June 17, 2014

The old adage “If it sounds too good to be true, it probably is” no doubt is doubly so when it comes to steeply discounted brand-name stuff for sale on random Web sites, especially sports jerseys, designer shoes and handbags. A great many stores selling these goods appear to be tied to an elaborate network of phony storefronts and credit card processing sites based out of China that will happily charge your card but deliver nothing (or at best flimsy knockoffs).

Screenshot 2014-06-08 02.16.03Earlier this month I heard from a reader whose wife had purchased ladies clothing from bearcrs.co.uk, a site that until very recently billed itself as an official seller of Victoria Secrets goods. Most of the items for sale were roughly 60-70 percent off the retail price advertised anywhere else. The checkout process brought her to payment site called unimybill.com, which took her credit card information and said she’d been successfully charged for her purchases. The goods never arrived.

“They charged her card about $100,” said the reader, who asked to remain anonymous. “I tried to contact them, they never replied back. I started to discover similar websites by entering phrases from bearcrs.co.uk into Google. All websites have the same php engine, same phrases, registered in China, same checkout process, all they sell brand clothes for 30% of real price.”

Bearcrs.co.uk is one of hundreds of bogus storefronts that list products of well-known brands like Nike, Ray Ban, Michael Kors and others, hoping to lure bargain-hunting shoppers. Among the many fraudulent sites is michaelkorshandbags.co.uk, a site that claims to be a merchant in the United Kingdom but whose infrastructure is all Chinese.

The same network is tied to michaelkorshandbags.co.uk and hundreds of other similarly structured sites, all of which have left a trail of complaints online from customers who were charged for goods that never arrived. Order anything from this shop and you are taken to a checkout page at sslcreditpay.com, which tries to assure shoppers that the page is legitimate by posting a number of logos and trust seals from a variety of security and payment security providers such as Verisign, Symantec, Trustwave and the PCI Security Standards Council. Trouble is, none of these organizations actually authorized this payment gateway to use their seals, which are supposed to be clickable icons that provide information to help support that claim.

sslcreditpay.com uses a variety of security seals to make you feel more at ease submitting your credit card for goods you'll never get.

sslcreditpay.com uses a variety of security seals to make you feel more at ease submitting your credit card for goods you’ll never get.

A check with Trustwave showed that the seal was bogus. John Randall, senior product manager for the company, said Trustwave only issues the Trustwave seal for customers that purchase its domain validation or extended validation (EV) certificates, and that the site in question hadn’t done either.

Likewise, the PCI Security Standards Council said it doesn’t authorize the use of its logo for payment processing sites.

“As a standards setting organization we do not validate compliance with PCI Standards – this is managed separately by each payment card brand,” said Ella Nevill, vice president of stakeholder engagement at the PCI Counil. “As such, we don’t provide any sort of compliance ‘seal’ or use of our company logo. What we do provide is use of a PCI Participating Organization logo for our member organizations that pay to be PCI Participating Organizations and be involved in standards development process.”

Sslcreditpay.com is one of many apparently bogus online payment processing sites tied to this fraud network. Other phony payment portals include payitrust.com and paymentsol.com. You can’t reach the payment pages for these processors directly unless you actually check out from an associated online store. At that point, you’ll be directed to a subdomain like https://payment.payitrust.com and https://payment.paymentsol.com.

After agreeing to pay for items from michaelkorshandbags.co.uk, for example, the checkout page takes one to sslcreditpay.com, but the HTML source of the page references a site called wetrustpay.com, whose WHOIS Web site registration records lists a contact email address of “9909680@qq.com.”

QQ is an extremely popular Chinese instant messaging service, but not exactly an address one would hope to see associated with a payments domain. As it happens, this entire scheme fits the profile of a network of scammy sites that was recent the target of a lawsuit filed in Illinois district court last year alleging trademark infringement against a huge swath of brand name merchandisers.

