Throughout November 2008 we received some 30-odd purchases of our Benign software through a single affiliate.
Affiliate programs like ours give sellers a percentage of each sale, so people with their own website can promote products and earn a commission.
However, as we generally give our Benign program away for free to people who upgrade from MailWasher Free to MailWasher Pro (though it can still be purchased), these sales through one affiliate with no known promotion were unusual for this time period. Whilst that in itself isn't a smoking gun, it most certainly raises our collective eyebrows when we get a chargeback for one of these sales.
A chargeback, if you don't know, is when a payment is reversed by the consumer or by the bank that issued the card; this is common when a credit card has been used fraudulently.
Upon receiving a chargeback from a victim whose credit card had been misused in this manner, we took a look at the affiliate involved and what was going on, then promptly refunded all the other transactions to avoid any further problems.
We aren’t the kind of people to just hold on to information we have, so we’ll share the scammy love, as I’m sure there are a few other companies possibly being taken by this person.
First off, the affiliate website is http://www.onlythebestsoft.net/
A look at the website details shows it as being hosted in the United States, with the Registrant also showing as being in the United States.
The full WhoIs data reads as follows; note the web host as being www.your-site.com
This Registrant information could easily be bogus.
William Culp Jr
2208 Bay St
Beaufort, Sc 29902
Domain name: ONLYTHEBESTSOFT.NET
Jr, William email@example.com
2208 Bay St
Beaufort, Sc 29902
Hostmaster, Your-Site firstname.lastname@example.org
16 Maple Street
P.O. Box 963
Hinsdale, MA 01235
413-499-6690 Fax: 413-499-4504
Registration Service Provider:
This company may be contacted for domain login/passwords and general domain support questions. Phone support available Monday - Friday 9am - 6pm EST.
Registrar of Record: TUCOWS, INC.
Record last updated on 06-Feb-2008.
Record expires on 06-Feb-2009.
Record created on 06-Feb-2008.
If we dig deeper we can confirm that William Culp Jr exists at that address; in fact he just hosted a BBQ for the Heritage Society of Beaufort. I hope that went well, Bill, I always liked a good BBQ.
However, International Numbering Plans tells us the phone number given in the WhoIs record is a New Mexico number, not South Carolina as stated for the address.
A message sent to the Juno email address given in the WhoIs has also not yet been replied to.
We assume from this that the name and address were stolen from an innocent party, in this case William Culp Jr.
A Google search of the domain name "onlythebestsoft.net" revealed essentially no results, which makes the situation even more unusual: if the website were successful enough to draw sales, it should have a stronger web presence.
When comparing the above information to the data we received at affiliate signup, they do not appear to match; the signup instead gives the name Hermansyah and an Australian address, as shown. We should note that Australia was most likely chosen as a filler country, as Firetrust does not accept Indonesian affiliates (too many scammers). Here are the details that this person gave when signing up to our affiliate program.
On the 24th of November we sent 'Hermansyah'...or maybe it's 'Herman Syah' an email notifying them of suspicious activity, and that their account would be suspended while an investigation was completed, to which we received this reply from email@example.com
I don't know about fraudulent activity, just promote your product. If you have chargeback or refund, its normally. Ok, I stop to promote your product until this case clearly. I await the complete report out of you, how much my sales, chargeback, refund, and totally my earning commission. Often happened owner software closing account of member affiliate with the reason fraud in order not to pay for commission. I hope that non you. Hopefully you can esteem the service affiliate / webmaster which have strained after to promote yours product.
Quoting Nick Bolton :
> Hi brillian
> Your affiliate account with Firetrust has been stopped due to an investigation in to fraudulent activity. If we find fraudulent activity has
> occurred your earnings will be forfeited and your account deleted.
> We will let you know the results of the investigation in a few days.
> Nick Bolton
A look into the header of that email shows the following lines of interest. Note that email headers read with the most recent items/actions at the top, so the bottom line is the first route the email took.
Received : from localhost (b512 [127.0.0.1]) by 5012.user.mail.your-site.com (Postfix) with ESMTP id 6EBDB4ECDB for (firstname.lastname@example.org); Tue, 25 Nov 2008 01:43:48 -0500 (EST)
Received : from 184.108.40.206 ([220.127.116.11]) by webmail.onlythebestsoft.net (Horde MIME library) with HTTP; Tue, 25 Nov 2008 01:43:48 -0500
The rest of the email header shows typical routing information. A look at the IP address 18.104.22.168 tells us that it is in fact an Indonesian IP address connecting to the webmail account at webmail.onlythebestsoft.net
ISP: T. Telekomunikasi Selular (Telkomsel)
Organization: T. Telekomunikasi Selular (Telkomsel)
So in effect, an Indonesian IP address from the ISP www.telkomsel.com connected to a webmail account at http://webmail.onlythebestsoft.net, which is provided by the host www.your-site.com.
To delay Hermansyah some more, we emailed him telling him his account would be closed for 96 hours while an investigation took place, though we did imply that nothing looked out of the ordinary. His response to this was the following.
I want know report investigation about my account. When my account reactivated?
Quoting Chris Gleason :
> Hi Hermansyah
> Just to let you know we are continuing our investigation, however at
> this point nothing appears out of the ordinary, so your account will
> most likely be reactivated soon.
> In any situation where we investigate an affiliate we have a policy of
> holding accounts for 96 hours before we do reactivate them, so it will
> be in a few days time. Apologies for any problem this causes.
> Your promotion went reasonably well, it was about in line with what we
> expect with sales for Benign. Did you do any promotion beyond
> advertising on your website as we could probably find ways to improve
> your sales.
> Chris Gleason
> Internet Brand Justice and Safety Department
> Firetrust Limited
His response to this carried the following email header.
Received : from localhost (unknown [10.1.5.11]) (Authenticated sender: email@example.com) by 5011.user.mail.your-site.com (Postfix) with ESMTP id 12E584EC35 for
Received : from 22.214.171.124 ([126.96.36.199]) by webmail.onlythebestsoft.net (Horde MIME library) with HTTP; Mon, 01 Dec 2008 02:11:16 -0500
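The header reading done twice above (find the bottom-most Received line, skip the localhost and 10.x hops the webmail host adds, and take the address of the Horde session) can be automated. This is an added example, not Firetrust's code; the hostnames and IPs in the sample message are constructed placeholders modelled on the headers quoted in this post.

```python
import ipaddress
import re
from email import message_from_string

# Loopback and RFC 1918 space never identify a remote sender. Checked explicitly
# (not via is_global) so the RFC 5737 documentation IPs below count as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IPV4_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")

# Constructed sample modelled on the headers quoted in the post (hostnames and
# IPs are placeholders). Top: our MX taking the mail from the host's relay.
# Bottom: the Horde webmail session, which is the hop that exposes the sender.
SAMPLE_MESSAGE = """\
Received: from relay.user.mail.example.com (relay.user.mail.example.com [198.51.100.9])
\tby mx.example.org (Postfix) with ESMTP id 0A1B2C3D4E
\tfor <abuse@example.org>; Mon, 01 Dec 2008 02:11:20 -0500 (EST)
Received: from localhost (unknown [10.1.5.11]) (Authenticated sender: user@example.net)
\tby relay.user.mail.example.com (Postfix) with ESMTP id 12E584EC35
\tfor <abuse@example.org>; Mon, 01 Dec 2008 02:11:17 -0500 (EST)
Received: from 203.0.113.77 ([203.0.113.77]) by webmail.example.net
\t(Horde MIME library) with HTTP; Mon, 01 Dec 2008 02:11:16 -0500
"""

def received_hops(raw_message):
    """Received headers oldest-first: the bottom line of the header block is the
    hop nearest the sender, so the top-down order is reversed."""
    return list(reversed(message_from_string(raw_message).get_all("Received", [])))

def external_ips(raw_message):
    """Per hop, oldest first: the first non-internal IPv4 literal in that hop,
    or None when the hop names only loopback/private addresses."""
    result = []
    for hop in received_hops(raw_message):
        found = None
        for literal in IPV4_RE.findall(hop):
            try:
                addr = ipaddress.ip_address(literal)
            except ValueError:
                continue  # e.g. 999.1.1.1 matches the regex but is not an address
            if not any(addr in net for net in INTERNAL_NETS):
                found = str(addr)
                break
        result.append(found)
    return result

def originating_ip(raw_message):
    """Earliest external address in the chain, i.e. where the webmail login came
    from. Trust only hops written by servers you know: a sender can forge lines below them."""
    return next((ip for ip in external_ips(raw_message) if ip), None)
```

Reading the same chain top-down would hand you the hosting company's relay address instead of the session address, which is exactly the mistake the bottom-first rule avoids.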
Through contact with SpyZooka, another software program he was selling on his website, we obtained a further IP address, 188.8.131.52, which was shown as the last logged-in IP for his SpyZooka affiliate account.
The IP address 184.108.40.206 again goes back to the same Indonesian ISP mentioned earlier, but it differs from the IP shown in the email header. This implies he is not on a static IP, perhaps a dial-up user, or that he is logging on from multiple access points (internet cafes, libraries etc.); this could really only be confirmed by the Indonesian ISP.
When we contacted SpyZooka to warn them that this affiliate was a likely scammer, we got a helpful reply that included a W8 form. There is an address on this form, and as SpyZooka only mails checks to new affiliates to prevent fraud, we assume the scammer has some kind of physical access to this address.
Let’s write that address out in plain text, so it’s more search engine friendly.
JL.KH.Agus Salim GG.Sawo 3 No.51 RT.002 RW.07 Poris Plawad Cipondoh
Tangerang, Banten 15141, Indonesia
Though not documented here, we have investigated many of the 30 sales. All the ones we looked at came from United States IP addresses, and all were different. However, digging deeper, these IP addresses match known open proxies, so with a quick alteration to his browser setup his true location is hidden behind them.
When we look at the Indonesian IPs, we can find no evidence that they are open proxies, and we suspect he failed to cover his tracks when accessing his webmail and logging on to his affiliate account. I suspect he would be making the same mistake when accessing his Gmail, webmail and web hosting accounts.
Anyway, we hope this helps anyone else that might be getting scammed. We’ll be sure to send this data to all the relevant email providers, web hosts, and other affiliates he was signed up with so they too can investigate his accounts. (Listed below).
We would also like to advise scammers: please continue to purchase software that's generally free from us, please continue to use open proxies that are readily found in Google, please continue to give blatantly false information, and make no effort to hide your tracks properly.
http://www.gamefiesta.com - Already disabled
http://www.spyzooka.com - Already aware