Tracking down a puppy scammer

by in Security

Every day, we hear about huge corporate scams; those where adversaries are able to stealthily drain private information and large amounts of money from unsuspecting companies. And every day, people think, "That would never happen to me." But scams happen everywhere, and on every level. 

Puppy scam.pngLooking for a puppy
My wife and I decided that we really wanted a French Bulldog puppy. While we are familiar with purchasing puppies from legitimate breeders, we decided to take a look at local Frenchies so that we could visit the dog and check everything out before we made the purchase. Seems there were plenty of classifieds for puppies. While French Bulldogs normally range from $2000 and up, we saw a LOT of classified ads for $350 and $400. Beyond the price, right away we noticed there were red flags. But hey, I like to live dangerously so let's play along and see how this works. 

Red flags
We saw several red flags that made it fairly easy to determine that they were not legit ads. 

Text us your email address
The seller did not want us to call or request a call back, but insisted on getting our email address. Normally, this may not be too bad, as breeders and sellers want to send you all the details of the puppies. However, I did a reverse lookup on the number and saw it was tied to a cloud-based voice service called Enflick; not an actual cell phone carrier. So the location of the seller could not be determined from that. All of the scam ads I researched used this same service. 


The Pitch 
I set up a fake email account and texted it to the seller. All of the sellers I reached out to had a similar format. The scammer plays on your emotions, hooking you into their story that they have a new job or moving and can't take the dog with them.  They tried to convince me how legitimate they were and how concerned they were for the safety and health of the puppy. So they really needed to know everything about me. My home location, family info, experience with pets, etc.  The emails where all written in broken English ala "Nigerian email" scams. Odd right? Since all of the ads claimed they were from US locations.


Stolen images

I suspect these were probably stock or "borrowed" images; just so cute!  They all looked like they were done at Puppy Glamour Shots (is that a real thing?). Using a reverse image search site, I found that the same images were being used on as many as 20 different sites


The scam
     I used one of my test subjects and I carried it through to the actual scam. Here is where they need payment in advance to deliver the puppy. A total of $650 for a $2000 puppy, what a deal!

Scamming the scammer
     My curiosity got the better of me and I wanted to know more about where the emails were really coming from, so I set up a web page to capture and log incoming IP addresses. From the IP address, I was able to narrow in on a general location of the user. I also had some fun with the scammer while I was at it.  


I then sent a response to all of the scammers letting them know I was interested in their puppies. I was sure to include a link to my "family" website which contained pictures of our house and family so they know the puppy is going to a good home. PS6.png

To my surprise, all of the scammers actually clicked the link which gave me what I was looking for.  Turns out every one of them were located in foreign countries.  Here is a sample: PS7.png

How big is this scam?
It only took a quick search for "puppy scams" to see how amazingly rampant this actually is. Even more surprising, was how many people fell for it. Story after story of people giving the scammers Western Union payments for their puppy only to have it not show up. However, not all ads are scams. There are plenty of honest people and breeders looking to sell their cuddly puppies. Here are some things to look for: 

  1. Make sure to look for any of the red flags mentioned above, especially the extra low price.
  2. The seller should have no problem letting you see the puppy in person.
  3. Sellers often times have a website to see more information about the puppies.
  4. Ask breeders for references to other buyers of their puppies.
  5. Ask for a phone number to their veterinarian as well as the medical history.

One of the scammers actually emailed me back after clicking on my link.  Here was their response:  


 So if that's the case, then it should be perfectly legit :) </sarcasm> 


Ray Kelly, Fortify On Demand Research. Follow me on Twitter: @vbisbest


Application security