A great many of their websites have been suspended thanks to a recent decision of US Federal District Court (PDF). That decision noted that the sites in question all had the same telltale characteristics:

Defendants further perpetuate the illusion of legitimacy on the Defendant Internet Stores by falsely alleging to offer “live 24/7” customer service and making unauthorized use of indicia of authenticity and security that U.S. consumers have come to associate with legitimate retailers, including the McAfee® Security and VeriSign® trademarks.

Additionally, Defendants use other unauthorized search engine optimization (SEO) tactics to increase website rank. As a result, links to Defendant Internet Stores show up at or near the top of popular search results when consumers use one or more of Plaintiffs’ Trademarks to search for goods online and thereby deceive and misdirect consumers searching for one or more of Plaintiffs’ Genuine Products.

The Defendant Internet Stores also include other notable common features, including use of the same domain name registration patterns, unique shopping cart platforms, accepted payment methods, check-out methods, meta data, domain redirection, lack of contact information, identically or similarly priced items and volume sales discounts, the same incorrect grammar and misspellings, and similar hosting services.

Before you shop online at a non-name store, do your homework: A simple Internet search on most of these stores and payment gateways produces plenty of evidence that buying from them is a bad idea. As always, running a simple WHOIS search (domaintools.com is a favorite tool for this) on these domains shows that most were registered very recently.

Here are some (this is by no means a comprehensive list) of the other scammy payment gateways associated with these phony storefronts.

mallpayment.com
ccpayment.com
icpayment.com
skygrouppay.com
wedopay.net
realypay.com
hesecurepay.com
paymentsol.com
shortcutpay.com
wetrustpay.com
payitrust.com
sslpaygate.com


65 thoughts on “If It Sounds Too Good To Be True…

  1. raz

    there is a lot of these when it comes to buying luxury watches such as a rolex

  2. Cassandra

    How do these scammers stay in business, let alone make a profit? They ought to be swamped in chargebacks and end up not keeping a dime.

    1. Jason

      My guess is that they do deliver their knock-off products most of the time. They just don’t care about customer service (or charge-backs) for the ones they don’t get done in a timely manner.

  3. Steve

    Related, there is a string of too-good-to-be-true cycling sites, often out of Indonesia, which will gladly accept your bank transfer or cc, submitted in a simple unencrypted http form post. They are buying banner ads on the adroll network:

    mtbsale.com
    rasmtb.com
    street-cycles.com
    leonbicycle.com

    the list goes on

  4. xChris

    Just a simple whois on that bearcrs.co.uk shows not only an non-existent address (just check the address on google maps) and also displays “Registrant contact details awaiting validation” 100% scam

    1. Jason

      WHOIS is a great method as well as contacting their support with a simple question of, “What is your return policy?”

      If they can’t answer that simple question and their WHOIS address info, etc. don’t check out, move on as it is too good to be true and legit.

    2. Terry

      WHOIS bearscrs.co.uk

      Last updated 04 June 2014
      Name servers:
      ns1.suspended-domain.com
      ns2.suspended-domain.com

      DEAD

  5. Mieleke

    Great article,

    Wikihow also has a 9 step guide to spot fakes, and dont forget to report them if you encounter one.

    My tip is: NEVER pay with a creditcard on internet, there will always be a risk factor nomatter how much encryption, sslcerts, firewalls, anti-virus there are, in the end you will never know where your data ends up.

    Also, I never really got why google doesnt filter these sites out better, a lot of people google for something to buy, and a great percentage still is from fake/scam sites

    1. Bruce Hobbs

      Never pay with a credit card where you can get your money back?What do you suggest? A wire transfer which is completely non-reversable? Or do you put cash in the mail?

      1. me

        I think he might mean to use a prepaid card so your potential losses would be limited to the balance of the card.

        1. Chriz

          Prepaid card? You’ll lost much more with a prepaid card than with a credit card where you can request a chargeback.

    2. Jon Marcus

      Never pay with a credit card? Sorry, but I’d flip that on its head. *Always* pay with a credit card. By law and policy, you’ve got a lot of protection when you use a credit card. If the woman in the story Brian related used a credit card, she could have done a chargeback and been out some time, but little or no money.

