Krebs on Security
If It Sounds Too Good To Be True…
The old adage “If it sounds too good to be true, it probably is” no doubt is doubly so when it comes to steeply discounted brand-name stuff for sale on random Web site, especially sports jerseys, designer shoes and handbags. A great many stores selling these goods appear to be tied to an elaborate network of phony storefronts and credit card processing sites based out of China that will happily charge your card but deliver nothing (or at best flimsy knockoffs).
Earlier this month I heard from a reader whose wife had purchased ladies clothing from bearcrs.co.uk, a site that until very recently billed itself as an official seller of Victoria Secrets goods. Most of the items for sale were roughly 60-70 percent off the retail price advertised anywhere else. The checkout process brought her to payment site called unimybill.com, which took her credit card information and said she’d been successfully charged for her purchases. The goods never arrived.
“They charged her card about $100,” said the reader, who asked to remain anonymous. “I tried to contact them, they never replied back. I started to discover similar websites by entering phrases from bearcrs.co.uk into Google. All websites have the same php engine, same phrases, registered in China, same checkout process, all they sell brand clothes for 30% of real price.”
Bearcrs.co.uk is one of hundreds of bogus storefronts that list products of well-known brands like Nike, Ray Ban, Michael Kors and others, hoping to lure bargain-hunting shoppers. Among the many fraudulent sites is michaelkorshandbags.co.uk, a site that claims to be a merchant in the United Kingdom but whose infrastructure is all Chinese.
The same network is tied to michaelkorshandbags.co.uk and hundreds of other similarly structured sites, all of which have left a trail of complaints online from customers who were charged for goods that never arrived. Order anything from this shop and you are taken to a checkout page at sslcreditpay.com, which tries to assure shoppers that the page is legitimate by posting a number of logos and trust seals from a variety of security and payment security providers such as Verisign, Symantec, Trustwave and the PCI Security Standards Council. Trouble is, none of these organizations actually authorized this payment gateway to use their seals, which are supposed to be clickable icons that provide information to help support that claim.
A check with Trustwave showed that the seal was bogus. John Randall, senior product manager for the company, said Trustwave only issues the Trustwave seal for customers that purchase its domain validation or extended validation (EV) certificates, and that the site in question hadn’t done either.
Likewise, the PCI Security Standards Council said it doesn’t authorize the use of its logo for payment processing sites.
“As a standards setting organization we do not validate compliance with PCI Standards – this is managed separately by each payment card brand,” said Ella Nevill, vice president of stakeholder engagement at the PCI Counil. “As such, we don’t provide any sort of compliance ‘seal’ or use of our company logo. What we do provide is use of a PCI Participating Organization logo for our member organizations that pay to be PCI Participating Organizations and be involved in standards development process.”
Sslcreditpay.com is one of many apparently bogus online payment processing sites tied to this fraud network. Other phony payment portals include payitrust.com and paymentsol.com. You can’t reach the payment pages for these processors directly unless you actually check out from an associated online store. At that point, you’ll be directed to a subdomain like https://payment.payitrust.com and https://payment.paymentsol.com.
After agreeing to pay for items from michaelkorshandbags.co.uk, for example, the checkout page takes one to sslcreditpay.com, but the HTML source of the page references a site called wetrustpay.com, whose WHOIS Web site registration records lists a contact email address of “email@example.com.”
QQ is an extremely popular Chinese instant messaging service, but not exactly an address one would hope to see associated with a payments domain. As it happens, this entire scheme fits the profile of a network of scammy sites that was recent the target of a lawsuit filed in Illinois district court last year alleging trademark infringement against a huge swath of brand name merchandisers.
A great many of their websites have been suspended thanks to a recent decision of US Federal District Court (PDF). That decision noted that the sites in question all had the same telltale characteristics:
Defendants further perpetuate the illusion of legitimacy on the Defendant Internet Stores by falsely alleging to offer “live 24/7” customer service and making unauthorized use of indicia of authenticity and security that U.S. consumers have come to associate with legitimate retailers, including the McAfee® Security and VeriSign® trademarks.
Additionally, Defendants use other unauthorized search engine optimization (SEO) tactics to increase website rank. As a result, links to Defendant Internet Stores show up at or near the top of popular search results when consumers use one or more of Plaintiffs’ Trademarks to search for goods online and thereby deceive and misdirect consumers searching for one or more of Plaintiffs’ Genuine Products.
The Defendant Internet Stores also include other notable common features, including use of the same domain name registration patterns, unique shopping cart platforms, accepted payment methods, check-out methods, meta data, domain redirection, lack of contact information, identically or similarly priced items and volume sales discounts, the same incorrect grammar and misspellings, and similar hosting services.
Before you shop online at a non-name store, do your homework: A simple Internet search on most of these stores and payment gateways produces plenty of evidence that buying from them is a bad idea. As always, running a simple WHOIS search (domaintools.com is a favorite tool for this) on these domains shows that most were registered very recently.
Here are some (this is by no means a comprehensive list) of the other scammy payment gateways associated with these phony storefronts.