Scam...?


porch73
07-24-07, 05:07 PM
Hi,

I got ELM2 recently (it's awesome), and noticed this today (I copied the latter part of the activity):

09:59:39 AM 41.204.45.166 INVC
09:57:20 AM 41.204.45.166 INVC
09:55:41 AM 41.204.45.166 INVC
09:53:06 AM 41.204.45.166 INVC
09:52:18 AM 41.204.45.166 INVC
09:50:30 AM 41.204.45.166 INVC
09:45:18 AM 41.204.45.166
09:45:18 AM 41.204.45.166 OPAY 1076
09:45:18 AM 41.204.45.166 CTAX 1076 0
09:45:18 AM 41.204.45.166 SHIP 1076 0
09:44:06 AM 41.204.45.166
09:44:06 AM 41.204.45.166 OSEL 1076
09:44:06 AM 41.204.45.166 ORDR 1076
....
Prior to this, there was the typical activity... adding of products, searching, etc... Then, the IP address went from 192.168.0.24 to 41.204.45.166 as soon as they got to the LOGN page; after that, as you can see, some weird things happen. There's no AUTH, and yet the INVC page displays 6 times. No order was generated either; however, my inventory is now inaccurate.

Our "shopper" created an account with a Toronto address and a Kansas City phone #. The IP address is registered in Ghana. Lastly, a Google search of the email address returned a posting in an electronics forum...

http://discussions.consumerreports.org/n/pfx/forum.aspx?msg=5444.1&nav=messages&webtag=cr-0403eltelevi

Sooo, obviously a scammer. My question is, what is he trying to do to my store?... what is he trying to pull?

Thanks,

m.

CybrHost
07-24-07, 08:32 PM
IP Information for 41.204.45.166
IP Location: Ghana Accra Afrinic

Probably a scam. Do you ship to "Ghana Accra Afrinic"?

--
Thank you,
Gary Hodder
Support
--
CybrHost Corp. - http://www.cybrhost.com/ - info@cybrhost.com
+1-866-300-MIVA - Professional Miva & E-Commerce web hosting services.

CybrHost
07-24-07, 08:33 PM
They could be trying to validate stolen credit card.


porch73
07-24-07, 08:49 PM
yeah... actually, that makes sense. Probably a stolen card#...

My inventory did return to normal after awhile. I was just wondering if something else was going on. The multiple invoice screens kinda confused me.

Thanks,

m.

porch73
07-25-07, 04:07 AM
update...

This was getting out of control. So, with my ISP's help, I used .htaccess to block 41.204.x.x from my store. I would recommend doing this (unless you ship a lot of product to Ghana), as it reduces bogus traffic, keeps products in stock, and hopefully prevents whatever else these people were up to...

Cheers,

Matthew
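The following is an added example (not code from the thread, from Miva Merchant or from CybrHost) that shows how the two observations above can be turned into a check: the first post's pattern (the visitor IP changing at the LOGN screen, then a single OPAY followed by repeated INVC views with no AUTH line), and the follow-up's block of the 41.204.x.x range. Assumptions: each log line is "<HH:MM:SS AM/PM> <ip> [SCREEN] [order#] [amount]" with the newest line first, as pasted above; the screen codes are used only as the post uses them; the INVC threshold, the blocklist and the sample lines are constructed for the example.

```python
"""Flag card-testing activity in a Miva-style activity log and check the
visitor IP against an operator blocklist.  Added example, not from the thread
or from Miva Merchant; log format, screen codes and thresholds are assumptions
taken from the post above."""
import ipaddress
import re
from collections import Counter

LOG_LINE = re.compile(
    r"^(?P<time>\d{1,2}:\d{2}:\d{2} [AP]M)\s+"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
    r"(?:\s+(?P<screen>[A-Z]{4}))?"
    r"(?:\s+(?P<rest>.*))?$"
)

# Constructed sample modelled on the log in the first post (newest first).
SAMPLE_LOG = """\
09:59:39 AM 41.204.45.166 INVC
09:57:20 AM 41.204.45.166 INVC
09:55:41 AM 41.204.45.166 INVC
09:53:06 AM 41.204.45.166 INVC
09:52:18 AM 41.204.45.166 INVC
09:50:30 AM 41.204.45.166 INVC
09:45:18 AM 41.204.45.166
09:45:18 AM 41.204.45.166 OPAY 1076
09:45:18 AM 41.204.45.166 CTAX 1076 0
09:45:18 AM 41.204.45.166 SHIP 1076 0
09:44:06 AM 41.204.45.166
09:44:06 AM 41.204.45.166 OSEL 1076
09:44:06 AM 41.204.45.166 ORDR 1076
09:40:12 AM 41.204.45.166 LOGN
09:38:55 AM 192.168.0.24 SRCH
09:37:10 AM 192.168.0.24 PROD
"""

# Assumed blocklist: the /16 the poster blocked in .htaccess.
BLOCKED_NETS = [ipaddress.ip_network("41.204.0.0/16")]


def parse_log(text):
    """Return events oldest-first as dicts with time, ip, screen, rest."""
    events = []
    for raw in text.splitlines():
        m = LOG_LINE.match(raw.strip())
        if m:
            d = m.groupdict()
            d["rest"] = (d["rest"] or "").strip()
            events.append(d)
    events.reverse()  # the pasted log is newest-first; analyse chronologically
    return events


def is_blocked(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in BLOCKED_NETS)


def analyze(events, invc_threshold=3):
    """Return a list of finding strings for one visitor's session."""
    findings = []
    ips = []
    for e in events:
        if e["ip"] not in ips:
            ips.append(e["ip"])
    if len(ips) > 1:
        findings.append("ip_changed:" + "->".join(ips))
        # Which screen did the new address first show up on? (LOGN in the post.)
        for prev, cur in zip(events, events[1:]):
            if prev["ip"] != cur["ip"] and cur["screen"]:
                findings.append(f"ip_changed_at:{cur['screen']}")
                break
    screens = Counter(e["screen"] for e in events if e["screen"])
    # Repeated invoice views after payment entry, with no AUTH line at all:
    # the pattern the poster saw and CybrHost read as card validation.
    if screens["INVC"] >= invc_threshold and screens["AUTH"] == 0:
        findings.append(f"card_testing:{screens['INVC']}xINVC_no_AUTH")
    for ip in ips:
        if is_blocked(ip):
            findings.append(f"blocked_range:{ip}")
    return findings


if __name__ == "__main__":
    for finding in analyze(parse_log(SAMPLE_LOG)):
        print(finding)
```

The blocklist check is the application-side twin of the .htaccess rule: in Apache 2.2 syntax the poster's block is `Order allow,deny` / `Allow from all` / `Deny from 41.204.0.0/16`, and in 2.4 `Require not ip 41.204.0.0/16` inside a `<RequireAll>`. Blocking a whole /16 drops every customer on that provider, so a flag from `analyze` is better used to hold the order for review than to reject outright.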

RayYates
07-25-07, 08:31 AM
Once one of these guys see they can use your site to validate a card, they keep coming back every few months.

I was getting hit by a particular Nigerian scammer, resulting in lots of CC chargebacks. Banning the IP address only slowed him down. Every few months he would be back with a new IP address, using a new but similar account name and email address, and always fake but genuine-looking info. I fought this guy off for 6 months but then…

After looking at the customer database file in MS Access, I realized he always used the same password. I have re-coded the OPAY screen so that any customer using that specific password gets redirected to a 10 MB mp3 file renamed .html.

This makes him waste his time going through the process, creating an account, trying to check out but never getting through. Instead he gets a very large screen full of gibberish with no explanation as to what caused the problem. The guy showed up twice after that, creating accounts each time, and then I never detected him again. Best of all, no further chargebacks.

porch73
07-25-07, 04:22 PM
wow... thanks for the info. I'll keep on top of this.

m.

waltwagner
07-26-07, 09:08 PM
What can I do do protect my site from stolen-card authorizations?

Walt

RayYates
07-26-07, 10:23 PM
First, don't just ship out orders. Actually look at them. Often given scrutiny, bogus orders will look a bit strange; especially international orders.

Research the internet and make sure you do not allow shipments to terrorist nations. The State Department has a list. Be suspicious of orders from Nigeria, Sumatra. When you find a bogus order or customer, don't delete them; rename the login to scam_originalname so that later you can search for scam_ and see if there are similarities between these customers or orders. Often you will see variations on name, address and email info (blabla@yahoo.com, blablabla@gmail.com, googooblabla@imail.com) etc. Make sure all emails sent to you have the IP address in the footer: %VAR(s.REMOTE_ADDR)%

Basically be vigilant. Your Merchant Company may have tips on their website and should have a way to report these fraudulent orders.

As I said before, banning the IP address will stop them for a while, but the professional crooks keep track of what worked. They'll be back. You have to try to determine a pattern.

waltwagner
07-26-07, 11:00 PM
Appreciate your response. Yes, I do scrutinize my orders, and haven't yet run into a problem. But I'd like to prevent those jerks from authorizing their (stolen) cards on my site. I don't like to run my customers through too many security hoops (i.e., I allow shipment to a different address than their billing address); but are there <essential> securities that should be implemented... like the card verification numbers, address match, etc.?
Walt

ahurley@viewit.com
07-28-07, 04:21 PM
I process each order "by hand" at Authorize.net partly for this reason. It also alerts me to fraud, and I can ban IP there - not that it helps that much, but...

Andree

RayYates
08-13-07, 06:12 PM
I just got 2 chargebacks for orders placed a few days apart, 4 months ago. Once I tracked down the transactions, I downloaded the customer database and looked at the password used. Searching for the password, I found three other accounts created around the same week using the same password. After examining old fraudulent customer accounts and comparing them to the new, I determined it was the same guy that was on my site before. (i.e. a last name used once before is now a street address.)

I banned the new password. This particular crook has created a total of 36 accounts over a period of 3 years. Since I started banning the password, his attempts dropped dramatically. (3 since January) If he ever figures that out...

I should figure out a way to instantly ban the IP address of anyone using one of those passwords. For anyone interested, search your customer database for these 3 passwords. (Note: punctuation inserted to prevent search engine indexing. Remove all punctuation, spacing and underscores.)

t-u, n. de.
.ade, t.u. nj_i
~w,, est 2002
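The correlation RayYates describes in his two posts above (grouping customer accounts by a shared password, spotting a last name from one account reappearing as another account's street address, and diverting anyone who submits a banned password at OPAY) can be scripted against a customer export. The block below is an added example, not the poster's MivaScript or anything from Miva Merchant; it assumes a CSV export with the columns shown and a raw password column, as the MS Access file the poster searched evidently had. The rows, logins and passwords are constructed and are not the ones hinted at in the post.

```python
"""Correlate customer accounts by shared password and by cross-field reuse of
names, then gate the OPAY decoy on a banned-password set.  Added example, not
from the thread or from Miva; CSV layout and sample rows are assumptions."""
import csv
import io
from collections import defaultdict

# Constructed export: one known-bad account already renamed with the scam_
# prefix the poster recommends, two fresh accounts reusing its password.
SAMPLE_EXPORT = """\
login,email,last_name,street,password
jsmith,jsmith@example.com,Smith,12 Elm St,hunter2
scam_kofi1,kofi.mensah@example.com,Mensah,5 Harbour Rd,harbour55
kofi2,k.mensah@example.net,Annan,Mensah Street 7,harbour55
mary,mary@example.org,Jones,9 Oak Ave,correct-horse
new_guy,kofii@example.com,Boateng,Accra Central,harbour55
"""


def load_customers(text):
    return list(csv.DictReader(io.StringIO(text)))


def cluster_by_password(customers, min_size=2):
    """Map each password shared by >= min_size accounts to those logins."""
    groups = defaultdict(list)
    for c in customers:
        groups[c["password"]].append(c["login"])
    return {pw: logins for pw, logins in groups.items() if len(logins) >= min_size}


def cross_field_reuse(customers, fields=("street", "email"), min_len=4):
    """Report (login_a, login_b, token, field) where account a's last name
    shows up inside one of account b's other fields: the 'last name became a
    street address' signal the poster noticed."""
    hits = []
    for a in customers:
        token = a["last_name"].lower()
        if len(token) < min_len:
            continue
        for b in customers:
            if b is a:
                continue
            for field in fields:
                if token in b[field].lower():
                    hits.append((a["login"], b["login"], token, field))
    return hits


def banned_passwords(customers, prefix="scam_"):
    """Passwords used by any account already tagged as fraudulent."""
    return {c["password"] for c in customers if c["login"].startswith(prefix)}


def should_divert(submitted_password, banned):
    """Decision at the OPAY screen: True means send the visitor to the decoy
    page instead of continuing checkout."""
    return submitted_password in banned


if __name__ == "__main__":
    customers = load_customers(SAMPLE_EXPORT)
    print("shared passwords:", cluster_by_password(customers))
    print("cross-field reuse:", cross_field_reuse(customers))
    print("banned:", banned_passwords(customers))
```

Two caveats for anyone reproducing this today. Matching on the password only works because the store at the time kept the raw value; a store that stores salted hashes cannot cluster on them, and an unsalted hash leaks the same grouping to anyone who obtains the table. And the decoy redirect is a throttle, not a block: keep the `scam_` tagging and the cross-field search, because a fraudster who changes password is found again only by the name, address and email patterns.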