August 1, 2011

Cheating the System


One of the benefits of this ‘7 Posts -> 7 Days’ project is that I can finally push through some writing that I have put off for far too long.

One such story involves a scamming operation we uncovered with our affiliate program about a year ago. As it begins, we received a series of new affiliates who had Chinese names and listed their residence in Vancouver, British Columbia, Canada. At first we were excited given the steady stream of business they were sending our way. At the end of the first month, we sent out a few hundred dollars worth of affiliate referral fees to these new partners via the PayPal address each supplied.

Shortly after these first payments were made, I noticed a number of customers emailing customer support asking ‘What is SpiderOak?’ and ‘Why did you charge my credit card?’. These inquiries didn’t immediately set off any alarms, as we often have contractors or consultants set up accounts on behalf of their employer. However, as the messages started piling up, it became more and more suspicious. After about the fifteenth email in 10 days, I decided to start cross-referencing these names against the affiliate referees. Rather quickly a pattern appeared.

These new affiliates were using stolen credit cards to purchase SpiderOak accounts under their affiliate umbrella. At the end of the month, we would then send the appropriate affiliate payments thinking the business they had sent our way was legitimate as the payments all successfully landed in our bank account. And before anyone could know any better, they cleanly laundered the money. Clever scam really – providing sufficient separation between the thieves, their victims, and the intermediary (in this case – us).
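The cross-referencing step described above (complaining customers matched against the affiliates who referred them) is the defender's lever against this scheme: hold the payout for any affiliate whose referral cohort shows an abnormal fraud rate before the money leaves. The following is an added example, not SpiderOak's code; the data model (customer, referring affiliate) and the thresholds are assumptions, and the sample data is constructed.

```python
from collections import defaultdict
from dataclasses import dataclass, field

@dataclass
class AffiliateStats:
    signups: int = 0
    flagged: int = 0
    customers: set = field(default_factory=set)  # referred customers with a fraud signal

    @property
    def fraud_rate(self) -> float:
        return self.flagged / self.signups if self.signups else 0.0

def cross_reference(signups, fraud_signals):
    """Group referred signups by affiliate and count those that raised a fraud
    signal. signups: (customer, affiliate) pairs; fraud_signals: customer ids
    taken from "why did you charge my card?" tickets or chargebacks."""
    flagged = set(fraud_signals)
    stats = defaultdict(AffiliateStats)
    for customer, affiliate in signups:
        s = stats[affiliate]
        s.signups += 1
        if customer in flagged:
            s.flagged += 1
            s.customers.add(customer)
    return dict(stats)

def payout_decisions(stats, min_signups=5, max_rate=0.2):
    """Per-affiliate decision before the monthly payout run: 'hold' a cohort
    whose fraud rate exceeds max_rate, 'review' one too small to judge that
    already has a signal, otherwise 'pay'. Thresholds are assumed values."""
    decisions = {}
    for affiliate, s in stats.items():
        if s.signups < min_signups and s.flagged:
            decisions[affiliate] = "review"
        elif s.fraud_rate > max_rate:
            decisions[affiliate] = "hold"
        else:
            decisions[affiliate] = "pay"
    return decisions

# Constructed sample data: (customer, referring affiliate)
SIGNUPS = (
    [(f"cust-{i}", "aff-A") for i in range(10)]          # 10 referrals
    + [(f"cust-{i}", "aff-B") for i in range(10, 22)]    # 12 referrals
    + [("cust-22", "aff-C"), ("cust-23", "aff-C")]       # 2 referrals
)
# Constructed fraud signals: customers who did not recognise the charge
FRAUD_SIGNALS = [f"cust-{i}" for i in range(8)] + ["cust-15", "cust-22"]
```

Running `payout_decisions(cross_reference(SIGNUPS, FRAUD_SIGNALS))` holds aff-A (8 of 10 referrals disputed), pays aff-B (1 of 12) and sends aff-C for manual review; the `customers` set on each entry is the call list for the affected cardholders.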

Once everything was definitive, I sent an email to all of the suspected affiliates asking for further information including websites, marketing techniques, etc… Silence. I emailed again and mentioned that if I did not hear back then I would cancel their affiliate accounts. No word was returned and thus we proceeded to cancel them one by one.

During this time I was also contacting the hundreds of users who signed up under these affiliate links. Many of them had no idea their cards had been compromised and were thankful for the call. However, when they began to ask for refunds we could not comply; instead, we had to refer them to their credit card company or bank, who in turn had to go through the rather tedious chargeback procedures. A complete mess. (On a side note – it has happened to us that we will provide a refund and the user will still file the complaint with their bank. If the bank validates their request then the chargeback also occurs, which means we are out double. Luckily this has not happened too often.)

Lastly, I figured we could not have been the only ones targeted. As such I decided to call our competitors who offer similar affiliate programs; I figured if they were doing it to us then there was a high probability it could also be happening to them. Sure enough, one of them had known about the issue for a few weeks and three others became aware soon after our conversation.

In the end I am glad to report that these thieves only made out with a few hundred dollars but did manage to capture more than my fair share of time. We did contact the authorities and passed along all the associated information on these phony affiliates but have yet to hear back. We further never found out how the card numbers were stolen despite staying in touch with several of the victims (a few of whom actually signed up for a legitimate SpiderOak account).

We are left to believe that these types of plots are going on every day and speak to the larger vulnerability issues in this ever-growing digital world. And to think how much money these little scams cost both in terms of dollars and time spent – astronomical. As for SpiderOak, we were just happy to play our small part and reaffirm our mission as protectors of our users’ security and privacy.

Comments
  1. Some of these scammers are very clever! Imagine the innovation we would see if they channeled their ingenuity into new products or services.

  2. There's a similar scam going on with Xbox Microsoft Points. Credit card numbers are stolen, used to purchase Microsoft Points, then the points are loaded onto a temporary Xbox Live! account and the account is sold for below market value.

  3. Interesting…when I signed up for SO my CC called as it was tagged fraudulent (this was almost exactly a year ago). Then again I also had $1000 of ball pit balls I was moving through for a friend on the statement, so their concern was warranted I guess. We'll see if it happens again on renewal.

  4. Trying to roll your own affiliate system is a recipe for disaster.
    There are firms that can handle this for you.

  5. Your decision to roll out your affiliate system and not sub-contract it was correct. Where you went wrong was that you put too much trust into faceless numbers and avoided knowing personal details, treating this the Zero Knowledge way for clients. Your partners are like your family members, and a zero knowledge attitude about family mostly never works :).
    This was interesting, thanks for sharing!