Threat Research

Want to Know What’s in That Online Mystery Box? NOTHING AT ALL

By Val Saengphaibul | December 13, 2022

The holidays are upon us, and in some parts of the world, the month of December (especially in North America) is when many retailers earn the bulk of their revenue. Because the holiday season includes gift giving and sales on desirable merchandise, individuals tend to spend more money than average. At the same time, retailers, small businesses, and mom-and-pop stores also spend more money to stock their shelves.

Affected Platforms: N/A
Impacted Parties: Online Shoppers
Impact: Loss of personally identifiable information and/or money
Severity Level: Low

Because the online marketplace is so competitive, many online retailers offer free shipping and returns during this period. But with increased sales comes an increase in returns and exchanges. The volume of online returns has been increasing steadily over the past five years. Online returns jumped from 10.6% of sales in 2020 to 16.6% in 2021, with returned merchandise totaling roughly $761 billion that year.

This year, however, many online retailers have curtailed these benefits, citing inflation and lower profits. Even so, given the sheer volume of online and brick-and-mortar sales, the number of returns is still expected to rise. And rather than repackaging these items for resale, many retailers send returns to logistics companies that bundle and sell them in bulk, often for pennies on the dollar.

This has created a burgeoning second-hand market. These outlets resell returns, overstocks, slightly damaged goods, and used items purchased in bulk from retailers nationwide, often at a steep discount. They benefit both the consumer and the environment, since many returned products would otherwise be incinerated or sent to a landfill.

Shoppers have been flocking to these new sites looking for great deals on holiday purchases. And as you might expect, scammers and bad actors have also seized on this trend. Our FortiGuard Labs team has uncovered a growing number of scams related to the resale of used or returned items. The example below emphasizes the need to be cyber-aware this shopping season, whether you are purchasing something for yourself, a loved one, or your business.

 

The Amazon Pallet Scam/Mystery Box/Return Pallets

One common technique for reselling returned and overstocked items is to sell mystery items in large boxes or pallets. Social media is filled with videos showing excited consumers opening pallets that contain items of significant value, like iPhones and computers, that were purchased online for a few hundred dollars. These posts have contributed to the interest and frenzy.

 

Figure 1. Various YouTube videos on returns

Many of these are scams. The sheer amount of interest, demonstrated by the volume of trending hashtags on social media, has created an opportunity for threat actors to capitalize on unwitting victims. One such scam seeing rapid growth is the Amazon pallet scam, also known as the mystery box or bulk return pallet scam.

The following example is a paid advertisement we recently came across on the default Microsoft start page built into Windows 10:

 

Figure 2. Advertisements for Amazon returns on Microsoft default start page

Clicking on the top left advertisement, “Amazon’s unclaimed high-end electronics mystery boxes are being sold at bar [sic],” takes us to the website fundelivereddss[.]com:

The landing page appears convincing to the untrained eye, showing a large warehouse with brown boxes stacked on pallets:

 

Figure 3. Landing page for fundelivereddss[.]com

The viewer is then presented with an interstitial (an inserted web page that displays advertising) that highlights someone in “Conroe” who purchased a return tool pallet only a minute after visiting the site:

Figure 4. Floating interstitial

Clicking on the interstitial brings us to the following page:

 

Figure 5. Amazon Pallet Return tool pallet

The intended victim is presented with several options and brands to choose from, including size, quantity, and price:

Figure 6. Various options to choose from

Red Flags

Typical red flags on scam sites are grammatical errors, typos, misused punctuation and spacing, inconsistent logos, and so on. This is often because the scammers are trying to get their site online as fast as possible to start making money, or because the operators are non-native English speakers. In this case, the phrase “Customer Review(40)” at the top of the pages is missing pluralization and has no space between the word “Review” and the opening parenthesis:

Figure 7. Customer review(s)

 

The first review is also fragmented and incoherent, which suggests the writer is not a native English speaker:

It's great to witness his arrival together at this moment. I recommend this store, please don't buy from other stores because I fell down in other places.

Figure 8. Not an actual customer review

Some forensic analysis of the reviewer’s photo shows it was lifted from the Twitter account of an electrical contractor based in the United States:

Figure 9. Stolen image from Twitter

Another clue is that the domain fundelivereddss[.]com was only registered on October 29th, roughly six weeks before this post. Recently registered domains are a hallmark of potential scams: they pop up and disappear in step with an event such as the holidays or the World Cup. Threat actors also know that a brand-new site will rank poorly in search engines, so they rely on paid advertisements and social media promotion to put these sites in front of potential victims.

Figure 10. WHOIS information for Fundelivereddss[.]com

More Clues

Another clue was found on the privacy policy page, which includes a reference to a different domain, herbertm[.]shop.

Figure 11. Privacy policy referencing another website

This indicates that the same actor likely reused a site template. To test this theory, we visited herbertm[.]shop to see what it contains. The site appears to sell fashion items. However, it also displays a floating interstitial offering a “last chance” to order what appear to be Amazon returns:

Figure 12. herbertm[.]shop
Figure 13. herbertm[.]shop also promoting return pallets
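The privacy-policy cross-reference above is a reusable pivot: any domain named in a storefront’s own boilerplate that is neither the storefront itself nor a well-known third party is a candidate sibling site run by the same operator. The Python below is an added example, not FortiGuard tooling. The HTML excerpt is constructed to mirror the cross-reference described in this post and is not the real page; the `KNOWN_THIRD_PARTIES` allowlist and `_TWO_LABEL_SUFFIXES` table are illustrative stand-ins (a real tool would use the Public Suffix List); and the function names are our own.

```python
"""Template-reuse pivot: list the domains a storefront's own pages reference.

Added example (not FortiGuard tooling). SAMPLE_POLICY_HTML is constructed to
mirror the cross-reference described in the post; it is not the real page.
"""
import re
from typing import Set

# Constructed privacy-policy excerpt. Legitimate policies name ad and payment
# providers, so a naive "any other domain" rule would be noisy.
SAMPLE_POLICY_HTML = """
<html><body><h1>Privacy Policy</h1>
<p>This Privacy Policy describes how www.herbertm.shop collects, uses, and
shares your personal information when you visit or make a purchase from the Site.</p>
<p>We use Google Analytics (https://www.google.com/intl/en/policies/privacy/) and
PayPal. Contact us at support@fundelivereddss.com.</p>
<a href="https://www.facebook.com/policy.php">Facebook</a>
</body></html>
"""

# Hostname-like tokens: dotted labels ending in a 2+ letter TLD. The lookbehind
# rejects path segments such as "policy.php" after "example.com/" while still
# accepting hosts that follow "//" in a URL.
_HOST_RE = re.compile(r"(?<!\w/)\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)

# Illustrative multi-label public suffixes; a real tool should use the
# Public Suffix List so "shop.example.co.uk" is not collapsed to "co.uk".
_TWO_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp", "com.br"}

# Third parties that legitimate e-commerce policies routinely name (illustrative).
KNOWN_THIRD_PARTIES = {"google.com", "facebook.com", "paypal.com", "shopify.com", "stripe.com"}


def registered_domain(host: str) -> str:
    """Reduce a hostname to its registrable domain (e.g. www.x.shop -> x.shop)."""
    labels = host.lower().strip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in _TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def referenced_domains(html: str) -> Set[str]:
    """Every registrable domain named in the page, hrefs and email addresses included."""
    return {registered_domain(m.group(0)) for m in _HOST_RE.finditer(html)}


def cross_references(html: str, own_domain: str,
                     known: Set[str] = KNOWN_THIRD_PARTIES) -> Set[str]:
    """Domains in the page that are neither the site itself nor a known third party.

    A storefront whose boilerplate names some other shop was very likely built
    from that shop's template, so each hit is a candidate sibling site to check
    (registration date, complaints, shared interstitials) for the same operator.
    """
    own = registered_domain(own_domain)
    return {d for d in referenced_domains(html) if d != own and d not in known}


if __name__ == "__main__":
    for domain in sorted(cross_references(SAMPLE_POLICY_HTML, "fundelivereddss.com")):
        print("pivot candidate:", domain)
```

Run against the constructed excerpt, the only pivot candidate returned is herbertm.shop; the Google, Facebook and PayPal mentions are filtered by the allowlist and the site’s own domain is dropped. Extend the allowlist from real policies you have already vetted, and feed each candidate into the same age and complaint checks described later in this post.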

Viewing the link, we found that it contains Amazon and eBay references:

Amazon and eBay backlog, picking, liquidation 【Temporary sale】 (herbertm[.]shop)

https://www.herbertm[.]shop/products/products-amazon-and-ebay-backlog-picking-liquidation-temporary-sale?sales_pop=true&spm=..index.0.1

Unfortunately, when we clicked the link, we found that the page no longer exists, so at this point we had no direct evidence that this was another pallet scam. However, the shared page pattern on herbertm[.]shop and fundelivereddss[.]com, together with the cross-reference between the two in the privacy policy, indicates they were set up by the same perpetrators. So we kept looking. While the Google cache didn’t provide any clues, scamadviser.com revealed negative reviews from victims of herbertm[.]shop that make the connection clearer:

Figure 14. scamadviser[.]com on herbertm[.]shop

It appears that some victims of the herbertm[.]shop scam site ordered large pallets as well as individual items. The complaints also describe a bait and switch: some who ordered a specific item received only a cheap, unrelated item. As for the pallets, one victim stated they received only a video game controller instead of the pallet, and another claimed to have ordered two pallets for $89.98 and received nothing at all.

Figure 15. Complaints for herbertm[.]shop, including those who ordered pallets

Conclusion

Creating professional-looking websites has never been easier.  Many eCommerce platforms come preconfigured with design templates, shopping carts, and payment gateways. Because of this, sites can literally be online within moments. Gone are the barriers that required a retailer to know how to develop a website, figure out how to plug in a payment gateway, and design or incorporate shopping carts into a website. Even the need to work with a bank to process credit cards has been replaced with third-party services that handle billing, simplifying the process for both the entrepreneur and scammer alike.

 

Things to watch out for when shopping online:

When shopping online, there are a number of things you need to check, especially if the site you are shopping at is not a well-known brand.

Domain age. If the domain is less than a few months old, the likelihood that it is a scam website is much higher. Many search engines penalize new sites and will not rank them, which means you most likely arrived via an advertisement, a social media post, or a phishing message rather than an organic search result. Older sites tend to be owned by more reputable companies and are less likely to be scams (unless the domain has expired and been re-registered by someone else). They also rank higher, since it takes ongoing investment to keep a site up and running, so they show up first when searching for an item. Domain age can be checked with a WHOIS or RDAP lookup of the domain’s creation date.

Promoted on social media or via paid advertisements. This is another giveaway. Just because an advertisement appears on a major social media platform or search engine does not mean it is legitimate. Often, advertisements on a page are placed by a third-party ad network rather than the platform itself. Using this channel, combined with hashtags and other keywords curated for their target audience, lends bad actors a sense of credibility that helps them reach their victims. It is also a lot easier to market to victims this way if the site is new and has no search ranking.

Outlandish claims. “This is not a scam!” “You will not regret it!” Phrases like these are psychological ploys designed to create FOMO, or fear of missing out, in their victims. Do your own due diligence when purchasing items from lesser-known sellers.

Grammatical issues. This is a major red flag.  Legitimate sites, especially those intending to stay in business, employ copy editors to ensure proper grammar, punctuation, and spelling. Although not necessarily always true (mistakes do happen), egregious grammatical errors in web copy often indicate it was written by someone who is not a native speaker, which is a warning sign that warrants further investigation.

Unusually low prices. Unusually low pricing is often another warning sign. How likely is it that a retailer like Amazon would be willing to let go of thousands of dollars’ worth of high-end products for less than ten percent of their value? High-value items may end up in unsorted returns, but it is rare. And unlike the claims in Figure 6, these returns are usually not collated by brand. Instead, their inclusion is often random and items are returned in various conditions.
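The domain-age check in the list above, and the WHOIS finding on fundelivereddss[.]com earlier in this post, can be automated against raw WHOIS output. The Python below is an added example, not FortiGuard tooling: `SAMPLE_WHOIS` is a constructed record whose only tie to the post is its 2022-10-29 creation date (registrar, status and expiry fields are invented), `OBSERVED` is the date of this post, and the 90-day threshold is an assumption. A record with no creation date (common with privacy-redacted or thin registries) is deliberately reported as unknown rather than treated as established.

```python
"""Domain-age check from raw WHOIS text.

Added example (not FortiGuard code). SAMPLE_WHOIS is constructed: only the
creation date mirrors the 2022-10-29 registration reported in the post.
"""
import re
from datetime import datetime, timezone
from typing import Optional

# Constructed WHOIS excerpt; registrar, status and expiry are illustrative.
SAMPLE_WHOIS = """\
Domain Name: FUNDELIVEREDDSS.COM
Registrar: Example Registrar, Inc.
Updated Date: 2022-10-29T08:12:31Z
Creation Date: 2022-10-29T08:12:30Z
Registry Expiry Date: 2023-10-29T08:12:30Z
Domain Status: clientTransferProhibited
"""

# Date the advertisement was observed (date of this post).
OBSERVED = datetime(2022, 12, 13, tzinfo=timezone.utc)

# Registrars label the creation field differently; match the common spellings.
_CREATION_LINE = re.compile(
    r"^\s*(?:Creation Date|Created On|Registered On|Registration Date|created)\s*:\s*(.+?)\s*$",
    re.IGNORECASE | re.MULTILINE,
)

# Layouts seen in practice: RFC 3339 with Z, with a numeric offset, date-only,
# and the "29-Oct-2022" style used by some ccTLD registries.
_DATE_FORMATS = ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%M:%S%z", "%Y-%m-%d", "%d-%b-%Y")


def parse_whois_date(value: str) -> datetime:
    """Parse one WHOIS date string into an aware UTC datetime."""
    value = value.strip()
    for fmt in _DATE_FORMATS:
        try:
            parsed = datetime.strptime(value, fmt)
        except ValueError:
            continue
        if parsed.tzinfo is None:
            parsed = parsed.replace(tzinfo=timezone.utc)
        return parsed.astimezone(timezone.utc)
    raise ValueError(f"unrecognised WHOIS date: {value!r}")


def creation_date(whois_text: str) -> Optional[datetime]:
    """Earliest creation date in the record, or None if there is none.

    Thick registries sometimes print the field twice (registry copy and
    registrar copy); taking the minimum is the conservative choice.
    """
    found = []
    for match in _CREATION_LINE.finditer(whois_text):
        try:
            found.append(parse_whois_date(match.group(1)))
        except ValueError:
            continue  # unparseable variant: ignore rather than crash
    return min(found) if found else None


def domain_age_days(whois_text: str, as_of: datetime) -> Optional[int]:
    """Age in calendar days between the creation date and as_of."""
    created = creation_date(whois_text)
    if created is None:
        return None
    return (as_of.date() - created.date()).days


def assess(whois_text: str, as_of: datetime = OBSERVED, min_age_days: int = 90) -> dict:
    """Classify by age. No creation date means 'unknown', never 'established':
    privacy-redacted or malformed records must not earn trust by default."""
    age = domain_age_days(whois_text, as_of)
    if age is None:
        return {"age_days": None, "verdict": "unknown", "reason": "no creation date in record"}
    if age < min_age_days:
        return {"age_days": age, "verdict": "suspicious",
                "reason": f"registered {age} days ago (threshold {min_age_days})"}
    return {"age_days": age, "verdict": "established", "reason": f"registered {age} days ago"}


if __name__ == "__main__":
    print(assess(SAMPLE_WHOIS))
```

For the constructed record the domain is 45 days old on the date of this post and is flagged as suspicious. In practice, feed the function the output of a `whois` lookup or the `registration` event from an RDAP response, and remember that a young domain is a signal to dig further, not proof of fraud on its own.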

 

FortiGuard Protections

All websites mentioned in this blog are blocked by the FortiGuard Web Filtering client.

Fortinet Web Filtering includes two filtering categories that can be used to protect against newly created pages:

- Newly Registered Domain: domains that were very recently registered

- Newly Observed Domain: domains that are newly configured or newly active, but not necessarily newly registered

Blocking these two categories helps avoid exploitation by sites with little or no reputation.
