
All Things Refunding

Author: n0sec

Refunding

The idea of return abuse was around long before the internet; however, since the beginning of the online return process, return abuse has amplified severely. There are legitimate reasons to return an item in nearly every situation - sometimes items do genuinely come defective. Companies don't mind refunding a customer for a legitimately defective item, and some companies are even eager to issue refunds to improve their reputation. However, online social engineers are aware of this and take advantage of it by conducting illegitimate refunds on nearly any e-commerce store. The 'refunding abuse' scheme accounts for $27 billion worth of fraudulent returns annually.

Although companies are eager to issue refunds, trust between the customer and the support representative of an e-commerce website is diminishing daily. So refunders must devise complex methods and specialize those methods to each e-commerce store in order to receive fraudulent refunds. The methods range from manipulating parcel service labels and photoshopping evidence to simply calling stores until a phone representative has enough sympathy to issue a refund. The market for refunding has become more complex, but the fraudsters have continued to pursue refunding, and the market for it has remained extremely active across the last year on online blackhat forums.

Refund as a Service (RaaS) and the Restraints

Refunding as a service, or RaaS (not ransomware as a service), is common on the two forums Cracked.io and Nulled.to. Refunding services typically charge the customer about 10-20% of the value of the order they would like refunded, a small price to pay relative to the full 100% of the order price. Limitations are present, however, such as the number of items in the order and the order cost. Some refunding services have spreadsheets indicating how much each e-commerce store they have experience refunding on can be 'hit' for. For instance, it is much harder to refund $20,000 USD than $100 most of the time, as companies look more closely into a big order than a small one, so to avoid having the customer's refund fail, many refunders will only handle orders up to a limit of $10,000. Additionally, the number of items in an order is sometimes limited because some methods of refunding don't make sense with a high item count: it is far more likely that 1 package doesn't arrive than that 5 packages don't arrive. A parcel service could plausibly make a mistake delivering one item, but the odds of all 5 packages having problems are highly improbable. It is worth mentioning that some refund methods are specialized to work on a high number of products in one order to circumvent these limitations. Another important restriction of refunding is the waiting period. A customer must pay for the products when ordering, and while they will be refunded once the customer finds a refunding service, many customers cannot afford to wait the weeks a company sometimes takes to process a refund. Therefore, some customers avoid certain refund services because they take longer to process refunds for certain stores.

RaaS is sold primarily via three means: blackhat forums, Discord/Telegram servers, and automated websites. Refund.army and Refunding.team are examples of automated sites that conduct refunds for customers. The advantage of a site is that the customer can place the order on the site and just wait; there is no need for back-and-forth communication with vendors of refunding services. Nearly any store can be refunded by these refunding services, as some of them, instead of dealing with the store, deal with the payment processor, whom they will convince to push the refund through. Refunding service providers typically ask for their payment (as previously mentioned, about 10-20% of the value of the order) after the refund has been processed. This attracts customers and creates trust. The refunder also has leverage over the customer, as the refunder knows the client's address (they see the order information when conducting a refund), and some refunders will go as far as to blackmail customers who do not pay the fee.

The 'refunding services' section on the Cracked.io marketplace.
The 'refunding services' section on the Nulled.to marketplace
The 'how it work' section from a refunding site, refund.army

Typically, refunders have spreadsheets of the stores that they're able to refund. This includes the package limits (the number of items the refunder can order from the store), the maximum amount of money that the refunders can confidently refund for the customer, and the estimated time it will take for the refund to return to the customer's bank account. It also specifies the limits for different regions, as stores handle refunds differently depending on what area the refunder refunds from; an American refund policy might differ from a French refund policy for a global store like Amazon. Additionally, some refunders charge a variable rate depending on the store, so the spreadsheet specifies the rate charged for each specific store.

A French refunding spreadsheet

'DNA', 'EB/PEB', 'DMG', Missing item, Wrong Item, Sealed Box, etc.

When researching refunding, there are a lot of acronyms to be understood. There are different methods of conducting a refund at a company, and the refund method must be specialized based on the store's return conditions. The applications and specifics of this will be explained with each method discussed in this article.

'Did not arrive', or DNA, is somewhat self-explanatory. The refunder claims that the customer didn't receive the package at the address listed on the order. This is typically used for small items, as a parcel service delivering a refrigerator is far more memorable to a parcel driver than delivering a small cardboard box. The refunder contacts the victim company two days after the package has been received, telling the representative that the package has not been received. Typically, this is done via phone call or live chat with the company; the goal is the same regardless: the refunder must socially engineer the representative into believing them and lead the representative to the conclusion that the package wasn't delivered. Sometimes the representative will not believe the refunder and will open an investigation on the case; in this scenario the refunder hangs up and calls back immediately. This is because representatives who don't believe the refunder sometimes leave negative notes on the account, so switching to the next live chat as soon as possible is optimal: if the refunder switches quickly enough, the notes won't have updated on the account yet. This category of refund is nowhere near optimal for refunders and is typically only used for low-value orders. Refunders can recover from a failed DNA refund if the representatives don't fall for it, but they will need to use a different method.

Empty box (EB), along with partially empty box (PEB), is another common refund complaint. This claim once again is rather intuitive: the refunder claims that a package was delivered, but it didn't have any of the ordered items inside. These types of errors are typically the victim company's fault, and not all companies insure packages that had parcel service problems, which makes this method more adaptable. When the victim company is at fault for a refund claim, it is called a warehouse error. The partially empty box method is used for orders with multiple items, and normally the refunder claims that the cheapest item arrived but the most expensive one did not. So, if someone ordered a PS5, a red shirt, and a cat toy, they would claim that the cat toy and red shirt arrived, but not the PS5. This typically results in a partial refund, which is excellent for the refunder if the refund was set up properly. Sometimes when executing this method, the company will request that the refunder ship back the empty box, and at this point the refunder can ship back the empty box. An important objective of the refunder is to gently push the phone representative toward believing that it was a warehouse error as opposed to a parcel service error, as many companies aren't liable for parcel errors. This refunding method isn't meant for refunds larger than $1,000 for most companies, as it is mostly trust based.

Damaged, shortened to DMG, is a simple method that is also integrated into more complex, specialized methods. The refunder claims that the item came damaged in some way. There are many applications of this, such as the 'leaking battery' or 'shattered glass' method, which claim that the item came with a leaking battery (if the product has batteries), or that the product's glass broke in transit. The more specialized the claim is, the more realistic the victim company will find it. Often the victim company will ask for one of two things: images of the damaged item, or for the customer to ship back the item. Refunders have various options here: they can ship back an empty box, use the more complex 'fake tracking ID' methods discussed later, or fake photo evidence. Some companies will let the customer get away with claiming that they threw away the item when they found it damaged, but this is seldom the case and refunders don't want to rely on luck. If the refunder is going to submit a photo, their goal is to either photoshop a realistic enough image or use the 'corrupted file' method. The corrupted file method is what you would expect: the refunder sends files that won't open for the victim company, and the representative will sometimes just give up and issue a refund without seeing a picture. This doesn't always work but is an option for some companies. The limits for this method change depending on the approach, but since this is often considered a warehouse error, the method tends to be successful.

The wrong item method begins with the refunder receiving the package, contacting the victim company, and claiming they received an item they didn't order, making it a warehouse-error-based method. The refunder must first purchase the item that they will claim they received (as opposed to the item they should have received), and both items should be close to one another in weight. An example of this method is a customer ordering a pair of $10 headphones and a pair of AirPods that are close to each other in weight. The refunder orders both items on two separate, non-linkable accounts (using anonymizing software such as VPNs and anti-fingerprint browsers) and claims that they ordered the more expensive item but received the cheap one. The refunder will obviously make no mention of the fact that they ordered both items, and most of the time the representative won't be able to tell. They will, however, be able to tell that the item that arrived was indeed purchased at around the same time, which means that a warehouse error wasn't improbable. The victim company will typically ask the customer to return the incorrect item, which they can, and in exchange the company will refund them for the more expensive item. When investigated, however, this method can turn against the refunder if they didn't take the proper precautions when ordering the 'incorrect' item: for instance, if both packages are ordered to the same address, the company may be able to piece together what is happening. To prevent this, many refunders use 'drop addresses', addresses that can receive packages but are typically unoccupied.
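The linkage the paragraph describes (the same address receiving both the expensive order and the cheap one around the same time) is exactly what a returns team can check before accepting a wrong-item claim. The following is an added example, not code from the original post: a small triage routine that ignores account identity (the post notes the two orders sit on separate, non-linkable accounts) and instead keys on normalized shipping address, time window, the SKU the customer says they received, and weight similarity. All orders, SKUs, addresses and field names are constructed assumptions, not any retailer's schema.

```python
# Added example (not from the original post): defender-side linkage check for
# the "wrong item" pattern. All orders, addresses and SKUs below are constructed
# sample data; the field names are assumptions, not any retailer's schema.
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List


@dataclass(frozen=True)
class Order:
    order_id: str
    account_id: str
    ship_to: str        # shipping address as entered by the customer
    sku: str
    weight_g: int       # catalogue shipping weight of the item
    placed_at: datetime


@dataclass(frozen=True)
class WrongItemClaim:
    order_id: str       # the order the customer says contained the wrong item
    received_sku: str   # the (cheaper) item they say was in the box


def normalize_address(addr: str) -> str:
    """Collapse case, punctuation and spacing so re-formatted addresses match."""
    for ch in ",.#":
        addr = addr.replace(ch, " ")
    return " ".join(addr.lower().split())


def linked_orders(claim: WrongItemClaim, orders: List[Order],
                  window_days: int = 14, weight_tolerance: float = 0.25) -> List[Order]:
    """Orders that make the claim look staged: a separate order shipped to the
    same address within the window, containing exactly the SKU the customer
    says they received, with a weight close to the claimed item's (so a
    swapped box would not have tripped a carrier weight check).
    Account id is deliberately ignored: the post describes separate,
    non-linkable accounts, so the address is the surviving link."""
    by_id = {o.order_id: o for o in orders}
    claimed = by_id[claim.order_id]
    target = normalize_address(claimed.ship_to)
    window = timedelta(days=window_days)
    hits = []
    for o in orders:
        if o.order_id == claimed.order_id or o.sku != claim.received_sku:
            continue
        if normalize_address(o.ship_to) != target:
            continue
        if abs(o.placed_at - claimed.placed_at) > window:
            continue
        if abs(o.weight_g - claimed.weight_g) > weight_tolerance * claimed.weight_g:
            continue
        hits.append(o)
    return hits


def triage_wrong_item_claim(claim: WrongItemClaim, orders: List[Order]) -> str:
    """'hold' routes the claim to manual review instead of the normal
    return-and-refund flow."""
    return "hold" if linked_orders(claim, orders) else "normal_return_flow"


# Constructed sample data: the expensive order and the cheap one go to the same
# address under two different accounts, one day apart; a third order of the
# cheap SKU goes somewhere unrelated.
ORDERS = [
    Order("A-1001", "acct-7", "12 Elm St, Apt 3, Springfield", "EARBUDS-PRO", 200,
          datetime(2024, 3, 1, 10, 0)),
    Order("B-2002", "acct-9", "12 elm st apt 3 springfield", "EARBUDS-BASIC", 190,
          datetime(2024, 3, 2, 9, 30)),
    Order("C-3003", "acct-4", "99 Oak Ave, Shelbyville", "EARBUDS-BASIC", 190,
          datetime(2024, 3, 2, 11, 0)),
]
CLAIM = WrongItemClaim(order_id="A-1001", received_sku="EARBUDS-BASIC")

if __name__ == "__main__":
    for o in linked_orders(CLAIM, ORDERS):
        print("linked:", o.order_id, o.account_id, o.ship_to)
    print(triage_wrong_item_claim(CLAIM, ORDERS))
```

Keying on the address rather than the account is the design choice that matters here; a drop address defeats it only if the second order never touches the same address, which is why the post mentions refunders resorting to them.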

The sealed box method is simple: the refunder contacts the victim company claiming that they accidentally ordered the wrong item and would like to return it. They claim that the box is perfectly intact and still 'factory sealed'. Factory sealed indicates that the box was never opened, so the company is less likely to open the package when it is sent back. The refunder takes the item out of the box, puts in dry ice or sand to weigh down the package, and then tries to reseal the box as realistically as they can. This only works on items that are fully covered by the cardboard box, and the seal must be kept intact, which isn't impossible but takes practice. The limits on this aren't high, and this method isn't strong compared to the upcoming fake tracking ID methods.

"Boxing"

Boxing is the fundamental process that drives the strongest refunding method, 'FTID', fake tracking ID. For some of the aforementioned methods, the refunder was supposed to ship a product back to the victim company, so to bypass this layer of security refunders ship empty boxes to the victim company. The victim company gives the customer a 'return label' to put on the package, and the customer is supposed to ship the box back with the return label on it. The return label includes the address of the company's return warehouse and other tracking information so the company can link the shipment back to the refunder's account. So, to 'box' a company, the refunder requests a refund, the company sends a return label, and the refunder proceeds to ship an empty box with the return label attached. It can be as simple as this for some companies: some just check the tracking number of the package and, if it is delivered, authorize a refund to the refunder's account. Additionally, some companies do what is referred to as 'advanced refunding', where they refund the client before the box has even been shipped (however, they reserve the right to take back the funds if the client never ships the box back). Refunders use the 'boxing' method in conjunction with the methods previously discussed. However, sometimes an empty box isn't enough; some companies investigate the boxes of bigger refund claims, so refunders must adapt. This is where the development of FTID begins: not only 'boxing' a company, but utilizing other schemes in conjunction with boxing to increase the likelihood of a refund.

Many fraudsters trying to refund items don't want to spend the time to go and send a box to the shipping company, or don't have the resources to. Thus, there are services on blackhat markets where users will ship boxes to companies for a set price; all the boxing service needs is the return label the victim company provides. Examples of this service are Hydra Boxing and FTID Club, both of which will ship boxes with the customer's return label, in some cases the same day the customer asks.

Hydraboxing.club

Fake Tracking ID, FTID

Fake tracking IDs have a somewhat misleading name: the tracking identification number isn't fake. The tracking ID is typically untouched; rather, the prepaid label that the victim company provided is manipulated by the refunder to fool the parcel service or victim company into believing that they made a mistake.

There are currently about 10 versions of FTID. The reason for the different versions is that many versions of FTID are improvements on the previous one. For instance, FTIDv2 is nearly identical to FTIDv1, but more advanced. Another reason for the different versions is that some versions of FTID only work for certain refund policies; for instance, FTIDv7 won't work on a company that doesn't insure lost packages/parcel service errors. FTID methods are versatile and can be adapted to things outside of just refunding, but to remain focused on the topic of refunding, all versions of FTID will only be discussed in their application to refunding.

FTIDv1 is the boxing method. The refunder sends in a request to refund an item using one of the previously discussed methods, and the victim company provides a return label, which the refunder prints, puts onto an empty box, and ships back to the victim company. This method tends to only work in instances where the refunder knows the company doesn't check the inside of the box, or in cases where the refunder told the victim company that they didn't receive any items, such as the empty box method.

FTIDv2 builds on FTIDv1 and works in more situations. FTIDv2 involves modifying the return label provided by the company, making the package harder to link to the order when it is received by the victim company's warehouse. The victim company will receive the empty box but will have trouble attributing it to the order, as the shipping label will have been stripped of all identifying information by the refunder. Meanwhile, the tracking identification number associated with the package will be marked as delivered, so the company will mark the refund as a 'warehouse error', because technically the parcel was marked as delivered to the victim company. However, companies sometimes manage to link orders back to the refunder even with the information removed, and nowadays they tend to investigate the empty packages they receive at the warehouse due to how popular refunding has become. The parts of the return label that must be removed for FTIDv2 are the 'from' address, the weight, the 'return merchandise authorization (RMA)' barcode, the description, the text 'return service', and reference numbers on the label related to the order; the tracking number is also slightly changed (only slightly, so as not to raise suspicion at the post office). In this case, because the tracking shows as delivered, the refunder will wait a few days after the package has been delivered, then ask why they haven't received a refund. At this point, the company typically issues the refunder a refund without having checked for the package, going solely off the fact that a package has been delivered.

FTIDv3 is very similar to FTIDv2 and has a similar goal. The goal of the refunder is to make the victim company believe that the refunder shipped the item back for a refund and that the warehouse either lost it or is slow enough to process it to warrant a refund before the contents of the package have been verified. To conduct the FTIDv3 method, the refunder modifies the shipping label's delivery address to a location near the return warehouse (along with stripping all the information mentioned in the FTIDv2 method), typically in the same ZIP code, while the parcel service still stores the actual return address as the one originally on the label (because it is the address linked to the tracking ID in their internal system). The parcel must be in the same ZIP code, or it could raise suspicion at the parcel service. Parcel drivers don't use the tracking ID to locate houses when delivering; they use the address on the label, which will have been modified to a nearby location. The refunder hopes that the address the package was sent to will accept the package and the package will be marked as delivered. To be clear, some facilities near return warehouses are aware of this method and will decline packages, so it is not guaranteed that the nearby address will accept a package (the problem being that if the people at the address decline, the shipment won't be marked as delivered, so the refund won't go through). If the package is marked as delivered, then the refunder will wait a week or so and request that a representative refund the transaction because it has been delivered, similarly to FTIDv2.

FTIDv4 is nearly identical to FTIDv3 but is more tactical and results in fewer package declines. FTIDv4 has the same label modification procedure, changing the shipping information to an address near the return warehouse and stripping all identifying info as mentioned in FTIDv2, but instead of sending a box, refunders send an advertisement. An advertisement is more plausible to most recipients than a box, making it less likely to be declined by the receiving address. This is also sometimes called 'advanced FTIDv3' amongst refunders. It will likely result in the package being marked as delivered, which the refunders will abuse to convince the representative from the victim company to provide a refund.

FTIDv5, like its predecessors, requires further modification of the return label. With the FTIDv5 method, the QR code is changed from the original tracking number to one that is 1-2 digits off. Similarly to FTIDv4, FTIDv3, and FTIDv2, the goal of the refunder is to make the tracking number associated with the label show as 'delivered' despite not sending any real product to the victim company. With FTIDv5, the refunder replaces the barcode on the shipping label that associates the package with its tracking ID, meaning that when the victim company receives the package, they won't be able to associate it with any order, while the tracking number associated with the label will display as shipped. My research didn't show many advantages to FTIDv5 relative to the other methods, but there is likely information outside my scope.

FTIDv1-FTIDv5 all have the goal of fooling the victim company into believing that the refund should be processed because the tracking ID associated with the prepaid label is marked as delivered. These methods require the company to accept that they made a warehouse error and not investigate the whereabouts of the returned package. They rely on the representative providing the refund before the warehouse verifies that there has been an actual return.
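Since FTIDv1-FTIDv5 all depend on a refund being released on carrier "delivered" status before the warehouse has matched a physical parcel to the order, the defensive counterpart is an intake check that compares what actually arrived against the label the company issued. The following is an added example, not code from the original post: it checks for the identifying fields the FTIDv2 description lists as stripped (from address, weight, RMA barcode, description, 'return service' text, reference numbers), for a tracking number that differs from the issued one, for a carrier delivery address other than the warehouse, and for an empty-box weight, and it refuses to release a refund above a low-value ceiling when no parcel has been matched at all (the FTIDv3/v4 situation, where tracking says delivered but nothing reached the warehouse). Field names, thresholds, the warehouse address and the sample parcels are constructed assumptions.

```python
# Added example (not from the original post): a warehouse-intake check that
# releases a return refund only when the received parcel matches the label the
# company issued, instead of on carrier "delivered" status alone. Field names,
# thresholds and the sample parcels are constructed for illustration.
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Fields the post lists as stripped from a manipulated (FTIDv2-style) return label.
REQUIRED_LABEL_FIELDS = frozenset({
    "from_address", "weight", "rma_barcode", "description",
    "return_service_text", "reference_numbers",
})


@dataclass(frozen=True)
class IssuedLabel:
    tracking_id: str
    rma: str
    warehouse_address: str
    expected_weight_g: int      # shipping weight of the item being returned


@dataclass
class ReceivedParcel:
    tracking_id_scanned: str    # what the barcode on the parcel actually resolved to
    delivered_to: str           # address in the carrier's delivery record
    label_fields_present: Set[str]
    rma_scanned: Optional[str]
    measured_weight_g: int


def normalize_address(addr: str) -> str:
    """Collapse case, punctuation and spacing so re-formatted addresses match."""
    for ch in ",.#":
        addr = addr.replace(ch, " ")
    return " ".join(addr.lower().split())


def verify_return(label: IssuedLabel, parcel: ReceivedParcel,
                  weight_tolerance_g: int = 50) -> List[str]:
    """Every discrepancy between the issued label and what arrived."""
    findings = []
    missing = sorted(REQUIRED_LABEL_FIELDS - parcel.label_fields_present)
    if missing:
        findings.append("label stripped of identifying fields: " + ", ".join(missing))
    if parcel.tracking_id_scanned != label.tracking_id:
        findings.append("tracking id on parcel differs from issued label")
    if parcel.rma_scanned != label.rma:
        findings.append("RMA barcode missing or altered")
    if normalize_address(parcel.delivered_to) != normalize_address(label.warehouse_address):
        findings.append("carrier delivered to an address other than the return warehouse")
    if parcel.measured_weight_g + weight_tolerance_g < label.expected_weight_g:
        findings.append("parcel much lighter than the returned item (possible empty box)")
    return findings


def refund_decision(label: IssuedLabel, parcel: Optional[ReceivedParcel],
                    carrier_status: str, order_value: float,
                    auto_refund_ceiling: float = 100.0) -> Tuple[str, List[str]]:
    """'delivered' with no parcel matched to the order releases a refund only
    under the low-value ceiling; everything else waits for a verified intake."""
    if parcel is None:
        if carrier_status == "delivered" and order_value <= auto_refund_ceiling:
            return "refund", []
        return "hold", ["no parcel matched to this order; tracking status alone is not proof of return"]
    findings = verify_return(label, parcel)
    return ("hold", findings) if findings else ("refund", [])


# Constructed samples: one genuine return, one FTIDv2-style stripped label on a
# near-empty box whose tracking number is one digit off.
LABEL = IssuedLabel("TRK-0001234", "RMA-55821", "4 Depot Rd, Unit B, Returns City", 2300)
ALL_FIELDS = set(REQUIRED_LABEL_FIELDS) | {"to_address"}
CLEAN_RETURN = ReceivedParcel("TRK-0001234", "4 Depot Rd Unit B Returns City",
                              ALL_FIELDS, "RMA-55821", 2280)
STRIPPED_LABEL = ReceivedParcel("TRK-0001235", "4 Depot Rd, Unit B, Returns City",
                                {"to_address"}, None, 120)

if __name__ == "__main__":
    print("clean:", refund_decision(LABEL, CLEAN_RETURN, "delivered", 899.0))
    print("stripped:", refund_decision(LABEL, STRIPPED_LABEL, "delivered", 899.0))
    print("unmatched:", refund_decision(LABEL, None, "delivered", 899.0))
```

The point of the `parcel is None` branch is that "delivered" is a carrier statement about a barcode, not a warehouse statement about the order; above a small value, the refund should wait for the intake scan to produce a parcel record that passes `verify_return`.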

FTIDv6 is different from its predecessors and doesn't rely on the same factors. The previous methods are warehouse based, while this method is parcel service based (meaning that the error will be at the parcel service as opposed to the company's warehouse, which some companies don't insure). With FTIDv6, the refunder obtains the product, requests a refund, and receives the prepaid label, but immediately before shipping out the empty box like the other FTID methods, vandalizes the package. The refunder's goal is to make it look like someone intercepted and stole from the package, by kicking and beating the package. The refunder hopes that the parcel service will inspect the package and mark it as 'lost in transit', which in certain circumstances results in a refund for the refunder. However, parcel services sometimes don't mark the package as lost in transit but instead just reject it. Additionally, this method only works on companies that take responsibility for lost packages, which is typically big companies that work directly with parcel service partners. This method is rarely used and has very few advantages compared to its more modern counterparts.

FTIDv7 is probably the most creative method I encountered while researching the market of refunds. FTIDv7's goal, similar to FTIDv6, is to try to get the package marked as 'lost in transit'. The refunder modifies the label so that it no longer has the warehouse shipping address, and then writes the shipping address back in with 'transparent' ink. This transparent ink results in the warehouse address disappearing from the label within 48 hours, resulting in a shipping error. The parcel service will assume the package has been tampered with and discard it. This method can be detected by parcel services, as transparent ink doesn't look identical to standard black ink. This method, just like FTIDv6, is limited to working on companies that insure lost packages.

FTIDv8 has a fundamental difference from the other FTID processes. All the aforementioned refunding methods involve returning the package after it arrives: requesting a refund, receiving a return label, and using an FTID method. However, FTIDv8 is done without the company providing a return label. FTIDv8, sometimes called FTID 'DNA' amongst refunders, involves doing FTIDv3 (modifying the shipping label to have a shipping address elsewhere), but on the original outbound package when it is received. The refunder takes out the contents of the box, modifies the shipping label to show a different address than their own, sometimes a house in a nearby neighborhood, and gives the item back to the parcel service. The parcel service will then try to ship it to the house on the label, making the package appear in the parcel service's internal system as delivered to the address on the new label. This method is basically rerouting the package to a nearby address after receiving it, modifying the shipping label the company used to ship to the refunder as opposed to a return label. When the refunder contacts the victim company, the representative will see the package was delivered to the wrong house and could issue a refund depending on the site's policies.

FTIDv9 and FTIDv10 are both adaptations of FTIDv8: they involve modifying the shipping label on the package, and unlike the other FTID versions, at no point in the process is a return label used. For FTIDv9, FTIDv8 is executed, but instead of the package being delivered to a different address, the refunder uses the ideas from methods like FTIDv6/FTIDv7 to try to get the package marked as 'lost in transit'. This means that when the refunder requests a refund, the representative will see that the package was lost in transit and could issue a refund based on store policies. FTIDv10 involves changing the initial label to the warehouse address; the goal is to make the package have the status 'reroute to sender'. The steps are exactly what you would suspect: receive the package, take out the contents, change the label to the sender's shipping address, and ship it back. I am uncertain of the success rate of either of these methods, but while reading blackhat forums it appears that these methods are used often amongst refunders.

The final method I came across during my research was FTID via insider, which appears to be the method with the highest success rate. In an interview with a prominent refunder amongst blackhat communities, they claimed that refunders have been accumulating insiders at companies like Walmart and Amazon, having them process refund orders for customers. Nearly any company is susceptible to an insider threat without the right user access management model. Additionally, I am certain that people are utilizing insiders at parcel services to change the status of packages to make refunds nearly riskless. For instance, some refunders can have an insider at a parcel service such as UPS mark a tracking ID as 'lost in transit', which the refunder will leverage with the victim company to request a refund. The benefits of FTID via insider are limitless: refunders don't have to be physically present for their crime; they can just pay the UPS insider to mark packages as whatever is needed. It is possible that eventually people will begin to phish or crack UPS logins until user access management is better integrated into their system.

An image of the inside of the UPS Portal

There are plenty of sites in the market that will handle the FTID process for the customer, just as there are 'boxing services'. The websites ask for information like your return label and, for a fee sometimes as low as $40, they will conduct the desired FTID method for the customer. There are numerous websites that provide services like these, such as ftid.club, ftid.io, and ftid.shop. To clarify, these FTID services are similar to RaaS, and are sometimes even used by those who host RaaS services.

FTIDv1-FTIDv3 provided by ftid.shop
FTIDv3 provided by ftid.shop

![FTIDio's Order Form for FTID](/static/images/refunding/ftidio.png)

Rebills

Rebills are a victim company's way of trying to retrieve funds from a customer who was found to have conducted a fraudulent refund. In some cases, if the victim company realizes that the item was illegitimately refunded, it will mail a bill to the shipping and billing address associated with the order, or just try to charge the customer's card for the amount the customer owes the company. Companies typically do this when they realize that something was suspicious about the refund, which normally takes weeks. Companies discover this in many ways; for large orders, companies will sometimes go as far as to review warehouse footage to check the legitimacy of a refund claim. These rebills can also happen when a company gives a customer an 'advanced refund' and the customer fails to ship back the product. Refunders circumvent rebills by using payment processors like PayPal, where companies aren't authorized to charge the customer without permission. Additionally, refunders use virtual credit cards, VCCs, to pay for items they intend to refund, to isolate the transaction from their real-world identity and to prevent rebills. These VCCs prevent rebills by limiting the balance on the card at a given time, so that the company won't be able to take back the balance the customer owes. Virtual credit cards range from sites like Privacy.com to services like CashApp, where obtaining a 'VCC' is easy and the funds are easily moved.

Methods & E-Books

On top of services for nearly every step of refunding, there are also vendors on the market selling refunding methods. Some refunding methods are sold specifically for certain stores, while other methods are meant to teach a refunder how to do processes like the FTID methods. The most popular e-book I found was Bob's Refunding E-Book, found at Refund.sh. The method, however, is leaked online for free, and after reviewing it, it appears that e-books like Bob's primarily consist of information findable on any blackhat forum. Here is a link to the latest version of Bob's E-Book if you want a better insight into the minds behind refunding.

Getting Orders Through

One of the most difficult aspects of refunding is getting a site to trust the user. This is because many sites have fraud detection systems and can pick up on the unusual purchasing habits of a refunder. Ideally, a refunder would just go straight to the product they intend to buy and then refund, but that would be considered an unusual purchasing habit. Most people who intend to refund a product use a separate account on the merchant's site, not linked to any personally identifying information, and use a third-party checkout system such as PayPal. To get orders to go through and circumvent fraud systems, refunders know that they must randomly browse the site to look more like an average consumer. Many times, refunders also place one or two small orders with a site before placing a larger $1000+ order that they intend to refund; the previous orders build 'trust' on the site. It appears that many websites' approach to solving refunding is to detect suspicious orders before they happen, but that only filters out the inexperienced refunders who don't know how to look legitimate in the eyes of the website.

Conclusion

There is evidently a plethora of ways that refunders conduct refunds for themselves and their clients. There are nearly unlimited attack vectors refunders take, all changing based on the circumstances of the company. There are even refunding methods that weren't in my scope of research, such as shoplifting refund fraud, which is based on a more in-person presence. Refunding fraud will likely continue to be a big industry, as it is hard for a company to keep a strong, strict refund policy while maintaining good public relations.