Repeated Fraud from the Same /24

Nick_A

Provider of the year (2014)
It seems at least twice a week I receive a fraudulent order from the 114.79.13.0/24 subnet. It's always someone paying with a compromised PayPal and not using a coupon. They usually have "Angga" somewhere in their name, but it varies between first and last name. Has anyone else seen repeated fraud from that IP block? I banned the entire /24 but it turned out that at least one legitimate customer also had an IP in that range :/
 

Marc M.

Phoenix VPS
Verified Provider
That looks like a Wireless ISP in Indonesia. Banning that entire /24 subnet might end up being counterproductive. Instead you could just make a quick phone call to verify when you get an order from an IP in that range.
 

Aldryic C'boas

The Pony
Looks like an Indonesian kid just resetting his DSL modem to get a new IP.  We have 8 active clients (confirmed ID) on that range - looks like you might just have to keep an eye out for that guy.
 

Aldryic C'boas

The Pony
Not everyone tries to fit the "low end" niche.  Some folks, such as Nick there, provide quality service and just happen to have a few pricing points that are considered "low end".. which I feel diminishes the value of the product.  Cramming 80+ 2G VMs on a single node is low end.. the providers not interested in the whole top#/RAM race/etc mess simply provide normal service.  Don't make assumptions on his budget and operation based on the price points of a couple of his plans.
 

jarland

The ocean is digital
I've been getting nothing but trash lately originating from that same ISP. Injection attempts when I have non-client tickets on (for presales) and fraudulent orders when I turn those off. Someone over there seems to be really motivated for little potential return.
 

Aldryic C'boas

The Pony
I've been getting nothing but trash lately originating from that same ISP. Injection attempts when I have non-client tickets on (for presales) and fraudulent orders when I turn those off. Someone over there seems to be really motivated for little potential return.
Heh, well, there's more to the situation than meets the eye.  I'll PM you and Nick, since stating openly would tip off the kids involved.
 

Nick_A

Provider of the year (2014)
Yeah, I don't really need to waste time calling anyway since the PayPal account owners typically file an unauthorized payment claim within a few hours of them ordering. It's so obnoxiously obvious when these people place orders that I'm just shocked they continue to try.
 

drmike

100% Tier-1 Gogent
Yowzers.  Glad you folks are powwowing about the perp(s).  Sounds like multiple levels of attacks and quite a few compromised PayPal accounts.
 

A Jump From Let

New Member
That looks like a Wireless ISP in Indonesia. Banning that entire /24 subnet might end up being counterproductive. Instead you could just make a quick phone call to verify when you get an order from an IP in that range.
That's why banning IP ranges is not an exact option; some ISPs worldwide have clients connecting through NAT or anyway leading to vast use of the same IP.
 

vRozenSch00n

Active Member
The 114.79.13.0/24 subnet belongs to the fastest and cheapest prepaid wireless provider in Indonesia, and yes, there are many hacker clubs in Indonesia, which makes other legit users have to swallow the bitter pill.

One of the problems in Indonesia: many people here are still unaware of identity theft.

Due to the very tough competition, many financial institutions use third-party marketers to sell credit cards in malls and public areas. Most of these marketers are paid a minimum for transport and meals, and $5 - $10 for every approved credit card.

If we are interested in having a new credit card and we already have one from another bank, usually the marketer helps us fill in the form and asks us for a photocopy of the front and back of our existing credit card and ID card (they even "help" us copy our cards at a nearby photocopy shop).

By providing a copy of our existing credit card, there will be no on-site verification of our address, therefore many people tend to choose this method.

Now imagine. They have all our personal data in the form along with a copy of our existing credit card and ID card. Another scary scenario: the possibility that they copy our credit card using a skimmer when they "help" us make a photocopy of our cards.

There are many more, but I think the brief explanation might give a picture of why Indonesia is known as one of the most high-risk countries in on-line transactions. :(
 

ChrisM

Cocktail Enthusiast
Verified Provider
It seems at least twice a week I receive a fraudulent order from the 114.79.13.0/24 subnet. It's always someone paying with a compromised PayPal and not using a coupon. They usually have "Angga" somewhere in their name, but it varies between first and last name. Has anyone else seen repeated fraud from that IP block? I banned the entire /24 but it turned out that at least one legitimate customer also had an IP in that range :/
When I ran URPad and the other FTN brands we had similar issues. The order would come under an Indonesian IP and usually a US address (sometimes UK or Greece) and always somehow seemed to get by MaxMind even with country mismatch set.
 

KuJoe

Well-Known Member
Verified Provider
Does their PayPal address match their client address?

Check -> Tick this box to request a shipping address from a user on PayPal's site
Check -> Tick this box to force using client profile information entered into WHMCS at PayPal

Additionally, if you are adept at regex I can provide you my duplication IP detection hook and you can alter it to send you an e-mail when somebody in that IP range signs up.
 
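An added sketch of the alert-instead-of-ban idea raised in this thread; it is not KuJoe's hook and not WHMCS code. The `Order` fields, the `id_verified` flag and the sample orders are assumptions constructed for illustration; the signals (the /24, PayPal, no coupon, "Angga" in the name) are the ones posters describe above.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Range named in the thread: watched for review, not banned, because
# legitimate customers share it.
WATCHED_NETS = [ipaddress.ip_network("114.79.13.0/24")]

@dataclass
class Order:  # hypothetical order record, not a WHMCS structure
    name: str
    ip: str
    gateway: str
    coupon: Optional[str] = None
    id_verified: bool = False  # assumed flag: customer already passed an ID check

def review_reasons(order: Order) -> list:
    """Return reasons to hold an order for manual review (empty list = none)."""
    try:
        addr = ipaddress.ip_address(order.ip.strip())
    except ValueError:
        return ["unparseable signup IP"]
    # Dual-stack front ends may log IPv4 clients as ::ffff:a.b.c.d.
    mapped = getattr(addr, "ipv4_mapped", None)
    if mapped is not None:
        addr = mapped
    if not any(addr in net for net in WATCHED_NETS):
        return []
    if order.id_verified:  # known-good customer on the shared range
        return []
    reasons = [f"signup IP {addr} is in a watched range"]
    if order.gateway.lower() == "paypal":
        reasons.append("paid via PayPal")
    if not order.coupon:
        reasons.append("no coupon used")
    if "angga" in order.name.lower():
        reasons.append('name contains "Angga"')
    return reasons

def decide(order: Order) -> str:
    """Hold for a human to look at rather than rejecting outright."""
    return "hold_for_review" if review_reasons(order) else "accept"

# Constructed sample orders (not real data).
SAMPLES = [
    Order("Angga Example", "114.79.13.25", "paypal"),
    Order("Existing Client", "114.79.13.80", "paypal", "SAVE10", True),
    Order("Other Person", "203.0.113.7", "paypal"),
]
if __name__ == "__main__":
    for o in SAMPLES:
        print(o.name, decide(o), review_reasons(o))
```

The reasons list is what would go into the notification e-mail, so whoever reviews the order sees why it was held.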

ChrisM

Cocktail Enthusiast
Verified Provider
Does their PayPal address match their client address?

Check -> Tick this box to request a shipping address from a user on PayPal's site
Check -> Tick this box to force using client profile information entered into WHMCS at PayPal

Additionally, if you are adept at regex I can provide you my duplication IP detection hook and you can alter it to send you an e-mail when somebody in that IP range signs up.
Unfortunately this wouldn't protect those accepting PayPal alternatives.
 

qps

Active Member
Verified Provider
We just got a fraud order from the same subnet. Guess he got tired of harassing Ramnode and decided to harass us instead...
 

MartinD

Retired Staff
Verified Provider
I've been fighting them off for a week and have refunded one quite literally 20 minutes ago.

It's getting mighty annoying!
 