Security Awareness Blog

Online Shopping Fraud - Advanced Social Engineering

I've noticed a growing number of cases of online bargain-shopping fraud recently. Well, I should say the power shoppers in my family have noticed this and helped point it out to me. The scam works by setting up websites that pretend to be legitimate but are really nothing more than fake sites that sell dramatically discounted counterfeit goods, or simply do not deliver at all.

Let's take a look at a real-world example. Let's say you have a family member with a new baby and you want to buy them a gift, perhaps a new baby carrier. But with the economy the way it is, you also want to find a very good bargain. A well-known baby carrier brand is Ergo baby carriers, which you can find online at www.ergobabycarriers.com. This is the legitimate store selling the legitimate Ergo product. Now let's look at the counterfeit site, www.babycarriergo.com. The website looks highly professional, almost an exact copy of the legitimate site, just with dramatically lowered prices (the bargain we were looking for!). If you are lucky, they will deliver you an actual product; perhaps it will even be the real thing. In the worst-case scenario you do not get anything delivered and they harvest personal information including email, usernames and passwords, and credit card numbers.

There are several ways to detect these fake sites and protect yourself. Let's look first at the email they send confirming an account setup.

  1. Look at the first sentence in their response email: the grammar is terrible. It either went through Google Translate or, more likely, some very misinformed translator. "We wish to welcome you to ERGO baby carrier,Cheap baby carrier ERGO, ERGO on sale,Free shipping." The rest of the text is perfect, most likely copied from emails sent by the legitimate businesses.
  2. The email is sent from sales@ergobabycarrierergo.com but the actual website and URL in the email are www.babycarriergo.com. Their support page uses the email address sales@cheapergobabycarrier.com. All these different domains are another big red flag.
  3. The site never uses HTTPS during the online purchase process. They have a nice "We Are Secure" logo, but I never saw HTTPS during any transactions, nor could I find it anywhere in their website code (well, except for their Google Analytics).
  4. Call their support number. Wait ... no support number or no one to call? Another red flag.
  5. The safest bet for your family and friends this season is to shop online only from well known, trusted sites. As always, if something seems too good to be true, then it most likely is.
With the shopping season coming up very soon, these types of attacks will unfortunately only become more common.
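
Red flags 2 and 3 above can be checked mechanically. The following is an added example, not code from the original post: it compares the sender domain, linked domains and contact-address domains in a plain-text, single-part email and reports links that use plain HTTP. The sample message is constructed (only the three domains and the welcome sentence come from the post), and `base_domain` and `red_flags` are hypothetical helper names.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample message. Only the three domains and the welcome
# sentence come from the post; everything else is made up for the demo.
SAMPLE_EMAIL = """\
From: Sales <sales@ergobabycarrierergo.com>
To: shopper@example.org
Subject: Welcome

We wish to welcome you to ERGO baby carrier,Cheap baby carrier ERGO, ERGO on sale,Free shipping.
Visit your account at http://www.babycarriergo.com/account
Questions? Write to sales@cheapergobabycarrier.com
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)
ADDR_RE = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")

def base_domain(host):
    # Simplification (assumption): keep the last two labels. This is wrong
    # for suffixes like .co.uk; production code needs the Public Suffix List.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def red_flags(raw_email):
    """Return (flag, evidence) pairs for the domain and HTTPS checks."""
    msg = message_from_string(raw_email)
    body = msg.get_payload()
    sender = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    urls = [u.rstrip(".,)") for u in URL_RE.findall(body)]
    hosts = [urlparse(u).hostname for u in urls]
    domains = {base_domain(h) for h in hosts if h}
    domains |= {base_domain(d) for d in ADDR_RE.findall(body)}
    if sender:
        domains.add(base_domain(sender))
    flags = []
    if len(domains) > 1:   # sender, links and contact address disagree
        flags.append(("multiple_domains", sorted(domains)))
    plain = [u for u in urls if u.lower().startswith("http://")]
    if plain:              # link into the shop is not served over HTTPS
        flags.append(("no_https", plain))
    return flags

if __name__ == "__main__":
    for flag, evidence in red_flags(SAMPLE_EMAIL):
        print(flag, evidence)
```

An empty result only means these two checks passed; a counterfeit shop can use one domain and HTTPS, so the other red flags in the list still apply.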

16 Comments

Posted February 17, 2012 at 3:58 PM

cabelaspromotioncode

Very informative report for online shoppers. Another tip is for shoppers to check if the site has a live chat line that is functioning and could be used to ask questions. How fast they respond will tell how much they appreciate customers. The shopper can go further to read customer reviews about the site before releasing their card details.

Posted February 17, 2012 at 4:33 PM

lspitzner

Great feedback! I see a new OUCH! security awareness newsletter in the making here.

Posted March 9, 2012 at 2:54 AM

Adrienne

Oh no!! I just ordered from this site!! What should I do?!

Posted March 9, 2012 at 3:00 AM

lspitzner

Adrienne, if you believe you made an online purchase from a fraudulent website, call your credit company and explain the situation. You can stop the charges for the purchase. In addition you may want to have your credit card company send you a new credit card (in case your existing credit card number has been compromised).

Posted March 20, 2012 at 4:55 PM

Angie

Adrienne, I ordered from them too!! Did you ever get a response or anything from them?
I just cancelled my credit card through Chase, how upsetting, I thought maybe I could just get a deal... BUT NO! How scary.

Posted March 25, 2012 at 10:57 PM

stephanie

I really wish I would have found the many reviews on the fraudulent company like http://www.babycarriergo.com before I so naively purchased one online. They have not sent me the ERGO that I tried to purchase.

Posted March 26, 2012 at 12:24 PM

lspitzner

All these comments posted have raised my awareness on just how large this problem is. Looks like we need to create an OUCH! security awareness newsletter on just this very topic. Will work on this soon.
Thanks for the post folks!

Posted April 2, 2012 at 6:53 PM

ika

I have just started to place the order on the fake site http://www.babycarriergo.com. I have entered the info regarding billing address, my email address and password, and on the second step of order proceeding, I have entered the credit card info, but something stopped me and I did not click "submit". In this case, is there the risk that someone has got my credit card info (without submitting action)?
Thanks a lot in advance for your feedback!

Posted April 2, 2012 at 7:44 PM

lspitzner

If you did not click the 'submit' button, then the information was not sent to the website. However, since you sent your email address and password, assume they have that information. If you are using that same password on any other websites or other accounts be sure to change it. Best of luck!

Posted June 7, 2012 at 8:33 PM

Misty

I just ordered from "Ergo Baby Carrier Online Store". Does anyone know if this is a scam or if it is legit? It has some of the red flags you mention but it also passes some of them. Help!

Posted June 8, 2012 at 3:09 AM

lspitzner

http://www.ergobaby.com is the legitimate URL. You can find a list of counterfeit sites at http://store.ergobaby.com/Content/AboutUs_Counterfeits#.

Posted August 1, 2012 at 7:05 AM

Lucky3

Sigh, I can't go out shopping lately since I have triplet babies. Am so sick of getting scammed online and wished I had read this post earlier. Found this new website http://www.booroos.com which reviews and rates online shops to see if they are good or fraudsters. Has been helpful to me!

Posted August 1, 2012 at 11:06 AM

lspitzner

We understand your frustration. This is why the August edition of OUCH! (coming out next week) is on how to protect yourself from Counterfeit Websites. OUCH! is a free, monthly security awareness newsletter you can download from http://www.securingthehuman.org/resources/newsletters/ouch.
Thanks!

Posted October 3, 2012 at 5:41 PM

dlove77

I bought a carrier from cheapergobabys.com and it was a complete fraud, they had really bad grammar, sent me an email confirmation without an order #, saying I would receive a tracking # and I never did. I didn't receive the carrier and they didn't respond to any of my email inquiries.

Posted February 21, 2013 at 3:34 PM

Bright Heritage Associates

Great tips. Popularity of internet shopping and online auctions grows, so the number of complaints about transactions is increasing. One example is: Buyers receiving goods late, or not at all.

Posted May 7, 2013 at 4:44 AM

online shopping in india

Hi lspitzner,
Hey, you're right, nowadays internet spam has increased so much we hardly understand; so many tricks are played, especially during transactions.
But to my notice I have been through such sites wherein we are secured by our personal account and transactions. I often visit some shopping sites which are secured enough to shop.