Online Scams: Puppies for Sale or Are They? Probably not! Buyer Beware & Read This before buying a Puppy Online.

Email Address: Your Internet Driver’s License

First things first. We all need an email address in order to do anything meaningful on the the web. You do and the bad guys do too! I would go as far to say that an email address closest thing we have to a driver’s license on the internet today. Without an email address, you are on a read only version of the internet with no way to interact with with world.

By Federal law, you’re not allowed to have an email address until you’re at least 13 years old. This is specified in the FCC’s Children’s Internet Protection Act (CIPA). I often have to advise my clients on these types of issues when deciding who can legally register on a website.

An email address allows you to register on websites by validating your email address. An email address / IP address combo is the easiest and most cost effective way to provide a first pass at knowing who your customers are online.

At least we are supposed to expect that they are at least 13 years old because Google and Yahoo must check this for every email account, right? LOL! This will be important to the story below.

Blue French Bulldog Puppies For Sale or Are They?

First off, let me start by saying you should read this article which is a case study on the Anatomy of a Puppy Scam by Rae Wondersmith. A great primer on the subject!

Next, I will be hiding identity of the suspected scammer while disclosing enough details to be helpful in the analysis of the individual and the patterns observed.

The data I’m sharing comes from anti-fraud systems I’ve designed that are working in production on what I’m hoping will eventually become a popular website for local classified advertising. Maybe I’ll reveal the name of the site at the end of this article.

Blue French Bulldog  Puppies for Sale

Pic of Puppies uploaded by the Scammer

On 11/30/2020 a suspected Puppy Ad Scammer created four (4) accounts in four (4) different cities in a very short period of time.

Three of the accounts came from one ComCast Cable IP in Salem Oregon which matched one of the advertisements which did not raise a red flag initially.

They kept creating new accounts for various cities and creating a single ad for the same dog breed for each account. They targeted Salem Oregon, Kalamazoo, Boston and Lansing.

Then they posted again but IP switched from Oregon Comcast to Verizon Fios in Virginia but anti-fraud tools I built help me see it is indeed the same person registering again from same browser even though the IP had changed. I’m not sure if they are using some sort of VPN to shift the IP / Location.

I know it says “Email NOT VERIFIED” in the screenshots below but they are. I had added an email ban to the system and it reflects back on this view as NOT VERIFIED but they were. The email verification process data sits in its own database table. I collect the IP addresses from the user at start and finish of the email validation process.

I can also see the email exchange in the email server logs files which I also check daily. All of this data can be verified by looking at several system logs.

Connecting Accounts Created by Same Person on Earlier Sessions

Going back thru recent account creations I see another account matching one of the scammers email.

Observations & Fraud Patterns

Broken English or poor grammar.

Example: Breath Taken Blue French Bulldog Puppies Ready Now To GO

Notice poor grammar of Breath Taking as Breath Taken there are other examples through out the text

Phone numbers used

240 Maryland Area code in the phone number used and same phone number using in most of the ads.

Phone number was not used on all of the ads posted by this scammer

Unique Account details repeated

Same password was used on all of the accounts!

This is proprietary but yes, all accounts used the same password.

More Analysis

So far this is what I think I have and is subject to change if new data overrides this.

  • User is probably not native English speaker but may be located physically inside the US.
  • Has methods to change IP via VPN or access to computers in those cities via nefarious methods (hack) in order to hide their real IP address.
  • Its is very easy to create email accounts. This person has many email addresses and personas ready to use or creates them easily and often.
  • Only targeted one breed so far

Raw Data for Analysts

In order to help analysts and law enforcement, below are the actual ad text used in the scam advertisements.

Scam Ad for Puppies #1

Much love we have for them, we are really proud to find them a good pet loving home where they will be spoiled with much love and care. they are home raised, well fed, vet checked, vaccinated and had their first shots, update on shot and dewormed, all in good health and will come with paper we have 240) 242-7140

Suspected Scammer using email address marksmille56@gmail.com for ad posted in Kalamazoo.

Scam Ad for Puppies #2

Akc registered frenchie puppies ready for x-mas ! all shots are up to date. They have already taken flea and tick dose. They have beautiful coatings, are strong,text me (240) 242-7140 for more info

Suspected scammer using email address louisesteel259@gmail.com from ad posted in Boston Mass.

Scam Ad for Puppies #3

We are proud to find a good pet loving home for our cuties. We have lovely, young, pretty healthy males and females available now for a new home. they are home raised, well fed, vet checked, vaccinated and had their first shots, update on shot and dewormed, all in good health and will come with papers. you can contact now for more details

Suspect scammer using email address randyruy71@gmail.com from ad posted in Oregon City, Oregon.

Conclusion

The internet is still the wild wild west and most people don’t understand how it works or how the bad guys use it to take advantage of us.

The above example shows just how hard it is for anyone trying to validate and vet an online user as they create multiple accounts and post data.

I hope the information I’ve provided on this subject is helpful in any research you may be doing on the subject as I expect those would be the only people reading the article down this far.

~Cheers & Happy Hunting!

~Cyber Abyss

Improve Your Developer Skills by Reading Bug Bounty Reports

I’m a professional software developer who likes to dabble in hacking.

I recently started spending time seeking out information security enthusiasts and hacking professionals who publish reports on their bug bounty work.

If you’re not familiar with bug bounties, the simplest explanation is someone putting up a prize or bounty for bugs found on a specific application / website.

Most of the time, bug bounties are official events where you register and are given guidelines in order to collect the bounty and that typically includes a good write up or report on how your discovered and exploited the bug and what type of bug it would be classifieds in to, like a “reflected XSS” cross-site scripting bug.

I’m going to use this bug discovery report from Vedant Tekale also known as “@Vegeta” on Twitter as an excellent bug bounty type of report where you can see the steps a hacker / attacker or bug bounty hunter would take to see if your website has a vulnerability that can be exploited.

As a software developer interested in creating secure applications for our users, we should always be aware of what tactics and techniques a bad actor might use against the products and features we are building.

Vedant’s write up is basically a step by step of what hackers would be looking for. First, look for bugs like XSS, open redirect, server-side request forgery (SSRF), Insecure direct object references (IDOR) but they found nothing.

With persistence, Vedant kept at it and found a bug in the password reset functionality where the password was reset feature was resetting the password to a brand new password on every forgot password attempt.

Also, rate limiting seemed to be missing as 88 password reset attempts went unchallenged so we guessing there was no rate limiting at all.

As a developer with a focus on security, I highly recommend adding reading bug bounty reports to your professional reading list. It will be a big eye opener for you if you’ve never tried hacking a web application before.

I’m on day 5 of chemo treatment for skin cancer and I think this is all I have in the tank tonight but I’m glad I got this blog post out before I have to put another round of chemo on my face for the night. It’s not pleasant. :-\

Hope this helps somebody. 😉
~CyberAbyss