This thread was born from this security forum thread: »
Unauthorized charges - digismarket & mfbpsite and specifically this post: »
Re: Unauthorized charges - digismarket & mfbpsiteThere is far more here than first meets the eye!.
digismarket.com and
mfbpsite.com card fraud, are only the tip of the iceberg. They are just a fraction of a criminal operation run by a well organized, sophisticated, multi divisional, vertical crime syndicate. That conclusion is the result of tracking and analyzing this syndicate's operations for over two years. They have been running this large criminal enterprise for at least 4 to 5 years, if not longer. Most importantly, it is driven from routine unfettered access to consumer's card account data by this Eastern European crime syndicate.
How long has this been going on?.... How and from where are they getting the card account data?....How exactly does it work?.... Where does the millions of fraudulent cash go?..... Who are they?.digismarket.com DIGISMARKET.COM 607-821-2630
And:
mfbpsite.com MFBPSITE.COM 310-237-6452
are just two out of the current crop of dozens of fraud sites that are all inter related, and operated by the same crime syndicate in a mutil hub and spoke type organization. The websites are just a front, fake sites, they do not sell anything, They are strictly a laundering vehicle used in an elaborate scheme to convert hijacked card data into cash, and shuttle it out of the country. A criminal conspiracy that has been operating successfully for several years.
Every single charge processed through any of these sites is fraudulent, There are no valid orders that originate from there. They are a front, set up exclusively to launderd hijacked card data into cash, and facilitate the removal of these funds out of the US.The current group of ebook sites involved in this card laundering process are controlled by the same crime ring that also operated the infamous fake webtemplate sites known as
DEVBILL. The Devbill fraud site group also included ebook sites: "Reqwest" advicebyrequest.com and its sister company "Digital Reading" digital-reading.com
are two from circa 08/2006. Also in the mix were mobile phone game download sites such as
"moball" hosted as
moballtech.com "Generex" generextech.com and "McColgan Cellular Games"
mobilegamejuice.com. The crime syndicate's operation was directly tied to the
Digitalage scam as many of the fraud charges showed up alongside the
"Digital Age" charge in the same billing period, or on subsequent periods, if the card was not cancelled. The Digital Age fraud was
directly tied to the infamous
"Pluto" card charge scam by a common domain
contact address.
The current crop of ebook sites can also be directly connected to this same criminal enterprise. There were several different website iterations of this laundering format over the years, these latest group of ebook scam sites can be assigned to a Version 5.0. Though crucial pieces of how the crime ring operated were accumulated from sifting through reams of data along the way, the case was not cracked until version 4.5 of the template scam was underway in the second half of 2006. Persistent cyber forensic analysis began to pay off in November of 2006, when a website manufacturing location was uncovered. Subsequent monitoring and shadowing of their activities produced an entire group or division of fraud sites in various stages of operation. This was followed in the first few months of 2007 by the penetration of the outer ring of the crime syndicate's operation. For the first time this enabled the core operational procedures to be uncovered. No postings updates were made during this period, because in the past the syndicate monitored the noise levels and adjusted their tactics accordingly.
Credit for contributions for some of this discovery should be shared with two other individuals. However, they requested anonymity, once the full scope and extent of this criminal enterprise was realized, and who may be behind it. It was then clear that this entire multi year operation had to be driven by unfettered access to a continuous stream of card account data. At least one division of the crime syndicate presented itself as being based in Lithuania, however, the laundered cash from the fraudulent credit card billings was tracked going to a bank account in Bulgaria. I will go into greater detail later, first lets address the current crop of card laundering fraud sites:
A sample of some of the other current sites ran by this enterprise include:
byersebooks.com Byers Ebooks 201-258-5600
ebsebooks.com AKA Electronic Business Resources 412-927-0410
usefulmart.com usefulmart.com 678-534-2858
bestdigimart.com Bestdigimart 330-871-7932
embintelligence.com embintelligence 404-287-0562
mylibreria.com mylibreria 503-616-3843
smartemarket.com Smartemarket 337-935-0141
There are also recent reports about fraud card charges listed as
Crystal Clear Designs,
fabri-tex and
Vin Designs. Other names surfacing are The Book Cellar Boston, Aslene Reads e-books, and Homebase out of CA . Other names now expired that were associated withthese fraud charges were
treedonlainsite.com, Brookshire Enterprises
brookshire-ent.com, and
bestdigimart.com. It took some serious digging to discover who they really are, as these criminals go to considerable lengths to obfuscate themselves. Many of the names they pick will intentionally resemble legitimate entities. In fact the domain for one of the above,
embintelligence.com is registered to an unrelated lady in her 60's residing at Saint Clare's Hospital, Franciscan Oaks Assisted Living Unit, in Denville, NJ, not your typical ebook vendor.
