A couple of days ago, a friend of mine, James, was the victim of a scam and gave away his credit card number and CVC. The interesting part is that he is not the "standard" victim, but a very security aware person: he's a researcher on the security of embedded systems, a CTF player, and he cares for his privacy. Nevertheless, he fell into the trap of a phishing scam, and the story tends to prove that we will all likely fall for one of these one day. The only difference between James and the ordinary online shopper is that, the next day, he was uneasy with the situation and decided to investigate more.
It all started with a Facebook message, shared from the friend of a friend of friend (etc) (some of you will probably argue that somebody who cares for his privacy does not use social networks, lol.) As you can read below, the ad is about a limited-time offer for nice sports & hiking shoes.
James is not the kind of person who would click on an ad. As a matter of fact, he has all sorts of ad blockers on his computer. However, this promotion did not pose as an official advertisement: instead, it rather looked like a private offer shared among friends. Also, note that the URL (www.salocc.com) is cleverly chosen because it reads as Salo(mon) Occ(asion), where "occasion" means an opportunity in French. So it doesn't really trigger an alarm, especially for private sales. On top of that, my friend was actually searching for new trekking shoes.
The next day, however, he felt concerned about it, probably a hunch, and he asked me about it. Let me retrace our conversation:
James - "Hey, Axelle. Yesterday, I bought some cool trekking shoes online, but I don't know. It doesn't feel right. Could you look at it?"
Me - "Sure. Although, you know, I'm rather into mobile malware & IoT. Not really web & spam. But I can give it a look. What's wrong?"
James - "Well, for instance, they didn't send me any confirmation email, or receipt of any kind."
Me - "Hmm. Could be in your spam folder though, right?"
James - "Let me check...(later)... Yes, indeed. It was in my spam. With a different company name though. Also I am unable to find anything about their company – address, email. I am also unable to contact their support. When I clicked on the support button, nothing happened."
Me - "Strange. Does the website look all right?"
James - "Well, that's the thing. Everything looks globally okay, but I still have a strange feeling about it."
Me - "How did you pay?"
James - "I used my credit card."
Me - "Did it redirect you to an online banking website?"
James - "I can't exactly remember, but yes, I think so."
Me - "Did you keep a receipt of the transaction?"
James - "No, I didn't. I was expecting the website to send me that by email, like most e-shopping websites... I know I sound awfully stupid..."
Me - "Let's check it. Maybe it's just fine. What's the URL?"
James - "www.salocc.com"
Whois doesn't give us any interesting information about this site: no address, no contact email. Only the registrar's URL - but they are not suspicious. nslookup does not show anything else, and online domain health checkers don't know much about this website either. All of this is a bit strange, but not really suspicious for a website created for a limited-time offer.
<div style="margin:0px 4px 5px; border:0px solid #ddd;">
</div> <div class="center-upper-bg"></div>
The page displays an image labeled as support. But there is no Support button code! It's totally fake. It's just an image!!!
At the bottom of the page, we also spot several social networking links, but, suspiciously, those images do not redirect to the corresponding social network, but to itself (www.salocc.com). See the link of the href below:
<li class="fb"><a href="http://www.salocc.com/" target="_blank"><img src="includes/templates/myshop/images/facebook.png" alt=""></a></li>
<li class="twitter"><a href="http://www.salocc.com/" target="_blank"><img src="includes/templates/myshop/images/twitter.png" alt=""></a></li>
<li class="instagram"><a href="http://www.salocc.com/" target="_blank"><img src="includes/templates/myshop/images/instagram.png" alt=""></a></li>
<li class="snapchat"><a href="http://www.salocc.com/" target="_blank"><img src="includes/templates/myshop/images/snapchat.png" alt=""></a></li>
Next, I decided to try and test the payment process. Although PayPal and Amex are listed as payment methods on the front page, only Visa/MasterCard are actually available. Ha! Among available currencies to pay, we spot “GOUJAT” which is a French word for boor.
I added a pair of shoes to my cart, created a fake account, and confirmed I wanted to purchase. I finally got to the payment page. Hmmm. It looks like an online banking payment page, but we are still at salocc.com...this is just a clever credit card phishing website!
As a quick test, I used a fake credit card number, and they refused the transaction.
James's credit card number is probably compromised. Now, what?
In France, there's a brand new online service to access the state police by chat, and it is available 24h/7. It is called the "Brigade Numerique" of "Gendarmerie Nationale." My friend James tried that. The service worked pretty well, and an online police officer inspected the website. He informed James that the website is globally okay with regards to the French law, except that it should have provided a legal contact and address. Unfortunately, this was not enough for an official complaint, and the officer advised James to wait until he can prove he never received his shoes...
While this is a perfectly reasonable answer in terms of law - we can't expect more of the police, can we? - you can also easily understand that this is not acceptable in the case of credit card theft. How long will James have to wait to "prove" he did not receive his shoes? Will he ever get such proof anyway? And meanwhile, the cybercriminals will have had time to use and sell his credit card number...
James called his bank. By the way, he told me he struggled to find the right menu on voicemail to even get somebody on the phone ;) Finally, the bank employee informed him that he had to wait for the transaction to be fulfilled, oppose it, and then finally block his credit card. The procedure sounds a bit complicated to me, since I'd expect the credit card to be immediately blocked. So, my friend waited until the next day to see the transaction and refute it. At this stage, it is still not fully clear what James will have to pay. It seems that because this is a fraud most of the costs will be reimbursed. Note, however, that if the website hadn't actually performed a transaction, and had simply kept the credit card number to sell it, James would probably have had to pay for blocking and re-issuing a new credit card.
Besides the bank and the police, James also sent an email to Salomon (official) representatives to let them know of the scam. He was happy to receive an answer confirming that all of this was entirely illicit, and that had he received any shoes, they would have been counterfeit. The issue has been transferred to their legal department.
This story does not end too badly: perhaps a few euros to cover the inconvenience of a blocked credit card and wasted time. It could have been far worse if James hadn't had his afterthought telling him that something was wrong.
This also shows us all that it is not difficult to fall into a trap like this. Yes, James could have used a one-time credit card number (some banks offer that), or an online payment system to protect his credentials from the website. Yes, he should have refrained from buying on a website he was unsure of. But in real life, there are days where you are tired, or in a hurry, and you can't live your life suspecting everything or everyone...
FortiGuard customers are protected from this scam. The website has been classified and blocked as Phishing.
Disclaimer. This story is real - although names have been redacted. This post shows that cybercriminals have very clever schemes designed for us to fall iton traps and reveal our credentials. There is no criticism in those lines towards the state police, the bank, or Salomon. We believe all of those organizations reacted appropriately to the situation.
Thanks to David Maciejak for his review and insights.
-- the Crypto Girl
For more information on the Threat Landscape, access our latest Quarterly Threat Landscape report here.