I know, they don’t look like shoes, but work with me here.
The Internet has always been kind of an Electronic Wild, Wild West.
The Coronavirus Pandemic, however, has taken things to an entirely new level.
Cybercrime is not a lazy man’s way of making a living.
However, given the toxic combination of a lack of other legitimate ways of earning one’s keep, some technical talent, and a total lack of any moral values, cybercrime can allow the generation of significant amounts of revenue with a minimum of actual underlying cost.
Traditionally, parts of the world with systemic structural economic issues have had thriving Internet fraud industries. You can probably create much of the list without exerting yourself too hard – Nigerian Princes, Unclaimed Estate Fund and National Lottery Scams from a whole slew of African nations, Russian Erectile Dysfunction Drug Operations, and the Macedonian Fake News machine that helped to swing public opinion during the US’s last presidential election cycle.
Everything changes, though, when a global disease pandemic creates a global economic implosion that has no parallel in modern, connected times.
Multiple Information Security Threat Intelligence services and specialty journalists have provided evidence for an explosion of Internet Fraud Activity – growing by several levels of magnitude – across the past six months of the coronavirus epidemic. This makes a certain twisted sense in that the rise of illegitimate businesses correlates directly to a corresponding decline in the prospects of legitimate businesses.
What does this look like on a practical, tactical level, though?
I’ll freely admit to being a geek. My favorite footwear are waterproof, elastic sandals made by Keen. Being a geek means I am not afraid to wear mine with socks. This combo provides fantastic comfort, great traction, marvelous breathability, good support, and pretty reasonable service life. I have no commercial relationship with the company other than being a satisfied customer.
Two months or so ago, my wife asked me if I needed another pair of sandals. She had seen an ad on Facebook. Facebook – a major American media company who, theoretically anyway, shouldn’t be a conduit directly to Internet criminals. Everything about the ads looked completely legit – there was a complete and accurate web site, with a complete and accurate product catalog, right down to colors and astute sizing guidance – “sandals run small” – and use of copyrighted trademarks. They’d even hit the sweet spot on pricing where it was low enough to be really compelling but not so low as to be completely unbelievable.
With some tiny feelings of concern, she placed the order.
My cel phone went off almost immediately – first text, then voice. Not a good sign.
It was my credit card provider – wanting to know if we had placed this order because their fraud detection AI had flagged it. I indicated to the Rep on the phone that we had indeed placed this order, but wanted to know if they believed that the merchant in question would not provide the product. The Rep would not share any information on context, and I agreed to allow them a chance to fulfill the order.
That, of course, was another mistake.
I recently had someone direct me to a gag from the Television show, Portlandia, called ‘Instant Garbage’, about a purveyor of cut rate products who had figured out the ‘Perfect Intersection of Price and Hassle’ – just enough to be worth ripping you off for, and not so much that you’d work to get your money back. My new nemesis — Amcor Promuove Yunnan Chn – had taken this concept to the next level. Everything about the next two months was designed to push things just as far as they could go – but no further – in the hope that time and hassle would eventually result in getting to keep my money for nothing (or close to nothing) in return.
Four days after placing the online order, my wife got a fairly standard-looking order acceptance e-mail. Standard looking, but with no contact information or way to respond. The e-mail indicated that a shipping notice could be expected to follow in 5 to 7 business days.
On the seventh business day, a text message was received indicating that the order had been fulfilled, and providing a China Post international shipping tracking number. The text message indicated that it would take several days before the shipment would start to update to indicate movement within the shipping system, and that receipt could be expected to take between 15 to 21 business days. On the surface, this communication looked legit, but really, all it was doing was laying out the structure for a series of stalls – add up all the delays and the whole scam was now scheduled at close to 2 months for an online order.
I joked with my wife that I fully expected, upon the remote possibility that we actually received a shipment, that our two pairs of Keen sandals would be in sizes which were appropriate for a Barbie doll.
Surprisingly, as I actively tracked the progress of the shipment, every time I got to the point where I was ready to abandon hope – remember the ‘Instant Garbage Principle’ – I’d get an update indicating that it was in motion again. For example, there is a central ingest point for foreign mail adjacent to Kennedy Airport in New York City. Our shipment sat there for close to 20 days with no status change.
Then, it was in motion again – Newark, NJ – Newark DE – Baltimore, MD – Laurel, MD – Frederick, MD – Back to Baltimore (huh?) and finally ‘Out for Delivery’. I was at my desk when the mailman placed the day’s mail into my mailbox.
I walked down the driveway to the mailbox, and removed that day’s delivery, holding it easily in my right hand.
