Dumbest CC fraud ever - I hope

[JeffL]

So I am checking my bank account online, and I see a charge for $13.50 to some name that is unfamiliar. I check with my wife, hey, did you put anything on the debit card to so-and-so? Nope, she replies. Hmmm.

So I suspect it must be an annual auto-renewal to some online something I'd subscribed to a year ago, or something in that vein. I do a google lookup of the name listed on the transaction, and it turns out it is some job hunt/hire site. A place that apparently will put your resume out on a lot of sites for you or, if you are hiring, hunt a lot of sites for resumes for you. (Anker Solutions LLC, fwiw.)

OK - I know for sure I never signed up to these guys. So I send them an email asking what's up, never subscribed to you guys, here's the charge. They reply back the next morning - sorry, we do occassionally see online fraud, we're crediting your bank account, here's the info we have on this new account.

And it is my name, username chosen was jefflackey, and they give me an IP address that was logged with the transaction. They tell me that they will lock the account, do some further investigation to determine who committed the fraud, etc.

So I enter the IP address into a lookup site, and it is a SWB DSL account in St. Louis (I'm in KC) and the organization listed is a guy's name. Google that name, and I get a lot of hits and it's a guy who runs a website for gays in St. Louis.

A couple of thoughts:

1. OK, guy is pretty visible, lots of interviews pop up with him talking about gay rights issues in St. Louis (his picture was attached to one blog, looks to be a young guy, maybe in his 20s,) is it possible someone is trying to mess with him? But this would be the most obtuse way in the world to screw with someone - "Hey, let's use a debit card we scammed and purchase a membership on a relatively unknown resume site, and somehow do it from his IP domain! Maybe he'll get caught!" Seems convoluted, plus how would they enter the transaction from his IP?

2. Someone has somehow obtained my debit card info (already canceled and reported with my bank, of course) fraudulently. There's been only one charge in the last few days. Of all things to use a scammed card, a jobs/resume site? For $13? What in the heck does that do for you? You can't even really use it, because the name you've used for your account is not yours! (I did ask the website to check what activity was conducted on this account, to make sure that someone didn't post a lot of fraudulent resumes in my name, etc.)

Of course, what bugs me a lot is how anyone got my debit card info to begin with.

Not a good way to end the week - sigh.

[Houngan]

The guy in St. Louis is probably just a zombie from a trojan.

H.

[Kael]

When you drink to much you browse gay hookup forums and dream about a career change. Im sorry you had to find out like this.

[Tim]

Your account numbers and name are not secrets (you share them all the time, the issuer transmits them in very insecure ways all the time). I would not worry about how someone got the info.

I saw dumber fraud. A florist had an order charged back as fraudulent, I worked at the company that did their credit card processing. She had all the details, name & contact info for the guy (call him Mr Dumas) who ordered a fancy arrangement for delivery, the card message. In this case, the cardholder's bank had sent us all the related dispute documentation.

It seems that Mrs Dumas was the primary cardholder and certainly had not ordered any flowers from this local shop and had checked with Mr Dumas, who was an authorized user, who also had not done so. The florist confirmed that Mr Dumas was her customer, but the flowers were delivered to a Ms Hoochie. The card message was "Thanks for a great time in the parking lot last night".

I advised her to check with Mr Dumas one more time, to see if he had inadvertently forgotten this order. If not, she now had full contact info for Mrs Dumas and would see if any of the details were recognizable to her. And that he should bring cash by the end of the day.

[Hans Lauring]

Well played.
I assume she got the money?

[Morberis]

When I read a few Credit Card scan stories apparently what they do with a newly obtained credit card number is charge some low cost (so neither you nor the bank notice) items to it , online, that are easily verifiable to make sure that the info they have is good. So what they likely did was charge that site to test out your card to see if it was valid. If you hadn't of caught the transaction and then cancelled your card you likely would have seen other transactions show up.

Regardless of the fact that you cancelled the card they may also have obtained other personal info, so you should check your credit report and the common advice is to apparently monitor it for a year to make sure nothing pops up. And to continue to check it quarterly or yearly afterwards because your info may then be sold to someone new who may try using it.

Finding out that someone took out a $50,000 credit card in your name, and then maxed it, is not fun. Trust me it happened to me Dad after AFSC had a breach - apparently they just walked in and physically removed the paper files. - Agriculture Financial Services Corporation (AFSC) is a provincial crown corporation with a private sector Board of Directors that provides farmers, agribusinesses and other small businesses loans, crop insurance and farm income disaster assistance.

