Pablo Hoffman

Introduction

A friend of mine told me he found a guy from Italy who propose to sell him stuff at $200. The weird thing was that this same stuff was at $1000 in ebay, lowest price. So, something is clearly wrong here. To begin with, if he's so desperate he could just have sold the stuff to somebody in his country.

So this guy told my friend that he would send him the stuff through some shipping company called Dorpa (http://dorpa.com) . By the time my friend asked the guy "Why dorpa?. Send it through UPS". he answered: "because it's cheaper!!!. I ALLREADY SEND IT!". My friend started to became worried of losing the deal so he asked my advice because some things "just didn't fit" for him.

Starting point

So, where to begin looking for a scam?. The dorpa.com site of course. I went to that site and it looked pretty much the same as any other company site, which lacked a decent web designer. But that wasn't a reason to believe the site was a scam. Right in the home page it had a Tracking ID box, where you could query shippings. Conveniently enough, if you entered the tracking number my friend recevied it says the "cargo was in its way". No shit!. We must get hurry!

Search engines

The is certainly the first place to begin looking for phishing. So I tried both Google and Alltheweb to find stuff related to dorpa.com. And to my surprise I couldn't find anything about dorpa.com. That was highly suspicious. How come an international shipping company doesn't appear anywhere. I also tried looking for things that related dorpa with phishing like "dorpa phishing", or "dorpa scam". Nothing either.

Netcraft

Okey, next step I pointed my browser to netcraft.com and search for the site http://www.dorpa.com. Netcraft reported that the site was first seen on January 2005 (today is August 2005) and its risk rating for that site was 1/10. So, as long as netcraft was concerned, this site was clean.

Whois information

Next thing I do is issue a whois query to find out more information about the domain. The results follows:

WHOIS information for dorpa.com:

Registrant:
 Dorpa Inc
 47 Belgrave Square
 London,  SW1X 8QB
 UK

Domain name: DORPA.COM

Administrative Contact:
    Dorpa, Inc  support@dorpa.com
    47 Belgrave Square
    London,  SW1X 8QB
    UK
    +4.42074689750
 Technical Contact:
    Dorpa, Inc  support@dorpa.com
    47 Belgrave Square
    London,  SW1X 8QB
    UK
    +4.42074689750

Registrar of Record: TUCOWS, INC.
 Record last updated on 20-Jul-2005.
 Record expires on 28-Oct-2005.
 Record created on 28-Oct-2004.

Domain servers in listed order:
    NS2.MXHOST.NET   64.21.34.57
    NS1.MXHOST.NET   64.21.34.56

Domain status: ACTIVE

Well, what do we have here?. Several things:

• No names or persons in the contact information. Same strange address repeated in all fields. This is against all netiquette rules (and possibly agains law too).
• Look at the domain registration and expiration date. Mmmm. one year registration?. That doesn't look like a site that's gonna last.
• Even more so, look at the domain last updated time?. 20 Jul (this was written on 3 Aug). Seems like the guy who created this domain (whoever he is) was messing around with it recently.
• Finally, looking at the domains server we can see he is hosting his site on mxhost.net whoose page title is: "Free WebHosting - free web hosting, domain name hosting,"

Well, this domain definitely didn't perform very well with the whois test. So, is that it?. Can be say for sure right now that this is a Scam site?. Well, given the kind of company this one is, we can pretty much assure this is a scam by now. The first time you see an international shipping company hosting it's web site for free let me know and I'll remove this paragraph.

Site content

What else?. Is there any other tests available to perform without requiring to contact third parties?. Of course, up until now I haven't looked at the site content. So, I did. And I found the most interesting thing. In the "cargo" section of dorpa.com I found the following photo:

It's easy to see there's no Dorpa banner on this truck whatsoever, just as it's easy to see that there is a phone number written on the truck. What is this phone numbre anyway?. Let's ask the oracle (ie. Google). Wow, guess what?. It's the phone number of another shipping company. And guess what?. It has the same trucks, the same planes and the same boats. Case closed. This a 100% confirmed phishing site.

Whois again (comparison)

Now that we know the real company, we can issue a whois about this domain and compare it to the spurious one. Let's take a look at it:

WHOIS information for shipics.com:

International Courier System,Inc.
   5200 Mitchelldale, Suite D-8
   Houston, TX 77092
   US

Domain Name: SHIPICS.COM

Administrative Contact:
      Ahmed, Shakeel            shakeel@SHIPICS.COM
      International Courier System, Inc.
      5200 Mitchelldale, Suite D-8
      Houston, TX 77092
      US
      (713) 688-4599 fax: (713) 688-3344

Technical Contact:
      Clements, Justin          justin@PORTLAND.CO.UK
      Portland
      5 Portland Avenue
      New Malden Surrey KT3 6AX
      UK
      0961 902429

Record expires on 13-Oct-2006.
   Record created on 14-Oct-1997.
   Database last updated on 3-Aug-2005 11:14:31 EDT.

Domain servers in listed order:

NS1.SWBELL.NET               151.164.1.1
   NS2.SWBELL.NET               151.164.11.218

Clearly, this is a more serious whois information because:

• It contains differente persons in both administrative and technical contact
• The domain is 8 years old (created on 14 Oct 1997)
• The domain servers are not from a "free web hosting" site
• It just seems coherent, though a good scammer could spoof that

Conclusion

I've show you a typical case of Internet phising which doesn't involve tampering with URLs. After going trough all these self-investigation steps I can tell you that it may look that it was pretty obvious from the beginning that this was a scam site but, actually, it wasn't. And when you can a $800 discount deal, there is a lot of pressure for this not being a Scam.

Whichever the case is, you must follow the basic common sense rules which dictate that you should make sure you're not being "phished" before peforming any issue related to money, credit cards or passwords.

Check list

I've compiled a set of rules to follow in order to check the authenticity of an internet site, based on this experience of mine.

• URL address. Check that you really are where you think you are. Address location is the first and most common mode of phishing.
• Google. Search for the URL in Google or Alltheweb. If no one knows it you wouldn't want to be their first costumer :).
• Whois. The whois database can give you a lot of information about a site. Pay special attention to the domain registration and expiration dates, as well as the last domain update time.
• Site content. Look at the site content. Grab some parts of it and search them in Google to find if they're somewhere else. Most scammers don't have time to re-write a site content so they just copy it, which is their doom, well, at least for the people who know this.

Comments

Any comments, corrections, suggestions and improvements to this guide will be greatly appreciated. Just drop them below.