This wasn’t trending well.
Once inside, I took my kitchen shears to the small padded envelope with the ‘China Post’ markings. Inside was a perfectly wonderful looking, but perfectly awful working set of ‘Ray-Ban Wayfarer’ sunglasses. They were in a lovely case whose material seemed… a little ‘off’. They had the required little optical cloth with the Trademark reproduced …strangely badly. The shades were in a bag printed ‘Made In Italy’, which was strange, for a product that had just arrived via China Post. I wrestled the Shades out of the bag and managed to get the clearly cheap hinges to eventually open to reveal very visible ‘Made in USA’ stampings, which was strange, as the products had just arrived in the USA…via China Post. I pulled the glasses on – and the world disappeared. It wasn’t because these lenses were dark … it’s because they weren’t lenses. The things that sat where lenses would normally be was a piece of translucent plastic … one could see through it, but couldn’t focus on anything. Nothing.
In short, what I had was a set of prop sunglasses – great if you wanted selfies of yourself channeling John Belushi’s Jake Blues, less great if you actually needed to see anything.
Estimated retail value, $1.79, tops. Likely less.
Cheap sunglasses. Nothing at all like 2 pairs of sandals. And worth nothing like the $50 that my mind’s eye saw cheerfully waving me ‘Bye Bye!’.
The fact that something ‘of value’ had exchanged hands meant the scammers could claim they had made ‘a fulfillment mistake’, rather than outright theft. The scammers now also had a known good credit card and address combination – they had traceability on the shades to prove they had gotten there. If they were just gathering accounts for a bigger score later, this was a pretty good way of gathering the data.
I got right on the phone to my credit card provider’s fraud department.
I told them the entire story of the massacree accompanied by 8 by 10 glossy color photographs with a paragraph on the back of each one explaining what each one was (Thanks, Arlo!). We concluded by identifying the account that billed my card as a known fraud operation as their AI had predicted, and that it should be flagged to alert again if it ever tried to hit my account. I suspect that many people will not go through the hassle and aggravation of blocking these guys, so some percentage of accounts will be left unprotected, and any percentage they can tap next time is better than none.
My beloved spouse was predictably incensed. She got right back on her computer and went to Facebook to flag the seller’s page, since Facebook apparently didn’t and doesn’t care if its property was used in the commission of crimes. She searched up a “SCAM! SCAM! SCAM!” meme, complete with video of a spinning red emergency light and audio of the standard nuclear reactor meltdown klaxon.
You know, subtle stuff.
A millisecond after she pressed ‘Post’, the AI at the electronic heart of Facebook detected that she was ‘Engaged’ – she had posted something to a site about discount sandals.
And if she liked that one, she’d probably like another one just like it.
Whereupon her feed instantly produced ANOTHER ad post for another, completely legit looking but subtly different seller of discount Keen sandals.
“Ooooooooh no”. She posted the ‘Scam’ meme a second time.
Really, really engaged. Another Keen Deal.
Meme. Another. Meme. Another. Meme. Another.
The cadence and level of interkeyboard violence kept increasing.
After about the 23rd subtly different discount seller of Keen Sandals was dispatched, I reached over to my wife and took her hand.
“Perhaps you shouldn’t post any more of those.”
We turned the laptop off.
My mind was blown. The scope and scale of these scam e-commerce sites was massive. We’d seen more than 20 different ‘nodes’ in less than 2 minutes – all of them with a full e-commerce catalog and credit card processing facilities — if we’d kept clicking, we’d have seen more until our fingers had cramped. How many credit card/address pairs could such an operation gather? How many $50 pops had they already pocketed? How much funds might they be able to steal if they ran $100 or $500 or $1000 against every account they gathered that way all at once?
Facebook, it seems, rather than being a trusted source, has been weaponized by some unknown and toxic gumbo of criminals and/or hostile state actors.
And I don’t think this is by any means the only such operation, and I don’t think that China is the only country in the world setting up for financial crimes on a heretofore unimagined scale. There has to be a similar explanation for the ‘mystery seed packages’ that are arriving unbidden in all 50 states. Federal authorities have investigations into operations across several former Soviet republics in eastern Europe.
The more pressing our economic collapse becomes, the more compelling this kind of e-crime will become – as a lucrative illegitimate business when legitimate opportunities are diminishing. Our e-commerce infrastructure is apparently easily converted to an e-theft infrastructure.
Be careful out there in the ether – especially with methods of payment. Do business with card providers that have mature and robust fraud prevention capabilities. Your gut is usually right – if something seems off in any way in an online transaction, bail.
Oh, and try and buy your shoes from people you know.