Friday, July 31, 2020

Documenting a Cyber Fraud case - The Customs Price of a Gift

I usually have a good sense for detecting whether a cyber fraud is about to happen, or whether a person is about to fall prey to a sophisticated cyber fraud - provided the person in question contacts me at least in the nick of time. So when a close relative of mine living in another state contacted me last night, casually saying that a Facebook friend of his from London had sent him a big gift with lots of items, alarm bells rang in my head and I immediately told him that it was a fraud. However, for some reason he seemed to ignore me completely and said that the other person had sent him the tracking details. I asked him to share them with me. This is what he sent (personal details - the name and address of the recipient - are masked for privacy reasons).



Now anyone with some familiarity with billing systems will spot obvious issues with this note: different fonts used in various places. The text on the upper right (showing destination and origin) is in white ink - which doesn't exist in the real world ;). Then there are noticeable signs of photoshopping: different coloured ink everywhere; the cursor magnifier in the "screenshot", which actually ought to be a photo; a delivery time given even before the item is delivered - I haven't found a logistics firm that can predict delivery to this accuracy; the missing phone number of the sender, etc. And I haven't seen any legitimate tracking site that tells you exactly what is in the parcel you are supposed to receive - for very obvious reasons.

At this point I was pretty sure this was either a fraud or a trap (that the consignment contained something other than what it claimed). Next I googled "Air Courier Diplomatic" - the "Diplomatic" part rang another bell, due to a recent scandal involving diplomatic courier channels. That threw this up:



Now that link looked legitimate, so I went to their site and entered the tracking ID. That gave an error saying "Invalid tracking number". Another red flag. So I called up my clueless relative and asked if he had actually checked the tracking number - he said yes, and it was real! I asked him to share the tracking URL and he sent me this: http://aircourierexpservice.com
Another red flag - "http"!
But visiting that redirected to an "https" site whose certificate looked OK. The site also looked eerily similar to the result Google had thrown up. I checked the Contact Us page on both and they gave similar addresses somewhere in the UK. Then I checked the tracking number on this second site, and sure enough, it showed up there. Even so, I was quite sure there was something fishy about the whole thing. One thing that struck me was that I had never heard of either of these courier companies. And I had no idea they worked so efficiently in the days of the pandemic (red flag!). It was late at night, so I simply told my relative that it was better to just reject the delivery; I also casually mentioned that these people would ask for customs money to be paid under the guise of delivery. He was very firm in telling me that this was a real thing and refused to believe my advice. I didn't really spend time analysing the tracking websites further (more on this in Post Analysis).

This morning, my relative called again asking how to do an NEFT transfer to another bank. Now that was a super red alert to me. I asked him why he needed to do this - he said the courier person had called and asked him to transfer customs charges to an account. I asked him to share these details and told him strictly not to speak to this courier person and not to transfer any money. Then he told me that since banks were closed today (due to Id), he couldn't go to the bank to do the transfer, and that was why he called me! I said thank God, and looked at the bank account shared by this "helpful" courier person:


Many red flags here:
- this is a personal account
- this branch is in Patna, Bihar, while my relative is in Kerala (super red flag)
- why on earth would I need the PAN number of the receiver (a confidence-building measure of the con?)

So I again called up my relative and asked him in what language this so-called courier person had spoken - he said Hindi!! LOL. Only at this point did my relative realise that this was indeed a fraud - nobody in Kerala will locally speak Hindi, no matter what. Of course people in Kerala know Hindi, but will never speak it locally. That question to my relative nailed it - but I found it very strange that I had to ask it; he hadn't realised until I did.

Post Analysis (still continuing):
Were the tracking domains not legit?
They are not (most probably). They are set up only for fraud and nothing else. They don't deliver any goods, and most likely their customer care number is invalid. For both sites, the primary contact address appears to be in the UK - but both sites seem to have the same content with different backends (not yet analysed what is in the backend). A whois lookup on the domains points to registrations in Panama (that itself is a mega red flag). I found another con domain with similar suspicious registrations - rextonexpc.com
How exactly these sites operate and who is behind them will be interesting to dig into.
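One way to automate the checks described above (a plain-http tracking link, a freshly registered domain, and a whois registrant country that contradicts the Contact Us page), as an added example that is not part of the original post; the WHOIS record, the domain name and the dates are constructed placeholders, not data from the real sites:

```python
import re
from datetime import date

# Constructed WHOIS-style record for a placeholder domain (not real data).
SAMPLE_WHOIS = """\
Domain Name: example-courier.invalid
Creation Date: 2020-06-12T09:41:00Z
Registrant Country: PA
Registrar: Placeholder Registrar, Inc.
"""

def parse_whois(text):
    """Turn 'Key: value' lines of a whois response into a dict (keys lowercased)."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*([^:]+):\s*(.+)$", line)
        if m:
            fields[m.group(1).strip().lower()] = m.group(2).strip()
    return fields

def tracking_site_red_flags(url, whois_text, claimed_country, today_iso, max_age_days=180):
    """Return a list of red-flag strings for a courier 'tracking' site.

    claimed_country: ISO country code taken from the site's own Contact Us page.
    today_iso: reference date as YYYY-MM-DD, passed in so the check is reproducible.
    """
    flags = []
    if url.lower().startswith("http://"):
        flags.append("tracking link is plain http")
    w = parse_whois(whois_text)
    created = w.get("creation date")
    if created:
        age = (date.fromisoformat(today_iso) - date.fromisoformat(created[:10])).days
        if age < max_age_days:
            flags.append(f"domain registered only {age} days ago")
    else:
        flags.append("no creation date in whois (privacy-shielded or malformed record)")
    reg_country = w.get("registrant country")
    if reg_country and reg_country.upper() != claimed_country.upper():
        flags.append(f"registrant country {reg_country} differs from claimed contact country {claimed_country}")
    return flags

if __name__ == "__main__":
    for f in tracking_site_red_flags("http://example-courier.invalid", SAMPLE_WHOIS, "GB", "2020-07-31"):
        print("RED FLAG:", f)
```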

A word of advice:
- Never share your personal information with anyone on a social network of any kind.
- If you want to share personal information with people you already know, use other, more secure channels (email or encrypted chat).
- Nothing in this world is free; earn it, but be good to others who are needy. If you can earn it, you are not needy.