There are many more in various stages of operation, each processing thousands of fraudulent charges a month.These sites are not set up to generate any internet business, in fact, the items for sale can be routinely obtained for free. They are just one ingredient in an elaborate credit card fraud laundering process. The sites are an essential component in order to deceive multiple banks, and pass a routine vetting process for a card merchant account.
Authorize.net appears to be the predominant card processor used by this criminal enterprise.
One obvious sign that they are not intended as sites that random buyers could come across to make purchases from, is that many them are hidden from the internet. They, as intended, cannot be found using any search criteria. Several of the current sites are configured to block any search engine access using a robots.txt file configured as:
User-agent: *
Disallow: /
Examples:
This crime syndicate clearly has unfettered and continuous access to volumes of consumer's card account data at the highest levels. They had access to this data 2 years ago, last year, this year, and they have access to fresh data today. This criminal enterprise has built a sophisticated process that has enabled them to retrieve at least 1,500,000 card data accounts annually, and remove an estimated $15,000,000 a year in laundered card fraud proceeds out of the country. However, the actual amount could be any multiple of that. If they have not laundered a charge through your card already, it is only because they did not retrieve that account data yet.
Your card's prior history appears to have no relevance with respect to the odds of getting hit with these specific fraud charges. Also not relevant is the card issuing bank, the charges occur across a broad spectrum of card issuers. Neither is the fact that it is a debit (check card) or credit card, both are billed as CNP transactions, however, they do not have access to the debit pin numbers. Though primarily a Visa / Mastercharge phenomena, it also hits Amex and other card holders.
The current focus on Equifax as a potential source of a leak by the latest crop of victims posting on
Chris Jopin's blog and also discussed in Brian Sullivan's
Red Tape chronicles article, is a recurring anomaly with this criminal enterprise's fraud operation. Victims of this fraud tend to look for a prior common transaction which they believe may point to the source of how their account data was compromised. That focus is understandable, however, the long term history of this crime syndicate indicates that the data is not coming from any recent online transaction that the consumer made with their card. After sifting through years of reports the totality of the data points to a significant leak higher up the database chain.
If you were to examine the entire range of victims over a longer time period, you would find that there are many more who do not have any prior charging history in common. During the past few years consumer posting of fraudulent charges that can be tracked to this crime syndicate have reached critical mass at various times. The consensus during these peaks have pointed at one time to Amazon as being the common link, at another time it was PayPal, then various other vendors. The normal instinct is to look at where you last used the card online as a potential source of the leak. That kind of analysis and conclusion actually works in the crime syndicates favor, because it focuses attention to a common vendor, and away from data base storage higher up the chain.
Over the long term, the following anomalies emerge:• Card holders who have only used their cards at brick and mortar establishments, and have never used their card online, end up with a fraud charge from the syndicate. That is significant, in that the only data captured in card present B&M transactions are the card swipe data. That data only includes the cardholders first & last name, the card number, and the expiration date. I have verified that when this crime syndicate charges your card, they not only submit your card number, name, and exp date, but also your full correct address and the 3 digit CVV2 number. Where is that complete data stored if you never made an online purchase with the card?.
• Consumers have been hit with the crime syndicate's charge on two cards, either in the same month or in consecutive periods. The two cards were issued by different institutions and both were never used at the same vendor, nor online
• A consumer reported that shortly after receiving his new card he locked it up in a drawer, and never used it anywhere. Several months later the first ever charge to the card was from the syndicate.
