Ebook websites, fraud charges, Devbill/DigitalAge/Pluto

Author	All Replies
MGD Premium,MVM join:2002-07-31 Fort Lauderdale, FL 3 edits	reply to MGD Re: Ebook websites, fraud charges, Devbill/DigitalAge/Pluto . VALLJRSX, VALL-JRSX, VIN DESIGN, VIN-DESIGN, PARADISE WEB, PARADISEWEB, E NAT, I have been working on this group since the first reports of Vin Design started coming in early December. There are now a flood of recent reports on Chris Jupin's blog, where victim's report being hit with consecutive charges each month from the above names. This division appears to have been set up to specifically target compromised American Express card accounts. I am interested in finding anyone who has any charges from this group on a non AE card. Here are excerpts from the blog so you can see the one two three hit in consecutive billings, when the card was not cancelled and replaced. Based on this input rate, there must be thousands of ongoing charges: quote: ------------------------------------------------------- 12/09...."I was hit with a $9.59 charge from VIN Designs so I just called my credit card company disputed the charge,"..... ------------------------------------------------------- 12/15...."I just noticed a charge of 9.45 on my AMEX from VIN Design.".... ------------------------------------------------------- 12/10..."I found an $11.87 charge from VIN Designs on my AMEX bill. The disturbing part is that when I called AMEX to dispute the charge, they told me that they have a standing agreement with VIN Designs.".... ------------------------------------------------------- 12/31..."I reported earlier that I cancelled my amex card and filed a fraud report for a charge of $9.59 from VIN Designs. That charge was successfully removed, but on my final amex bill on that card I found another charge for $9.59 from VALLJRSX VALL-JRSX of West Sacramento, Ca - also listed, like VIN Designs, as direct mktg internet"...... ------------------------------------------------------- 01/01...."I noticed unauthorized charges as recently as December 29 from the same operation out of Plumas Lake CA. The first was under VIN Design in November and then the latest was the same address but now under the name Paradise Web. Another suspicious transaction appeared under VALLJRSX out of Sacramento"...... ------------------------------------------------------- 01/03...."I was a victim of both ViN Design and VALLJRSX in the past two months. Amex refunded the Transactions."....... ------------------------------------------------------- 01/03...."I received my American Express bill today with a $11.95 charge on it from this company. When I googled VALLJRSX,"...... ------------------------------------------------------- 01/03....."I just did a search for Paradise Web and found this site - I too have had 3 unauthorized charges lately on my AmEx - VIN DESIGN, VALL-JRSX, and now Paradise Web. I am surprised that AmEx is still authorizing these charges and not rejecting them automatically.".... ------------------------------------------------------- 01/04...."I have been a victim, too .. 10/22/07 $11.87 - E NAT NATALIYA MAKOVCARMICHAEL CA ELECTRONICS STORE 12/05/07 $11.95 - PARADISE WEB PARADISPLUMAS LAKE CA DIRECT MKTG INTERNET 12/26/07 $ 9.45 - VALLJRSX VALL-JRSX WEST SACRAMENTO CA DIRECT MKTG INTERNET All 3 times, I called American Express and they refunded the charges without delay. After the 3rd one, I asked for a new credit card w/ a new number".... ------------------------------------------------------- 01/04...."I first noticed a 12/11/07 charge on my AmEx card from Paradise Web out of Plumas Lake, CA for $9.59 a few days ago. It was for an internet download. I had not made any internet download purchases, and neither had any one else in the family. I then checked my AmEx account and noticed a 1/1/08 charge by VALLJRSX out of West Sacrmento, CA for $12.24, also for "internet Downloads"...... ------------------------------------------------------- 01/04....."Same thing happened on my Amex card in November and December. November was $11.87 from VIN DESIGN VIN-DESIGPLUMAS LAKE CA and December was $9.59 from VALLJRSX VALL-JRSX WEST SACRAMENTO CA." ------------------------------------------------------- 01/04...."I too was hit with the same 3 charges and AMEX could not give me a phone number for these companies, yet they reversed the charges." ------------------------------------------------------- 01/04..."I too had several bogus charges on my account from the following companies between Nov 07-Jan 08: $12.38 VALLJRSX VALL-JRSX WEST SACRAMENTO CA $11.95 PARADISE WEB PARADISPLUMAS LAKE CA $12.38 E NAT NATALIYA MAKOVCARMICHAEL CA" ------------------------------------------------------- 01/04..."I just find fraudulant activity on my account. $12.38 VALLJRSX VALL-JRSX WEST SACRAMENTO CA - Jan 4.2008 $13.95 E NAT NATALIYA MAKOVCARMICHAEL CA - Nov 18. 2007" ------------------------------------------------------- 01/06...."Last July I ordered a free credit report from Equifax, and paid a few bucks (with my Amex card!) to see my FICO score. Then I got these charges on my Amex account: 01/02/08, $12.38 PARADISE WEB PARADISPLUMAS LAKE CA 12/14/07, $12.38 VALLJRSX VALL-JRSX WEST SACRAMENTO CA 11/11/07, $9.59 VIN DESIGN VIN-DESIGPLUMAS LAKE CA".... ------------------------------------------------------- 01/06...."I've also been charged by these two companies thru my American Express Card. AMEX is now investigating. VALLJRSX VALL-JRSX WEST SACRAMENTO CA PARADISE WEB PARADISPLUMAS LAKE CA"...... ------------------------------------------------------- 01/07...."I've also found a $11.95 charge on my credit card from VIN Design, Plumas Lake, CA. Called American Express and opened a fraud investigation.".... ------------------------------------------------------- 01/08 ......"I just found a charge on my recent 12/2007 amex statement of $12.38 from VIN DESIGN VIN-DESIGPLUMAS LAKE CA, DIERECT MKTG INTERNET. Googled it, found this site. Went back and checked past statements, found another bogus charge in OCT 2007 for $12.24 from VALLJRSX VALL-JRSX WEST SACRAMENTO, COMPUTER NETWORK/INFO"...... ------------------------------------------------------- Based on the modus operandi, there is a good chance that this is the "AE" division of the syndicate. I am following up this post with some of the details of what has been uncovered so far. As you might expect they are all linked together. MGD
	to forum · permalink · · 2008-01-07 16:04:30 ·
MGD Premium,MVM join:2002-07-31 Fort Lauderdale, FL 3 edits	reply to MGD Re: VALL-JRSX,, VIN-DESIGN, E NAT, PARADISE WEB VALLJRSX, VALL-JRSX, VIN DESIGN, VIN-DESIGN, PARADISE WEB, PARADISEWEB, E NAT, There are two focus points for this group. One is a hosting server at IP 64.202.102.8, and the other is a collection of individuals who may know each other, and who reside in either Sacramento and/or Yuba counties in California. That server has been under observation for over two weeks. There are at least 18 domains that are hosted on that IP. All 18 have not yet been identified, though several have. From that group the following domains of interest were selected for additional scrutiny: 1) vr-s.com . 2) ez-booksonline.com . 3) ibook-space.com . 4) ibookstfs.com . 5) ebooks-tfw.com . 6) best-ebooks4you.com . 7) az-bookspace.com Some of these sites are works in progress. Several changes were observed being made during the past 10 days. I am having difficulty reaching the individuals that appear to be fronting some of the operations. Phone numbers have changed, and where I was able to make contact the people answering the phone did not appear to speak English that well, only Russian. I am urgently trying to find out the domain name of their contacts, and where the money is going. Two crucial pieces of information needed to establish a connection to this syndicate. The first related website is a mobile games download site: »vr-s.com and contains the following info: vr-s.com VirtualMobile-Store, 900 simon terrace way, WEST SACRAMENTO,95605, USA 916-617-8005 (a division of VALL-JRSX ) That domain is registered as follows: vr-s.com Registrant: vlad mironyuk 4840 buffwood way sacramento, California 96841 United States . Registered through: GoDaddy.com, Inc. Domain Name: VR-S.COM Created on: 13-Jul-07 Expires on: 13-Jul-09 Last Updated on: 13-Jul-07 . Administrative Contact: mironyuk, vlad vladsdesign@hotmail.com 4840 buffwood way sacramento, California 96841 United States (916) 308-3108 . Domain servers in listed order: NS57.DOMAINCONTROL.COM NS58.DOMAINCONTROL.COM Digging deeper produced a Sacramento County Fictitious Business name registration for a Vlad's Design under the name Vladimir Mironyuk: Sacramento County Fictitious Business Name File Number: 0703444 Abandoned Date: Filing Date: 03/23/2007 Expiration Date: 03/23/2012 Ownership Type: Individual Status: Active Number of Business Names on this filing: 1 Number of Owners on this filing: 1 Business Name(s): VLAD'S DESIGN Owner Name(s): MIRONYUK, VLADIMIR There is also commercial phone listing: Vlad's Design (916) 628-8389 \| 4840 Buffwood Way Sacramento, CA Business Categories: Catalog & Mail-Order Houses The zip code 96841 in the domain reg is incorrect, it should be 95841. The following public data is also available: Nikolay & Vladimir Mironyuk home 4840 Buffwood Way Sacramento, CA 95841-2217 . . Vladimir Mironyuk work Job title: Owner Company: Vlad's Design 4840 Buffwood Way Sacramento, CA 95841-2217 . The Website VR-S.com states that it is a division of VALL-JRSX, and lists an address of 900 simon terrace way, WEST SACRAMENTO,95605, USA A check of both California State, and county business records finds a FBN record for VALL-JRSX: Sacramento Couny Fictitious Business Name File Number: 0703682 Filing Date: 03/28/2007 Expiration Date: 03/28/2012 Ownership Type: Individual Status: Active Number of Business Names on this filing: 1 Number of Owners on this filing: 1 Business Name(s): VALL-JRSX-DESIGNER Owner Name(s): SHIKHANTSOV, VALENTIN Note that both FBNs' were filed within a few days of each other. There