Once or twice per month, we receive a hosting request from out-of-state. The names and intentions of the sites are unfamiliar, and there's sometimes missing data, but we receive complete and valid address and credit card information. Invariably, these are fraud victims.
The seemingly-valid credit card information used to initiate the account with us was obtained from a previous success at phishing. I'm certain that if we set up the hosting account, it will be used to host another phishing site. We would host a Citibank or a Wells Fargo replica, or possibly have our servers used for mass mailings demanding a log in and personal information to correct a "corrupted database" or to verify suspicious account activity. Unsuspecting account holders would then use our servers to supply their personal and account information, and then our servers would be used to store or relay this data to our malicious clients. Until we find out - on our own or through a legal or law-enforcement entity - and stop it.
This is precisely why we don't auto-approve new accounts.
I admit that I was kind of excited the first time this happened. First, we're small enough that it feels good to be noticed. I was curious about how they would go about their misdeeds, and I was tempted to set up hosting for them somewhere outside of our production network. But I didn't have the time to set up a whole new honeypot environment, so I let it pass.
Now, it's just old.
They've gotten pretty sophisticated. It used to be Mrs Mabel Johnson in Florida, who hails from m4ster0p@yahoo.com. I could call poor Mabel, describe the situation, and ask her to call her credit card company. But now they don't include valid phone numbers, or the phone numbers dump to voicemail.
Which means I have to choose between letting it go and reporting it to the card holder's financial institution. If I let it go then the victim's card is just gong to be used somewhere else. If I decide to report it, I lose 20 minutes of my life wading through phone trees.
All we know about a card is that it's a "visa" or a "mastercard". Unfortunately, there's no such thing as customer service or fraud reporting at that level. The care and feeding of these cards is in the hands of the issuing financial institution, and until I can sleuth out who that is there's little I can do. After a lot of legwork, I have come up with the following numbers:
- Visa issuing bank numbers: (800) 847-2750 #2
- Mastercard issuing bank numbers: (800) 622-7747 #1, #2
After providing the card number at the above hotlines, you can get the phone number for the customer service department of company that issued the card. Now, you're faced with phone tree madness at that institution. Some are better than others, but for such a non-standard request, you need to get to a human being. I found it nigh impossible to get to a CSR at Wells Fargo, without being able to validate the checking account number attached to my stolen check card.
I'm happy we have never perpetuated fraud, and I can only hope that it becomes easier to stop it.