This type of report has occurred repeatedly over the years for this operation:
(Emphasis added)
quote:
Mon, Aug 20, 2007 10:16 pm
I got one of my credit card bills in the mail and noticed a strange charge.
BROOKSHIRE-ENT.COM 2054190624 AL $5.00
Mind you, I haven’t made a charge on this card for maybe two years. I stopped using this card regularly after I accrued a pretty big balance and for the past few years, I’ve only been making payments to it. Heck, I don’t even keep this card in my wallet. It stays locked up in an undisclosed location that is too inconvenient for me to access. So getting a new charge on this card is pretty strange.
I immediately called my credit card company to dispute the charges. I explained a little more to them and they closed my account and will process for me a new account, number and card.
And:
September 3rd, 2007 at 3:15 pm |
Same problem here. This is quite a scam. $15 here. Same company. Inactive but valid Visa. ....................
Source= »slantyeyed.com/wp/?p=905
The current group of sites (Version 5.0) differ from the previous template group in that they are all differently designed webpages. That may be the result of a combination of publicity and also possibly blacklisting by the merchant account provider Authorize.net. Examples of the Ver 4.0 template sites can be found
here. The later group of the template sites from late 2006 thru mid year 2007 (Ver 4.5) were never published before as that was during the "shadowing" period when much of the operational tactics were being infiltrated.
Below is a list of the names and domains that were retrieved from the production assembly line during that time. I have uploaded screen shots of the actual web urls and websites that were taken at the time to a
Photobucket album This group was labeled as Version 4.5 since the format was a different design than the 4.0 group, note each name in the blue upper right box and the matching url. In fact, the connection between them can be seen as the morphing was caught in the act. A version 4.0 site
"Alta Vista Web Designs" reported multiple times for fraudulent charges was caught on the same IP as the new ones, in the process of being re labeled as
"ultrahorizonwebdesign.com"It was from this group or "division" that the laundered proceeds were tracked moving out of US Banks to the Bank in Bulgaria.
DOMAIN CONTACT NUMBER BUSINESS NAME
universal-webdesigns.com +1-(303)-495-3608 Universal WebDesigns, LLC
tws-templates.com +1-(210)-587-7370 Total Webdesign Solutions, LLC.
ptds-templates.com +1-(201)-535-8843 Pov technology design solutions, LLC
pps-templates.com +1-(775)-548-9423 PPS,Inc
lts-templates.com +1-(612)-216-4166 Littlefork Technology Solutions, Inc
kato-technologies.com +1-(313)-281-8090 K.A.T.O. Technology, LLC
icon-concepts.com +1-(386)-951-4388 Icon Design Concepts Inc
gvc-technologies.com +1-(516)-596-8594 GVC Tech Designs, Inc.
fdwc-technologies.com +1-(859)-401-0648 Design Web-Solution,LLC
web-designs-4-u.com +1-(706)-243-4850 Webdesigns4U, LLC
allstar-webtemplates.com +1-(303)-484-6926 All Star Web Designs, LLC
AEP-TEMPLATES.COM +1-(281)-962-4281 AEP WebDesign Solutions, LLC
ere-webdesignsolution.com +1-(207)-669-8257 ERE WebDesign Solution L.L.C
wilson-templates.com +1-(636)-234-0932 Wilson Technologies, LLC
pwd-templates.com +1-(609)-858-5284 Phoenix Web Design LLC
bfm-websolutions.com +1-(608)-531-1939 BFM Web Solutions, LLC
cmc-templates.com +1-(636)-234-0975 CMC Webdesign, LLC
ficas-templates.com +1-(262)-997-9372 FICAS, Inc
kaizer-templates.com +1-(321)-283-4399 Kaizer Services, LLC
ultratech-webdesigns.com +1-(303)-325-3807 ULTRATECH WEB DESIGNS
kamk-templates.com +1-(313)-281-1325 K.A.M.K. Technology, LLC
mgn-templates.com +1-(214)-594-5853 MGN Enterprises, LLC
hoskins-technologies.com +1-(859)-400-0794 Hoskins, corp
webfirstclass.com +1-(202)-640-2764 WEB FIRST CLASS LLC
floridadesign-solutions.com +1-(941)-876-6863 Southwest Florida Web Solutions, LLC.
westernlogos.com +1-(229)-351-4237 Western Logos, LLC
ur-solutions.com +1-(207)-457-5279 RSP Web Design Solution LLC
.
