Rebate Tracking OSINT Techniques

On my show this week, I discussed my recent experiences with online rebate tracking. The episode can be heard HERE. I find this technique more “interesting” than valuable to an investigation, but you might locate a nugget of information which assists you. As an example, let’s look at Menards. Menards is an American home improvement company which pushes rebates in order to make products appear low-priced. When you buy a product, you can retrieve a rebate slip and mail it off. In a few weeks, numerous checks in small amounts begin arriving at your home. This game provides small discounts, but at what risk? This is where the online rebate center comes in.

Let’s start with a visit to https://rebateinternational.com/RebateInternational/tracking.do. This page allows you to enter a first initial, last name, numeric portion of an address, and postal code of your target. This result appears similar to the following.

We now see the purchased items, purchase dates, rebate amounts, and payment details. This gives us a glimpse into the shopping habits of the target and could lead to patterns of behavior which might expose someone’s routines. It could also provide pretext value. I could initiate an email phishing attack focused on a specific purchased item announcing a problem with the rebate. That would be so targeted that the recipient would probably click whatever link I sent. This rebate service even stores all purchases within a static URL which is prone to abuse. If my name were Michael Smith and I lived at 1212 Main Street in Houston, Texas, my URL would be the following.

https://rebateinternational.com/RebateInternational/trackResults/M/Smith/1212/77089

Note that this URL does not require any credentialing and is open to brute-force scraping. Next, let’s take a look at Lowe’s home improvement. They offer a rebate confirmation website at https://lowes-rebates.com/en-us/RebateStatus which allows entry of a cellular number or home address, as follows.

This allows us to potentially translate an unknown cell number into a name and address or vice-versa, as well as obtain shopping history of the target. These two examples are only a small selection of the possibilities. On the show, I explained how I tracked shoppers through the portals for Micro Center, Budweiser, Miller, Kohls, Auto Stores, and other retail establishments. I have found the following three Google searches to assist with finding companies which offer similar options.

https://www.google.com/search?q=intitle:”rebate center”
https://www.google.com/search?q=“track+my+rebate”
https://www.google.com/search?q=“track+your+rebate”