I just got owned.

by Chris Meidinger

What’s the most embarrassing thing that could happen to someone in the anti-fraud business? For me, it’s definitely surrendering your credit card details to a scammer. Yeah. That just happened.

Embarrassing, but rather than put my tail between my legs and run away I thought I’d use the opportunity to examine the experience and to remind myself to stay hyper-vigilant. Additionally, October is National Cyber Security Awareness Month, so it seems only fitting that I share this story with you.

So what happened?

I’m a huge Buffalo Bills fan. I’ve mentioned it before here on the blog, but I grew up in the 80′s. At the time, the Bills were going from back-to-back 2-14 seasons to making it to four straight Super Bowls. They never won one, and I’ll still physically cringe if you say “Wide Right” near me, but hey, being a Bills fan builds character. I’ve been wanting to get a custom Bruce Smith jersey for a while, and with the Bills looking like they might be relevant past Week 8 this year, I thought I’d finally go ahead and do it. I didn’t want to have Bruce’s name on the modern jersey the team wears today, so I asked The Oracle who would sell a “custom bills throwback jersey” to me. The fifth Google result was this and it looked pretty legit. In fact, it didn’t ring any alarm bells with me and I didn’t even actively consider whether it might be fraud. (I purposefully gave you the real link there. Go ahead and click around on the site. Would you order from them?)

At the end of a very legit seeming order process, having put in my card data, I got this weird “Order not honored. Please pay again.” message when I tried to confirm the purchase. Oh crap. Alarm bells, plenty of them. I had been confused about why the site had two radio buttons to pay by credit card. Poking around a bit I found a connection to sslcreditpay.com. Oh crappity crap. Brian Krebs wrote about them back in June. Unlike some he wrote about, the deal wasn’t “too good to be true” necessarily, as I thought $90 was reasonable for the article I was trying to buy.

Looking at the failed transaction I can’t necessarily tell whether my card number was actually harvested or whether they really tried a transaction which was not “honored” by some payments processor. I can’t imagine the card was actually declined unless the website itself has been blocked by the card processor. Either way, this card was burned and I was on the phone to Chase to cancel it. (Strangely enough, I couldn’t find a way to report a card lost or stolen on the Chase website, but the phone system I used was completely automated and I never spoke to a person. It reminded me of an interesting BlackHat talk I saw this year, on the Lifecycle of a Phone Fraudster. Their paper is here. I wonder if Chase is better able to detect possible card replacement fraud with the phone element than with just the website?)

Ok, anyway, at least I figured it out quickly before there were any fraudulent charges to dispute. So how many warning signs did I miss?

Warning 1: No SSL. (Yeah. No kidding.) But honestly, even if you’re a security person like I am, do you really really truly truly check SSL on every single transaction you make on the web? Be honest. I’d like to say I do, but it’s not fact. I’ve grown complacent as retailers have gotten better.

I didn’t notice that the lock icon and https:// was missing.

Warning 2: Odd page formatting. How often have you seen something like this on a totally legitimate site?

I know I have, on a somewhat regular basis. The infinite number of browser version and plugin combinations make it virtually impossible for every site to render correctly in every browser. It’s not a big deal when it happens on Ticketmaster because I know them and I trust them, but it ought to be a warning sign on some generic site like this.

Warning 3: They didn’t take Paypal. Ok. Now it’s getting embarrassing, but I’m going to slog through this. I generally use Paypal when I can for merchants from whom I don’t buy regularly, and it’s available everywhere. But. They did take. Western Union. Yeah. I know.

Here, at the latest, I should have been running for the hills. It’s not that I ignored these warnings, I just wasn’t paying attention. They were there for me but I didn’t see them. I was multitasking, responding to email, writing text messages, responding to twitter, the things people do these days.

Warning 4: Too many fake security icons. This should have been a red flag, but I wasn't looking for it.

Warning 5: Domain name doesn't match shop name.

This is a much more minor point, but I should have picked up on it as well. I assumed that "lehightsc" meant something else and that I was just in the "NFL Shop" section of their site. Not so, nowhere does the domain name appear to have much to do with the contents.

The lesson I’m going to take out of this personally is to be a bit less cavalier with my cards. Any time there’s a credit card involved don’t just click through 1password to insert a card number and go, but think about whether the place you’re putting your card number is really a good place to put it. On the other hand, professionally, geez. I do cybersecurity all day, make a stupid mistake, and burn a card – no biggie. But what a hard world this is for the non-technical user! I can berate myself for missing the warning signs above, but we can’t really all expect our aunts, uncles, grandparents and other regular users to pick up on those kinds of warning signs. We have to keep getting better with technical solutions. Obviously, DMARC is a technical solution that prevents the user from ever having the opportunity to make a mistake via email, but we need to extend that model to other areas of online commerce better and faster.

One last note: am I sure this is a scammer? Pretty sure. Over at Scamadviser they say it looks safe, but I’m disinclined to trust the site. They take my card data over HTTP, don’t tell me to retry the transaction but rather tell to “Pay again.”, have two payment processors with no differentiation on the website, don’t take Paypal, etc. I never should have put my card in there, regardless of whether I might have gotten some cheap knockoff sports apparel in the end. Never.