are public record listings for a Valentin Shikhantsov including: Valentin Shikhantsov 900 Simon Ter, Apt 88 West Sacramento, CA 95605-1917 . Job title: Owner Company: Vall Jrsx Designer Portions of the site are a direct copy of the UK site, "Chillingo" with minor name alterations quote: Copyright c 2005 Powered by VR-S.COM VirtualMobile-STORE (a division of VALL-JRSX ) If you want to know exactly what personal information we hold about you, you can obtain it. If it transpires that the information held is inaccurate, we will make the necessary amendments and confirm to you that these have been made. Please write to [VirtualMobile-Store 900 simon terrace way, WEST SACRAMENTO,95605, USA +1 916-617-8005] enclosing a cheque for the administration fee of 15 made payable to VALL-JRSX under the terms of the Data Protection Act. The Data Protection Act of 1998 is a UK law. They forgot to remove the name: quote: Currencies Chillingo sets the price of each of the products in US Dollars (and converted to the local exchange rate equivalent based on the exchange rate of the day), and the amount you pay in GBP is calculated by your credit card handling company at the time of purchase. . . Next up is: ibookstfs.com 800-517-4127 »ibookstfs.com Though one of the pages has contact information of: ibookstfw online Store 15340 ne 14 av North Miami Beach, FL, 33162 Email: orders@ibookstfs.com Phone number: (786) 506-6708 The domain however is registered to: IBOOKSTFS.COM Registrant: vladimir okhotskiy 1076 lost trail dr. plumas lake, California 95961 United States . Registered through: GoDaddy.com, Inc. Domain Name: IBOOKSTFS.COM Created on: 27-Jul-07 Expires on: 27-Jul-08 Last Updated on: 27-Jul-07 . Administrative Contact: okhotskiy, vladimir vin-design@hotmail.com 1076 lost trail dr. plumas lake, California 95961 United States (916) 459-5222 Domain servers in listed order: NS51.DOMAINCONTROL.COM NS52.DOMAINCONTROL.COM Besides the email contact being vin-design@hotmail.com one of the pages also contains this: quote: Right of access to your information: If you want to know exactly what personal information we hold about you, you can obtain it. If it transpires that the information held is inaccurate, we will make the necessary amendments and confirm to you that these have been made. Please write to IBOOKSTFS [(800)517-4127] enclosing a cheque for the administration fee of 15 made payable to VIN-DESIGN under the terms of the Data Protection Act. Policy Changes Copyright © 2007 VIN - DESIGN Powered by vin-design A search of California records finds a state corporate LLC filing: LP/LLC VIN DESIGN LLC Number: 200735210176 Date Filed: 12/18/2007 Status: active Jurisdiction: CALIFORNIA Address 2934 LERWICH RD SACRAMENTO, CA 95821 Agent for Service of Process VLADIMIR N OKHOTSKIY 2934 LERWICH RD SACRAMENTO, CA 95821 An initial search of California public records does not produce any hits on the name VLADIMIR OKHOTSKIY. However a reverse search of that address produces a listing for: Anna I Okhotskaya 2934 Lerwick Rd Sacramento, CA 95821-1825 and a second listing for that name at: Anna I Okhotskaya 2318 Church Ave Sacramento, CA 95821 Going back to the address used for the domain registration for Vladimir Okhotskiy of: 1076 lost trail dr. Plumas lake, which is in Yuba County, Ca. A check of that address yields some very interesting clues: Dennis Timofeyev work 1076 Lost Trail Dr Plumas Lake, CA 95961-9123 phone number unavailable . Listing Details Job title: Owner Company: Paradise Web -----------> NOTE . Dennis & Vyacheslav Timofeyev 1076 Lost Trail Dr Plumas Lake, CA 95961-9123 . Running that last name through Sacramento Fictitious Business Name registrations yields: Business Name Owner Name File Number Filing Date PARADISE LAWN CARE TIMOFEYEV , TATYANA 0500931 01/24/2005 PARADISE LAWN CARE TIMOFEYEV , VLADIMIR 0500931 01/24/2005 PARADISE LANDSCAPING TIMOFEYEV , VYACHESLAV 0402866 3/09/2004 That may be where the name Paradise in "Paradise Web" came from. More to follow, MGD
	to forum · permalink · · 2008-01-09 14:47:38 ·
MGD Premium,MVM join:2002-07-31 Fort Lauderdale, FL	reply to MGD VALL-JRSX,, VIN-DESIGN, E NAT, PARADISE WEB Part 3, There are additional fraudulent charge reports from this group continuing to roll in on Chris Jupin's blog. There now seems to be little doubt that the earlier characterization of this as the "American Express" fraud division of the syndicate is true. The reported fraud charges from this group appear to be specifically targeting American Express compromised card accounts. While Cybersource / Authorize.net is to be heavily criticized for their utter failure to implement appropriate procedures in the vetting process to remove these fraudulent laundering accounts, apparently American Express fares no better. Authorize.net has been the criminal enterprise's provider of choice for several years. Part of the issue is that merchant account providers make maximum profits from charge back fees. They may initially be reluctant to address the distorted frequency of charge backs and credits associated with these fraud accounts. In the case of the VALL-JRSX, VIN-DESIGN, E NAT, PARADISE WEB group, it appears that American Express has provided these criminals with the perfect opportunity to use their own system to launder their customer's compromised cards. There was an initial report on the blog from a victim who quoted an AE csr as saying that they had a "reversal arrangement" with the fraud group. originally I brushed that off as a statement from an overzealous AE csr. However, now there is an additional report of the exact same arrangement. quote: Marti on 01.10.08 at 6:27 pm I checked my Amex account online this morning and saw a charge I didn’t recognize from Paradise Web for $9.59 on 01/06/08: Transaction Date: 01/06/2008 Transaction Description: PARADISE WEB PARADISPLUMAS LAKE ...........................Amex was very willing to reverse the charge, as they said they had an agreement with the company to automatically reverse disputed charges (!). Another poster mentioned this also. I find it incredible that the credit card companies seem to be facilitating these scams (in the sense that they do not seem to investigate or want to do anything to stop it). ........... Incredible !! that plays straight into the criminals hands. I am sure that this type of pre-arranged reversal agreement does not contain the usual high "charge back" fees. In effect, American Express is now performing one of the criminal's intensive tasks of mitigating charge back fees to maximize the take. In addition the process of setting up this type of merchant billing account directly with American Express appears to be only one step above the "honor system". The entire process can be done online, and subsequently administered and managed from there. Have a look at the application: »https://www209.americanexpress.com/merch···=regular Apparently neither American Express nor Cybersource realize that there is no accreditation process for setting up an LLC, or establishing an EIN number. Criminals, even those offshore can easily arrange for that kind of setup. Possession of those credentials does not establish any form of legitimacy to an operation, that process is not intended to. In addition the merchant account application is done "online". American Express states that approval comes "within the hour". Combine this with various card data storage and processing systems that are about as secure as a sieve, and you could not write nor invent a more efficient crime magnet. One wonders why Cybercrime is such an epidemic. Future callers to American Express from card holders who are victims of this group's fraud charges, should alert them that they need to reverse any and all charges from this group. In addition, they can use the submit reports for an up to date list of AE compromised accounts. They should automatically issue new cards to any account holder's card that is submitted from this criminal enterprise. As of yesterday, the status of the additional domains of interest on the VALL-JRSX, VIN-DESIGN, E NAT, PARADISE WEB, server at IP 64.202.102.8 hosting the sites are: ez-booksonline.com was still a work in progress, no contact data listed yet, nor is the refund page completed. Same for ibook-space.com and best-ebooks4you.com ebooks-tfw.com, ebooks-tfw.com, and az-bookspace.com, did not have any webpages configured..yet. They all currently have "cloaked" domain registration: Registered Through GoDaddy.com, Inc. Domain Name: best-ebooks4you.com Created on: 2007-09-03 04:10:49 Expires on: 2009-09-03 09:10:49 Last Updated on: 2007-09-03 04:10:50 Domain Servers NS57.DOMAINCONTROL.COM NS58.DOMAINCONTROL.COM . Administrative Contact Registration Private Domains by Proxy, Inc. (480) 624-2599 Phone (480) 624-2599 Fax DomainsByProxy.com 15111 N. Hayden Rd., Ste 160, PMB 353 Scottsdale, Arizona 85260 United States best-ebooks4you.com@domainsbyproxy.com . . Registration Private Domains by Proxy, Inc. (480) 624-2599 Phone (480) 624-2599 Fax DomainsByProxy.com 15111 N. Hayden Rd., Ste 160, PMB 353 Scottsdale, Arizona 85260 United States Domain servers in listed order: NS51.DOMAINCONTROL.COM NS52.DOMAINCONTROL.COM ibook-space.com@domainsbyproxy.com Registered Through GoDaddy.com, Inc. Domain Name: ibook-space.com Created on: 2007-08-27 14:46:34 Expires on: 2009-08-27 19:46:34 Last Updated on: 2007-08-27 14:46:35 Domain Servers NS57.DOMAINCONTROL.COM NS58.DOMAINCONTROL.COM . . EZ-BOOKSONLINE.COM Administrative Contact Registration Private Domains by Proxy, Inc. (480) 624-2599 Phone (480) 624-2599 Fax DomainsByProxy.com 15111 N. Hayden Rd., Ste 160, PMB 353 Scottsdale, Arizona 85260 United States Registered through: GoDaddy.com, Inc. om) Domain Name: EZ-BOOKSONLINE.COM Created on: 01-Aug-07 Expires on: 01-Aug-09 Last Updated on: 01-Aug-07 MGD
	to forum · permalink · · 2008-01-12 20:48:10 ·
informed @rr.com	reply to MGD Re: Ebook websites, fraud charges, Devbill/DigitalAge/Pluto »yolo.courts.ca.gov/Calendars/Dai···bmit.y=9 VALENTIN SHIKHANTSOV AKA VALL-JRSX ARRESTED/ARRAIGNED!
