Fraud alert: digitec does not sell Galaxy S9 for one euro

Dominik Bärlocher

12.2.2019

Translation: machine translated

The Samsung Galaxy S9 for one euro. From digitec. Sounds tempting, if a little strange for a company trading in francs. Fraudsters are behind the offer and the whole website. I take up the pursuit.

Digitec has lost a legal dispute with Samsung and therefore has to sell the remaining stock of the Samsung Galaxy S9 without a margin. According to the website, the price of the S9 will then be one euro.

A scam
.
Or an attempt to deceive the Swiss. The website looks deceptively real, but the site, which at first glance looks like a real one, is a fake. Just like the story on the page. The legal dispute with Samsung does not exist, nor does the interview with Florian Teuteberg, CEO of Digitec Galaxus AG.

In collaboration with the Blick digital editorial team, I went in search of clues.

Analysing the fraud

The aim of the fake Blick is to lure you to another site. There, the site then suddenly talks about a competition.

The scam website is a fairly classic, albeit rather creative, case of phishing. Phishing is an attempt to convince users to disclose certain data. Because if you click on the link to the official campaign page on the Blick fake, you will be asked for your credit card details.

Payment information for a competition? Strange? Not if the phishers have their way. Because they already have an explanation for this.

In other words, you give the scammers the go-ahead to charge your credit card for any amount. What do you get in return? Nothing.

So don't click on the links in the rest of this article. I cannot guarantee that you are safe there or that the danger has been averted.

How to build a hack

Building a site like this from scratch is easy. I'm going to do it quickly.

Ingredients:

1. Name of the biggest newspaper in Switzerland → Google "Biggest Newspaper Switzerland"
2. Name of the largest online shop in Switzerland → Google "Biggest Online Shop Switzerland"
3. Name of the CEO
4. URL of the most visited obvious news site in Switzerland → Alexa Rankings Switzerland
5. Some knowledge of HTML
6. Some CSS knowledge

Then some time.

With the right experience, setting up a site like this takes no more than an hour. Hosting costs around 50 francs, a domain another 20, so you can set up such a scam for 70 francs. Then you have to distribute the link to your fake site either by email or via social media and wait.

Social media: The big problem

When spreading untrue content, be it satire like that of the fake newspaper TheOnion or scams like the one with the Samsung Galaxy S9, they rely on the carelessness of the user. The front pages of newspapers and the like are becoming less and less interesting for precisely this reason. Links to interesting articles are directly distributed. Because the psychological mechanism works like this: If one of your friends shares the link, then it is automatically more trustworthy, because it would be as if the person told you directly. So you go ahead and click on the link with a lot of goodwill towards it. Because your mate wouldn't take the piss, would they?

So it happens every now and then that your mum spreads the latest shock news that is obviously false. But maybe an S9 for a euro sounds pretty good, right?

Who is behind the fake site?

The phisher or phishers - I'm going to assume a single perpetrator from now on, even if I have few clues about a single perpetrator - are making mistakes. These suggest his identity.

I assume the following:

• He is not Swiss: the phisher always talks about euros. Someone who lives in Switzerland or has ever been here knows that we pay in francs.
• He speaks German: In his letters, the phisher uses the capital letter (ß). But we Swiss don't.
• His German is not particularly good: Every now and then he has obvious Google Translate errors in it.

Ignore it and carry on surfing? That would probably be the most sensible thing to do. For me, however, such sites are a real treat. Because I love hunting down people like that. I also don't understand why the Swiss Reporting and Analysis Centre for Information Assurance (MELANI) doesn't do it more publicly. They're guaranteed to do the same if a complaint is made. Which is coming, by the way. Both Blick Legal and digitec Legal are working on the case.

So here are the links. Don't click on any of them. This is not necessarily safe.

The URL that was sent to me is 20mi.ch. The scammer is obviously hoping that people will make a mistake when they try to access the website of the free newspaper 20min.ch. However, 20mi.ch is only a forwarding URL, which means that you will be redirected directly from there. You are actually on ch-nachrichten.com. From there, you'll continue to the fake Samsung competition on goldenppubs.com.