Though the ebooks sites operated as a division and in parallel to the template sites as far back as late 2006, they multiplied during the first half of 2007. By the middle of 2007 they became the predominant sites, just as the template operation appeared to be phasing out. The current crop of ebook (et all) sites operate identically to the prior version, down to a common beneficiary.
There are 3 core components to this crime syndicate's operation.The first ingredient is direct access to a constant supply of card account data. I cannot identify where the long term data is coming from, though access is on going because fresh cards are routinely hit. I can confirm that this criminal enterprise does have the following data on the victims that charges are processed against. In addition to the card number they have the victim's full name and complete address, the card expiration date and the CVV2 security code.
The second component is the ability to set up a web hosting site combined with a merchant billing account to process the card charges and launder them into cash. Though the criminals are adept at successfully passing a vetting process to obtain a merchant account, there is an obvious weakness in the entire process.
The third and crucial component is the ability to set up US bank accounts to receive the funds from the fraudulent charges. This crime syndicate actually has two bank accounts set up for each domain. One to receive the initial funds from the processor, and a second account that the money is then transferred into, to protect it from being reversed. The later account is from where the laundered funds are then wired out of the US in increments below the threshold for any oversight. That set up has been repeatedly documented in the template sites (Ver 4.5), and the identical modus operandi has now been confirmed in use with these ebook site set ups.
To defeat current banking regulations and remain anonymous the syndicate recruits US victims as mules who are hired as unwitting partners in the fraudulent scheme. The process of recruiting and maintaining these cyber mules is a division unto itself of this criminal enterprise. That complex process was also documented in the previous version and is expected to be no different in this version. Be advised that this is not your typical bogus check cashing or carded goods re-routing job, that should send alarm bells ringing in even the most naive individual. There is an indoctrination process that begins at the moment of contact and persists throughout the process. The syndicate actively recruits from multiple venues, including contacting individuals that have resumes listed on Monster and other job seeking sites. It may take an initial interest and response from over 200 people in order to end up with one fully indoctrinated and participating cyber mule. I have spoken with several and the process is effective, none had any idea what they were involved in, especially during the early stages.
I assume by design, all of these cyber mules had little prior knowledge of how an internet business or merchant billing account operates. They are recruited as US partners for a foreign company, and are instructed to set up a Limited Liability Corporations (LLC) naming themselves as the registered agent. They are also instructed to obtain a federal tax id number in the business name. Using that LLC documentation they are then instructed to set up the two US corporate bank accounts. The bank accounts must have online access so the syndicate can remotely access and monitor the incoming fund transfers. However, the wiring of funds back to the syndicate is done by the cyber mules. The syndicate is thoroughly versed in the procedures of how to set up US corporations, and they also appear to have intimate knowledge of the US banking system. They provide detailed instructions for the cyber mules to follow. The brainwashing is so thorough that they even have the mules make a purchase from the site with their own credit card as a test, and then later issue them a credit for the charge. The cyber mules receive compensation in the amount of 10% of the monthly proceeds after expenses. They are reimbursed for the LLC set up cost from the first fraud card run.
While trying to identify who the cyber mules were for the current Ebook sites it became apparent that the obfuscation process had reached new levels with this version 5.0. Remember that this syndicate makes hiding information at every stage an integral part of the process. Some of the websites are difficult to find due to search engine blocking, at least until there are several internet reports of fraudulent charges. In many cases the business name is a craftily altered derivative of the domain name used, making it difficult for one to easily lead to the other. Charges may show up billed under the business name which may not be the exact lettering of the domain name. They intentionally balance the obfuscation, close enough that it does not raise suspicion at the merchant account vetting process during set up, but as difficult as possible to match after the fact when the fraud is under way. See the layout of names on the 4.5 list above. Also some of the latest reports of fraud charges under such names as "Crystal Clear Designs", "The Book Cellar" and "Vin Designs" which are too generic to dig into without additional data.
