A friend of mine checked his online bank statement recently and found an unauthorised transaction for O2(UK)LTD PREPAY for £30.00 nestled amongst his porn charges and World of Warcraft subscription. Since he hadn’t used an O2 phone in over a year, this was quite a surprise, and a spot of Googling turned up more than a few people with the exact same problem.
So what is this O2(UK)LTD PREPAY? For starters, it’s a genuine debit on your card made by O2 – formerly BT Cellnet. The problem, of course, is that you didn’t actually make such a purchase, and you’re so paranoid about Credit Card Fraud that you keep your cards in a tinfoil envelope, so how did someone steal your credit card details?
The answer is… they didn’t. Credit Card numbers are generated using an algorithm which makes it possible to easily check their validity before submitting them to a payment processor. Unfortunately, that same convenience means that anybody can whip up a simple program to test 16-digit numbers that pass the validity checks.
So now you have a valid card number, the next thing you need is the expiry date. Since there are only 12 possible expiry date values per year it’s trivial to check until you get a hit. Most cards only last a maximum of five years so you only need check 60 combinations. If you get a hit, congrats – you have a card you can use for fraud.
But wait – surely the only way you can test a card number and expiry date is to actually go ahead and try to buy something? And even then, don’t you have this Verified by Visa step to go through where you have to enter your password? Well ordinarily, yes you would, but if you happen to find a company that is pathetically lax in the way they accept Online Credit Card payments – for example O2 in the UK – then you can enter just these details and see if the card works.
The O2(UK)LTD PREPAY that you see on your statement is a fraudster testing your card number and an expiry date and getting a hit. If you do not cancel your card straight away, you will soon find your card statement filled with purchases you didn’t make, things like TVs, cameras or more phone topups.
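The expiry-date guessing described above leaves an obvious trail in a merchant's authorisation log: one card tried with several different expiry dates in quick succession. The check below is an added example, not code from the original post or from any company it names; the log format, the card tokens (stand-ins for hashed card numbers), the thresholds and the function names are all assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample authorisation log: (timestamp, card token, expiry tried, result).
# None of this is real data.
SAMPLE_ATTEMPTS = [
    ("2010-07-07 10:00:00", "tok_A", "07/10", "declined"),
    ("2010-07-07 10:00:20", "tok_A", "08/10", "declined"),
    ("2010-07-07 10:00:40", "tok_A", "09/10", "declined"),
    ("2010-07-07 10:01:00", "tok_A", "10/10", "declined"),
    ("2010-07-07 10:01:20", "tok_A", "11/10", "approved"),
    # A genuine customer mistyping the expiry once looks like this:
    ("2010-07-07 11:00:00", "tok_B", "03/12", "declined"),
    ("2010-07-07 11:00:45", "tok_B", "03/13", "approved"),
]

def parse(rows):
    """Turn the text timestamps into datetime objects."""
    fmt = "%Y-%m-%d %H:%M:%S"
    return [(datetime.strptime(ts, fmt), tok, exp, res) for ts, tok, exp, res in rows]

def find_expiry_guessing(rows, max_expiries=3, window_seconds=600):
    """Flag cards tried with more than max_expiries distinct expiry dates
    inside any sliding window of window_seconds."""
    by_card = defaultdict(list)
    for ts, tok, exp, res in sorted(parse(rows)):
        by_card[tok].append((ts, exp, res))

    alerts = {}
    for tok, events in by_card.items():
        start = 0
        for end in range(len(events)):
            # Shrink the window from the left until it fits the time limit.
            while (events[end][0] - events[start][0]).total_seconds() > window_seconds:
                start += 1
            seen = {exp for _, exp, _ in events[start:end + 1]}
            if len(seen) > max_expiries:
                alerts[tok] = {
                    "distinct_expiries": len(seen),
                    "first_seen": events[start][0],
                    # An approval after the guessing means the card is now compromised.
                    "approved_after_guessing": any(r == "approved" for _, _, r in events[start:]),
                }
                break
    return alerts

if __name__ == "__main__":
    for token, alert in find_expiry_guessing(SAMPLE_ATTEMPTS).items():
        print(token, alert)
```

A merchant running a check like this can decline further attempts on the flagged card and refund or void any approval that followed the guessing, rather than waiting for the cardholder to spot it on a statement.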
O2 are not the only company who allow anyone to enter any card details to top up any phone. Keep an eye on your bank or credit card statement for any of the following:
O2(UK)LTD PREPAY SLOUGH
ORANGE (A/PG/01) , DARLINGTON
iTunes Purchases
Tesco Mobile Topup
If you didn’t make these purchases, call both your bank and the business involved immediately. Ask the bank to cancel your credit or debit card and issue you with a new number, and ask the business listed on the statement to investigate.
Worryingly, we’ve heard that the bank/business will tell you not to bother contacting the police over the matter. Whether you do or not is up to you of course, and if you get your money back without problems (aside from changing your cards) then you may not want the extra hassle, but the fact remains that a crime has been committed and those businesses with lax online card security have no incentive to improve matters if people don’t complain. I would suggest getting a crime number just for peace of mind – it at least helps you prove to the bank that you are serious about the fraud even if the likes of O2, Orange and iTunes are not.
So why don’t O2 etc put a stop to this? From their point of view, why should they? Airtime actually costs very little for mobile phone companies to provide, so if they have to refund £30 to someone’s card, they actually lose a lot less than that. Add to this the unknown number of transactions that you can guarantee are never spotted by the card owners and you’ll come to understand that O2 are making a profit from this scam.
People should really be complaining to Visa and Mastercard, petitioning them to threaten O2 et al with the loss of their credit card processing facilities unless they tighten up online security. There is absolutely no reason, in this day and age, for this kind of lax attitude to be permitted – they are enabling fraud on a massive scale, profiting from it and appear to have no intention of changing things.
Just recently we’ve heard details of a spate of cold calls from 01274 900 834 and 01274 449 373 featuring India-accented people who claim to have detected that your computer is running slow as a result of a trojan infection and offering to fix the problem for you. Many apparently claim to have got your number from Microsoft. It’s been reported that, should you be convinced enough to hand over your credit card details for the £54-odd one-year service fee, your card will be billed for over £200.
The company concerned is called Support On Click and has a website at www.supportonclick.com/.co.uk – a quick check reveals the domain is registered to Pecon Software Ltd in India:
Domain name:
supportonclick.co.uk
Registrant:
Pecon Software Ltd
Registrant type:
Unknown
Registrant’s address:
EN-27, Salt lake city, Sector-V, Kolkata
kolkata
West Bengal
700091
India
The company usually calls from one of two Bradford-based numbers: 01274 900 834 and 01274 449 373 but also have 0800 047 0653 on their website. If they have called, and you want to call them back, I’d suggest doing so on the 0800 number so as not to run up your own bill. You can then chat to them at length about their service. (Edit: They’re also on Twitter).
More:
A posting on this blog claims that the caller asks you to set up remote access on your machine so that they can infect you with a trojan, then sell you software to prevent it happening again, said software being – you guessed it – another trojan/virus/whatever. It’s worth noting that this complaint is from Australia, so they really are targeting people on a global scale – presumably any English-speaking country is at risk.
Update:
Another blog has touched on the SupportOnClick fiasco – DigitalToast has an article here. Despite protestations from Mr. Shah, the dodgy calls continue to come, cold-calling and all. SupportOnClick are also on Twitter.
Further Update: Although SupportOnClick themselves have apparently commented below, the vast majority of comments are from people who have experienced hard-sell and dishonest sales techniques. Claims of ‘We have a list of satisfied customers’ are easily countered with the list of obviously dissatisfied customers below, and it is obvious that, amongst the more knowledgeable at least, SupportOnClick has lost customer trust.
7th July 2010 PCPro have a new article up on this kind of scam: here
Every now and again you come across an idea you wish you’d thought of first. Swoopo Auctions (here) is just such an idea.
An expensive electronic item is put up for ‘Auction’ – it could be a Nintendo Wii, an iMac, whatever – and people bid for it. Every time you bid, the price of the item goes up by 7p and the remaining time is incremented to give other people a chance to outbid you, just like a real world auction. There’s a final end date/time as well, just to stop people bidding forever.
The genius bit is that Swoopo charges you 50p for each bid.
Let’s have a current Swoopo example: At the time of writing there’s an 80GB PS3 console up for grabs, and the current price is £59.15. It started at 7p, which means 844 bids have been placed to get it up to its current price.
844 bids have earned Swoopo £422.50 in bidding fees, and if the current high bidder wins, he’ll have to pay £59.15 on top of however many bids he’s made, so this £299.00 item has sold for a minimum of £481.65 – nice work if you can get it!
Update:
They’re taking the mick now – an auction for £40 cash has brought in £80+ so far. As someone here said: “Well that’s one way of laundering money.”
It began, as so many adventures do, with a chance tip from a concerned netizen. A lady on the Internet had received an email saying she had won the Lottery and had been in communication with the offenders when she decided she didn’t like the way things were going. She emailed us, and things happened.
Many moons ago I wrote a Lottery Results website. The lady emailed us with an alternate address, revealing that the scammers had copied the entire website – including the list of Lottery Scam Emails – in order to give their 419 Email Scams that added air of legitimacy.
There were several changes, all geared towards getting an unsuspecting user to type in a username and password (supplied in the scammers’ original email) and then enter their legitimate bank account details. No doubt the scammers would plunder the account, leaving the scammee high and dry.
The WHOIS for uknlotteries.com showed it was on a free hosting company, Freehostia, and that the domain was purchased through ns.com / tucows.com on 14th August – just a week before we were told about it. Pinging the domain gave 64.72.119.253 – an IP handled by AlphaRed.com. All of these companies were sent a copy of our 14-Page report.
Next up, we noticed that the ‘Contact Us’ page still contained the IP and Host Name of the person who downloaded the first copy of the site – ironically this was a security thing:
80.178.248.142.satcom-systems.net / 80.178.248.142
Mozilla/4.5 (compatible; HTTrack 3.0x; Windows 98)
This was an IP address in Israel. A quick search of the server logs showed that users from Satcom Systems had been visiting at least as early as October 2006.
Examination of the source code revealed other domains in use by the spammers: CTBPLC.co.uk (Not working) and GCBOFLONDON.com (A holding page on a Microsoft Office service). Another free hosting company, Multiververs.com, was used for the latter.
The /secured/ folder did not contain an index file and so we were able to examine the other files in that directory. We found IP activity mini-logs from Web2FTP.com for the following IP addresses:
Further examination of other known file paths that were cloned revealed that 82.206.163.11 was the IP of the user who had uploaded the files to the fake domain.
IP WHOIS Info for 82.206.163.11? Yep…
inetnum: 82.206.163.0 - 82.206.163.255
netname: CUST-SUBURBANTELE
descr: Reassignment to Suburban Telecom
country: NG
admin-c: BA771-ripe
tech-c: BA771-ripe
status: ASSIGNED PA
remarks: *************************************************************
remarks: * *
remarks: * For issues of abuse related to this IP address block, *
remarks: * including spam, please send email to at: *
remarks: * *
remarks: * s.ayonote@suburbantelecom.com *
remarks: * *
remarks: *************************************************************
mnt-by: AS22351-MNT
mnt-lower: AS22351-MNT
changed: TAC.OPS@Intelsat.com 20060623
source: RIPE
person: Bruce Ayonote
address: Plot 1105 Durban Street Wuse II
address: Abuja, Nigeria
phone: +234 80 3313 7201
e-mail: bruceayonote@hotmail.com
nic-hdl: BA771-ripe
mnt-by: AS22351-MNT
changed: tac.ops@intelsat.com 20030611
source: ripe
A quick IP WHOIS on the other IP addresses confirmed it – a classic Nigerian 419 Scam.
A copy of everything we’d found was sent to all concerned parties and the website was gone 10 hours later, with Freehostia being first to pull the plug. As of right now, we don’t know if the scammers can still access the domain, so it’s possible that the site will reappear on another hosting company. We’ll have to keep an eye out for that one.
Updated 6th June: It appears the scammers have created more than one site – this one actually made it into Google’s listings. I’ve tipped off the hosting company, as before, and we’ll see what happens.
Updated September 12th: Finally got rid of it. The hosting company in this case was a little less willing to help and had to be reminded, and even then asked for proof that it was a cloned and phishing site.
Over the past few days I’ve had over a million hits from MySpace.com – thousands and thousands of users clicking a link that leads them to a d04.net page. The page explained that the link they’d clicked had been disabled because it had violated our terms and conditions. Straightforward enough, right?
Evidently not for the MySpace crowd! I had hundreds of emails showing a varying level of spelling ability, all asking me why their precious MySpace pages had been blocked. I hadn’t blocked a single person’s MySpace page you understand – just the link to the fake site.
For doing this, I’ve been called a spammer and a hacker. I’ve been told I suck and that people are fed up with my shit. I’ve witnessed a whole gamut of badly-written pleading as people cry about their MySpace, claim they didn’t do anything and won’t ever do anything like it ever again, honest. I’ve even had people send me their login details asking me to fix things – what the hell’s wrong with these people?
So anyway, d04.net is now offline and will remain so until I can be bothered to rewrite it all, making it even more restrictive and even more hassle for me to run – all because some people on the Internet can’t be trusted. And this is why we can’t have nice things.
You’ll understand why I’m in no rush to resurrect it.
UPDATE: (Actually it’s now Sunday, but what the heck)
It appears some of the MySpace users who can’t read a URL have reported d04.net to McAfee Site Advisor which redirects you to a page reading:
“d04.net/ may try to steal your information.
Why were you redirected to this page? We believe this site may be
trying to trick you into entering your financial or personal
information. This is a serious security threat which could lead to
identity theft, financial losses or other dissemination of personal
information.”
I’ve emailed them with an explanation and hopefully they’ll have a real live human with a working brain look at the situation and … ah who am I kidding?
Just recently I’ve been receiving emails to my work address, which has nothing to do with my PayPal or home business address, regarding purchases I’ve apparently made using my PayPal account.
The emails are generally a single image, most likely a screencap of a genuine PayPal receipt email, altered to show the purchase of an expensive electronic item – just the type of thing an account hacker would go for. Further down the page is a ‘Dispute Transaction’ link which takes you to the hacker’s fake PayPal front end.
On all occasions so far, the fake site has been removed before I get there, suggesting that PayPal are actually on the ball. Maybe the threat isn’t that bad after all.