      What alternative would you suggest? Use a debit card, wire transfer? Send cash? Bitcoin?? All of those are much riskier than using a credit card. Or you could just never buy anything online, which I’d call a bit of an overreaction.

  6. Penny

    That is why I always use PayPal! The most trusted way to pay and get paid online!

    1. sarah

      Does Paypal at least pay you to advertise for them?

    2. Phil Cooper

      There REALLY needs to be a sarcasm font…

      1. Kaneda

        Why? What is wrong with PayPal really? Ebay seems to have little influence on PayPal’s infrastructure and development.
        PayPal’s security questions policy is the stupidest thing ever, but bedsides that, it looks ok to me.

        1. Craig

          PayPal has the problem of wanting all the perks of being a bank with none of the regulation.

          They’ve made it a habit over the last 10 years of locking peoples’ accounts on a whim, along with all the money those accounts have in them, and making it impossible to sort problems out.

          See their Wikipedia article for a summary of the well known incidents:
          http://en.wikipedia.org/wiki/Paypal#Criticism

  7. Tom

    In such a case, is not the credit card company responsible for allowing payment collection by a bogus entity?

    Is there not also a more general risk when buying very cheap goods online with a credit card from an unknown vendor that instead of actually taking the payment you have agreed to make for the goods the vendor will merely take and abuse your credit card details in some other way, by selling them on for example?

  8. Dennis Baartlett

    Add Bajatech to the list. Alledgedly located in Hong Kong, working through amazon [which haas since cut cable with them], they failed to deliver electronics over 700 customers.

  9. TheOreganoRouter.onion.it

    The problem is that a good percentage of people in the United States are not computer literate enough to know how to properly investigate a site, before making a purchase. The person see’s the price and then immediately makes the purchase , without any thought of it being fraudulent.

    1. meh

      No that is a design problem, the problem is banks, and how money gets transferred.

      1. TheOreganoRouter.onion.it

        No, I would have to disagree with you. it’s educating people who don’t understand the full risk of the dangers which lurk on the internet. To many people are spending to much time on Facebook instead of educating themselves on cyber-crime such as what is being written about in this article.

  10. Cosmic

    A real merchant card processor (e.g. Stripe, etc) is usually not explicitly mentioned on the store site. You may see a hint of it at the point card information is being entered, but that is normally all you will see.

  11. Katrina L

    Are people seriously still falling for this? I can’t believe it. Like Krebs says in the headline “…if it sounds too good to be true…”

    Folks need to be more paranoid while shopping online. I proudly am. LOL. I wouldn’t even be surprised if most of these fraud shops lacked HTTPS encryption during the checkout step…

    1. Chriz

      Well, I bought stuff from “too good to be true” deals and the transaction went fine end-to-end. I just did my homework and limited my risks.

      Like others have said, few people are completely litterate with shopping online. It’s our duty to inform them properly.

  12. Andrew Conway

    The use of fake certification seals is a common trick used on fraudulent web sites. Of course it’s as easy as adding an image tag and does not guarantee anything at all. A series of phony diet pill web sited that are promoted by spam have the following seals near the bottom of the page along with the social media and credit card icons:
    GoDaddy.com Verified and Secured
    GoDaddy.com Website Protection
    TRUSTe Certification
    256 bit Secure SSL
    DMCA Protected and Monitored (in two places)
    Safe Purchase Tested and Protected Guaranteed

    Of course, it’s not SSL, it’s not hosted or registered by GoDaddy, and while you will probably receive pills if you order they will not cause you to lose weight whatever Doctor Oz says, and you will be billed monthly for them on your credit card till the end of time.

    One variant on the email spam sent out by these guys also contains a footer with a seal from Avast! saying it is safe to click on the link has been scanned by Avast! anti virus protection.

    Generally, the more seals you see, the more likely the web site is to be bogus.

    1. Simon

      I think we need a law that if you offer such a seal, you commit to police its use.

      This won’t reduce fraud, but it would reduce the proliferation of meaningless logos on eCommerce sites.

