September 22, 2014

Hardly a week goes by when I don’t hear from a reader wondering about the origins of a bogus credit card charge for $49.95 or some similar amount for a product they never ordered. As this post will explain, such charges appear to be the result of crooks trying to game various online affiliate programs by using stolen credit cards.

Bogus $49.95 charges for herbal weight loss products like these are showing up on countless consumer credit statements.

Most of these charges are associated with companies marketing products of dubious value and quality, typically by knitting a complex web of front companies, customer support centers and card processing networks. Whether we’re talking about a $49.95 payment for a bottle of overpriced vitamins, $12.96 for some no-name software title, or $9.84 for a dodgy Internet marketing program, the unauthorized charge usually is for a good or service that is intended to be marketed by an online affiliate program.

Affiliate programs are marketing machines built to sell a huge variety of products or services that are often of questionable quality and unknown provenance. Very often, affiliate programs are promoted using spam, and the stuff pimped by them includes generic prescription drugs, vitamins and “nutriceuticals,” and knockoff designer purses, watches, handbags, shoes and sports jerseys.

At the core of the affiliate program is a partnership of convenience: The affiliate managers handle the boring backoffice stuff, including the customer service, product procurement (suppliers) and order fulfillment (shipping). The sole job of the “affiliates” — the commission-based freelance marketers who sign up to promote whatever is being sold by the affiliate program — is to drive traffic and sales to the program.

THE NEW FACE OF SPAM

It is no surprise, then, that online affiliate programs like these often are overrun with scammers, spammers and others easily snagged by the lure of get-rich-quick schemes. In June, I began hearing from dozens of readers about unauthorized charges on their credit card statements for $49.95. The charges all showed up alongside various toll-free 888- numbers or names of customer support Web sites, such as supportacr[dot]com and acrsupport[dot]com. Readers who called these numbers or took advantage of the chat interfaces at these support sites were all told they’d ordered some kind of fat-burning pill or vitamin from some random site, such as greenteahealthdiet[dot]com or naturalfatburngarcinia[dot]com.

Those sites were among tens of thousands that are being promoted via spam, according to Gary Warner, chief technologist at Malcovery, an email security firm. The Web site names themselves are not included in the spam; rather, the spammers include a clickable URL for a hacked Web site that, when visited, redirects the user to the pill shop’s page. This redirection is done to avoid having the pill shop pages indexed by anti-spam filters and other types of blacklists used by security firms, Warner said.

The spam advertising these pill sites is not typical junk email blasted by botnet-infected home PCs, but rather is mostly “Webspam” sent via hacked Webmail accounts, said Damon McCoy, an assistant professor of computer science at George Mason University.

“Herbal spam from compromised Webmail accounts is a huge problem,” said McCoy, who has co-authored numerous studies on dodgy affiliate programs.

A support Web site named after the same number that appears on the "customer's" credit card statement.

Several sources at financial institutions that have been helping customers battle these charges say most of those customers at one point in the past used their credit cards to donate to one of several religious, political activist, and social service organizations online. I may at some point post another story about this aspect of the fraud if I can firm it up any more.

McCoy believes that most of the fraudulent charges associated with these affiliate program Web sites are the result of rogue affiliates who are merely abusing the affiliate program to “cash out” credit card numbers stolen in data breaches or purchased from underground stores that sell stolen card data.

“My guess is these are ‘legit’ herbal affiliate programs that are getting burned by bad affiliates,” McCoy said.

Affiliate fraud was a major problem for the two captains of competing pharmacy spam affiliate programs who are profiled in my upcoming book, Spam Nation. Most of the affiliate programs featured in my book dealt with the problem of scammers trying to use stolen cards to generate phony sales by placing two-week “holds” or “holdbacks” on all affiliate commissions: That way, if an affiliate’s “purchases” generated too many chargebacks, the affiliate program could terminate the affiliate and avoid paying commissions on the fraudulent charges.
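The holdback control described above, as an added sketch (not code from the article or from any affiliate program): commissions are released only after the hold period, and an affiliate whose chargeback ratio crosses a threshold is terminated and forfeits whatever is still held. The 30 percent commission rate, the 5 percent threshold, the affiliate names and all dates and sales are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from decimal import Decimal
from typing import Optional

COMMISSION_RATE = Decimal("0.30")       # assumed commission rate
MAX_CHARGEBACK_RATIO = Decimal("0.05")  # assumed termination threshold


@dataclass
class Sale:
    affiliate: str
    amount: Decimal
    sold_on: date
    charged_back_on: Optional[date] = None
    paid: bool = False


class CommissionLedger:
    def __init__(self, holdback_days: int):
        self.holdback = timedelta(days=holdback_days)
        self.sales: list[Sale] = []
        self.terminated: set[str] = set()
        self.paid_out: dict[str, Decimal] = {}

    def settle(self, today: date) -> None:
        """Daily run: cut off affiliates over the chargeback threshold,
        then release commissions whose hold period has elapsed."""
        by_affiliate: dict[str, list[Sale]] = {}
        for s in self.sales:
            if s.sold_on <= today:
                by_affiliate.setdefault(s.affiliate, []).append(s)

        for affiliate, sales in by_affiliate.items():
            if affiliate in self.terminated:
                continue
            disputed = sum(
                1 for s in sales
                if s.charged_back_on and s.charged_back_on <= today
            )
            if Decimal(disputed) / len(sales) > MAX_CHARGEBACK_RATIO:
                # Terminated: commissions still on hold are never paid.
                self.terminated.add(affiliate)
                continue
            for s in sales:
                matured = s.sold_on + self.holdback <= today
                clean = not (s.charged_back_on and s.charged_back_on <= today)
                if matured and clean and not s.paid:
                    s.paid = True
                    earned = s.amount * COMMISSION_RATE
                    self.paid_out[affiliate] = (
                        self.paid_out.get(affiliate, Decimal(0)) + earned
                    )


def simulate(holdback_days: int):
    """Run 31 daily settlements over constructed sample data."""
    start = date(2014, 6, 1)
    price = Decimal("49.95")
    ledger = CommissionLedger(holdback_days)

    # "honest": one sale a day for ten days, no disputes.
    for d in range(10):
        ledger.sales.append(Sale("honest", price, start + timedelta(days=d)))

    # "rogue": ten sales on day 0; six are disputed on days 5..10,
    # once cardholders notice the charge on their statements.
    for i in range(10):
        dispute = start + timedelta(days=5 + i) if i < 6 else None
        ledger.sales.append(Sale("rogue", price, start, dispute))

    for d in range(31):
        ledger.settle(start + timedelta(days=d))
    return ledger.paid_out, ledger.terminated


if __name__ == "__main__":
    for days in (0, 14):
        paid, terminated = simulate(days)
        print(f"holdback={days:>2}d paid={dict(paid)} terminated={sorted(terminated)}")
```

With no holdback the rogue affiliate is paid on the day of the sale, before the first dispute arrives; with the two-week hold the same affiliate is terminated on day 5 and collects nothing.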

But McCoy said it’s likely that this herbal affiliate program is not employing holdbacks, at least not in any timeframe that could deter rogue affiliates from running stolen cards through the system.

“If this affiliate program doesn’t have a holdback, they are a great target for this type of fraud,” McCoy said.

As if in recognition of this problem, the herbal pill Web sites ultimately promoted in these Webspam attacks are tied to a sprawling network of thousands of similar sites, all of which come with their own dedicated customer support Web site and phone number (866- and 888- numbers). Those same support phone numbers are listed next to the fraudulent charges on customers’ monthly credit card statements. In virtually all cases, the organization names listed on these support Web sites are legally registered, incorporated companies based in Florida.

All of the banks I spoke with in researching this story said customers told them that the support staff answering the phones at the 888- and 866- numbers tied to the herbal pill sites were more than happy to reverse the fraudulent charges. The last thing these affiliate programs want is a bunch of chargebacks: Too many chargebacks can cause the merchant to lose access to Visa and MasterCard’s processing networks, and can bring steep fines.

Not that legitimate customers of these dodgy vitamin shops are in for the best customer service experience either. Very often, ordering from one of these affiliate marketing programs invites even more trouble. A note appended in fine print to the bottom of the checkout page on all of the herbal pill sites advises: “As part of your subscription, you will automatically receive additional bottles every 3 Months. Your credit card used in this initial order will be used for future automatic orders, and will be charged $148.00 (Includes S/H).”

If you see charges like these or any other activity on your credit or debit card that you did not authorize, contact your bank and report the fraud immediately. I think it’s also a good idea in cases like this to request a new card in the odd chance your bank doesn’t offer it: After all, it’s a good bet that your card is in the hands of crooks, and is likely to be abused like this again.


50 thoughts on “Who’s Behind the Bogus $49.95 Charges?”

  1. Matt

    Brian,
    I have found just as many of these sites based in Korea as Florida.

    And yeah these guys have become a royal pain lately.

  2. MZ

    Another popular use case for stolen CCs is to card a competitor. If you do so, you’ll incur all kind of fines and fees on them with minimal risk to yourself. With luck, you can cut them off payment processing altogether.

    Obviously, holds don’t work against this sort of attack. A good anti-fraud system would help, but not that many affiliate programs have means and know-how to deploy one.

  3. Greg

    Not all affiliate programs are bad. Amazon, eBay and a huge number of legitimate companies have affiliate programs to push sales. These companies also have strict rules about how the affiliate does their marketing. Amazon and eBay are the most strict in my experience.

    I am pretty sure Brian was not referring to these.

    1. brian krebs

      Of course not all are bad. I was referring to those promoting “products of dubious value and quality” and “products or services that are often of questionable quality and unknown provenance.”

  4. Russ T

    That explains that. I was reviewing my credit card statements a few weeks back and found one of these $49.95 charges. Chase let that transaction through, but didn’t let any transaction through till after I contacted them (and they didn’t send me any notice…). Thanks Chase…..

  5. Nicholas Weaver

    This also suggests a strategy: If you see one of these charges, call your bank FIRST.

    Bad guy programs like this or Fake AV programs have to monitor their chargebacks carefully: too many and the merchant account dies, which is a substantial penalty.

    So give em chargebacks! Don’t call the company responsible for the charge, call your credit card company first.

    1. Keegan

      The bank pays for every chargeback, so it’s actually better for all involved to call the merchant first.

  6. Greg

    Grrr… My last comment did seem a little “snarky”. I’m working on that.

    Thanks Brian. I appreciate what you do.

  7. Andrew Conway

    We see a lot of spam for phony diet pills at Cloudmark, but it’s not restricted to webmail spam. The same spammers have also been active on SRS, and also social networks such as Pinterest and Facebook. There’s usually several steps to get to the landing page – an initial call to action link on a compromised domain or using a URL shortener, then a landing page on a disposable domain owned by the spammer, and finally a purchase link that takes you to the distributor’s landing page. The spam operation itself looks to be an affiliate program running on top of the distributor’s affiliate program.

    The same spammers are also monetizing via a “Free Cruise” scam and formerly a “Work From Home” scam. The monetization end of that was shut down by the FTC earlier this year, though.

  8. Bob

    Just got hit by this, went to my bank, marked the charge fraudulent, marked the debit card hot, rq’d a new one.

    Got a nice letter in the mail, “We’re sorry about this billing error”.

    How many billing errors = suspended bank account?

    I’ve started using 100% cash for my purchases after the Home Depot breach and your articles on modifying the PCI register to make USB keys look like keyboards. I have been using the debit card for online purchases only.

    Will be discussing with the banker later on about even keeping the cash in there. Credit union looks like a better bet.

    Looking forward to your book Brian, have it on pre-order. : – ).

      1. Andy

        Credit unions are a bad bet. They cut corners behind the scenes to offer .01% better savings rates and other tiny perks while they don’t take information security seriously. The FFIEC, in its May presentation, told NCUA members to get ready for a heavy audit focus on vulnerability identification and remediation. Most credit unions would rather add an extra teller at each branch and not have to hire and pay market rate to a dedicated infosec professional. Sure, your money is insured – but your identity isn’t and a year of post breach credit monitoring does nothing for an identity that you’ll have for a lifetime.

        1. O'Really

          “bad bet”? “cut corners”? “don’t take information security seriously”? etc etc

          Oh, really? Got sources?

          Credit Unions offer a much better deal for regular consumers, but it isn’t from “cutting corners” – it’s because they are non-profit and don’t grossly overpay their executives.

          http://www.nerdwallet.com/banking/credit-unions-vs-banks/

          http://money.msn.com/saving-money-tips/post–9-reasons-credit-unions-are-better-than-banks

          http://www.businessinsider.com/should-you-use-credit-unions-or-big-banks-2014-1

          ~~ O’Really ~~

          1. eddieski

            Actually, there is some validity in that CU’s don’t have the capital for security like some banks, or at least, are slow to adopt.
            e.g. there was a CU I was a member of that had only a 4pin online login, which not until 4 years ago, it became a 15 character login for pwd (that wouldn’t take the usual secure mix of symbols like _ or a space…).
            Talking with departmental mgrs (not tellers..), they looked like owls when I mentioned strong passwords. After all, it’s my money.
            Current CU I use has improved, and even has a CC printer so I visit now bi-monthly to have a new card and number. Still, their security isn’t where it should be. (they would rather sponsor vehicle contests with new referrals, new trips or shopping spree than put the money back into compounded interest).

    1. Old School

      Admiral Obvious here: ” I have been using the debit card for online purchases only. ” Please remember that the debit card is a “key” to your checking account. Why take a risk? Use a credit card instead of a debit card.

      1. Ross

        While using a credit card for purchases online and in person may be legally safer because of the fraud coverage required, not everyone can get them or if they can get them, they can’t get them on reasonable terms.

        Easy to say, more difficult to do. What’s the solution? One possibility is legal protection for debit cards and a higher level of authentication signature such as biometrics? PINs are nowhere near the level of authentication as completely old school paper checks. Don’t expect financial institutions to be jumping at the chance to ‘lead’ in the field of consumer protection.

        1. peter

          I agree – don’t use a debit card. Just don’t.

          If you have to, get a secured credit card. But don’t use a debit card.

          1. Ross

            Secured credit cards are as close to useless as you can get without dumping money into a ‘gift’ card. Sure you can only spend the amount in the account but you’re paying several times the price in usage fees. They eliminate the entire point of ‘convenience’ that cards hold because they are INconvenient to use and maintain. Might as well just use checks and mail order again. Even if someone did forge a check, it’s automatically a federal crime and it’s nearly always someone local.

            How about a bit of sensibility and level the playing field between debit cards, checks, and credit cards? Banks can bounce bad checks. There is no reason they can’t do the same thing to debit cards which are “check cards” should the charge prove fraudulent. They also need to get rid of this lack of real authentication. PIN numbers are easily stolen or reset and don’t actually prove the user is legit. Remote vendors don’t even require that and CV2 numbers are a joke. The whole ‘are you really who you say you are’ thing was much easier old school with checks. “Is this your signature, Sir?” “Nope, it’s not.” Problem over, forged signature, matter for the police. All credit cards and debit cards have done is made it far easier for crooks to get away with identity theft.

            1. Jonathan E. Jaffe

              (the following is in mode=sarcasm/mod:slight)

              Ross, one of the “advantages” of a debit card (from the issuer’s point of view) is that you can go OVER your account balance and effectively take out a loan that won’t be too expen$ive.

              (mode=serious/mod:PSA)
              For consumers the protections provided by a credit card are the best. Debit cards and pre-paid cards are way behind, laden with fees and limited protections. So why do people use them? For some reason they can’t get a credit card. So why do the hefty fees exist? Sometimes the rich and powerful take from the disadvantaged because they can.

              It is the same reason prisoners can only call out collect at prices that could top $2/minute. A glimmer of good news: FCC put out new rules 2/11/2014 that limit fees to a more reasonable $0.25/minute. (see http://www.fcc.gov/guides/inmate-telephone-service )

              (mode=serious/mod:neutral)
              I went to AutoZone for a spark plug for my weed eater. I paid cash. Now I have to go use the thing!

      2. Heron

        Yes, don’t use a debit card for online purchases. A credit card offers more protection, since no money leaves your account at the point of purchase.

        1. jh

          Or, make sure your debit card never has a lot of value loaded up on it.

          As for this whole scheme described by the shady businesses it is aka MLM (Multi Level Marketing).

  9. Charles McGuinness

    I’m amused that the website says “Were here to help”. Nice to know they were perhaps helpful in the past.

  10. TheOreganoRouter.onion.it

    These affiliate scam emails have been around since the late nineties starting with adult websites offering money for new user accounts being signed up. I might want to add here that links in those spams are either hacked websites or short URL link sites offering their free service.

    1. Jonathan E. Jaffe

      Re short URLs – if a company has a domain name they are more likely to use that to make a marketing impression instead of a TinyURL or similar. If you get an email from a “big” company with a Bit.ly URL alarm bells should ring loudly.

      This alone is one reason why Twitter links should be used only behind strong security. Even if from a source you know and trust could their confidential credentials have been compromised? Perhaps.

      Scam, Scam, everywhere a scam
      (sing to the tune of
      http://www.youtube.com/watch?v=D59ZWa8ehgI 3m 04s)

  11. PAC

    “Several sources at financial institutions … say most of those customers at one point in the past used their credit cards to donate to one of several religious, political activist, and social service organizations online.”

    +1

    and some “hole-in-the-wall” e-commerce merchants that sell auto, motorcycle, bicycle, and/or firearm parts. My guess is poor web security for these merchants or MOTO processor breach.

  12. Moike

    A similar class of customer dupes is the scammy web browser plugin that pops up a “Would you like our risk free trial cosmetic?” dialog just as the customer leaves their bank site. The implication is that the bank is offering a free trial cosmetic. Well, why not? The catch is that they ask for the credit card for “$5.00 shipping”. They never show any sort of total, but before the victim even gets their product, their card is hit for $99/month. An example of this is Pure Youth Solutions. There’s a whole network of this cosmetic-style scam in progress. The web sites last about 6 months before being shut down. [ The product could be legitimate, but the web browser plugin definitely is not ]

    The funny part is that if you search on the product name + “Scam”, an SEO’d YouTube video appears in the search results, and sure enough the YouTube video has “Scam” as one of the keywords!

  13. Jackie

    Brian, you have not mentioned where these “merchants” are getting the card information from. Was it obtained from the cardholder or another source?

    1. BrianKrebs Post author

      Yes, actually, I have. From the story:

      “Several sources at financial institutions that have been helping customers battle these charges say most of those customers at one point in the past used their credit cards to donate to one of several religious, political activist, and social service organizations online. I may at some point post another story about this aspect of the fraud if I can firm it up any more.”

  14. John

    Why does it seem more likely that these people clicked the flashing multicolored ad box “Lose weight, free diet pills” when they were visiting some random site and punched in their card themselves, not reading the fine print about it being a $49.95 subscription?

    I really doubt the 10% or whatever affiliate kickback on a $10-20 purchase is worth wasting a card number on.

    1. BrianKrebs Post author

      Wasting a card? Do you have any idea how cheap CVVs (card numbers sold for shopping online) are? If you’re not stealing them yourself (in which case they’re “free”), they’re usually only a dollar or two apiece. Contrast that with the fact that many affiliate programs will pay affiliates 30 percent of the price of the sale, and then multiply that out by hundreds of fraudulent charges. Starts to add up.

      1. GregFromCos

        But also don’t forget they can use the card over and over again until the person cancels it. Even if you get it refunded every month.

        In my experience they were very willing to reverse the charge if you called them within 2 weeks. But I had one charge that was a month old and they would not reverse that. Had to call my bank to take care of that.

  15. JATny

    Thanks, Brian! The winds, they keep a-blowing crazier every day. I haven’t gotten hit by this one, thank goodness. I noticed that all of these charges are under $50.

    In light of the Home Depot breach, I put activity alerts on my bank and card accounts for charges over $150. Obviously, I need to lower it. I don’t mind a couple extra texts a day. On the other hand, it was depressingly easy to change my mailing address (just moved) and pin numbers by phone. Maybe like others have said, the customer rep saw my caller ID. Unfortunately, there are phone services out there that will let you “call out” with any caller ID name you choose whether it fits the account name or not. I use a call out shield when I work from home. Easy, unfortunately.

  16. Scott

    Hey Brian,

    Thanks for the link to my blog in your post. Hopefully we’ll be able to catch the people behind this. I have now actually had one guy write in on my comments section who said he was a former employee of the “customer service company” that you get when you call their 800-number. Also, I had a current employee email me directly, confirming what the former employee wrote; he also requested that his real name remain private and has since closed his “burner” email address!

    As some of the commenters above said, it is best to not request a refund, as they will gladly oblige, likely somewhat legitimizing them and allowing the scam to continue. Best to call your bank directly and let them deal with it.

  17. GregFromCos

    Don’t think you have it quite right here.

    Take a look at this blog post and especially page 2 and the comments from a reader called Josh.

    http://www.illiteratewithdrawal.com/2014/08/raspberry-ketone-strength-scam/comment-page-3/#comments

    I don’t think the mentioned companies have anything to do with it. I’ve had 4 different charges, 4 different months, from 4 different companies, and had even cancelled the card and got a new one at one point. Not once did I receive any product from any of them. 49.95 every time. And they always had my personal details when I called.

    I think if we want to get to the bottom of this we have to figure out who “CRI Online Sales S.A.” is, and find out which Americans own them, as well as who they work for.

    1. GregFromCos

      And if you read Josh’s response, it makes it seem as if they know these are bogus companies and there never is any product shipped.

    2. 49.95

      @GregFromCos

      “I’ve had 4 different charges, 4 different months, from 4 different companies, and had even cancelled the card and got a new one at one point.”

      I’d venture a guess of a personal data breach somewhere (a credit agency, personal bank, or personal credentials to the bank account).

  18. Ross

    “‘If this affiliate program doesn’t have a holdback, they are a great target for this type of fraud,’ McCoy said.”

    Brian, has anyone looked into whether or not programs without holdback are being used as purpose built money laundering shells? The card thieves could be in collusion with some of these affiliate program people to run as many cards through as possible till someone comes sniffing around the program offices… then like a mob store front, close up shop and move over a block or two, figuratively speaking.

  19. Steve C

    In addition to watching for the affiliate fraud you need to watch for the little “test charges” to see if a card is still valid.

    A card which is not my normal use card, very selective what I use the card for (only 10 charges 1/1 to 9/15, 6 of those associated with a trip within the lower 48) yet it was compromised somewhere. What the card issuer described as a test charge of under $5 which they said is often done to see if a card is still valid was made to a metalworking firm in TX…..never been to TX, no reason to be dealing with a metalworking firm anywhere yet there was the charge in my online statement flagged by the card issuer as potentially fraudulent.

    So in addition to the $49.95 keep an eye out for unexplained small charges….you may be being tested.

    Yes the card had been used at HD, but not at a self-service register and quite a few months back.

    Bad guys learning patience are they?

    Is there a so called normal time frame that a compromised card will be used within?

  20. Charles Kader

    Thank you for your hard work in this area Brian. This is all very important information. However, I think that you are going too easy on these “grey”/“gray” charge criminal rings. My experience is that in many cases the same toll free number provider is often associated with these charging entities. Ring Central is one toll free provider who I have found many times linked with the business end of these scams. Also, there is a pattern in the payment processors who often handle the merchant accounts for the business end of these scams. If the payment processor information was included in the transaction detail on credit and debit statements, this would be a major blow to the modus operandi that these criminals employ. When I hear from consumers that zombie charges appear on since-closed credit lines, there is a strong suspicion that older account numbers are being put through credit card machines with an updated expiration date to make the transaction proceed, despite the inactive status of these consumers. That is evidence enough for me to reject a cashless economy based on the willingness of banks to allow these charges to go through. Very few are sticking up for consumers like you have been doing Brian. That is the real crime to me.

  21. Heron

    My husband had this happen with Vistaprint. The company called him to say that the transaction looked fishy. He cancelled the credit card and got a new one. The thieves also used his card to purchase a book about iguanas on eBay. We got the account information for the purchaser from the seller, and reported it to the auction company.

  22. MrCoffee

    It seems like Florida pops up a lot in fraud- and crime-related topics. Is there something about Florida that makes it more attractive than other states for this kind of activity, or is it just coincidence (and the fact that it’s a relatively large state)? I’ve seen some similar correlation with Nevada, but not to the same degree.

  23. Charles Kader

    Florida is a popular “short-term” merchant account home address location for sure. Some “businesses” registered there have real short business lifespans indeed. Investigations of apparent consumer fraud should always include the business registration record system in the state(s) involved in the illicit transaction(s), i.e. business look-up.

  24. Eaglewerks

    Firstly: Thanks Brian, I read, and often refer to, your column daily.
    Secondly: At my bank I have a Debit Card with attached Credit Card Logo. I never use the card as a debit/pin card, but do use it as a Credit/Signature Required, or on-line @ Amazon and a few other trusted sites only. My bank will reverse ANY debits/charges against my account within the most recent 30 days immediately. My bank has asked me to notify them of any suspicious activity as soon as I note it, primarily so they can enhance their detection processes.
    Thirdly: These somewhat ‘modern’ SCAMS are treacherous, crafty, and all too often provide tangible proof of an insidious alliance. It’s thanks to Brian we have some discussable insight in how they operate.

    1. Heron

      What if your mortgage/rent payment is due before you get your money back? You may have the money to cover it, but not everyone would.

      I wouldn’t consider Amazon immune to attacks, either.

      It’s still safer to use a regular credit card, since the money doesn’t get withdrawn from your account right away.

  25. mbi

    I got caught in one of these when a small charge every month was appearing on my credit card statement. Every month I asked the bank to reverse it and used the phone number where the person asked for the statement and said it would be investigated. It never was and I eventually insisted on a new card number. Banks and credit card companies should do more like blocking repeated charges on your account if you didn’t authorize them. Companies have the responsibility to prove a purchase directly to the bank if questioned.

  26. milt

    What I would like to do is find these bastards, drive a ten-penny nail in their nuts, and then hang them by the nail about 50 feet up in a tree. Remove the nail and fall to your death or hang there and suffer.

  27. Brett Diedrich

    Has anyone looked to see if these affiliate programs are either set up to be used as a cash-out method for CCs? Or the “legit” affiliate programs abused to be used for cashing out as well?