Or you know it may just be he (the guy who stole your CC info) was stupid.

[JeffL]

Tim, LOL!

I just can't logic out why someone with fraudulent CC/debit card info would use it to open a $13.50 membership at a web resume/job hunting site.

They are either REALLY dumb, or very smart - the latter thinking that perhaps you test it at an obscure web service to see if it works. Then go for the gold.

Still makes no logical sense to me. "Dude, I got a debit card name and number from WereCoolRobbers.com! What should we buy with it?" Dude, that's SO cool! I know, howz about we go join some job seeking site! We can save like $13 AND get a place we can look for a job!" "Cool!"

[mystery]

Quote:

Originally Posted by jeff lackey

They are either REALLY dumb, or very smart - the latter thinking that perhaps you test it at an obscure web service to see if it works. Then go for the gold.

I doubt it was even a person behind the keyboard making that charge. The script-kiddie universe in which CC scammers live thrives on one-off scripts that sign up for sites and then make these insignificant charges. It's how they can sell your personal information as "valid, useful" rather than "an obviously canceled card."

[Jojo]

Quote:

Originally Posted by jeff lackey

I just can't logic out why someone with fraudulent CC/debit card info would use it to open a $13.50 membership at a web resume/job hunting site.

The best explanation I can think of is that a job-hunting site would be relatively innocuous/feasible in these poor economic times, and its not something obviously bogus like a porn site. But yeah, does seem dumb.

[wildpokerman]

I'm going with the test the card hypothesis. They probably used someone else's information that they stole and plan on using the card for bigger purchases later.

[JeffL]

Well, I actually emailed the guy who owns the IP from which the fraud was committed, told him that the fraud with my debit card had been caught, that it was tracked back to his IP, that the company was pursuing it and I was pursuing it with my bank with this information, and that if he had used it anywhere else or given the information to anyone else, I would appreciate him letting me know and I'd take that into consideration, etc.

I expected, if he was innocent, an email reply back pretty quickly saying something like "Please give me more information - I absolutely did NOT use someone's debit card" etc. Not sure what I expected in response if he was not innocent. But it's been a couple of days and I have received no response at all.

I also don't know who else to turn this info over to. My bank is basically crediting me and shut down the card, but it doesn't seem they are going to go further. Visa, who "owns" the debit card, only seems interested in making sure the charge was fraud and the company to whom it was charged goes along with the chargeback. Is there no one who actually goes after the people who committed the fraud or at least investigates?

[wisefool]

If it's the USA, you could maybe try that state's Attorney General. Young bucks trying to make a buck for themselves sometimes need targets.

[JeffL]

Quote:

Originally Posted by wisefool

If it's the USA, you could maybe try that state's Attorney General. Young bucks trying to make a buck for themselves sometimes need targets.

Yeah, it's someone in St. Louis. As I mentioned previously, the IP recorded for the transaction came back with the organization being this guy's name. Should be pretty easy to do at least the first step of the investigation if anyone wants to investigate.

But I can see now how people do this crap with impunity. Here I've got an obvious case of someone fraudulently stealing my CC info and using it. The IP address is clearly captured. Even if someone somehow trojaned through that IP address, I'd assume someone would be at least looking into it.

Yet all the CC company is doing is making sure that the chargeback goes through and the company getting the chargeback doesn't dispute it. All my bank is doing is shutting down the card. No one steps in and tries to at least make a first pass attempt to go after who did it.

[Aeon221]

It isn't exactly cost effective to start up an investigation over a 13$ fraudulent charge.

[JeffL]

Quote:

Originally Posted by Aeon221

It isn't exactly cost effective to start up an investigation over a 13$ fraudulent charge.

Oh, I understand. That's part of my frustration. These guys can test cards with impunity, apparently, in this manner with no worry that anyone will ever go after them. I wish that the fraudulent use of a CC or debit card would be a crime bigger than the amount that was charged.

[TimElhajj]

Quote:

Originally Posted by jeff lackey

I expected, if he was innocent, an email reply back pretty quickly saying something like "Please give me more information - I absolutely did NOT use someone's debit card" etc. Not sure what I expected in response if he was not innocent. But it's been a couple of days and I have received no response at all.

I'm tyring to imagine the content and tone of the message you sent and what I might do if someone send me something similar. I'm pretty sure I would ignore it. Maybe I'm just too suspicious, but there just dosn't seem to be an acceptable way for anyone to explain something like this, without it soundling like some sort of cheap scam targeting the person getting the email. It just sounds too crazy, with no clear benefit for the person getting the email to respond, one way or the other.