	to forum · permalink · · 2008-01-13 00:19:56 ·
MGD Premium,MVM join:2002-07-31 Fort Lauderdale, FL 3 edits	reply to Davo1 Re: VALL-JRSX,, VIN-DESIGN, E NAT, PARADISE WEB said by Davo1 : MGD-Thank you for all the info you have provided. Just rec'd AE statement w/charges from Paradise & VALLJRSX..contacted AE to dispute & replace card. You are welcome. It is important to point out that this modus operandi, set up to exclusively target compromised American Express card holder accounts, is not new. In fact, my archives contain a duplicate operation that ran from September to December of 2006. There are some remarkable patterns of coincidence that whet my cyber forensic appetite. When these traits are pointed out, you will see that VALL-JRSX, VIN-DESIGN, E NAT, and PARADISE WEB are clearly a continuation of a long established pattern. So while American Express may eventually kill off these current fraudulent billing accounts, when the rate of complaints finally inundate their radar screen. They are unlikely to notice, nor react, to this established pattern, unfortunately. They identical set up from 15 months ago that targeted hijacked American Express data, was a company called LEXBAY. First reports of fraud charges on AE accounts surfaced in September of 2006. Coincidentally, LEXBAY also originated in the expatriate Russian / Ukrainian community in California. The reported line item charge of varying amounts in the $12 range, were listed on American Express statements as: quote: Transaction Description: LEXBAY LIMITED ROSEVILLE CA MOBILE CONTENT-GAMES ----------> LOOK ! Charge: $12.38 Merchant Address: LEXBAY LIMITED/ALEXANDER 8592 LAS BRISAS CIR ROSEVILLE CA 95747 USA Merchant Type: BUSINESS SERVICE That 8592 LAS BRISAS CIR address in Placer County, currently shows up on a Countrywide Financial REO Foreclosure List Inventory Reports of the 09/2006 fraud charges showed up on a multi page FatWallet thread, and subsequently on a Bargainshare.com thread. According to Placer County Fictitious Business records, LEXBAY was registered in October of 2005 to an ALEX BERNIK quote: Placer County, California. Doc Nbr: 2005-0002669- Date: 03-OCT-2005 Business Name: LEXBAY LIMITED Owner BERNIK, ALEX A standard peripheral check of running the Bernik last name produced two other FBN's with suspicious net sounding names registered by other individuals with the same last names: UNIBSOFT and ABCNET I never did find any nefarious reports under those names, other than noting the repeating name connections to UK entities. What the common link is to the Russian expatriate community in California is, remains to be seen Clearly, this further confirms the continuity of a long running operation that either American Express does not know about, or does not talk about. VALL-JRSX, VIN-DESIGN, E NAT, and PARADISE WEB were not the first using this MO to target AE cardholders, and they will not likely be the last either. Remember, what ends up being reported on the web, is only a fraction of what is actually taking place. EDIT= From the victim reports in that FW thread is this recurring anomaly: quote: ...." I have never heard of these people and have not used my AMEX Blue card in months (and I don't have it stored in any online payment services that I know about)"..... ...."I was also hit by this fraud. FYI, my AMEX card with this charge has not been used in over 2 years. "... ..."Same thing happened to me today. It was really odd because I haven't used this one AMEX card and I had a 14.95 charge.".... /EDIT MGD
	to forum · permalink · · 2008-01-16 02:40:22 ·
frank85 join:2008-01-23	reply to MGD Re: Ebook websites, fraud charges, Devbill/DigitalAge/Pluto I found a charge also posted on 12/31/2007 VALLJRSX VALL-JRSX WEST SACRAMENTO CA S1E13F470 DIRECT MKTG INTERNET DIRECT MKTG INTERNET
	to forum · permalink · · 2008-01-23 11:14:43 ·
darpa @cox.net	reply to MGD got a chare on my ax card $9.59 from VALLJRSX VALL-JRSX 1-27-07 ALSO A SUSPECT CHARGE FROM TIM WEBB SALES $9.45, address 332 morrison ave, sacramento, ca. Its listed a a tele equipment co, but no telephone number published!
	to forum · permalink · 2008-01-25 15:24:36 ·
MGD Premium,MVM join:2002-07-31 Fort Lauderdale, FL	Re: VALL-JRSX,, VIN-DESIGN, E NAT, PARADISE WEB said by darpa : got a chare on my ax card $9.59 from VALLJRSX VALL-JRSX 1-27-07 ALSO A SUSPECT CHARGE FROM TIM WEBB SALES $9.45, address 332 morrison ave, sacramento, ca. Its listed a a tele equipment co, but no telephone number published! . You can change that status from suspect to positive fraud. I can confirm that the TIM WEBB charge is from the same AMEX fraud division. This is a dynamic operation with new names coming on board each week. Thank you for posting the line item details on TIM WEBB, as this is the first report that I have seen on them. Connecting the dots from a known fraud company combined with a new fraud charge is essential in keeping track of the operation. The $9.45 charge is from another fictitious business name registered in Sacramento County on 08/24/2007 as TIM-WEB and was registered by a TIMOTEY PROTOPOPOV It appears that the FBN registration has the first and last names reversed: County of Sacramento, California. Fictitious Business Name File Number: 0709634 Filing Date: 08/24/2007 Expiration Date: 08/24/2012 Ownership Type: Individual Status: Active Number of Business Names on this filing: 1 Number of Owners on this filing: 1 . Business Name(s): TIM-WEB . Owner Name(s): TIMOTEY, PROTOPOPOV That 322 Morrison Ave. address that you listed is also a match for: Timotey Protopopov Job title: Owner Company: Tim Web 322 Morrison Ave Sacramento, CA 95838-3260 Not sure of that spelling of the last name, as there is another individual listed for that address: Tatiana Protopotova 322 Morrison Ave, Sacramento, CA 95838 In fact TIM-WEB is not the only new one for this group to surface this week. One of the unfortunate benefits from victims that only dispute the charges and do not cancel their card, is that they are then able to document the continuity of this criminal enterprise. It helps connect the dots as the subsequent charges roll in. On 01/07/08 a poster reported: quote: ..."I’ve also found a $11.95 charge on my credit card from VIN Design, Plumas Lake, CA. Called American Express and opened a fraud investigation. The charges were removed from my bill. Waiting to hear what they send back to me. I feel sorry for anyone who doesn’t check their statements."... REF= »www.cjupin.com/2007/09/13/credit···ment-777 He is now back on 01/22/08 with two fresh charges to that card. The first report of two new names: quote: .."New month, new fraud charges on my AMEX Card.. Solomka Desig Pavel Sacramento, CA Computer network/info ($9.45) and Mobil Txt., Mobil Txt Fairoaks, CA Misc Personal Service ($12.24) I contacted AMEX . I told reviewed these charges and told them about this web site and all the fraudulent blogs and suggested that they take a look at it and do something beside give credit. I suggested they try investigating our fraud complaints. Of course they said they would as they had calls on these charges already today. I also had them issue me a new card. REF= »www.cjupin.com/2007/09/13/credit···ment-808 The first of those charges is from an FBN SOLOMKA DESIGN registered by a PAVEL KASHCHENKO County of Sacramento, California. Fictitious Business Name File Number: 0709688 Filing Date: 08/27/2007 Expiration Date: 08/27/2012 Ownership Type: Individual Status: Active Number of Business Names on this filing: 1 Number of Owners on this filing: 1 . Business Name(s): SOLOMKA DESIGN . Owner Name(s): KASHCHENKO, PAVEL A. Further checking produces an address: Pavel Kashchenko work Job title: Owner Company: Solomka Design 4282 Pinell St, Ste 101 Sacramento, CA 95838-2904 A cross check of the address shows that there is also a commercial listing for: Pk Cabinets 4282 Pinell St, Sacramento, CA 95838 (916) 641-0108 Checking back on the FBN list confirms the same name A subsequent check of commercial phone listings yields this from the Russian Yellow Pages: PK & Cabinets Pavel Kashchenko (916) 372-9525 (916) 641-0108 (fax) (916) 952-1207 (mobile) 1017 Rogers St W.Sacramento, CA, 95605 REF: »rypweb.com/Home.aspx?cat=3343&page=13 There is a listing for the above address: Pavel & Tatyana Kashchenko 1017 Rogers St West Sacramento, CA 95605-2001 As well as one for another address: Pavel Kashchenko work Job title: Owner Company: Pk Cabinets 3020 Duluth St, Ste 4 West Sacramento, CA 95691-2240 (916) 952-1207 Clearly Pavel's primary occupation is in the woodworking business, and he apparently may be a cyber-mule as a second job. Making contact with Pavel, once again yields another individual that does not speak English, only Russian. The only response to mentioning SOLOMKA DESIGN is "wrong number". The second charge labeled as "Mobil Txt" appears to track to a California LLC filing on 8/2/2007 to an entity named MOBIL DESIGN LLC registered by a ALEKSEY VYKHVESTOV. MOBIL DESIGN LLC Number: 200721410266 Date Filed: 8/2/2007 Status: active Jurisdiction: CALIFORNIA Address: 5118 SHELL STREET NORTH HIGHLANDS, CA 95660 Agent for Service of Process ALEKSEY VYKHVESTOV 5118 SHELL STREET NORTH HIGHLANDS, CA 95660 There is also a matching Sacramento County FBN that reverses back to the LLC: County of Sacramento, California. Fictitious Business Name File Number: 0708788 Filing Date: 08/02/2007 Expiration Date: 08/02/2012 Ownership Type: Limited Liability Company Status: Active Number of Business Names on this filing: 1 Number of Owners on this filing: 1 . Business Name(s): MOBIL DESIGN . Owner Name(s): MOBIL DESIGN A check of the 5118 SHELL STREET address yields: Svitlana Shramenko 5118 Shell St North Highlands, CA 95660-5331 August of 2007 appears to have been a busy month. The North Highlands address does not match to the Fair Oaks address listed on the Mobil Text charge. A check of both the State of California and Sacramento databases show that this is the only match for this item. The word "Mobil" is somewhat unique, in that the common name used is "MOBILE". There is also no public data for a ALEKSEY VYKHVESTOV. In fact, I suspect that the spelling of the name VYKHVESTOV is incorrect. That name does not generate public records anywhere in the country. Since this is such a concentrated epidemic, I am know at the stage where I can just browse the Fictitious Business Names database, and select out suspicious records. I am betting that ALEKSEY VYKHVESTOV of MOBIL DESIGN fame, is really ALEKSEY VYKHRESTOV (Change the second "V" to an "R")from this December 2006 FBN registration of ALEK DESIGN. County of Sacramento, California. Fictitious Business Name File Number: 0613573 Filing