Update from my reader, the small software vendor:
“Mystery solved. The first chargeback came through today for one of the first purchases (June 8th). PayPal opened a claim regarding that purchase with the following: “The buyer stated that they did not authorize this purchase.” Oddly enough, the email associated with the claim is still the same fake email (by fake, I mean it doesn’t exist). So it seems they were just using my order form to test stolen credit cards.
“I spent 35 minutes on hold with PayPal, was handed off three times, but finally spoke with a person who seemed to know what was up. I told her there were 19 more purchases that will eventually become chargeback claims. She said having that many claims might flag my account to be reviewed (or frozen). She said that I should proactively refund the amounts because once I do that, a claim cannot be opened regarding the purchase.
“She confirmed that I would not be charged twice in the event that the fraudster is also redirecting the refunds. Notably, there is a penalty to me for letting them go to a claim status: if I refund after it has become a claim, then I don’t get the PayPal fees refunded. In the example of the first chargeback mentioned above, I not only have to refund the $79, but I have to cover the $2 or so in PayPal fees. Insane, yes, but I don’t have time to fight over $2. So I’m refunding all of the purchases today.
“The most valuable part of the phone call was at the end. She gave me instructions for blocking all non-US payments. After being a mildly international company for 20 years, I’m back to being US-only which is fine by me if I don’t have to mess with any more European fraudsters. Well, at least I hope I don’t.
“Thanks again for all the great suggestions in this thread and thanks to Bob for posting this mystery.”
A loyal reader of this column has come to me with a problem that I, in turn, am submitting to all of you. He sells downloadable software over the Internet but lately some customers have been ordering, paying, downloading, yet not requesting the required unlocking key to use their software. Money is piling up in the reader’s PayPal account and he is starting to worry this is some kind of scam. But if it is, it’s a scam that’s new to me.
The first such order was placed on June 4th and there have been 20 such customers so far, though some of those customers have placed double orders so the total amount is $1,758. The reader is in the USA but the orders have come from Belgium, Norway, Switzerland, France, Germany, Austria, Sweden, Japan, and Israel. Nobody has requested an unlocking key and nobody has requested a refund.
Now it gets stranger. All the orders used legitimate-looking e-mail addresses, yet all except one address bounced back as invalid. The PayPal transactions, however, all went through. PayPal is scratching its digital head, too, saying they have no idea what’s happening.
As an experiment the reader raised the price of his product from $79 to $790. No sales happened at the higher price but then an order went to an alternate distributor who charges $99. Again, no request for an unlocking key. The alternate distributor supplies my reader with an IP address for each transaction and the bogus (is bogus even the right term for this?) order that came through this channel was from 141.135.104.13, which is apparently in Belgium.
Fearing there’s another shoe to fall, my reader has pulled his money out of PayPal except for enough to cover refund requests — should they happen — from these weird transactions.
Have you seen anything like this before? What’s going on?
I wonder if these are the new test for carders checking validity of stolen accounts.
You might run that by Brian Krebs, a guru on carders and other scams. http://krebsonsecurity.com/
That’s my thought too – they are checking that the card is valid. It used to be that they would make a small charge of a few cents, hoping to escape scrutiny because the charge was so small – however the credit card processors eventually caught on to this and started denying small unusual charges and flagging the account as compromised.
Credit card processors are also quite strict about international charges on cards that don’t normally purchase items internationally, so regardless of the IP address, if this is a scam it is probably a US-based issue.
I’ll third that. I am familiar with an online retailer who routinely gets a few orders a week placed solely, it seems, to establish the validity of the credit card. $79 seems a little high (usually it’s around $20) but I guess if you’re using a stolen card number, it doesn’t matter since it’s all “free” anyway. At only 20 transactions, I doubt PayPal or any of the card companies are going to want to be bothered doing the investigation. Or they are actively looking into it, but not going to acknowledge it.
Agreed – this has all the elements of a “carding attack.”
When a black hat gets access to illicit data, they need to test each record to see if it is still valid. Lists of credit cards with related info (e.g. names, emails, etc… – which is likely the source of the “real looking” emails) are traded and sold and re-traded. Oftentimes a list is so dated and abused that many/most of the records are no longer useful to the bad guys because people have caught on and canceled their cards as a result of previous bad actors. This isn’t limited to credit cards and can certainly be done with PayPal accounts (or just use credit cards via PayPal accounts).
So, before a bad guy tries to use a card to purchase something for their benefit, they will test the record with a low price point solution, usually one that requires a minimal amount of additional data (i.e. probably no shipping address). Seems like other posters are already on this, but thought a bit more background might be illuminating.
Sometimes cleverly implemented CAPTCHA techniques can stop or at least slow down the process such that it is inefficient for the black hat to use a particular site for his/her carding attack. Then, they just move on to someone else.
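The signals reported in this post (bounced contact e-mail, no unlock-key request, payments from outside the vendor's usual market, double orders) can be combined into a simple merchant-side review check. This is an added example, not part of the original post or its comments; the field names, weights and thresholds are assumptions, and the sample orders are constructed.

```python
from dataclasses import dataclass
from datetime import date

HOME_COUNTRY = "US"   # assumption: where this vendor's customers normally are
KEY_GRACE_DAYS = 7    # assumption: real buyers ask for their key within a week
REVIEW_SCORE = 3      # assumption: tune against your own order history

@dataclass
class Order:
    order_id: str
    placed: date
    email: str
    country: str         # country reported by the payment processor
    amount: float
    email_bounced: bool  # download instructions bounced as undeliverable
    key_requested: bool  # buyer sent the machine ID to get an unlock code

def score_order(order, orders, today):
    """Return (score, reasons) built from the signals described in the post."""
    score, reasons = 0, []
    if order.email_bounced:
        score += 2
        reasons.append("contact e-mail bounced")
    age = (today - order.placed).days
    if not order.key_requested and age >= KEY_GRACE_DAYS:
        score += 2
        reasons.append(f"no unlock key requested after {age} days")
    if order.country != HOME_COUNTRY:
        score += 1
        reasons.append(f"paid from {order.country}")
    if sum(o.email == order.email for o in orders) > 1:
        score += 1
        reasons.append("repeat order from the same address")
    return score, reasons

def review_queue(orders, today):
    """Orders worth a manual look, highest score first."""
    flagged = []
    for o in orders:
        score, reasons = score_order(o, orders, today)
        if score >= REVIEW_SCORE:
            flagged.append((o.order_id, score, reasons))
    return sorted(flagged, key=lambda item: -item[1])

def refund_exposure(orders, today):
    """Total amount tied up in flagged orders, i.e. what refunding them costs."""
    ids = {oid for oid, _, _ in review_queue(orders, today)}
    return sum(o.amount for o in orders if o.order_id in ids)

# Constructed sample data, not the vendor's real orders.
TODAY = date(2024, 6, 20)
SAMPLE = [
    Order("A1", date(2024, 6, 4), "buyer1@example.com", "BE", 79.0, True, False),
    Order("A2", date(2024, 6, 5), "buyer1@example.com", "BE", 79.0, True, False),
    Order("A3", date(2024, 6, 6), "buyer2@example.org", "US", 79.0, False, True),
    Order("A4", date(2024, 6, 8), "buyer3@example.net", "NO", 79.0, False, True),
    Order("A5", date(2024, 6, 19), "buyer4@example.org", "US", 79.0, False, False),
    Order("A6", date(2024, 6, 10), "buyer5@example.com", "JP", 79.0, True, False),
]

if __name__ == "__main__":
    for oid, score, reasons in review_queue(SAMPLE, TODAY):
        print(oid, score, "; ".join(reasons))
    print("refund exposure:", refund_exposure(SAMPLE, TODAY))
```

A legitimate foreign buyer (A4) and a fresh domestic order still inside the grace period (A5) stay out of the queue, because no single weak signal reaches the review threshold.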
I wouldn’t use PayPal on a bet. Twice I had an account over the years, twice it got hosed up. Never again.
Looks evil to me, but you might run it by Mikko Hypponen of f-secure. He’s usually on top of these kinds of scams. Maybe try to tweet him? https://twitter.com/mikko
Ciao,
B
In the past week or so, I’ve suddenly been getting fishy emails from PayPal. I won’t even open them. Something rotten is going on with PayPal. I haven’t used it in two or three years and I consider it rotten, radioactive, toxic.
It should be simple for PayPal to retrieve the credit card information associated with each PayPal account, and contact the owner of the credit card. Or else contact the financial institution behind the credit card, and have the financial institution notify their customer.
Then they could confirm the legitimacy of the transaction, or alert the cardholder of the possibility of fraud.
Why haven’t they done this yet?
Have you ever tried contacting someone at PayPal? It’s impossible.
Impossible? Seems like it, but in reality, just phone:
(888) 221-1161
from within North America
I just tried that phone number, which does lead to PayPal’s automated robot voice system. Tried it twice. Both times it said it couldn’t hear anything when I answered its question about not having a one-time passcode; next it gives you the option to answer via the dial pad, but again it didn’t hear any response, ultimately hanging up on me. I could hear them loud and clear. Perhaps it’s a one-way connection issue. Would anyone else like to share their experience calling that number as I did?
I tried it again. This time the robot asked me some id questions, told me the balance, then asked me to say why I’m calling. At that point I hung up, since I didn’t have a problem in mind.
>Blubber Gut< I agree, anyone who has an account with PayPal, especially those who link their credit card or checking account to PayPal, is risking a lot. PayPal has all the power of a banking institution with none of the regulations. I've read stories where PayPal has taken thousands of dollars from accounts with no recourse for the account holder.
As for this mystery, testing the validity of a credit card account seems likely. One would need to see other charges on the same accounts. It's also possible that they are testing PayPal account procedures.
I'm sure we'll find out eventually.
I have had a credit card tied to PayPal for many years without issue, but I will never link my debit card/bank account to them.
Moi aussi. And we are not alone, since PP dropped the limit before you have to link a bank account some years ago.
I can 2nd this. I’ve used PP for many years without a SNAFU. My daughter regularly buys things from PRC & Korea without a problem. But I always use a credit card to back it.
My non-profit’s website is recording legitimate payments from PayPal, yet they aren’t showing up on PayPal on the summary page. “We’re working on it” is all PayPal says. No ETA for a resolution, or any idea why it’s happening. I’m seriously considering switching payment processors.
No idea but I have to say all the hysterical knee-jerk PayPal paranoia in the comments here is ludicrous. My business has used it for 6 years and it’s a great service.
Is the key valid for each individual download only or is it a generic one? If the latter then it’s probably posted up on a forum somewhere. If the former then is the key easily cracked? But in either case that seems stupid if you can just get the genuine key you have already paid for.
Is the vendor sure his download procedure is working and that the instructions to obtain the key are being received by the purchaser?
Is this a competitive product, with many sites competing for the same customers? It could be a rival site has paid for stolen cards to be used on the site, the intention being to try and get PayPal to lock the vendor’s account. Similarly, has there been a recent dispute with a customer who is disgruntled and is trying to stop the site from trading with PayPal?
Yeah, I like the fraud angles others have posted. My first thought was that it was being used to hide other fraudulent activity, like money laundering or money movement. If you want to skim from a lot of cards, hide your transaction among lots of random other charges on a lot of cards. Credit card companies are too lazy to investigate deeply enough to find patterns and customers have been trained to throw their hands up because the credit card companies just absorb the charges as a “cost of business.”
The tiny volume (20 or so transactions) that otherwise meets the criteria of legitimacy from PayPal’s perspective also means they’re not going to spend a lot of resources to track it down either.
Maybe I need to start a new business – for $50 I’ll send you an email. No refunds for incorrectly submitted email addresses.
I suspect the PayPal angle here is more about the fact that your friend uses PayPal and less about any PayPal problem.
Maybe his mom is trying to make his business a success with all these fake (except for the money) orders.
My first thought was currency manipulation. Pay for something with Euros that is purchased in USD, wait a time for the exchange rate to change to be more favorable, then get a refund. You get back the same amount in dollars, but it’s now more in Euros.
I was thinking along a similar line that it is some new form of money laundering using PayPal as a repository. Haven’t figured out who is the dry cleaner.
I wonder if this is a variation of this kind of trolling where large sums are given across PayPal and after a decent amount of time, when the seller may not have the funds any longer (given they might have been spent), the purchaser (Troll) requests a refund, jamming up the seller for $$$ they no longer have.
Ref: https://www.engadget.com/2016/06/08/paypal-wont-refund-twitch-troll/
In this case, troll purchases a lot of software, never technically ‘buys’ it for not using the provided key (unsure if this does/doesn’t count here), and then 2-3 months down the road they will request a refund attempting to jam up the guy for $$ he might no longer have in his accounts.
If he is selling through a website that pays a referral fee they could be doing it to get the commission and get paid before the compromised account holder finds out what is going on. By the time the sale is disputed they have gotten their payment, closed all of the accounts, and are nowhere to be found. I had this happen with a direct sale company. People were joining the company “selling” lots of product with stolen cards, getting paid commission, awards, trips… by the time the accounts bounced they were long gone. When I told the credit card company who the charge was from they said that they see it spike every few months.
Could this be a money laundering process?
What if there was an illegitimate firm with a “similar” PayPal account. They’ve been scamming people but as a result of a typo had the money sent to your friend by accident.
What if this was the first step in a money laundering operation. They put money into a random account, then a few days later request a refund for non-delivery of the product. The money is refunded to a different account.
Regardless of the circumstances I would recommend your friend follow the same advice as given to folks involved in ID Theft — file a police report, inform your bank, change the account on your PayPal account, put the money aside so that it can be returned.
Re: “file a police report”. Saying: A customer in a foreign country bought, paid for, and received my product, but hasn’t gotten around to using it yet. Do something!
One time I made a legitimate card charge and paid it promptly. Then another source paid, too, and they reimbursed me by check. By paying the card, the card could not receive the funds. If the owners of stolen numbers don’t notice the fraudulent charges and pay for them, the scammers have probably set up the charge to refund to their scam address. If a small percentage of people pay the charge, the scammers will still have a lot of money.
And to the reader who suspected money laundering, I believe it fits the definition. I would make sure that all refunds go to the address the credit card has for its holders, not the PayPal address.
Many thanks to the commenters here (I’m the software guy that Bob speaks of). I was really stumped by the scam because they send me payments (they show up in my account) and never ask for it back – it’s been 6 weeks since this started. My business has used PayPal for many years without any problems, so I’m generally happy with them. My unlock codes are based on the user’s name and an ID code that is unique to each computer. The ID code is generated after they install the software. They have to email it to me so there are a few back and forth communications before they get the unlock code. None of the 20 questionable purchasers have ever emailed me back, requested the unlock code, or requested a refund. All the emails that I’ve sent them have bounced except for one. That one did garner a reply from the owner of the domain to say that the email address didn’t exist. The software in question is a niche product in the engineering/hobby software industry – very low volumes, so it was easy to detect these strange purchases. In hindsight, I don’t think they have any interest in my software. From the comments here, it sounds like it’s most likely somebody testing stolen credit cards? I’ll contact PayPal again and keep enough funding available to cover the refunds when the day of reckoning comes.
The question is, why are they downloading the software? If it was just a test of the CC, why bother to download?
Hi Alan, in hindsight it’s doubtful that they actually are downloading the software. I send the download instructions to the email address they provide, but those emails get bounced back. In essence, there is no way for me to contact them.
You’ve worried about this WAY too much already. Credit card companies do not investigate small frauds. It isn’t worth their time. Spend the money and go on with your life.
One of the bigger longterm issues is taxes. If this continues and say I rack up $10k in “zombie” orders from this guy, I have to report that as income and pay income taxes on it. What happens when the credit card company wants a big refund next year… but I’ve paid thousands in income tax?
You take it as a business expense in the current year.
J, I think there is a good chance you’ll get to keep the money in the end.
I’ve received three mystery payments over the years for small amounts around $10. None was ever revoked.
A naive friend was conned into participating in some money laundering scam. To my surprise, no one ever attempted to recover the money he received.
J,
One other thing: Even though you withdrew your $ from PayPal, you may need to make sure the account(s) tied to it are also protected. If it’s a scam, and if they convince PayPal to give more $ back than you have in your PayPal account, PayPal will happily reach into your non-PayPal accounts to “help”, just like a “friend” who is paying for a pizza with your $.
Can you sell such that it’s only US accounts (for now)?
Look forward to reading the results of this…
Maybe this is totally off-base and it is stolen credit cards, but…
If the software needs a certain number of uses before the license kicks in to lock-out the user, perhaps the users are just using it in trial-mode? Or starting it in the first instance, which may have a nuisance reminder only, and never exiting?
Maybe not, but just wanted to surface this possibility.
Could your product be available for purchase on a website other than your own? This article might be of interest:
https://www.polygon.com/2016/6/20/11982544/indie-dev-says-grey-market-key-seller-cost-them-450k-in-sales
Apparently, there’s a scam in which stolen credit card numbers are used to obtain license keys for software. The person who obtained the keys fraudulently then resells them for far below their retail value on a gray market website, and the maker of the software is left holding the bag when the chargebacks come in.
I’ve read something similar about the Factorio game; the indie studio had to refund the legitimate customers that bought. They describe it in this article:
https://www.factorio.com/blog/post/fff-145 (search for “The good deals that are not so good”)
Not at all sure this can be relevant here, from the way the product is described.
This is an automatic system; they work based on an algorithm.
I dropped this riddle on an Aussie forum, and no-one there could figure out what was going on. Were it me running my business in this situation, I’d just call these uncompleted sales failed, and just reverse the transactions. The supposed customer doesn’t have the goods (the code) – so in this virtual world, there has effectively been no stock loss. Reversing the transaction voluntarily would surely look a lot better to PayPal than a chargeback, too – and PP is a tetchy, unpredictable beastie.
According to MaxMind, the IP address mentioned is a proxy, probably one deliberately set up on a hosted machine. Raises the probability of fraud. I’m with the others who say it’s testing of stolen PayPal accounts. But without more details about what’s being sold, actual emails and IPs, and some more context, it’s hard to know for sure. Sometimes things look fraudulent but have legit explanations.
Sooo…. doesn’t someone need to let the credit card owners know that their credit card numbers have been stolen?
Ultimately, it’s up to the credit card holder to verify the charges each month. If something is wrong, they dispute the charge, and it’s up to the credit card company to reverse the charge. If the cardholder doesn’t dispute it, he’s made a voluntary contribution to the bad guys.
So the seller and PayPal are aware of fraudulent charges, and they should just ignore it?
I was responding to TrueRock’s post about letting credit card owners know their card number was stolen. Routinely, my credit card company monitors for fraudulent activity, and will let me know by putting a hold on my card until I call them to approve or disapprove a charge suspicious to them. But if it’s not suspicious TO THEM, it’s ultimately up to me to check my charges, at least once a month.