If an online credit card scam uses YOUR info, what would the authorities do? A scammer contacts Stronghold Cyber Security – we found out the answer.
Credit card scammers sure work fast. Stronghold Cyber Security is a three-month-old startup, and already we have been targeted by fraudsters. However, trying to dupe a cyber security company into participating in a reshipping scam is about as smart as mooning the police.
On May 23rd, I received an email from “Scary Cooper” from a Gmail address attempting to impersonate the name of a real company in Texas. For the record, the perp’s name is not really Scary Cooper — he is using a stolen identity, so we are using a fake name to protect the identity theft victim. The subject line read “Quote Proposal Needed!”, and the email read:
We need a quote proposal on the item with the model number below: 1) Seagate Backup Plus Slim 2TB External USB 3.0/2.0 Portable Hard Drive …100 Units
Please advise price and availability.
Payment by credit card as soon as we receive the final total cost. Shipping to be determined but expedite delivery is requested for long lead-time I look forward to your response asap.
Best Regards, [REDACTED] Cooper
[REDACTED], TX [REDACTED]
Wow, that’s funny, we don’t even offer anything like that for sale on the website. Obviously, I knew right away this was a scam, but as a cyber security professional, I decided to reply:
Hello Mr. Cooper!!
Where do you need the items shipped to? This information is required so that we can provide you with an accurate total.
Mr. Cooper replied fast with his location and zip code. Not wanting to disappoint a “potentially valued customer”, I hopped on Newegg.com and priced the items out. To be extra nice, I even knocked off 10% and threw in free shipping for an even $6500 right to the door – what a deal! After that, Mr. Cooper replied that he would forward his credit card information to process the order. He did not disappoint. The following afternoon, I received a follow-up email with a purchase order attached, in the form of a .docx file. Here is a copy of the email and purchase order, sanitized to protect the victims:
Please find the PO as attached file including credit card information to process for this order.
Awaiting order acknowledge with credit card receipt asap.
Unsurprisingly, Mr. Cooper does not practice online safety regarding credit cards – he sent out un-encrypted information directly through email, an unsecure transfer method. You’d think that would be the least he’d do with someone else’s valuable credit card information, but I guess not. Truth be told, I was actually a bit surprised; evidently he was dumb enough to try and use a cyber security company as part of a reshipping scam. The items were to be shipped to a third company in Texas who specializes, among other things, in freight forwarding to overseas nations including….wait for it…Nigeria! Who would have thought?
Here is how this credit card scam works. Credit card gets stolen from person Victim-A (the real Scary Cooper). Perpetrator masquerades as Victim-A, claiming to work for legitimate company Victim-B (unnamed in this article), and then sends a purchase order to a second company, (in this case, Stronghold Cyber Security) Victim-C for fulfillment. The purchase order instructs Victim-C to bill the goods to Victim-A, and ship them to a falsified address for Victim-B, which is really the address of a freight forwarding company. Ultimately, the goods get sold on overseas black markets and the credit card company eats the bill. Naturally, these losses are passed on to consumers…you. Brian Krebs, of Krebs on Security, has done much research on reshipping scams.
A few hours later, I received a phone call from the perpetrator, claiming to be Victim-A, Mr. Cooper. He spoke in a foreign accent, and asked for myself. I put the phone on mute, letting him think the call dropped. He called back two more times, which went to voice mail, but he did not leave a message. The number he used matched the number on the fraudulent purchase order, and at first blush appears to be a land line based in Texas.
In the interim, following the receipt of the purchase order, I knew that I had created several hours of work for myself. The first thing I had to do was call the issuing bank to notify them of the fraud. It was in fact a live card, issued by Bank of America, and had a limit in the tens of thousands of dollars. Most likely, the opportunity for more than one credit card scam using that card. I spoke to a helpful lady who locked the account right away, and said she would notify the card holder. Victim-A covered.
Next, I needed to notify law enforcement. I called the FBI field office in Philadelphia, who took a cursory report, but it was obvious they did not care (the FBI does not consider fraud of under $100,000 to be actionable). The FBI referred me to www.ic3.gov to file a credit card scam report, and then gave me the number to the local United States Secret Service (USSS) office. I was told that under these circumstances, the USSS would be the correct investigative body. I dutifully called the USSS. The agent I talked to was pleasant but bemused, and informed me that the FBI and the USSS refer credit card scam calls back and forth all the time “as kind of a thing.” If you call the FBI, you are told to call the USSS. Call the USSS, they tell you to call the FBI. See how funny it is? Ha, ha, ha — your tax dollars at work!
After, I contacted Victim-B, a real company in Texas. I was told that this problem had been ongoing for several months, with their name being used to commit fraud. While annoyed, they were not being materially damaged, and they were also tired of people calling their company asking for Mr. Cooper – it happens at least once a week. I sent them sanitized copies of the fake purchase order, and advised them to make a report with local law enforcement.
Lastly, I contacted my own local law enforcement, who happens to be the Pennsylvania State Police (we live in an unincorporated township). They declined to take a report, stating that there was nothing at all they could do regarding a credit card scam.
Last week I attended a conference, where the keynote speaker was Frank Abagnale, ex-fraudster turned FBI superstar and the subject of the movie “Catch Me If You Can.” During Q&A, I asked Mr. Abagnale what the FBI could do, to help protect small businesses against cyber fraud coming from overseas. As I suspected, his answer was that there was nothing the FBI could do to help.