How I Busted The Competition Sending Email Threats in 10 Minutes

Thought nobody Would Know huh?

I will explain first, then you can scroll down and see my “evidence”. Please note that I have no paid advertising on this site at all, so I am not doing this for profit. This really happened and I want everyone to know.

Last Saturday, on September 27th, 2008, I was doing my usual Saturday morning routine. I was walking by my home office when I heard the distinct sound of an incoming email. I took a gander and it was an email from my printing website.

Any time a customer goes through the ordering process, the first thing they have to do is create an account. When this account is created they get a “Welcome To PAWS” email. Well, the odd thing was that I was getting it. I looked a bit further into it and realized someone had created an account with all of my information, like my home address and phone number, and they used my email.

As I was reading the email an order came in from this person for 1,000 vinyl window lettering. They used all my information and they used “a**wipe” for a company name. I actually thought it was kind of funny because stuff like that happens often, usually from some dumb kid.

Then my email inbox chimed again. This time it was an email from this customer saying “A**hole..be careful”. Now I’m getting mad because I looked at that as a threat.

The first thing I did was log on to my website’s back-end. I immediately found the offending IP address.

This is a screen shot showing how I immediately found the offending IP Address


What this clueless moron didn’t realize was we have a lot of tracking software in the backend of the website. We use osCommerce, so we have a feature called “Who’s Online”. This will list every person on our webpage (screen shot above) by IP number, what page they’re on and what action they do. We saw the offender’s IP Address instantly. Even without this I would have found them, but it made it easier for me.

This Shows My Weblogs and the time stamps to show the IP address of the offender, and the email threat with the time stamp. They are 2 hours different because of time zones.

Then I went to my weblogs to download the evidence. You see, every action on a website is recorded on weblogs. Every single click that is done is recorded. I called my internet guru and web designer Patrick Bennett of Modern Blue Web Design and he told me exactly where to find them. As I was reading it, Tracey (my wife) went to a website that shows where IP addresses originate from. Now if this was a person at their house, it wouldn’t tell me much. When it’s a building of a larger company it says it all. The below screenshot shows the name of the company who owns that IP Address, and they are located in downtown Lakeland Florida. Now the town says “Seminole Fl” because that’s where their ISP is located. As soon as I saw the name of the company I put it all together.

As soon as I saw the name of the company I put it all together!
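The log correlation described above, as an added example that is not part of the original post: it pulls one client's requests out of a web access log, converts every timestamp to UTC, and measures the real gap to an email's `Date` header so that a time-zone difference like the two hours mentioned above does not hide the match. The log lines, IP addresses (documentation ranges), page paths and email header are constructed, and the Apache "combined" log format is an assumption about the server.

```python
import re
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Constructed sample: Apache "combined" lines, documentation-range IPs.
SAMPLE_LOG = """\
203.0.113.45 - - [27/Sep/2008:07:58:12 -0600] "GET /product_info.php?products_id=12 HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
198.51.100.7 - - [27/Sep/2008:07:59:03 -0600] "GET /index.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
203.0.113.45 - - [27/Sep/2008:08:01:40 -0600] "POST /create_account.php HTTP/1.1" 302 0 "-" "Mozilla/4.0"
203.0.113.45 - - [27/Sep/2008:08:04:55 -0600] "POST /checkout_process.php HTTP/1.1" 302 0 "-" "Mozilla/4.0"
not a log line
"""
# Constructed Date header of the email, stamped in a different time zone.
SAMPLE_EMAIL_DATE = "Sat, 27 Sep 2008 10:06:30 -0400"

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) ')

def timeline(log_text, ip):
    """Return (utc_time, method, path, status) for one client IP, oldest first."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group(1) != ip:
            continue  # skip other clients and malformed lines
        local = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
        events.append((local.astimezone(timezone.utc),
                       m.group(3), m.group(4), int(m.group(5))))
    return sorted(events)

def last_event_before(events, email_date, window=timedelta(minutes=10)):
    """Return (event, gap) for the latest request preceding the email, or None."""
    sent = parsedate_to_datetime(email_date).astimezone(timezone.utc)
    earlier = [e for e in events if timedelta(0) <= sent - e[0] <= window]
    if not earlier:
        return None
    event = max(earlier)  # tuples sort by their UTC timestamp first
    return event, sent - event[0]

if __name__ == "__main__":
    events = timeline(SAMPLE_LOG, "203.0.113.45")
    for when, method, path, status in events:
        print(when.isoformat(), method, path, status)
    print(last_event_before(events, SAMPLE_EMAIL_DATE))
```

Read by wall clock, the last request (08:04) and the email (10:06) look two hours apart; in UTC they are 95 seconds apart.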

About a week before, I started a website in Lakeland Florida where all used car and buy here pay here dealers can post their vehicles online for free. The offending company is located throughout the East Coast and they offer low quality dealer websites for a cheap price. What I mean by “low quality” is the website itself will never show up in a search on any search engine because of its lousy coding. If the dealer doesn’t spend money advertising this website, they’ll be lucky if they get 5 visitors a day. The bottom line is they try too hard to be like autotrader or cars.com. Apparently they felt threatened by what I was doing.

I immediately picked up the phone and called the building. Now as I was dialing the number I started getting many confirmation emails for newsletter sign-ups. So now this nerd’s plan was to aggravate me by signing me up for spam. A woman at the building answered the phone. This is how the conversation went as far as I can remember it:

Me: “Hi, is your Internet Department working today”?

Her: “Yes They are”

Me: “Can I speak to the person that just sent me a threat and signed me up for spam please”?

Her: “Can I ask who’s calling”?

Me: “Yes, it’s Mike from PAWS Printing”

Her: “And who would you like to speak to”?

Me: “The person who just sent me an email threat and signed me up for spam”

Her: “Can You Hold Please”?

At this point we could see that the offender was back on our website. Then, he disappeared very quickly. Tracey and I were now laughing and we’re like BUSTED! Now she comes back on the phone:

Her: “Who is this calling again”?

Me: “Mike from PAWS Printing here in Lakeland”

Her: “What seems to be the problem”?

Me: “One of your employees just sent me a threat from your building. I tracked your IP address and it is coming from your company. So, could I speak with the person please”?

Her: “Can you hold again please”?

Me: “Absolutely”

About 20 seconds later she comes back on the phone.

Her: “Sir, you’re going to have to call back on Monday and speak to the internet manager, his name is Drew”

Me: “No, why don’t you have Drew call me. Here is my number……….”

Now Tracey and I were high-fiving each other because the person knows they just got busted!

Here Are A Couple Of Screenshots of my weblogs, recording every action they made:

This is when they submitted the fake order

This is when they were creating the account using my own name and address

This is when they first added the product to their shopping cart


He (or she) is obviously a coward. When they sent the threat they created an account using my information to let me know that they knew where I lived, and my phone number. Well, it’s been six days. When should I expect you?

I’m really not sure how I should handle this, but if this happened to you, What would you do?

I’ve been getting a lot of emails from tech-savvy people saying “anyone can do that”. This article really isn’t for you because you already know it. There have been over 30,000 people who read this article so far with some great feedback. I never say that I am a “security expert”, like someone implied. This is just a simple short story showing how a “non-IT Person” was able to track this behavior.

This post was written by admin on October 5, 2008

22 Comments so far

  1. Sarah October 5, 2008 4:39 pm

    Great work! I hope you contacted the police. Do you think you have a lawsuit?

  2. David G October 5, 2008 4:43 pm

    I’m not sure if he has a lawsuit, but the employee should be fired. A large company like that can’t afford to have a rogue employee on their payroll.

  3. Insanity540 October 5, 2008 9:56 pm

    Awesome work. I hope you called back and spoke to the manager on Monday.

  4. Robert October 6, 2008 12:20 am

    Get him FIRED!

    Someone like that needs their life destroyed.

  5. Dave October 6, 2008 9:12 am

    Surely you have a lawsuit under Fraud and Identity Theft as they were using your details and signing up for products in your name.

    The fact they were probably aiming it as a threat rather than to get goods & services at your expense shouldn’t matter. If anything that just adds intimidation to the pile.

  6. some guy October 6, 2008 9:23 am

    lol
    i would have gone one step further with his ip address

    go on their computer and tell them directly “i know what you’re up to”

    that’s usually enough to make them stop =P

  7. John October 6, 2008 9:28 am

    I must highly doubt about you telling the truth. You are a used car salesman ffs. It looks to me you are using this blog to get rid of competition.

  8. Dale October 6, 2008 10:51 am

    Definitely call the cops. What he did is called identity theft and I know it’s a felony at least, possibly a federal crime. If he did it that casually to you no telling how bad he can mess up others’ lives when he starts thinking he can get away with it frequently. Plus not everyone he will try and screw over will be able to track and find him so easy.

  9. admin October 6, 2008 11:08 am

    Responding To John:

    Obviously you didn’t read the post. I am not a used car salesman, and I never sold cars in my life. I did work for a dealer once as their internet director, but that’s it.
    The competition aren’t car salespeople either. I sell printing for a living and the used car website I started has no advertising and is free for dealers. It is for the public.

  10. Alison Robin October 6, 2008 3:26 pm

    That you have evidence is a good thing. If legal action is possible, take it.

  11. Keith October 6, 2008 3:29 pm

    Meh. The person has already lost, and by notifying the company, you did your part. Just be sure to submit a complaint and that it’s processed and noted by someone important. I wouldn’t consider it harassment unless it happened again. They didn’t steal anything important or do anything destructive, just being a jerk.

    I totally agree that the conduct is unacceptable, but this scare is probably enough to stop it, I would bet.

  12. Jinky Williams October 6, 2008 3:31 pm

    So, if I understand correctly, you are still waiting to contact “Drew”, right? Six days have elapsed since you communicated with the receptionist and they said to call back on Monday?

    I would take the high road, here. Communicate with the owner/president of the company, inform them that you have concrete evidence of the above assault on your privacy and are able to positively connect said actions with their company. However, state that you are prepared to give them the benefit of the doubt that they (the owner/president) were not aware of this, and you would like to give them the opportunity to handle this internally, that you are prepared to forget this incident in its entirety in relation to their company.

    However, make it clear that you consider the intent of harm against you to be a serious issue, especially considering they made the effort to physically locate you.

    Ask them what immediate and future actions they will take to rectify the situation and to make sure a repeat does not occur, either from that individual or from that company.

    I think this allowing them to save face will show significant charity on your part and, though you might not make a friend out of the deal, you at least will have gained some respect.

    That, I think, is what I would do, given my knowledge of the situation.

  13. thegnu October 6, 2008 6:22 pm

    I mean, it probably WAS the owner of the company. I’m from about 30 minutes away, and in case you are wondering, there are quite enough assholes in these here parts to be doing stuff like this.

    I would figure out some way to psychologically torture them. In fact, email me, and I’ll be glad to show up in person and participate a wee bit. Hooray.

  14. Zak October 6, 2008 8:49 pm

    Yeah dude, you definitely have a case, not only against the person, but possibly against the company as well.

  15. I hate Fraudsters October 6, 2008 9:59 pm

    Go after them. They probably mean it as a joke and need to be taught a lesson.

  16. Caitlin October 6, 2008 10:06 pm

    hahahah that’s great. good job.

  17. Bill October 7, 2008 5:00 am

    I would send this web site that you created (very nice BTW) to the police. Have them look at it and take action.

    You seem the crafty sort.. if no police action is taken, personally I wouldn’t stop, but that’s just me.

  18. jim sadler October 7, 2008 5:27 am

    They have a defense against legal action. You will have to establish that there was no covert splicing by a third party into their phone lines, no wireless modems or devices that could allow an unknown party to appear to come from their address. It seems more likely that a civil suit might work as opposed to a criminal case where a much stricter standard of proof would be in play.

  19. Shadus October 7, 2008 5:48 am

    Likely, the person wasn’t at all related to the IT department, it was likely coming from the company’s proxy/firewall. As a general rule I’d guess it was an executive/owner from the company based on my past experience dealing with tracking people down. This is a prime example of why you should always go through several proxies if you’re doing anything nefarious.

  20. Jaxx October 7, 2008 6:41 am

    You know, I do believe the FBI has a department for handling this. I forget exactly what it’s classified as, but a quick phone call and an email could be most gratifying.

  21. nerd/hacker October 7, 2008 2:53 pm

    Why call them a nerd? That is offensive to nerds everywhere. It would be like calling someone who robs an art museum and is dumb enough to get himself on camera an art professor. The fact that this person did not use a proxy reveals who they are: an idiot (almost the opposite of a nerd). Also, using access logs and WHOIS info does not make you a genius, anyone with a clue can do it.

    Sorry if this is offensive, but it just seems like you’re glorifying yourself for having “beaten a smart hacker” while insulting nerds/hackers in general when you really just busted an idiot attempting to hack, using very simple methods that nearly anybody could use.

  22. admin October 7, 2008 3:00 pm

    In this generation being a nerd is cool unless maybe you are still in high school.

    As far as “being a genius” about reading logs, do you realize how many people don’t know that? I’m just trying to say that there is still hope if someone messes with you.

    I never said I “beat a smart hacker”. I think we both know that they (whoever) is a moron. This post really isn’t meant for people like yourselves.
    I’m not trying to offend anyone by using the word nerd, but I’ve met these people before a while back. Their office stunk like BO and they all needed sunlight in a big way.
