We helped a retiree win back her money from a PayPal-UPS scam - and uncovered a network of 39 scam sites
Retiree Isabelle Taylor, who is on a fixed income, unknowingly fell for a scam when she tried to buy vitamins online. When she went to PayPal to report the fraud and get her money back, they denied the claim. Luckily, after she contacted CyberNews, PayPal returned her money as a “goodwill refund.”
However, when we began to dig into the scam site that stole her money in the first place, we found that it’s actually just one member of a network of scam sites all purporting to sell vitamins and other nutritional supplements. This CyberNews investigation looks into the aspects of this group and what we can learn from them.
Falling for the scam
On April 1, 2020, Isabelle Taylor was intrigued by three products from the nutrition supplement company Garden of Life on a website called gardenoflifego.com. They were discounted at a great price – while normally she’d have to pay about $125, this store was selling them for less than $80.
She didn’t consider anything strange about the transaction. “Nothing on this website stood out as suspicious to me,” Taylor told CyberNews. “However, I remember thinking that Garden of Life is owned by Nestlé, so there must be an agreement between the two of them, to allow the website owner’s use of the ‘Garden of Life’ name.”
Within minutes of paying with PayPal, the seller provided her with a UPS tracking number for her package. The only problem? The UPS tracking number was for a product that had already been delivered days earlier.
When Taylor received the tracking number, she checked it on UPS’ website. She discovered something odd: the tracking number was for an item that had been sent ten days earlier, and delivered five days before Taylor even ordered the Garden of Life products.
Immediately, she tried calling the seller, but the number didn’t work. Next, she tried emailing them but never received a response. She went to file a fraud case on PayPal, but discovered there was no fraud filing at all, so instead she filed an unauthorized use case, and waited for help that never came.
When she went to check back on the seller’s website, it was no longer working. Even worse, PayPal refused to refund her because the seller had provided them with a tracking number – the one that was for an older item – and they sided with the seller.
A few months later, Taylor contacted us after reading our article on how the 73-year-old former technician John Richards was able to stop scammers from stealing his money in a complex PayPal-Facebook scam.
“Being a grandmother, a volunteer and a young retiree on a fixed income,” Taylor told CyberNews, “I have to be wise in my monthly purchases.”
When we contacted PayPal, a spokesperson told CyberNews:
“In this case, Ms Taylor opened a Buyer Protection claim when her purchase didn’t arrive. When we consulted the seller, they were able to provide tracking information, and as a result we rejected her claim. Given the time that has passed, we are no longer able to verify Ms Taylor’s claims in relation to this tracking information being suspicious. However, we have issued a goodwill refund to bring the dispute to a positive resolution.”
While Taylor is happy to have her money back, she is disappointed in how PayPal dealt with the entire affair. “Through every step of my claim process, I felt PayPal failed me as a customer.”
Following the scammers
The original scam site that stole Taylor’s money, gardenoflifego.com, had already been taken down by the time she approached CyberNews. However, there was an archived version of the site available on the Wayback Machine.
Unfortunately, the archived version of the site did not include the address and phone number Taylor claimed did not work when she tried to call them. A search on our side for those contact details proved fruitless.
But when we analyzed the site, we noticed there were a few aspects that could lead us to find more information about the scammer or their operation. The archived Terms of Service page led us to a very specific address in Atlanta, Georgia:
When we searched for this address, we came across another site – colovitamins.com – that had the same address in its Terms of Service page. This live site also sold Garden of Life and other nutritional supplement products. However, it did not appear to be officially connected to the nutritional supplement company at all, even though it had the Garden of Life logo and details in the site’s footer.
Beyond that, colovitamins.com seemed to be a duplicate site of gardenoflifego.com. We ran its IP address through the VirusTotal Graph and discovered that there were 37 websites on the same server that appear to be connected to this cluster of scam sites. There also seem to be related malicious files (seen on the right side of the graph below, in red).
VirusTotal Graph visualization of the apparent scam cluster
We then noticed that a lot of the sites were connected to a site called “vitamincheapest.com”. Many of the sites either still have the logo for VitaminCheapest, or contain the email address “[email protected]”. When we searched for these keywords, we were able to add another 16 sites to the 37 discovered through the VirusTotal tool, for a total of 53 sites.
While some of these don’t seem to be directly related to fake online shops, we’ve identified 39 fraudulent sites claiming to sell Garden of Life products, as well as some dog food and book resellers, that we believe are also scam sites.
After analyzing all the live sites from the scam cluster, we noticed that these fake Garden of Life/supplement sites have a few standard features. Design-wise, they have footers that explicitly show the Garden of Life logo, and their site logos use a similar style of “vitamin” or health-related blue and green icons.
The scam site that stole Taylor’s money, gardenoflifego.com, had the following logo:
Two other sites within the scam cluster followed the same blue and green design idea, although they simply used the same logo:
Much like with the gardenoflifego.com site, the contact information included in the footer of these sites appears fraudulent – the phone number was invalid and the email went undelivered:
The duplicate Terms of Service pages on the other sites also have the same Atlanta, Georgia address:
The Atlanta address appears to belong to a multi-unit home, which likely does not have any connection to the scammers.
We notified the scam site’s hosting provider, Leaseweb USA, of their phishing activities but haven’t received any response from the hosting provider yet. Nonetheless, it seems that Leaseweb has now taken one of the remaining live scam sites offline.
Unfortunately, the majority of the domains that had initially been taken down seem to have found different hosting providers and are back online. The scam group has now redesigned their websites from being vitamin and supplement-related online stores to default, unedited website templates:
This appears to be a lightly modified version of the free Start Bootstrap theme named ‘Creative’.
We will continue to monitor this scam cluster to see how they update their websites. A full list of the confirmed or suspicious scam domains is included in the table at the end of the article.
How does the PayPal-UPS scam work?
This scam is less complicated than the PayPal-Facebook scam we wrote about earlier.
In this scam, the victim first has to buy an item from a fake website. (Of course, the victim believes they’re buying their favorite product from a legitimate seller.) They are forced to buy the item with PayPal, but because the price is so low, they ignore this red flag.
The payment isn’t immediately credited to the seller’s PayPal account. Because the scam seller is using a suspicious or new account, PayPal puts a hold on the money until they can prove that they’re sending the item to the buyer. The scam seller then submits a (fake) UPS tracking number to PayPal, and PayPal accepts this as proof that the item has been shipped.
The victim gets this tracking number and waits for the package. When the package doesn’t arrive, she realizes that it’s a scam but by then, the scammer is long gone.
This particular scam has likely hit thousands of victims since it was first reported as early as June 2019. According to this PayPal Community forum complaint, the fraudulent Garden of Life scammer at gardenoflifego.com has affected at least 8 people, while zalosupplements.com has one complaint and cozgarden.com has another 8 complaints.
On UPS’ side, it is uncertain how scammers are getting a hold of genuine, but “used” tracking numbers. On blackhat forums, various tracking numbers are sold online. However, we are not sure how scammers are able to sort these tracking numbers by city, as Taylor’s fake tracking number was actually valid for her city.
One thread on a related PayPal scam does shed some light on how tracking numbers work though. In offering their scam services, a blackhat seller mentions that they can deliver tracking numbers within 7 minutes if the blackhat buyer sends the victim’s name, address, city, state and zip code:
This implies that these fraudsters are somehow able to access zip code-specific fraudulent tracking numbers and provide that within minutes.
When we asked UPS for comment on the scam, Glenn Zaccara, Director of Media Relations at UPS, told CyberNews:
“This situation has been correctly labeled as a “scam” and a result of fraudulent behavior by bad actors. UPS has resources dedicated to preventing, identifying and stopping fraudulent activity. We do not disclose those methods to maintain their effectiveness.”
When we asked specifically about Isabelle’s case, or if it’s possible that someone inside UPS is potentially working with the scammers, Mr. Zaccara told CyberNews, “We have investigated and have not found any evidence suggesting an internal UPS source.”
In other versions of this scam, the cybercriminals may also ship empty boxes or envelopes to the victim’s real address. This would cost them a little extra effort and time, but it would provide them with a real tracking number for the item delivered to the real address.
Why PayPal tends to side with the sellers
In all of these complaints, and especially in Taylor’s case, PayPal has tended to side with the seller – even when the evidence clearly indicates that the sale was fraudulent.
In fact, one FAQ about a related PayPal scam from a blackhat forum helps shed light on why it is so successful:
According to this service offering, one way to avoid holds and limitations is to use tracking numbers, which PayPal will broadly accept as proof of sale and allow the scammer to win the disputes.
You see, when a seller provides “digital or physical proof that the item was sent by the seller, and proof that the item was delivered by the delivery company,” PayPal’s Seller Protection program kicks in and protects the seller, who in this case is the scammer.
Based on the wording, it appears that PayPal’s Seller Protection program is loose enough that a fraudulent UPS tracking code would be “digital proof” that the item was sent and “delivered by the delivery company” – even if it was sent to the wrong address and delivered five days before the victim bought the item.
In Taylor’s case, she had proof that the UPS tracking number was fraudulent, which in common sense terms should be a clear-cut case of fraudulent activity. However, in a copy Taylor shared with CyberNews, PayPal’s final email to her simply stated:
“We have reviewed this transaction(s) and are denying your case(s). This decision was made because we received shipment tracking from the merchant confirming that the merchandise was delivered.”
While PayPal have refunded the money to Taylor, they have done so as a gesture of “goodwill,” rather than as a correction for an error on their side. In an email to CyberNews, a PayPal spokesperson seemed to imply that the presence of a tracking number is cause enough to reject any Buyer Protection claims:
“When we consulted the seller, they were able to provide tracking information, and as a result we rejected her claim.” – A PayPal spokesperson to CyberNews
This comment does not address the logical issue of how a tracking number, for an item shipped 10 days earlier and received 5 days before the item was ordered, was allowed to be used as proof of sale.
This presents a significant loophole for scammers to use PayPal as a gateway for stealing money from more people. Unfortunately, UPS tracking numbers can easily be bought on blackhat hacking forums. Furthermore, as these sites can be easily duplicated when one site shuts down, fraudsters involved in this particular PayPal-UPS scam seem to have no reason to stop.
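The consistency check that was missing in Taylor's dispute can be sketched in a few lines. This is an added example, not PayPal's or UPS's actual logic: the class and function names are hypothetical, the dates follow the timeline described above, and the postal code is a constructed placeholder. It shows that a destination match alone passes a reused tracking number, while comparing the carrier's dates with the payment date rejects it.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional


@dataclass
class Order:
    paid_on: date            # date the buyer paid
    ship_to_postal: str      # postal code of the buyer's delivery address


@dataclass
class TrackingEvidence:
    shipped_on: date              # first carrier scan
    delivered_on: Optional[date]  # None while the parcel is still in transit
    dest_postal: str              # destination postal code reported by the carrier


def evidence_problems(order: Order, ev: TrackingEvidence) -> List[str]:
    """List the reasons this tracking record cannot prove delivery of this order."""
    problems = []
    if ev.shipped_on < order.paid_on:
        days = (order.paid_on - ev.shipped_on).days
        problems.append(f"shipped {days} days before payment")
    if ev.delivered_on is None:
        problems.append("no delivery scan")
    elif ev.delivered_on < order.paid_on:
        days = (order.paid_on - ev.delivered_on).days
        problems.append(f"delivered {days} days before payment")
    if ev.dest_postal != order.ship_to_postal:
        problems.append("destination postal code differs from buyer address")
    return problems


def accepts_as_proof(order: Order, ev: TrackingEvidence) -> bool:
    """Tracking counts as proof of delivery only when no problem is found."""
    return not evidence_problems(order, ev)


# Constructed sample: dates follow the article's timeline, "00000" is a placeholder.
SAMPLE_ORDER = Order(paid_on=date(2020, 4, 1), ship_to_postal="00000")
REUSED_TRACKING = TrackingEvidence(date(2020, 3, 22), date(2020, 3, 27), "00000")
GENUINE_TRACKING = TrackingEvidence(date(2020, 4, 2), date(2020, 4, 6), "00000")

if __name__ == "__main__":
    # The reused number matches the buyer's postal code yet fails both date checks.
    print(evidence_problems(SAMPLE_ORDER, REUSED_TRACKING))
    print(accepts_as_proof(SAMPLE_ORDER, GENUINE_TRACKING))
```
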
Full list of scam websites
Below you will find the full list of the 39 confirmed or extremely suspicious sites we uncovered as part of the Vitamin scam cluster.
You will find the Domain, the Current status, and the Type of site. The Current status describes the status of the site based on our most recent checks. There are generally four types:
- Live scamming site – this site is currently an active site claiming to sell vitamin or nutritional supplements. Here is an archived example.
- Template site – this site has a default template that has been very lightly edited. An archived example of such a site can be found here.
- Previously live, now Template – this site was previously a Live scamming site, was taken down at some point, and has now been resurrected as a Template site.
- Currently down – this site is currently down.
When it comes to the Type of site, most of these sites are involved in selling vitamins or nutritional supplements. However, three sites are of an unknown nature, one is a bookseller, and two remaining ones seem to sell dog food.
Due to the nature of this network, these sites are constantly going down, returning, and changing statuses.
| Domain | Current status | Type of site |
| --- | --- | --- |
| healthzolo.com | Live scamming site | Vitamin |
| gardennewchapter.com | Live scamming site | Vitamin |
| zalosupplements.com | Live scamming site | Vitamin |
| gardenoflifego.com | previously Live, now Template | Vitamin |
| colovitamins.com | previously Live, now Template | Vitamin |
| ongardenlife.com | previously Live, now Template | Vitamin |
| saxgarden.com | previously Live, now Template | Vitamin |
| laxvitamin.com | previously Live, now Template | Vitamin |
| susgardenlife.com | previously Live, now Template | Vitamin |
| lipvitamin.com | previously Live, now Template | Vitamin |
| hexsupplements.com | previously Live, now Template | Vitamin |
| vitaminchapter.com | previously Live, now Template | Vitamin |
| zoigardenvitamin.com | previously Live, now Template | Vitamin |
| mochasupplements.com | previously Live, now Template | Vitamin |
| omegarvitamin.com | previously Live, now Template | Vitamin |
| zilcollagen.com | previously Live, now Template | Vitamin |
| mixcollagen.com | previously Live, now Template | Vitamin |
| zolvitamins.com | previously Live, now Template | Vitamin |
| vitaminmecola.com | previously Live, now Template | Vitamin |
| artdesigntb.tech | *Site that needs to be configured | Vitamin |
| chloewilliams.com | Template site | Other - Unknown |
| kianawilliams.co.uk | Template site | Other - Unknown |
| bookdepositori.com | Template site | Other - Books |
| dryadultdogs.com | Template site | Other - Dog Food |
| dogfooddry.com | Template site | Other - Dog Food |