Every URL you can access on the web is registered somewhere. This registration is public unless you specifically state that you want to keep your data secret. Anyone can buy any domain. This means that the person or persons behind 20mi.ch do not necessarily have to be based in Switzerland.

goldenppubs.com - the great unknown

One site in the list raises questions. This is Goldenppubs.com. Goldenppubs does not appear to have any entries in any Whois lists. It's not that the Whois databases tell me that the domain is privacy-protected, but a variation of "No entry available".

ch-news.com - The protected one

The fake Blick article is on ch-nachrichten.com. The trail gets lost quite quickly there too, because the hosting data throws up a privacy protection company:

• Admin Name: Domain Admin
• Admin Organisation: Whois Privacy Corp.
• Admin Street: Ocean Centre, Montagu Foreshore, East Bay Street
• Admin City: Nassau

I doubt the phisher is in Nassau. It's more Eastern Bloc style. China would be flatter, Africa less German and more email. These are gross generalisations and sometimes not true, but something says "Eastern Bloc" to me.

20mi.ch - One name

The situation looks better at 20mi.ch. The same query as above gives me an address. An insertion here: Until this person's guilt is proven, the presumption of innocence applies. All this person may have done is buy a URL. That is not illegal.

• Holder: marko nikolic
• Vojislava Ilica 87
• RS-11000 Belgrade
• Serbia

Belgrade? We can work with that.

The trail leads to Belgrade

"Marko Nikolic? That's quite a common name," says the product management team. The brunette's surname ends in -ic and there is a fan scarf from Partizan Belgrade on her desk. It's a coincidence that the former manager of her favourite club is also called Marko Nikolic. "Imagine Thomas Müller like that. Everyone knows one. That's Marko Nikolic."

However, she knows people in Belgrade. She uses her contacts.

"Don't get your hopes up," she adds with a sigh, "addresses are one of those things."

Because in Serbia, people are often registered at addresses where they don't even live. This has "something to do with taxes and perhaps tenancy law".

This is where the trail gets lost. Because even if a Marko Nikolic lives at Vojislava Ilica 87, we cannot say with absolute certainty that it is the Marko Nikolic who bought the domain. And even if Marko Nikolic at Vojislava Ilica 87 is the buyer of the domain, we cannot say with absolute certainty that he is in collusion with the phishers. Or is guilty of a crime.

France: the phishers' finances explained

A text message from the Blick editorial team reaches me. Another URL pops up: blickk.ch. It also goes to ch-nachrichten.com with the same fake offer. The domain is registered to Clovis Guertin, who lives in Lille, France.

I realise how the phisher or phishers are financing their operation.

Crap.

The criminals have obtained a list of valid credit card details from the internet or the darknet for little money and are now using them to buy domains and web space. Because 20 francs here and 13 francs there don't necessarily stand out on a credit card statement.

Once stolen, fraudsters can charge small amounts to your credit card for years without you realising it. Only then do you notice the Tissot Bridgeport for 2,265 francs. It's not worth it. A criminal does it once, then you open a huge barrel, report it to the police, prosecute and the beautiful Tissot watch has to be delivered somewhere if a criminal wants it. A plan, on the other hand, is elegant. 20 euros a month is subtle enough to fly under the radar. With a bait-and-switch offer like a Samsung Galaxy for one euro, maybe 100 people will fall for it. That's 20×100 euros, so 2000 euros a month.

Even if the scammers aren't based at the address in Belgrade, I can't shake the Eastern Bloc feeling. Let's assume they were the Russians. Then the average monthly wage is 469 euros. A criminal only needs 25 people to fall for him and he can live well. With 100 people fooled, a criminal is already pretty damn well off. The cost of the scam, including the address list, is no more than 150 euros and a little time. It's worth it.

This is where the hunt for the fraudsters ends. Sure, I could go on, but I'd rather tell you about the scam than chase scammers forever. Because this is where it gets difficult. I could invest hours, use tricks from information security, ask colleagues, and so on. But the chance that someone will end up in handcuffs is vanishingly small. Because if the criminal is using Tor Browser, then the search is finished at his exit node at the latest. In the end, there is only one thing to say: be careful, be suspicious and ask too many questions.

You can find our Customer Service Hotline from Monday to Friday between 9 a.m. and 6 p.m. at digitec@digitec.ch or at +41445759500.

So, that's it. Stay safe. And Samsung phones for one euro? What a load of rubbish.

Update 12/02/2019 // 12:50 p.m.

Lorenz Keller, the journalist whose name is mentioned as the author on the scammer page, has published an article on the same topic on Blick.ch.

Dominik Bärlocher

Senior Editor

dominik.baerlocher@digitecgalaxus.ch

Journalist. Author. Hacker. A storyteller searching for boundaries, secrets and taboos – putting the world to paper. Not because I can but because I can’t not.

Follow

---

Computing

Follow topics and stay updated on your areas of interest

Follow topic