That is why it is important for anyone reporting these small fraudulent charges to list the complete line data that appears on their card statement including any listed phone number, even a partial oneAlso, it is vital that you report these immediately as
fraudulent charges to your bank. DO NOT call and "dispute" the charge. Disputing a charge is a process reserved for billing received from a legitimate entity, that you did not make. The dispute process helps the criminals sustain the operation for that domain, because the bank sends them a notice of dispute which (A) takes time, and (B) allows the criminals to issue you a credit and save the cost of a charge back fee, usually around $25.
It is also vital that you cancel and replace the card. These criminals have your com;plete card data. They will continue to make charges to the card. Cancelling and replacing it is your only option.By now they have many years of experience and have perfected the process. The syndicates goal is to run high volume small charges spread across many bank card issuers, using multiple merchant accounts. They hope to maximize the amount of victims who either do not notice it, or do not bother because of the amount. Once a victim is prepared to contest it, then the syndicate wants to issue you a credit and save the charge back fee. They have a prepared script to deflect the attention away from them by saying that someone must have used your card on our site so we will issue you a credit. They will even go so far as to make up an email address that was used for the purchase. They may even tell you that you should report your card as stolen. Of course when was the last time a thief stole a credit card number and decided to maximize its potential by downloading a $10 ebook. In the past the syndicate had the mules respond to the telephone messages, but in the current version they route the calls and voice mails to Eastern Europe and respond directly. Bypassing the mules extends the longevity of each LLC because they are shielded from the volume of charge backs that grows larger each month. The criminals are also using some of the same service providers for the listed phone numbers as was used in previous versions.
So who are the conned US based cyber mules for the current ebook sites. I began the process of trying to track them down two weeks ago. I know how to find them based on the crime syndicate's know modus operandi, however actually making contact with them has been tedious and difficult at best.
Here is the data so far:
.
digismarket.com »
www.google.com/search?hl=en&q=DI···G=SearchThough the domain is registered to a Johanna Ray in with an address in Selden, NY:
Domain name: digismarket.com
Registrant Contact:
digismarket.com
JOHANNA RAY (johanna.market@gmail.com)
+1.6813466445
Fax: +1.5555555555
16 Hudson ST
Selden, NY 11723
US
The crime syndicate's cyber mule will be the individual who registered the LLC,
in the case of Digismarket it is conviently to "no name" at:
That address data cross references to a Steven Bailey:
Steven Bailey
6 Franklin Pl, Apt 2
Farmingdale, NY 11735-2636
Listing Details
Job title: Owner
Company: Digismarket Com LLC
So far I have not been able to locate a listed phone number for Mr Bailey or found a way to contact him.
.
.
mfbpsite.com »
www.google.com/search?hl=en&q=mf···e+SearchThat domain is registered as follows:
Domain name: mfbpsite.com
IP Address: 208.109.225.236
Registrant Contact:
mfbp
Eleanor Scott (SuppEleanor@gmail.com)
+1.3104103189
Fax: +1.5555555555
20411 Campaign Dr
Carson, CA 90746
US
A California corporation that matches that name appears to be registered to a Christopher Thom
2440 N FREMONT appears to be a multiple tenant business location. A public records search yields this:
Christopher Ins Thom
2440 Fremont St
Monterey, CA 93940
.
.
byersebooks.com »
209.85.207.104/search?q=cache:-a···=3&gl=usThe domain data is:
Registered through: GoDaddy.com, Inc.
Domain Name: BYERSEBOOKS.COM
Created on: 11-Dec-06
Expires on: 12-Dec-07
Last Updated on:
Administrative Contact:
Kimeklis, Russell russellkimeklis@yahoo.com
162 Airmount Road
Mahwah, New Jersey 07430
United States
(309) 419-3042
However the corporation is registered as follows:
quote:
BYERSEBOOKS INCORPORATED 0400153571 DP
STATE OF NEW JERSEY
BUSINESS REGISTRATION CERTIFICATE
Taxpayer Name: BYERSEBOOKS INCORPORATED
Trade Name:
Address: 1303 FAULKNER COURT
MAHWAH, NJ 07430
Certificate Number: 1285919
Effective Date: November 14, 2006
Date of Issuance: November 28, 2007
The website lists the same address:
There is no public record of the Russell Kimeklis at the domain address in Mahwah, NJ, nor anywhere in New Jersey or surrounding states. The corp address does have the following name listed:
Jane Byers
Listing Details
Job title: Owner
Company: Byersebooks Inc
Calls to the published number listed for that address have not been returned.