Date: 12/12/2006 Expiration Date: 12/12/2011 Ownership Type: Individual Status: Active Number of Business Names on this filing: 1 Number of Owners on this filing: 1 . Business Name(s): ALEK DESIGN . Owner Name(s): Withdrawn Date VYKHRESTOV, ALEKSEY If true, that would be somewhat troubling. Two cyber-mule set ups a year apart, indicates that more than enough time has passed for any reasonable level of intuition to conclude that one is participating in a criminal operation. After the initial task of setting up the business names, tax id number, and corresponding bank account, the only routine task that a cyber-mule performs is the wiring of funds out of the country. What would make matters even worse is if ALEKSEY VYKHRESTOV is related to TIM VYKHRESTOV, who also in December of 2006 registered E.WEOB DESIGN County of Sacramento, California. Fictitious Business Name File Number: 0614050 Filing Date: 12/28/2006 Expiration Date: 12/28/2011 Ownership Type: Individual Status: Active Number of Business Names on this filing: 1 Number of Owners on this filing: 1 . Business Name(s): E.WEOB DESIGN . Owner Name(s): VYKHRESTOV, TIM A quick check of that name yields this: Tim Vykhrestov work Job title: Owner Company: E Weob Design 3900 Annadale Ln, Apt 21 Sacramento, CA 95821-2029 I can only speculate as tho whether these two entities ever materialized into full blown fraud operations. There are no reports of fraud that I can find, however, that can not be the sole measure, since many active scam operations never make it to Google. They are indeed highly suspicious, and certainly fit the pattern. This entire operation is bordering on the absurd, and it is by no means unique to American Express. However, this ironic utilization of American Express's merchant account system to fraudulently launder their own customer's compromised cards into cash, further emphasises clear defects in the financial system. This simplified charge reversal system, enables the crime syndicate to come back next month and take another shot at the same cards, to see if they will stick. If AE would assemble a database of the processed cards from all of these fraudulent merchant accounts, it may be possible to detect patterns from this large database, that could lead to the source or sources of the data. By now there is considerable card history, especially if you go back at least a year, or more. Since there are several unique characteristics of these fraudulent merchant accounts, one could easily write a simple script to filter and flag them at application time. There is no doubt that this criminal enterprise would adapt to any roadblocks, nevertheless, the vetting process has to become more stringent. All the while, this factory of recruits in the California Russian community, is registering new fake businesses faster then the old ones are been taken down. This process apparently can go on forever in its current form. We can see from the earlier example of LUX BAY from 2005, that this process has continued unabated for a considerable time. We cannot tell if the 2005 LUX BAY was specifically targeting AE. However recruiting cyber-mules in the California Russian community appears to be a well established operation. I have finally made contact with someone in the community who does speak English fluently, and is connected to one of the recent cyber-mules. That mule is a Russian only speaking female, who is a college student. That would appear to fit the profile of someone that may have been seeking part time work. The relative with whom I spoke with, has agreed to call me back and translate a conversation with the cyber-mule, though I am not sure that they will. He claims, and seems believable, that she has no idea as to what is really going. He also said that he was told that the website was not ready yet. He also states that he translates English emails for her and has not done that for anything related to this operation. I will follow up if he fails to get back with me. I have assumed from the start, and this reiterates it, that the criminals are obviously communicating with the California Russian division of cyber-mules in their native language. That makes this division unique in that respect. The focus of subsequent digging should include finding out what the common link is within the community that enables such a large unique group to be recruited, and for a sustained period. Are they all being recruited remotely?. In addition, how, and to where, are the fraudulent funds being sent. Also, the domain names from the email addresses that they are receiving communication from. I have previously ran across up to three cyber-mules who knew each other, in the Template - Ebook division. It was a "word of mouth" type of indirect recruiting. One person tells another, "Hey I got this well paying part time job, almost a "money for nothing" side business, "you should check it out". The level of mule concentration within this community is unmatched anywhere else. In this case, could there be a local liaison for the syndicate that is doing the recruiting?. There is something different occurring here that enables this to be such a focal point. MGD
	to forum · permalink · · 2008-01-28 05:16:07 ·
pvFromTexas @sbcglobal.net	reply to MGD Re: Ebook websites, fraud charges, Devbill/DigitalAge/Pluto I got hit by them with the following fraud charges on my amex: 1/9/08 VALLJRSX VALL-JRSX WEST SACRAM $11.95 1/28/08 SOLOMKA DESIGN PAVELSACRAMENTO $9.45 I called up amex and reported the charges.
	to forum · permalink · 2008-01-29 21:01:11 ·
SAHinCA4 @pacbell.net	reply to MGD In mid January I was suddenly hit with two charges on my AmEx and was alerted via your posts that they were fraudulent - so thanks! I disputed both of them and just phoned AmEx and am having a new card mailed overnight. I live in the San Jose area but my parents live in Roseville and I visited them over the Christmas holiday. This began in early January. First charge was from VALLJRSX, second from Mobil Txt. VALLJRSX VALL-JRSX WEST SACRAMENTO CA DIRECT MKTG INTERNET Merchant Address: VALLJRSX 900 SIMON TERRACE UNIT # 88 WEST SACRAMENTO CA 95605 Merchant Type: INTERNET DOWNLOADS Doing Business As: VALLJRSX MOBIL TXT MOBILTXT FAIR OAKS CA MISC PERSONAL SERVICE Merchant Address: MOBIL TXT 4201 GREENVALE RD. FAIR OAKS CA 95628 Merchant Type: MISC PERSONAL SERV Doing Business As: No Additional Information
	to forum · permalink · 2008-02-09 18:23:02 ·
MGD Premium,MVM join:2002-07-31 Fort Lauderdale, FL 1 edit	reply to MGD Re: VALL-JRSX, VIN-DESIGN, E NAT, PARADISE WEB Cyber-mule arrested and charged, ... sometimes it can take a while!. As part of the expose on the VALL-JRSX, VIN-DESIGN, E NAT, PARADISE WEB, et all, American Express card fraud. That was the division centered around the Russian expatriate community in the Sacramento County, CA., and surrounding area. Back on January 16th 2008, I posted regarding how this specific modus-operandi of AE fraud could be tracked back several years. I documented a 2005 AE card fraud operation under LEXBAY LIMITED ROSEVILLE CA which was set up by a cyber-mule named ALEX BERNIK »Ebook websites, fraud charges, Devbill/DigitalAge/Pluto I missed this several months later, in May of 2008: 05/15/2008 DEFENDANT INDICTED IN CHARGE CARD, MONEY LAUNDERING AND REAL ESTATE SCHEMES SACRAMENTO, Calif. United States Attorney McGregor W. Scott announced that a federal grand jury returned an indictment today charging ALEXSANDR BERNIK, 29, of the Sacramento area, with wire fraud, money laundering, and making false statements to federally insured banks to obtain real estate loans. BERNIK was previously arrested on April 30, 2008, on a criminal complaint filed in connection with this investigation and was ordered detained as a flight risk. The case is the product of an extensive investigation conducted by the United States Secret Service and the Internal Revenue Service-Criminal Investigation Division. According to Assistant United States Attorney Courtney J. Linn, who is prosecuting the case, the indictment charges that from October 2005 through November 2006, BERNIK engaged in a scheme to defraud American Express and its customers. He used the fictitious business name Lexbay Limited to open a bank account and establish a merchant relationship with American Express. Between August 2006 and November 2006, he fraudulently charged American Express customers for products or services that the customers did not order. During this time period, a bank account he controlled in the name of Lexbay Limited received approximately $177,000 from American Express. Some of those funds were then withdrawn in transactions designed in part to avoid transaction reporting requirements under state and federal law. The indictment further charges that in late 2005, BERNIK applied for and obtained loans from federally insured lenders secured by residential real property in the Sacramento area. In connection with those loans, the indictment charges that BERNIK knowingly made false statements overstating his income and knowingly submitted false bank statements to influence the banks to loan him money. The maximum penalties for wire fraud is 20 years in prison, and a fine of up to $250,000. The maximum penalty for money laundering is 20 years in prison and a fine of up to $500,000. The maximum penalty for making false statements to a federally insured lender is 30 years in prison and a fine of not more than $1,000,000. The actual sentence, however, will be determined at the discretion of the court after consideration of the Federal Sentencing Guidelines, which take into account a number of variables and any applicable statutory sentencing factors. The charges are only allegations and the defendant is presumed innocent until and unless proven guilty beyond a reasonable doubt. Ref: »www.usdoj.gov/usao/cae/press_rel···ease.pdf There was also an article in the local CBS news website: »cbs13.com/local/defrauding.custo···077.html MGD
	to forum · permalink · · 2008-08-20 02:09:43 ·
