Black Friday is undoubtedly one of the most important dates of the year for online shopping. This last Friday in November became a happy day for many Internet users after getting that much sought after online bargain but, sometimes, “Cheap can be expensive”.
Some shoppers were unaware that they had fallen victim to an online scam, and while they waited for their fabulous purchases in their homes, the cybercriminals emptied their bank accounts and deleted their fraudulent websites.
This article collects the facts and figures of an online scam where an organized group of cybercriminals swindled hundreds of Spaniards over a weekend. During the investigation I will show details and advice to take into account before making any purchase online. It can be used as a guide to prevent others from being victims of an online scam.
Experiences of a scam
JCCM (initials of the person who was scammed) accessed the website wanting to buy a Nintendo Switch Lite as a Christmas gift, taking advantage of the Black Friday weekend and to get that “bargain” he was looking for.
On Google, he found a direct link to the game console he was looking for with the domain www.tecnologia24h.com. The website did not seem suspicious at all, it had an SSL certificate (secure connection/green padlock), a professional design, a website recommended by other buyers in blogs and well-known forums online.
The prices were very good, and he decided to buy quickly because he wanted to receive his purchase between Monday and Tuesday of the following week, before the end of Black Friday week.
After registering on the site with his personal details, he made the purchase and received this email from the website tecnologia24h.com on 30 November 2019:
With the details sent by the company, he went to his usual bank to make the bank deposit from the cash machine.
Pleased with his bargain, he waited until Monday 2 December 2019, when he went to check the status of his order and the page where he made the purchase did not exist and there was another in its place.
For a moment, he thought he had misspelled the address, but doubts disappeared when he looked for the link sent to his email and the address opened the same empty web page.
At that precise moment, he realised that he had been the victim of an online scam and that he had no idea what procedure to follow to recover his money.
Where did the scam come from?
The scam was done from two online shopping platforms with the domains toyspla.net and tecnologia24h.com. In the first domain they replaced the corporate identity of the brand Toys Planet to move the scam and, in the second, an online store with its own brand.
The latter was the website used in Spain for the campaign “Black Friday 2019”. If we look at the creation date of the domain name, cybercriminals registered it a few days before Black Friday.
In such a short period of time, they got major search engines like Google to index their content quickly to rank fraudulent sites in the top ten search pages. That’s why, in cases like this, it’s always interesting to check the creation date and domain registrant details. To do so, you can use this free online tool.
Another thing that is important to take into account is the low price of the products. If we compare these with other competing websites, we can see differences of between €40 to €100.
This is the hook that cybercriminals use to blind us to make the purchase on their site thinking that we are getting a “bargain”. Of course! It’s Black Friday. What could go wrong?
Another thing that can help us know if it is a scam are the typos and spelling mistakes on the site. Or paragraphs that are poorly translated and do not make sense.
Also, the form of payment offered on the website is another aspect to consider.
Although the site displays Visa and MasterCard logos, it only accepted PayPal payments and bank transfers, something very strange and suspicious on websites of this nature.
Similarly, before making an online purchase using any of the payment methods shown above, we must ask ourselves the following questions: Who are they? Where are they?
In the footer of the web page a CIF (Tax Identification Code) is shown.What is interesting is that the CIF is no longer used as a method of identification in Spain since 2008, it became what we now call NIF (Tax Identification Number).
Also, let’s look at how we might find out about the company through its CIF or NIF on Google or by the name of its company name or activity on this portal. The supposed fiscal data of the company are shown, where we can see that its business activity does not correspond with selling technological products, so we can clearly see that it is a phishing website.
As you can imagine, cybercriminals are very well organized groups with advanced knowledge of hacking, programming, computers and even laws. So, tracking them is very complicated, besides leaving this job to the state forces (police or civil guard) where they have highly qualified professionals.
Alternatively, and as a way to obtain more information about a website, person or company, you can geolocate them using the IP address.
But do we have their IP address? We know their domain name and we also have an email that some automated system or person has sent us to make that bank transfer. Therefore, we have at least two IP addresses that we can use to geolocate their servers, these would help us with the credibility of the site.
Obtaining the IP address of the web domain tecnologia24h.com:
Although in UNIX systems we have specific commands, this free online tool can help us: check-host.net. In this case, the web server is located in Bratislava (Slovakia), something very suspicious for a Spanish company. If there were any doubts, with this evidence it is clear that it would be a serious mistake on our part to make any purchase on this website.
Analysing the headers of the email sent by tecnologia24h.com:
We have an email that we received from the allegedly fraudulent website with the bank details for us to make the transfer and pay for the product we have purchased.
Here is a link that explains how to get the headers depending on the email service used.
Now that we have the headers, all we need to do is track the email with this tool that Google provides us for free:
Knowing the IP address from which the email was supposedly sent. Apparently, the IP address corresponds to a computer on an internal network. Our suspect’s trail ends here.
Summary of how to identify a fraudulent site
• Review the creation date of the web domain and review the registrant’s data (this data may be protected).
• Avoid excessive price differences in comparison with the competition.
• Typos and/or spelling mistakes, fragments of texts that have been mistranslated and/or are meaningless.
• NON-secure payment methods.
• Review fiscal data and location using the name, NIF, telephone number, email address or activity of the company.
• The importance of checking the origin of their servers cannot be overemphasised, countries like Slovakia, Croatia, Russia, China or Nigeria are often used by cybercriminals.
• Analysing email headers to trace their origin can always help us find out the legitimacy of an email.
I’m a victim of an online scam. What should I do?
The first thing to do is to go to the bank from where you made the bank transfer and ask to reverse or cancel it. It is very likely that the bank will charge you a commission (approximately €10). After the request, you must go to the national police station or the Civil Guard to report the facts, all evidence is good (screenshots, web domains used, copy of the email, bank account, etc.).
Cancelling the transfer will depend on the time elapsed since the transfer date. If the payment was made within 24 hours, it is possible to cancel and recover the transfer almost in the act from the bank’s own application. Otherwise, you will have to wait a few days until the bank or state forces inform you.
Happy ending for many victims
After following the above steps, many victims have managed to recover their money within a few days, others not yet, but I am sure that both the bank, the police and the Civil Guard are doing everything possible.
You can follow the thread opened by victims at this address: https://www.signal-arnaques.com/es/scam/view/190576
I hope that this article will help all of us to protect ourselves from the dangers that exist on the net. Cybercriminals don’t keep office hours, they don’t rest, and they’re always one step ahead of us.