.
.
ebsebooks.com AKA Electronic Business Resources »
www.google.com/search?hl=en&q=eb···esourcesThe domain registration data lists:
Domain name: ebsebooks.com
Administrative Contact:
-
Richard Stewart (ebsebooks@yahoo.com)
+1.3094077237
Fax: -
910 Freeport Road
Pittsburgh, PA 15238
US
Creation date: 30 May 2006
The Pennsylvania corporation stats for ebsebooks are:
There is no registered agent listed, however, a check of the actual documents on file at DOC in Harrisburg, PA., show that the agent for tax process service, is an individual named TERRA MILBOURNE. There are no public listings for that named individual at the 34 Grant Ave address. Though the city is listed as Pitsburgh PA 15202. That zip code is commonly used as Bellevue, PA 15202. Several searches turn up other possible addresses and numbers for that named individual, including a listing at a commercial business located nearby.
.
.
Bestdigimart.com »
www.google.com/search?hl=en&q=BE···G=SearchThe domain reg has:
BESTDIGIMART.COM
Registrant Contact:
HARRIS HINES (HARRIS.HINES@gmail.com)
+1.3308717932
Fax: +1.5555555555
7644 Market St ,
Youngstown, Oh 44615 US
Creation date: 12 Feb 200
The Ohio corporate filing for the LLC is about as sparse as it can get. No place of business, and the registered agent is a commercial rental agent, Mark Schiff, a figure head. A public records check for the domain registrant turns up no entries for a Harris Hines in the State of Ohio.
quote:
Business Name Charter
BESTDIGIMART.COM LLC
Registration Number
1671920
Original Filing Date
Jan 10 2007
Type
Domestic Limited Liability Company
Active
Jan 10 2007 Active
Agent Name:
Business Filings Incorporated
Mark Schiff
»
www2.sos.state.oh.us/pls/portal/···=1671920and:
»
www2.sos.state.oh.us/reports/rws···01600178This one needs additional gigging in order to come up with whoever is really behind the LLC. Though Mr. Schiff would be recognized as the legal agent for the company, though he plays no active role in it.
.
.
mylibreria.comDomain info:
Domain name: mylibreria.com »
www.google.com/search?hl=en&q=my···e+SearchRegistrant Contact:
MYLIBRERIA.COM
JEFFEREY PENN (PJEFFEREY@GMAIL.COM)
+1.5036163843
Fax: +1.5555555555
10940 N.W. Supreme Court
Portland, OR 97229
US
Creation date: 11 Apr 2007
There is no number listing for a Krishna at that address. However there is one for a Varalakshmi & Sudha R Yaramala.
Have not been successful at making contact
.
.
smartemarket.com »
www.google.com/search?hl=en&q=sm···G=SearchDomain registration appears to be cloaked:
Domain name: smartemarket.com
Registrant Contact:
WhoisGuard
WhoisGuard Protected (ec41e85caca04d158220ea920720f5f2.protect@whoisguard.com)
+1.6613102107
Fax: +1.6613102107
8939 S. Sepulveda Blvd
8939 S. Sepulveda Blvd
Westchester, CA 90045
US
Creation date: 15 Jan 2007
Though the phone number on the website has a Louisiana area code, a search of the LA. corporations does not yield a match for that business name. There is a Smartemarket Inc: »
www400.sos.louisiana.gov/cgibin?···4456640D though it has been around for a long time. This is still a work in progress.
.