MGD Premium,MVM join:2002-07-31 Fort Lauderdale, FL 3 edits	reply to StillAtIt Re: Ebook websites, fraud charges, Devbill/DigitalAge/Pluto said by StillAtIt : I found this site as I was backtracking a fraudulent Amex charge from "24-hour corp" in Carmichael, CA. ..... Thank you for posting, and what a coincidence !! I ran across that several days ago while performing routine searches looking for signs of the American Express card fraud division. As some of you may recall, it has been almost 6 months since a posting has been made on this division which uses Sacramento County based Russian expatriate cyber-mules. Previous reports have been under the heading of: -------------------------------------------------- VALL-JRSX, VIN-DESIGN, aka VIN DESIGN, E NAT, PARADISE WEB, aka PARADISEWEB, TIM-WEB, SOLOMKA DESIGN, Mobil Txt, MOBIL DESIGN LLC, ROMAN I PIGLITSIN Telecom Service, DBA ROMAN PIGLITSIN, et all What do they all have in common?. They are a just a few of the LLCs or Fictitious Business Names that were registered in the Sacramento County or surrounding area by Russian expatriate cyber-mules. The business were registered for the sole purpose of obtaining a business merchant processing account from American Express. They were specifically set up in order to use AMEX's own system to launder hijacked American Express victim card data into cash. This was done by submitting and processing fraudulent charges against the stolen card data. The cyber-mules then wired the hijacked funds out of the country which presumably ended up in Russia and the Ukraine. This fraud has been operating out of that area, virtually uninterrupted since at least 2003 - 2002. The fraud runs in parallel with the indentical Visa / MasterCharge operation. -------------------------------------------------- I have been scouring for signs of their continued operation, which is sometimes difficult to find. However, knowing that this operation has been running in parallel for several years also, I knew that they were active somewhere, and it was just a matter of time before they hit the radar again. I was preparing a post over the last several days, while digging into: ACCEPT-ALL-PAYMENTS.COM AL-Pay, E-Sprint, and 24-hour corp I can now tie this recent American Express card fraud directly to the same operation, no question about it. I will follow with with the post that I have been preparing over the last several days, which includes both the UK and USA victim reports of the Amex fraud charges. In the interim watch this local Sacramento CBS 13 news report: »cbs13.com/video/?id=39375@kovr.dayport.com They are correct in that it is the "tip of the iceberg". However a whole section of the iceberg has been revealed already. The worst part of the American Express fraud charges, is that Amex has known about this format for over two years, and supposedly investigated it. Yet they are either unable, or unwilling, to take simple preventative measures to at least make it somewhat difficult for these cyber-mules to keep obtaining Merchant accounts from American Express. Remember, American Express has their own proprietary merchant processing system. This organized crime syndicate obtains the merchant account via the Sacramento County Russian cyber-mules direct from AMEX. That is how the American Express card holders become victims of this fraud. The bad part is that the syndicate has been obtaining these accounts from AMEX via this modus operandi for at least 5 years In an excerpt from my work in progress post, I prepared a simple script example of how they could have screened this out: Now obviously that will not shut down the operation. After all, the organized crime syndicate has had a constant supply of American Express card holder account data for years. However, American Express ought to at least make it somewhat difficult for the criminals to launder that card data into cash using the Amex merchant processing system. With the Visa / MasterCharge fraud division, the cyber-mules can be located anywhere within 50 states, which is a little more difficult to nail down. This one is so simple to at least place a minor road block in front of, that it borders on negligence, in my opinion. In addition, if you have not been alert to this over the past 5 years, then you have also lost the ability to do specific card fraud analysis on all of the data that was submitted via the dozens of fraudulent merchant accounts. That analysis is a crucial function as it may well reveal some of the points of initial compromise of the data. If so, that would have enabled those sources to be re-secured, and if unique, possibly prevent other sources from being compromised. MGD EDIT= corrected FBN/LLC names, added text
	to forum · permalink · · 2008-09-30 20:57:07 ·
MGD Premium,MVM join:2002-07-31 Fort Lauderdale, FL	reply to StillAtIt Re: ACCEPT-ALL-PAYMENTS.COM, AL-PAY, E-SPRINT, 24-HOUR CORP ACCEPT-ALL-PAYMENTS.COM, AL-PAY, E-SPRINT, 24-HOUR CORP 800 682-7189 800-683-6024 It has been almost six months since we have heard anything regarding the parallel AMEX fraud charges ran by Sacramento California Russian Expatriate cyber-mules. History tells us that even though we are not hearing anything, the chances that this multi year fraud operation has been abandoned, are between slim and none. Though I have routinely sniffed around looking for signs of them, unsuccessfully, that certainly did not mean they had stopped. Since fraud reports can show up in a myriad of places, it can be very difficult to monitor. What brings the Sacramento county Russian cyber-mule operation to the forefront once again, is a recent ongoing AMEX fraud with a twist, and some publicity. The current Amex fraud charge run can be directly tied to the same long running criminal operation, and also highlights new cyber-mules. The twist is that the fraudulent AMEX merchant accounts are now processing bogus charges to both US and UK victims with AMEX affiliated cards. I hit on this by changing some of the key word combo searches that I mentioned earlier that were routine exercises. It unfolded as follows: First was a search that returned a TV News video report from CBS 13 News in Sacramento, CA. quote: Local residents Targeted By Credit Card Scam Worldwide complaints from American Express card owners have led investigators to the Sacramento area, where a false business was allegedly making false charges. Elyce Kirchner reports: »cbs13.com/video/?id=39375@kovr.dayport.com Well with those keywords "American Express" "Sacramento" "false business" false charges", I knew before I even watched the video where and to who this would lead to. Sure enough, a new crop of Russian expatriate Amex cyber-mules, and one not so new. What was driving this were complaints from the USA and UK victims of fraud charges originating from: 24 HOUR CORP 800-682-7189 6104 Holt Ln. Carmichael, CA 95608 800-682-7189 By the way, these fraud charges vary from $25 to $50 per hit. Sample extracts follow from: »www.complaintsboard.com/complain···7/page/1 quote: 18 days ago by Aimee Same exact thing just happened to me- amex card, same business name, same notes, except they did it 2 times, and the charge was 44.19 each time. -------------------------------------------------- 17 days ago by Michele Same thing. Two charges on my AX card for $37.69 each! When you double hit in this range, then these are intended to be short lived fast burn accounts. Remember they can usually draw the money within 48 hours of submitting the charge. As long as they pile them in they can cover and keep adding to the draw, they can move the funds out fast. it is long gone by the time the victim sees the statement. Emphasis added: quote: 16 days ago by J. F. [send email] I agree that I think this company is fraudulent. This is the information that I have found about the supposedly company. I did a reverse search lookup for the company's address on whitepages.com and these are the results that I have found: 1 Result matching "6104 Holt Ln, Carmichael, CA." Andrey Yakovlev ------------->Strike One = Russian 6104 Holt Ln Carmichael, CA 95608-3972 ----->Strike Two = Sacramento County phone number unavailable Fraud charges in these amounts are what drew the national media attention to the "Pluto" and "Digital Age" card fraud. Likewise here: quote: 9 days ago by Katie ATTENTION ALL VICTIMS OF 24 HOUR CORP SCAM: I work for the Better Business Bureau in North East California. We are currently working on the 24 Hour Corp Scam with AMEX card holders. This scam has reached all the way to the UK. PLEASE EMAIL ME at your earliest convenience. We are meeting with channel 3 and 13 and would love to schedule more interviews and find out more information as to the number of people affected. I look forward to hearing from you. Thanks, Sincerely, Katie Robison Public Relations and Program Services katier[@]necal.bbb.org Several, but not all, of the UK victims had visited the USA: quote: 14 days ago by Nigel Barber I went to the States in May and only spent money at the hotel on my credit card and got US Dollars before I went. I have been back for nearly 4 months and now I get a 24hour corp on my statement for 23.18$. I have phoned my bank and they are aware of it and now they are investigating. Ihave given them the address above and we shall see what happens. This really is annoying. More on why AMEX ~~could~~ should have prevented this, they have known about this fraud group for several years. This is not "new" to American Express, at all. quote: 7 days ago by Janice I am based in the UK and noticed the unauthorised charges because they were the only ones in US Dollars on my statement. I hadn't used my card abroad or over the internet. Amex (in the UK) said that they are aware of the problem and their fraud team are investigating. They have stopped my card and will credit me for the two unauthorised charges which were $28.04 each. Many thanks for posting the alerts. Without it, I would not have known I was a victim of fraud. Can you believe this bank !!! This is asinine!: quote: 13 days ago by Clare Gomme Each month for the last 3 months, I have had charges on my Lloyds card to this company. I have tried to cancel the card to prevent this fraudulent use but Lloyds inform me that, even though they are investigating this company on behalf of a large number of clients, my account cannot be closed until the investigation is complete. In the mean time I am having to phone up each month to dispute this charge. This month I have also been charged for late payment with interest for the disputed amounts on my current statement. To make matters worse I have never used the Amex card on this duo card account so how has 24 hour corp got hold on my account number. Could the fraudster must be an employee of Lloyds? And it is not just that thread, this one too: 24 hour corp and/or e-sprint LLC 800 682-7189 and 800-683-6024 accept-all-payments.com »www.complaintsboard.com/complain···057.html quote: 28 days ago by Pl AMEX (from MBNA) in the UK recognised this as fraud & cancelled the card - it is said that the amounts are low because its below the authorisation limit so they go through automatically - but some AMEX issuers are waiting for customers to complain before they do anything. Spreading to other countries: quote: 27 days ago by George I had two charges from them on my Greek Alpha Bank AMEX, within