FakeCommerce, an exercise in OSINT

2015/02/28

I've been contacted by a friend seeking help: he bought something on a random ecommerce site and after 30 days nothing had been shipped and no one was replying to his emails. He wanted to know if he had been scammed.

In the end the item arrived and the ecommerce site proved to be somehow legit, and the FakeCommerce label might be a bit sensationalistic. Anyhow, the quick investigation I performed was a good OSINT exercise worth sharing.

The website was pietraneraetna.it.

This was the email he received to confirm his purchase:

From: auto1@winwservice.com
Sent: Sunday, 18 January 2015 13:20:22
To: XXXXXXXXX@hotmail.it

Dear XXXXXXXXX@hotmail.it:
You have transferred 91.41 EUR to pietraneraetna.it.
------------------------------------------------------------
The order details are as follows:
------------------------------------------------------------
Order No.: XXXX-mmXXXXss-hpdXXXX
Seller website: pietraneraetna.it
Payment Date&Time: 2015-01-18 20:20
Amount: 91.41 EUR
Payment No.: HPV15011820154XXXXXX
Due to the foreign exchange rate, the amount displayed on your statement might be a little bit different from the real price.
You can also check your order status and confirm the merchandise delivery on our bill support webiste of
Please note "BUTTER UILF" will be displayed on your credit card statement instead of the website from which you purchased the mentioned product.
It's just used for sending bill statement by the seller's payment processor as a tool.
------------------------------------------------------------
Should you need any further assistance, please don't hesitate to contact our Customer Services department at service@winwservice.com
with the transaction details listed above or visit our bill support webiste of
The order on the help site of random codes are 9949551262.
Tel: +86-0755-83268282
Fax: +86-0755-83268282
E-mail: service@winwservice.com
------------------------------------------------------------
If you have any question, please don't hesitate to contact us!

Some interesting pieces:

Please note "BUTTER UILF" will be displayed on your credit card statement instead of the website from which you purchased the mentioned product. It's just used for sending bill statement by the seller's payment processor as a tool.

A quick search on BUTTER UILF revealed nothing. But the email contained some contact details:

Tel: +86-0755-83268282
Fax: +86-0755-83268282
E-mail: service@winwservice.com

So +86 is China's country calling code, and 0755 is the Shenzhen prefix. While the site is advertised as a local Italian shop, it looks like it's Chinese instead. The copy on the pages has also very likely been machine translated.

The domain winwservice.com is registered by HICHINA ZHICHENG TECHNOLOGY LTD. There is no website attached. A quick search reveals some ripoff reports:

Ordered designer bag from an outlet store on line saying it was in Atlanta, Ga
after giving my credit card payment, received email, Order paid successfully. Order transferred to 1465.49CNY to wonderchinagoods.com
then goes on to say, due to foreign exchange rate, amount displayed on my credit card, might be different from real price.
said please note "SZ PL CO.LTD" will be displayed on credit card instead of website you ordered from and that the method is used for sending bill statement by the sellers payment processor as a tool.
this was not displayed on the initial Web site I ordered from, the site had designers Name @ logo, looked very official, and was close to where I reside.
i have replied several times to cancel this order, with no response. I was going to try get explanation, but with no response, I now have to go through all the inconvenience of reporting it to my credit card company.
this should be illegal and considered fraud.

Back to pietraneraetna.it. The website looks extremely shady and is very similar to the one described on the ripoff report: it is a single brand shop where products are heavily discounted, the copy is badly translated and, even worse, it processes credit cards directly.

A whois reveals that the domain is registered by Mr Xiao Xiaoli. On the same IP, 31.222.203.13, there are 13 other sites, many of which closely resemble the current ecommerce template: single brand, bad copy, heavy discount, direct credit card processing, you get the picture.

The list:

Most TLDs are European, one Canadian. This is interesting and raises the suspicion that there could be a network of this kind of ecommerce site spanning Europe. The registrant names yield nothing useful: different common names, lots of false positives.

Instead, the IP reveals an interesting ASN: AS12327 IDEAR4BUSINESS-INTERNATIONAL-LTD idear4business international LTD (registered Mar 30, 2011).

Let's find the associated IP blocks:

whois -h whois.radb.net -- '-i origin AS12327' | grep -Eo "([0-9.]+){4}/[0-9]+"

The resulting subnets:

195.191.102.0/23
31.222.200.0/21
37.148.216.0/21
195.191.102.0/23
37.148.218.0/23
37.148.218.0/23
31.222.200.0/21
31.222.200.0/21
37.148.220.0/22
37.148.220.0/22
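
The output above repeats prefixes and lists ranges that sit inside larger ones, so the real lookup scope is smaller than it appears. The following is an added example, not part of the original post: it parses route objects by field instead of by regex, keeps only those with the expected origin, and collapses them. The RPSL text is a constructed sample built from the prefixes shown above, and the function names are hypothetical.

```python
import ipaddress

# Prefixes copied from the command output on this page, wrapped in a
# constructed RPSL sample shaped like a whois.radb.net reply.
PAGE_PREFIXES = (
    "195.191.102.0/23 31.222.200.0/21 37.148.216.0/21 195.191.102.0/23 "
    "37.148.218.0/23 37.148.218.0/23 31.222.200.0/21 31.222.200.0/21 "
    "37.148.220.0/22 37.148.220.0/22"
).split()
SAMPLE_RADB = "\n\n".join(
    f"route:      {p}\ndescr:      constructed sample\norigin:     AS12327"
    for p in PAGE_PREFIXES
)

def extract_routes(rpsl_text, asn):
    """Return the IPv4 prefixes of route objects whose origin is `asn`."""
    routes = []
    for obj in rpsl_text.split("\n\n"):
        fields = {}
        for line in obj.splitlines():
            key, sep, value = line.partition(":")
            if sep and key and not key[0].isspace():
                fields.setdefault(key.strip().lower(), value.strip())
        if fields.get("origin", "").upper() != asn.upper():
            continue
        try:
            routes.append(ipaddress.IPv4Network(fields.get("route", "")))
        except ValueError:
            continue  # missing, malformed, or host bits set: skip the object
    return routes

def lookup_scope(routes):
    """Deduplicate and drop prefixes already covered by a larger one."""
    return list(ipaddress.collapse_addresses(routes))

def address_count(networks):
    return sum(net.num_addresses for net in networks)

def covering(ip, networks):
    return next((n for n in networks if ipaddress.ip_address(ip) in n), None)

if __name__ == "__main__":
    raw = extract_routes(SAMPLE_RADB, "AS12327")
    scope = lookup_scope(raw)
    print(len(raw), "route objects,", address_count(raw), "addresses as listed")
    print(len(scope), "networks,", address_count(scope), "addresses collapsed")
    print("31.222.203.13 is inside", covering("31.222.203.13", scope))
```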

A quick manual investigation of the IPs revealed some more similar ecommerce sites. DomainTools's IP Explorer proved extremely useful for quickly finding populated D blocks.

The next step was to perform a mass reverse IP lookup on those subnets.

Then I compared the front pages of already known fake ecommerce sites to derive a common pattern, on top of which I started scraping the whole domain list with the help of some curl and grep fu. It took a lot of time.
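
One way to derive and apply a pattern like this is shown below as an added example. It is not the author's curl and grep pipeline, whose pattern the post does not give. It keeps the markup features shared by every known front page, drops those also seen on an unrelated baseline page, and scores candidates against what remains. The markup, host names, paths and threshold are all constructed.

```python
import re

ATTR = re.compile(r'\b(id|class|src|href)\s*=\s*["\']([^"\']+)["\']', re.I)

def features(html):
    """Site-independent markup features: ids, classes, relative asset paths."""
    feats = set()
    for name, value in ATTR.findall(html):
        name = name.lower()
        if name in ("id", "class"):
            feats.update((name, token) for token in value.split())
        elif not re.match(r"(?:[a-z][a-z0-9+.-]*:)?//", value, re.I):
            feats.add((name, value.split("?", 1)[0]))  # drop cache-busting query
    return feats

def derive_pattern(known_pages, benign_pages):
    """Features present on every known page and on no benign baseline page."""
    shared = set.intersection(*(features(p) for p in known_pages))
    for page in benign_pages:
        shared -= features(page)
    return shared

def score(html, pattern):
    return len(features(html) & pattern) / len(pattern) if pattern else 0.0

# Constructed markup: the post does not publish the real pages or its pattern.
KNOWN = [
    '<link href="/tpl/css/stylesheet.css"><script src="/tpl/js/cart.js"></script>'
    '<div id="navCurrency" class="box promo"><a href="/brand-one-c-1.html">x</a></div>',
    '<link href="/tpl/css/stylesheet.css"><script src="/tpl/js/cart.js?v=2"></script>'
    '<div id="navCurrency" class="box promo"><a href="/brand-two-c-4.html">y</a></div>',
]
BENIGN = ['<link href="/static/site.css"><div id="main" class="box"><a href="/about">a</a></div>']
CANDIDATES = {
    "candidate-1.example": '<link href="/tpl/css/stylesheet.css"><script src="/tpl/js/cart.js">'
                           '</script><div id="navCurrency" class="box">',
    "candidate-2.example": '<link href="/theme/style.css"><div id="content" class="box promo">',
}
THRESHOLD = 0.7  # assumption; tune against pages reviewed by hand

def matches(candidates, pattern, threshold=THRESHOLD):
    return sorted(h for h, html in candidates.items() if score(html, pattern) >= threshold)

if __name__ == "__main__":
    pattern = derive_pattern(KNOWN, BENIGN)
    for host, html in CANDIDATES.items():
        print(host, score(html, pattern))
    print("matches:", matches(CANDIDATES, pattern))
```

Subtracting the baseline is what keeps generic class names from inflating the score; a partial match still needs a manual look, which is where the false positives mentioned below come from.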

The pattern was far from perfect (and the scraping is incomplete) but gave an astounding list of over 1000 matches. I suspect there might be some more. The list is here for your delight, with some false positives. Here is an excerpt:

Most domains are brand related; some others are obviously totally unrelated and might be recently expired domains, mass purchased to gain from their previous SEO reputation. The whole network deployment scheme looks totally automated and many sites share the same product catalog.

In the end I can't say if this Chinese ecommerce network, while looking shady, is a total scam, because my friend received his purchase. Anyhow, I still advised him to block the credit card used.

Follow me: @gbrindisi