  1. #1
    Join Date
    Dec 2001
    Location
    Fresno, CA
    Posts
    306

    Fraud, fraud... ohh dear, fraud!

    Yesterday we received a very, very large number of fraud orders.

    We received about 40 orders yesterday....about 32 or 33 were fraud. We were forced to call up on someone, because these were valid credit cards, but invalid addresses and all came from the same IP block.

    203.162.*.*

    This guy tried changing IP, I guess, in every order and used different e-mail addresses, but always kept it with @yahoo.com. Now I am not sure what Eryxma is doing about this, since they just kept us out from knowing that much information, just told us they notified the authorities, etc., and started banning this person, and well, my assignment was to remove all orders we have gotten from 203.162.*.* and there are a few, and looking at them, all are from Vietnam. And looking at our order status page, this person has tried to come to our order forms again, and tried to order 29 times today.

    I can't receive that much info from Eryxma right now, since they aren't saying much.

    But I was wondering, and wanted to let you know about this IP: has this happened to anyone else?

  2. #2
    Join Date
    Nov 2001
    Posts
    5,383
    Yes we have been hit by many today, let me get the ip's.
    Clustered Hosting With Continuous Data Protection (CDP)
    http://www.solidinternet.com
    8 Years of hosting excellence!

  3. #3
    Join Date
    Jun 2002
    Location
    Australia & The Pacific
    Posts
    75
    Has anyone tried hostabuse?

  4. #4
    Join Date
    Dec 2001
    Location
    Fresno, CA
    Posts
    306
    Look at this, since I monitor humanclick and monitor the orders that come in, look what I found:

    Shiekron: How may I help you ?
    Visitor: zbrs.com and son3vil.ws hosting are del ?
    Shiekron: yes sir for fraud
    Visitor: thanks
    Visitor: i'll never fraud
    Shiekron: we have received a numerous amount of orders from this IP block and we were forced to do so
    Visitor: do you wanna know how can i have that Credit Card
    Shiekron: Why sir?
    Visitor: here :
    Visitor: http://www.vnlogic.net/cgi-bin/ultimatebb.cgi?
    Visitor: i get it from that forum
    Shiekron: sorry sir, we just don't welcome this, nor do we tolerate this
    Visitor: yes,i know
    Shiekron: Have a nice day.
    Visitor: but
    Shiekron: But what sir?
    Visitor: can i register again with my CREDIT CARD ?
    ----REST CUT OFF---

    I cut off the rest because it was just too violent.

  5. #5
    Join Date
    Nov 2001
    Location
    Singapore
    Posts
    769
    This is quite worrying for hosts. I wonder whether the other 3rd-party services like Revecom and 2Checkout have this kind of fraud screening...?

  6. #6
    Join Date
    Jun 2000
    Location
    Southern California
    Posts
    12,136
    Some contact info on the domain. I suggest you try to verify that there are cc#'s being posted, contact the host about it if so, and if that doesn't work, try RS abuse. Domain doesn't exactly have contact details (maybe enom would just remove it, heh)...


    Address lookup
    canonical name www.vnlogic.net.
    aliases
    addresses 216.127.70.95


    Domain Whois record
    Querying whois.internic.net with "dom vnlogic.net"...

    Whois Server Version 1.3

    Domain names in the .com, .net, and .org domains can now be registered
    with many different competing registrars. Go to http://www.internic.net
    for detailed information.

    Domain Name: VNLOGIC.NET
    Registrar: ENOM, INC.
    Whois Server: whois.enom.com
    Referral URL: http://www.enom.com
    Name Server: NS9.VNSTYLE.NET
    Name Server: NS10.VNSTYLE.NET
    Updated Date: 25-jun-2002


    >>> Last update of whois database: Sat, 29 Jun 2002 04:50:21 EDT <<<

    The Registry database contains ONLY .COM, .NET, .ORG, .EDU domains and
    Registrars.

    Querying whois.enom.com with "vnlogic.net"...

    Access to eNom's Whois information is for informational
    purposes only. eNom makes this information available "as is,"
    and does not guarantee its accuracy. The compilation, repackaging,
    dissemination or other use of eNom's Whois information in its
    entirety, or a substantial portion thereof, is expressly prohibited
    without the prior written consent of eNom, Inc. By accessing and
    using our Whois information, you agree to these terms.


    Domain name: vnlogic.net

    Registrant Contact:
    XXX
    XXX XXX (huu_tu@yahoo.com)
    XXX
    FAX: XXX
    xxx
    xxxx, 10400
    MA


    Billing, Administrative Contact:
    XXX
    XXX XXX (huu_tu@yahoo.com)
    XXX
    FAX: XXX
    xxx
    xxxx, 10400
    MA


    Technical Contact:
    xxx
    xxx xx (huu_tu@yahoo.com)
    xxx
    FAX: xxx
    xx
    xxx, 10400
    MA



    Status: ACTIVE
    Note: To help prevent fraudulent or erroneous
    transfers, we encourage registrants to place their domains on "lock"
    status with their current registrar.

    Name servers:
    ns9.vnstyle.net
    ns10.vnstyle.net

    Created: 01/08/02 03:10:14
    Expires: 01/08/03 03:10:14
    --------------------------------------------------------------------------------
    This information was provided by Enom, Inc. an accredited ICANN registrar.
    http://www.enom.com
    Register your domain name today!

    Network Whois record
    Querying whois.arin.net with "216.127.70.95"...

    Everyones Internet, Inc. (NET-EVRY-BLK-10) EVRY-BLK-10
    216.127.64.0 - 216.127.95.255
    Azeem Butt (NETBLK-AZEEM) AZEEM 216.127.70.88 - 216.127.70.95

    To single out one record, look it up with "!xxx", where xxx is the
    handle, shown in parenthesis following the name, which comes first.

    The ARIN Registration Services Host contains ONLY Internet
    Network Information: Networks, ASN's, and related POC's.
    Please use the whois server at rs.internic.net for DOMAIN related
    Information and whois.nic.mil for NIPRNET Information.
    Querying whois.arin.net with "!NETBLK-AZEEM"...

    Azeem Butt (NETBLK-AZEEM)
    39867 Potrero Dr
    Newark, CA 94560
    US

    Netname: AZEEM
    Netblock: 216.127.70.88 - 216.127.70.95

    Coordinator:
    Administration, DNS (DA37-ORG-ARIN) hostadm@SIRIUS.COM
    +1-415-865-5080
    Fax- +1-415-865-5004

    Record last updated on 13-Oct-1999.
    Database last updated on 28-Jun-2002 19:59:48 EDT.

    DNS records
    name class type data time to live
    www.vnlogic.net IN A 216.127.70.95 86396s (23h 59m 56s)
    vnlogic.net IN MX preference: 10
    exchange: mail.vnlogic.net
    86396s (23h 59m 56s)
    vnlogic.net IN SOA server: ns9.vnstyle.net
    email: webmaster@vntoday.org
    serial: 6
    refresh: 3600
    retry: 600
    expire: 86400
    minimum ttl: 3600
    3600s (1h)
    70.127.216.in-addr.arpa IN SOA server: ns1.ev1.net
    email: admin@ev1.net
    serial: 1022774587
    refresh: 10800
    retry: 3600
    expire: 432000
    minimum ttl: 38400
    38400s (10h 40m)

    Service scan
    FTP - 21 220 ProFTPD FTP Server ready.
    SMTP - 25 220 ns9.vnstyle.net ESMTP Sendmail 8.11.6/8.11.6; Sun, 30 Jun 2002 02:17:01 -0600
    HTTP - 80 HTTP/1.1 200 OK
    Date: Sun, 30 Jun 2002 08:17:06 GMT
    Server: Apache/1.3.22 (Unix) (Red-Hat/Linux) mod_jk/1.2.0 mod_perl/1.24_01 PHP/4.1.1 FrontPage/5.0.2 mod_ssl/2.8.5 OpenSSL/0.9.6b
    Connection: close
    Content-Type: text/html

    POP3 - 110 +OK POP3 ns9.vnstyle.net v2000.70rh server ready
    NNTP - 119 Error: Connection refused

    HostHideout.com - Where professionals discuss web hosting.

    • Chicken

  7. #7
    Join Date
    Sep 2001
    Location
    Vienna, Austria
    Posts
    1,074
    ah goodness.

    i feel a scandal coming on.

  8. #8
    Join Date
    May 2002
    Posts
    542
    Visitor: can i register again with my CREDIT CARD ?
    Jay » jay@frontdrive.com • AIM » FDrive Support
    Front Drive™ » Advanced multi-domain solutions
    http://www.frontdrive.com/

  9. #9
    Originally posted by Chicken
    Some contact info on the domain. I suggest you try to verify that there are cc#'s being posted, contact the host about it if so, and if that doesn't work, try RS abuse. Domain doesn't exactly have contact details (maybe enom would just remove it, heh)...

    Enom.com. No wonder they have let it go on this long. They respond to abuse complaints as fast as molasses in winter. I've been reporting a pr0n spammer on their network for the last year and a half and the site is still active.

    AVOID reporting anything to Enom for anything. Hit their upstream since they refuse to listen to abuse complaints. I'm surprised they are still actively hosting.

  10. #10
    Join Date
    Feb 2002
    Location
    Los Angeles, CA
    Posts
    204
    Report it to abuse ev1.net, or email abuse@ev1.net

    Hackers, I believe, are not allowed on their network. They will have it deleted in no time, I hope.
    Or call rackshack
    FastWebHost.com - Business Web Hosting, Reseller Hosting, WordPress & Fast VPS Hosting
    FastWebHost.in Best India Web Hosting Provider. India Web Hosting
    Hosting Websites Since 2002. Locations: USA, Netherlands, Germany and India.

  11. #11
    I have already reported this.

    I hope soon this is solved.

    I can't take it. I blocked all of Vietnam!

    Have a nice day!

  12. #12
    Join Date
    Jun 2000
    Location
    Southern California
    Posts
    12,136
    Originally posted by Annie-Mei
    Enom.com. No wonder they have let it go on this long. They respond to abuse complaints as fast as molasses in winter. I've been reporting a pr0n spammer on their network for the last year and a half and the site is still active.

    AVOID reporting anything to Enom for anything. Hit their upstream since they refuse to listen to abuse complaints. I'm surprised they are still actively hosting.
    Enom is the registrar of the domain above, not the provider of the hosting services, nor the upstream provider of the host. They do provide DNS services and a 10 page web site, however it is likely you've been complaining to the wrong company, thus the porn spammer is still active. In this case, Enom's upstream has nothing to do with it and they don't provide POP/SMTP services so your spammer isn't using the enom system to send his spam. As I said, it is likely that you're reporting this to the wrong people.
    HostHideout.com - Where professionals discuss web hosting.

    • Chicken

  13. #13
    Join Date
    Feb 2001
    Location
    Nr Cambridge, UK
    Posts
    525
    it's shocking to see the amount of fraud going on.

    I got a promotional email about some McAfee products.. looked legit.. but it wasn't on McAfee's site and their order form wasn't secure. So I went to McAfee's site and no mention of the offer.

    James

  14. #14
    Join Date
    Jun 2002
    Posts
    1,378
    I wanted to hop in here real quick and ask a couple questions...

    First, I fail to understand at all why someone would be entering erroneous information on order forms? Am I misunderstanding this, or are they committing credit card fraud to sign up for... services they probably don't actually want?

    Second, a quick technical question pertaining to netblock assignments (as Chicken has posted them.) Isn't there a way to get these via "whois", as opposed to going to ARIN's site (which is what I do now.)

    Again, while I'm sorry this is going on, I really cannot understand their motives.

  15. #15
    Join Date
    Jun 2002
    Posts
    1,210
    Originally posted by HostInspect
    Look at this, since I monitor humanclick and monitor the orders that come in, look what I found:

    Shiekron: How may I help you ?
    Visitor: zbrs.com and son3vil.ws hosting are del ?
    Shiekron: yes sir for fraud
    Visitor: thanks
    Visitor: i'll never fraud
    Shiekron: we have received a numerous amount of orders from this IP block and we were forced to do so
    Visitor: do you wanna know how can i have that Credit Card
    Shiekron: Why sir?
    Visitor: here :
    Visitor: http://www.vnlogic.net/cgi-bin/ultimatebb.cgi?
    Visitor: i get it from that forum
    Shiekron: sorry sir, we just don't welcome this, nor do we tolerate this
    Visitor: yes,i know
    Shiekron: Have a nice day.
    Visitor: but
    Shiekron: But what sir?
    Visitor: can i register again with my CREDIT CARD ?
    ----REST CUT OFF---

    I cut off the rest because it was just too violent.
    Looks like he's trying to do a phone wind-up there, he's acting dumb a bit like Ali G or again people who do phone wind-ups, the nid.
    Professor of crime at St Andrews university.

  16. #16
    We've had nothing but bad luck from Vietnamese orders also, they've all been spammers.

    First, I fail to understand at all why someone would be entering erroneous information on order forms? Am I misunderstanding this, or are they committing credit card fraud to sign up for... services they probably don't actually want?
    They need a way to try out the new credit card numbers they've gotten ahold of. Unfortunately we're an easy target since no shipping information is collected. Also, it's much easier to try out on the internet with a proxy, than to walk into a retail store and buy something. It requires less balls. I really do feel sorry for those hosts who have "Instant Activation", that's just asking for it.
    http://www.sonichost.net
    Hosting Solutions That Won't Break Your Budget!

  17. #17
    Join Date
    Dec 2001
    Location
    New Jersey
    Posts
    1,152
    Hi, did anybody send out a general notice to 2checkout and the other CC companies we all do business with? If that link is a qualified CC link then I think they would want it.

    mike
    I am Mike From ADEHOST.Com, Multidomain Windows hosting with Cold Fusion and ASP and Dot.NET Also offering multi-domain Unix hosting. silently, each one should ask, Have I done my daily task. Have I kept my honor bright, can I sleep without guilt tonight. Have I done and have I did, everything, to be prepared. - our motto to maintain services.

  18. #18
    I am new to credit card processing (and fraud), but it seems to me all the security checks before a credit card is verified and actually accepted online are just for show. My experience below suggests so:

    I recently wanted to buy a domain from Godaddy and it just would not accept my card. The helpdesk told me that they do not accept customers from Singapore because of previous fraud (interestingly they do not dare to post such discrimination openly on their webpage).
    Well, I went back to the order page and entered an address in Germany (I am German, but this is NOT my card billing address!) and it went through without problems, Singaporean card and all!
    Next time I could put in a bogus address and later dispute the charges, right? Too bad I am honest, but it certainly serves them right if other people from the countries they discriminate against are not!

  19. #19
    Join Date
    Sep 2001
    Location
    Clifton Park, NY
    Posts
    925
    We get many, many fake successful orders a month, however we call and verify every one now and cancel the account and reverse the charge immediately if it doesn't go through right. I think a big reason they do it is to test the cards to see if they are good before they take them somewhere to try to card actual merchandise.

    -Brendan

  20. #20
    Join Date
    Feb 2002
    Location
    Los Angeles, CA
    Posts
    204
    We do not get fraud orders (touch wood) for 3 reasons

    1. We have banned all free email addresses from submitting orders, about 300 or so and adding; only ISP addresses are allowed. This has however not decreased the order rate, but has zeroed the fraud orders.

    2. Banned any IPs and ISPs which are known for fraud orders. So that narrows down even more. Even banned proxy servers in our billing .htaccess file.

    3. We have a strict authorize.net AVS and CVV2 system which also helps us; even if the address is right and the zip is not, it declines the order, or vice versa, and other tricks.

    I see lots of orders being declined due to wrong billing address, and 50% of those orders are fraud and 50% are users who didn't provide the right billing address, and they do write us an email asking why it is declined, and we tell them that their zip or address didn't match the billing address from their bank or card bank, and they modify it and the order goes through.

    We do get orders from Vietnam and Singapore and all are legit with the right address in Singapore and Vietnam so far

    Most fraud gets rejected by the .htaccess file.

    Hope this helps
    FastWebHost.com - Business Web Hosting, Reseller Hosting, WordPress & Fast VPS Hosting
    FastWebHost.in Best India Web Hosting Provider. India Web Hosting
    Hosting Websites Since 2002. Locations: USA, Netherlands, Germany and India.
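
Added example, not part of any post in this thread and not any poster's code: a small Python order pre-screen that combines the signals described above (many orders from one IP block despite rotating addresses and e-mail accounts, as in post #1; free e-mail domains and AVS mismatches, as in post #20). Field names, thresholds, the domain list and the sample orders are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Assumptions (not from the thread): thresholds, field names, this short domain list.
FREE_MAIL_DOMAINS = {"yahoo.com", "hotmail.com"}
WINDOW = timedelta(hours=24)
BLOCK_THRESHOLD = 5  # orders from one block inside WINDOW before all are held

def block_of(ip, prefix=16):
    """Collapse an address to its enclosing block, e.g. 10.20.7.9 -> 10.20.0.0/16."""
    return ipaddress.ip_network(f"{ip}/{prefix}", strict=False)

def screen_orders(orders, prefix=16):
    """Return {order_id: [reasons]} for orders that should be held for manual review."""
    reasons = defaultdict(list)
    by_block = defaultdict(list)
    for order in orders:
        by_block[block_of(order["ip"], prefix)].append(order)
    # Velocity: rotating IPs and e-mail addresses does not help if the block stays the same.
    for block, group in by_block.items():
        group.sort(key=lambda o: o["time"])
        start, hot = 0, set()
        for end, order in enumerate(group):
            while order["time"] - group[start]["time"] > WINDOW:
                start += 1
            if end - start + 1 >= BLOCK_THRESHOLD:
                hot.update(o["id"] for o in group[start:end + 1])
        for order in group:
            if order["id"] in hot:
                reasons[order["id"]].append(f"velocity:{block}")
    for order in orders:
        domain = order["email"].rsplit("@", 1)[-1].lower()
        if domain in FREE_MAIL_DOMAINS:
            reasons[order["id"]].append("free-email")
        # AVS: both street and ZIP must match what the card issuer has on file.
        if not (order["avs_street"] and order["avs_zip"]):
            reasons[order["id"]].append("avs-mismatch")
    return dict(reasons)

def sample_orders():
    """Constructed sample data; addresses are private or documentation ranges."""
    t0 = datetime(2002, 6, 28, 9, 0)
    rows = [  # id, ip, email, avs_street, avs_zip, minutes after t0
        (1, "10.20.1.5", "buyer1@yahoo.com", False, True, 0),
        (2, "10.20.7.9", "buyer2@yahoo.com", False, False, 20),
        (3, "10.20.44.3", "buyer3@yahoo.com", True, False, 45),
        (4, "10.20.90.1", "buyer4@yahoo.com", False, True, 70),
        (5, "10.20.200.8", "buyer5@yahoo.com", False, False, 95),
        (6, "192.0.2.10", "owner@isp.example", True, True, 30),
        (7, "198.51.100.7", "shop@yahoo.com", True, True, 60),
        (8, "10.20.3.3", "late@isp.example", True, True, 60 * 48),
    ]
    keys = ("id", "ip", "email", "avs_street", "avs_zip")
    return [dict(zip(keys, r[:5]), time=t0 + timedelta(minutes=r[5])) for r in rows]

if __name__ == "__main__":
    for order_id, why in sorted(screen_orders(sample_orders()).items()):
        print(order_id, why)
```

Order 8 comes from the same block two days later with clean AVS and an ISP address, so it is not held; the velocity rule only applies inside the 24-hour window.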

  21. #21
    Join Date
    Jul 2002
    Location
    Orlando Florida
    Posts
    538
    My God! That's scary! They have a forum with CC#'s posted. I feel so sorry for the victims whose cards are on this site. They need to be contacted themselves to cancel their cards ASAP!

  22. #22
    Join Date
    Aug 2001
    Location
    Houston, Texas
    Posts
    695
    It looks like Rackshack was hosting that forum site. But, as it violates our AUP/TOS, it is no more. We should all watch where this site goes and let the new host know what is being done on that site.

    Robert
    Robert Marsh
    Head Surfer

  23. #23
    Join Date
    May 2002
    Posts
    604
    Originally posted by fog
    I wanted to hop in here real quick and ask a couple questions...

    First, I fail to understand at all why someone would be entering erroneous information on order forms? Am I misunderstanding this, or are they committing credit card fraud to sign up for... services they probably don't actually want?

    Second, a quick technical question pertaining to netblock assignments (as Chicken has posted them.) Isn't there a way to get these via "whois", as opposed to going to ARIN's site (which is what I do now.)

    Again, while I'm sorry this is going on, I really cannot understand their motives.
    No kidding, why would you want to commit fraud for such an inexpensive product as shared hosting!

  24. #24
    Join Date
    Sep 2001
    Location
    Vienna, Austria
    Posts
    1,074
    i believe HRbrendan gave one of the major reasons.

    Originally posted by HRBrendan
    .....I think a big reason they do it is to test the cards to see if they are good before they take them somewhere to try to card actual merchandise.

    -Brendan

  25. #25
    Join Date
    May 2002
    Posts
    604
    Oops, missed that.
