious.
- Check inbound payment emails from Paypal carefully
- Research the buyer on the Internet, no history or trace can be regarded as suspicious
- If it is Paypal then log on to your account and check pending transactions from the https screen.
- Insist that you send the item to the buyer and not a third party
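
One way to automate the "check inbound payment emails carefully" point for plain single-part messages, as an added example that is not part of the original post. The `TRUSTED` and `FREEMAIL` lists are assumptions to adjust, the sample messages are constructed, and `servicepaypal.eu` is the lookalike domain named further down in this post.

```python
import re
from email import message_from_string
from email.utils import parseaddr

BRAND = "paypal"
# Assumption: sender domains you accept for this brand; verify against genuine mail.
TRUSTED = {"paypal.com", "paypal.ch", "paypal.fr"}
FREEMAIL = {"gmail.com", "aol.com", "hotmail.fr", "laposte.net"}

def domain_of(header_value):  # lower-cased domain of a From/Reply-To address
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def is_trusted(domain):
    return any(domain == t or domain.endswith("." + t) for t in TRUSTED)

def check_payment_email(raw):
    """Return reasons to distrust a 'payment received' notification."""
    msg = message_from_string(raw)
    name = parseaddr(msg.get("From", ""))[0].lower()
    from_dom, reply_dom = domain_of(msg.get("From")), domain_of(msg.get("Reply-To"))
    findings = []
    if BRAND in name and from_dom in FREEMAIL:
        findings.append(f"brand display name on freemail sender {from_dom}")
    elif BRAND in from_dom and not is_trusted(from_dom):
        findings.append(f"lookalike sender domain {from_dom}")
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To goes to {reply_dom}, not {from_dom}")
    # Only meaningful when this header was added by your own mail provider.
    auth = " ".join(msg.get_all("Authentication-Results", [])).lower()
    if is_trusted(from_dom) and "dmarc=pass" not in auth:
        findings.append(f"From claims {from_dom} but no dmarc=pass recorded")
    body = msg.get_payload() if not msg.is_multipart() else ""  # single-part only
    found = re.findall(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+", body)
    stray = sorted({a.lower() for a in found if not is_trusted(domain_of(a))})
    if stray:
        findings.append("other addresses in body: " + ", ".join(stray))
    return findings

# Constructed sample messages (not the emails from this post).
LOOKALIKE = """From: "PayPal Service" <service@servicepaypal.eu>
Reply-To: constructed.sample@gmail.com

<p>Funds are held for <a href="mailto:another.sample@gmail.com">you</a></p>
"""
SPOOFED = """From: service@paypal.ch
Authentication-Results: mx.example.net; spf=fail; dmarc=fail

Funds are held until shipment is confirmed.
"""
```

An empty result only means none of these checks fired; the pending transaction still has to appear in the account itself.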



Links

Anibis safety link
Anibis Fraud Guide
Report Google Gmail abuse

Swiss online purchasing scams
Cybercrime Complaints Form CH


Name and Shame

I'm writing down the exact names of the wankers that I have dealt with here.  I'm excluding the precise names of the third part(ies) involved, since it's just possible though IMHO extremely unlikely that they are innocent. Yes, what a nice guy I am.


IP address of senders

148.251.215.254  <but it's a Tor network so hmm>
82.239.104.165  Tours, Centre 37100, France


Names Used
Marie Charlotte Poligny
Xavier Stanton
Gaelle Vachet





Email addresses of fraudsters


vachet.gaelle@gmail.com
payservicesclientseurope@gmail.com
mariecharlotte.poligny@gmail.com
servicesachats.enligne@gmail.com

paysafecard_online@servicepaypal.eu
servicepaypal@servicepaypalonline.eu




Domains
servicepaypalonline.eu
servicepaypal.eu

Delivery Addresses

3rd party address: Ms C D, Ruelle du Chapitre 3, 1950 Sion, Switzerland
3rd party address: 6061 Montignies sur Sambre, Belgium?
3rd party address: Avenue Henri-Golat 12 B, 1219 Châtelaine, Switzerland

And, Unbelievably Idiotic Emails

Yes, well, looking in the calm light of day the emails look like shit and have several formatting and other errors making them look questionable.  Example:










On the style front we have

- Inconsistent amateurish use of fonts

- Sender's paypal account (amaelia.grace@gmail.com) not matching in any way the sender's email (mariecharlotte.poligny@gmail.com)
- Odd highlighting
- Analysis of the email body shows a host of other email addresses inside the HTML.  Let us name in total


abdelkader070@aol.com
Gisele.drouet@laposte.net
amaelia.grace@gmail.com
Caro--hcl@hotmail.fr
justine.felarde@gmail.com
marieannick.travelet@laposte.net
sriberi@monaco.mc