    2. JCitizen

      My reading comprehension may be low, but I was hoping the article would actually mention if any of the victims even tried clicking on any of the seals. I also rely on WOT ratings to help make a preliminary investigation. It is only the beginning of course.

    3. Terry

      On the contrary, I bought some weight-loss pills from a fake Canadian Pharmacy (out of Russia) and experienced a loss of weight in the area of my wallet.

      My doctor put me on a whiskey diet, and in the first week I lost 3 days.

  13. Annie C Bai

    Not only is it too good to be true … many brand-name knockoffs are made in child labor sweatshops. Another reason to avoid shopping for the stuff. Thanks for all the smart tips, Brian.

    1. Chriz

      Until they come up with a “not made by childs in sweatshop” tag, what do you suggest?

  14. Phil Cooper

    This is the reason I block any traffic from Chinese IP-space at my network edge. Also many other countries.

    Anyone know of a tool that will block domains by country of record on registrar?

    1. Phil Cooper

      Forgot to activate the “notify” feature, nothing further to add at the moment…

      1. IA Eng

        China based products aren’t just in China. I have dug into a few websites before, and they can have hosting in the USA , particularly in TX and CA. I didn’t order anything from these sites, but the point is, it gets deeper with deception. If the “average” computer person digs for information on a website, they would have seen these websites I found as being hosted in the USA, so its got to be legit, hunh ? Nope, sorry.

        With the potential of China having a large botnet, I am sure they can circumvent some of the geo-blocks by using redirects. Its a long winded story, but for the short version, placing hops between you and the ultimate payment processor, which doesn’t HAVE to be hosted in China, you end up at their doorstep.

        There are Trusted third party payment centers out there, and most use a specific one. If the payment processing name doesn’t ring a bell, or looks off, close the browser down, and go shop at a reliable store.

        People are always looking for a bargain whether thats via a knockoff website or coupon code website. In the end is usually paying way more than what they bargained for, whether thats for a shoddy product poorly made, filling out fraud paperwork at the bank or trying to contact these places to get their merchandise.

        IF the merchandise was sent, and it is a knock off coming from mainland China, it may take forever to get to you, if it does. I have reserched this some, and I have seen delays up to 40 days. Thats IF you get the merchandise. If it is shipped via a faster method that goes by plane, it will have to go through customs where the Feds will spot check merchandise to see if it is illegal merchandise.

        I have seen sports merchandise at a major superstore that looked exactly like a knock off. If a vendor thats allowed to fill the shelves at a store buys from overseas and charges an average selling price for that object, then they are supporting the fraud, and may well get caught.

        I imagine that if merchandise gets confiscated by Customs, the vendors, store owners and such that participate in buying knock offs from overseas locations will end up losing more money, or simply have their doors knocked in by the Feds, because the Feds are, well, fed up with having to deal with all of this.

        So whether its via a web site store and funky processor, or a merchant or store that carries knocjk offs, you need to make sure what you are buying is the real deal. You pay more for the real thing, but what your getting is quality goods and supporting the businesses that deserve your hard earned cash.

        1. Sastrugi

          Know all the trusted third-party payment centers by name? Seriously? How much stuff am I expected to know before I step onto the internets? It sounds like great advice to “know the trusted payment centers by name”, but it isn’t. How many are trusted? Do I have to memorize their IP addresses too? What about memorizing all those verification logos and their organizations’ policies so I know which ones don’t license their logos out for web sites and therefore which are bogus? Some of us actually have lives to live and don’t have the time to research every minute detail about buying a pair of gloves: the company selling them, the payment center, the date of their goDaddy registration, or how long they have been in business.

  15. KathyB

    This topic is near and dear to me since I’d worked (voluntarily) with eBay for a few years to identify counterfeit auctions for removal. This became a big issue when eBay was sued Europe and lost. I also ran an online forum for authentication purposes.

    I’ve also gone head-to-head with sellers of counterfeit goods. They are stubborn, threatening and for the most part not very bright. In one case police paid a visit to a seller in Kansas. Stubborn sellers have been arrested in various part of the US. They tend to play dumb but it doesn’t always work.

