>>So hi, I’m Kitty. >>[audience] Hi Kitty. >>[laughs] Um I’m known by you know a couple other handles but mostly um in my work day people call me Nina. Um before I give my talk, as you can see on the screen I do have to say, I’m required actually, to say um that the views expressed here do not necessarily represent the views of the Navy, the Department of Defense, or the US government. And I’m required to say that because technically I’m a I’m a fed I guess. In my work day I’m a professor at the Naval War College inside the Strategic and Operational Research Department. Which really means that I study um emerging technologies and how they affect warfare and defense and that would include the cyber ring. And so that’s part of why I follow your community. But um all of that actually has absolutely nothing to do with what I’m talking about today.

Um last year right around August I bought a used Nespresso maker and so I just wanted to come and talk about the story about what happened. Um so with the company Nespresso um the pods and the makers are purchased mostly online. There are some boutiques across the country but by and large, you can buy your coffee from Nespresso directly from their website and so with my new used machine I realized that the pods were really expensive. So I decided that I’d have a look to see if I could get them somewhere for cheaper. Um and it turns out you can. Um you can get them on eBay. Um so in fact scandalously cheap and I found a listing um in which the current bid was about half of what I’d pay if I were buying directly from Nespresso. So um the only trick was that I had to buy 200 pods at a time. Um it’s not a big deal, I drink a lot of coffee so it seemed fine. I set my bid. I wandered off um and when I came back I’d won. So um so I paid with PayPal and I moved on and a week or so later my coffee arrived. Um but with it also at my doorstep um in a separate box um was this little gem. It’s also here on stage. It was a brand new espresso maker in addition to the coffee that I’d purchased. Um and so you’re looking at a Nespresso Pixie. It’s one of Nespresso’s most compact little espresso makers. It retails at about 280 dollars and it takes the small coffee pods that are about 70 cents a piece.

So this initially just feels like an ordering mistake to me. And so I go back to eBay to figure out whether I had accidentally pushed some buy it now function um and uh purchased it but I hadn’t. Um so I turned to the packaging and boxes. I opened them both up um and I look over the tracking label and I find out that not only um does the invoice have the same uh sender and both are intended to come to me um but they’re shipped directly from Nespresso. And they weren’t supposed to.
They were supposed to come from some third party. Um so I turn again to eBay to um to look at the transaction and compare it to the invoice and I find out that the seller’s name on eBay, let’s call her Sue from Chicago, um that accountholder’s name is nothing like the accountholder’s name on the on the Nespresso side. We’re going to call him George from Poughkeepsie. Um in addition Sue from Chicago had a zero zero seller rating and had just opened her account um just a couple weeks prior and the only thing she was selling was Nespresso. So at this point I’m starting to think this looks a little bit like fraud so I decide I’m going to escalate, I’m going to find out and I call Nespresso. A little bit reluctantly because um I’m sort of greedy and I would really like to keep the machine. Um so I explained to customer service that I had not ordered the machine but I had ordered the coffee um but I hadn’t purchased it directly from Nespresso um but instead from eBay and so she could confirm to me essentially that yes in fact George from Poughkeepsie’s credit card had been charged for both items. So I said you might want to call George and let him know or I’d be happy to call George and explain what is going on and find out whether he had really intended to send me this really nice gift. Um and she noted that she said she wouldn’t give me his number. So I had no way to prove any of this but I kept thinking this is definitely gotta be fraud but it wasn’t clear to me who was losing out in the game. Um but I told Nespresso, please send me a prepaid mailing label and once I got it I would happily send back their machine. This is a ploy you know cause manufacturers never want the machine back. Um she took my information, sent it to the fraud department um and then told me to watch my mail and if I and if they wanted it back the fraud department would send me a label. I obviously still have the machine. But my ethics are restored right? I’ve reported the fraud and I get to keep the machine.

In the meantime, I still can’t quite figure out what’s happening. So um I Google around a bit and it brings me to the Krebs on Security site and I find this uh graphic and it helps me explain sort of what might be happening. So this is triangulation fraud and if you’re not familiar um you’ve got a 3 part um triangle there and the whole trick is to convert a line of credit into cash using the seams that happen between companies and the last step in that chain is the mule, is what they call the mule. That’s the person who is doing the cash conversion. The fraudster steals somebody’s PI and establishes a credit line or they just go to a carding site and get a card. Um the fraudster identifies a major company, in this case Nespresso, um and they’re selling some luxury goods um and they set up an account with that company. The target company usually has really reliable fast shipping um and a simple account system that is um that doesn’t have too many security checks to it. Then the fraudster sets up their eBay account, sets up a fake uh profile and starts selling stuff super cheap. Um when the auction completes the eBay account um the unsuspecting buyer sends their money to eBay and they have now become the mule. Right? They have given the fraudster the cash they need but remember they’re selling, the fraudster is selling something they don’t actually own. And the eBay process won’t complete until there’s a shipping invoice that’s that’s uh that’s generated. So the next thing that has to happen is your fraudster uses the credit card to buy the stuff directly from the manufacturer, send it to the buyer from eBay and then the whole triangle is complete. The shipping notification is generated and everyone is happy. The fraudster takes the money from the sale, it pays eBay its money from the commission and relists for more items. It’s a seamless triangle uh the buyer has no idea that they’re a mule and all that they know is that they’re getting a really good deal for really legit goods. Um and so the incentive for everyone to continue is um is to to participate and keep quiet.
Unless of course that buyer is me and you somehow sent me um an espresso machine that I didn’t order and I really wanted to know why I got the extra machine because I had been already made happy by paying half price for my coffee. So I had 2 theories. 1, this person or persons sucked as bookkeepers and so I imagine that maybe they were like copy pasting from an Excel spreadsheet into the manufacturer’s website and it accidentally sent me an extra coffee maker. Or 2, maybe they wanted to buy my love. Like maybe these triangles are so fragile that the setup of these accounts and the burn of these credit cards are so fragile that they’re trying to make me super happy so that I won’t question it and that I’ll just keep buying. So the right thing to do now that Nespresso has given me this coffee maker um was to embark on a campaign of research and buy more coffee. [laughter]
I know. I know you’re thinking I’m a terrible person um but first this this is called confessions for a reason and second, I’m still guessing this is fraud but I don’t really know. Right? Like so how big is this operation? Um so I needed more data and specifically I didn’t just need more data from the 1 seller, what I wanted to know is if this is some sort of criminal underground gang like a Nigerian um prince scam or some IRS um gift card scheme. Right? This should be happening at scale in some way. Um so I generate a series of questions. I’ve way overthought this by the way. I generate a series of questions um and I try and figure out who these thieves are. Um to be clear, there are plenty of thieves on eBay. I just wanted to find these ones specifically. Alright? So um I ask are there other accounts? Can I find those other accounts? How fast do those accounts burn? Um and most importantly can I get them to make the same mistake twice? Can I get them to send me more extra free stuff? [laughter] There’s no there’s no greed in this it’s fine. [laughter]

Using eBay’s auction search tool and the initial account as the template I try and find other recently created accounts with 0 ratings selling Nespresso. So 3 things. I need them to sell Nespresso. I need them to have the 0 rating and I need that account to be relatively new. Um so if the fraud triangle is sloppy, as I think they probably will be, then there’s probably some laziness. There’s some duplication in description and the use of images which makes the search easier. If these triangles are fragile, that means they burn really fast and I have to look at them often, like every day. Alright? So eBay lets you automate these searches so I set my template and I set the search for 200 capsules at 99 dollars. I searched for espresso machines as well but it doesn’t it doesn’t kind of create any good pooling data so I stick with just looking for capsules. Um and each day I get in my email inbox a report of the results. Usually 100 or so and I have to weed through them. And at the outset it’s a little bit hard. It takes me time to find my specific set of coffee thieves um because um while it’s easy to find someone selling a lot of coffee, it’s harder to figure out when the account is brand new and when the account has a 0 rating. And that’s actually due to eBay uh to eBay’s design. So if you look up at the image um you will see those stars up there. One would think that that’s the seller rating. That’s not a seller rating, that is actually a generic review of what people think of Nespresso coffee. But it makes the buyer think that that might be a seller rating and so you feel calmer, you feel like you’re more reassured. In fact they bury the seller rating for brand new accounts near the bottom in tiny font. And then similarly you have to click through to find out when that account was built. Now, that takes some time. But the good news is is that eBay’s website wants to help me. Right? So every time I do the search and I resolve it it’s watching me do that and so even when my clicks proved unsuccessful it would offer on the bottom of the screen, here is some similar items. Maybe you want to buy from these people. And so often I ended up uncovering uh the accounts that I was looking for through their own website offering stuff to me.

Um so like a good researcher, I created a spreadsheet to track each of the unique accounts with their opening date uh with their ratings over time and eventually when the accounts go dormant, everything they sold and how much they profited. Um then I selected 2 accounts opened within 6 days of one another. With those 2 accounts I made 2 separate purchases to try and see um if they could send me extra stuff. A week later I received 200 pods of coffee plus 200 pods of coffee. [cheering]
Then a few days later I received 200 pods of coffee plus a brand new milk frother. [laughter] Retail value 119 dollars. I didn’t really care for the frother because I wasn’t really a cappuccino person [laughter] but I tried it out and it turns out it’s really amazing so thank you [laughter] fraudster overgiver. I have upgraded to cappuccino. Uh remarkable really. Um but more importantly [laughs] I found them. [cheering] I found them. Right? And so by looking at these 2 brand new accounts, buying from these 2 accounts, opened roughly the same time um I I’d managed to locate them. Right? Um they were yes, using the same images. Yes, using the same descriptions. Um I tried to write them emails and chat back and forth, ask for different flavors of coffee, sometimes just to say hello. Um but they never wrote back. Um I also did by the way, look on eBay’s reports page to try and report these accounts because I realized like that this is not good. I shouldn’t participate in this. Right? So it turns out you can’t report fraud on eBay’s website if you actually receive the item. So there’s a thing for “didn’t receive the item.” There’s a thing for “damaged goods received” but there’s nothing for “I got extra stuff and I’m trying to report this.” Right? [laughter] So it didn’t work out. So anyway okay so um so I give up.

So ok um so we’re now 3 orders deep in my research campaign. I isolate 2 other closely paired sets of accounts. I completed another 2 purchases and the first order arrives again. 200 pods. 200 more pods. Alright? So I get twice the amount of coffee again. But the second one, something finally interesting happens, the fraudster wrote me a letter. It looks like this. “Hello friend, first thanks a lot because you choose my listing to buy. Second, I’m so so sorry because this product is not in best condition so I can’t send it to you because I always want everything best for you. My mom has sick on hospital now so I can find any other item in best condition to ship to you and I have to go to the hospital with her now so um I hope you understand for me and let me cancel oder. Thank you and god bless you!” What a nice guy. And my money was refunded to me. So of course I replied, “I’m super sorry your mom is sick, um I will order again in the future”. Uh that account did close about a week later. I was weirdly sorry to see it go. [laughter] Um but it was a super polite fraudster and I really hope his mom is okay. [laughter]

On the research side, I took that letter of course as data. I spent a few hours searching for a tool. In my wild imagination I was hoping that perhaps someone had created a um like an English language grammatical error guesser. Right? And that it would somehow like be a crappy version of Google Translate except it would attach like what other language might be making these mistakes. Turns out that tool doesn’t exist. Project for you. [laughter] In its place and in a moment of poor judgement I decided to ask my friends who speak other languages whether or not these errors looked familiar. Nobody seemed to know what I was talking about and it started to feel a little racist. [laughter] So I stopped that line of inquiry pretty fast. But I’m also you know broadly aware that um fraudsters will emulate not being able to speak English to kind of throw you off their trail so I don’t actually know whether or not they’re domestic or or um located in the U.S. So anyway at this point the whole coffee thing had gotten way out of hand. My conscience [laughter] is weighing on me. My kitchen is a complete disaster and it’s time to stop this game.
It really is. Um so I don’t need that much coffee and I was about a hundred dollars per data point. Like each time I’m paying about a hundred bucks to learn more about these people. I am not independently wealthy. This is not a sustainable venture. So um ok so here’s the final tally. Um this is my this is a version of my spreadsheet. All of those accounts are dead now. Um so um 5 attempted purchases, um 4 were successful. 1200 pods total. 1 frother. 1 espresso machine. I spent just under 400 dollars. Um the value again, not on sale, Nespresso has good sales by the way, um just under a thousand dollars of goods received. Um in October I took all this data that I’d collected and complete with the names, the invoices, the accounts, um and everything that I had in paperwork and I sent it all to the FBI to try and see if they could figure out something to do with it. Um I also reported all of this to eBay and anybody else who would listen. Um 30 following that report, I I never got any response back from the FBI but 30 days following that report um the activity seemed to stop. So maybe something happened. As far as finding out who these people were, um I didn’t have very much. I really wanted to uncover some kind of cool underground like credit card scheme from Morocco or something. Um but it didn’t happen. None of that was in the offing. Um but this isn’t a hero story right?
It’s a confession. So um here’s what I learned. When I started telling people this story, when I started explaining what was happening to me, people often told me that this was a victimless crime. Um the more I thought about it, that’s just not true. Right? Um the little I do know about George from Poughkeepsie, cause I did a lot of research on him to try to figure out if I could contact him, um and some of the other account names, is that they were all over or at retirement age. We’re talking about a vulnerable population here. Right? Um and these aren’t victimless crimes. The victims don’t know how to mitigate the damage that’s happening to them. They don’t even know it’s going on. Um recovery from identity theft works for people um uh who are equipped to deal with it but not the elderly. And so we’re just not far enough along in this nation trying to figure out how to protect those people.

Um 2, for this kind of scheme it’s easy to be unknowingly complicit. It’s also super easy to be knowingly complicit. And this is a story about thresholds. So under a certain a certain threshold um the incentive is to cheat. eBay doesn’t care. Nespresso doesn’t care. At the end of the day you’re getting you’re your goods for cheap so your incentive is to cheat as well. If it exceeds the threshold everybody gets excited. But before then it’s all priced into the market. The insurance cards have got it. Everyone’s got it covered. eBay’s got themselves covered. And so really the only person who is going to stop it is you or me. And I’ve stopped. I won’t do it anymore. It’s not okay.

Um all I have left is this confession and my promise to walk away from all of this. And I have a lot of coffee. [laughter] But maybe one I can do one last good thing so um up for auction is this wonderful gently used Nespresso machine. [laughter and applause] Whatever coffee is left, you can have it. Um bidding at, this is a terrible idea by the way. Bidding starts to uh right now as soon as I can post it on my Twitter account. Just go ahead and um bid. It’s cash only. The bidding tomorrow at 10 am. You can come pick it up at Tamper Evident Village um by the box um um please bring. Don’t be a jerk and bid and then not show up. All of those proceeds will go to the Diana Initiative. And I promise you’ll watch all of that transaction. It will be totally transparent. It’ll be online. Um but definitely um if you don’t show up you’ll have the force of public opinion and if this all falls apart well it’s DefCon anyway. Um that’s my Twitter handle. It’s nothing like my handle but um but I don’t know I will I will flash this again but I just wanted to say one last thing, which is thank you. You guys are awesome. And a shout out to my Mom and my Dad. Alright so that’s my Twitter handle so if you’re interested in in owning this little little baby um it’s all yours uh bidding starts at a dollar. Just wait for me to go ahead and raise the um the Twitter account. Thanks. [applause]
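The seller-screening heuristic described in the talk (zero feedback, an account opened only days earlier, Nespresso capsules listed far below retail, and the same images and descriptions reused across accounts) written out as an added Python example. This is not code from the talk or from eBay; the listing records, seller names, image URLs and the "today" date are constructed sample data, and the thresholds (30-day account age, 75% of retail) are assumptions chosen to match the talk's own numbers (200 capsules at $99 against roughly 70 cents a capsule at retail).

```python
"""Flag marketplace listings that fit the triangulation-fraud seller pattern.

Added example, not from the talk. Criteria come from the speaker's search:
sells the target product, zero feedback, brand-new account, priced well below
retail; then cluster the flagged sellers by reused image or description text.
Every record below is constructed sample data, not a real seller or listing.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Listing:
    seller: str
    account_opened: date
    feedback_count: int
    title: str
    price_usd: float
    image_url: str
    description: str


# Figures taken from the talk: 200 capsules listed at $99, retail about
# $0.70 per capsule (so roughly $140 for 200). Thresholds are assumptions.
RETAIL_PER_CAPSULE_USD = 0.70
MAX_ACCOUNT_AGE_DAYS = 30      # "opened a couple weeks prior"
MAX_FEEDBACK = 0               # "a zero zero seller rating"
DISCOUNT_THRESHOLD = 0.75      # below 75% of retail counts as too cheap


def account_age_days(listing: Listing, today: date) -> int:
    return (today - listing.account_opened).days


def retail_value(capsules: int) -> float:
    return capsules * RETAIL_PER_CAPSULE_USD


def is_suspicious(listing: Listing, capsules: int, today: date) -> bool:
    """The speaker's three criteria plus the price check, all required."""
    sells_target = "nespresso" in listing.title.lower()
    brand_new = account_age_days(listing, today) <= MAX_ACCOUNT_AGE_DAYS
    no_history = listing.feedback_count <= MAX_FEEDBACK
    too_cheap = listing.price_usd < DISCOUNT_THRESHOLD * retail_value(capsules)
    return sells_target and brand_new and no_history and too_cheap


def cluster_by_reuse(listings):
    """Group sellers that share an image URL or identical description text.

    Returns {("image"|"text", value): sorted sellers} only for values shared
    by more than one seller, the copy-paste laziness the talk relied on.
    """
    by_key = defaultdict(set)
    for item in listings:
        by_key[("image", item.image_url)].add(item.seller)
        by_key[("text", item.description.strip().lower())].add(item.seller)
    return {k: sorted(v) for k, v in by_key.items() if len(v) > 1}


def triage(listings, capsules=200, today=date(2019, 8, 1)):
    """Return (flagged listings, reuse clusters among the flagged ones)."""
    flagged = [item for item in listings if is_suspicious(item, capsules, today)]
    return flagged, cluster_by_reuse(flagged)


# Constructed sample feed, as a daily saved-search report might contain.
SAMPLE_LISTINGS = [
    Listing("sue_chi_2019", date(2019, 7, 20), 0,
            "200 Nespresso OriginalLine capsules", 99.0,
            "https://img.example/pods_a.jpg", "200 genuine capsules, fast ship!"),
    Listing("coffee_deals_88", date(2019, 7, 26), 0,
            "Nespresso capsules x200 assorted", 99.0,
            "https://img.example/pods_a.jpg", "200 genuine capsules, fast ship!"),
    Listing("longtime_roaster", date(2012, 3, 4), 1842,
            "Nespresso capsules 200 count", 135.0,
            "https://img.example/roaster.jpg", "Shop overstock, sealed sleeves."),
    Listing("new_but_honest", date(2019, 7, 28), 0,
            "Nespresso capsules 200 count", 138.0,
            "https://img.example/honest.jpg", "Gift I cannot use, unopened."),
    Listing("gadget_guy", date(2019, 7, 29), 0,
            "Bluetooth speaker", 20.0,
            "https://img.example/spk.jpg", "Like new."),
]

if __name__ == "__main__":
    flagged, clusters = triage(SAMPLE_LISTINGS)
    for item in flagged:
        print(f"SUSPICIOUS {item.seller}: ${item.price_usd:.0f} "
              f"vs retail ${retail_value(200):.0f}")
    for (kind, _), sellers in clusters.items():
        print(f"shared {kind} across: {', '.join(sellers)}")
```

A new seller with zero feedback asking close to retail is not flagged; the price gap is what separates a legitimate newcomer from a listing whose seller does not own the goods. The reuse clusters are the part worth acting on, since a shared image or description across accounts opened days apart is what let the speaker tie separate accounts to one operation.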
Fascinating.
I came across something similar looking on Amazon the other day.
There was this new 3rd party seller selling high end tech products (printers/monitors/DJ equipment) for insane discounts, around the 50% mark. (Even Amazon was pushing this to me as a bargain to look out for, as I had some items on a watch list.)
However, after "buying" the equipment for the nice deal I go to the seller's page and see in broken English a request to first contact the seller via a (non-Amazon) email.
To make sure that the item was good to ship at that moment.
After this I get a mail back from this seller requesting me to pay before a deadline (2 days) through a direct bank transfer (outside of Amazon's financial system). Meanwhile the official bank transfer that I made during the "buy on Amazon" part of the purchase was still listed as "reserved" on my bank account but never actually got transferred through to Amazon.
This is where I backed out and canceled the order and cut all comms with the seller. The page where they required me to do the payment a 2nd time looked like the same styling Amazon was using, but elements like purchase ID numbers and URLs were all not matching an official email from Amazon.
However, now I am thinking this might have been a similar case, where I "pay" the scammers directly, they order the item, then the scammers use legitimate ways with stolen cards to ship the item to me (hopefully while canceling the reserved official transaction).
The other option would be that they would take my direct transferred cash, cancel the order and vanish (or worse, take both the official Amazon payment and the direct transfer payment), and I would be left without any help from Amazon since the money got paid outside of their payment systems.
Did anyone else ever come across this kind of "scam" before, and would you think I was at risk of losing the money if I was to comply with their demands? (Or would I just have gotten a crazy good deal on something while turning into a money mule for these guys?)
Yeah eBay kinda sucks if you don't know how to allow listings to only be purchased by high feedback sellers. I sold my laptop on eBay like 6 months ago and some guy with 0 feedback won it and was doing the same thing where he wanted me to communicate outside of eBay and was in a huge rush for me to send the laptop even though I had not received any money. I contacted eBay and they showed me how to make listings only buyable with high feedback users and had no issues after that. It amazes me how huge scams and credit card fraud are nowadays.
Just a PSA that being a money mule is not as much of a win as it may sound, because on record you are the one receiving goods at your home address that were purchased with stolen credit cards.
Someone please let me know if I have this right:
A thief gets hold of someone's credit card information. The thief sets up an eBay account and sells item X for 50% of what it costs anywhere else.
People go on eBay, see the great deal, and buy it for 50% of the normal price. The thief then uses the stolen credit card info to purchase the item at normal price from the retailer and sends it to the eBay buyer.
The eBay buyer receives the product at half price. The retailer receives normal price. The stolen credit card owner paid the retailer full price. And the thief received the half price, all while remaining relatively anonymous.
Interesting, but it seemed like she knew exactly what happened the first time. She didn’t gain much from the other two orders, besides the cancellation message.
In the end she was charging some victims of identity theft over $900, and she seemed to know that.
I found sellers doing this with computer parts in late 2018. They were selling high end parts for a lot less than anyone else and they all were using the same photo and they all had zero feedback. I thought it was just a scam where you get an empty package but now I'm thinking it was probably this.
Funny how she is giving away the Nespresso... but not the frother.
Great presentation!
I found this to be awesomely inspiring