.
embintelligence.com »
www.google.com/search?hl=en&q=em···e+SearchThe domain is registered to:
Domain name: embintelligence.com
Registrant Contact:
EMBINTELLIGENCE.COM
Barbara Frye (frye74@gmail.com)
+1.9735866072
Fax: +1.5555555555
19 Pocono Rd
Denville, NJ 07834
US
Creation date: 02 Aug 2007
That is the address of
The Georgia Division of corporations shows:
I contacted Mr. Benkowitz last week, and spent some time explaining the situation to him. I asked him up front not to mention our conversation to the people that he was dealing with outside the US. Rather he take and a day or two and go over the details that I provided him with, independently confirm them, and he should come to the same conclusion. His circumstances were identical to the known modus operandi. The set up matched exactly to previous cybermules from the 4.5 template version. There were two bank accounts, one to receive the merchant payments and a secondary account that the money was then transferred to, in preparation for wiring out the fraudulent funds from the US. The purpose of the second account by the way, is to allow the funds to be immediately removed from the incoming merchant account, and prevent any subsequent reversal by the processor. he confirmed that the syndicate had remote access to the bank account. Mr. Benkowitz had no access to the web site controls, he never received nor seen any detail level transaction report, only the summary reports of the billing.
I provided predictable detail of the function he performed and reviewed it with him. He never met nor spoke to the people he "partnered" for, all communication was via email. He said he did have a number for them, but that was essentially a virtual fax number where he sent charge credit back forms, whenever victims managed to track him down about their charges. I told him that if he looks over his situation, he will see that he has no clue what goes on behind the scene. His essential and primary function is to wire 90% of the funds on a regular basis from a bank account here to a foreign country for which he is paid the remaining 10%. Again to people he never met and does not really know who they are. I told him that not only did the website not have any measurable incoming traffic, neither was there any recorded outbound email traffic from the embintelligence.com domain. On a legit site one would expect the ratio of visits to purchases at maybe 20 to 1, and each purchase would be due a confirmation out bound email.
I mentioned the name of the previous beneficiary used on the ver 4.5 Bulgarian transfers "inowest" and asked him if it sounded familiar. He said it sounded like who he was sending the money to. I asked if it was going to Bulgaria, he said no, Kurdistan. I said Kurdistan and not Kazakhstan he said he believed it was Kurdistan.
I asked him how he was recruited. He said he was only involved with it for a few months, and that it was his brother in law who enrolled him as he had a corp for some time also. He did not give me his brother in laws name, nor the domain that he was using. Mr. Benkowitz said that he would go visit his partner in the next day or two and call me from his house so I could go over the same details with him. I said fine give me a call. The next day I did receive an email reply confirming that the merchant processor they were using was Authorize.net. I never heard from Mr. Benkowitz again, he did not answer, nor return a follow up phone call or reply to a subsequent email.
Yesterday I decided to track down who the brother in law may be, it was not difficult:
.
.
usefulmart.com »
www.google.com/search?hl=en&q=us···G=SearchDomain name: usefulmart.com
Registrant Contact:
UsefulMart.com LLC
Kevin Kirk (burningmike@gmail.com)
+1.5094639854
Fax: +1.5555555555
1024 Coral Club Drive
Coral Springs, Florida 33071
US
Creation date: 29 Nov 2006Nobody by that name at that address.
A check of the Georgia public corporation records produced this:
Over a year old and still kicking, impressive !!
I went ahead and called Mr. Hoffman yesterday, I said that I had spoken to his brother in law last week and I was wondering if he had discuused the conversation with him. He said yes he had, and he said "I am angry at him for giving you my name and number". I said that he did not give it to me, I found it on my own. Mr. Hoffman had a nasty attitude, and said that he did not want to have any conversation with me about this issue, he did not want to discuss anything, goodbye !! and he hung up.
I am really disapointed, while it is easy to see from watching this criminal enterprise in operation, how people could get indoctrinated into the scheme. It is disturbing that once the situation is clearly laid out for them, and they examine what role they are actually performing, and the circumstances, that it is at least highly suspicious. There are no legitimate business models where this scenario exists. I have a lot of sympathy for the ensared cyber mules, they are also victims of this ruthless criminal enterprise. However the millions of dollars a year that they unwittingly launder out of the US and into this crime syndicates hands are not going to feed hungry children in orphanages. Freezing all funds at the moment of awareness, is a pre requisite to remaining an innocent participant.
