This story starts off over a month ago when someone wanted to buy a couple of handbags from an ad on Facebook. This wasn’t a random Google search but an ad that surely was vetted by somebody on social media, right? That ad landed on a web page which had the products in the right colors ready to ship.
The site even had all these badges to tell you that it is trusted. They don’t give those to just anybody. I would worry about using Norton as a character reference, but that’s just me. Everything looks legit and there’s a totally normal checkout experience. The credit card goes through and a receipt shows up in the mail immediately with a link to track the package. Everything seems normal. Another email comes in with a receipt with links back to the store and to view the order online.
Over the next few days the tracking URL updates showing a package going from Ireland to Iowa. That’s the right basic direction so no alarms yet. The last update was a week ago.
A month later, no package. I take a look. The hero image on the web site is a generic clipart image. A search for that image comes up with pages of hits including Forbes and Adobe at the top of the list. The site lists many products from various categories and everything is on sale. Everything shows the price in USD. The other thing I notice is that the domain name is nonsensical and does not appear to have anything to do with the products listed. The logo is also completely generic. The web site navigation is a literal checklist of menus one would expect to be there: About, Contact, FAQS, Privacy, Returns, Shipping, Terms, and then a “Track Your Order” link. Everything is fully functional. The Track Your Order page even validates against actual orders.
On the About Us page the text seems a bit generic. The company is referred to by the domain name, not by a company name. I grab a sentence from the page and Google it. The exact nonsensical text appears on about 12,400 results, most with the same relative path: /pages/about-us.
On the Contact Us page, below the same domain name, is listed a company name that appears to point to a company in Wales, complete with the address and a UK phone number. The first thing I notice is that the company information is actually an image and not part of the page’s text. The second thing I notice is that the domain name has been added to the image as sort of an afterthought but in a different font.
At first I thought this company was somehow involved with this whole scam so I looked into them. While they are interesting, I no longer think they are in any way willingly complicit in this mess. The company in question appears to be inactive. Interestingly, they recently filed a registration change to move their headquarters to Cambridge to an address that appears to be an empty lot.
In the UK there’s a way to search for registered companies by address. This particular address has 928 companies associated with it, not including the one I was searching. As bizarre as this might appear, there may be a much more mundane reason behind it. When I look at the map, I can see The Insolvency Service building right next door. My guess is that this is just the final resting place for defunct and bankrupt corporations.
After exhausting that rathole, I’m back to looking at the web site. They make no attempt to hide their IP addresses. They are using AWS EC2 web hosting — no surprise. Email is being routed to Alibaba. The domain is registered with Alibaba Cloud on a Chinese-facing reseller. The domain was registered in May this year. Before that the domain was first registered with GoDaddy back in 2018 but nothing was ever done. The site came online sometime before September of this year.
I also managed to find the original store in Kyoto where the product images and storefront images were lifted. Someone had taken the time to replace the logo on the sign and on the front entrance of the store. I assume this store in Kyoto has nothing to do with this scam and is powerless to stop the abuse of their reputation. Sadly their web site is not as slick as the fake site. It must be hard to compete with scammers when you have an actual business to run.
Let’s go back to that emailed receipt. It has a link to a web site that appears to specialize in e-commerce and shipping tracking. Under Track My Package is the destination address, and a new/different tracking number has been added as of yesterday from what appears to be one town away. It is in the “Shipping Label Created” state but no actual package has been received by USPS. There’s no mention of the journey from Ireland to Iowa on this page.
I’ve seen this trick before. There’s a market for buying tracking numbers. You can specify from and to locations, and get a tracking number that matches your time parameters. My guess is that X Border provides this as a service. Their domain is also running on Alibaba. This domain was registered using GoDaddy back in 2019. There’s no reason to think that it is run by the same bad actors running the storefront. It’s possible they are legit and unwittingly being used. There are just too many complaint pages to support that, however.
The trick is that between the delays and all the redirection, a lot of time has passed. There’s enough time that the credit card cycle has closed. I also assume that if you email the company, they will respond with yet another delay tactic. This way they can show that they are being communicative throughout the process.
At this point it is pretty obvious to me that this web site is a scam. The next trick will be to convince the credit card company.