I initially found this site: http://www.discounts-webstore.com/ while looking for cell phones to purchase for resale. In preparation for an order I sent an email to customer service asking if the unlocked Motorola V3's they were selling were new with retail packaging. I very promptly received this answer from (sales@discountsweb-encrypted.com):
#################################################
Hello,
All the products are brand new, packed in the original
boxes, and come with all standard manufacturer
accessories.
You will receive with your package the manufacturer
international certificate of warrant.
Also we have a 30 days money back guarantee program
for all the products in our store.
Best Regards,
Michael Connelly
Customer Service Department
Discounts Webstore, Inc.
Phone: +1 877-237-0241
Fax: 407-264-8924
http://www.discounts-webstore.com
#################################################
Now satisfied that the products were in saleable condition, I began the order process through the website. To my dismay, they only seemed to support Western Union... NOT GOOD. So I followed up by sending Mr. Connelly a new email with the following:
#################################################
I would like to place an initial order for 20 x unlocked Black RAZR V3's, but the only payment option is Western Union. I am not comfortable with that payment method. What other payment methods do you support? I would prefer to pay with a corporate credit card until I am comfortable doing business with your firm. If there is an additional fee associated with accepting a credit card, I would be willing to pay it. If you accept other forms of payment such as wire transfer, etc. I would consider that as well.
##################################################
In response, Mr. Connelly sent me this response:
##################################################
Hello,
We also accept credit cards but the price for your
products will be double.
We manage to offer our customers these low prices
only by using Western Union Money Transfer Service®
(Money in Minutes) as payment method and the minimum
order policy.
So, we use WU for taxes purposes.
Best Regards,
Michael Connelly
Customer Service Department
Discounts Webstore, Inc.
Phone: +1 877-237-0241
Fax: 407-264-8924
http://www.discounts-webstore.com
#################################################
This is the weakest response I have ever seen from a vendor. This guy is definitely a scam. Look at the way he continues to push the Western Union bit. Anyway, in response I sent him:
#################################################
ROFLOL. You have to do better than that. BTW, how is Penang this time of year?
#################################################
If he actually responds I'll post it here. BTW, here's the whois on the domain he is using for his email address (again we see the funky washington street address in Orlando):
[whois.melbourneit.com]
Domain Name.......... discountsweb-encrypted.com
Creation Date........ 2006-10-30
Registration Date.... 2006-10-30
Expiry Date.......... 2007-10-30
Organisation Name.... Discounts Dotcom
Organisation Address. 31 W Washington St
Organisation Address.
Organisation Address. Orlando
Organisation Address. 32856
Organisation Address. FL
Organisation Address. UNITED STATES
Admin Name........... Discounts Dotcom
Admin Address........ 31 W Washington St
Admin Address........
Admin Address........ Orlando
Admin Address........ 32856
Admin Address........ FL
Admin Address........ UNITED STATES
Admin Email.......... discountsdd@yahoo.com
Admin Phone.......... +1.4072536589
Admin Fax............
Tech Name............ YahooDomains TechContact
Tech Address......... 701 First Ave.
Tech Address.........
Tech Address......... Sunnyvale
Tech Address......... 94089
Tech Address......... CA
Tech Address......... UNITED STATES
Tech Email........... domain.tech@YAHOO-INC.COM
Tech Phone........... +1.6198813096
Tech Fax.............
Name Server.......... yns1.yahoo.com
Name Server.......... yns2.yahoo.com
##############################################
Interesting to note that his advertised fax number is a land based line that belongs to South Central Bell.
BTW, on Monday when I get back to the office I will pull up the full headers for the email we exchanged and see if I can figure out where he is sending his email from. This should give us at least an idea of where in the world he is located. Potentially, we may be able to identify his ISP. I have a strong feeling that since he's hosting this crap with Yahoo, that he is likely using the webmail interface they provide. Hopefully, that is not the case - but we will see.
BTW, here is the Apnic info for the IP address his www.discounts-webstore.com is being hosted from:
First we start with a simple nslookup:
Non-authoritative answer:
Name: www.discounts-webstore.com
Address: 203.121.73.198
Arin tells us this IP belongs in Asia and therefore can be queried using Apnic. This is what Apnic tells us:
% [whois.apnic.net node-1]
% Whois data copyright terms http://www.apnic.net/db/dbcopyright.html
inetnum: 203.121.64.0 - 203.121.127.255
netname: TIMETELEKOM
descr: TIME Telecommunications Sdn Bhd
descr: Kuala Lumpur
country: MY
admin-c: AM59-AP
tech-c: SM139-AP
remarks: -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+
remarks: This object can only be updated by APNIC hostmasters.
remarks: To update this object, please contact APNIC
remarks: hostmasters and include your organisation's account
remarks: name in the subject line.
remarks: -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+
mnt-by: APNIC-HM
mnt-lower: MAINT-MY-TTNET
mnt-routes: MAINT-MY-TTNET
changed: hostmaster@apnic.net 20000510
changed: hostmaster@apnic.net 20010712
status: ALLOCATED PORTABLE
changed: hm-changed@apnic.net 20040708
source: APNIC
person: Azmy Mohamad Yusof
nic-hdl: AM59-AP
e-mail: azmy@isp.time.net.my
e-mail: abuse@isp.time.net.my
address: TIMEdotNet Bhd
address: Level 3, Lot 14 Jalan U1/26 Glenmarie HICOM Industrial Park 40000
address: Shah Alam Selangor Malaysia
address: [abuse] abuse@isp.time.net.my
phone: +6-03-50326131
fax-no: +6-03-50326204
country: MY
changed: azmy@isp.time.net.my 20030217
mnt-by: MAINT-MY-TTNET
source: APNIC
person: Sabariah Mohd Norahim
nic-hdl: SM139-AP
e-mail: sabariah@isp.time.net.my
e-mail: abuse@isp.time.net.my
address: TIMEdotNet Bhd
address: Level 1, Lot 14
address: Jalan U1/26 Glenmarie HICOM
address: Industrial Park 40000 S.Alam
address: Selangor
address: Malaysia
phone: +6-03-50326200
fax-no: +6-03-50326204
country: MY
changed: sabariah@isp.time.net.my 20030217
mnt-by: MAINT-MY-TTNET
source: APNIC
############################################
So, this is interesting because his scam website is being hosted out of Kuala Lumpur, MY.
BTW, if you browse to http://203.121.73.198 you will get the default apache install page for his webserver. It seems he has this server configured for name based hosting and never replaced the default page associated with the IP. VERY SLOPPY. BTW, if you want to have some fun, his website administration page should be located at http://203.121.73.198/cpanel or http://203.121.73.198:2082. Of course, you will need to get past his admin username and password.
#############################################
A SYN scan of his webserver reveals the following:
C:\Program Files\Nmap>nmap.exe -sS 203.121.73.198
Starting Nmap 4.11 ( http://www.insecure.org/nmap ) at 2006-11-11 10:55 Eastern Standard Time
^C
C:\Program Files\Nmap>nmap.exe -sS -vv 203.121.73.198
Starting Nmap 4.11 ( http://www.insecure.org/nmap ) at 2006-11-11 10:56 Eastern Standard Time
DNS resolution of 1 IPs took 1.76s.
Initiating SYN Stealth Scan against 203.121.73.198 [1680 ports] at 10:56
Discovered open port 443/tcp on 203.121.73.198
Discovered open port 80/tcp on 203.121.73.198
Discovered open port 53/tcp on 203.121.73.198
Discovered open port 21/tcp on 203.121.73.198
Discovered open port 25/tcp on 203.121.73.198
Discovered open port 465/tcp on 203.121.73.198
SYN Stealth Scan Timing: About 22.02% done; ETC: 10:59 (0:01:46 remaining)
Discovered open port 143/tcp on 203.121.73.198
Discovered open port 995/tcp on 203.121.73.198
Discovered open port 110/tcp on 203.121.73.198
Discovered open port 993/tcp on 203.121.73.198
Discovered open port 631/tcp on 203.121.73.198
The SYN Stealth Scan took 79.19s to scan 1680 total ports.
Host 203.121.73.198 appears to be up ... good.
Interesting ports on 203.121.73.198:
Not shown: 1666 filtered ports
PORT STATE SERVICE
20/tcp closed ftp-data
21/tcp open ftp
25/tcp open smtp
26/tcp closed unknown
53/tcp open domain
80/tcp open http
110/tcp open pop3
143/tcp open imap
443/tcp open https
465/tcp open smtps
631/tcp open ipp
993/tcp open imaps
995/tcp open pop3s
3306/tcp closed mysql
Nmap finished: 1 IP address (1 host up) scanned in 84.141 seconds
Raw packets sent: 3349 (147.336KB) | Rcvd: 1068 (43.216KB)
##########################################
I didn't bother with a UDP scan because they tend to be non-deterministic, but it is interesting to note that he is running a mailserver on port 25. Here's the output of a banner grab to that service:
220-server466.pizda-store.com ESMTP Exim 4.52 #1 Sat, 11 Nov 2006 11:00:16 -050
220-We do not authorize the use of this system to transport unsolicited,
220 and/or bulk e-mail.
500 unrecognized command
500 unrecognized command
500 unrecognized command
500 Too many unrecognized commands
Connection to host lost.
#################################################
Hmmmm.... ESMTP? It looks like he's running a sendmail compatible mail relay. This is a nice idea if you want the opportunity to "wash" the email you send. This is not a common setup for a webstore front. I would have expected to find sendmail or equivalent here. Not a blatant mail relay. Anyway, we continue. What's this pizda-store.com domain? Yet another whois:
[whois.estdomains.com]
Registration Service Provided By: YOUR WEB POINT - E-GOLD DOMAIN REGISTRATIONS
Contact: +7.3843464245
Website: http://www.yourwebpoint.com
Domain Name: PIZDA-STORE.COM
Registrant:
Discounts Webstore Inc.
Discounts Webstore Inc. (karri.scrugs@gmail.com)
31 W Washington St
Orlando
FL,32856
US
Tel. +001.8772370241
Creation Date: 11-Oct-2006
Expiration Date: 11-Oct-2007
Domain servers in listed order:
34157.managedns4.estboxes.com
34157.managedns3.estboxes.com
34157.managedns2.estboxes.com
34157.managedns1.estboxes.com
Administrative Contact:
Discounts Webstore Inc.
Discounts Webstore Inc. (karri.scrugs@gmail.com)
31 W Washington St
Orlando
FL,32856
US
Tel. +001.8772370241
Technical Contact:
Discounts Webstore Inc.
Discounts Webstore Inc. (karri.scrugs@gmail.com)
31 W Washington St
Orlando
FL,32856
US
Tel. +001.8772370241
Billing Contact:
Discounts Webstore Inc.
Discounts Webstore Inc. (karri.scrugs@gmail.com)
31 W Washington St
Orlando
FL,32856
US
Tel. +001.8772370241
############################################
Nothing new there. Let's look at his FTP service:
C:\Program Files\Nmap>ftp 203.121.73.198
Connected to 203.121.73.198.
220---------- Welcome to Pure-FTPd [TLS] ----------
220-You are user number 1 of 50 allowed.
220-Local time is now 11:04. Server port: 21.
220-This is a private system - No anonymous login
220-IPv6 connections are also welcome on this server.
220 You will be disconnected after 15 minutes of inactivity.
User (203.121.73.198:(none)): ftp
530 This is a private system - No anonymous login
Login failed.
ftp>
ftp> bye
################################
Well, it doesn't look like he's doing much in terms of file transfers, but it's interesting to note that anonymous ftp is disabled, we're the only user connected, and he's running Pure-FTPD. Unfortunately, we don't know the version. =(
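The header check planned above (working out where the mail was sent from, and whether a webmail interface hides that) can be done as in this added example, which is not part of the original post. The sample headers, the hostnames and the `trace` and `first_ip` helpers are constructed for illustration; only hops written by your own mail servers are treated as trustworthy.

```python
import email
import ipaddress
import re

# Constructed sample (not from the original post); IPs are RFC 5737 documentation ranges.
SAMPLE = """\
Received: from mx.recipient.example (mx.recipient.example [198.51.100.10])
\tby mail.recipient.example with ESMTP; Sat, 11 Nov 2006 09:00:05 -0500
Received: from web-out.webmail.example (web-out.webmail.example [203.0.113.25])
\tby mx.recipient.example with SMTP; Sat, 11 Nov 2006 09:00:03 -0500
Received: from [192.0.2.77] by web-out.webmail.example via HTTP;
\tSat, 11 Nov 2006 06:00:01 -0800
X-Originating-IP: [192.0.2.77]
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
BY_RE = re.compile(r"\bby\s+([\w.-]+)")
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def first_ip(text):
    """Return the first bracketed, non-internal IPv4 address in text, or None."""
    for ip in IP_RE.findall(text or ""):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:                      # malformed octets such as 999.1.1.1
            continue
        if not any(addr in net for net in INTERNAL):
            return ip
    return None

def trace(raw, trusted_suffix):
    """Separate hops recorded by our own servers from sender-supplied ones."""
    msg = email.message_from_string(raw)
    result = {"handoff_ip": None, "unverified_ips": [], "webmail": False,
              "x_originating_ip": first_ip(msg.get("X-Originating-IP"))}
    trusted = True
    for hdr in msg.get_all("Received", []):     # newest hop first
        flat = " ".join(hdr.split())            # unfold continuation lines
        by = BY_RE.search(flat)
        trusted = trusted and bool(by) and by.group(1).endswith(trusted_suffix)
        ip = first_ip(flat)
        if trusted:                             # written by our own infrastructure
            result["handoff_ip"] = ip or result["handoff_ip"]
        else:                                   # everything older can be forged
            result["webmail"] |= " via HTTP" in flat or " with HTTP" in flat
            if ip:
                result["unverified_ips"].append(ip)
    return result
```

`handoff_ip` is the only address your own server vouches for; with webmail it is the provider's outbound relay, and the client address appears only if the provider chose to record it.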