Got scammed on Amazon.com. So I DOXed him. What next?

[Czestnut]

I posted this on my personal FB page, but since my friend circle may not have hacker types like me, I thought I'd share here.

It started December 9th, with an oddly named seller, selling an IPS191 for $500 USD new, that I wanted to upgrade to from my TG-T3.  Hot price as it's about 3 bills lower than the next seller.

" Something looked fishy about seller's name. Emailed seller. OK. Called Amazon, and they said they were OK. Ordered. Order got cancelled. Email from seller said something wrong with Amazon, asks for mailing address. Smells fishy. I have a feeling they'll ask for CC number over phone or email, or other means outside of the peace of mind Amazon's payment transaction process. "

Seller profile: https://www.amazon.com/sp?_encoding=UTF8&asin&isAmazonFulfilled=0&isCBA&marketplaceID=ATVPDKIKX0DER&orderID=102-0854584-7282609&seller=A23LTITFB72MZ2&tab&vasStoreID "

BLACK FRIDAY OFFERT!B_efore buyIng let me know at: mdkstore24#gmail .COM(Please change the # to AROUND) storefront

Just launchedNo feedback yet"

 

What's really odd is that I called Amazon regarding this seller on the phone, and they assured me he's legit, stating the rigorous process to validate good dealers on their platform.  So I ordered it.

Then it got CANCELLED

 

 

 

[Czestnut]

..and I get an email

[Czestnut]

So I play along with it and send him my ship-to, which is my brother's in NC since I'll be spending my holidays there in a week. Then last night I get this email.

[Czestnut]

Amazon bank transfer????? LMAO! Madrid? ROTFL!
So I check out if it was really sent from Amazon as well as hovered over the click here for assistance... and gives me a phishy domain.
So next I do a WHOIS, and omg, the scammer just created the domain THE SAME DAY!  This guy just spent money on a domain and email address for my $500. 

[Czestnut]

So I decide to DOX him further.   Did some more digging, and BINGO!

 

[Czestnut]

So now I have his name, phone number, and his address... yeah, he lives in a ghetto apartment building: https://www.google.ca/maps/place/Ringslebenstraße+78,+12353+Berlin,+Germany/@52.4178141,13.4456521,267m/data=!3m1!1e3!4m5!3m4!1s0x47a845b791020eed:0x99a6b196bfc573db!8m2!3d52.41802!4d13.44605

So looking up his name, along with his social media sites, also found another email address  rimowals@web.de 

So, what should I do next?  Call him?  Anyone speak German and calls him " We're the police and come to the station and talk to us, you have 2 hours" or whatever?

[Mono]

How do you know the person registering the domain didn't just use this identity unauthorized?

[Donafello]

We deff need to call him. Im doing it now

[Keith]

I can assure you this is happening a lot on Amazon - and Amazon don't seem to give a toss.

I wanted a good pair of binoculars for my holiday and one company had a "shop soiled" pair for half the usual price, unfortunately  they quoted 7-15 days for delivery form Germany to U.K. The latter would be too long so I emailed to ask if I could pay to expedite, the company ignored me and the bins disappeared the next day.

After waiting the requisite time for a reply, I complained to Amazon at the poor service of a brand new company and the next day the whole company had gone. Amazon failed to reply to my complaint. The day after a completely different company was selling the same bins on Amazon, same price, same write up - word for word, I then noticed the "please email us at this address before you raise your order on Amazon" blurb and the penny dropped that they were nothing more than crappy fishers trying to get your card details. I reported the new company to Amazon and the next day they disappeared, Amazon couldn't be bothered to reply to me though. The next day the bins appeared again but his time with a company with a good reputation, closer look though showed it was a company that got its reps for selling organic food products and all feedback stopped a year ago, except for two very pi$$ed of customers who had been scammed that very day, so this time the sh*ts had hijacked another companies I.D., I reported it again. Again they disappeared the next day and Amazon failed to respond to me. I eventually found a reputable dealer on Amazon, at nearly twice the bait price but by now I had so little time I had to pay through the nose for next day delivery, that transaction went well.

By the way, when I tried to put negative feedback on these sh*t companies,Amazon refused to allow it. 

Bottom line is it took less than a day for crooks to get another listing on Amazon, and Amazon's thanks to me was to ignore me completely. I now buy as little as I can from them.

