Thread: CC Fraud > Drastic action
-
11-29-2001, 10:20 AM #26 Web Hosting Master
- Join Date
- Sep 2000
- Posts
- 1,939
Yes
I have got "the nose" for it as well.
Here's an e-mail sent to one of the two frauds that have got through:
Hello
We have received an order from you for web hosting.
We are not processing the order until you have clarified the following
points:
1. You claim to be in Louisiana, but it's 6am there at the moment.
2. The domain name you have requested hosting for does not exist:
braila-net2.com
3. You are actually in Israel (194.90.229.195)
4. The address you gave appears to have been cut and pasted into our order
form as there were no carriage returns.
I hope you understand why we are querying this order and look forward to
hearing from you shortly.
Gordon Hudson
Hostroute.com Ltd
http://www.hostroute.net/
Formerly: Managing Director, Hostroute.com Ltd & Marketing Director, Ultraspeed UK Ltd
View my Professional Profile: www.gordonhudson.com
-
11-29-2001, 10:35 AM #27 Web Hosting Master
- Join Date
- Apr 2001
- Location
- Montana USA
- Posts
- 673
With evidence as clear as in your example, we don't bother contacting the attempted thief. We simply nuke them immediately. I'm apt to spend more time tracking down the real card owner to let them know their card's been compromised. Typical phone conversation:
Me: "I'm not going to ask you anything about your credit card information, but if it ends in 4254 and expires 8/02, then your card may have been compromised."
Card Owner: "HOLY S***!!"
John Masterson
Former Hosting Company Owner
-
11-29-2001, 06:32 PM #28 Account Disabled
- Join Date
- Apr 2000
- Posts
- 1,726
Anyone else got any other IPs to block other than the ones already submitted?
-
11-30-2001, 05:52 AM #29 Web Hosting Master
- Join Date
- Sep 2000
- Posts
- 1,939
That depends on how strict you want to be or where your market is.
I am considering blocking Israel as we have no customers there and don't really intend to, but it's a bit like using a sledgehammer to crack a nut.
We can cope with the odd fraud.
Blocking those 3 main countries reduced our fraud by over 90%
Other countries which are prone to this sort of thing are:
Thailand (but we have had none from there for a long time)
Romania
Russia (again not seen one of these for a long time)
Pakistan
Certainly these are countries our bank is always issuing warnings about.
Gordon
Formerly: Managing Director, Hostroute.com Ltd & Marketing Director, Ultraspeed UK Ltd
View my Professional Profile: www.gordonhudson.com
-
12-08-2001, 06:40 PM #30 Web Hosting Master
- Join Date
- Apr 2001
- Location
- Montana USA
- Posts
- 673
Originally posted by magnafix
Here's our International IP checker.
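PHP Code:
// The opening line of the function is missing from the quoted post;
// the function name below is a placeholder.
function is_international_ip($ip)
{
    // Split the dotted quad. sscanf() fills its extra arguments by reference,
    // so no call-time "&" is needed (PHP 5.4 and later reject it).
    sscanf($ip, "%d.%d.%d.%d", $quad1, $quad2, $quad3, $quad4);
    switch($quad1)
    {
        // First octets that are blocked outright.
        case 57:
        case 61:
        case 62:
        case 80:
        case 151:
        case 193:
        case 194:
        case 195:
        case 202:
        case 203:
        case 210:
        case 211:
        case 212:
        case 213:
        case 217:
        case 218:
        case 219:
            return true;
        // First octets blocked only for certain second octets.
        // As posted, there is no 'break;' after these tests, so a failed
        // test falls through into the next case.
        case 24:
            if($quad2 > 132 && $quad2 < 136) return true;
        case 130:
            if($quad2 == 237 ||
               $quad2 == 242 ||
               $quad2 == 243) return true;
        case 134:
            if($quad2 == 75) return true;
        case 141:
            if($quad2 < 86) return true;
        case 165:
            if($quad2 == 21) return true;
        case 169:
            if($quad2 > 207 && $quad2 < 224) return true;
        case 170:
            if($quad2 == 60) return true;
        case 192:
            if($quad2 == 36 ||
               $quad2 == 164 ||
               $quad2 == 165 ||
               $quad2 == 166 ||
               $quad2 == 167) return true;
    }
    return false;
}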
Little bug in the above code -- make sure to insert 'break;' where appropriate....
John Masterson
Former Hosting Company Owner
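Added example, not part of the original thread or the posters' code: a table-driven PHP version of the check quoted above, in which each first octet consults only its own second-octet ranges, so the missing-'break;' fall-through cannot occur. The function and constant names and the sample addresses are assumptions made for illustration; the octet values are transcribed from the posted code.

```php
<?php
// Added example. Names are hypothetical; octet values come from the posted switch.

// First octets the posted code blocks outright.
const BLOCKED_QUAD1 = [57, 61, 62, 80, 151, 193, 194, 195, 202, 203,
                       210, 211, 212, 213, 217, 218, 219];

// First octet => inclusive [low, high] ranges of the second octet,
// transcribed from the posted conditions ("> 132 && < 136" is 133..135).
const BLOCKED_QUAD2 = [
    24  => [[133, 135]],
    130 => [[237, 237], [242, 243]],
    134 => [[75, 75]],
    141 => [[0, 85]],
    165 => [[21, 21]],
    169 => [[208, 223]],
    170 => [[60, 60]],
    192 => [[36, 36], [164, 167]],
];

function is_blocked_ip(string $ip): bool
{
    // Anything that is not a well-formed IPv4 dotted quad (including IPv6)
    // is reported as not matched; the caller decides how to treat it.
    if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false) {
        return false;
    }
    [$quad1, $quad2] = array_map('intval', explode('.', $ip));

    if (in_array($quad1, BLOCKED_QUAD1, true)) {
        return true;
    }
    // Only the ranges listed for this exact first octet are consulted,
    // so there is no later case to fall through into.
    foreach (BLOCKED_QUAD2[$quad1] ?? [] as [$low, $high]) {
        if ($quad2 >= $low && $quad2 <= $high) {
            return true;
        }
    }
    return false;
}

// Constructed sample addresses (not taken from any log). 24.60.0.1 is the
// kind of address the posted switch matches by falling from case 24 into
// the case 141 test (60 < 86).
$samples = ['24.134.0.1', '24.60.0.1', '192.165.9.9', '192.168.1.1', 'not-an-ip'];
foreach ($samples as $ip) {
    printf("%-12s %s\n", $ip, is_blocked_ip($ip) ? 'blocked' : 'allowed');
}
```

The whole-first-octet entries are exactly as coarse as in the posted code; a later reply in this thread points out that 202.* also covers Australia.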
-
12-20-2001, 03:14 PM #31 Web Hosting Master
- Join Date
- Nov 2001
- Posts
- 852
Here you can add these IP's to your list. This guy has Names, Addresses Zips all matching the cards, but they all come back as chargebacks. A lot of the accounts use this domain/password info **but not all the time**
expl0de.net
870621345
d0pe@expl0de.net
195.24.130.57
212.45.192.10
24.186.135.216
203.146.138.103
24.186.135.216
He has charged about 1000 dollars, but we catch them before the batch runs and void them before they even hit the person's CC
-
12-21-2001, 01:18 AM #32 Web Hosting Master
- Join Date
- Nov 2000
- Location
- Boston, MA (USA)
- Posts
- 773
Worst fraud attempt ever.....
Prepaid Dedicated Server that cost $10,000 a year... The order was filled...... Good thing I caught the culprit before Revecom processed it.
-
12-30-2001, 10:08 PM #33 Web Hosting Guru
- Join Date
- Oct 2001
- Posts
- 264
Originally posted by magnafix
Little bug in the above code -- make sure to insert 'break;' where appropriate....
eat me
-
12-31-2001, 01:45 AM #34 Junior Guru Wannabe
- Join Date
- Dec 2001
- Posts
- 53
Originally posted by magnafix
Here's our International IP checker.
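PHP Code:
// The opening line of the function is missing from the quoted post;
// the function name below is a placeholder.
function is_international_ip($ip)
{
    // Split the dotted quad. sscanf() fills its extra arguments by reference,
    // so no call-time "&" is needed (PHP 5.4 and later reject it).
    sscanf($ip, "%d.%d.%d.%d", $quad1, $quad2, $quad3, $quad4);
    switch($quad1)
    {
        // First octets that are blocked outright.
        case 57:
        case 61:
        case 62:
        case 80:
        case 151:
        case 193:
        case 194:
        case 195:
        case 202:
        case 203:
        case 210:
        case 211:
        case 212:
        case 213:
        case 217:
        case 218:
        case 219:
            return true;
        // First octets blocked only for certain second octets.
        // As posted, there is no 'break;' after these tests, so a failed
        // test falls through into the next case.
        case 24:
            if($quad2 > 132 && $quad2 < 136) return true;
        case 130:
            if($quad2 == 237 ||
               $quad2 == 242 ||
               $quad2 == 243) return true;
        case 134:
            if($quad2 == 75) return true;
        case 141:
            if($quad2 < 86) return true;
        case 165:
            if($quad2 == 21) return true;
        case 169:
            if($quad2 > 207 && $quad2 < 224) return true;
        case 170:
            if($quad2 == 60) return true;
        case 192:
            if($quad2 == 36 ||
               $quad2 == 164 ||
               $quad2 == 165 ||
               $quad2 == 166 ||
               $quad2 == 167) return true;
    }
    return false;
}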
-
12-31-2001, 02:09 AM #35 Web Hosting Guru
- Join Date
- Oct 2001
- Posts
- 264
Originally posted by dbnet
How do we use this ?
just insert this code in a function and call it from your order form and if it returns true, then you just say "sorry we are currently not accepting orders from your area"
Note tho... that this script blocks 202.* which includes Australia as well!
Cheers
eat me
-
02-04-2002, 06:43 PM #36 Junior Guru
- Join Date
- Sep 2001
- Posts
- 195
add this IP to your list
202.162.34.30
This guy's pissin me off
-
02-13-2002, 11:18 AM #37 Web Hosting Master
- Join Date
- Sep 2000
- Posts
- 1,939
Hello
As the person who started this thread I thought I should give an update.
We are continuing to block certain countries and our credit card fraud rate has decreased to practically zero.
All we get now is the odd malicious chargeback where a real card has been used but someone fancies some free services.
However, we have noticed some very odd logs with repeated multiple (automated?) attempts to access our web sites thousands of times from the same IP's in the countries we have blocked.
e.g.
1 3335 4.04% 0 0.00% 997 0.46% 1 0.02% 202.155.37.233
3335 attempts to access our main website resulting in 0 files being served to the visitor.
The IP is in Indonesia
Our logs are full of these by the thousands from Malaysia and the Philippines also.
SO........... I guess we have pissed some people off big time and they have decided to retaliate.
Not quite a ddos attack but strange none the less.
Gordon
Formerly: Managing Director, Hostroute.com Ltd & Marketing Director, Ultraspeed UK Ltd
View my Professional Profile: www.gordonhudson.com
-
02-13-2002, 11:44 AM #38 Web Hosting Guru
- Join Date
- Oct 2001
- Posts
- 264
Hi Gordon,
Could you post your latest IP list? Much appreciated thanks
eat me
-
02-13-2002, 11:58 AM #39 Web Hosting Master
- Join Date
- Sep 2000
- Posts
- 1,939
Hello
Haven't really updated it since, but I am about to add the new IP blocks for the three countries I am interested in blocking.
At the time I drew up the original list they had been allocated but not delegated to APNIC.
Now some of them are being used I need to add them.
I will post the list or the raw data when I get round to updating it.
I would also say that the majority of these issues come from IP's on the academic/university networks.
While we are at it, could someone explain why these countries produce credit card fraudsters, but others don't seem to?
I mean, yes these countries have some poor rural areas but they are not that poor.
We have never had a credit card fraud from Singapore but we have from Malaysia (and we do a lot of business with Singapore).
We have never had a fraud from India but we have from Pakistan.
We have never had a fraud from a Central or South American country, even relatively poor countries like Ecuador and Bolivia where we have customers have not proved to be any problem.
So..... what gives?
Why these countries?
Gordon
Formerly: Managing Director, Hostroute.com Ltd & Marketing Director, Ultraspeed UK Ltd
View my Professional Profile: www.gordonhudson.com
-
02-13-2002, 12:10 PM #40 Web Hosting Guru
- Join Date
- Oct 2001
- Posts
- 264
Culture perhaps?
By the way have you had any experience good or bad with China?
eat me
-
02-13-2002, 12:22 PM #41 Web Hosting Master
- Join Date
- Sep 2000
- Posts
- 1,939
Funny you should mention China.
About 10 minutes ago we had a domain registration from the US but an IP in China.
Just phoned the card holder - he has no knowledge of the transaction.
That's our first fraud for a very long time.
As always it was a 5 year domain registration.
I don't think we have ever had a genuine domain registration longer than 3 years and every 10 year one we have had was a fraud.
Gordon
Formerly: Managing Director, Hostroute.com Ltd & Marketing Director, Ultraspeed UK Ltd
View my Professional Profile: www.gordonhudson.com
-
02-13-2002, 12:38 PM #42 Web Hosting Guru
- Join Date
- Oct 2001
- Posts
- 264
How do you find out / phone the real CC card holder?
Which payment gateway did you use, does the card info get through you first?
Sorry if this is too many questions, but I will be opening CC order soon so these things are pretty important.
Thanks
eat me
-
02-13-2002, 12:55 PM #43 Web Hosting Master
- Join Date
- Sep 2000
- Posts
- 1,939
The fraudster had actually put the card holder's real number on the order.
Normally I look them up in one of the online telephone directories.
The purchase had already been cleared so we have lost $4.55 because of the commission we have to pay on the transaction.
We use Worldpay and it's possible to do manual authorisation but if you do this it prevents you doing monthly payments as it would all get too complicated.
Gordon
Formerly: Managing Director, Hostroute.com Ltd & Marketing Director, Ultraspeed UK Ltd
View my Professional Profile: www.gordonhudson.com
-
02-13-2002, 01:23 PM #44 Junior Guru Wannabe
- Join Date
- Oct 2001
- Location
- Philadelphia, Pa
- Posts
- 76
Yeah, I've had the same experience where they actually use the correct phone number during signup of the cardholder. God, what a horrible call to have to make!! Needless to say, we no longer have fully automated transactions.
We have also blocked Indonesia, and other similar areas, but...
Just last night, I watched in real time as someone who said they were from Texas
1. signed up with a card from Texas - denied
2. signed up with a card from Florida - denied
3. signed up with card from Montana - ok
4. IP address from MA
Then they provided me the phone number of the credit card bank, which was in New Jersey!
Boy these people are creative
jv
BlackStar Web Hosting
www.blackstarhosting.com
-
02-13-2002, 02:34 PM #45 Web Hosting Master
- Join Date
- Jan 2002
- Posts
- 3,126
Two Steps we Take
One-We do require phone number and verify it with the address, calling it if at all suspicious.
Two-we require the security code from the back of the card-the three digit code-this is not as readily available and, at least to this point, requires physical presence of card.
-
02-16-2002, 11:36 AM #46 Junior Guru Wannabe
- Join Date
- Feb 2002
- Location
- Indiana
- Posts
- 49
Originally posted by muppie
Actually this is much better than putting it in .htaccess
just insert this code in a function and call it from your order form and if it returns true, then you just say "sorry we are currently not accepting orders from your area"
Note tho... that this script blocks 202.* which includes Australia as well!
Cheers
First let me say that it was great to stumble across this thread, it is the most useful material I have ever read on this subject in one place!
We have been dealing with this problem for years and have come to the same conclusions you have. Our deny list was not as complete as the one here however so I am going to update it.
I want to warn you that there are some problems associated with this if you have a high bandwidth site. Artbycheryl.com transfers about 30-40 gb per month and a deny list half as long as the one posted here ground our normally spectacular shared server to a complete halt. Remember that every single request goes through that routine, every image, every document, etc.
Fortunately, our cart that handles orders across all of our domains is located on a different server and has significantly less traffic. We use the htaccess deny list on it and just deny crooks access to our cart for placing fraudulent orders.
Unfortunately, this forces us to allow users from countries who habitually abuse our goodwill to have access to our popular sites that contribute to the legitimate web community. If I had my way I would deny all of our sites to everyone in those countries. Why should we offer them anything when we could not accept an order from them anyway, they are just wasted bandwidth.
The PHP script discussed might solve the problem, I can think of a couple of ways to implement it that might work. I don't understand how to use it though... can you be more specific? I am Perl literate but have worked very little with PHP... what does the html tag look like to call the function and how (where) do you install the script?
We registered combatfraud.org out of sheer frustration with the system that allows fraud to flourish. It is not complete yet but the content will be very similar to this thread. I am writing it with the new web merchant in mind in order to pass along our trial and error learned knowledge to the less experienced.
I would like to offer this script along with detailed instructions on how to install and implement it. Of course you will get full credit for authoring it and a link if you allow me to share it.
I have some more to add but I will do it in another post. I can't tell you how happy I am to have found a group of people who share and talk about this serious problem! We were really starting to feel like an island under siege here.
Rick Thompson
fortweb.com
artbycheryl.com
photoimpact-objects.com
etc., etc., etc.
-
02-16-2002, 12:06 PM #47 Web Hosting Master
- Join Date
- Sep 2000
- Posts
- 1,939
OK Rick
Well I felt the same way.
Something had to be done.
We don't have the problem because our business sites are on dedicated servers.
The .htaccess deny list works but it's not very elegant.
I don't like the php solution suggested because it blocks too many countries including Australia which would lose us money.
We have had three frauds recently.
One from Nepal with someone using a satellite internet connection with a US IP address.
The others from China.
We also had one from Taiwan although it has not been confirmed as a fraud yet (it was warez so I assume the card was a stolen number)
Gordon
Formerly: Managing Director, Hostroute.com Ltd & Marketing Director, Ultraspeed UK Ltd
View my Professional Profile: www.gordonhudson.com
-
02-16-2002, 12:12 PM #48 Junior Guru Wannabe
- Join Date
- Feb 2002
- Location
- Indiana
- Posts
- 49
Originally posted by GordonH
Actually I looked at this page earlier (found it on Google) but I can't work out what should be here:
RewriteRule ^/.* - [F]
The rule needs to point to a file.
I will need to read through the manual.
Gordon
Can you specify an entire path to your 403 file? I am not sure about this but you can try it...
Instead of ...
ErrorDocument 403 /403.shtml
use the entire path to another file located on another server for your 403 error document.
How about this, I think you can pass error messages through the default 403 document like this...
ErrorDocument 403 "We're sorry, but your access has been denied due to idiots who share your IP address.
Rick Thompson
-
02-16-2002, 12:45 PM #49 Web Hosting Master
- Join Date
- Nov 2001
- Location
- Singapore
- Posts
- 769
Just want to check - no one is blocking out Singapore, right?
Since recently, I've not been able to access a few web hosting services - including mine with spiral - did you guys block us Singaporeans out by mistake? Cos the ISP that I'm on is quite major in SE Asia
-
02-16-2002, 12:46 PM #50 Aspiring Evangelist
- Join Date
- Jul 2001
- Posts
- 449
I posted this on hosting software and control panels forum, this is a freeware and open source script I made that checks an IP mask list and redirects a person to a different page if his IP belongs to a specific mask.
Here are the contents from that thread
Well, I was hit with about 2 fraudulent orders from Indonesia this month, so I decided to make this script, I saw couple of posts by some people with ways to disable access to the site completely using httpd.conf but I really think that's just a way to lose a fraction of customers from Asian countries, small fraction but it does matter.
Therefore I made this script, what it does is that if a person's IP belongs to the one in the ipmasks it redirects him to some other page you specify and if it isn't then it redirects him to the order page you specify. On my site I made it redirect to a page where it asks the person to send faxed copy of their CC front and back side and provide other information.
It supports ability to check proxies by opening connections on ports 8080, 8008, 1080 etc (You can add your own by editing config.php) and also the ability to check the extensions of reversed hostmask (say most ISPs in Malaysia use .my hostmasks instead of normal IPs, check hostmasks.txt for adding your own) and also the ability to check a certain email address and see if it belongs to the free email providers list.
Here is the extract from readme.txt I wrote:
quote:
--------------------------------------------------------------------------------
//######################
// CC Fraud Checker Script v1.0
//######################
// Copyright (c) 2001 Varun Shoor
// Email: varun@kayako.com
//######################
// You are free to redistribute this script
// provided this header is kept intact
//######################
I made this script in my part time because I had processed about 2 fraudulent orders from Indonesia
this month alone and I was getting tired of getting hit with transaction fees and all.
Requirements:
PHP 4.0.1pl1 or later
Usage:
To use this script, edit the config.php to suit your needs, once you have failed url and success url set up
replace the current order links at your pages with the ones in this script, Example:
<a href="http://www.yourdomain.com/checker/index.php">Click Here to Order!</a>
If the person's IP belongs to the one in mask, he will be redirected to the failed url page else he will be
redirected to the success url page, I recommend you ask the person to fax his credit card's front and back
sides at the failed url page so you don't lose on customers.
Extended Functionality:
You can further make it check the emails, for this purpose you can redirect a person to say:
http://www.yourdomain.com/checker/i...aud@hotmail.com if the email host matches the
one in emailist.txt it will redirect the person to the failed url page. It is recommended you use email functionality
from within your order form script if its in PHP.
Adding more ips, hosts, emails:
Look into ipmasks.txt, all ips should have a * as a wildcard, example: 202.*.54.*
hostmasks.txt contain the last domain name TLD, I have yet to implement wildcard functionality into it
emailist.txt contains the list of free email providers
To add more proxy ports look into config.php
If you have any more questions or improve the listing of ipmasks or hostmasks then do email me at varun@kayako.com
--------------------------------------------------------------------------------
Just thought this might help other people suffering from these problems, I have yet to thoroughly test proxy checking+hostmask checking but AFAIK it should work perfectly.
Hope that helps
Regards,
Varun Shoor
eSupport - Feature Packed & Robust Support System (Supports email+web based interface)
LiveResponse - The Ultimate Live Support Package (Unmatched features & Speed)
http://www.kayako.com