On the 9th December 2019, I received an SMS that genuinely piqued my interest.
Ordinarily, I wouldn’t entertain any unsolicited offers but I am a luxury fountain pen fanboy, and Mont Blanc is a highly coveted name. Add to that, the SMS sender had a Sender-ID (i.e. QP-MONTDE, QP-MONTBI etc.), which (I believe) is not very easy to get – you have to prove that you own and run a business by that name.
FUN FACT: The QP in QP-MONTDE means that the SMS was sent using Videocon’s (Q) SMS gateway in Punjab (P). A list of sender ID prefixes can be found here: https://www.resellersms.in/help/sender-id/what-is-the-meaning-of-prefixes-like-qp-tx-ad-etc/
If I was going to order from this seller (reseller?) I had to be absolutely sure that they were genuine. That meant confirming that the website was genuinely associated with Mont Blanc. To do that, I needed to see what the URL, i.e. https://bitly.com/32AUdoP led to. Thankfully, I knew about bit.ly’s PLUS stats feature, where you can add a ‘+’ sign at the end of a bit.ly link to see details about the URL, i.e. by going to: https://bitly.com/32AUdoP+. As you can see for yourself, the domain name showed montblancindia.com, which seemed like something Mont Blanc might use for their India-specific site from a domain name perspective.
So, I went ahead, selected a pen I liked, and added the discount code.
That’s when I began to see the typical telltale signs of a fraud, such as incorrectly placed capital letters, spelling mistakes and bad punctuation.
The cautious thing to do here was to tweet at the official, verified Twitter handle of Mont Blanc (@montblanc_world) and get my suspicions confirmed. I got a reply from them, which confirmed my suspicions that this was, in all likelihood, a defrauding scheme of some kind.
As a customer, my first instinct was to forget the whole thing and move on. As a security researcher, I wanted to delve deeper into this defrauding scheme and figure out what their end-goal was. As a Mont Blanc fanboy, I wanted to protect my favorite brand of pens from being used as a scam-bait.
So, I searched for “mont blanc India” on Google, and, lo! The first result was this very site, i.e. montblancindia.com!
Now, you should know that having the first result on Google Search does not mean that a site is genuine. It simply means a site has taken efforts to do some Search Engine Optimization, i.e. to appear at the top of search results. However, the average guy would definitely consider this as a trustworthy development and assume that the site was genuine.
I decided to don the mask of a ‘trusting customer’ and selected a pen (again) for purchase. Only, this time, I ordered it using Cash on Delivery.
Not surprisingly, I got SMS confirmation as well as email confirmation of the order. However, the email went straight to my spam! When I dug some more, I found that the mail had actually come from montblancSindia.com – note the presence of an extra ‘s’ between ‘blanc’ and ‘india’.
A quick whois query reveals that this domain, i.e. montblancSindia (with the S) is privacy protected and hosted behind Cloudflare, but the main domain, i.e. montblancindia.com (without the S) is registered by, well, let’s just say NOT Mont Blanc!
Another interesting thing I could note was that montblancSindia.com (the domain from which I received the email) hosts its mail server on Office365, i.e. they don’t mind spending some money on keeping this operation running…
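The one-letter difference between the site domain and the e-mail sender domain described above can be checked mechanically. The following Python sketch is an added example, not part of the original post; the sample message, the `orders@` local part, the function names and the distance threshold are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: only the sender domain comes from the post.
SAMPLE_EMAIL = """From: Orders <orders@montblancsindia.com>
To: customer@example.com
Subject: Order confirmation

Thank you for your order.
"""


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert, delete, substitute) with a two-row table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(raw_message: str) -> str:
    """Domain part of the From: header, lower-cased."""
    msg = message_from_string(raw_message)
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower().rstrip(".")


def classify(sender: str, expected: str, max_distance: int = 2) -> str:
    """Compare a sender domain with the domain the reader expected."""
    sender, expected = sender.lower(), expected.lower()
    if sender == expected or sender.endswith("." + expected):
        return "match"
    if edit_distance(sender, expected) <= max_distance:
        return "lookalike"      # e.g. one inserted letter
    if expected.split(".")[0] in sender:
        return "embeds-name"    # expected name plus extra words
    return "unrelated"


if __name__ == "__main__":
    site = "montblancindia.com"   # domain the order was placed on
    mail = sender_domain(SAMPLE_EMAIL)
    print(mail, "vs", site, "->", classify(mail, site))
    print(site, "vs montblanc.com ->", classify(site, "montblanc.com"))
```

Edit distance alone catches the inserted ‘s’ but not a domain built from the official name plus an extra word, which is why the sketch has a separate `embeds-name` result.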
Along with SMS confirmation, I also received a message in WhatsApp from a Business account that had its name set as ‘SB’. If there wasn’t enough suspicion about this whole thing, this certainly should trigger it in any average person. I mean, why wouldn’t Mont Blanc India choose to put their own name on their WhatsApp Business account?
Now, I was one hundred percent sure that this was definitely a fraud but I had already decided to play along, so I continued to do that and decided to update my experience in the same Twitter thread that started this investigation. Here’s a link to the thread: https://twitter.com/rohit11/status/1204251790478172162
After the message on WhatsApp, I got a call from a local cell number ‘to discuss’ my order. The person on the other end of the line offered an ‘additional 6% discount’ if I paid them online via GooglePay/PayTM.
My fraud detection meters instantly went crazy because, as everyone knows, if you pay using a wallet, UPI, or netbanking, the money is instantly deducted from your account and is very difficult to get back. There are no chargeback policies offered by any of the vendors in case you accidentally send money or if you happen to fall for frauds like these.
[CONTEXT] PayTM and Google Pay are payments apps (similar to Venmo or CashApp) that are highly popular with Indian users. Accounts on these apps are identified using mobile numbers and you never get to see any bank details while sending or receiving money through these apps.
Typically, in most vishing scams, the caller doesn’t display good command over language. Their intention is to get you to commit to the scheme and defraud you of your money. In this case however, the person I spoke to over the phone seemed well-educated and spoke fluent English. It might have made some people assume/believe that this whole thing was actually run by a classy establishment, and not a fraud scheme.
I decided to stump the person calling me by telling them that I had already tweeted about it to Mont Blanc and was told that TataCliq was the only authorized reseller. I received a reply saying that they were actually calling from Richemont India and they were clearing their 2017 stock. This is very believable, but it is, most likely, a blatant lie. BTW, there is a possibility that all of this is true, but the point to note is that their actions are very much fraud-like.
So, I asked for their money transfer account instead of GooglePay/PayTM. This seemed to fluster the person at the other end of the line but, to their credit, they recovered immediately and ‘informed’ me that the account details they would give me would be those of Richemont India, which deals with reselling luxury products in India.
Here’s an important note for all of you out there: If you ever find yourself in a similar situation, NEVER agree to send money to a ‘different’ account, regardless of what excuses you are given.
I adamantly insisted on Cash on Delivery and hung up.
Around 15 minutes later, I got another call, this time from a non-Indian number (+41225480350), with the caller speaking in an obvious Indian accent but, again, in very polished English. The caller informed me that he was calling from the Swiss office of Mont Blanc and repeated the same story, i.e. “it is old stock”, “having a clearance sale and 2 year international warranty”, etc.
When I confronted them about the tweet, I was told that the ‘twitter handle is managed by Amazon as Mont Blanc is an Amazon company now, they don’t want any local reseller and want to sell only via Amazon.’ I’m paraphrasing here, but this was essentially the gist of my conversation with the caller.
Naturally, I immediately tweeted this to the official verified handle of Mont Blanc on Twitter and immediately got a response from them:
A day later, I got a call from another unknown number telling me that my order was dispatched and will reach me soon. The caller insisted that opening the delivery was not allowed before paying the cash to the delivery guy. I was surprised by the insistence on the condition because it is a well-known fact – products are not handed over to customers until the money is handed over. The caller insisting upon this raised another red flag in my head.
At this point I counter-insisted that I wouldn’t pay without opening the box and confirming that the product is genuine. The caller then informed me that it was not possible and that they were returning the package. This was probably meant to instill a sense of FOMO – Fear Of Missing Out – in me, to make me reconsider but I stayed adamant and hung up on the call.
The next day, I received a message on WhatsApp from an unknown number, with the account details claiming to be “Delivery Care Team”.
I reiterated my stance that I wasn’t going to pay unless I was allowed to open the box, to which I received no response. The only update I received in that chat was a message saying that my package was out for delivery.
[CONTEXT] Although e-commerce deliveries in India are managed by private firms or courier services, none of them have sent me any messages of this kind over WhatsApp, AFAIK.
As of today, the status hasn’t changed. I got a call today as well saying the package is out for delivery, and that I can pay via cash as the card-swiping machine is not available with the delivery person. I continued to insist that I won’t accept without opening the package, to which the caller seemed to relent. They said they would instruct the delivery person to allow me to open and inspect the contents of the package – a violation of the standard delivery process.
Let me reiterate that: This person, who was at first insistent that they could not violate the standard delivery protocol, was now suddenly okay with violating it, as long as I was ready to pay the money and accept the product. RED FLAG!
The delivery guy still hasn’t come around yet, so all of this still remains unresolved. However, I called up the toll-free number (+1-800-995-4810) I found on the official Mont Blanc website (i.e. montblanc.com) and told them my story. They told me that they were aware of this fraud and that they were indeed taking legal action against this Indian company.
That, sadly, is where things stand as of this moment. If there are any updates to this story, I will certainly add them to this article, as and when they happen.
A Few Observations:
The cost of the pen I purchased is about INR 11,000 (around $130) after ‘discount’, which puts the pen in the ‘luxury goods’ category. In other words, a typical buyer of this pen is likely to be a highly affluent individual, and not the average person who falls in a middle-income bracket.
Sadly, in most cases, these affluent buyers are often either in a hurry, or extremely gullible and, therefore, unlikely to be very cautious. They are highly unlikely to see any of the warning signs that I happened to see, much less go looking for them. If (or, when) they do end up getting defrauded, the affluent buyer will (most likely) ignore a loss of INR11,000 rather than going after the fraudsters. The fraudsters, however, stand to make a good chunk of money. For a fraudster, that makes the perfect mark – someone with tons of money to spend and little to no motivation in recovering any of their sunk cost.
A quick glance at the bit.ly data linked earlier in this article shows that the link in the SMS was clicked by around 25000 people (and counting) since early November. Even if you assume a 1% conversion rate, i.e. 1% of people purchasing these pens online, that’s 250 people losing money to this (evidently) fraudulent scheme!
The fact that these fraudsters INVESTED money in purchasing domain names, privacy features, web-hosting, email servers, premium SMS services and the ability to call from an international number, and hired seemingly well-educated employees, tells me this isn’t their first rodeo and it most certainly won’t be their last.
There is a 1% chance that this is a genuine operation by Richemont India clearing their old stock and, if it is, they are certainly handling the operation in a very, very wrong way. They need to take a session on how to handle things properly in ecommerce.
UPDATE – (21st Jan 2020)
montblancindia.com is offline and montblancsindia.com is selling shoes online. Maybe they have moved over to the next scam.