
Krebs on Security: Who’s Behind the Bogus $49.95 Charges?

This post was syndicated from Krebs on Security and was written by BrianKrebs. Original post at Krebs on Security.

Hardly a week goes by when I don’t hear from a reader wondering about the origins of a bogus credit card charge for $49.95 or some similar amount for a product they never ordered. As this post will explain, such charges appear to be the result of crooks trying to game various online affiliate programs by using stolen credit cards.

Bogus $49.95 charges for herbal weight loss products like these are showing up on countless consumer credit statements.


Most of these charges are associated with companies marketing products of dubious value and quality, typically by knitting a complex web of front companies, customer support centers and card processing networks. Whether we’re talking about a $49.95 payment for a bottle of overpriced vitamins, $12.96 for some no-name software title, or $9.84 for a dodgy Internet marketing program, the unauthorized charge usually is for a good or service that is intended to be marketed by an online affiliate program.

Affiliate programs are marketing machines built to sell a huge variety of products or services that are often of questionable quality and unknown provenance. Very often, affiliate programs are promoted using spam, and the stuff pimped by them includes generic prescription drugs, vitamins and “nutriceuticals,” and knockoff designer purses, watches, handbags, shoes and sports jerseys.

At the core of the affiliate program is a partnership of convenience: The affiliate managers handle the boring backoffice stuff, including the customer service, product procurement (suppliers) and order fulfillment (shipping). The sole job of the “affiliates” — the commission-based freelance marketers who sign up to promote whatever is being sold by the affiliate program — is to drive traffic and sales to the program.

THE NEW FACE OF SPAM

It is no surprise, then, that online affiliate programs like these often are overrun with scammers, spammers and others easily snagged by the lure of get-rich-quick schemes. In June, I began hearing from dozens of readers about unauthorized charges on their credit card statements for $49.95. The charges all showed up alongside various toll-free 888- numbers or names of customer support Web sites, such as supportacr[dot]com and acrsupport[dot]com. Readers who called these numbers or took advantage of the chat interfaces at these support sites were all told they’d ordered some kind of fat-burning pill or vitamin from some random site, such as greenteahealthdiet[dot]com or naturalfatburngarcinia[dot]com.

Those sites were among tens of thousands that are being promoted via spam, according to Gary Warner, chief technologist at Malcovery, an email security firm. The Web site names themselves are not included in the spam; rather, the spammers include a clickable URL for a hacked Web site that, when visited, redirects the user to the pill shop’s page. This redirection is done to avoid having the pill shop pages indexed by anti-spam filters and other types of blacklists used by security firms, Warner said.

The spam advertising these pill sites is not typical junk email blasted by botnet-infected home PCs, but rather is mostly “Webspam” sent via hacked Webmail accounts, said Damon McCoy, an assistant professor of computer science at George Mason University.

“Herbal spam from compromised Webmail accounts is a huge problem,” said McCoy, who has co-authored numerous studies on dodgy affiliate programs.

A support Web site named after the same number that appears on the "customer's" credit card statement.


Several sources at financial institutions that have been helping customers battle these charges say most of those customers at one point in the past used their credit cards to donate to one of several religious, political activist, and social service organizations online. I may at some point post another story about this aspect of the fraud if I can firm it up any more.

McCoy believes that most of the fraudulent charges associated with these affiliate program Web sites are the result of rogue affiliates who are merely abusing the affiliate program to “cash out” credit card numbers stolen in data breaches or purchased from underground stores that sell stolen card data.

“My guess is these are ‘legit’ herbal affiliate programs that are getting burned by bad affiliates,” McCoy said.

Affiliate fraud was a major problem for the two captains of competing pharmacy spam affiliate programs who are profiled in my upcoming book, Spam Nation. Most of the affiliate programs featured in my book dealt with the problem of scammers trying to use stolen cards to generate phony sales by placing two-week “holds” or “holdbacks” on all affiliate commissions: That way, if an affiliate’s “purchases” generated too many chargebacks, the affiliate program could terminate the affiliate and avoid paying commissions on the fraudulent charges.

But McCoy said it’s likely that this herbal affiliate program is not employing holdbacks, at least not in any timeframe that could deter rogue affiliates from running stolen cards through the system.

“If this affiliate program doesn’t have a holdback, they are a great target for this type of fraud,” McCoy said.
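To make the holdback argument concrete, here is an added example (not from the original post or any affiliate program's code) that replays daily commission payouts with and without a two-week hold. The affiliate names, dates, commission amounts and the 10% termination threshold are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

MAX_CHARGEBACK_RATIO = 0.10  # assumed termination threshold (not from the post)

@dataclass
class Sale:
    affiliate: str
    sold_on: date
    commission: float
    chargeback_on: Optional[date] = None  # day the cardholder's dispute arrives

def simulate(sales, start, end, hold_days):
    """Replay daily payouts; money paid out is treated as unrecoverable."""
    paid = {s.affiliate: 0.0 for s in sales}
    terminated, settled = set(), set()
    day = start
    while day <= end:
        # Terminate any affiliate whose known chargeback ratio is too high.
        for aff in paid:
            rows = [s for s in sales if s.affiliate == aff and s.sold_on <= day]
            bad = [s for s in rows if s.chargeback_on and s.chargeback_on <= day]
            if rows and len(bad) / len(rows) > MAX_CHARGEBACK_RATIO:
                terminated.add(aff)
        # Release commissions whose hold has expired and that are undisputed.
        for i, s in enumerate(sales):
            if i in settled or s.affiliate in terminated:
                continue
            if day >= s.sold_on + timedelta(days=hold_days):
                settled.add(i)
                if not (s.chargeback_on and s.chargeback_on <= day):
                    paid[s.affiliate] += s.commission
        day += timedelta(days=1)
    return paid, terminated

def sample_sales():
    """Constructed data: one honest affiliate, one running stolen cards."""
    d0 = date(2014, 6, 1)
    sales = [Sale("aff_ok", d0, 20.0) for _ in range(10)]
    # 8 of the rogue affiliate's 10 sales are disputed about a week later.
    sales += [Sale("aff_rogue", d0, 20.0, d0 + timedelta(days=7 + i % 3))
              for i in range(8)]
    sales += [Sale("aff_rogue", d0, 20.0) for _ in range(2)]
    return sales

if __name__ == "__main__":
    for hold in (0, 14):
        print(hold, simulate(sample_sales(), date(2014, 6, 1), date(2014, 6, 30), hold))
```

With no hold, the rogue affiliate is paid in full on the day of sale and is terminated only after the disputes arrive; with the 14-day hold, the disputes arrive first and nothing is paid.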

As if in recognition of this problem, the herbal pill Web sites ultimately promoted in these Webspam attacks are tied to a sprawling network of thousands of similar sites, all of which come with their own dedicated customer support Web site and phone number (866- and 888- numbers). Those same support phone numbers are listed next to the fraudulent charges on customers’ monthly credit card statements. In virtually all cases, the organization names listed on these support Web sites are legally registered, incorporated companies based in Florida.

All of the banks I spoke with in researching this story said customers told them that the support staff answering the phones at the 888- and 866- numbers tied to the herbal pill sites were more than happy to reverse the fraudulent charges. The last thing these affiliate programs want is a bunch of chargebacks: Too many chargebacks can cause the merchant to lose access to Visa and MasterCard’s processing networks, and can bring steep fines.

Not that legitimate customers of these dodgy vitamin shops are in for the best customer service experience either. Very often, ordering from one of these affiliate marketing programs invites even more trouble. A note appended in fine print to the bottom of the checkout page on all of the herbal pill sites advises: “As part of your subscription, you will automatically receive additional bottles every 3 Months. Your credit card used in this initial order will be used for future automatic orders, and will be charged $148.00 (Includes S/H).”

If you see charges like these or any other activity on your credit or debit card that you did not authorize, contact your bank and report the fraud immediately. I think it’s also a good idea in cases like this to request a new card in the odd chance your bank doesn’t offer it: After all, it’s a good bet that your card is in the hands of crooks, and is likely to be abused like this again.