# Repeated Fraud from the Same /24



## Nick_A (Jun 3, 2013)

It seems at least twice a week I receive a fraudulent order from the 114.79.13.0/24 subnet. It's always someone paying with a compromised PayPal and not using a coupon. They usually have "Angga" somewhere in their name, but it varies between first and last name. Has anyone else seen repeated fraud from that IP block? I banned the entire /24 but it turned out that at least one legitimate customer also had an IP in that range :/


----------



## Marc M. (Jun 3, 2013)

That looks like a Wireless ISP in Indonesia. Banning that entire /24 subnet might end up being counterproductive. Instead you could just make a quick phone call to verify when you get an order from an IP in that range.


----------



## Aldryic C'boas (Jun 3, 2013)

Looks like an Indonesian kid just resetting his DSL modem to get a new IP.  We have 8 active clients (confirmed ID) on that range - looks like you might just have to keep an eye out for that guy.


----------



## shovenose (Jun 3, 2013)

But calling each customer gets expensive, when you're selling a LowEnd VPS.


----------



## Aldryic C'boas (Jun 3, 2013)

Not everyone tries to fit the "low end" niche.  Some folks, such as Nick there, provide quality service and just happen to have a few pricing points that are considered "low end".. which I feel diminishes the value of the product.  Cramming 80+ 2G VMs on a single node is _low end_.. the providers not interested in the whole top#/RAM race/etc mess simply provide *normal* service.  Don't make assumptions on his budget and operation based on the price points of a couple of his plans.


----------



## jarland (Jun 3, 2013)

I've been getting nothing but trash lately originating from that same ISP. Injection attempts when I have non-client tickets on (for presales) and fraudulent orders when I turn those off. Someone over there seems to be really motivated for little potential return.


----------



## Aldryic C'boas (Jun 3, 2013)

jarland said:


> I've been getting nothing but trash lately originating from that same ISP. Injection attempts when I have non-client tickets on (for presales) and fraudulent orders when I turn those off. Someone over there seems to be really motivated for little potential return.


Heh, well, there's more to the situation than meets the eye.  I'll PM you and Nick, since stating openly would tip off the kids involved.


----------



## Nick_A (Jun 3, 2013)

Yeah, I don't really need to waste time calling anyway since the PayPal account owners typically file an unauthorized payment claim within a few hours of them ordering. It's so obnoxiously obvious when these people place orders that I'm just shocked they continue to try.


----------



## drmike (Jun 3, 2013)

Yowzers.  Glad you folks are powwowing about the perp(s).  Sounds like multiple levels of attacks and quite a few compromised PayPal accounts.


----------



## A Jump From Let (Jun 3, 2013)

marcm said:


> That looks like a Wireless ISP in Indonesia. Banning that entire /24 subnet might end up being counter productive. Instead you could just make a quick phone call to verify when you get an order from an IP in that range.


That's why banning IP ranges is not an exact option; some ISPs worldwide have clients connecting through NAT or similar, leading to wide use of the same IP.


----------






## darknessends (Jun 3, 2013)

Why don't you confirm their orders by call? If they aren't submitting bulk orders or so.


----------



## ryanarp (Jun 3, 2013)

darknessends said:


> Why don't you confirm their orders by call? If they aren't submitting bulk orders or so.


Nick mentioned earlier it is just easier to handle the Paypal dispute when it comes up.


----------



## vRozenSch00n (Jun 3, 2013)

The 114.79.13.0/24 subnet belongs to the fastest and cheapest prepaid wireless provider in Indonesia, and yes, there are many hacker clubs in Indonesia, which makes other legit users have to swallow the bitter pill.

One of the problems in Indonesia is that many people here are still unaware of identity theft.

Due to the very tough competition, many financial institutions use third-party marketers to sell credit cards in malls and public areas. Most of these marketers are paid with a minimum transport and meal allowance and $5 - $10 for every approved credit card.

If we are interested in getting a new credit card and already have one from another bank, usually the marketer helps us fill in the form and asks us for a photocopy of the front and back of our existing credit card and ID card (they even "help" us copy our cards at a nearby photocopy shop).

By providing a copy of our existing credit card, there will be no on-site verification of our address, therefore many people tend to choose this method.

Now imagine. They have all our personal data in the form along with a copy of our existing credit card and ID card. Another scary scenario is the possibility that they copy our credit card using a skimmer when they "help" us make a photocopy of our cards.

There are many more, but I think this brief explanation might give a picture of why Indonesia is known as one of the highest-risk countries for online transactions.


----------



## ChrisM (Jun 3, 2013)

Nick_A said:


> It seems at least twice a week I receive a fraudulent order from the 114.79.13.0/24 subnet. It's always someone paying with a compromised PayPal and not using a coupon. They usually have "Angga" somewhere in their name, but it varies between first and last name. Has anyone else seen repeated fraud from that IP block? I banned the entire /24 but it turned out that at least one legitimate customer also had an IP in that range :/


When I ran URPad and the other FTN brands we had similar issues. The order would come under an Indonesian IP and usually a US address (sometimes UK or Greece) and always somehow seemed to get by MaxMind even with country mismatch set.


----------



## KuJoe (Jun 3, 2013)

Does their Paypal address match their client address?

Check -> Tick this box to request a shipping address from a user on PayPal's site
Check -> Tick this box to force using client profile information entered into WHMCS at PayPal

Additionally, if you are adept at regex I can provide you my duplication IP detection hook and you can alter it to send you an e-mail when somebody in that IP range signs up.
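KuJoe's suggestion above (watch the range and notify staff when a sign-up comes from it, rather than ban the whole /24 that legitimate customers share, as Nick and Aldryic both point out) in Python, as an added example; this is not from the thread and is not KuJoe's WHMCS hook. The orders, the list of IPs seen in earlier chargebacks, the name fragment and the decision thresholds are all constructed for illustration, and `triage_all` stands in for whatever a shop's order pipeline would call.

```python
import ipaddress
from dataclasses import dataclass

# Constructed watch list: the /24 discussed in the thread. A real shop would keep
# this in its own configuration; nothing here is a WHMCS API.
WATCHED_NETWORKS = [ipaddress.ip_network("114.79.13.0/24")]

# Name fragment that recurs in the fraudulent orders described in the thread.
WATCHED_NAME_FRAGMENTS = ["angga"]


@dataclass
class Order:
    order_id: str
    client_ip: str
    first_name: str
    last_name: str
    # True when the address PayPal returned matches the client profile address
    # (the two checkbox settings KuJoe mentions make this comparison possible).
    paypal_address_matches: bool


def risk_flags(order, prior_fraud_ips):
    """Return the independent risk signals an order trips.

    Each flag is a hint, not a verdict; the range flag on its own must never
    block, because legitimate customers share the same /24.
    """
    flags = []
    addr = ipaddress.ip_address(order.client_ip)
    if any(addr in net for net in WATCHED_NETWORKS):
        flags.append("watched_range")
    if order.client_ip in prior_fraud_ips:
        flags.append("ip_seen_in_prior_fraud")
    full_name = f"{order.first_name} {order.last_name}".lower()
    if any(frag in full_name for frag in WATCHED_NAME_FRAGMENTS):
        flags.append("name_pattern")
    if not order.paypal_address_matches:
        flags.append("address_mismatch")
    return flags


def triage(order, prior_fraud_ips):
    """Decide what to do with an order: accept, accept but e-mail staff, or hold.

    Returns (decision, flags). Thresholds are constructed for this example.
    """
    flags = risk_flags(order, prior_fraud_ips)
    # An IP already tied to a chargeback, or two independent signals, is enough
    # to hold provisioning until a human looks at it.
    if "ip_seen_in_prior_fraud" in flags or len(flags) >= 2:
        return "hold_for_review", flags
    # A single signal (e.g. only "watched_range") provisions normally but
    # notifies staff, which is the e-mail KuJoe's hook would send.
    if flags:
        return "accept_and_notify", flags
    return "accept", flags


def staff_notice(order, decision, flags):
    """Build the text of the staff notification; sending it is left to the shop."""
    detail = ", ".join(flags) if flags else "no flags"
    return f"order {order.order_id} from {order.client_ip}: {decision} ({detail})"


# Constructed sample orders: two from the watched /24 (one fraudulent-looking,
# one ordinary), two from elsewhere.
SAMPLE_ORDERS = [
    Order("1001", "114.79.13.27", "Angga", "Pratama", False),
    Order("1002", "114.79.13.200", "Dewi", "Sari", True),
    Order("1003", "203.0.113.9", "John", "Doe", True),
    Order("1004", "198.51.100.4", "Maria", "Angga", False),
]

# Constructed: IPs from orders that later turned into PayPal disputes.
PRIOR_FRAUD_IPS = {"114.79.13.27"}


def triage_all(orders=SAMPLE_ORDERS, prior_fraud_ips=PRIOR_FRAUD_IPS):
    """Triage every order and return {order_id: (decision, flags)}."""
    return {o.order_id: triage(o, prior_fraud_ips) for o in orders}


if __name__ == "__main__":
    for order in SAMPLE_ORDERS:
        decision, flags = triage(order, PRIOR_FRAUD_IPS)
        print(staff_notice(order, decision, flags))
```

Order 1002 shows the point of the thread: it sits in the watched range but trips nothing else, so it is provisioned and staff are merely told about it, whereas a flat ban on the /24 would have lost that customer. Order 1004 shows the converse, a hold triggered by two signals with no involvement of the range at all.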


----------



## ChrisM (Jun 3, 2013)

KuJoe said:


> Does their Paypal address match their client address?
> 
> Check -> Tick this box to request a shipping address from a user on PayPal's site
> 
> ...



Unfortunately this wouldn't protect those accepting Paypal alternatives.


----------



## KuJoe (Jun 4, 2013)

Chris Miller said:


> Unfortunately this wouldn't protect those accepting Paypal alternatives.


That is true but Nick specifically said Paypal so it should protect him.


----------



## qps (Jun 5, 2013)

We just got a fraud order from the same subnet. Guess he got tired of harassing Ramnode and decided to harass us instead...


----------



## MartinD (Jun 5, 2013)

I've been fighting them off for a week and have refunded one quite literally 20 minutes ago.

It's getting mighty annoying!


----------



## 365Networks (Jun 5, 2013)

We have removed PayPal as an option for any high-risk countries, and we also do not mind doing a phone/SMS verification (gotta love worldwide calling for free) if required. It is a shame that one or two people can ruin it for the rest of them.


----------

