I think I may have figured out the scam. I say "may" because what I'm about to tell you may not even be related (in which case I really need to look for the lesson in all of this!)
Part of the oddness of the identity theft has been that the amounts that were charged to my card were very small: $1, $3.25, 6.95--like that. And most of them were through rebillers for membership sites, not the actual company selling a product. My banker and I scratched our heads over it.
And then last night, in the mail, came a bottle of penis-enhancing pills (I really couldn't make this stuff up, yanno?). They were sent to me, at almost my exact address (the street number was off). I guess my mailman thought he was being a good sort and delivered them.
So, I followed the bread crumbs backwards. Went to the website for the product and called the customer care number listed there--turns out to be the billing folks for the company that makes the pills. Further conversation clued me in to the fact that the pills cost $4.95, and were part of a free trial offer that also enrolled a person in a "club." The club (if you didn't return your sample pills w/i a month and cancel your membership) would then auto-ship more pills (and charge your card) on some set schedule.
I told them what had happened, and they shut down the account, so no more pills would ship or be charged.
Then I went to the actual company's web site (puremeds.com if you care to look), and it's all about internet sales for affiliates. What I learned there is that they pay an affiliate $20 for every sample bottle of pills the affiliate sells. And that, I think, is the game.
The hackers make a purchase through an affiliate ID, charge a card for the low "free sample" price (usually just the S&H), and pocket a much larger payout. Sneaky.
So I sent an email to the company with the subject line: I suspect one of your affiliates is committing identity theft! I went on to tell my story, and asked them if they would provide me with any info they had about the person who placed the order, and/or the affiliate who received the payout. And they told me everything they knew. Here's where it gets really crafty.
The order was placed by an ATT DSL subscriber in St. Louis. It was placed through the affiliate ID for someone in China. I was listed as the billing and ship-to person. The phone number was for a plumbing company here in my town that I've never heard of or dealt with. And the credit card used? Well, all I know for sure is that it wasn't mine.
So I think the game is to place a lot of these free offers (that set people up in memberships with recurring charges) to get affiliate payouts. They mix up the ordering info in the hopes of confusing everyone. I received the product, but it wasn't charged to my card. Someone else got the charge, but never a product--and if that person's bank traces things back, it will look like I received the product and I'm the hacker.
I'm taking this info to my banker. I'm hoping she can put me in contact, directly, with their fraud department, because I feel certain that this story would make sense to someone who deals with this stuff all day, but probably will utterly confuse my banker.
If any of you have faced anything even remotely like this, please let me know. It gets a little scarier for me now that I know they have my name and address (not exactly the right address, but pretty darn close).