[Czestnut]

11 minutes ago, Mono said:

How do you know the person registering the domain didn't just use this identity unauthorized?

He registered the @marketplace-orders-amazon.com domain just minutes before I received his email from that domain.

[Mono]

2 minutes ago, Czestnut said:

He registered the @marketplace-orders-amazon.com domain just minutes before I received his email.

How does that show that it was not identity theft? I understand the person who mailed to you is very likely the same who opened the domain, but how do you know this person didn't steal an identity to do all this?

[Czestnut]

I just found another guy he tried to scam: https://www.scamwarners.com/forum/viewtopic.php?f=6&p=314326

 

4 minutes ago, Mono said:

How does that show that it was not identity theft? I understand the person who mailed to you is very likely the same who opened the domain, but how do you know this person didn't steal an identity to do all this?

Have you seen where he lives?

[Mono]

22 minutes ago, Czestnut said:

Have you seen where he lives?

yes. AFAIK most people in this world don't live in their own house. That's how you know he was not a victim of identity theft? Maybe @Donafello knows more by now. 

[Donafello]

tried calling on skype and whatsapp. no answer. I can tell you this if he did, he was going to be in for treat. 

[Tilmann]

21 minutes ago, Mono said:

yes. AFAIK most people in this world don't live in their own house. That's how you know he was not a victim of identity theft? Maybe @Donafello knows more by now. 

A quick web research (never been there) on that residential address does not turn up anything alarming. Looks like a cheaper residential neighborhood on the outskirts of Berlin, but I could not find any indications for an above average crime rate or social tensions.

What does not compute is the phone number. It's for a wireline connection, so it points to a particular geography. The area code +49 7424 ... is assigned to some small towns south of Stuttgart, some 700km in the south west of Berlin. There could be a legit explanation for this, but it looks odd.

[Mono]

18 minutes ago, Donafello said:

tried calling on skype and whatsapp. no answer. I can tell you this if he did, he was going to be in for treat. 

Just for clarity: he didn't do anything illegal we know of, right? We suspect he would have tried to rip off 500 bugs, if it was him, and that's it, or did I miss something?

[Hunka Hunka Burning Love]

<bows in respect>    I hereby pass on my Sherlock Holmes investigator hat to my fellow Canadian brethren, @Czestnut.

<Casually activates TOR browser and turns on VPN mode>

[Donafello]

1 minute ago, Hunka Hunka Burning Love said:

<bows in respect>    I hereby pass on my Sherlock Holmes investigator hat to my fellow Canadian brethren, @Czestnut.

Yeah if I ever need someone tracked down or a investigator i will be messaging @Czestnut

[Czestnut]

39 minutes ago, Tilmann said:

What does not compute is the phone number. It's for a wireline connection, so it points to a particular geography. The area code +49 7424 ... is assigned to some small towns south of Stuttgart, some 700km in the south west of Berlin. There could be a legit explanation for this, but it looks odd.

Hmmm... maybe I'll ask my boss to call him.  His office is in Boblingen.

14 minutes ago, Hunka Hunka Burning Love said:

<bows in respect>    I hereby pass on my Sherlock Holmes investigator hat to my fellow Canadian brethren, @Czestnut.

I've work in IT for 30 years now, 21 at HP

[Tilmann]

13 minutes ago, Czestnut said:

Hmmm... maybe I'll ask my boss to call him.  His office is in Boblingen.

That's most likely a dead end road: I found the number listed for the FAX line of a seemingly unrelated company: 

LI-Germany, Inh. Vladimir Vukas
Konrad-Adenauer-Straße 1
78549 Spaichingen
Deutschland
Telefon: 07424/703 49 90
Telefax: 07424/9582234
E-Mail: info@li-germany.de
Umsatzsteuer-Ident.Nr.: DE 249972020

Source: https://www.li-germany.de/bestellvorgang/agb/, see also http://www.regional.de/location/100061500/Hotel-Restaurant-Kreuz-Spaichingen-Spaichingen/Tuttlingen

[Czestnut]

Well done Tilmann.

I checked the email headers for an analysis of the originating IP address, and it does seem to come from the Berlin area.

 

[rayna903]

oh, yes, there are many thing happened. we should be careful when we buy things on the website. this is our offical website on amazon:  https://www.amazon.co.uk

thanks.