Zeek Rewards Exposed: OFAC, DDOS and compliance

Zeek Rewards banned members from several countries in early April after experiencing an 85% fraud rate in its site transactions. The company initially cited "government policies" and later claimed the Office of Foreign Assets Control (OFAC) mandated the bans. OFAC, a US Treasury Department agency, denied administering sanctions against the listed countries, which included Serbia, Slovenia, Belarus, Egypt, Croatia, and Macedonia.

Internal information indicates the bans were a response to widespread fraud, not OFAC sanctions. In January 2012, hackers breached 1.5 million Visa and Mastercard numbers, which fraudsters then used on Zeekler auctions and bid purchases. Zeekler's business model and technology were easily exploited, allowing fraudsters to cash in on stolen card numbers at an unprecedented scale.

Zeekler lacked adequate fraud protocols to identify the activity immediately. Payment gateways with established fraud detection systems cut off Zeekler due to the high volume of fraudulent transactions. To regain payment gateway access, Zeekler chose to block entire countries where most of the fraud originated, rather than addressing the underlying vulnerabilities.

The company compounded its problems by falsely blaming OFAC. When that explanation failed, Zeek Rewards attributed issues to a distributed denial-of-service (DDOS) attack. Publicly announcing a DDOS vulnerability reportedly drew attention from amateur hackers, potentially escalating attacks.

Alberto Mujica, an associate of CEO Paul Burks, sent an email on April 10 detailing a DDOS attack involving approximately 4,000 IP addresses consuming 2.5 gigabits per second of bandwidth. Zeek's primary defense involved blocking these IPs, a method often ineffective against botnet swarms.

The initial fraud problem was not resolved by blocking IPs, as the system's vulnerabilities remained. Because Zeekler failed to follow Visa's guidelines for handling fraud, payment gateways stopped processing transactions for the company. This forced Zeek Rewards to process affiliate payments manually. The company has since struggled to explain why members cannot use credit cards for certain actions, only stating that it made the decision to stop accepting them, rather than acknowledging that it was cut off.