    There have been federal cases brought against those who sell counterfeit goods in the US by design houses whose trademark had been violated. There have been big judgments against these individuals. In a way it makes the US a poor place to sell illegal counterfeits.

    Between child labor and funding terrorism, you would think this would be enough to put a stop to the average person buying illegal counterfeit but some reason it doesn’t. When I want a Louis Vuitton, Fendi, Coach, Prada, Dooney or Chanel bag I save my money and buy the real deal. I’m still scratching my head over Michael Kors fakes since they are relatively inexpensive to buy at places like Marshall’s or TJMaxx.

    1. Chriz

      I’ve met a bunch of people looking for fake Louis Vuitton & others only to pretend they own the real thing in front of other people. I’ve been in ChinaTown in New York and a lot of stuff is pure fake, but still, nobody seems to care. Fake items have existed since the birth of modern days and this won’t change over time. I do believe we must continue this fight though.

    2. serena

      People who feel the need to buy the expensive brands but can’t afford them at retail would be better off shopping on eBay. At least there’s a chance of getting their money back if the item doesn’t arrive or turns out to be a fake. But I’m sure the scammy independent web sites are offering their non-existent goods at much lower prices. What a sad society we live in. Scammy sellers abound, and superficial brand-obsessed consumers abound. I always feel sad for the girls I see with the Louis Vuitton bags …. but every other part of their outfit looks like it came from the dollar store.

  16. Louis

    Wait, I am not sure if I am getting this right…

    Was there an actual transaction or not ?

    If there was, that means there is a “guilty” party-ies involved, whether it’s a payment processor and/or acquirer.

    This is where the lawful bang should go, these guys must do KYC on merchants.

    It is not acceptable to provide web site integration details to supposedly merchant companies without vetting them appropriately, *prior to*…

  17. Eric

    Consumers want fake goods. Whether its the latest shoes, purse, medicines or electronics, consumers have made it clear they want these goods.

    In California, ports are flooded with fake goods imported from China and sold online, in China town in Los Angeles and at swap meets. Not to mention south of the border and wherever it is shipped to from CA. The products are nearly identical in quality and prices are slashed, in a tough economy this is very appealling to consumers.

    You can buy a handbag from the vendor at full price, or buy the same bag, made at a factory down the street from the vendors factory in China, with similar quality at a fraction of the cost. No brainer for the consumer.

    However the legit sites selling counterfeit goods comes the scammers riding the coat tails.

    Just the risk these consumers take in ordering fakes online and dealing with the sellers selling an illegal (in the US) product.

    1. serena

      Fakes that I’ve seen are definitely inferior to their real counterparts. I saw a fake Dooney & Bourke bag one time, the real one would have been made from beautiful pebbled leather but the fake was made from vinyl! I saw fake Ralph Lauren sunglasses with the most horrid blotchy lenses. I’m sure if people bought these items online they would have been very unhappy. I totally agree with you about the risk of ordering fakes online. It would be better to buy it out of someone’s car trunk, at least you can inspect it first.

    2. SeymourB

      I imagine a sizable number of those goods are sold on eBay, which seems to be full of more counterfeit than real goods at this point.

      I’m relatively okay with stuff like knockoff Prada bags or the like, (and totally okay with used goods) but when they tread into critical automotive parts, like suspension, brakes, powertrain, etc. that’s when I start wondering why nobody is (dirty word alert) regulating this. When a suspension arm is made of a cheap material that snaps after a few potholes, leading to a multi-car pileup, exactly why should someone be allowed to sell it as the real thing?

  18. Buy What? Where?

    personally me only buy online at amazon and ebay. you still have to be careful with third party sellers, particularly if they are outside your country, but at least amazon and ebay/paypal will help you if there is a problem. even if see some product in a commercial of some ad, will check out at their website, but will only buy it if it’s available on amazon. have my parents trained to look on amazon if see something on the tv in a tempting tv informercial where they buy on amazon and not at the website listed in the commercial or advertisement.

