A friend of mine recently got duped by an online shopping site here in Japan. I thought I’d elaborate a little on what happened, who was involved and what could be done.
My friend was looking for a piece of furniture. They found it on one of Japan’s largest online shopping sites, Rakuten. But then they did a search around the net and found it for cheaper on another site: RJAKey.com. The site is quite comprehensive, and they offered a 5% discount for buying by bank transfer instead of credit card. So, my friend made the transfer… and waited.
After a couple of days there had been no reply from RJAKey.com, so another email was sent. Another couple of days and nothing. Getting concerned, my friend asked me to get involved, and I sourced the info that is in this blog post.
Who Did It
When the order was placed, bank transfer information was given:
銀行名：みずほ銀行 (Bank Name: Mizuho Bank)
口座番号：4593492 (Account ID)
店番号：723 (Branch ID)
支店名：仙台支店 (Branch Name: Sendai)
口座名義：リン ヘイスイ (Account holder name: Rin Hei Sui)
I believe it is coincidence that the branch happens to be in Sendai and we are in Sendai.
The website, RJAKEY.com, has the following registration information:
Name: WU JUNHUI
Mailing Address: FENGTING TOWN SHANTOU VILLAGE SHANBIAN NO.17, XIANYOU FUJIAN 300312 CN
This person registered the following domains:
But there’s more. I looked up these IPs and found dozens of other domains and other scam sites hosted on them. A lot of them had been shut down, but here’s a list of them:
Hosted on NexteCloud’s 126.96.36.199
Hosted on 188.8.131.52
There were lots of dead domain names as well (probably shut down after either the police got involved or they reached some financial target).
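The pivoting described above (from one domain to its registrant, from the registrant to other domains, from those domains to their hosting IPs and storefront templates) can be automated as a clustering step. This is an added example, not code from the original post; the record layout, the function name `cluster_domains` and the sample rows are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample records (domain, registrant, ip, page_title); not data from the post.
RECORDS = [
    ("shop-a.example", "registrant-1", "192.0.2.10", "Furniture Store"),
    ("shop-b.example", "registrant-1", "192.0.2.11", "Furniture Store"),
    ("shop-c.example", "registrant-2", "192.0.2.11", "Wine Shop"),
    ("shop-d.example", "registrant-3", "198.51.100.5", "Wine Shop"),
    ("other.example", "registrant-9", "203.0.113.7", "Unrelated Blog"),
]

def cluster_domains(records, fields=("registrant", "ip", "title")):
    """Group domains that share any enabled pivot value, transitively (union-find)."""
    parent = {}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving keeps lookups cheap
            x = parent[x]
        return x

    def union(a, b):
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[rb] = ra

    names = ("registrant", "ip", "title")
    first_seen = {}  # (field, normalised value) -> first domain seen with it
    for domain, *attrs in records:
        parent.setdefault(domain, domain)
        for field, value in zip(names, attrs):
            if field not in fields or not value:
                continue  # skip disabled pivots and empty WHOIS fields
            key = (field, value.strip().lower())
            if key in first_seen:
                union(first_seen[key], domain)
            else:
                first_seen[key] = domain

    clusters = defaultdict(set)
    for domain in parent:
        clusters[find(domain)].add(domain)
    # Largest clusters first; singletons are kept so nothing is silently dropped.
    return sorted((sorted(c) for c in clusters.values()), key=lambda c: (-len(c), c))
```

A shared IP on its own is a weak link, because hosting providers put unrelated sites on the same address; treat a cluster as a lead only when registrant or template data also ties it together.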
So how does this work?
The domains are bulk registered. They have a premade database of content.
A key fact is that this content has been obtained by scraping legitimate sites and stealing the data. That way, when you search for something their website will come up in the search.
Here’s an example.
One of the scam sites is The Petmart. I picked an item off the homepage and got this ‘product id’: BHK07601
If you google that you will get dozens and dozens of sites selling it. I would imagine almost all of them are sites designed to steal money, but, perhaps there is a legitimate site in there. In this case almost all the sites actually forwarded on to this page.
Another example, where you are looking for a specific product. You go to Rakuten and find something you want. Say, this. You get the description, '65デザイン性溢れるインテリア', and google it. Almost all the results are to scam sites, with one legitimate Rakuten link in the mix.
You unknowingly place an order on the scam site (their prices are better and they offer discounts to further entice you). They ask you to transfer money. They withdraw the money then shut down the site after a time.
What can be done to stop this?
1) Follow the incoming money
How do they manage to open a bank account in Japan? I had a hell of a time opening an account. I mean a real nightmare! As a foreigner it took me a lot of paperwork to get that account. So, how do these people do it? They must have some legitimate papers and, perhaps crucially, I think they must have help from a Japanese person who acts as a guarantor on the account.
This same scam was reported on this page here. In that case it was again Mizuho Bank, but this time in Nagoya. I think there is a reason that it is Mizuho. Either someone is helping or Mizuho has a process that lets people get the account.
2) Follow the outgoing money
Someone is paying for those domains to be registered. Someone is paying for the servers.
3) Follow the people
These people are all coming from mainland China. But, if the names and contact information are even legitimate, there will be a common bond. I found that many of the people registering these domains came from the same area of China.
4) Connect the dots
In a couple of days I’ve identified hundreds of these sites, with dozens still in operation. Would it be so difficult to place orders on these sites, get the destination banking information and find the people who opened those bank accounts? Someone has to be in Japan to collect that money, unless they can withdraw it from an ATM overseas, but the withdrawal limits would make that very risky.
This kind of scam is unstoppable on a grand scale. But not on an individual scale. The issue of course is that so many jurisdictions are involved that it makes it very tricky. And the criminals know this.
These scams are specifically set up to take money from Japanese people. As – in theory – the only people who speak Japanese are Japanese, there is a level of trust in the online world (because of the inherent belief here in Japan that they are all honest). That a foreigner could set up a believable Japanese website really is outside of the common understanding.
We’ve involved the police. I don’t think they are capable of doing the kind of investigation that I’ve done, but, it is a start. If you have been a victim of this I recommend also contacting the local police.
I would hate for people to get a general fear of shopping online. But, for now at least, the best recommendation is to buy from a retailer you know. There is some added protection in shopping with a credit card, but really something like PayPal, that puts distance between the criminals and any sensitive information, is an even better bet.