General Cycling Discussion - Escrow fraud - crafty internet scammers

Bikeforums.net is a forum about nothing but bikes. Our community can help you find information about hard-to-find and localized information like bicycle tours, specialties like where in your area to have your recumbent bike serviced, or what are the best bicycle tires and seats for the activities you use your bike for.




RandyMcD
07-16-04, 01:11 PM
Crafty scammers these days...

I was checking internet classifieds for a new bike when I found a too-good-to-be-true deal on a Trek 5900. I inquired about it, and asked for various pictures to see if the "seller" actually owned the bike. I got the pictures I requested, and the seller offered to go through an escrow service for safety. Then he sends me a link to something other than escrow.com (which I've used before, and recommend). I followed the link, and it became obvious it was a fake escrow site. No secure protocol, it was easy to defeat the login system, and their VeriSign link was a forgery. Upon investigation, I discovered the domain name for the site had been registered less than 2 weeks ago.

I offered to make the drive to come see the bike in person and pay in cash - just to hear the reason that would not be possible, and that was the last I heard from him.

Just a warning - this guy may have actually had the bike, so he could answer any questions about it and provide any special photos requested. The fake escrow site looked very professional, and I imagine the untrained eye could very easily fall for its false sense of security.

Any time you buy something online, the only escrow service I would ever recommend is escrow.com, but cash in person is much better.


PS - I submitted the site and emails to the FBI tip line.


Moistfly
07-16-04, 01:13 PM
Might want to post the fake escrow site here also?

RandyMcD
07-16-04, 01:16 PM
etrade-escrow.com

But keep in mind, they come and go all the time.

I should also mention that it's possible for someone to code an HTML link into an email so it looks like you're clicking a link to one site, but it's actually taking you elsewhere. It's a very popular tactic for people hijacking eBay accounts. The site the bum link takes you to emulates an eBay interface in every way - but it's not actually an eBay server. eBay will NEVER email you and ask you to "update" your account information.


townandcountry
07-16-04, 03:52 PM
Thanks for the tip. Another reason why I don't buy on-line.

pitboss
07-16-04, 04:51 PM
it was easy to defeat the login system ... Upon investigation, I discovered the domain name for the site had been registered less than 2 weeks ago.
1. how were you able to defeat the login system? That might help others from falling prey to possible, passable fakes.
2. how did you determine the 'age' of the site?

cheers

supcom
07-16-04, 04:55 PM
Flag #1 - "too-good-to-be-true". A deal that is well below the normal market value almost always has a catch. Either it's a scam or you don't have all the information.

Flag #2 - Seller recommends an escrow service - usually with some lame reason why he doesn't want to use a well-known escrow service. Never, ever, ever use an escrow service recommended by the seller unless you personally know that the service is legit.

Glad to see that you caught on before you lost your money.

RandyMcD
07-16-04, 05:54 PM
1. how were you able to defeat the login system? That might help others from falling prey to possible, passable fakes.
2. how did you determine the 'age' of the site?

cheers

The password system is embedded into the HTML of the site. If you click on the "sign-in" button without providing a username/password, there is no verification that you entered anything at all. It takes you to a control panel. You can't do anything from there without a username or password, but the lack of security thus far was enough to spark interest. A "secure" site wouldn't allow you this far, and you wouldn't be able to see how the logins were verified by looking at source code.

A clever Google search would reveal how to do what I did next, but I don't want to share it due to its possible malicious uses.

Long story short, I found their admin control panel, and it was not password protected. Then it's just a matter of viewing the usernames and passwords already existing in the database (of which there were not many), or creating my own set.

It all could have just been VERY poor web design, but it was most likely just meant to look real, and not actually be tested to that extent.

It really wasn't necessary in the long run, because the lack of HTTPS and the fake VeriSign was enough. It does make for an evening of entertainment, though. :)

The fake VeriSign link looked to be real, until you view the properties of the "verification" page that pops up when you click it (typically viewable with a right-click if the address bar isn't visible). A real verification page comes from verisign.com's servers, NOT the site in question. That was the immediate giveaway.

The age of the site can be determined with a simple "whois" lookup. www.internic.com provides "whois" lookups. Just type in a domain name and you'll be able to see what company acted as registrar for the end client. They should also list that particular company's own "whois" server. By going to the registrar's "whois" server and typing in the domain name, they will reveal the date the domain was first created, last modified, when it will expire, and the name and address of the administrator (typically the name on the credit card that registered the domain). Mind you, these can be filled in with whatever the end user wants, so it's not solid evidence against identity, but will tell you exactly when the domain was created.
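The two-step whois check described in the post above (find the registrar's whois server, then read the creation date from its reply) can be scripted. This is an added example, not part of the original thread: it works on saved whois replies and flags a domain registered fewer than `threshold_days` ago. The replies, the domain name and the 30-day threshold are constructed assumptions, and field labels vary between registrars.

```python
import re
from datetime import date, datetime

# Constructed replies for a made-up domain; not real registry data.
REGISTRY_REPLY = """\
   Domain Name: ESCROW-SITE.EXAMPLE
   Registrar: Example Registrar, Inc.
   Whois Server: whois.registrar.example
"""
REGISTRAR_REPLY = """\
Domain Name: escrow-site.example
Created On: 2004-07-05T14:22:10Z
Last Updated On: 2004-07-06T09:00:00Z
Expiration Date: 2005-07-05T14:22:10Z
Admin Name: (free text chosen by the registrant)
"""

# Label spellings vary between registrars; these are common ones.
CREATED_LABELS = ("creation date", "created on", "created")
REFERRAL_LABELS = ("registrar whois server", "whois server")
DATE_FORMATS = ("%Y-%m-%d", "%d-%b-%Y", "%Y.%m.%d")

def whois_fields(text):
    """Map lower-cased 'label: value' lines to the first value seen."""
    fields = {}
    for line in text.splitlines():
        label, sep, value = line.partition(":")
        if sep and value.strip():
            fields.setdefault(label.strip().lower(), value.strip())
    return fields

def first_field(text, labels):
    fields = whois_fields(text)
    return next((fields[name] for name in labels if name in fields), None)

def creation_date(text):
    """Return the creation date, or None if it is absent or unparseable."""
    raw = first_field(text, CREATED_LABELS)
    if raw is None:
        return None
    raw = re.split(r"[T ](?=\d{2}:)", raw)[0]  # drop any time-of-day part
    for fmt in DATE_FORMATS:
        try:
            return datetime.strptime(raw, fmt).date()
        except ValueError:
            continue
    return None

def is_recently_registered(text, today, threshold_days=30):
    created = creation_date(text)
    return created is not None and (today - created).days < threshold_days
```

`first_field(REGISTRY_REPLY, REFERRAL_LABELS)` gives the server to query next. A missing or unparseable creation date returns `None` rather than being treated as old, so the caller can handle that case separately.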

Chris L
07-16-04, 08:11 PM
Thanks for the tip. Another reason why I don't buy on-line.

I've bought things on-line before, but never from a private seller. I will only deal with reputable companies that have been around for at least a few years. There are just too many things that can go wrong buying second-hand goods on-line, sight unseen.