TBTF Log, week of 2001-07-22

TBTF Log

This is the TBTF Log, the place where I report important breaking news in the most timely way possible.

About this Web log.
Link using this permanent URL.
Previous weeks' logs table of contents.

2001-07-25

8:20:07 PM
Honeypot scam or credit card fraud? Herewith a cautionary tale from the front lines of the Net's danger zone.
I received the following mail several hours ago.
    Date: Wed, 25 Jul 2001 21:46:41 +0200
    To: dawson at world dot std dot com
    From: service@sunbill.net
    Subject: BillCards - Your Membership Activated
    
    Your transaction has been processed and membership activated.
    
    Site:                http://www.underageclub.com
    Login:               {not shown}
    Password:            {not shown}
    Price:               39.99
    
    IMPORTANT:
    If your password stops working any time during membership period, 
    please visit the following URL (remember it for future usage):
    
    	http://www.billcards.com/misc.cgi?mupdate={some number}
    
    Your credit card has been charged the amount of USD 39.99 + 2.95 
    transaction fee. 
    
    If you wish to cancel the renewal of this membership, please go to 
    	https://www.billcards.com/usr.cgi?use=cancel
    
    All transactions from BillCards will appear on your credit card 
    statement as "billcards.com".
    
    Please read Member Agreement and other important information at: 
    	http://www.billcards.com/member_agreement.html
    	http://www.billcards.com/member_FAQ.html
    
    -- 
    We appreciate your dedication to our system and want to satisfy all 
    your needs. Truly yours, BillCards staff.
    mailto:support@billcards.com
	
I did not order any underage porn from Belgium -- for this is where underageclub.com is registered. The email did not identify the credit card in question (e.g., by giving the last four digits), leading me to posit that no credit card of mine has been compromised.
I immediately replied to the apparent source of this email, sunbill.net, with a copy to the abuse address at their upstream supplier, genesis2net.com, asking: Did you send this notice? Who authorized this charge? What credit card was used? Sunbill is an apparently legitimate transaction processor whose domain name is registered in Delaware. Their abuse team quickly responded, "This is not ours. We know nothing about this."
So the source of the ugliness is apparently billcards.com, which is registered to an address in Moscow. Using the friendly cover of SafeWeb's free anonymizing service, I visited billcards.com's proffered "cancel" page, but declined to proceed to log in using the credentials my friends in Moscow had so thoughtfully provided. I do not recommend that any reader visit billcards.com for any reason.
The scammers' motives remain murky. The whole exercise may be nothing more than a honeypot designed to vailidate email addresses for spamming.
I would like to hear from anyone who can shed light on this scam. Please email dawson at world dot std dot com.

About this Web log

email address

Subscribe Unsubscribe

This venue presents more timely and less "cooked" TBTF news coverage. You'll read here things that came through my desktop machine mere minutes before.
You can receive a collected week's worth of TBTF Log items by email every Sunday evening; simply fill out the form.

Do you value this service?

The email and Web editions of Tasty Bits from the Technology Front represent my best effort to present engaging, cogent news and analysis on what matters to the life of the Net. The TBTF newsletter will continue as before. Here is the current issue.


TBTF HOME	CURRENT ISSUE	TBTF LOG	TABLE OF CONTENTS	TBTF THREADS	SEARCH TBTF