Honeypot scam or credit card fraud?
Herewith a cautionary tale from the front lines of the Net's danger zone.
I received the following mail several hours ago.
Date: Wed, 25 Jul 2001 21:46:41 +0200
To: dawson at world dot std dot com
From: service@sunbill.net
Subject: BillCards - Your Membership Activated
Your transaction has been processed and membership activated.
Site: http://www.underageclub.com
Login: {not shown}
Password: {not shown}
Price: 39.99
IMPORTANT:
If your password stops working any time during membership period,
please visit the following URL (remember it for future usage):
http://www.billcards.com/misc.cgi?mupdate={some number}
Your credit card has been charged the amount of USD 39.99 + 2.95
transaction fee.
If you wish to cancel the renewal of this membership, please go to
https://www.billcards.com/usr.cgi?use=cancel
All transactions from BillCards will appear on your credit card
statement as "billcards.com".
Please read Member Agreement and other important information at:
http://www.billcards.com/member_agreement.html
http://www.billcards.com/member_FAQ.html
--
We appreciate your dedication to our system and want to satisfy all
your needs. Truly yours, BillCards staff.
mailto:support@billcards.com
I did not order any underage porn from Belgium -- for this is where
underageclub.com is registered. The email did not identify the
credit card in question (e.g., by giving the last four digits),
leading me to posit that no credit card of mine has been compromised.
I immediately replied to the apparent source of this email,
sunbill.net, with a copy to the abuse address at their upstream
supplier, genesis2net.com, asking: Did you send this notice? Who
authorized this charge? What credit card was used? Sunbill is an
apparently legitimate transaction processor whose domain name is
registered in Delaware. Their abuse team quickly responded, "This is
not ours. We know nothing about this."
So the source of the ugliness is apparently billcards.com, which is
registered to an address in Moscow. Using the friendly cover of
SafeWeb's free anonymizing
service, I visited billcards.com's proffered "cancel" page, but
declined to proceed to log in using the credentials my friends in
Moscow had so thoughtfully provided. I do not recommend that any
reader visit billcards.com for any reason.
The scammers' motives remain murky. The whole exercise may be
nothing more than a honeypot designed to validate email addresses
for spamming.
I would like to hear from anyone who can shed light on this scam.
Please email dawson at world dot std dot com.