🚨 WARNING: FRAUD ALERT 🚨

That issue was years ago and has ZERO to do with the current issue.
My card was compromised after a purchase at Canadian Tire, should I drone on about it till the end of time?
I dunno. Only you can answer that question about how long you should drone on.

I only made a post about how I was frauded after a purchase, like many others.
 
I bet all of this will be traced to Brampton
A lot of these are happening from overseas.

Perusing the fake site, I was disappointed not to see AR15’s and handguns for sale.

At the very least the fraudsters could have added value by making me nostalgic, as other fake sites have.
 
Do you realize that this "issue" has absolutely zero to do with the store, and there's zero they can actually do about it, other than giving you a warning out of courtesy?
Wow, I’m pretty sure this was an ongoing issue for years and nothing was ever mentioned. I’m pretty sure they have lost a lot of credibility.
 
Pretty sure you joined CGN yesterday, just to schitt on FOC
I don’t think FOC needs any help on sxxting on themselves. After the first fiasco with who knows how many credit card breaches? The amount of members just on here that went thru many problems getting things straightened out, is enough for most that dealing with them ain’t gonna happen. If you like to continue doing business with them that’s fine but don’t condemn those who don’t share your point of view!!
 
I refuse to purchase anything from FOC due to the endless horror stories I’ve heard from individuals who have fallen victim to credit card fraud (often multiple times) buying from this dealer.
 
https://www.whois.com/whois/firearmoutletcanada.store

File a police report and notify authorities of the fraudster.

The perp can be easily ID'd from the domain registrar if LE submits a warrant for the registrant details.
I hate to be the bearer of bad news, but I work mostly frauds these days (since I recently became a station cat) and they’re often originating in jurisdictions that are uncooperative, and/or are nearly impossible to find the individual(s) responsible.

It’s unlikely the Police will take a report, or author a warrant.

Fraud is rampant and police aren’t investigating anything unlikely to lead to a suspect, and possibly a conviction.

It just isn’t happening.
 
Unfortunately true to what you stated.

However, USA jurisdictions take such fraud more actively than the folks in Canada and have the resources to pursue.

And yes it would be a long road to legal justice.

It would be easy to ID the perp via the domain registrar and ISP and available OSINT.
 
I agree with this poster's sentiment... They put out a fraud report when it affects them, not when they screwed over customers by not informing them that their credit cards had been breached.

I hope this company fails.
100% agree with you on FOC not notifying their customers when their CC system was hacked.

Disagree with you on wishing them to fail. The industry is tough with this BS Gov antics and wishing a business to fail is only going to accelerate the death of the firearms sector in Canada.
 
Rewritten: there's simply no value to creating a bigger dumpster fire than this has already been crafted into.

Let's walk through the implications of this sensitive data exposure and try to set a rational tone:
  1. Reputational damage resulting from fraud is a real thing.
    1. FOC is a fellow victim in this case. Not a perpetrator.
    2. FOC has suffered reputational losses that led to financial damages. Damages that almost certainly exceed their affected customers' inconvenience. I can promise you -- they feel your pain.
    3. No evidence exists that FOC is in any way complicit (through action or inaction) in facilitating the incident.

      So on the basis of these 3 points can we agree to be careful not to 'kick the wrong dog' here?
      Threat actors did this. Put that anger where it belongs...

  2. Business maturity is also a real thing.
    1. The Business Maturity Model (BMM) describes an Organization’s posture and ability to react to a security incident including but not limited to their ability to communicate risk with their clients.
      While FOC is responsible for their own reasonable standards of care for data in their possession it just isn't reasonable to try and hold them to the same standards as Mastercard or VISA.

      Let me expand on that second point a bit further...
A Business' Maturity level directly impacts their ability to deal with risk. In this case - the compromise of data Confidentiality that led to fraud. Is the incident painful? Yes. But a low state of maturity is more akin to 'growing pains' and operational realities than it is to negligence. And it is a world away from the shade some folks have attempted to throw on FOC.

Let's be clear on overall scope of what we're talking about here...

FOC almost certainly:
  1. lacks a Board of Directors to manage risk to the business and drive governance. BoD's are a thing for large, publicly traded entities - not sole proprietorships or partnerships.
  2. doesn't have a CISO mismanaging some Information Security program that they can fire for negligence.
  3. aren’t a major corporation with deep pockets that can afford to implement ISO-27001 compliance
  4. don’t have a Security Steering Committee exercising oversight to push for PCI-DSS compliance measures as treatment for the credit exposure.
  5. don’t have an Incident Response Team or SOC that can respond to the event.
  6. lacks the infrastructure or budget to afford a SIEM integrating XDM/ to correlate logs, the analysts to investigate root cause or an XSOAR to automate incident responses; and
  7. has about the same expectations for response from law enforcement. Calling the RCMP. I did that. In my official role with a much larger (3500 employee) company. Do you have any idea what it costs the RCMP to successfully prosecute a Cybersecurity incident when the threat actors are IN Canada? Let me help you out here. It is substantial.
It would be quicker to enumerate what they do have:
  • There’s a point of sale terminal or two.
    Provided by a 3rd party vendor who hopefully meets some governance standard on at least a few of the things I pointed out above, but who knows for sure.

    Western adoption and compliance for IS security is abysmal. Zero bull####. It's a real issue…

  • And there is a computer system.
    That might be maintained by a one man show.
    Who (let's be honest here) likely repaired dish washers for a living just 5 years ago.

Tell me I'm just wrong here...

I attended a course this week for NIST 800-82 compliance (securing OT Networks - think gas plants, factories, pipelines, etc).
It is put on by a recognizable name in the Security industry space. One keynote was that some 95% of Enterprises (companies lacking the sophistication of Saudi Aramco or BP) fail to meet the levels of protection that they actually know are required by Law, Regulation or Industry Standard.

Exposure issues with sensitive credit detail that resulted in fraud attempts aside, FOC has a completely separate, domain squatting issue. Another fraudster is targeting (yes, targeting) the vendor and they are the victim of yet another crime.

Gentle reminder for a more enlightened perspective here.
  • Fraud is rampant
  • Law enforcement, Jurisprudence, Legislators and Industry Regulators alike are struggling to address the threat
  • You are guaranteed personal liability protection by the Canadian Bank Act and consumer protection laws.
  • FOC is a partner in our community. Not an adversary.

We can do better than this...
 
Thanks for all you do for the community FOC.

Best of luck navigating 2025. Your market is a challenging space and the water is full of sharks.

Maybe think about reaching out for some help with risk management to your regional IS community to address some of your blind spots.
It doesn’t have to be all that difficult to adopt a 4 step approach to improving IS and move towards a stronger security posture.
 