Brian Enos's Forums... Maku mozo!

I Hate Fraud attempts in my online store


benos


Friday there were 10 fraud order attempts (on my "Donate" page) in my store, for $2000.00 each. Fortunately they were all either declined or held for review by my Authorize.net "suspicious transaction" filter. Not only do I hate that, but if one actually approves - and I don't catch it to void it before it batches through - I have to pay transaction fees not only on the original fraud order, but on the refund as well. So I really hate that.

be


That sucks... the only thing you might be able to do is block ntelos's entire net range; give them a call if you have all the records of times and dates... that IP is dynamic, so it isn't like you can block just that one.

The company is in VA, so at least it's US based, which helps.

+1-540-946-2638

216.12.80.0 - 216.12.81.255

You can also use mod_rewrite to redirect those IP addresses to their own error page... create a trap, basically.

Edited by robomanusa

Thanks Rob.

I called that number and just got a stupid message telling me to hang up and dial 611. So I called:

Ntelos, Inc., dns@ntelos.net

877-468-3567

... and got a tech guy who told me to call back tomorrow because there was no one there that could deal with it.

And this happened after I posted... as I'm working with my "Donate.html" page, I notice a new text file in my (ftp) "Store" folder, and I remember the letters "...ftp..." in the file's name. So I finished editing the Donate page, then after I uploaded the page I went back to download the new text file, but then it was gone! Yikes. So I changed all the ftp and server passwords. Then when I was talking to EV1/The Planet Servers, the tech guy was looking around the server and said there were repeated attempts to log in to the server (root) today. So he blocked that IP address, which was 210.83.183.14.

Scary stuff.

be


ARIN whois shows this:

Search results for: 210.83.183.14

OrgName: Asia Pacific Network Information Centre
OrgID:
Address: PO Box 2131
City: Milton
StateProv: QLD
PostalCode: 4064
Country: AU
ReferralServer: whois://whois.apnic.net
NetRange: -
CIDR: 210.0.0.0/7
NetName:
NetHandle:
Parent:
NetType: Allocated to APNIC
NameServer: NS1.APNIC.NET
NameServer: NS3.APNIC.NET
NameServer: NS4.APNIC.NET
NameServer: NS-SEC.RIPE.NET
NameServer: TINNIE.ARIN.NET
NameServer: DNS1.TELSTRA.NET
Comment: This IP address range is not registered in the ARIN database.
Comment: For details, refer to the APNIC Whois Database via
Comment: WHOIS.APNIC.NET or
Comment: ** IMPORTANT NOTE: APNIC is the Regional Internet Registry
Comment: for the Asia Pacific region. APNIC does not operate networks
Comment: using this IP address range and is not able to investigate
Comment: spam or abuse reports relating to these addresses. For more
Comment: help, refer to
Comment:
RegDate: 1996-07-01
Updated: 2005-05-20
OrgTechHandle:
OrgTechName: APNIC Whois Contact
OrgTechPhone: +61 7 3858 3100
OrgTechEmail: search-apnic-not-arin@apnic.net
# ARIN WHOIS database, last updated 2007-07-13 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.

If contact information is out of date or incorrect, please contact hostmaster@arin.net. Include all relevant information in your e-mail and ARIN will investigate the matter.

To keep things interesting, ip-lookup.net shows it in China.

Geobytes.com also shows it in China.

And networksolutions.com shows this:

WHOIS Record For 210.83.183.14
Record Type: IP Address

OrgName: Asia Pacific Network Information Centre
OrgID: APNIC
Address: PO Box 2131
City: Milton
StateProv: QLD
PostalCode: 4064
Country: AU
ReferralServer: whois://whois.apnic.net
NetRange: 210.0.0.0 - 211.255.255.255
CIDR: 210.0.0.0/7
NetName: APNIC-CIDR-BLK2
NetHandle: NET-210-0-0-0-1
Parent:
NetType: Allocated to APNIC
NameServer: NS1.APNIC.NET
NameServer: NS3.APNIC.NET
NameServer: NS4.APNIC.NET
NameServer: NS-SEC.RIPE.NET
NameServer: TINNIE.ARIN.NET
NameServer: DNS1.TELSTRA.NET
Comment: This IP address range is not registered in the ARIN database.
Comment: For details, refer to the APNIC Whois Database via
Comment: WHOIS.APNIC.NET or http://www.apnic.net/apnic-bin/whois2.pl
Comment: ** IMPORTANT NOTE: APNIC is the Regional Internet Registry
Comment: for the Asia Pacific region. APNIC does not operate networks
Comment: using this IP address range and is not able to investigate
Comment: spam or abuse reports relating to these addresses. For more
Comment: help, refer to http://www.apnic.net/info/faq/abuse
Comment:
RegDate: 1996-07-01
Updated: 2005-05-20
OrgTechHandle: AWC12-ARIN
OrgTechName: APNIC Whois Contact
OrgTechPhone: +61 7 3858 3100
OrgTechEmail: search-apnic-not-arin@apnic.net

good hunting :blink:


Here is a better idea of the area where he is located:

http://www.ip-adress.com/details.php?c=VjJ...GZXVzl5YXc9PQ==

The ISP knows what customers have what IP addresses, maybe a fellow member knows someone that works at the ISP.

[Edit] You have to click the button or you'll get a map of dead center on the equator at about zero degrees longitude... anyway, if the hacker was smart, they bounced off a hacked PC at that IP anyway and are from somewhere else, but it's worth checking into.


ME TOO! And times like this is when you need that 22-250!!!! :angry2:

That puny little .22 caliber bullet cannot even begin to unleash enough whoopass for this situation <_< I was thinking more along the lines of many .50 BMG rounds in quick succession might make a better "statement"..... ;)


Basically you hack into the computer, then install a program that forwards IP packets for you, so you send your packets to the hacked PC, and it sends them out from its IP so it looks like the hijacked PC is the culprit, while you're really a continent away sending it commands (much like the old cop-movie staple of finding two payphones taped together when they trace the ransom call). The really good hackers go through a number of such proxies before hitting a target system, which makes them very hard to track down. It doesn't seem like this guy was that good, or you might never have noticed the hack... :o


Chuck, I do not get 210.83.183.14 from any search on 216.12.81.142 which is the IP Brian actually listed as the offender. It comes up in VA, USA as ww.ntelos.net as mentioned earlier.

+1 to Shred on "he must not be very good". If you found him fast, he's just a butt-munch and probably not capable of masking his IP. If he could do things like that cleanly, you would probably only have found him after the money was gone ;-/


Chuck, I do not get 210.83.183.14 from any search on 216.12.81.142 which is the IP Brian actually listed as the offender. It comes up in VA, USA as ww.ntelos.net as mentioned earlier.

I got that address from post #5 of this thread.

But as Shred points out, this is all meaningless. With the ability to change "hardware" MAC addresses, real traceability in an IP network is pretty much dead. Unless, of course, you are Chloe at CTU...


I assumed that he spoofed the IP, but it was at least worth looking into since it took a whopping 10 seconds. Truth of the matter is, if you use a good password scheme and don't run a Windows OS as your server, you should be fine. I have run my FreeBSD web servers for 6 years without a single issue; I also don't run standard ports for ssh and other programs.


Yeah, Unix and its children tend to be a bit tighter, but hardly foolproof. Probably the biggest problem with the net is not the connectivity but the exploit information that can be found. It no longer takes a top-shelf hack to break into stuff. Case in point: In late 2003 I decided to set up a wireless network for home instead of crawling around in the crawl space and attic to pull Cat-V. I got the Linksys du jour stuff and set it up using all the security tips of the time: No SSID broadcast, just plain bizarre keys and WEP encryption.

I then did a Google search for WEP cracking, found a snort-like program and a WEP crack program, loaded it and ran it with about 5 minutes of reading. I kicked off a file transfer in my wireless net to get the packet rate up and I cracked the network in about 15 minutes. The total time to find tools, set up, and break into a busy network was little more than an hour. At the time I knew pretty much zip about 802.11. So, just about any normal soul who can read, install somewhat arcane software, and run the stuff can be a fairly capable hacker.


Contact the FBI. Seriously. I used to work in the internet industry. Most local law enforcement don't have personnel to deal with such issues, but the FBI does or at least they will do more for you than the ISP that it's coming from.


How easy is it to mask an IP? shred - you said "bounced off"?

be

There are still quite a few open proxies left which can be used to help mask the originating IP. It's easy enough to do, but it still leaves traceable tracks; you're not as hidden as you think you are :)... if it was me I might tend more towards ssh'ing through several servers, then using the end machine to do the dirty work, not an open proxy.

Also, as far as root password attempts, when you run a server you see that shit every day. Not just root attempts, but you will see attempts at common Unix/Linux usernames (root, apache, www, mysql and so on...). Just don't ever make your passwords easy to figure out, and change them on a regular basis; mine gets changed every 2 weeks.

Contact the FBI. Seriously. I used to work in the internet industry. Most local law enforcement don't have personnel to deal with such issues, but the FBI does or at least they will do more for you than the ISP that it's coming from.

You're right, most departments don't have the resources; the best bet is the FBI. But for the FBI to get involved you have to PROVE monetary damages before they will even begin to get involved.

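The two defensive ideas in this thread, blocking an ISP's whole net range (robomanusa's ntelos suggestion) and noticing repeated root/common-username login attempts on the server, both come down to reading the evidence the server already has. The following is an added example, not code from the thread or from anyone posting in it. It parses sshd "Failed password" lines in OpenSSH's log format, counts failures per source IP and username, flags sources that exceed an assumed threshold, and converts a whois-style "first - last" range (the ntelos range quoted above) into CIDR blocks so an address can be tested against it. The log lines are constructed and use documentation addresses (203.0.113.0/24, 198.51.100.0/24); the threshold of 5 is an assumption.

```python
"""Added example (not from the thread): failed-SSH-login triage and whois
range checks over constructed sshd log lines."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample auth.log lines in OpenSSH's format; not real server logs.
SAMPLE_LOG = """\
Jul 14 02:11:03 web1 sshd[4121]: Failed password for root from 203.0.113.14 port 40112 ssh2
Jul 14 02:11:05 web1 sshd[4121]: Failed password for root from 203.0.113.14 port 40113 ssh2
Jul 14 02:11:08 web1 sshd[4123]: Failed password for invalid user apache from 203.0.113.14 port 40115 ssh2
Jul 14 02:11:10 web1 sshd[4125]: Failed password for invalid user mysql from 203.0.113.14 port 40117 ssh2
Jul 14 02:11:14 web1 sshd[4127]: Failed password for invalid user www from 203.0.113.14 port 40119 ssh2
Jul 14 03:02:41 web1 sshd[4301]: Failed password for invalid user oracle from 198.51.100.7 port 51020 ssh2
Jul 14 03:15:22 web1 sshd[4390]: Accepted publickey for deploy from 192.0.2.10 port 55012 ssh2
"""

# Matches both "Failed password for root from ..." and
# "Failed password for invalid user apache from ...".
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def failed_logins(log_text):
    """Return {ip: {username: count}} for every failed password attempt."""
    per_ip = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            per_ip[m.group("ip")][m.group("user")] += 1
    return {ip: dict(users) for ip, users in per_ip.items()}


def brute_force_sources(log_text, threshold=5):
    """IPs whose total failed attempts reach the (assumed) threshold,
    most active first."""
    totals = {ip: sum(users.values())
              for ip, users in failed_logins(log_text).items()}
    return sorted((ip for ip, n in totals.items() if n >= threshold),
                  key=lambda ip: -totals[ip])


def range_to_cidrs(first, last):
    """Express a whois 'first - last' range as the CIDR blocks a firewall
    or mod_rewrite rule would take."""
    return [str(net) for net in ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last))]


def in_ranges(ip, cidrs):
    """True if ip falls inside any of the given CIDR blocks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in cidrs)


if __name__ == "__main__":
    for ip, users in failed_logins(SAMPLE_LOG).items():
        print(ip, users)
    print("brute-force sources:", brute_force_sources(SAMPLE_LOG))
    # The ntelos range quoted earlier in the thread, as CIDR.
    ntelos = range_to_cidrs("216.12.80.0", "216.12.81.255")
    print("ntelos blocks:", ntelos)
    print("216.12.81.142 in ntelos range:", in_ranges("216.12.81.142", ntelos))
```

Blocking a whole range, as the thread notes, is a blunt instrument: the range is the ISP's dynamic pool, so it catches every customer there and misses the same person as soon as they connect from elsewhere. The per-username counts are the more useful signal day to day, since a spread over root/apache/mysql/www from one source is the dictionary-attack pattern described above.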

I spoke to Brian about this, and the type of fraud he is being victimized by is difficult to prevent. People are submitting large bogus charges to his "donate" box. Brian generally catches these before the daily processing and cancels them (otherwise he'll be stuck with transaction and refund fees, and risk losing his merchant account if there are too many chargebacks).

Why? My guess is that someone is attempting to use his site to see if a charge card is valid for large purchases before they hit the street. Gas stations have the same problem as criminals have been known to use self-serve gas pumps to try to validate stolen cards.


Yeah, Unix and its children tend to be a bit tighter, but hardly foolproof. Probably the biggest problem with the net is not the connectivity but the exploit information that can be found. It no longer takes a top-shelf hack to break into stuff. Case in point: In late 2003 I decided to set up a wireless network for home instead of crawling around in the crawl space and attic to pull Cat-V. I got the Linksys du jour stuff and set it up using all the security tips of the time: No SSID broadcast, just plain bizarre keys and WEP encryption.

I then did a Google search for WEP cracking, found a snort-like program and a WEP crack program, loaded it and ran it with about 5 minutes of reading. I kicked off a file transfer in my wireless net to get the packet rate up and I cracked the network in about 15 minutes. The total time to find tools, set up, and break into a busy network was little more than an hour. At the time I knew pretty much zip about 802.11. So, just about any normal soul who can read, install somewhat arcane software, and run the stuff can be a fairly capable hacker.

Cracking WEP is so easy nowadays and the tools are readily available; basically "a caveman could do it". Use WPA security or better, or just don't run wireless. I also find it useful to run my wireless in a different subnet.


ME TOO! And times like this is when you need that 22-250!!!! :angry2:

That puny little .22 caliber bullet cannot even begin to unleash enough whoopass for this situation <_< I was thinking more along the lines of many .50 BMG rounds in quick succession might make a better "statement"..... ;)

I am SOOOO sick of f'n hackers, virus writers, spammers and the lot. I don't think they deserve to be taken out quickly. I'm thinking more like covering them in honey and tying them to a stake on top of the biggest fire ant mound I can find. Slow and painful.... :angry2:


210.83.183.14

inetnum: 210.83.183.0 - 210.83.183.63
netname: chengqi-group
country: cn
descr: dongguan city,guangdong province
admin-c: TC254-AP
tech-c: TC254-AP
status: ASSIGNED NON-PORTABLE
changed: t-wangxy2@china-netcom.com 20021105
mnt-by: MAINT-CN-ZM28
source: APNIC

route: 210.82.0.0/15
descr: CNC Group CncNet
country: CN
origin: AS9929
mnt-by: MAINT-CNCGROUP-RR
changed: abuse@cnc-noc.net 20060330
source: APNIC

person: TECH GROUP CNC
address: 9/F, Building A, Corporate Square, No. 35 Financial Street,
address: Xicheng District, Beijing 100032, P.R.China
country: CN
phone: +86-10-88093588
fax-no: +86-10-88091442
e-mail: tech-group@china-netcom.com
nic-hdl: TC254-AP
mnt-by: MAINT-CN-ZM28
changed: zhaomq@china-netcom.com 20010917
source: APNIC
