Web Hosting Talk

View Full Version : Fraud, fraud... ohh dear, fraud!


HostInspect
06-29-2002, 12:48 PM
Yesterday we received a very, very large number of fraud orders coming in.

We received about 40 orders yesterday....about 32 or 33 were fraud. We were forced to call up on someone, because these were valid credit cards, but invalid addresses, and all came from the same IP block.

203.162.*.*

This guy tried changing IP, I guess; in every order he used different e-mail addresses, but always kept it with @yahoo.com. Now I am not sure what Eryxma is doing about this, since they just kept us out from knowing that much information, just told us they notified the authorities, etc., and started banning this person, and well, my assignment was to remove all orders we have gotten from 203.162.*.*, and there are a few, and looking at them, all from Vietnam. :( And looking at our order status page, this person has tried to come to our order forms again, and tried to order 29 times today.

I can't receive that much info from Eryxma right now, since they aren't saying much.

But I wanted to let you know about this IP and was wondering: has this happened to anyone else?

coight
06-29-2002, 12:50 PM
Yes, we have been hit by many today, let me get the IPs.

FHJim
06-29-2002, 01:28 PM
Has anyone tried hostabuse?

HostInspect
06-29-2002, 01:46 PM
Look at this, since I monitor humanclick and monitor the orders that come in, look what I found:

Shiekron: How may I help you ?
Visitor: zbrs.com and son3vil.ws hosting are del ?
Shiekron: yes sir for fraud
Visitor: thanks
Visitor: i'll never fraud
Shiekron: we have received a numerous amount of orders from this IP block and we were forced to do so
Visitor: do you wanna know how can i have that Credit Card
Shiekron: Why sir?
Visitor: here :
Visitor: http://www.vnlogic.net/cgi-bin/ultimatebb.cgi?
Visitor: i get it from that forum
Shiekron: sorry sir, we just don't welcome this, nor do we tolerate this
Visitor: yes,i know
Shiekron: Have a nice day.
Visitor: but
Shiekron: But what sir?
Visitor: can i register again with my CREDIT CARD ?
----REST CUT OFF---

I cut off the rest because it was just too violent.

code_renegade
06-29-2002, 01:55 PM
This is quite worrying for hosts. I wonder, do the other 3rd-party services like Revecom and 2Checkout have this kind of fraud screening...?

Chicken
06-29-2002, 02:26 PM
Some contact info on the domain. I suggest you try to verify that there are cc#'s being posted, contact the host about it if so, and if that doesn't work, try RS abuse. Domain doesn't exactly have contact details (maybe enom would just remove it, heh)...


Address lookup
canonical name www.vnlogic.net.
aliases
addresses 216.127.70.95


Domain Whois record
Querying whois.internic.net with "dom vnlogic.net"...

Whois Server Version 1.3

Domain names in the .com, .net, and .org domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.

Domain Name: VNLOGIC.NET
Registrar: ENOM, INC.
Whois Server: whois.enom.com
Referral URL: http://www.enom.com
Name Server: NS9.VNSTYLE.NET
Name Server: NS10.VNSTYLE.NET
Updated Date: 25-jun-2002


>>> Last update of whois database: Sat, 29 Jun 2002 04:50:21 EDT <<<

The Registry database contains ONLY .COM, .NET, .ORG, .EDU domains and
Registrars.

Querying whois.enom.com with "vnlogic.net"...


Domain name: vnlogic.net

Registrant Contact:
XXX
XXX XXX (huu_tu@yahoo.com)
XXX
FAX: XXX
xxx
xxxx, 10400
MA


Billing, Administrative Contact:
XXX
XXX XXX (huu_tu@yahoo.com)
XXX
FAX: XXX
xxx
xxxx, 10400
MA


Technical Contact:
xxx
xxx xx (huu_tu@yahoo.com)
xxx
FAX: xxx
xx
xxx, 10400
MA



Status: ACTIVE
Note: To help prevent fraudulent or erroneous
transfers, we encourage registrants to place their domains on "lock"
status with their current registrar.

Name servers:
ns9.vnstyle.net
ns10.vnstyle.net

Created: 01/08/02 03:10:14
Expires: 01/08/03 03:10:14
--------------------------------------------------------------------------------
This information was provided by Enom, Inc. an accredited ICANN registrar.
http://www.enom.com
Register your domain name today!

Network Whois record
Querying whois.arin.net with "216.127.70.95"...

Everyones Internet, Inc. (NET-EVRY-BLK-10) EVRY-BLK-10
216.127.64.0 - 216.127.95.255
Azeem Butt (NETBLK-AZEEM) AZEEM 216.127.70.88 - 216.127.70.95

To single out one record, look it up with "!xxx", where xxx is the
handle, shown in parenthesis following the name, which comes first.

The ARIN Registration Services Host contains ONLY Internet
Network Information: Networks, ASN's, and related POC's.
Please use the whois server at rs.internic.net for DOMAIN related
Information and whois.nic.mil for NIPRNET Information.
Querying whois.arin.net with "!NETBLK-AZEEM"...

Azeem Butt (NETBLK-AZEEM)
39867 Potrero Dr
Newark, CA 94560
US

Netname: AZEEM
Netblock: 216.127.70.88 - 216.127.70.95

Coordinator:
Administration, DNS (DA37-ORG-ARIN) hostadm@SIRIUS.COM
+1-415-865-5080
Fax- +1-415-865-5004

Record last updated on 13-Oct-1999.
Database last updated on 28-Jun-2002 19:59:48 EDT.

DNS records
name class type data time to live
www.vnlogic.net IN A 216.127.70.95 86396s (23h 59m 56s)
vnlogic.net IN MX preference: 10
exchange: mail.vnlogic.net
86396s (23h 59m 56s)
vnlogic.net IN SOA server: ns9.vnstyle.net
email: webmaster@vntoday.org
serial: 6
refresh: 3600
retry: 600
expire: 86400
minimum ttl: 3600
3600s (1h)
70.127.216.in-addr.arpa IN SOA server: ns1.ev1.net
email: admin@ev1.net
serial: 1022774587
refresh: 10800
retry: 3600
expire: 432000
minimum ttl: 38400
38400s (10h 40m)

Service scan
FTP - 21 220 ProFTPD FTP Server ready.
SMTP - 25 220 ns9.vnstyle.net ESMTP Sendmail 8.11.6/8.11.6; Sun, 30 Jun 2002 02:17:01 -0600
HTTP - 80 HTTP/1.1 200 OK
Date: Sun, 30 Jun 2002 08:17:06 GMT
Server: Apache/1.3.22 (Unix) (Red-Hat/Linux) mod_jk/1.2.0 mod_perl/1.24_01 PHP/4.1.1 FrontPage/5.0.2 mod_ssl/2.8.5 OpenSSL/0.9.6b
Connection: close
Content-Type: text/html

POP3 - 110 +OK POP3 ns9.vnstyle.net v2000.70rh server ready
NNTP - 119 Error: Connection refused


skylab
06-29-2002, 02:31 PM
ah goodness.

i feel a scandal coming on. :(

FDrive
06-29-2002, 02:46 PM
Visitor: can i register again with my CREDIT CARD ?

:emlaugh:

Annie-Mei
06-29-2002, 03:45 PM
Originally posted by Chicken
Some contact info on the domain. I suggest you try to verify that there are cc#'s being posted, contact the host about it if so, and if that doesn't work, try RS abuse. Domain doesn't exactly have contact details (maybe enom would just remove it, heh)...


Enom.com. No wonder they have let it go on this long. They respond to abuse complaints as fast as molasses in winter. I've been reporting a pr0n spammer on their network for the last year and a half and the site is still active.

AVOID reporting anything to Enom for anything. Hit their upstream since they refuse to listen to abuse complaints. I'm surprised they are still actively hosting.

eHostPros
06-29-2002, 03:50 PM
Report it to abuse ev1.net, or email abuse@ev1.net

Hackers, I believe, are not allowed on their network. They will have it deleted in no time, I hope.
Or call Rackshack.

E-Shiekron
06-29-2002, 04:04 PM
I have already reported this.

I hope soon this is solved.

I can't take it. I blocked all of Vietnam!

Have a nice day!

Chicken
06-29-2002, 04:09 PM
Originally posted by Annie-Mei
Enom.com. No wonder they have let it go on this long. They respond to abuse complaints as fast as molasses in winter. I've been reporting a pr0n spammer on their network for the last year and a half and the site is still active.

AVOID reporting anything to Enom for anything. Hit their upstream since they refuse to listen to abuse complaints. I'm surprised they are still actively hosting.

Enom is the registrar of the domain above, not the provider of the hosting services, nor the upstream provider of the host. They do provide DNS services and a 10 page web site, however it is likely you've been complaining to the wrong company, thus the porn spammer is still active. In this case, Enom's upstream has nothing to do with it and they don't provide POP/SMTP services so your spammer isn't using the enom system to send his spam. As I said, it is likely that you're reporting this to the wrong people.

WildWayz
06-29-2002, 07:29 PM
it's shocking to see the amount of fraud going on.

I got a promotional email about some McAfee products.. looked legit.. but it wasn't on McAfee's site and their order form wasn't secure. So I went to McAfee's site and no mention of the offer.

James

fog
06-29-2002, 07:58 PM
I wanted to hop in here real quick and ask a couple questions...

First, I fail to understand at all why someone would be entering erroneous information on order forms? Am I misunderstanding this, or are they committing credit card fraud to sign up for... services they probably don't actually want?

Second, a quick technical question pertaining to netblock assignments (as Chicken has posted them.) Isn't there a way to get these via "whois", as opposed to going to ARIN's site (which is what I do now.)

Again, while I'm sorry this is going on, I really cannot understand their motives.

ned patter
06-29-2002, 08:57 PM
Originally posted by HostInspect
Look at this, since I monitor humanclick and monitor the orders that come in, look what I found:

Shiekron: How may I help you ?
Visitor: zbrs.com and son3vil.ws hosting are del ?
Shiekron: yes sir for fraud
Visitor: thanks
Visitor: i'll never fraud
Shiekron: we have received a numerous amount of orders from this IP block and we were forced to do so
Visitor: do you wanna know how can i have that Credit Card
Shiekron: Why sir?
Visitor: here :
Visitor: http://www.vnlogic.net/cgi-bin/ultimatebb.cgi?
Visitor: i get it from that forum
Shiekron: sorry sir, we just don't welcome this, nor do we tolerate this
Visitor: yes,i know
Shiekron: Have a nice day.
Visitor: but
Shiekron: But what sir?
Visitor: can i register again with my CREDIT CARD ?
----REST CUT OFF---

I cut off the rest because it was just too violent.

Looks like he's trying to do a phone wind-up there, he's acting dumb a bit like Ali G or again people who do phone wind-ups, the nid.

sonichost
06-29-2002, 09:45 PM
We've had nothing but bad luck from Vietnamese orders also, they've all been spammers. :angry:

First, I fail to understand at all why someone would be entering erroneous information on order forms? Am I misunderstanding this, or are they committing credit card fraud to sign up for... services they probably don't actually want?

They need a way to try out the new credit card numbers they've gotten ahold of. Unfortunately we're an easy target since no shipping information is collected. Also, it's much easier to try out on the internet with a proxy than to walk into a retail store and buy something. It requires less balls. :D I really do feel sorry for those hosts who have "Instant Activation", that's just asking for it.

ADEhost
06-30-2002, 01:22 AM
Hi, did anybody send out a general notice to 2checkout and the other CC companies we all do business with? If that link is a qualified CC link then I think they would want it.

mike

beppi
07-12-2002, 04:51 AM
I am new to credit card processing (and fraud), but it seems to me all the security checks before a credit card is verified and actually accepted online are just for show. My experience below suggests so:

I recently wanted to buy a domain from Godaddy and it just would not accept my card. The helpdesk told me that they do not accept customers from Singapore because of previous fraud (interestingly they do not dare to post such discrimination openly on their webpage).
Well, I went back to the order page and entered an address in Germany (I am German, but this is NOT my card billing address!) and it went through without problems, Singaporean card and all!
Next time I could put in a bogus address and later dispute the charges, right? Too bad I am honest, but it certainly serves them right if other people from the countries they discriminate against are not!

HRBrendan
07-12-2002, 04:57 AM
We get many, many fake successful orders a month, however we call and verify every one now and cancel the account and reverse the charge immediately if it doesn't go through right. I think a big reason they do it is to test the cards to see if they are good before they take them somewhere to try to card actual merchandise.

-Brendan

eHostPros
07-12-2002, 05:48 AM
We do not get fraud orders (touch wood) for 3 reasons :D

1. We have banned all free email addresses from submitting orders, about 300 or so and adding; only ISP addresses are allowed. This has however not decreased the order rate, but has zeroed the fraud orders.

2. Banned any IPs and ISPs which are known for fraud orders. So that narrows down even more. Even banned proxy servers in our billing .htaccess file.

3. We have a strict authorize.net AVS and CVV2 system which also helps us; even if the address is right and zip is not, it declines the orders, or vice versa, and other tricks.

I see lots of orders being declined due to wrong billing address, and 50% of those orders are fraud and 50% are users who didn't provide the right billing address, and they do write us an email asking why it was declined, and we tell them that their zip or address didn't match the billing address from their bank or card bank, and they modify it and the order goes through. :)

We do get orders from Vietnam and Singapore and all are legit with the right address in Singapore and Vietnam so far :D

Most fraud gets rejected by the .htaccess file.

Hope this helps
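
The three screening layers listed in the post above, combined with the same-block order burst reported at the top of the thread, as an added example that is not part of any post here. The field names, the short free-mail list and the velocity limit are assumptions; only the 203.162.*.* block comes from the thread, and the sample orders are constructed.

```python
import ipaddress
from collections import Counter
from dataclasses import dataclass

# Illustrative values: the free-mail list, field names and velocity limit are
# assumptions; only 203.162.*.* comes from the thread.
FREE_MAIL = {"yahoo.com", "hotmail.com"}
BANNED_NETS = [ipaddress.ip_network("203.162.0.0/16")]
VELOCITY_LIMIT = 3          # orders per /16 in one batch before a human looks


@dataclass
class Order:
    order_id: int
    ip: str
    email: str
    avs: str                # gateway AVS code: Y=street+ZIP, A=street only, Z=ZIP only, N=neither
    cvv_match: bool


def block_of(ip: str) -> ipaddress.IPv4Network:
    """Collapse an address to its /16, the granularity reported in the thread."""
    return ipaddress.ip_network(f"{ip}/16", strict=False)


def screen(orders):
    """Return {order_id: (decision, reasons)} for one batch of orders."""
    per_block = Counter(block_of(o.ip) for o in orders)
    out = {}
    for o in orders:
        hard, soft = [], []
        if any(ipaddress.ip_address(o.ip) in net for net in BANNED_NETS):
            hard.append("banned-net")
        if o.email.rsplit("@", 1)[-1].lower() in FREE_MAIL:
            hard.append("free-mail")
        if o.avs != "Y":                      # partial matches (A, Z) decline too
            hard.append(f"avs-{o.avs}")
        if not o.cvv_match:
            hard.append("cvv")
        if per_block[block_of(o.ip)] > VELOCITY_LIMIT:
            soft.append("velocity")           # not yet banned, but bursty: verify by phone
        decision = "decline" if hard else "review" if soft else "accept"
        out[o.order_id] = (decision, hard + soft)
    return out


# Constructed sample batch (not real order data).
SAMPLE = [
    Order(1, "203.162.4.10", "a1@yahoo.com", "N", True),
    Order(2, "203.162.77.2", "b2@yahoo.com", "N", True),
    Order(3, "192.0.2.15", "carol@isp.example", "Y", True),
    Order(4, "192.0.2.16", "dave@isp.example", "Z", True),
] + [Order(10 + i, f"198.51.100.{i + 1}", f"u{i}@isp.example", "Y", True) for i in range(4)]

if __name__ == "__main__":
    for oid, (decision, reasons) in screen(SAMPLE).items():
        print(oid, decision, ",".join(reasons) or "-")
```

Order 4 shows the partial-match case from point 3: a ZIP-only match is declined even though the IP and email pass, which is why legitimate customers with a mistyped address end up writing in.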

cedwards
07-12-2002, 07:49 AM
My God! That's scary! They have a forum with CC#'s posted. I feel so sorry for the victims whose cards are on this site. They need to be contacted themselves to cancel their cards ASAP!

headsurfer
07-12-2002, 09:53 AM
It looks like Rackshack was hosting that forum site. But, as it violates our AUP/TOS, it is no more. We should all watch where this site goes and let the new host know what is being done on that site.

Robert

Gem Hexen
07-12-2002, 01:30 PM
Originally posted by fog
I wanted to hop in here real quick and ask a couple questions...

First, I fail to understand at all why someone would be entering erroneous information on order forms? Am I misunderstanding this, or are they committing credit card fraud to sign up for... services they probably don't actually want?

Second, a quick technical question pertaining to netblock assignments (as Chicken has posted them.) Isn't there a way to get these via "whois", as opposed to going to ARIN's site (which is what I do now.)

Again, while I'm sorry this is going on, I really cannot understand their motives.

No kidding, why would you want to commit fraud for such an inexpensive product as shared hosting!

skylab
07-12-2002, 01:36 PM
i believe HRbrendan gave one of the major reasons.

Originally posted by HRBrendan
.....I think a big reason they do it is to test the cards to see if they are good before they take them somewhere to try to card actual merchandise.

-Brendan

Gem Hexen
07-12-2002, 01:41 PM
Oops, missed that.

skylab
07-12-2002, 01:44 PM
i would think some of them hope for the "instant setup" hosts, so, they can put up a warez drop for awhile....

hmm. i don't know...it sucks, i know that! =)

seg fault
07-12-2002, 01:48 PM
There are many other ways to test cards.

Most carders (imo) test their cards via authorize.net xlogins and charge the card $1.

I have come across quite a few sites which also provide this service.

When I first started trading on the internet, I was slugged with $15 000 fraud in the first 5 days of running. Luckily, my bank was on the ball and suspended all the cash before I went on a spending spree.

In the end, all of the transactions ended up being fraudulent.

Since that time, nearly 2 years ago, I have been running around finding carders, where they trade, the methods used to gain credit card numbers and exactly how they get tangible items shipped to them.

At this time, I get approximately 15 valid credit cards per minute which have been trading among these people for other things (laptops, phones, paypal accounts etc)

I had offered to give these lists in real time to VISA, but they were not interested as it is the banks' and/or merchants' problem.

So now we are on the second stage of beta testing pre-authorisation software which will run over 10 fraud tests on an order in real time.

I will give more information when it's actually available for use, but I think most hosts would be interested anyway ;)

IamHalam
07-12-2002, 02:51 PM
People these days, getting credit cards off of IRC and websites then using them.. shame.

UmBillyCord
07-12-2002, 06:10 PM
2. Banned any IPs and ISPs which are known for fraud orders. So that narrows down even more. Even banned proxy servers in our billing .htaccess file.

How are you doing this? Are you just assuming it was a proxy and blocking it after an attempt was made? I do not see how you can proactively block proxies? If you have a way, you should post it to help others out.

Jedito
07-12-2002, 06:29 PM
I think that he bans IPs of known proxies; there is a thread where Gary (Alaskanwolf) submitted a long list of IPs that he has banned, and if I'm not wrong he describes to whom each IP or IP block corresponds.