  19. Mike

    Interesting article. This reminds me of the Brooklyn camera scammers, like bestpricecamera.com. They had a bunch of phony store fronts, but it was obviously run by the same people. One site would go down, another would pop up. Same deal, at best you’d get a knock off, at worst, your credit card was used for criminal activity.

    1. E.M.H.

      Yep. Same thing happened in computers, and probably still happens to this day. I remember back in the 90’s having to deal with grey market companies undercutting everyone. They’d go out of business, another one would pop up, and the same group of folks would be involved in it.

      But at least most of those gave you a product for your money. Nowadays, too many sites are cash-out-and-run ones.

  20. Phoenix

    I do a little shopping with small retailers who have what I want. I depend on WOT or the BBB. My wife got hit dealing with a small company but that was probably an inside job, a dishonest employee. She got her merchandise and her credit card company revoked the charge so somebody else got burned. Caveat emptor, caveat vendor!

  21. JimC

    It’s very easy to create a believable web store which is how so many people get duped into believing it’s legitimate. Make sure the checkout takes you to a secure site before giving credit card details. Also with more and more retail places offering free Wi-Fi, make sure the network is password protected if you are inclined to make an online purchase in one of these establishments.

  22. JC

    Im amazed that people arent careful about such things.I find peoples login info all the time where i work.Good thing i have a moral center and quietly remove it for them.

  23. Bob Rosenberg

    One way to reduce your risk of your card number being stolen/misused is to use Virtual Card Numbers. These are created and you can set how much the card has on it (like a pre-paid card). Once the number has been submitted by a merchant it will be invalidated for reuse (unless you allow multi-use at creation which still locks the number to the original merchant). The multi-use feature is useful for monthly payments – you just set the value to the sum of the payments.

    Use of a pre-paid card also limits your risk but only if you never add more money. Otherwise the card can be hit again to clean out the added amounts.

  24. mr krabs

    Krebs, have you ratted on Flycracker? He is in jail in Ukraine, your deed?

  25. george

    I think is much better if nothing is sent after one pays by credit card rather than to be sent some knock-off of very poor quality. It gives a much better standing to dispute the transaction and have it reversed.

  26. Terry

    Add these to the list of rogue payment processors

    payworks.com.cn
    pwkpay.com

  27. Terry

    Some ISPs (responsible for allocating the hosting IP address) and some registrars (responsible for sponsoring the domain name) have taken action as a result of complaints. Others have not.

    mallpayment.com has no Address record – Registrar: TODAYNIC.COM, INC.
    ccpayment.com has address 123.127.39.57 – Registrar: GODADDY.COM, LLC
    icpayment.com has address 124.205.59.39 – Registrar: HICHINA ZHICHENG TECHNOLOGY LTD.
    skygrouppay.com has no Address record – Registrar: TODAYNIC.COM, INC.
    wedopay.net has address 222.92.117.57 – HICHINA ZHICHENG TECHNOLOGY LTD.
    realypay.com has no Address record – Registrar: TODAYNIC.COM, INC.
    hesecurepay.com has address 123.127.39.60 – Registrar: HICHINA ZHICHENG TECHNOLOGY LTD.
    paymentsol.com has address 202.66.147.181 – Registrar: GODADDY.COM, LLC
    shortcutpay.com has no Address record – Registrar: TODAYNIC.COM, INC.
    wetrustpay.com has address 173.254.28.43 – Registrar: HICHINA ZHICHENG TECHNOLOGY LTD.
    payitrust.com has address 173.254.28.43 – Registrar: HICHINA ZHICHENG TECHNOLOGY LTD.
    sslpaygate.com has address 50.63.202.89 – Registrar: GODADDY.COM, LLC
    payworks.com.cn has address 106.39.2.202 – Registrar: HICHINA ZHICHENG TECHNOLOGY LTD.
    pwkpay.com has address 123.127.39.56 – Registrar: HICHINA ZHICHENG TECHNOLOGY LTD.

Comments are closed.