
MGD

Ebook websites, fraud charges, Devbill/DigitalAge/Pluto

This thread was born from this security forum thread: »Unauthorized charges - digismarket & mfbpsite and specifically this post: »Re: Unauthorized charges - digismarket & mfbpsite

There is far more here than first meets the eye! digismarket.com and mfbpsite.com card fraud are only the tip of the iceberg. They are just a fraction of a criminal operation run by a well organized, sophisticated, multi divisional, vertical crime syndicate. That conclusion is the result of tracking and analyzing this syndicate's operations for over two years. They have been running this large criminal enterprise for at least 4 to 5 years, if not longer. Most importantly, it is driven from routine unfettered access to consumers' card account data by this Eastern European crime syndicate.

How long has this been going on? How and from where are they getting the card account data? How exactly does it work? Where do the millions of fraudulent cash go? Who are they?

digismarket.com DIGISMARKET.COM 607-821-2630




And:

mfbpsite.com MFBPSITE.COM 310-237-6452




are just two out of the current crop of dozens of fraud sites that are all interrelated, and operated by the same crime syndicate in a multi hub and spoke type organization. The websites are just a front, fake sites; they do not sell anything. They are strictly a laundering vehicle used in an elaborate scheme to convert hijacked card data into cash, and shuttle it out of the country. A criminal conspiracy that has been operating successfully for several years.

Every single charge processed through any of these sites is fraudulent. There are no valid orders that originate from there. They are a front, set up exclusively to launder hijacked card data into cash, and facilitate the removal of these funds out of the US.

The current group of ebook sites involved in this card laundering process are controlled by the same crime ring that also operated the infamous fake webtemplate sites known as DEVBILL. The Devbill fraud site group also included ebook sites: "Reqwest" advicebyrequest.com and its sister company "Digital Reading" digital-reading.com are two from circa 08/2006. Also in the mix were mobile phone game download sites such as "moball" hosted as moballtech.com "Generex" generextech.com and "McColgan Cellular Games" mobilegamejuice.com. The crime syndicate's operation was directly tied to the Digitalage scam as many of the fraud charges showed up alongside the "Digital Age" charge in the same billing period, or on subsequent periods, if the card was not cancelled. The Digital Age fraud was directly tied to the infamous "Pluto" card charge scam by a common domain contact address.

The current crop of ebook sites can also be directly connected to this same criminal enterprise. There were several different website iterations of this laundering format over the years; this latest group of ebook scam sites can be assigned to a Version 5.0. Though crucial pieces of how the crime ring operated were accumulated from sifting through reams of data along the way, the case was not cracked until version 4.5 of the template scam was underway in the second half of 2006. Persistent cyber forensic analysis began to pay off in November of 2006, when a website manufacturing location was uncovered. Subsequent monitoring and shadowing of their activities produced an entire group or division of fraud sites in various stages of operation. This was followed in the first few months of 2007 by the penetration of the outer ring of the crime syndicate's operation. For the first time this enabled the core operational procedures to be uncovered. No posting updates were made during this period, because in the past the syndicate monitored the noise levels and adjusted their tactics accordingly.

Credit for contributions for some of this discovery should be shared with two other individuals. However, they requested anonymity, once the full scope and extent of this criminal enterprise was realized, and who may be behind it. It was then clear that this entire multi year operation had to be driven by unfettered access to a continuous stream of card account data. At least one division of the crime syndicate presented itself as being based in Lithuania, however, the laundered cash from the fraudulent credit card billings was tracked going to a bank account in Bulgaria. I will go into greater detail later, first let's address the current crop of card laundering fraud sites:

A sample of some of the other current sites run by this enterprise include:

byersebooks.com Byers Ebooks 201-258-5600




ebsebooks.com AKA Electronic Business Resources 412-927-0410




usefulmart.com usefulmart.com 678-534-2858




bestdigimart.com Bestdigimart 330-871-7932




embintelligence.com embintelligence 404-287-0562




mylibreria.com mylibreria 503-616-3843




smartemarket.com Smartemarket 337-935-0141




There are also recent reports about fraud card charges listed as Crystal Clear Designs, fabri-tex and Vin Designs. Other names surfacing are The Book Cellar Boston, Aslene Reads e-books, and Homebase out of CA. Other names now expired that were associated with these fraud charges were treedonlainsite.com, Brookshire Enterprises brookshire-ent.com, and bestdigimart.com. It took some serious digging to discover who they really are, as these criminals go to considerable lengths to obfuscate themselves. Many of the names they pick will intentionally resemble legitimate entities. In fact the domain for one of the above, embintelligence.com is registered to an unrelated lady in her 60's residing at Saint Clare's Hospital, Franciscan Oaks Assisted Living Unit, in Denville, NJ, not your typical ebook vendor.

There are many more in various stages of operation, each processing thousands of fraudulent charges a month.

These sites are not set up to generate any internet business, in fact, the items for sale can be routinely obtained for free. They are just one ingredient in an elaborate credit card fraud laundering process. The sites are an essential component in order to deceive multiple banks, and pass a routine vetting process for a card merchant account. Authorize.net appears to be the predominant card processor used by this criminal enterprise.

One obvious sign that they are not intended as sites that random buyers could come across to make purchases from, is that many of them are hidden from the internet. They, as intended, cannot be found using any search criteria. Several of the current sites are configured to block any search engine access using a robots.txt file configured as:

User-agent: *
Disallow: /

Examples:




This crime syndicate clearly has unfettered and continuous access to volumes of consumers' card account data at the highest levels. They had access to this data 2 years ago, last year, this year, and they have access to fresh data today. This criminal enterprise has built a sophisticated process that has enabled them to retrieve at least 1,500,000 card data accounts annually, and remove an estimated $15,000,000 a year in laundered card fraud proceeds out of the country. However, the actual amount could be any multiple of that. If they have not laundered a charge through your card already, it is only because they did not retrieve that account data yet. Your card's prior history appears to have no relevance with respect to the odds of getting hit with these specific fraud charges. Also not relevant is the card issuing bank, the charges occur across a broad spectrum of card issuers. Neither is the fact that it is a debit (check card) or credit card, both are billed as CNP transactions, however, they do not have access to the debit PIN numbers. Though primarily a Visa / Mastercharge phenomenon, it also hits Amex and other card holders.

The current focus on Equifax as a potential source of a leak by the latest crop of victims posting on Chris Jopin's blog and also discussed in Brian Sullivan's Red Tape chronicles article, is a recurring anomaly with this criminal enterprise's fraud operation. Victims of this fraud tend to look for a prior common transaction which they believe may point to the source of how their account data was compromised. That focus is understandable, however, the long term history of this crime syndicate indicates that the data is not coming from any recent online transaction that the consumer made with their card. After sifting through years of reports the totality of the data points to a significant leak higher up the database chain.

If you were to examine the entire range of victims over a longer time period, you would find that there are many more who do not have any prior charging history in common. During the past few years consumer posting of fraudulent charges that can be tracked to this crime syndicate have reached critical mass at various times. The consensus during these peaks has pointed at one time to Amazon as being the common link, at another time it was PayPal, then various other vendors. The normal instinct is to look at where you last used the card online as a potential source of the leak. That kind of analysis and conclusion actually works in the crime syndicate's favor, because it focuses attention to a common vendor, and away from database storage higher up the chain.

Over the long term, the following anomalies emerge:

• Card holders who have only used their cards at brick and mortar establishments, and have never used their card online, end up with a fraud charge from the syndicate. That is significant, in that the only data captured in card present B&M transactions are the card swipe data. That data only includes the cardholder's first & last name, the card number, and the expiration date. I have verified that when this crime syndicate charges your card, they not only submit your card number, name, and exp date, but also your full correct address and the 3 digit CVV2 number. Where is that complete data stored if you never made an online purchase with the card?

• Consumers have been hit with the crime syndicate's charge on two cards, either in the same month or in consecutive periods. The two cards were issued by different institutions and both were never used at the same vendor, nor online.

• A consumer reported that shortly after receiving his new card he locked it up in a drawer, and never used it anywhere. Several months later the first ever charge to the card was from the syndicate.

This type of report has occurred repeatedly over the years for this operation:
(Emphasis added)

quote:
Mon, Aug 20, 2007 10:16 pm

I got one of my credit card bills in the mail and noticed a strange charge.

BROOKSHIRE-ENT.COM 2054190624 AL $5.00

Mind you, I haven’t made a charge on this card for maybe two years. I stopped using this card regularly after I accrued a pretty big balance and for the past few years, I’ve only been making payments to it. Heck, I don’t even keep this card in my wallet. It stays locked up in an undisclosed location that is too inconvenient for me to access. So getting a new charge on this card is pretty strange.

I immediately called my credit card company to dispute the charges. I explained a little more to them and they closed my account and will process for me a new account, number and card.

And:

September 3rd, 2007 at 3:15 pm |
Same problem here. This is quite a scam. $15 here. Same company. Inactive but valid Visa. ....................

Source= »slantyeyed.com/wp/?p=905

The current group of sites (Version 5.0) differ from the previous template group in that they are all differently designed webpages. That may be the result of a combination of publicity and also possibly blacklisting by the merchant account provider Authorize.net. Examples of the Ver 4.0 template sites can be found here. The later group of the template sites from late 2006 thru mid year 2007 (Ver 4.5) were never published before as that was during the "shadowing" period when much of the operational tactics were being infiltrated.

Below is a list of the names and domains that were retrieved from the production assembly line during that time. I have uploaded screen shots of the actual web urls and websites that were taken at the time to a Photobucket album. This group was labeled as Version 4.5 since the format was a different design than the 4.0 group, note each name in the blue upper right box and the matching url. In fact, the connection between them can be seen as the morphing was caught in the act. A version 4.0 site "Alta Vista Web Designs" reported multiple times for fraudulent charges was caught on the same IP as the new ones, in the process of being relabeled as "ultrahorizonwebdesign.com".

It was from this group or "division" that the laundered proceeds were tracked moving out of US Banks to the Bank in Bulgaria.



DOMAIN CONTACT NUMBER BUSINESS NAME

universal-webdesigns.com +1-(303)-495-3608 Universal WebDesigns, LLC
tws-templates.com +1-(210)-587-7370 Total Webdesign Solutions, LLC.
ptds-templates.com +1-(201)-535-8843 Pov technology design solutions, LLC
pps-templates.com +1-(775)-548-9423 PPS,Inc
lts-templates.com +1-(612)-216-4166 Littlefork Technology Solutions, Inc
kato-technologies.com +1-(313)-281-8090 K.A.T.O. Technology, LLC
icon-concepts.com +1-(386)-951-4388 Icon Design Concepts Inc
gvc-technologies.com +1-(516)-596-8594 GVC Tech Designs, Inc.
fdwc-technologies.com +1-(859)-401-0648 Design Web-Solution,LLC
web-designs-4-u.com +1-(706)-243-4850 Webdesigns4U, LLC
allstar-webtemplates.com +1-(303)-484-6926 All Star Web Designs, LLC
AEP-TEMPLATES.COM +1-(281)-962-4281 AEP WebDesign Solutions, LLC
ere-webdesignsolution.com +1-(207)-669-8257 ERE WebDesign Solution L.L.C
wilson-templates.com +1-(636)-234-0932 Wilson Technologies, LLC
pwd-templates.com +1-(609)-858-5284 Phoenix Web Design LLC
bfm-websolutions.com +1-(608)-531-1939 BFM Web Solutions, LLC
cmc-templates.com +1-(636)-234-0975 CMC Webdesign, LLC
ficas-templates.com +1-(262)-997-9372 FICAS, Inc
kaizer-templates.com +1-(321)-283-4399 Kaizer Services, LLC
ultratech-webdesigns.com +1-(303)-325-3807 ULTRATECH WEB DESIGNS
kamk-templates.com +1-(313)-281-1325 K.A.M.K. Technology, LLC
mgn-templates.com +1-(214)-594-5853 MGN Enterprises, LLC
hoskins-technologies.com +1-(859)-400-0794 Hoskins, corp
webfirstclass.com +1-(202)-640-2764 WEB FIRST CLASS LLC
floridadesign-solutions.com +1-(941)-876-6863 Southwest Florida Web Solutions, LLC.
westernlogos.com +1-(229)-351-4237 Western Logos, LLC
ur-solutions.com +1-(207)-457-5279 RSP Web Design Solution LLC


.

Though the ebooks sites operated as a division and in parallel to the template sites as far back as late 2006, they multiplied during the first half of 2007. By the middle of 2007 they became the predominant sites, just as the template operation appeared to be phasing out. The current crop of ebook (et al.) sites operate identically to the prior version, down to a common beneficiary.

There are 3 core components to this crime syndicate's operation.

The first ingredient is direct access to a constant supply of card account data. I cannot identify where the long term data is coming from, though access is ongoing because fresh cards are routinely hit. I can confirm that this criminal enterprise does have the following data on the victims that charges are processed against. In addition to the card number they have the victim's full name and complete address, the card expiration date and the CVV2 security code.

The second component is the ability to set up a web hosting site combined with a merchant billing account to process the card charges and launder them into cash. Though the criminals are adept at successfully passing a vetting process to obtain a merchant account, there is an obvious weakness in the entire process.

The third and crucial component is the ability to set up US bank accounts to receive the funds from the fraudulent charges. This crime syndicate actually has two bank accounts set up for each domain. One to receive the initial funds from the processor, and a second account that the money is then transferred into, to protect it from being reversed. The latter account is from where the laundered funds are then wired out of the US in increments below the threshold for any oversight. That set up has been repeatedly documented in the template sites (Ver 4.5), and the identical modus operandi has now been confirmed in use with these ebook site set ups.

To defeat current banking regulations and remain anonymous the syndicate recruits US victims as mules who are hired as unwitting partners in the fraudulent scheme. The process of recruiting and maintaining these cyber mules is a division unto itself of this criminal enterprise. That complex process was also documented in the previous version and is expected to be no different in this version. Be advised that this is not your typical bogus check cashing or carded goods re-routing job, that should send alarm bells ringing in even the most naive individual. There is an indoctrination process that begins at the moment of contact and persists throughout the process. The syndicate actively recruits from multiple venues, including contacting individuals that have resumes listed on Monster and other job seeking sites. It may take an initial interest and response from over 200 people in order to end up with one fully indoctrinated and participating cyber mule. I have spoken with several and the process is effective, none had any idea what they were involved in, especially during the early stages.

I assume by design, all of these cyber mules had little prior knowledge of how an internet business or merchant billing account operates. They are recruited as US partners for a foreign company, and are instructed to set up a Limited Liability Corporation (LLC) naming themselves as the registered agent. They are also instructed to obtain a federal tax id number in the business name. Using that LLC documentation they are then instructed to set up the two US corporate bank accounts. The bank accounts must have online access so the syndicate can remotely access and monitor the incoming fund transfers. However, the wiring of funds back to the syndicate is done by the cyber mules. The syndicate is thoroughly versed in the procedures of how to set up US corporations, and they also appear to have intimate knowledge of the US banking system. They provide detailed instructions for the cyber mules to follow. The brainwashing is so thorough that they even have the mules make a purchase from the site with their own credit card as a test, and then later issue them a credit for the charge. The cyber mules receive compensation in the amount of 10% of the monthly proceeds after expenses. They are reimbursed for the LLC set up cost from the first fraud card run.

While trying to identify who the cyber mules were for the current Ebook sites it became apparent that the obfuscation process had reached new levels with this version 5.0. Remember that this syndicate makes hiding information at every stage an integral part of the process. Some of the websites are difficult to find due to search engine blocking, at least until there are several internet reports of fraudulent charges. In many cases the business name is a craftily altered derivative of the domain name used, making it difficult for one to easily lead to the other. Charges may show up billed under the business name which may not be the exact lettering of the domain name. They intentionally balance the obfuscation, close enough that it does not raise suspicion at the merchant account vetting process during set up, but as difficult as possible to match after the fact when the fraud is under way. See the layout of names on the 4.5 list above. Also some of the latest reports of fraud charges under such names as "Crystal Clear Designs", "The Book Cellar" and "Vin Designs" which are too generic to dig into without additional data.

That is why it is important for anyone reporting these small fraudulent charges to list the complete line data that appears on their card statement including any listed phone number, even a partial one.

Also, it is vital that you report these immediately as fraudulent charges to your bank. DO NOT call and "dispute" the charge. Disputing a charge is a process reserved for billing received from a legitimate entity, that you did not make. The dispute process helps the criminals sustain the operation for that domain, because the bank sends them a notice of dispute which (A) takes time, and (B) allows the criminals to issue you a credit and save the cost of a charge back fee, usually around $25.

It is also vital that you cancel and replace the card. These criminals have your complete card data. They will continue to make charges to the card. Cancelling and replacing it is your only option.

By now they have many years of experience and have perfected the process. The syndicate's goal is to run high volume small charges spread across many bank card issuers, using multiple merchant accounts. They hope to maximize the amount of victims who either do not notice it, or do not bother because of the amount. Once a victim is prepared to contest it, then the syndicate wants to issue you a credit and save the charge back fee. They have a prepared script to deflect the attention away from them by saying that someone must have used your card on our site so we will issue you a credit. They will even go so far as to make up an email address that was used for the purchase. They may even tell you that you should report your card as stolen. Of course when was the last time a thief stole a credit card number and decided to maximize its potential by downloading a $10 ebook? In the past the syndicate had the mules respond to the telephone messages, but in the current version they route the calls and voice mails to Eastern Europe and respond directly. Bypassing the mules extends the longevity of each LLC because they are shielded from the volume of charge backs that grows larger each month. The criminals are also using some of the same service providers for the listed phone numbers as was used in previous versions.

So who are the conned US based cyber mules for the current ebook sites? I began the process of trying to track them down two weeks ago. I know how to find them based on the crime syndicate's known modus operandi, however actually making contact with them has been tedious and difficult at best.

Here is the data so far:
.

digismarket.com »www.google.com/search?hl=en&q=DI···G=Search

Though the domain is registered to a Johanna Ray with an address in Selden, NY:

Domain name: digismarket.com

Registrant Contact:
digismarket.com
JOHANNA RAY (johanna.market@gmail.com)
+1.6813466445
Fax: +1.5555555555
16 Hudson ST
Selden, NY 11723
US

The crime syndicate's cyber mule will be the individual who registered the LLC,

in the case of Digismarket it is conveniently to "no name" at:




That address data cross references to a Steven Bailey:

Steven Bailey
6 Franklin Pl, Apt 2
Farmingdale, NY 11735-2636
Listing Details
Job title: Owner
Company: Digismarket Com LLC

So far I have not been able to locate a listed phone number for Mr Bailey or found a way to contact him.
.

.
mfbpsite.com »www.google.com/search?hl=en&q=mf···e+Search

That domain is registered as follows:

Domain name: mfbpsite.com

IP Address: 208.109.225.236

Registrant Contact:
mfbp
Eleanor Scott (SuppEleanor@gmail.com)
+1.3104103189
Fax: +1.5555555555
20411 Campaign Dr
Carson, CA 90746
US

A California corporation that matches that name appears to be registered to a Christopher Thom




2440 N FREMONT appears to be a multiple tenant business location. A public records search yields this:

Christopher Ins Thom
2440 Fremont St
Monterey, CA 93940
.

.
byersebooks.com »209.85.207.104/search?q=cache:-a···=3&gl=us

The domain data is:

Registered through: GoDaddy.com, Inc.
Domain Name: BYERSEBOOKS.COM
Created on: 11-Dec-06
Expires on: 12-Dec-07
Last Updated on:

Administrative Contact:
Kimeklis, Russell russellkimeklis@yahoo.com
162 Airmount Road
Mahwah, New Jersey 07430
United States
(309) 419-3042

However the corporation is registered as follows:

quote:
BYERSEBOOKS INCORPORATED 0400153571 DP

STATE OF NEW JERSEY

BUSINESS REGISTRATION CERTIFICATE

Taxpayer Name: BYERSEBOOKS INCORPORATED

Trade Name:

Address: 1303 FAULKNER COURT
MAHWAH, NJ 07430

Certificate Number: 1285919

Effective Date: November 14, 2006

Date of Issuance: November 28, 2007


The website lists the same address:




There is no public record of the Russell Kimeklis at the domain address in Mahwah, NJ, nor anywhere in New Jersey or surrounding states. The corp address does have the following name listed:

Jane Byers
Listing Details
Job title: Owner
Company: Byersebooks Inc

Calls to the published number listed for that address have not been returned.
.

.
ebsebooks.com AKA Electronic Business Resources »www.google.com/search?hl=en&q=eb···esources

The domain registration data lists:

Domain name: ebsebooks.com

Administrative Contact:
-
Richard Stewart (ebsebooks@yahoo.com)
+1.3094077237
Fax: -
910 Freeport Road
Pittsburgh, PA 15238
US

Creation date: 30 May 2006

The Pennsylvania corporation stats for ebsebooks are:




There is no registered agent listed, however, a check of the actual documents on file at DOC in Harrisburg, PA., show that the agent for tax process service, is an individual named TERRA MILBOURNE. There are no public listings for that named individual at the 34 Grant Ave address. Though the city is listed as Pitsburgh PA 15202. That zip code is commonly used as Bellevue, PA 15202. Several searches turn up other possible addresses and numbers for that named individual, including a listing at a commercial business located nearby.
.

.
Bestdigimart.com »www.google.com/search?hl=en&q=BE···G=Search

The domain reg has:

BESTDIGIMART.COM

Registrant Contact:

HARRIS HINES (HARRIS.HINES@gmail.com)
+1.3308717932
Fax: +1.5555555555
7644 Market St ,
Youngstown, Oh 44615 US

Creation date: 12 Feb 200

The Ohio corporate filing for the LLC is about as sparse as it can get. No place of business, and the registered agent is a commercial rental agent, Mark Schiff, a figurehead. A public records check for the domain registrant turns up no entries for a Harris Hines in the State of Ohio.

quote:
Business Name Charter

BESTDIGIMART.COM LLC

Registration Number
1671920

Original Filing Date
Jan 10 2007

Type
Domestic Limited Liability Company

Active
Jan 10 2007 Active

Agent Name:

Business Filings Incorporated
Mark Schiff

»www2.sos.state.oh.us/pls/portal/···=1671920

and:

»www2.sos.state.oh.us/reports/rws···01600178

This one needs additional digging in order to come up with whoever is really behind the LLC. Mr. Schiff would be recognized as the legal agent for the company, though he plays no active role in it.
.

.
mylibreria.com

Domain info:

Domain name: mylibreria.com »www.google.com/search?hl=en&q=my···e+Search

Registrant Contact:
MYLIBRERIA.COM
JEFFEREY PENN (PJEFFEREY@GMAIL.COM)
+1.5036163843
Fax: +1.5555555555
10940 N.W. Supreme Court
Portland, OR 97229
US

Creation date: 11 Apr 2007




There is no number listing for a Krishna at that address. However there is one for a Varalakshmi & Sudha R Yaramala.

Have not been successful at making contact
.

.
smartemarket.com »www.google.com/search?hl=en&q=sm···G=Search

Domain registration appears to be cloaked:

Domain name: smartemarket.com

Registrant Contact:
WhoisGuard
WhoisGuard Protected (ec41e85caca04d158220ea920720f5f2.protect@whoisguard.com)
+1.6613102107
Fax: +1.6613102107
8939 S. Sepulveda Blvd
8939 S. Sepulveda Blvd
Westchester, CA 90045
US
Creation date: 15 Jan 2007

Though the phone number on the website has a Louisiana area code, a search of the LA. corporations does not yield a match for that business name. There is a Smartemarket Inc: »www400.sos.louisiana.gov/cgibin?···4456640D though it has been around for a long time. This is still a work in progress.
.

.
embintelligence.com »www.google.com/search?hl=en&q=em···e+Search

The domain is registered to:

Domain name: embintelligence.com

Registrant Contact:
EMBINTELLIGENCE.COM
Barbara Frye (frye74@gmail.com)
+1.9735866072
Fax: +1.5555555555
19 Pocono Rd
Denville, NJ 07834
US
Creation date: 02 Aug 2007

That is the address of

The Georgia Division of corporations shows:




I contacted Mr. Benkowitz last week, and spent some time explaining the situation to him. I asked him up front not to mention our conversation to the people that he was dealing with outside the US. Rather, he should take a day or two and go over the details that I provided him with, independently confirm them, and he should come to the same conclusion. His circumstances were identical to the known modus operandi. The set up matched exactly to previous cybermules from the 4.5 template version. There were two bank accounts, one to receive the merchant payments and a secondary account that the money was then transferred to, in preparation for wiring out the fraudulent funds from the US. The purpose of the second account by the way, is to allow the funds to be immediately removed from the incoming merchant account, and prevent any subsequent reversal by the processor. He confirmed that the syndicate had remote access to the bank account. Mr. Benkowitz had no access to the web site controls, he never received nor saw any detail level transaction report, only the summary reports of the billing.

I provided predictable detail of the function he performed and reviewed it with him. He never met nor spoke to the people he "partnered" for, all communication was via email. He said he did have a number for them, but that was essentially a virtual fax number where he sent charge credit back forms, whenever victims managed to track him down about their charges. I told him that if he looks over his situation, he will see that he has no clue what goes on behind the scene. His essential and primary function is to wire 90% of the funds on a regular basis from a bank account here to a foreign country for which he is paid the remaining 10%. Again to people he never met and does not really know who they are. I told him that not only did the website not have any measurable incoming traffic, neither was there any recorded outbound email traffic from the embintelligence.com domain. On a legit site one would expect the ratio of visits to purchases at maybe 20 to 1, and each purchase would be due a confirmation outbound email.

I mentioned the name of the previous beneficiary used on the ver 4.5 Bulgarian transfers "inowest" and asked him if it sounded familiar. He said it sounded like who he was sending the money to. I asked if it was going to Bulgaria, he said no, Kurdistan. I said Kurdistan and not Kazakhstan? He said he believed it was Kurdistan.

I asked him how he was recruited. He said he was only involved with it for a few months, and that it was his brother-in-law who enrolled him as he had a corp for some time also. He did not give me his brother-in-law's name, nor the domain that he was using. Mr. Benkowitz said that he would go visit his partner in the next day or two and call me from his house so I could go over the same details with him. I said fine give me a call. The next day I did receive an email reply confirming that the merchant processor they were using was Authorize.net. I never heard from Mr. Benkowitz again, he did not answer, nor return a follow up phone call or reply to a subsequent email.

Yesterday I decided to track down who the brother in law may be, it was not difficult:
.

.
usefulmart.com »www.google.com/search?hl=en&q=us···G=Search

Domain name: usefulmart.com

Registrant Contact:
UsefulMart.com LLC
Kevin Kirk (burningmike@gmail.com)
+1.5094639854
Fax: +1.5555555555
1024 Coral Club Drive
Coral Springs, Florida 33071
US
Creation date: 29 Nov 2006

Nobody by that name at that address.

A check of the Georgia public corporation records produced this:




Over a year old and still kicking, impressive !!

I went ahead and called Mr. Hoffman yesterday, I said that I had spoken to his brother-in-law last week and I was wondering if he had discussed the conversation with him. He said yes he had, and he said "I am angry at him for giving you my name and number". I said that he did not give it to me, I found it on my own. Mr. Hoffman had a nasty attitude, and said that he did not want to have any conversation with me about this issue, he did not want to discuss anything, goodbye !! and he hung up.

I am really disappointed, while it is easy to see from watching this criminal enterprise in operation, how people could get indoctrinated into the scheme. It is disturbing that once the situation is clearly laid out for them, and they examine what role they are actually performing, and the circumstances, that it is at least highly suspicious. There are no legitimate business models where this scenario exists. I have a lot of sympathy for the ensnared cyber mules, they are also victims of this ruthless criminal enterprise. However the millions of dollars a year that they unwittingly launder out of the US and into this crime syndicate's hands are not going to feed hungry children in orphanages. Freezing all funds at the moment of awareness, is a prerequisite to remaining an innocent participant.

Before moving on to some of the previous methods used for recruiting cybermules, let's address where the fraudulent funds were actually going outside the US to, during that phase.

The specific routing data was:

Beneficiary's Bank Name: EUROBANK PLC
Beneficiary's Bank SWIFT code: EUBKBGSF
Beneficiary's Bank Address: 43 Cherni Vrah Blvd., 1407 Sofia, Bulgaria
Beneficiary Account: BG96PIRB91701745144579
Beneficiary Name: Inowest Enterprises Inc

EUROBANK PLC is an original Bulgarian Bank that was bought out by the Greek bank Piraeus Bank in January 2005.

Not much data is available about the beneficiary "Inowest Enterprises Inc". It appears from one posting on a PrOn webmasters site someone described them as a company that sends out wires on behalf of others. Not surprised, Bulgaria has a long tradition as a money laundering center. This was only one of many stops in the process before it reached its final location. I believe that the core of this crime syndicate is located somewhere in Russia, and ultimately that may be where the money ends up.

The cyber mule recruiting division of this enterprise involved several processes. As mentioned prior it included the syndicate directly contacting people who posted their resumes on job sites. They also placed ads in multiple locations. During the shadowing of the last template phase sites an actual recruiting website was uncovered. This website was specific to the template group and was assumed to be one of many that were in operation. The site operated as P.O.V Webdesign Solutions, Inc., with a domain of pov-webdesignsolutions.com. The name closely resembled one of the actual template sites ptds-templates.com which was labeled Pov technology design solutions LLC. However there was never any direct reference between the recruiting site and the actual template domains.

A set of inventory screen shots of the site and its recruitment pages was taken in April 2007, not long before they disappeared.




Listed on the main page is their "location" given as:

P.O.V. Webdesign Solutions, Inc.,
Laisves pr. 12
LT-04215
Vilnius, Lithuania




The designated contact was listed as Tomas Lasinkas, who in fact was the name the version 4.5 template cyber mules communicated with, regardless of where or how they were recruited. In addition the "president" of POV is listed as Povilas Baranauskas.

The balance





Interesting, apparently some potential cybermules and newbie converts found each other HERE

Again, the goal is to run high volumes of cards against small amounts multiplied, times numerous simultaneous sites. If the victim catches it give them a fake email address that used it. Quickly give them a credit to prevent a $25 charge back fee, and to prevent triggering a high charge back alert with the merchant account. Tell the victim someone must have used the card on the site. Suggest it even may have been stolen to divert attention away from the operation. Keep the cyber mule out of the loop, maximize the return and longevity for each operating domain.

Viewed at the lowest common denominator it is a handful of victims complaining about a trivial charge on their card from one little website. That is not going to trigger any bank investigation, it is spread among many. It also is way below the threshold to trigger any Federal snooping around. Even if a site goes down the rest of the hub are preserved, they do not appear related. If a division goes down, the other divisions still function. Everything hums unless someone grasps the big picture and identifies it as a multi million dollar operation. Add the costs of replacing the cards and we have an annual loss barking at $70 million. But who knows how big it really is.

Most certainly this structure was built around the fact that the syndicate has direct access to this card account data, and volumes of it. The operation is vertical, they are not buying data from carding forums.

While the location and method of the card access is a priority to discover, notable mention of the clear weakness in the merchant account vetting process must not be ignored. There are numerous symptoms indicating that these sites are not legit even before the charge back ratio grows to trigger levels. No traffic, no outbound mail, robots disallow. Card data detail entry reports that would show that the data is batched, and is not coming randomly from assorted IPs as a typical site would have. It is not that it cannot happen every now and then, but for a multi year criminal syndicate to operate well over 100+ domains with impunity, over and over, and not trigger any alert. Would it be so rewarding to criminals if Authorize.net and others did not front the money right away and instead held two months in reserve for new sites, that would enable the charges to cycle. Clearly some changes need to be made, much of this fraud has become acceptable and is tolerated as part of the given percentage that is written off annually.

MGD

MGD
Premium,MVM
join:2002-07-31
kudos:9

3 edits

4 recommendations

I just ran some new searches after completing the above, and found a news article that I had previously missed. This July 07 notice from the Michigan Attorney General may be a partial reason for the ver 4.5 template sites phasing out and the full blast of ebook sightings. A cyber mule was arrested and charged:

quote:
Office of the Attorney General:

Cox Charges Woman with ID Theft

Agency: Attorney General

July 19, 2007

LANSING -- Attorney General Mike Cox today announced that he has charged Krystal Owens of Detroit with three-counts of identity theft and one-count of conspiring to commit identity theft.

"Identity theft is a devastating crime to its victims," said Cox. "My office will continue to be vigilant in defending Michigan's citizens from having their identities stolen."

Since January 2007, the Michigan Attorney General's Office has received more than 130 complaints from consumers across the country indicating that K.A.T.O. Technology, LLC, also known as K.A.M.K. Technology, LLC, had charged $12.95 against their credit card without their permission. The Attorney General's investigation found that in the summer of 2006, the defendant Krystal Owens conspired with Tomas Lasinkas of POV Web Design Solutions to set up bogus corporations, banking accounts, and other arrangements thereby enabling Lasinkas to make unauthorized charges against consumers credit card accounts using the bogus company names K.A.T.O. Technology, LCC and K.A.M.K. Technology, LLC. From September 2006 to March 2006, Lasinkas made 75 to 100 unauthorized charges, at $12.95 each, on a daily basis, and Owens wired the illegal proceeds to Lasinkas' bank accounts in Bulgaria on a regular basis. Lasinkas and Owens accumulated approximately $200,000 by way of this fraudulent activity during a six month period.

A criminal charge is merely an accusation, and the defendant is presumed innocent until and unless proven guilty. The penalty for identity theft is up to 5 years in prison and/or a fine up to $10,000.


Source: »www.michigan.gov/ag/0,1607,7-164···,00.html

That seems really severe, I do not believe based on my experience of the syndicate, that it was possible for Krystal Owens to "conspire", that would require knowledge and intent.

It appears that a subsequent article in the Detroit Free Press investigated and picked up on that angle:

quote:
................. Krystal Owens, 40, of Detroit was arraigned Thursday on three counts of identity theft and one count of conspiring to commit identity theft for allegedly bilking people out of at least $200,000, Cox said. If convicted, she faces up to five years in prison for each count of identity theft and/or a fine of up to $10,000.

But a Free Press review conducted late Thursday and early today of the particulars of the case raises questions about whether Owens was a willing or unwitting participant in a potential online version of a get-rich-quick scheme. The attorney general's office was not available for comment on this issue early this morning.

Owens was charged after more than 130 people nationwide filed complaints since January with the Michigan Attorney General's Office that their credit cards were billed $12.95 without their permission by K.A.T.O. Technology, LLC, or K.A.M.K. Technology, LLC. ........

Source: »www.redorbit.com/news/technology···dex.html

From my November 2006 archive of the website "factory"


kato-technologies.com +1-(313)-281-8090 K.A.T.O. Technology, LLC
kamk-templates.com +1-(313)-281-1325 K.A.M.K. Technology, LLC



KATO


I wonder if they are aware of the full scope of the operation, and that other than a momentary blip it is still running.

Strange in that I cannot find any subsequent activity of this July case.

This may explain why the funds, though still assigned to the same named beneficiary: Inowest Enterprises Inc., may now be going to another country instead of Bulgaria. I would like to get confirmation from another cybermule that they are in fact going to Kurdistan. Of course either place is probably one of many stops and conversions that take place on the way to a final destination.

I don't for a moment believe that there is or ever was a "Tomas Lasinkas" and "Povilas Baranauskas" it don't get any more "Lithuanian" sounding than that. Plus hang up a large shingle saying "here is our address, this is where we are at" and you can bet that it is the last place on earth that the real criminals are going to be at. Nor do I think that there was an executive from the crime syndicate waiting at the Bulgarian bank for the weekly wire transfers to come in.

By the way several subtle attempts to get "Lasinkas" out in the open failed. Even when his accounts were blocked and his money was at stake, he still wouldn't crawl out of his shell.

Here is his voice circa Feb. 2007. Bad quality because he was using Skype, ID was +1(000)012-3456

downloadTomas_Lasinkas_3.wav 1445208 bytes


MGD


Rocky67
Pencil Neck Geek
Premium
join:2005-01-13
Orange, CA

Re: Ebook websites, fraud charges, Dev bill/DigitalAge/Pluto

MGD, your work is astonishing. The cyber community owes you a vote of thanks.
--
"Just because I don't care doesn't mean I don't understand." - Homer

garys_2k
Premium
join:2004-05-07
Farmington, MI
Reviews:
·Callcentric
·callwithus
reply to MGD

Re: Ebook websites, fraud charges, Devbill/DigitalAge/Pluto

Amazing! That is some of the most incredible work I've seen.

Regarding this enterprise, they must have some extensive resources. None of the obvious English language gaffs, that endless supply of fresh card data, a deep understanding of the U.S. banking and finance system. No lads sitting in sweaty Nigerian Internet cafes, these.

I can only imagine that the card data is an inside source at one of the central clearinghouses. Finding THAT source should be a top Federal priority.

MGD
Premium,MVM
join:2002-07-31
kudos:9
reply to Rocky67

Re: Ebook websites, fraud charges, Dev bill/DigitalAge/Pluto


Thank You Rocky67, appreciated.

MGD
Premium,MVM
join:2002-07-31
kudos:9

1 edit
reply to garys_2k

Re: Ebook websites, fraud charges, Devbill/DigitalAge/Pluto

said by garys_2k:

Amazing! That is some of the most incredible work I've seen.

Regarding this enterprise, they must have some extensive resources. None of the obvious English language gaffs, that endless supply of fresh card data, a deep understanding of the U.S. banking and finance system. No lads sitting in sweaty Nigerian Internet cafes, these..........
Thanks,

Yes indeed, this is not your typical scam operation at all. The sophistication, expertise, and sheer enormity of this crime syndicate's operation has yet to be realized, or receive the deserved publicity. They have intricate knowledge of not only the banking system, but also down to the level of knowing the precise chargeback exception triggering ratios of the online merchant processing system.

Again, it is vital that the victims report the charges as fraudulent, then cancel and replace their cards. You play into the crime syndicate's hands by allowing them to issue a credit for the charge. That is what they want to do once they know you have caught it, and will dispute the charge. Victims should also file a complaint online with the Internet Crime Complaint Center (IC3).

By issuing credits or reversals to the percentage of victims that discover and pursue the fraudulent charge, that will help maintain a chargeback ratio below the merchant processor's flag threshold. They have managed to sustain some individual accounts for well over a year by doing this.

In addition, they get to deflect attention away from their operation, by making it appear, however unbelievable, that a team of criminals are trying to scam the websites using hijacked card data to buy useless ebooks, webtemplates, or cellphone games. When in fact the syndicate is just harvesting cash by ploughing card data in batch entries through their scores of fake sites.

said by garys_2k:

I can only imagine that the card data is an inside source at one of the central clearinghouses. Finding THAT source should be a top Federal priority.
.
Yes, this most definitely needs Federal priority, and immediate urgency from both the Secret Service and the FBI. The sheer volume of data that the syndicate has access to, indicates that there is a compromised hole large enough to drive a truck through it.

I have given considerable thought as to where and how they are getting the data from. Infiltration by a human mole remains a distinct possibility. I do believe though that the core of the criminal enterprise operates from Russia, or maybe the Ukraine, and there is some anecdotal evidence to support that.

Two years ago at the peak of the Digital Age card fraud, there was much speculation that the CardSystems Solutions Inc. leak may have been a prime source of data at the time. However, many of the reports, if correct, stated that though consumer's name, card number and CVV2 were taken, the victims address was not in the files. Since we know that this syndicate is entering address data, then that would tend to preclude that possibility.

There was one component of the Card Systems data theft that could very well be the same vehicle in use now, and should also be considered a primary suspect. According to an About.com article in October of 2005 that addressed the potential Card Systems & Digital Age connection, there was a quote from Congressional testimony provided by John Perry, President and CEO of Card Systems Solutions with respect to how the data was compromised:

quote:
......"the theft was carried out through the use of a malicious script planted on their system through an Internet-facing application. The malware was programmed to run every 4 days, at which time it sought out a specific file type and extracted credit card holder's names, account numbers, expiration dates and CVV codes. The extracted information was zipped and forwarded to an FTP site where it was presumably retrieved by the attackers".

There is no reason not to believe that a similar malware could exist in another penetrated card account database. Similar malware could have infiltrated databases further up the chain, and still be functioning today.

There are still groups of victims on diverse internet forums comparing unique online vendors that they all have a recent purchase with. They point to that common link as the source and location of where their card data was compromised at. Some say Equifax, others are pointing to Digital River, and some to PayPal.

However, there is some degree of certainty that this data is not coming from any recent internet transactional event, for several reasons.

Sampling of the entire operation routinely turns up victim's cards that were never ever used in online card not present (CNP) transactions. If you never entered your CVV2 number, who or what database would have it stored ??. Combine that with reported charges to cards that were dormant for extended periods that are then hit with these charges. That indicates that the data is not coming from intercepted recent transactions, but rather a storage database that contains card accounts with both active and dormant card data combined, and no distinguishing flags between them.

Also, routine reports of victims hit on multiple unrelated cards, indicates that the database may group card account data by the card holder account name, regardless of the card issuer. It does appear that the syndicate is unable to differentiate between fresh frequently used cards, and cards with little or no recent activity. If the criminals had access to the card activity, they would surely sort by that data. For an operation that remains low key, and is dependent on maximizing non disputed billing, why would they knowingly even shoot a charge against a card that has been dormant for a year or more. That is as close as one can get to a guaranteed rejection of the charge by the victim. Bill $15, get $15 charged back plus a $25, equals -$25.

So they do not know, otherwise they would screen the dormant ones out. In fact, if they could see the transactional history of the accounts, they would sort and select out all the ones that had 3 page bills every month, and probably at least two users. Those are the accounts that have the highest odds of not catching and rejecting the charge. They could maximize their laundering success ratio by selectively billing accounts where the fraud charge would be buried in a 30 item bill.

There are also routine reports of victims who noticed that their cards were "pinged" 24 hours before the charge hit. If the criminals were intercepting data at the transactional level, between Equifax and the upstream processor for example, there would be no need to ping cards. The data would already be from fresh recently used cards.

Random card pinging has been a common theme going all the way back to the Pluto card scam.

MGD
Edit = fixed bad link


pcdebb
RIP lil hurricane
Premium
join:2000-12-03
Brandon, FL
kudos:5
reply to MGD
i swear, in my lifetime if i ever win the lottery i'm writing you a check, just for the effort you put into this.

MGD
Premium,MVM
join:2002-07-31
kudos:9
said by pcdebb:

.
That is so nice, Thank You

MGD

MGD
Premium,MVM
join:2002-07-31
kudos:9

4 edits

2 recommendations

reply to MGD
I will now address several additional sites that are currently involved in the card fraud operation. We will also take a look back at some that have already burned out.

First let's again look at the structure of this criminal enterprise, so that we can understand how it operates. I will go into some detail on the multiple "hub and spoke" format of the operation.

One step up from the fake sites that are converting and laundering the card data, are the hub sites. A hub site is the command and control for a group of the fake billing sites. The hub site will be visible because it is also the recruiting location for the US based cyber mules. That is where the mules are first recruited to, and from where they get instructions in setting up the (unknown to them) fake business operation. From there they will receive detailed instructions for setting up an LLC, a corporate bank account, and applying for a merchant billing account, all for the fake business site which they have been assigned to. The hub site operates numerous fake business sites and controls the mules.

Here is a diagram of the way I see the operational structure:





There is now further confirmation connecting the Devbill Template sites from 2006 thru early 2007, and the current crop of E-book sites. As stated earlier the laundered funds from the template group were tracked being wired from US bank accounts to a Eurobank account in Bulgaria. Several of the bank accounts associated with the new E-book (et al) sites are now wiring the laundered proceeds to a bank in Bishkek, the capital city of the Republic of Kyrgyzstan, another former Soviet Republic. No coincidence either is the fact that the funds are sent to the attention of Inowest Enterprises, the same beneficiary as the devbill template group wirings. Presumably the move from Bulgaria to Kyrgyzstan may have been partially motivated by the busting of the cyber mule by the Michigan Attorney General. There will be several wire transfer points conveniently located in countries that are difficult to trace money from.

Just as pov-webdesignsolutions.com was the hub / command & control for the 2006-07 web template sites, the equivalent hub / command & control for some of the E-book fraud sites is e-bca.com »www.e-bca.com , »www.e-bca.com/affiliate.php




That is who instructs and communicates with the mules. They also batch process the hijacked card data in to the site billing account. That is also where the contact phone numbers listed on the site will relay to, and where the calls to victims are returned from.

While pov-webdesignsolutions.com pretended to be operating from Vilnius, Lithuania, e-bca.com is pretending to be out of Boden, Sweden.

Atala Designs, Inc 214-594-4188 was also a hub C&C site at one time »ataladesigns.com




However, there are recent reports of fraud charges coming in under the Atala Designs ataladesigns.com name. They may now have switched to dual purpose mode. In May 2007 they hit the radar as clearly being in the mule recruiting business. They were running employment ads on Craigslist and were tested. Here is the May 2007 response to the ad inquiry:

quote:
From: gundarskristop@aol.com [mailto:gundarskristop@aol.com]
Sent: Thursday, May XX, 2007 XX:XX XX (REDACTED)
To: (REDACTED)
Subject: Atala Designs, Inc. from Craigslist

Hello (REDACTED),

Thank you for responding to Atala Designs, Inc's job offer on
craigslist.org. In this letter I will kindly let you into
the details of Atala Designs, Inc position of Manager.

Our Marketing Department has developed a perfect idea to boost sales.
The idea is to have more subsidiaries that would resell our Webstite
Templates. Manager is the person who owns a subsidiary company. Your
owing a subsidiary company is very profitable, it is a
21-century-level business. Anyone can do this, because setting up a
small company of your own is very simple, and provided with
easy-to-follow step-by-step instructions of your personal
Atala Designs, Inc manager it is really a fun ride.

After your company is set up, Atala Designs, Inc will create a
website for you which will resell our templates.

With company and online store you will easily open necessary business
and merchant accounts in a bank.

Final step is launching your store live on the web and taking your
commission from sales.

Let me emphasize extremely advantageous features that are sure to help
you make the right decision and become our partner. They are:

1. No skills and experience in programming and web design are required
from you. Atala Designs, Inc professionals will handle all technical
questions;
2. You will not have to sell or advertise anything. It is our special
marketing department that will be responsible for it;
3. You will not have to process our customers' payments and deal with
customer care issues. Our customer service department will solve
them;
4. As the project is in full swing your only responsibility will be
managing business account (withdraw your commission and transfer
the balance to Atala Designs, Inc).

So, I very much hope that you find our business concept interesting
and if you would like to pursue it further, feel free to email me and
I will get back to you with every little detail of how our cooperation
will develop. Also, I will forward you our Agreement, Instructions and FAQ.

Atala Designs, Inc Agreement - if you would like to work
with us, this agreement contains important information about how you
are going to be paid, security, etc;

Instructions - describes our partnership in detail and instructs
you what to do next;

FAQ - the questions you maybe want to know.

I will be looking forward to your next email.

Please reply to this email: gundars_kristopans@ataladesigns.com

Thank you very much.
Respectfully,
Gundars Kristopans,
Manager of Atala Designs, Inc.

Atala Designs, Inc.
Astras Gunara 8b, 14, Riga,
LV-1082,
Latvia,
Phone/Fax for US: (801) 788-5851
Our web site: ataladesigns.com

.
Take note that Atala is pretending to be located in another Baltic state, Latvia. Since Lithuania has been covered by P.O.V. Solutions, I would expect Estonia to show up listed somewhere shortly.

Atala Designs is clearly a web template C&C hub and along with them come reported fraud charges from a rash of new template sites.

Templates, Version 5.0:

sensatetech.com - 805-275-2235 AKA Sensate Technology, LLC., Innovative Solutions »www.google.com/search?hl=en&q=80···G=Search




ccdtemplates.com - 206-319-8144 AKA Crystal Clear Designs, LLC., Innovative Solutions »www.google.com/search?hl=en&q=20···G=Search




mvwebtemplates.com - 404-474-3440 AKA Most Valuable Web Templates Innovative Solutions »www.google.com/search?hl=en&q=40···G=Search




mcatemplates.com - 623-444-2173 M.C.A.
»www.google.com/search?hl=en&q=62···G=Search




ilicsolutions.com - 312-235-6926 Alen Ilic, Inc




freedomtemplates.com - 954-???-????

[freedomtemplates is AWOL, if someone has a screenshot or details from the site, please contact me]

All are carbon copies of each other. Cards will be hit with charges from multiples of this group. Some charges showing up in tandem with the ebook fraud site mylibreria.com

I will follow up with details on the above group

MGD


GraciousReader

@entechnologies.com
reply to MGD
Thank you for this information! Earlier this week, I found a suspicious charge from embintelligence.com on my credit card I hardly use. I looked up the DNS info, searched on the contact info, and came upon this page.

The registrar address is valid, but it also happens to be an assisted living center in NJ. I called the number at the website (in Georgia) which sounded like a really bad answering machine. This all seemed a bit suspicious at the time, so I didn't leave any info and put out a fraud alert on my credit.

I've printed out the info and will be trying to resolve this later with my bank. Thank you very much!


EW

@sbcglobal.net

1 edit
reply to MGD
MGD, please contact me regarding your Ebook fraud investigation [removed by moderator- Dennis]


salvo

@goodyclancy.com
reply to MGD
My account was recently charged by usefulmart.com and, after one day of internet research, I subsequently canceled the card and disputed the charge.

I wish I had seen this site prior to that, though, otherwise I wouldn't have merely disputed the charge, but would have characterized it as a fraudulent charge.

I have, though (due to the advice on this site) filed a formal complaint with IC3.

It seems as though it shouldn't be too hard for the credit-card transaction authorizers to "globally" reject any charges originating from these families of sites....

Also, I understand the sensitivity to putting up too much information about these criminals thus allowing them to cover their tracks---if an e-mail such as mine hinders the effort to more closely monitor the activities of these rings, then please, Mr./Ms. Moderator, delete it.


Doctor Olds
I Need A Remedy For What's Ailing Me.
Premium,VIP
join:2001-04-19
1970 442 W30
kudos:18
reply to MGD
I'd sure like to see indictments and arrests on the 2 Marietta based Mules (Mr. Benkowitz and Mr. Hoffman) that know they are not running a legitimate web enterprise. Would you report those two to the AJC.com so they can do a story on them from your evidence and get the local authorities involved?
--
What’s the point of owning a supercar if you can’t scare yourself stupid from time to time?

MGD
Premium,MVM
join:2002-07-31
kudos:9

4 edits
said by Doctor Olds:

I'd sure like to see indictments and arrests on the 2 Marietta based Mules (Mr. Benkowitz and Mr. Hoffman) that know they are not running a legitimate web enterprise. Would you report those two to the AJC.com so they can do a story on them from your evidence and get the local authorities involved?
.
I need to update that segment, I did not want to post anything prior to certain events taking place. I did make subsequent contact with the parties and provided them with irrefutable evidence of the fraud, and the fact that they were conned into believing it was a legitimate operation.

I also emphasized at the time that while up to now they were a victim and an unwitting participant, however, once alerted and given specific details of the fraud, then to continue to go forward, could in the future jeopardize the claim of being an unwitting participant.

I can now tell you that the bank accounts have been frozen, and remote access to the accounts blocked. No additional funds will be wired to the drop in Kyrgyzstan. I also requested that all documents, including emails and other evidence be preserved.

It is worth reiterating that all the mules that I have been in contact with have no idea what they have been involved with. The con job is very professional, it even involves completing and submitting a multiple page application. They also must provide copies of their identification, under the guise that they need a security background check. The data that mules end up seeing is very restricted, and intended that way.

The mules that I have located or identified range in age from their early twenties to seventies, and have various backgrounds. Recently many of them have been elderly, but they clearly were not net savvy enough to recognize the subtle signs of the fraud.

MGD

EDIT= There are dozens and dozens of active mules out there, located around the country. Probably way more than 100 all total over the past two years. There will be a cyber mule behind every one of these websites generating the fraud charges.

MGD
Premium,MVM
join:2002-07-31
kudos:9
reply to EW
said by EW :

MGD, please contact me regarding your Ebook fraud investigation [removed by moderator- Dennis]
To the LE agent that posted this, I sent you an email from MGD with my contact information. Please check to make sure that you received it.

(I requested that the moderator redact your contact information when I read it.)

MGD

MGD
Premium,MVM
join:2002-07-31
kudos:9

1 recommendation

reply to MGD
An update regarding the victim card data.

I recently discussed the results of a random sample of the data that this crime syndicate is processing. My original thoughts as to the source may not be accurate.

The sample was small, about 2,000 consecutive entries. The interesting part is that the rejection rate ran about 35% at initial entry time. If this is a representative sample it may be significant in terms of the likely source of the data.

There was no dominant reason for the rejection, it varied. Invalid cvv2 number, card previously reported as lost or stolen, address match failed, etc, etc.

It has been suggested that these criminals may be compiling partial data from multiple sources in order to build a data set sufficient to complete a CNP (card not present) transaction. That scenario has been seen out there in the wild before.

These results certainly suggest that they do not have "pure" data. It also further reinforces that they are not intercepting recent real time vendor transactions. The failure rate for card processing from legitimate entities is in the single digits.

They still must have volumes of data though, even more so if the typical failure rate is 35%. They are also not entering data in batches as was first seen two years ago. The data is entered at random times to mimic a typical online vendor, thereby defeating any batch type triggering event flags.

MGD
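Added example, not part of the original post: one way a processor or issuer could test for the pattern described above, a decline rate far above the single-digit norm with no dominant decline reason, without relying on batch timing. The merchant ids, reason codes, thresholds and sample records are constructed assumptions.

```python
import math
from collections import Counter, defaultdict

# Assumed thresholds for illustration; the thread gives only the two rates
# (about 35% for the sampled data, single digits for legitimate merchants).
SUSPECT_DECLINE_RATE = 0.25   # well above a single-digit baseline
MIN_ATTEMPTS = 50             # skip merchants with too little traffic
MIN_REASON_ENTROPY = 1.0      # bits; no single decline reason dominates


def reason_entropy(reasons):
    """Shannon entropy in bits of a Counter of decline reasons."""
    total = sum(reasons.values())
    if total == 0:
        return 0.0
    return -sum(n / total * math.log2(n / total) for n in reasons.values())


def profile_merchants(records):
    """Aggregate (merchant, outcome, reason) authorization records.

    Timestamps are deliberately not used: the rate and reason mix are the
    same whether attempts arrive in one batch or spread over the day.
    """
    attempts = Counter()
    declines = defaultdict(Counter)
    for merchant, outcome, reason in records:
        attempts[merchant] += 1
        if outcome == "declined":
            declines[merchant][reason or "unspecified"] += 1
    profiles = {}
    for merchant, count in attempts.items():
        declined = sum(declines[merchant].values())
        profiles[merchant] = {
            "attempts": count,
            "decline_rate": declined / count,
            "reason_entropy": reason_entropy(declines[merchant]),
        }
    return profiles


def flag_merchants(profiles):
    """Merchants with a high decline rate spread across several reasons."""
    return sorted(
        m for m, p in profiles.items()
        if p["attempts"] >= MIN_ATTEMPTS
        and p["decline_rate"] >= SUSPECT_DECLINE_RATE
        and p["reason_entropy"] >= MIN_REASON_ENTROPY
    )


def constructed_sample():
    """Constructed records; merchant ids and reason codes are made up."""
    def rows(merchant, approved, declined):
        out = [(merchant, "approved", None)] * approved
        for reason, n in declined.items():
            out += [(merchant, "declined", reason)] * n
        return out
    return (
        rows("M-FRONT", 130, {"cvv2_mismatch": 25, "lost_or_stolen": 23,
                              "avs_mismatch": 22})
        + rows("M-SHOP", 188, {"insufficient_funds": 10, "avs_mismatch": 2})
        + rows("M-OUTAGE", 140, {"issuer_unavailable": 60})
        + rows("M-TINY", 5, {"cvv2_mismatch": 3, "avs_mismatch": 2})
    )


if __name__ == "__main__":
    profiles = profile_merchants(constructed_sample())
    for merchant, p in sorted(profiles.items()):
        print(f"{merchant:9} attempts={p['attempts']:3} "
              f"decline_rate={p['decline_rate']:.2f} "
              f"entropy={p['reason_entropy']:.2f}")
    print("flagged:", flag_merchants(profiles))
```

The entropy condition is what separates the mixed-reason profile from a merchant whose declines all share one cause, such as an issuer outage; the minimum-attempts condition keeps small samples from being flagged.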

MGD
Premium,MVM
join:2002-07-31
kudos:9

1 recommendation

reply to MGD
Need to add one more to the above group of fraud template sites:

valencetemplates.com - 312-265-8407 Valence Internet Technology, LLC




[valencetemplates.com IP 66.152.173.182]

Domain name: valencetemplates.com

Registrant Contact:
VITLLC
Brian Guest (brian_guest01@yahoo.com)
+1.6614518231
Fax: +1.6614518231
1048 N. Marshfield #3R
Chicago, IL 60622
US

Name Servers:
ns1.hostdone.com
ns2.hostdone.com

Creation date: 10 Oct 2007 17:51:17
Expiration date: 10 Oct 2008 17:51:17

Entity Name VALENCE INTERNET TECHNOLOGY SOLUTIONS, INC.
File Number 65757419
Status GOODSTANDING
Entity Type CORPORATION Type of Corp DOMESTIC BCA
Incorporation Date (Domestic) 09/18/2007 State ILLINOIS
Agent Name R & S LEGAL SERVICES INC
Agent Change Date 09/18/2007
Agent Street Address 200 WEST MADISON ST STE 2100
Agent City CHICAGO
Agent Zip 60606 Duration Date PERPETUAL
Annual Report Filing Date 00/00/0000




Assuming that name is correct there is no listing for that address. The agent service R & S LEGAL SERVICES INC can be contacted also. I am betting that Mr Guest and Mr. Ilic of ilicsolutions know each other. The dates are close and one may have recruited the other.

.

ilicsolutions.com - 312-235-6926 Alen Ilic, Inc

[ilicsolutions.com IP 66.152.162.117]

Domain name: ilicsolutions.com

Registrant Contact:
AI LLC
alen ilic (alen_ilic04@yahoo.com)
+1.6108081615
Fax: +1.6108081615
4950 N Marine Dr #807
chicago, IL 60640
US

Name Servers:
ns1.hostdone.com
ns2.hostdone.com

Creation date: 26 Oct 2007 20:11:22
Expiration date: 26 Oct 2008 20:11:22

Entity Name ALEN ILIC INC.
File Number 65821265
Status GOODSTANDING
Entity Type CORPORATION Type of Corp DOMESTIC BCA
Incorporation Date (Domestic) 10/19/2007 State ILLINOIS
Agent Name ALEN ILIC Agent Change Date 10/19/2007
Agent Street Address 4950 N MARINE DR #807
Agent City CHICAGO
Agent Zip 60640
Duration Date PERPETUAL
Annual Report Filing Date 00/00/0000 For Year

No number listed at that address. I have located a phone number for that name at a nearby address.




.

sensatetech.com - 805-275-2235 AKA Sensate Technology, LLC.,

[sensatetech.com] 202.60.92.179

Domain name: sensatetech.com

Registrant Contact:
ST LLC
George Berreman (georgeberreman@yahoo.com)
+1.5016370368
Fax: +1.5016370368
3700 Dean Dr #507
3700 Dean Dr #507, Ca 93003
US

Name Servers:
ns1.aussiednsserver.com
ns2.aussiednsserver.com

Creation date: 12 Sep 2007 21:44:07
Expiration date: 12 Sep 2008 21:44:07

LP/LLC
SENSATE TECHNOLOGY LLC
Number: 200723010107
Date Filed: 8/1/2007
Status: active
Jurisdiction: CALIFORNIA
Address
3700 DEAN DRIVE #507
VENTURA, CA 93003
Agent for Service of Process
GEORGE BERREMAN
3700 DEAN DRIVE #507
VENTURA, CA 93003




There is a listed number
.

ccdtemplates.com - 206-319-8144 AKA Crystal Clear Designs, LLC.,

[ccdtemplates.com IP 202.60.92.179]

Domain name: ccdtemplates.com

Registrant Contact:
CCD LLC
Arthur Chandler (arthur_chandler00@yahoo.com)
+1.7203851302
Fax: +1.7203851302
13626 8th Ave S
Burien, WA 98168
US

Name Servers:
ns1.aussiednsserver.com
ns2.aussiednsserver.com

Creation date: 26 Sep 2007 18:38:56
Expiration date: 26 Sep 2008 18:38:56

INTERACTIVE DESIGNS LLC

UBI Number 602762619
Category Limited Liability Regular
Profit/Nonprofit Profit
Active/Inactive Active
State of Incorporation WA
Date of Incorporation 09/18/2007
License Expiration Date 09/30/2008

Registered Agent Information

Agent Name ARTHUR CHANDLER
Address 13626 8TH AVE S
City BURIEN
State WA
ZIP 98168




13626 8TH AVE S appears to be a Multiple business location
No listed number at that address. However, there are several people with that name in the Tacoma / Seattle area

.

mvwebtemplates.com - 404-474-3440 AKA Most Valuable Web Templates Innovative

[mvwebtemplates.com IP 202.60.92.179]

Domain name: mvwebtemplates.com

Registrant Contact:
TTS
Edward Murphy (eddiemv777@yahoo.com)
+1.2707787541
Fax: +1.5555555555
1060 Park Row North
Atlanta, GA 30312
US

Name Servers:
ns1.aussiednsserver.com
ns2.aussiednsserver.com

Creation date: 26 Jun 2007 20:23:33
Expiration date: 26 Jun 2008 20:23:33

Name Name Type
MURPHY VENTURES, INC. Current Name
SWINTON LEGACY, INC. PRIOR NAME

---------------------------------

Profit Corporation - Domestic - Information

Control No.: 0209361
Status: Active/Compliance

Entity Creation Date: 2/19/2002

Jurisdiction: GA
Principal Office Address: 1060 Park Row North
Atlanta GA 30312
Last Annual Registration Filed Date: 7/16/2007
Last Annual Registration Filed: 2007

-----------------------------

Registered Agent

Agent Name: EDDIE J. MURPHY
Office Address: 1060 PARK ROW NORTH
Atlanta GA 30312
Agent County:

----------------------------

Officers

Title: CEO
Name: EDDIE MURPHY
Address: 1060 PARK ROW NORTH
Atlanta GA 30312

----------------------------

Title: CFO
Name: ANN MURPHY
Address: 1060 PARK ROW NORTH
Atlanta GA 30312

----------------------------

Title: Secretary
Name: EDDIE MURPHY
Address: 1060 PARK ROW NORTH
Atlanta GA 30312

-----------------------------




Now that LLC was a tough find, it originally was formed in 2002 and is why I skipped over it several times. It was formerly another name, and then changed to MURPHY VENTURES which equals the "MV" in: "mvtemplates.com". No number however there is one for another business at that address.

.

mcatemplates.com - 623-444-2173 M.C.A.

[mcatemplates.com IP 66.152.161.13]

Domain name: mcatemplates.com

Technical Contact:
MCT LLC
Steve Rogan (steve_rogan12@yahoo.com)
+1.5095625853
Fax: +1.5095625853
8912 E. Pinnacle Pear Ro #174
Scottsdale, AZ 85255
US

Name Servers:
ns1.hostdone.com
ns2.hostdone.com

Creation date: 25 Sep 2007 10:25:41
Expiration date: 25 Sep 2008 10:25:41

That address is a typo, it is "Peak" not "Pear" and that appears to be a multi business location. Still searching Arizona corp. records. M.C.A. is an abbreviation for something not related to "templates". Cannot locate a Steve Rogan in Scottsdale.

.

freedomtemplates.com site currently 404

Domain name: freedomtemplates.com

Registrant Contact:
Cd LLC
Edgard Lopez (edgardfromflorida@yahoo.com)
+1.6156766977
Fax: +1.6156766977
4019 N. University Dr. APT. E-107
Fort Lauderdale, FL 33351
US

Name Servers:
ns1.aussiednsserver.com
ns2.aussiednsserver.com

Florida Limited Liability Company
FREEDOM WEB DESIGNS, LLC
Filing Information
Document Number L07000077425
FEI Number NONE
Date Filed 07/27/2007
State FL
Status ACTIVE

Principal Address
4019 NORTH UNIVERSITY DRIVE, APT. 3-107
SUNRISE FL 33351
Mailing Address
4019 NORTH UNIVERSITY DRIVE, APT. 3-107
SUNRISE FL 33351
Registered Agent Name & Address
SPIEGEL & UTRERA, P.A.
1840 SW 22ND ST.
4TH FLOOR
MIAMI FL 33145 US
Manager/Member Detail
Name & Address
Title MGR
LOPEZ, EDGARD A
4019 NORTH UNIVERSITY DRIVE, APT. 3-107
SUNRISE FL 33351




I hope Mr. Lopez did not sign up for the syndicate's CEO special package deal. As it appears that less than two months after the above corp was set up, he registered 4 more LLCs that have ominous internet appearing names:

Florida Limited Liability Company
COMPUTERS DATA CENTER & TECHNOLOGIES, LLC
Date Filed 09/18/2007

Florida Limited Liability Company
WEB INVESTMENTS USA, LLC
Date Filed 09/18/2007

Florida Limited Liability Company
WEB DATA INTERNATIONAL, LLC
Date Filed 09/18/2007

Florida Limited Liability Company
REAL INVESTMENTS MANAGEMENT INTERNATIONAL HOLDINGS, LLC
Date Filed 09/18/2007

Still trying to track a number down for Edgard at this new location.

Though not all sites are coded to block search engines, this group was:









MGD
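Added example, not part of the original post: the registration records listed above repeat the same name servers and, for three sites, the same hosting address, so this sketch groups such records by shared infrastructure and reports the spread of creation dates per group. Domains, IPs, name servers and dates are copied from the post; the final control row is constructed.

```python
from datetime import date

# Domain, hosting IP, name-server zone and creation date as listed in the
# post above (ns1/ns2 collapsed to their zone). The last row is a constructed
# control record that shares nothing with the others.
RECORDS = [
    ("valencetemplates.com", "66.152.173.182", "hostdone.com", date(2007, 10, 10)),
    ("ilicsolutions.com", "66.152.162.117", "hostdone.com", date(2007, 10, 26)),
    ("sensatetech.com", "202.60.92.179", "aussiednsserver.com", date(2007, 9, 12)),
    ("ccdtemplates.com", "202.60.92.179", "aussiednsserver.com", date(2007, 9, 26)),
    ("mvwebtemplates.com", "202.60.92.179", "aussiednsserver.com", date(2007, 6, 26)),
    ("mcatemplates.com", "66.152.161.13", "hostdone.com", date(2007, 9, 25)),
    ("freedomtemplates.com", None, "aussiednsserver.com", None),
    ("control.example", "192.0.2.10", "ns.example.net", date(2005, 1, 1)),
]


def cluster(records):
    """Group records that share a hosting IP or name-server zone (union-find)."""
    parent = {domain: domain for domain, *_ in records}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]    # path halving
            x = parent[x]
        return x

    first_holder = {}                        # ("ip"|"ns", value) -> domain
    for domain, ip, ns, _ in records:
        for key in (("ip", ip), ("ns", ns)):
            if key[1] is None:
                continue                     # a missing field links nothing
            if key in first_holder:
                parent[find(domain)] = find(first_holder[key])
            else:
                first_holder[key] = domain

    groups = {}
    for domain, ip, ns, created in records:
        g = groups.setdefault(
            find(domain), {"domains": [], "ips": [], "ns": [], "dates": []})
        g["domains"].append(domain)
        g["ips"].append(ip)
        g["ns"].append(ns)
        if created:
            g["dates"].append(created)
    return sorted((summarise(g) for g in groups.values()),
                  key=lambda s: (-len(s["domains"]), s["domains"][0]))


def summarise(group):
    """Report attributes held by two or more members and the date spread."""
    def shared(values):
        return sorted({v for v in values if v and values.count(v) > 1})
    dates = group["dates"]
    return {
        "domains": sorted(group["domains"]),
        "shared_ips": shared(group["ips"]),
        "shared_ns": shared(group["ns"]),
        "window_days": (max(dates) - min(dates)).days if dates else None,
    }


if __name__ == "__main__":
    for c in cluster(RECORDS):
        print(len(c["domains"]), c["domains"])
        print("   shared ip:", c["shared_ips"], "shared ns:", c["shared_ns"],
              "creation window (days):", c["window_days"])
```

A shared name-server zone on its own is weak evidence, because a hosting provider's name servers serve many unrelated customers; the group tied together by an identical hosting IP is the stronger link, and the output shows which kind of link each group rests on.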

garys_2k
Premium
join:2004-05-07
Farmington, MI
Reviews:
·Callcentric
·callwithus
reply to MGD
We may get a few more views on this thread, I posted a reply here: »800notes.com/Phone.aspx/1-805-275-2235/ where people are speculating about how their cards were compromised.

As far as how they're getting the CC and CV2 numbers, since many of these cards have not been used recently (if ever) that would tend to discount the "assembled from multiple sources" theory but add weight to the compromised database idea. Of course, that contradicts the high rejection rate...

Too bad we can't ask Time magazine's newest Person of the Year to help us -- something tells me he'd be able to find out with one phone call. »www.time.com/time/specials/2007/···theyear/


Amy B80

@charter.com
reply to MGD
Thank you for linking to this forum from »www.sygyzy.com/2007/02/07/e-book···new-419/

We reported the charge as fraudulent, shut down the debit card immediately but the company was still able somehow to refund the $4.95 even though the debit card number they used was now defunct so how were they able to get the refund issued through the bank while the bank was aware it was a fraudulent charge to begin with? I'm not happy with the bank for doing this because that pretty much cuts me off from being able to do anything else about it, though I admit from the way you make things sound, it might not be completely beneficial if all I am going to be able to do is take down some unknowing mule. I truly was hoping to keep them from being able to make a refund even so far as refusing to give any contact/billing information regarding the charge when I finally got a heavy accent speaking lady that answered the phone at the number listed with the charge. Note I had called numerous times with the landline home phone with never an answer then later that evening I called with a cell phone and she answered right away. Odd.

MGD
Premium,MVM
join:2002-07-31
kudos:9

1 recommendation

said by Amy B80 :

..... so how were they able to get the refund issued through the bank while the bank was aware it was a fraudulent charge to begin with? ...
For cancelled cards there is a rollover process that extends at least for 30 days where a credit will be cross referenced. It is not the bank's fault, as once the original biller issues a refund for the charge the process is automated.

As mentioned before, that is why they always list a relay phone number on each site, and aggressively try to issue credits when a victim intends to charge it back. A chargeback negates the original charge and then adds a $25 fee from the merchant processor. That eats away at the syndicate's funds, and is eventually what burns the account up. Depending on the variables the account can last for a year or more. However, the growing amount of chargebacks and fees eventually cause the account to implode, and it ends up in a huge negative.

So a priority for the criminals is to issue a credit in lieu of facing a charge back. In addition, corresponding with a victim allows them to deflect attention away from them by insisting that "someone" compromised their card and used it to purchase something at the site. That modus operandi has been in use for years. In fact some of you may recall in 2003 - 2004, during earlier versions of this syndicate's enterprise they had websites which had a message on the main page that said "If you received a charge from xyz company on you card. Please enter the last four digits of your card number to receive a refund credit." That format was subsequently discontinued as it became ridiculed. Placing a message and entry box prominently on the main page became an obvious scam flag when thousands of users reported charges from assorted sites that all had the same format.

MGD

MGD
Premium,MVM
join:2002-07-31
kudos:9

2 edits

1 recommendation

reply to garys_2k
said by garys_2k:

We may get a few more views on this thread, I posted a reply here: »800notes.com/Phone.aspx/1-805-275-2235/ where people are speculating about how their cards were compromised.
..........
Thanks, I had seen some of those individual pages before from search hits, but not the entire thread.

In reviewing, it leads to another "template page". A poster listed a charge from naturalordretemplate. Rearranging the name leads to:

naturalordertemplate.com - 626-310-0668 Natural Order, Inc




[naturalordertemplate.com IP= 66.152.173.178]

Domain name: naturalordertemplate.com

Registrant Contact:
I E C I
Andrew Fairbanks (andy_fairbanks@yahoo.com)
+1.6106431850
Fax: +1.6106431850
403 Perkins ST
Oakland, CA 94610
US

Name Servers:
ns1.hostdone.com
ns2.hostdone.com

Creation date: 17 Sep 2007 20:07:28
Expiration date: 17 Sep 2008 20:07:28

Andrew Fairbanks
403 Perkins St
Oakland, CA 94610-4722
phone number unavailable

There are two other individuals who have the same phone number using that address.

Though the listed contact phone is also a CA area code, there is no listing for a "Natural Order " in the California corp. database. Two posters report that the charge appears to list Minnesota as the origination, and also that the phone number above is also listed as "Atala Designs". That is the Hub / recruiting site I listed in a previous post.

quote:
..."Pending charge from "Atala Designs St Paul Park MN" for $11.85 on 22Dec07"...



..."I received a charge on my credit card from ATALA Designs for $10.65 12/12/2007. I reported it to my bank and the charge was removed and now I have to get a new card. On my account description of the charge it gave a 626 number which is Alhambra, CA but the info on my account said MN"....

Strange, ataladesigns.com: »ataladesigns.com/ is now off the air. I also checked Minnesota corp data base and did not get a hit under that name either.

EDIT= This could be an attempt to salvage a business entity set up, where the mule may have got suspicious and dropped out in the early stages. /edit

I have some other hub sites coming up shortly including what appears to be a new theme, version 6.0. Also have the latest version of the "mobile phone games" site, a la Generex and Moball.

MGD

MGD
Premium,MVM
join:2002-07-31
kudos:9

2 edits

1 recommendation

reply to MGD
Still digging around the "Inowest" connection, so far unable to tell if they are a part of the operation, or complicit. I cannot yet rule them out.

We have already established the firm connection, and continuation to the Devbill / digitalAge et al. by way of the foreign laundering.

As stated, the version 4.5 templates funds from the hijacked cards were wired out of US banks to:

Beneficiary's Bank Name: EUROBANK PLC
Beneficiary's Bank SWIFT code: EUBKBGSF
Beneficiary's Bank Address: 43 Cherni Vrah Blvd.,
1407 Sofia, Bulgaria
Beneficiary Account: BG96PIRB91701745144579
Beneficiary Name: Inowest Enterprises Inc

We know that the fraudulent carded funds from several of the e-book sites are now wired out of US banks and routed to:

Beneficiary's bank name: ASIAUNIVERSALBANK
Beneficiary's Bank SWIFT code: ASUJK22
Bank address: 59, togolok moldo str., 720033,
BISKHEK, KYRGYZSTAN REPUBLIC
Beneficiary account: 1231128530000131
Beneficiary name: Inowest Enterprises
Beneficiary address: same as bank address

Asia Universal Bank is: »www.aub.kg/en .No coincidence that Asia Bank has several outlets in Russia, and branch offices in the Ukraine, Latvia, and Kazakhstan.

AUB does have a stated policy to counteract the laundering of illicitly-acquired funds:
»www.aub.kg/en/about/general/proiz Maybe a "heads up" is in order.

Inowest is now referenced in two webmaster forums that deal in PrOn affiliate referrals and sponsored site linking. In addition to the previous:

quote:
I'm getting wires but don't know which sponsors - please help!

------------------------------------------------------------

Hey

I've received a few unknown wires. Does anyone here know which sponsors they are? These are wires btw, no cheques.

Inowest Enterprises
Gioram
Kenny Media
Design Ironic

And if the owners of these sponsors see this post, can you please tell me in which country your company is based?

Thanks anyway
Maikel

Source= NOT WORK SAFE »www.gofuckyourself.com/showthrea···t=615371

A second recent reference is on a similar Russian forum, and in fact specifically mentions "Inowest v ASIAUNIVERSALBANK". A rough Google translation is here (may not be WS either): »translate.google.com/translate?h···6hl%3Den

At this stage it is possible that inowest is a Russian "currency facilitator", operating on the virtual fringe. Maybe similar to this Russian company: »www.fethard.biz/ and »www.fethard.biz/about.php

It is reasonable to assume that whatever laundering vehicle and location the criminal enterprise is using, it is one that they are familiar with, and have established history with.

I need to reach and convert more "cyber mules" in order to see if there are other accounts and C&Cs that are in use.

MGD

MGD
Premium,MVM
join:2002-07-31
kudos:9

2 edits

1 recommendation

reply to MGD
At the start, I reiterated that this syndicate has been in operation for years, and has constant access to card account data. You can journey back to seven years ago and see the "Beta", or maybe even Version 1.0 of this long running criminal operation. These reports are from 7 years ago, almost exactly to the day:

'Tis the season for credit-card heists

and:

Egghead.com Gets Hacked

Besides, at that time, the obvious operational base was Russia, pay close attention to some of the common ingredients:

circa 2000:
quote:
"....MSNBC.com research has revealed that for at least the past six months, hundreds and perhaps thousands of consumers have found charges between $5 and $25 billed to their credit cards. The laundering efforts appear to involve a group of Russian telecommunications and Internet companies. Since July, Net users have widely complained about charges from companies named Skiftelecom, Incomtel, Global Telecom, and Inetplat. It was not immediately clear if the Russian firms were participants or victims of the scheme.

After initial e-mail contact, Inetplat didn't respond to a request for an interview. None of the others immediately replied to e-mail.

There has been a fresh flurry of charges - at least 100 - billed this week by Global Telecom and Inetplat, which appear from their Web site to be the same company......."

Ringing any bells ???

if not try this:

quote:
"....She said one of her fellow victims had received a reply from Inetplat earlier this year after complaining. In the e-mail, the company was said to reply: "Possible your credit card data was stolen by hackers and used to enter one of the sites of our clients. We refund you all the money charged from your card within one week. Please do not make chargeback within this week." .....


Oh.. sound familiar.!!

What was not apparent back in 2000 was these sites were "fronts" and connected. Global Telecom (gtelecom.net) and Inetplat (Inetplat.com) were clones of each other.

From a rough translation of Inetplat.com's Home Page

quote:
"....The pay system InetPlat allows services on the method to the payment through Internet of the credit maps VISA and Eurocard/Mastercard for vebmasterov of paid sites and developers of software. Relying on contemporary technologies we let us ensure reliability and safety of your electronic commerce. Hundreds of clients from the different countries of peace already are used InetPlat in their business".....

A comment in another Russian PrOn webmaster affiliate forum not long afterwards makes reference to "inetplat" and translates as:

circa 2001:
quote:
".....4 more greatly I will say, they do not work from similar lazhey EVEN nelegal'shchiki! -))) An example, there was this office as inetplat.com (recently its name it was mentioned in connection with the scandal "Russians they robbed 3 million Americans"), so they they attempted to interest in its service of russkoyazychnykh nelegal'shchikov. And those sent them. This office awaits analogous. However, however, there lie in the first proposal on the site, in the first word: THE "RELIABLE method to obtain payment into the Internet"; -))"....

Of course now after several progressions and iterations they have adapted and fine tuned the operation. Incoming charges from Russia against thousands of US cards have long been addressed by monitoring algorithms that will reject them on sight. As recently as 2006 they had several sites that tried to run charges from merchant accounts in the UK and Sweden. They failed, the majority of the charges were rejected, and were subsequently blacklisted. Many potential victims received a notice from the card issuer that the charge was rejected.

The hosting and processing via internal US merchant accounts was a procedure adopted by the syndicate to counteract these measures. The most lenient security threshold for charges processed to US cards are ones that originate from within the US. It was then that the recruiting of cyber mules began, and the operation moved "onshore".

The fundamental issue back then was one of a card data security problem, that is what drives this entire operation. Unfortunately, 7 years later it is still the core problem.

MGD

garys_2k
Premium
join:2004-05-07
Farmington, MI
Reviews:
·Callcentric
·callwithus

1 recommendation

Getting to the core issue, where/how they get the card data, ought to be front and center to the entire Mastercard/Visa/Amex industry. Seven years? Clearly the source data has been the most consistently reliable part of the scheme -- more certain than the systems for processing the charges.

It could likely be a small group of moles placed in key positions in the business. They could skim the data onto floppies/CDRs/USB drives, whatever and export it at their leisure. They could plant the malware onto the providers' servers that uploads files.

Or, maybe they can do the latter remotely -- given the number of vulnerabilities in web facing servers out there. As for the high rejection rate, that could be a key clue.

Clearly we need a much more robust method of verifying credit card transactions where the card isn't physically present. I suspect this syndicate targets the U.S. because our procedures are easier to defraud.


chst

@pacbell.net
reply to MGD
MGD, the job you are doing is amazing!

I could become one of those cyber mules! But now they have no chance. They've hired me and I've almost set up the merchant account already. That's a big luck I've found everything out on this stage, they haven't had a chance to charge anybody through me yet!

Well, anyway.. I think I've got some interesting things that were not mentioned above and could help to trace those bastards, but I'm not sure if I should post them right here. Please e-mail me at chstpublic[at]gmail.com

MGD
Premium,MVM
join:2002-07-31
kudos:9
said by chst :

MGD, the job you are doing is amazing!.......
Thank you,

as requested, made contact from 007MGD

MGD

MGD
Premium,MVM
join:2002-07-31
kudos:9

1 recommendation

reply to MGD
Updating, rooted some more out.

Another template clone:

infinitysonstemplates.com 404-474-2550 Infinity & Sons, LLC
.
That is the current phone number listed here: »infinitysonstemplates.com/help.php Charges have also shown up on statements under that name listing another number: 404-645-1736 see: »800notes.com/Phone.aspx/1-404-645-1736




[infinitysonstemplates.com IP 66.152.162.116 ]

Domain name: infinitysonstemplates.com

Registrant Contact:
IS LLC
bryan gracy (gracy_bryan@yahoo.com)
+1.4046451736
Fax: +1.4046451736
205 Sue Ln
Auburn, GA 30011
US

Name Servers:
ns1.hostdone.com
ns2.hostdone.com

Creation date: 02 Nov 2007 19:41:28
Expiration date: 02 Nov 2008 20:41:28

The cybermule matches the domain reg.:




Business Name History

-----------------------------------------

Name Name Type
INFINITY & SONS LLC Current Name

-----------------------------------------
Limited Liability Company - Domestic

Control No.: 07089304
Status: Active/Compliance

Entity Creation Date: 10/29/2007

Jurisdiction: GA
Principal Office Address: 205 sue lane
Auburn GA 30011
Last Annual Registration Filed Date:
Last Annual Registration Filed:

----------------------------------------

Registered Agent

Agent Name: Gracy, Bryan
Office Address: 205 sue lane
Auburn GA 30011
Agent County: Barrow
----------------------------------------

There is no number listed for him at that specific address. A reverse lookup of the address lists a different name. It is possible that this was a recent move, as there are other listings for his name in Georgia.

.
.

Here is another E-book site:

mynetconnex.com 732-993-5297 mynetconnex




Been around since March 2007 without much noise: »www.google.com/search?hl=en&q=my···e+Search

For this genre, the domains usually do not match anyone, and can be carded. There is no reverse listing for this address, nor is there one for anyone with that name in NJ.

[mynetconnex.com IP 68.178.233.191]

Domain name: mynetconnex.com

Registrant Contact:
MYNETCONNEX.COM
MEGAN BROCK (supportmynetconnex@gmail.com)
+1.7329935297
Fax: +1.5555555555
306 Stevens Way
Freehold, NJ 07738
US

Name Servers:
dns1.name-services.com
dns2.name-services.com
dns3.name-services.com
dns4.name-services.com
dns5.name-services.com

Creation date: 20 Mar 2007 20:42:34
Expiration date: 20 Mar 2008 20:42:34

There does not appear to be any corp listing for a mynetconnex, however, there is the following New Jersey corporation:

quote:
New Jersey State
Corporate and Business
Information Reporting

Business Entity Name

NET CONNEX, INC.

Filing Number
0100708464

Code DP

There is a legit business called: Net Connex Technologies, Inc., so I am unable to tell yet. The Governor of New Jersey wants at least $5 to cough up more info. I have added it to my list. I may try and negotiate a bulk rate !

MGD


pleekmo
Triptoe Through The Tulips
Premium
join:2001-09-14
Manchester, CT

1 recommendation

Maybe we should start an MGD anti-scammer fund. I think that this would be an excellent idea, given MGD's value so far in shining the light on the dark corners of the Internet financial world.
--
HCN: Because you deserve a rest!

Proud member of the Free Omelas Liberation Front.

MGD
Premium,MVM
join:2002-07-31
kudos:9
Thanks, I was just making fun, .... and to be fair to NJ, they are not alone, several states now charge to look up data.

However, I am still set on you winning that lotto.

MGD


pleekmo
Triptoe Through The Tulips
Premium
join:2001-09-14
Manchester, CT
said by MGD:

However, I am still set on you winning that lotto.

MGD
Yes, I do every now and then say my prayers to the Jackpot God.
--
HCN: Because you deserve a rest!

Proud member of the Free Omelas Liberation Front.