Escrow.com Fraud


Escrow.com Fraud

Postby lms2009 » Sun Jan 25, 2009 5:36 pm

I was recently interested in buying a used car online, and the seller I was in contact with wanted to do the transaction over Escrow.com. The site seemed completely legitimate (I looked at websites such as this one and everything that came up when I put in Escrow.com scams or Escrow scams into a search engine, and all sites said that Escrow.com is a safe escrow site). I still think that it is a safe site, however, I was almost scammed out of my money.

The person I was in contact with went by the name "John Mosec" with email address "mybabyboy1092@yahoo.com". I emailed him many times looking for details on the car and everything he replied was exactly what I wanted to hear (ie. the perfect used car). I signed up with Escrow.com and read everything on the site since I was very suspicious since the beginning. The site seemed fine, a great way to do a transaction. He said he was in the US and would have to come to Canada to show me the car since it was in his garage (the pictures I saw of the car were on the outside of what looked like a parking garage and no license plate could be seen on the back of the car). He said an Escrow.com transaction would make it worth his while since he knew when he came back to Canada I would show up.

After I was signed up as a user on Escrow.com I received an email from the seller saying he started the transaction, followed by two emails from "transactions@escrow.com". The first email I received gave me a transaction number "445321", stated what the merchandise and price were, length of inspection period, etc. The second email I received stated the payment details, which said that I should send cash via Money Gram to escrow representative "Michael Kettler" and I was given the same mailing address as what is given on the Escrow.com website. It also asked me to fax a copy of my receipt to the following phone number "1-206-350-8738". The seller then contacted me and gave me a list of Money Gram locations in my current city of residence and told me he had to select this payment method since it was between the US and Canada and the transaction was less than $5,000. I should also note here that the two emails from "transactions@escrow.com" seemed really legitimate, containing the right escrow.com symbol and address, it seemed very real.

How I found out it was a scam: I had already read through the payment methods that Escrow.com uses and Money Gram was not one of them. I emailed the support address they give on the website and asked about the Money Gram method and I was sent a reply that this was not one of their methods of payment and was told not to wire the money. I had also read an email that was sent to me by "transactionsecurity@escrow.com" when there was a change made to my user account which gave security tips and one of them stated that Escrow.com would never give payment instructions via email. I was pretty confused for two reasons: the address that I was supposed to send the money to was the right Escrow.com address and I was being sent emails from an @escrow.com email address giving me false payment details. So, next I called the company since they give a phone number on their website for users who are suspicious or feel as if someone is going to scam their money. I called this number and told the man who answered the phone the transaction number I was given and he told me not to wire the money and that it was a fraudulent number. I said thank you and was disconnected before I had a chance to say anything else so I called him back and asked if he wanted any details about the emails I received and I was told that they were already working on it.

I think that the company still seems legitimate but am very curious as to why I would be given the right address to send the money to and how the person/people that were trying to scam my money were emailing from an @escrow.com site. I just wrote this to warn others to be very careful, even when dealing with sites that seem legitimate like Escrow.com. Be very questioning and read every email and detail on the website thoroughly.
lms2009
NewBorn
 
Posts: 4
Joined: Sun Jan 25, 2009 4:53 pm

Re: Escrow.com Fraud

Postby lms2009 » Sun Jan 25, 2009 5:51 pm

I just had a look on the Escrow.com website to see if anything changed since the man on the phone told me that they were looking into it. I clicked on a link by accident which was "Why can't I receive emails from Escrow.com?" and read there that transactions@escrow.com is an address that should be added into a user's address book. This makes me much more suspicious of this website since that is the same email address which emailed me false payment details. (I just double checked the spelling and everything.. it was definitely from that email address)
lms2009
NewBorn
 
Posts: 4
Joined: Sun Jan 25, 2009 4:53 pm

Re: Escrow.com Fraud

Postby lightfair » Sun Jan 25, 2009 6:11 pm

Hello;

I need the headers of the two emails. Please post them here. I suspect that either that guy is "piggybacking" on an escrow.com transaction (he started the transaction on escrow.com and then sent the second mail with the payment instructions himself) or something else. As I said, I need the mail headers first. You might want to "XXXXXX" out your own email address.

Escrow.com is indeed legit, however they would never use MoneyGram or something like this (as you already found out). I wouldn't rule out the possibility that you're a victim of a pharming attack - more about this after I had a look at the mail headers (please make sure that those are the "complete headers" or "long headers").
lightfair
Master
 
Posts: 865
Joined: Sat Sep 09, 2006 12:54 pm

Re: Escrow.com Fraud

Postby lms2009 » Sun Jan 25, 2009 7:02 pm

1st:

Return-Path: <mrsivam@jangomail.com>
Received: from mailserv4.its.unb.ca ([131.202.1.27] verified)
by email.unb.ca (CommuniGate Pro SMTP 5.2.10)
with ESMTP id 178962708 for MY EMAIL; Wed, 21 Jan 2009 19:33:44 -0400
Received: from mx1.nbpei-ecn.ca (mx1.nbpei-ecn.ca [198.164.163.194])
by mailserv4.its.unb.ca (8.13.6.20060614/8.13.6) with ESMTP id n0LNXfgm011492
for <MY EMAIL>; Wed, 21 Jan 2009 19:33:44 -0400
Received: from mx1.nbpei-ecn.ca (localhost.localdomain [127.0.0.1])
by localhost (Postfix) with SMTP id BAB9614C398
for <MY EMAIL>; Wed, 21 Jan 2009 19:33:41 -0400 (AST)
Received: from bombay.jangomail.com (bombay.jangomail.com [38.192.4.42])
by mx1.nbpei-ecn.ca (Postfix) with ESMTP id 238E014C35D
for <MY EMAIL>; Wed, 21 Jan 2009 19:33:41 -0400 (AST)
Accreditor: Habeas
X-Habeas-Report: Please report use of this mark in spam to http://www.habeas.com/report/
Message-ID: <2096502282020761@jngomktg.net>
Subject: Transaction 445321 - Started
Sender: "Escrow.com Transactions" <transactions@escrow.com>
From: "Escrow.com Transactions" <transactions@escrow.com>
Date: Wed, 21 Jan 2009 23:33:28 +0000
To: MY EMAIL
X-Priority: 3
Content-Transfer-Encoding: 7bit
MIME-Version: 1.0
X-Mailer: N/A
X-UserID: 209650.228202076
X-VConfig: 1
Content-Type: text/html; charset="ISO-8859-1"
X-PMX-Version: 5.4.6.354141, Antispam-Engine: 2.6.1.350677, Antispam-Data: 2009.1.21.231626
X-PerlMx-Spam: Gauge=XI, Probability=12%, Report='CTYPE_JUST_HTML 0.848, HTML_50_70 0.1, LINK_TO_IMAGE 0, __CT 0, __CTE 0, __CTYPE_IS_HTML 0, __FRAUD_419_MONEY 0, __FRAUD_419_MONEY_VALUE 0, __HAS_HTML 0, __HAS_MSGID 0, __HAS_X_MAILER 0, __HAS_X_PRIORITY 0, __MIME_HTML 0, __MIME_HTML_ONLY 0, __MIME_VERSION 0, __SANE_MSGID 0, __STOCK_PHRASE_24 0, __STOCK_PHRASE_7 0, __TAG_EXISTS_HTML 0'
X-Virus-Scanned: ClamAV version 0.94.1, clamav-milter version 0.94.1 on mailserv4.its.unb.ca
X-Virus-Status: Clean


2nd:

Return-Path: <mrsivam@jangomail.com>
Received: from mailserv4.its.unb.ca ([131.202.1.27] verified)
by email.unb.ca (CommuniGate Pro SMTP 5.2.10)
with ESMTP id 178962800 for (MY EMAIL); Wed, 21 Jan 2009 19:34:46 -0400
Received: from mx1.nbpei-ecn.ca (mx1.nbpei-ecn.ca [198.164.163.194])
by mailserv4.its.unb.ca (8.13.6.20060614/8.13.6) with ESMTP id n0LNYicK011729
for <MY EMAIL>; Wed, 21 Jan 2009 19:34:46 -0400
Received: from mx1.nbpei-ecn.ca (localhost.localdomain [127.0.0.1])
by localhost (Postfix) with SMTP id 24F1C14C395
for <MY EMAIL>; Wed, 21 Jan 2009 19:34:44 -0400 (AST)
Received: from bombay.jangomail.com (bombay.jangomail.com [38.192.4.42])
by mx1.nbpei-ecn.ca (Postfix) with ESMTP id 0716B14C354
for <MY EMAIL>; Wed, 21 Jan 2009 19:34:42 -0400 (AST)
Accreditor: Habeas
X-Habeas-Report: Please report use of this mark in spam to http://www.habeas.com/report/
Message-ID: <2096502282021211@jngomktg.net>
Subject: Transaction 445321 - Payment Details
Sender: "Escrow.com Transactions" <transactions@escrow.com>
From: "Escrow.com Transactions" <transactions@escrow.com>
Date: Wed, 21 Jan 2009 23:34:29 +0000
To: MY EMAIL
X-Priority: 3
Content-Transfer-Encoding: 7bit
MIME-Version: 1.0
X-Mailer: N/A
X-UserID: 209650.228202121
X-VConfig: 1
Content-Type: text/html; charset="ISO-8859-1"
X-PMX-Version: 5.4.6.354141, Antispam-Engine: 2.6.1.350677, Antispam-Data: 2009.1.21.232232
X-PerlMx-Spam: Gauge=XI, Probability=12%, Report='CTYPE_JUST_HTML 0.848, HTML_50_70 0.1, LINK_TO_IMAGE 0, __C230066_P5 0, __CT 0, __CTE 0, __CTYPE_IS_HTML 0, __FRAUD_419_CONTACT_ADDY_B 0, __FRAUD_419_MONEY 0, __FRAUD_419_MONEY_FUNDS 0, __FRAUD_419_MONEY_PAYMENT 0, __FRAUD_419_MONEY_VALUE 0, __FRAUD_419_SUBJ_A 0, __HAS_HTML 0, __HAS_MSGID 0, __HAS_X_MAILER 0, __HAS_X_PRIORITY 0, __MIME_HTML 0, __MIME_HTML_ONLY 0, __MIME_VERSION 0, __SANE_MSGID 0, __STOCK_PHRASE_24 0, __STOCK_PHRASE_7 0, __TAG_EXISTS_HTML 0'
X-Virus-Scanned: ClamAV version 0.94.1, clamav-milter version 0.94.1 on mailserv4.its.unb.ca
X-Virus-Status: Clean


Thanks, please let me know more and if there is anything I should do.. I can see now how you can tell from the headers that this was fraud.
lms2009
NewBorn
 
Posts: 4
Joined: Sun Jan 25, 2009 4:53 pm

Re: Escrow.com Fraud

Postby lightfair » Sun Jan 25, 2009 10:57 pm

Hello and thanks for the headers.

I can say with 99.9% certainty that both mails did NOT come from escrow.com. The giveaway line in both mails is this one:

Received: from bombay.jangomail.com (bombay.jangomail.com [38.192.4.42])
by mx1.nbpei-ecn.ca (Postfix) with ESMTP id 238E014C35D
for <MY EMAIL>; Wed, 21 Jan 2009 19:33:41 -0400 (AST)


That's the originating point. Now, jangomail.com is some kind of mail service provider. I have serious doubts that a company like escrow.com would outsource such a crucial component as sending their own mail. In fact, I have some genuine mails from escrow.com where the originating point looks like this:

Received: from [71.143.242.60] (helo=hotrod.corp.escrow.com)
   by mx43.web.de with esmtp (WEB.DE 4.109 #226)
   id 1Kd9As-0000EK-00
   for <MY EMAIL>; Tue, 09 Sep 2008 21:46:54 +0200


This was a mail from customer service at escrow.com, by the way. I think this makes it very unlikely that your mails came from escrow.com. This also is in tune with the Message-IDs:

Message-ID: <2096502282020761@jngomktg.net>


It's safe to say that both mails did not originate from escrow.com's servers.

Which leads to more questions:

If you log into escrow.com can you actually see your transaction?
Did the scammer (and at this point we can safely assume that this guy is a scammer) send you any files that might have looked like pictures but looked or felt somewhat "funny"?
The reason I'm asking is that escrow.com is very often "pharmed". Here's a wikipedia link that describes this problem: http://en.wikipedia.org/wiki/Pharming

I've seen at least one such pharming attempt involving escrow.com myself; the result is that you type "www.escrow.com" into your browser but you are redirected to a completely different site instead (while the browser would still display "www.escrow.com" in the address bar).
I can't say exactly how all this came about yet (or if this even involved pharming). As far as the mailing address for the payment goes: This was of course to give you a false sense of safety. The scammer would have used a fake passport at the MoneyGram office to pick up the money.

If you have any other details please let us know.
lightfair
Master
 
Posts: 865
Joined: Sat Sep 09, 2006 12:54 pm
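
The header comparison lightfair walks through above, as an added Python example that is not part of the original thread. The function names, the "last two labels" domain heuristic and the `TRUSTED` set (the recipient's own mail path, read off the posted headers) are assumptions made for this illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Headers of the first message as posted in the thread (recipient redacted by
# the poster, scanner headers omitted); continuation lines re-indented so they fold.
SAMPLE = """\
Return-Path: <mrsivam@jangomail.com>
Received: from mailserv4.its.unb.ca ([131.202.1.27] verified)
 by email.unb.ca (CommuniGate Pro SMTP 5.2.10)
 with ESMTP id 178962708 for MY EMAIL; Wed, 21 Jan 2009 19:33:44 -0400
Received: from mx1.nbpei-ecn.ca (mx1.nbpei-ecn.ca [198.164.163.194])
 by mailserv4.its.unb.ca (8.13.6.20060614/8.13.6) with ESMTP id n0LNXfgm011492
 for <MY EMAIL>; Wed, 21 Jan 2009 19:33:44 -0400
Received: from mx1.nbpei-ecn.ca (localhost.localdomain [127.0.0.1])
 by localhost (Postfix) with SMTP id BAB9614C398
 for <MY EMAIL>; Wed, 21 Jan 2009 19:33:41 -0400 (AST)
Received: from bombay.jangomail.com (bombay.jangomail.com [38.192.4.42])
 by mx1.nbpei-ecn.ca (Postfix) with ESMTP id 238E014C35D
 for <MY EMAIL>; Wed, 21 Jan 2009 19:33:41 -0400 (AST)
Message-ID: <2096502282020761@jngomktg.net>
Subject: Transaction 445321 - Started
From: "Escrow.com Transactions" <transactions@escrow.com>
To: MY EMAIL

"""
# Assumption: servers on the recipient's side, whose Received lines can be believed.
TRUSTED = {"unb.ca", "nbpei-ecn.ca", "localhost"}
RECEIVED_RE = re.compile(r"from\s+(\S+)\s+\(([^)]*)\)\s+by\s+(\S+)")

def org_domain(host):
    """Naive organisational domain: the last two labels (fine for .com/.net/.ca)."""
    return ".".join(host.lower().strip(".").split(".")[-2:])

def addr_domain(value):
    return org_domain(parseaddr(value or "")[1].rpartition("@")[2])

def handoff_hop(msg, trusted):
    """Walk Received lines newest-first while the recording server is trusted.
    The last such line names the outside host that handed the mail over;
    anything older is supplied by the sender and can be forged."""
    last = None
    for raw in msg.get_all("Received", []):
        m = RECEIVED_RE.search(raw)
        if not m or org_domain(m.group(3)) not in trusted:
            break
        last = {"helo": m.group(1), "peer": m.group(2), "by": m.group(3)}
    return last

def analyze(raw_headers, trusted=TRUSTED):
    msg = message_from_string(raw_headers)
    hop = handoff_hop(msg, trusted)
    if hop is None:
        raise ValueError("no Received line written by a trusted server")
    ip = re.search(r"\[([\d.]+)\]", hop["peer"])
    # Prefer the name the receiving server looked up over the claimed HELO name.
    host = hop["helo"] if hop["peer"].startswith("[") else hop["peer"].split()[0]
    ev = {"from": addr_domain(msg["From"]),
          "handoff_host": org_domain(host),
          "handoff_ip": ip.group(1) if ip else None,
          "return_path": addr_domain(msg["Return-Path"]),
          "message_id": org_domain(msg.get("Message-ID", "").strip("<> \n").rpartition("@")[2])}
    ev["mismatches"] = [k for k in ("handoff_host", "return_path", "message_id")
                        if ev[k] != ev["from"]]
    return ev

if __name__ == "__main__":
    for key, value in analyze(SAMPLE).items():
        print(f"{key:13} {value}")
```

A mismatch is an indicator to weigh rather than proof on its own, since some organisations do send through third-party mail services; here all three fields point away from the domain shown in From.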

Re: Escrow.com Fraud

Postby lms2009 » Mon Jan 26, 2009 12:51 pm

I could never see a transaction on Escrow.com. I was told in an email that it would not appear until I sent the money (in the fake Escrow emails I believe). The scammer sent a link to pictures, they didn't feel funny to me.. is there anything I should have been looking for? Is it possible that my computer, internet passwords/banking is now unsafe?
lms2009
NewBorn
 
Posts: 4
Joined: Sun Jan 25, 2009 4:53 pm

Re: Escrow.com Fraud

Postby lightfair » Mon Jan 26, 2009 7:08 pm

lms2009 wrote:I could never see a transaction on Escrow.com. I was told in an email that it would not appear until I sent the money (in the fake Escrow emails I believe).


That would be pretty strange in itself, wouldn't it? I mean, after all the whole transaction and everything would have to be set up first (including a way to see the identities of the seller and buyer, the payment instructions, the condition of the merchandise). And all this would become visible just AFTER the money was sent?

So far it appears to me that the scammer just made you register with escrow.com and then sent the fake mails afterwards.

The scammer sent a link to pictures, they didn't feel funny to me.. is there anything I should have been looking for? Is it possible that my computer, internet passwords/banking is now unsafe?


I don't know. From the way it sounds now it doesn't look like a pharming case (in such a case it would have made sense to put the transaction itself on the fake escrow site). But it certainly won't hurt to make a complete scan for any malware.
lightfair
Master
 
Posts: 865
Joined: Sat Sep 09, 2006 12:54 pm

Re: Escrow.com Fraud

Postby Pendragon » Thu Feb 26, 2009 4:03 pm

Hi All... Well, I'm sorry to be able to confirm that this guy is in fact a scammer. (John Mosec)
He just ripped off my 17 yr old daughter for (Can) $2500 for a 2000 Honda civic (Blue). Ad on "KIJIJI.com"
He used the exact M/O as described in the starting post, the only difference was the "Escrow agent's" name... "Michael Safa."
He was supposed to be in California, but the money was received in Chicago. I was too late getting involved to be able to intervene; she had already sent the cash to the "Agent".
He is using different ip addresses for almost every email, with the exception of the "Escrow" emails, which all originate from "Received: from bombay.jangomail.com ([38.192.4.42])"

OrgName: PSINet, Inc.
OrgID: PSI
Address: 1015 31st St NW
City: Washington
StateProv: DC
PostalCode: 20007
Country: US

ReferralServer: rwhois://rwhois.cogentco.com:4321/

NetRange: 38.0.0.0 - 38.255.255.255
CIDR: 38.0.0.0/8
NetName: PSINETA
NetHandle: NET-38-0-0-0-1
Parent:
NetType: Direct Allocation
NameServer: NS.PSI.NET
NameServer: NS2.PSI.NET
Comment: Reassignment information for this block can be found at
Comment: rwhois.cogentco.com 4321
RegDate: 1991-04-16
Updated: 2005-10-05

RTechHandle: PSI-NISC-ARIN
RTechName: IP Allocation
RTechPhone: +1-877-875-4311
RTechEmail: ipalloc@cogentco.com

OrgAbuseHandle: COGEN-ARIN
OrgAbuseName: Cogent Abuse
OrgAbusePhone: +1-877-875-4311
OrgAbuseEmail: abuse@cogentco.com

OrgNOCHandle: ZC108-ARIN
OrgNOCName: Cogent Communications
OrgNOCPhone: +1-877-875-4311
OrgNOCEmail: noc@cogentco.com

OrgTechHandle: IPALL-ARIN
OrgTechName: IP Allocation
OrgTechPhone: +1-877-875-4311
OrgTechEmail: ipalloc@cogentco.com

# ARIN WHOIS database, last updated 2009-02-25 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.

OrgName: PSINet, Inc.
OrgID: PSI
Address: 1015 31st St NW
City: Washington
StateProv: DC
PostalCode: 20007
Country: US
Comment: rwhois.cogentco.com
RegDate:
Updated: 2008-12-12

ReferralServer: rwhois://rwhois.cogentco.com:4321/

AbuseHandle: COGEN-ARIN
AbuseName: Cogent Abuse
AbusePhone: +1-877-875-4311
AbuseEmail: abuse@cogentco.com

AdminHandle: JKN12-ARIN
AdminName: Knowles, John
AdminPhone: +1-703-657-7904
AdminEmail: jknowles@cogentco.com

NOCHandle: ZC108-ARIN
NOCName: Cogent Communications
NOCPhone: +1-877-875-4311
NOCEmail: noc@cogentco.com

TechHandle: IPALL-ARIN
TechName: IP Allocation
TechPhone: +1-877-875-4311
TechEmail: ipalloc@cogentco.com



It was all very clear after I checked out Escrow.com and saw all the cautions etc, and how they conduct business (NO MoneyGram, NO Agents). I have to say though, I didn't like the cold shoulder/ brush-off I received when talking to Escrow, I asked about the trans# and he asked for the amount of cash and the car info, said, "It's a scam" and hung up on me.
I personally will never use that shoddy service for anything.
Money Gram was almost as bad, but the authorities will get info out of them, I don't see what the harm is in telling me exactly where (store/address) my daughter's money ended up at. Anyway I'll carry on with my investigation.


Karma can be tough... "John"...
Pendragon
NewBorn
 
Posts: 1
Joined: Thu Feb 26, 2009 3:00 pm

Re: Escrow.com Fraud

Postby leary » Tue Mar 03, 2009 3:34 am

Here's what I discovered today. Can anyone validate my findings? Looking at purchasing a motorhome and found an ad that was "too good to be true" on an advertising site. Out of curiosity I sent an email response asking for a verification of price. The email I received back confirmed the ad and listed a web link to "escrow.com" stating "100% protection" in the business transaction. Here is the link that was attached to the email:
http://www.escrow.com/solutions/escrow/process.asp
Here is the link that comes up when I copy and paste it to this board:
https://www.escrow.com/index.asp

When you click on the link in the email here is the address that comes up:
http://www.escrow.com/solutions/escrow/process.asp

Now, if you go to http://www.escrow.com (the legitimate site), the address comes up:
https://escrow.com/index.asp

On the legitimate web site home page it states that all official/legitimate escrow.com sites/links start with https://

The site that opens from the email starts with http (minus the s). Interestingly enough when you open this and then hit the "home" button the web site that comes up starts with https, the legitimate web site address. It appears that the "process" page given in the email is a fraud. Is this possible? All because of a missing "s" in the address? Does this make any sense? Can anyone confirm my suspicions?

ADMIN EDIT:
I have notified http://escrow.com about the https issue on their solutions page. If you navigate there from the main page, it would be https but if you navigate directly (by typing it in without the https) you can get to it without the SSL. Which is contrary to their comment on the main page. I am sure it's an oversight and will likely be corrected soon. But know that if you go to https://escrow.com the ssl certificate should give you no warnings as it may with other fraudulent sites.
leary
NewBorn
 
Posts: 3
Joined: Tue Mar 03, 2009 3:08 am

Re: Escrow.com Fraud

Postby lightfair » Tue Mar 03, 2009 9:03 am

Well, there are two different issues here.

The difference between the "http" and "https" versions is not too problematic here. "https" means "secure http" in which the whole communication between you and the web host is encrypted. Still, the same web host is used.

If you call up the direct "root" page (or you may call it "home page") of escrow.com you will automatically be switched to secure mode (hence https); this will then also be used for all subsequent pages.

The statement that "all official/legitimate escrow.com sites/links start with https://" is a bit misleading because it is only true if you start from escrow.com's "home" page. It appears that all other pages don't carry that automatic switch to secure communication.

So this is not the problem here.

However, if you read through this very thread you will find that the typical anatomy of this particular scam was to have the victims believe that the transaction would go through escrow.com while the emails were sent from somewhere else (and escrow.com had nothing whatsoever to do with the whole affair).

So, long story short: The link attached to the mail is basically legit. If the offer is legit I can't say but I have certain suspicions here. "too good to be true" definitely rings the alarm bells with me. If you decide to proceed further I would suggest to use extreme caution.
lightfair
Master
 
Posts: 865
Joined: Sat Sep 09, 2006 12:54 pm