Before moving on to some of the previous methods used for recruiting cybermules, lets address where the fraudulent funds were actually going outside the US to, during that phase.
The specific routing data was:
Beneficiary's Bank Name: EUROBANK PLC
Beneficiary's Bank SWIFT code: EUBKBGSF
Beneficiary's Bank Address: 43 Cherni Vrah Blvd.,
1407 Sofia, Bulgaria Beneficiary Account:
BG96PIRB91701745144579 Beneficiary Name:
Inowest Enterprises IncEUROBANK PLC is an original Bulgarian Bank that was bought out by the Greek bank
Piraeus Bank in January 2005.
Not much data is available about the beneficiary "Inowest Enterprises Inc". It appears from one posting on a PrOn webmasters site someone described them as a company that sends out wires on behalf of others. Not surprised, Bulgaria has a long tradition as a
money laundering center This was only one of many stops in the process before it reached it final location. I believe that the core of this crime syndicate is located somewhere in Russia, and ultimately that may be where the money ends up.
The cyber mule recruiting division of this enterprise involved several processes. As mentioned prior it included the syndicate directly contacting people who posted their resumes on job sites. They also placed adds in multiple locations. During the shadowing of the last template phase sites an actual recruiting website was uncovered. this website was specific tot he template group and was assumed to be one of many that were in operation. The site operated as P.O.V Webdesign Solutions, Inc., with a domain of pov-webdesignsolutions.com. The name closely resembled one of the actual template sites ptds-templates.com which was labeled Pov technology design solutions LLC. However there was never any direct reference between the recruiting site and the actual template domains.
A set of inventory screen shots of the site and its recruitment pages was taken in April 2007, not long before they disappeared.
Listed on the main page is their "location" given as:
P.O.V. Webdesign Solutions, Inc.,
Laisves pr. 12
LT-04215
Vilnius, Lithuania
The designated contact was listed as
Tomas Lasinkas, who in fact was the name the version 4.5 template cyber mules communicated with, regardless of where or how they were recruited. In addition the "president" of POV is listed as
Povilas Baranauskas.
The balance
Interesting, apparently some potential cybermules and newbie converts found each other
HEREAgain, the goal is to run high volumes of cards against small amounts multiplied, times numerous simultaneous sites. If the victim catches it give them a fake email address that used it. Quickly give them a credit to prevent a $25 charge back fee, and to prevent triggering a high charge back alert with the merchant account. Tell the victim someone must have used the card on the site. Suggest it even may have been stolen to divert attention away from the operation. keep the cyber mule out of the loop, maximize the return and longevity for each operating domain.
Viewed at the lowest common denominator it is a handful of victims complaining about a trivial charge on their card from one little website. That is not going to trigger any bank investigation, is it spread among many. It also is way below the threshold to trigger any Federal snooping around. Even if a site goes down the rest of the hub are preserved, they do not appear related. If a division goes down, the other divisions still function. Everything hums unless someone grasps the big picture and identifies it as a multi million dollar operation. Add the costs of replacing the cards and we have an annual loss barking at $70 million. But who knows how big it really is.
Most certainly this structure was built around the fact that the syndicate has direct access to this card account data, and volumes of it. The operation is vertical, they are not buying data from carding forums.
While the location and method of the card access is a priority to discover, notable mention of the clear weakness in the merchant account vetting process must not be ignored. There are numerous symptoms indicating that these sites are not legit even before the charge back ratio grows to trigger levels. No traffic, no outbound mail, robots disallow. Card data detail entry reports that would show that the data is batched, and is not coming randomly from assorted IPs as a typical site would have. It is not that it cannot happen every now and then, but for a multi year criminal syndicate to operate well over 100+ domains with impunity, over and over, and not trigger any alert. Would it be so rewarding to criminals if Authorize.net and others did not front the money right away and instead held two months in reserve for new sites, that would enable the charges to cycle. Clearly some changes need to be made, much of this fraud has become acceptable and is tolerated as past of the given percentage that is wrote off annually.
MGD
·