July, the amounts were 17, 05 and 17, 18 euros...it is amazing the way they let this company charging people all this time. The Bank returned the amounts but I still find it unacceptable... I have reported it since 4 of AUGUST and AMEX still let them charge. A UK victim's thread on the UK forums Moneysavingsexpert.com: »forums.moneysavingexpert.com/sho···1&page=2 quote: Lloyds TSB Credit Card ------------------------ Beware, its seems that some thing suspicious is happening with transactions with Lloyds TSB cards. LLoyds TSB have said they have had alot of the same, but they dont know who the company is. It showed on some statements as 24 HOUR CORP 24HOUR CARMICHAEL CA£18.340806 35.37 USD @ 1.9286 24 HOUR CORP 24HOUR CARMICHAEL CA £19.54 ##0805 37.69 USD @ 1.9289 So make sure you check your statements!! ------------------------------------------------------- I have had a charge on my Virgin Amex for approx $23 which translates at £13.84 from 24 Hour Corp Carmichael. Virgin have said they will contact the merchant and ask for documentation. They give them 40 days for a response and if it's not a legitimate charge they will refund the money back to my account. In the meantime the amount is frozen so it doesn't accrue interest but they won't issue me with a new card until it is confirmed as a fraudulent transaction. This is a known fraud ------------------------------------------------------ A similar charge has appeared on my British Airways Blue Amex card. $44.92 USD on 10 Aug 08. I am just off the phone to Amex and I was told that this is a known fraud which is impacting numerous cardholders. They will refund it and they have insisted that my card is cancelled and a replacement issued. What dissapoints me is that their fraud team are aware of this and they are not proactively identifying customers that are impacted. When I pushed them on this I was told: "It would take too long to review every account, so we are waiting for customers to call us - Amex have revoked the merchant's Amex authorisation, but because the transactions are below the "floor limit" they are applied automatically to customer accounts without being checked to see if they are valid". Please keep your eyes open!!! What is even more disappointing is the fact that American Express has known about this specific fraud operation for several years. Contributing to the problem is how easy Amex doles out merchant accounts. Since a core function of this long running fraud is the use of Russian expatriate cyber-mules from a concentrated area around Sacramento County, a simple add on in the vetting process that was listed in the above post, could easily filter these out at application time. So lets look over some of the info that has already been posted, and add some to it: ACCEPT-ALL-PAYMENTS.COM, AL-PAY, E-SPRINT, 24-HOUR CORP 800 682-7189 800-683-6024 The website ACCEPT-ALL-PAYMENTS.COM is now down, two cached pages still exist from August 26th 2008: Snapped 2008-10-01 06:12:04 »74.125.45.104/search?hl=en&suggo···G=Search Snapped 2008-10-01 06:11:46 »74.125.45.104/search?hl=en&suggo···G=Search from the page: Contact Us E-Sprint LLC,. 2721 Rio Linda blvd. Sacramento, CA, 95815 Phone/fax +1(800)683-6024 So, did American Express improve the vetting process for individual merchant accounts, and the criminals moved up to the next rung on the ladder and were operating as a secondary wholesaler / affiliate?: quote: Welcome to AL-Pay! The best credit card and E-check payment system on the net. Did you know that when you accept credit cards and checks online, you can expect your sales to increase by an astounding 50 to 400%? You simply can't compete if you don't accept credit cards and e-check. With our free online application, you can start accepting credit cards and e-checks on your web site in less than 24 hours! In addition to accepting credit cards and e-checks on your web site in real-time, you will also receive our simple-to-use, web-based payaments administration system. With our versatile ecommerce software, you have a complete solution. Or was that just a ruse? Running down the names: E SPRINT is a California LLC registered on March 11th 2008 by a PAVEL UDALOV: LP/LLC E SPRINT LLC Number: 200807110216 Date Filed: 3/11/2008 Status: active Jurisdiction: CALIFORNIA . Address 2721 RIO LINDA BLVD SACRAMENTO, CA 95838 . Agent for Service of Process PAVEL UDALOV 2721 RIO LINDA BLVD SACRAMENTO, CA 95838 There was also a matching Sacrament Country Fictitious Business Registration for E SPRINT LLC: There is no phone listing for either PAVEL UDALOV or a reverse for that address. In fact, there is no public records for a Pavel Udalov within the entire state of California. That home however does show up as having being last purchased on 08/07/2007 and was put back on the market a month later. That home was recently listed on "Sacramento Area Flippers In Trouble", as having a 37% drop in asking price from the previous sale, and has unpaid back property taxes for 2007. »74.125.45.104/search?q=cache:DEd···=5&gl=us The address is no longer on the MLS listing. I am unable to find anything specific for "Al-Pay". However, the ACCEPT-ALL-PAYMENTS.COM domain as "StillAtIt" posted, brings us to a very familiar name: Registered through: GoDaddy.com, Inc . Whois Record Registrant: ESprint Corp. 4351 marysville blvd Sacramento, California 95838 United States . Domain Name: ACCEPT-ALL-PAYMENTS.COM Created on: 27-Apr-08 Expires on: 27-Apr-09 Last Updated on: 27-Apr-08 . Administrative Contact: piglitsin, roman piglitsin@hushmail.com ESprint Corp. 4351 marysville blvd Sacramento, California 95838 United States (916) 308-7086 Fax -- . Domain servers in listed order: NS13.DOMAINCONTROL.COM NS14.DOMAINCONTROL.COM From February 2008: quote: Julia: VIN design, Roman Piglitsin and Solomka from Sacramento and Plumas, CA have hit my Amex three times now since November for $12.38, $9.45 and $9.59. Fortunately, Amex has been good about crediting my account. »Re: Ebook websites, fraud charges, Devbill/DigitalAge/Pluto From March 2008: quote: Angry: Oh my! I did a search of some bogus charges that were on my AMEX and this site popped up! Thank goodness I'm not alone. I apologize in advance if this is not the correct place to post this or if you all have discussed this information previously. The two companies that charged my AMEX have already been posted by others: 1) ROMAN I PIGLITSIN Telecom Service 2/20/08, $11.87 ROMAN I PIGLITSIN DBA 4351 Marysville Blvd Sacramento, CA 95838 Cellular Telephones R And P Web Designer 2) SOLOMKA DESIGN, Computer network 2/08/08 $11.95 SOLOMKA Design 4282 Pinell St Ste 101 Sacramento, CA 95838 Internet Downloads I immediately flagged it online, but didn't submit it as a fradulent charge. At the time I thought it MIGHT have been something connected to my MONTHLY charge from EXPERIAN that is SUPPOSED to cover credit report monitoring and protection. Imagine that! .... .. AMEX has sinced given me a credit and sent letters stating they are investigating. »Re: Ebook websites, fraud charges, Devbill/DigitalAge/Pluto That ties ROMAN I PIGLITSIN to SOLOMKA, which ties to VALLJRSX VALL-JRSX »Re: Ebook websites, fraud charges, Devbill/DigitalAge/Pluto and also to Mobil Txt, and on up the ladder we go!. Roman's directory listing does show him as the owner of "R And P Web Designer", which means that the White Pages picked it up from a business filing, a search of both Sacramento County, and California records does not yield a hit. It is possible that it could be registered in another county. These are the only two listings: Did the crime syndicate do the same as they do in the other divisions, and after the ROMAN I PIGLITSIN DBA cyber-mule merchant account burned up, and he became black listed, then used his identity to register the ACCEPT-ALL-PAYMENTS.COM domain? The last several months have been a dry spell in terms of fraud charge information on this Amex division, though I doubt that they were on vacation. In fact Domain Tools shows that there are a total of 6 domains registered using the piglitsin@hushmail.com email address. One of them as late as July. You should presume the other 5 are also tied to fraudulent American Express merchant accounts that we do not know about. Some of them may have been already active, I have searched for fraud reports. That brings us to 24-HOUR CORP, there were three Corporate registrations of that name: The first one was in the beginning of 2005, and subsequently suspended: Corporation 24 HOUR CORP. Number: C2715247 Date Filed: 1/10/2005 Status: suspended Jurisdiction: California . Address 6104 HOLT LANE CARMICHAEL, CA 95608 . Agent for Service of Process LEO YAKOVLEV 6104 HOLT LANE CARMICHAEL, CA 95608 Then registered again on 08/18/2006 with a new address: Corporation 24 HOUR CORP. Number: C2892866 Date Filed: 8/18/2006 Status: suspended Jurisdiction: California . Address 2370 MARKET ST STE 111 SAN FRANCISCO, CA 94114 . Agent for Service of Process LEO YAKOVLEV 2370 MARKET ST STE 111 SAN FRANCISCO, CA 94114 Registered for a third time in June of 2008, new agent name, but the same address as the 2006 registration: Corporation 24 HOUR CORP Number: C3150801 Date Filed: 6/23/2008 Status: active Jurisdiction: California . Address 2370 MARKET ST STE 111 SAN FRANCISCO, CA 94114 . Agent for Service of Process DAVID BLESS 2370 MARKET ST STE 111 SAN FRANCISCO, CA 94114 . The 2370 MARKET ST STE 111 address is the same as that of a company called Ferro Rosso Corp. www.ferro-rosso.com »www.ferro-rosso.com Snapped 2008-10-01 06:11:29 »www.ferro-rosso.com/contact.htm Yelena Milovanova 2370 Market Street, Suite 111 San Francisco, CA 94114 888-870-7797 Ferro Rosso Corp. 2370 Market Street, Suite 111 San Francisco, CA 94114 What the connection is to this apparently legit company, I do not know. However, they have more than an address in common: They share the same "24 Hour Corp" as the agent, which in 2007 would have been LEO YAKOVLEV. A check of all FBNs' registered to either Andrey or Leo: With so little information thus far, I do not necessarily suspect a formal conspiracy between the criminals and the cyber-mules, because of the common Russian heritage link. Evidence of hiding, or otherwise participating in the obfuscation of the set ups would indicate some level of complicity. However, what has been frustrating, is the inability to obtain information from known cyber-mules. Their unwillingness to even talk about it, or cooperate, certainly leaves an impression of being complicit, which may or may not be accurate. Repeated contact attempts yields mules who claim to be only able to speak Russian. When you hear others speaking English in the background, and point that out, they still refuse to have them act as translators. They do know the subject matter, and most of the calls end abruptly. In a case where a translator was available and the issue was discussed with them, they offered to call back with the cyber-mule present, but never did. Repeated follow up calls were ignored. That makes the Sacramento case a difficult area to crack and gather intelligence data on. Based on this stonewalling, which may be more cultural that anything else, a Dslr member who spends time in that area attempted several months ago to generate local media interest in the case, and was not successful. How complicit some of these cyber-mules are may be revealed in the upcoming Federal case of the 2005 cyber-mule, ALEX BERNIK of LEXBAY LIMITED ROSEVILLE CA: »Re: VALL-JRSX, VIN-DESIGN, E NAT, PARADISE WEB MGD