[Timemaster Tim]

Quote:

Originally Posted by Bullhajj

I'm tyring to imagine the content and tone of the message you sent and what I might do if someone send me something similar. I'm pretty sure I would ignore it. Maybe I'm just too suspicious, but there just dosn't seem to be an acceptable way for anyone to explain something like this, without it soundling like some sort of cheap scam targeting the person getting the email. It just sounds too crazy, with no clear benefit for the person getting the email to respond, one way or the other.

I agree. If I received such a message and were innocent, my immediate reaction would be "What the hell type of scam is this? Curious, it didn't come from, Nigeria." And then it would be deleted without another thought, and certainly without a reply.

[EvilIdler]

Quote:

Originally Posted by Aeon221

It isn't exactly cost effective to start up an investigation over a 13$ fraudulent charge.

If one card is stolen, perhaps others are. It could be very expensive to not investigate.

[JeffL]

Quote:

Originally Posted by Timemaster Tim

I agree. If I received such a message and were innocent, my immediate reaction would be "What the hell type of scam is this? Curious, it didn't come from, Nigeria." And then it would be deleted without another thought, and certainly without a reply.

Yeah, I agree with you guys. I tried to write it to make it read as legit as possible. The fact that he DIDN'T reply makes me think that perhaps it was trojaned through his IP address - I would suspect that someone who actually did it might reply in some type of panic. Or not. Sigh.

[AndrewM]

Quote:

Originally Posted by jeff lackey

Yeah, I agree with you guys. I tried to write it to make it read as legit as possible. The fact that he DIDN'T reply makes me think that perhaps it was trojaned through his IP address - I would suspect that someone who actually did it might reply in some type of panic. Or not. Sigh.

You could write him a paper letter. Or send a singing telegram.

[RyanMichael]

Quote:

Originally Posted by AndrewM

Or send a singing telegram.

[DennyA]

I had a Visa compromised in one of the big card approval company data thefts a few years ago. There was plenty of info to nail the guy -- he'd used it to sign me up for a bunch of services to get himself a free iPod when that was all the rage.

He created a Compuserve account, he had the iPod mailed to him, etc. If the CC companies were interested, there was plenty of data to find out who he was. But they showed zero interest in doing so. So there's little incentive for these guys not to pull these kinds of ripoffs, it seems.

[Kael]

Quote:

Originally Posted by DennyA

I had a Visa compromised in one of the big card approval company data thefts a few years ago. There was plenty of info to nail the guy -- he'd used it to sign me up for a bunch of services to get himself a free iPod when that was all the rage.

He created a Compuserve account, he had the iPod mailed to him, etc. If the CC companies were interested, there was plenty of data to find out who he was. But they showed zero interest in doing so. So there's little incentive for these guys not to pull these kinds of ripoffs, it seems.

I suspect that the credit card companies aren't to blame here. They would love to see these guys prosecuted, but they cant do it. Its the lack of focus from the legal/police community thats lacking.

Credit card companies get tired of beating their heads against a wall when the police dont want to take their calls. So they let it go. If they could call an authority, turn over the evidence and let the police handle it Im sure they would.

And in defense of the Police I think the problem is we dont have a very good evidence process for computer crimes. How do you prove anyone did anything? How do you prove there wasnt a hacker involved? How do you prosecute crimes where the person lives in one city and state and never left but used the identity from a person in another city and state to steal from a company in a 3rd city and state (and maybe country).

We need to get better, computer crime is way to profitable. We are getting better but it take a while to shift to new paradigms and the internet is still relativly new. I think most of us remember a time before the internet existed. But its a big issue to tackle.

[JeffL]

Hmmm. Sounds like a good topic for an article....

[EvilIdler]

I guess police don't have a department for economic crime in Americadia?

[Tim]

They don't go after apparent small time crimes very often. It usually takes an extended pattern or very large sum to get any attention from them. I saw a lot of cases in my credit card days where it seemed pretty clear there was fraud and often credible contact information for the culprit(s). For a non-violent case worth one or two hundred dollars, law enforcement was just never interested.
When they do get interested, it can escalate quickly. Visits from the secret service feel pretty exciting. FYI, according my unscientific surveys, 100% of secret service agents think Wild Wild West was a cool show. They are, of course, correct.

[EvilIdler]

I think our police just started a task force especially for this sort of thing. I'm too paranoid to need them, though.