	to forum · permalink · · 2008-10-01 06:51:44 ·
MGD Premium,MVM join:2002-07-31 Fort Lauderdale, FL	reply to MGD Re: Ebook websites, fraud charges, Devbill/DigitalAge/Pluto As noted in the above post one of the latest fraud cyber-mule recruiting sites were QUETOYS.COM QUETOYS.NET, and QUETOYS.ORG As you can see from Google, Que Toys Ltd., was a derivative of the prior fraud recruiting Tetronix Toys Ltd. Que Toys Ltd - Tetronix Toys Ltd. Also noted was the fact that the QUETOYS group was hosted on the Russian owned cesspool of cybercrime network of 3FN / Pricewert LLC / APS Telecom. That should not have been a surprise as the crime syndicate has a long relationship history with this genre, such as McColo, Atrivo, EST, etc. They do not use these cyber crime services exclusively, over the years they have based some of their operations at GoDaddy, Hostdone, Everyones Internet, Inc., JaguarPC.com / Landis Holdings Inc., etc. They surprise this time around though was where QUETOYS.COM ended up being moved to 24 hours after the plug was pulled on 3FN. As you are aware, the FTC disconnected 3FN with no prior notice, the result of an "ExParte" court order, and was a well kept secret beforehand. Not only was the speed at which QUETOYS.COM resurfaced remarkable, but also the fact that it turned up on another US based IP, 66.225.241.14 QUETOYS.COM = 66.225.241.14 IP Address History . Event Date Action Pre-Action IP Post-Action IP . 2009-06-01 New -none- 216.195.62.132 2009-06-08 Change 216.195.62.132 66.225.241.14 Name Server History . Event Date Action Pre-Action Server Post-Action Server . 2009-05-26 New -none- 3fn.net 2009-06-05 Transfer 3fn.net Zevshost.net . IP 66.225.241.14 is owned by a Chicago based hosting company called HOSTFORWEB: IP Address: 66.225.241.14 IP Location - Illinois - Chicago - Hostforweb Inc Name Server: DNS1.ZEVSHOST.NET (has 232 domains) Name Server: DNS2.ZEVSHOST.NET Server Central Network SCN-2 (NET-66-225-192-0-1) 66.225.192.0 - 66.225.255.255 HostForWeb Inc. HOSTFORWEB-5 (NET-66-225-241-0-1) 66.225.241.0 - 66.225.241.255 OrgName: HostForWeb Inc. OrgID: HOSTF-1 Address: PO BOX 1164 City: Chicago StateProv: IL PostalCode: 60690 Country: US NetRange: 66.225.241.0 - 66.225.241.255 CIDR: 66.225.241.0/24 NetName: HOSTFORWEB-5 NetHandle: NET-66-225-241-0-1 Parent: NET-66-225-192-0-1 NetType: Reallocated Comment: RegDate: 2004-05-21 Updated: 2004-05-21 OrgTechHandle: ADMIN240-ARIN OrgTechName: Administrator OrgTechPhone: +1-312-343-4678 OrgTechEmail: alex.k[@]hostforweb.com The president of Hostforweb is Alex Korneyev presumably of Russian heritage: »www.google.com/search?hl=en&q=Al···oq=&aqi= »www.google.com/search?hl=en&q=al···oq=&aqi= Hostforweb Corp That in itself may not be remarkable, however, when you combine it with the fact that a group of the identical American Express card fraud laundering websites were also stashed on a Hostforweb IP it certainly rises to that level. While it may be just a remarkable co incidence, remember that as a hosting entity, hostforweb is a relatively small operation, though it does host many .ru domains. One has to also presume that due to the surprise shutdown of 3FN, and the subsequent prompt relocation of QUETOYS.COM to IP 66.225.241.14, that the syndicate had prior knowledge of Hostforweb's existence. It is doubtful that they discovered Hostforweb and managed to relocate there all within hours of the 3FN shutdown. A HostforWeb IP 64.202.102.8 first came to attention back in early January of 2008 as the host of several of the American Express card fraud laundering domains related to: VALLJRSX, VALL-JRSX, VIN DESIGN, VIN-DESIGN, PARADISE WEB, PARADISEWEB, E NAT, VR-S.COM. These were all associated with the multi year Amex card fraud laundering operation that all have Russian ex patriate cyber-mules. The operation is concentrated in the Sacramento and surrounding counties in California. Some examples: quote: Kevin: Very interesting reading. I just noticed a charge of 9.45 on my AMEX from VIN Design. I did the research and ended up here. Strange thing about this- 2 months ago, I disputed a charge of 9.59 from an obscure mobile game developer in Sacramento (which is near Plumas Lake, CA). I did a lookup of the address and found the site vr-s.com. I don’t download games from 3rd party sites so I disputed the charge. When I looked at the most recent charge, and did an address lookup, I ran into an e-book site, ibookstfs.com. Lo and behold, the website copy of both ibookstfs.com and vr-s.com is identical. Compare the privacy policy- it’s boilerplate, as is the site design, logo placment, etc. The domain owner is someone named Vladimir for both domains, and all addresses for these are in or around Sacramento, California. Going to check out that linked article above now. Ref:»www.cjupin.com/2007/09/13/credit···rketcom/ quote: Fraudulent Charges and Equifax … Three times in as many months, I have had weird charges from California appear on my American Express statement. I did not do business with these companies and I cannot find any information about them online. 10/22/07 $11.87 - E NAT NATALIYA MAKOVCARMICHAEL CA ELECTRONICS STORE 12/05/07 $11.95 - PARADISE WEB PARADISPLUMAS LAKE CA DIRECT MKTG INTERNET 12/26/07 $ 9.45 - VALLJRSX VALL-JRSX WEST SACRAMENTO CA DIRECT MKTG INTERNET Each time, I called American Express to dispute the charges and they were promptly credited back to my account. I asked them if they could provide me more information about the company that charged me like their phone number, address or website. But, they never had any additional information they could provide. Apparently, whatever I can see when I manage my account on their website is all they can see. It’s obvious that someone got a hold of my account number. So, I called American Express today and they canceled my card and are issuing me a new card with a new number. But, I just ran across this article »redtape.msnbc.com/2007/11/chris-···ml#posts by Bob Sullivan (really enjoy reading his stuff) on the Red Tape Chronicles on MSNBC. His article talks about people that have had small bogus charges posted to their debit or credit cards. And, just like the people in the article, I also subscribe to Equifax credit monitoring services. Maybe there is a connection? You would think that Equifax’s website and customer data is secure. But, it’s hard to deny these connections. Ref:»cybercjh.com/blog/2007/12/28/fra···-equifax The Amex card fraud laundering is a mirror copy of the Devbill VISA and MASTER CHARGE fraud operation. In fact, the non stop AMEX fraud can be documented operating from as far back as 2002. American Express card fraud laundering domains While the Devbill operation is far more sophisticated, and is spread across a diverse group of financial institutions, and merchant account providers, and thus obfuscates detection. On the other hand the AMEX fraud is conducted exclusively through American Express's facilities. Once the criminals have hijacked global American Express victim account data, they open fraudulent merchant accounts directly from AMEX and launder the hijacked card data via bogus fraud charges right back to AMEX. Amex in turn converts the fraud charges into cash and deposits the funds into the criminal's bank accounts, where it is then wired abroad back to the criminals. This will go down in history not only for its longevity, but also for its undetected simplicity. As a result of the discovery of the Amex card fraud hosting in early 2008, the Hostweb IP 64.202.102.8 has been under routine observation ever since then. Due to continued shadowing operations, some but not all, of the domains hosted there were published in previous posts. Here is a final list of the peak hosting on IP 64.202.102.8 From notes circa 02/2008: Hosting audit IP 64.202.102.8 01. Activexupdateweb.com 02. Az-bookspace.com 03. Best-ebooks4you.com 04. Crosswaronline.com 05. Digiwexonline.com 06. E-bookstrail.com 07. Ebooks-tfw.com 08. Ez-booksonline.com 09. Gameboxmobileshop.com 10. Ibook-space.com 11. Ibookspace.com 12. Ibookstfs.com 13. Liveinmotion.net 14. M-gamezshop.com 15. Mobilehomegame.com 16. Newmobile-shark.com 17. Online4ebooks.com 18. Vr-s.com = domains that were listed or discussed previously. I acknowledge research contributions from back then by DSR member sch9171 Two domains on the above list never had associated websites, and appear to be the first on that IP, Activexupdateweb.com and Digiwexonline.com. The former Activexupdateweb.com was registered in 04/2006 with a cloaked Domains by Proxy GoDaddy 2 year registration, and was renewed for another two years in 04/2008. Though the later Digiwexonline.com registration and renewal time frames matched identically to Activexupdateweb.com its registration details were not cloaked, and are as follows: Registrant: Lucy Peat (lucypeat345@yahoo.co.uk) Highbury Lodge Hill Farm Castle Bytham, Grantham NG334RW United Kingdom Domain Name: DIGIWEXONLINE.COM Created on: 06-Apr-06 Expires on: 06-Apr-10 Last Updated on: 05-Apr-08 It is reasonable to suspect that this is a carded and/or fraudulent registration. Not only that but in 2006 DIGIWEXONLINE.COM was a call home domain for a virus known as W32/Kibik.a quote: Discovery Date 11/09/2006 Characteristics - The W32/Kibik.a detection covers rogue copies of explorer.exe that are patched by W32/Kibik.dr. This virus was most recently caught spreading in the wild through a malicious website hosting Exploit-XMLCoreSrvcs. Once explorer.exe is restarted or the system is rebooted, the rogue explorer.exe (W32/Kibik.a) is loaded into memory. When run, W32/Kibik.a loads and injects a thread from W32/Kibik.dll into the following running processes where available: •explorer.exe •iexplorer.exe •firefox.exe •opera.exe •avp.exe These processes typically have permissions to access the Internet, in an attempt to bypass desktop firewall policies. W32/Kibik.dll performs a search on Google Blog Search using a hardcoded unique string. Currently, this search request does not yield any results on Google, but can possibly be used at a later time to download additional instructions or malware. Unlike Google Search, Google Blog Search may more specifically link to blog sites via RSS or Atom feeds. It also contacts a CGI script hosted on the following domain: digiwexonline.com At the time of writing, this website is not responding with data. It may also have been used to simply track the locations and number of infections. Ref: »vil.nai.com/vil/content/v_140866.htm Though I never saw a hosted site on DIGIWEXONLINE.COM, apparently there was one there for a very short period. Domiantools.com pulled this interesting site shot during an audit on 06/04/2008 Though it lists itself as "Enterprise Business Solutions" mobile billing, the page appears to be an entire fake. There is no record of a listed Joshua Reventrop, nor of such a statement: quote: "We are a vibrant mobile billing company with capabilities for premium rate services and superior delivery" Joshua Reventrop Marketing Director Enterprise Business Solutions LLC Activexupdateweb.com and Digiwexonline.com were subsequently moved in unison to another hostforweb IP 75.102.25.150 in June of 2008. During that time frame the last two domains that showed up on the original IP 64.202.102.8 were Crosswaronline.com and Liveinmotion.net. At first both appeared innocuous, and the SMTP server on port 25 of IP 64.202.102.8 announced itself as Liveinmotion.net. Furthermore liveinmotion.net had an open verified domain registration which one might consider exculpatory on that server: ICANN Registrar: GODADDY.COM, INC. Registrant: Sergey Tcherednichenko (sergeytch[@]gmail.com) Kirov av. 78/24 Dnipropetrovsk, Dnipropetrovsk 49000 Ukraine +380667032959 Domain Name: LIVEINMOTION.NET Created on: 14-Feb-07 Expires on: 14-Feb-11 Last Updated on: 13-Feb-09 Domain servers in listed order: NS33.DOMAINCONTROL.COM NS34.DOMAINCONTROL.COM Sergey Tcherednichenko AKA Sergeytch appears to be a game developer in the Ukraine, and has multiple posts on forums regarding graphics design, etc: »www.google.com/search?hl=en&q=Se···oq=&aqi= A 01/26/2008 screen shot of Crosswaronline.com shows the website was a static image of a game "Crosswar". Initially it was thought that there was no connection between Crosswaronline.com and Sergey Tcherednichenko's domain Liveinmotion.net. In fact, when Crosswaronline.com was first detected on that dedicated IP it was immediately connected to the AMEX card fraud laundering operation because of its domain registration: Registrant: vlad mironyuk (vladsdesign@hotmail.com) 4840 buffwood way sacramento, California 96841 United States Domain Name: CROSSWARONLINE.COM Created on: 06-Jul-07 Expires on: 06-Jul-09 Last Updated on: 06-Jul-07 Domain servers in listed order: NS57.DOMAINCONTROL.COM NS58.DOMAINCONTROL.COM That crosswaronline.com registration to a VLADIMIR MIRONYUK aka VLAD, was the same registration as the known Amex card fraud laundering domains of VR-S.COM and its companion NEWMOBILE-SHARK.COM: »Ebook websites, fraud charges, Devbill/DigitalAge/Pluto Two subsequent events confirmed Sergey Tcherednichenko's direct control over crosswaronline.com. They were both moved to IP 62.149.27.79: Server Type: Apache/2.2.10 (Unix) PHP/5.2.7 IP Address: 62.149.27.79 IP Location - Kyyiv - Kiev - Colo-cc 1. Crosswaronline.com 2. Liveinmotion.net 3. Liveinpoker.com 0 4. Yourlastletter.com And also Liveinmotion.net now displays two real mobile phone games, one of them being crosswar. What Sergey Tcherednichenko's direct connection to, or knowledge of, the Amex card fraud laundering operation is not known, but there are multiple direct connections. The commonality of the entire mobile game download component theme in both fraud operations is not lost in this relationship either. With respect to some of the other websites that were hosted on IP 64.202.102.8 and not part of the group of 8 discussed previously, E-bookstrail.com had a cloaked GoDaddy registration also, and its privacy policy listed it as a division of PARADISEWEB 1076 lost trail dr., Plumas lake, California 95961 800-959-8715 Another fraud site of interest was Gameboxmobileshop.com now currently assigned to Hostweb IP 75.102.25.153. On the privacy notice page Gameboxmobileshop.com listed itself as: VB Service LLC, 2114 Sherington Way, Sacramento, CA 95835 916-396-4310 ------------------ You can change your preferences on receiving information from us and third parties at any time by writing to us at [VB Service LLC 2114 Sherington way Sacrfamento, CA 95835 tel. (916) 396-4310 USA] or by sending an email to support@gameboxmobileshop.com. ------------------ As discussed previously, though several of the Russian ex pat AMEX cyber-mules have been tracked and contacted, none were cooperative. As many claimed not to speak English, the conclusion was that they were recruited via Russian language solicitations. So far only one vector was found, and it mentioned VB Service LLC. It was a posting on a Russian website irr.az: A translation of the title yielded: "VB Service LLC announces the recruitment for the vacancy in the department of marketing and sales" A matching California LLC was identified listing the owner as a ALICE KIRILYUK in Sacramento, "surprise surprise" VB SERVICE LLC Number: 200734510075 Date Filed: 12/11/2007 Status: active Jurisdiction: CALIFORNIA Address 2114 SHERINGTON WAY SACRAMENTO, CA 95835 Agent for Service of Process ALICE KIRILYUK 2114 SHERINGTON WAY SACRAMENTO, CA 95835 Though a few attempts to reach her failed, ALICE KIRILYUK appears to have a reasonable grasp of the English language: quote: Friday, February 17, 2006 Alice Kirilyuk, 22, loves shoes and bags but could never find what she liked in Sacramento. She and 30-year-old partner Russ Akhmerov, both of whom are originally from Moscow, decided last summer they'd open their own store. Vetta Bollare, which means "top brand" in Italian, is set to open April 1 next to Doubleday Bookshop. It'll sell shoes and handbags from Italy, Brazil and Spain, at prices from $130 to $450 -- lower than you'd find them for in San Francisco, Kirilyuk says. Ref: »assets.bizjournals.com/sacrament···mn1.html There is also a Porn connection, Alice Kirilyuk and Russ Akhmerov are listed as the owners of a FBN called DOLPHIN ENTERTAINMENT which produces and markets gay porn movies featuring young Russians and Latvians. They also own/ed numerous Porn domains including GayRussia.com. »www.google.com/search?hl=en&q=%2···oq=&aqi= Russ Akhmerov aka Rouslan aka Ruslan. At the time of that discovery, circa 02/2008 I ran their last names through my files. I got a hit on Alice's last name "Kirilyuk", and I am not sure if there is any connection or not. However, the name "Kirilyuk" takes us back through 7 years of the AMEX card fraud operation to a Sacramento County Fictitious Business name registration by a RUSLAN KIRILYUK. Who in July of 2002 registered the FBN of ESTOREONLINE. The peak of AMEX fraud charge complaints for that entity occurred in 2005 at the same time the "DIGITAL AGE" Visa / MC fraud was in full bloom. In fact the fraud charging complaints were intermingled in threads of Digital AGE, several follow up fake templates sites and ESTOREONLINE. Besides DSLR, and dozens of other forums, there was a 22 page thread on fatwallet.com quote: ....... Just realized for the past 2 months ESTOREONLINE ROCKLIN, CA has been charging my card, and its a bookstore... that doesn't exist. funny thing is i don't ever use this card. .. Also see: »news.cnet.com/5208-7350_3-0.html···&start=0 and »209.85.165.104/search?q=cache:5k···40&gl=us Even four years later Google can still resurrect line such as ...."I have an AX account and there is a 25 dollar charge from estoreonline (thats all it says) and I have no idea what it is and I havent used the card in years, just got this myserious bill. .... »www.google.com/search?hl=en&q=%2···oq=&aqi= The irony is that in September of 2005 a sharp AMEX rep posted this in the fatwallet forum: quote: "hi i work for AMEX and just was given this website by a cardmember to alert AMEX about this problem. i have set up an investigation and we are looking into this and will get it correct asap. thank you all for your understanding and responses it will help us in our investigation. ashleigh " Sep/21/2005 2:06 PM Ashleigh later followed up with this: quote: okay new update on the investigation at AMEX, it is called www.ecollectiononline.com ashleigh ESTOREONLINE 2823 Catalina Drive Rocklin, CA 95765 I wonder if now, almost four years and several million dollars of consumer Amex charge fraud later, if someone should break the bad news to American Express investigators. We know from the 2008 federal indictment of ALEXSANDR BERNIK AKA "ALEX", the cyber-mule of the AMEX card fraud laundering LEXBAY LTD fame, that during the eleven months it lasted in 2005/2006, he was racking up almost $45,000 a month of net fraud proceeds between August 2006 and November 2006. ecollectiononline.com was a GoDaddy domain by proxy reg, however, there is a WebArchive screen shot from circa 2005 of the webpage: The »web.archive.org/web/200508140201···dex.html We also now that ESTOREONLINE aka ecollectiononline.com was not RUSLAN KIRILYUK's only venture. Seven years ago, back in 2002 and 2003 his name shows up as the registrant ofat least two other GoDaddy registered Amex card fraud laundering domains: EBOOKS-SHOP.NET and TRAFICHUNTERS.COM** Registrant: Ruslan Kiriluk webserv77@hotmail.com E-books-Pro 4339 galbrath dr Sacto, California 95610 United States Registered through: Go Daddy Software Domain Name: EBOOKS-SHOP.NET Created on: 14-Aug-02 Expires on: 14-Aug-03 Last Updated on: 22-Aug-02 Domain servers in listed order: NS.EBOOKS-SHOP.NET NS.PROMOTE5.COM --------------------------------------- Record expires on 24-Jan-2003. Record created on 24-Jan-2002. Domain Name: TRAFICHUNTERS.COM Registrant: TraficHunters.com TRAFICHUNTERS-COM-DOM 612 Coppervale Circle Rocklin, CA 95677 USA . Administrative Contact: Ruslan Kirilyuk epros@msn.com 612 Coppervale Circle Rocklin, CA 95677 USA Name Server: NS.EBOOKS-SHOP.NET Name Server: NS.TRAFICHUNTERS.COM The same themes are still in use now: »web.archive.org/web/200211212213···ers.com/ A fraud charge complaint from circa 2002/2003 for "TRAFLCHUNTERS.COM 4153095956 CA" MGD
	to forum · permalink · · 2009-06-30 16:33:24 ·


Tuesday, 09-Feb 22:30:37	Terms of Use \| Privacy Policy \| Hosting by www.nac.net - DSL,Hosting & Co-lo \| feedback \| contact over 10.5 years online! © 1999-2010 dslreports.com. page compression OFF