

Snowy
Premium
join:2003-04-05
Kailua, HI
kudos:6
Reviews:
·Clearwire Wireless
·Time Warner Cable
reply to Doctor Four

Re: Ebook websites, fraud charges, Devbill/DigitalAge/Pluto

said by Doctor Four:

A post today on the Sunbelt Blog is related:

US FTC Goes After $10 M Micropayment Scam

direct link to FTC press release
»www.ftc.gov/opa/2010/06/adele.shtm

MGD
Premium,MVM
join:2002-07-31
kudos:9

2 edits

1 recommendation

reply to Doctor Four

said by Doctor Four:

A post today on the Sunbelt Blog is related:

US FTC Goes After $10 M Micropayment Scam

quote:
The U.S. Federal Trade Commission has said it brought an action in U.S. Federal court that shuts down an identity theft scheme that stole more than $10 million from victims’ credit card accounts in small amounts and sent the money out of the country.

The scammers recruited 14 money mules to set up dummy corporations and open bank accounts to receive payments of $10 or less from victims’ credit card accounts. Each account was charged only once. The FTC said it did not know how the scammers obtained the victims’ credit card information.

The money mules, recruited via spam email, sent the stolen funds to bank accounts in Bulgaria, Cyprus, Estonia, Latvia, Lithuania, and Kyrgyzstan.

»sunbeltblog.blogspot.com/2010/06···ent.html

The cybermule companies named are different, but the M.O. here is the same.
Outstanding catch, Doctor Four; same Organized Crime Syndicate, long ago tied directly to many of the names which are mentioned below. In various sections of the thread many are referred to as the 3 letter "Toll Free Group", read on:

said by Snowy:

said by Doctor Four:

A post today on the Sunbelt Blog is related:

US FTC Goes After $10 M Micropayment Scam

direct link to FTC press release
»www.ftc.gov/opa/2010/06/adele.shtm
Thanks for the link, Snowy.

[Note the FTC case file is labeled as (FTC File No. 0923051)(Adele Services)]

Actually, they are part of the Organized Crime Syndicate's multiple hub and spoke fraud operation, and many of the names are listed in this thread. Unfortunately the Chicago branch of the FTC has only taken a tiny bite out of the huge apple. It is as if they have reached into a 20 lb. bag of ice and pulled out a handful of cubes. While I congratulate the Chicago office of the FTC on what they have done, this action amounts to a minor hiccup within the entire operation of the OCS. Not only has it not been shut down, it is flourishing; hundreds of thousands of dollars are still leaving the US every week en route back to the OCS. The FTC really needs to speak with other three letter government agencies whose primary focus is on criminal action and not civil. They can best describe to the FTC the larger and global picture of what is going on.

In defense of the FTC, the entire hub and spoke format of the syndicate's network is, by design, configured to obfuscate and hide the entire scope of the global operation. Thus any infiltration will be unlikely to lead to a complete exposure without comprehensive and in-depth forensics being performed.

In fact, during their investigation had the FTC just Googled the country names where they then knew the fraud proceeds were being wired to, they would have found almost several pages of almost 70 fraud alert listings from me of fraud entity names that were not on their list: »www.google.com/search?q=banks+in···filter=0




The FTC is in good company though, investigations in the past into the "Digital Age" and "Pluto Data" mass fraud charging also failed to unearth the full scope of the operation.

quoted from news articles:

.."U.S. consumers footed most of the bill for the scam because, amazingly, about 94 percent of all charges went uncontested by the victims."

Over a much larger and longer period sample, the percentage is between 80% and 85%.

.." According to the FTC, the fraudsters charged 1.35 million credit cards a total of $9.5 million, but only 78,724 of these fake charges were ever noticed."

Using the same time period that the FTC is referring to, 2004 to now, the actual number is well over 20 times that amount. Well in excess of $250 to $300 million in fraud proceeds, .25 billion, and well over 50 million cards fraudulently charged. If you add in the associated costs of the fraud including an industry average of $15 to $20 for institutions to replace a compromised card then the total cost to date could well be barking at $1 billion.

.."Typically they floated just one charge per card number, billing on behalf of made-up business names such as Adele Services or Bartelca LLC."

Absolutely not true, over a very small sampling period it may appear as "floated just one charge per card number", however if you examine a much larger transaction time period of the card you will see that in the vast majority of the cases victims will be continually charged month after month. I have seen as many as 16 fraud charges on a single card over an 18 month period.

The FTC action is titled ADELE SERVICES; you can see here the cross charging between Adele and an already known and confirmed syndicate site of "Looper Enterprises":




An initial cursory review of the FTC's documents raises questions about some of the behavior of the cyber-mules. Though the OCS will never confide in a cyber-mule about the fraud, I always checked on how the cyber-mule set up the entities to see if they tried to hide or obfuscate the set up. My theory in sizing up the cyber-mules in advance was that if the business set ups were hidden and difficult to trace then that indicated to me that the cyber-mule was suspicious of the deal and might be indicative of some culpability. The cursory review of the FTC documents clearly indicates to me that some of the cyber-mules created hidden and hard to trace trails. That indicates to me suspicious behavior. Some of these business entities had over 70 business bank accounts. Who in their right mind would think that a business needing 70 bank accounts was engaged in anything remotely legitimate?

==============================================

API Trade, LLC, a Pennsylvania limited liability company incorporated in 2006, which has at least four bank accounts in its name; API's registered office address is 9926 Haldeman Avenue, #45 B, Philadelphia, Pennsylvania 19115

ARA Auto Parts Trading LLC, a limited liability company, which has at least two bank accounts in its name; ARA's principal address is 14202 Barcalow Avenue, Philadelphia, Pennsylvania 19116

Bend Transfer Services, LLC, a Nevada limited liability company incorporated in 2007, which has at least thirty bank accounts in its name; Bend's registered office address is 21285 East Highway 20, #169, Bend, Oregon 97701.

B-Texas European, LLC, a Texas limited liability company incorporated in 2006, which has at least sixteen bank accounts in its name; B-Texas' registered office address is 701 Brazos Street, Suite 1050, Austin, Texas 78701. B-Texas also conducts business at 8070 County Road, 603, Brownwood, Texas 76801.

CBTC, LLC, a Delaware limited liability company incorporated in 2007, which has at least four bank accounts in its name; CBTC's registered office address is 151 Evergreen Drive, Dover, Delaware 19901. It also conducts business at 9926 Haldeman Avenue, #45 B, Philadelphia, Pennsylvania 19115.

CMG Global, LLC, a Pennsylvania limited liability company incorporated in 2006, which has at least eleven bank accounts in its name; CMG's registered office address is 7400 Roosevelt Boulevard, #52602, Philadelphia, Pennsylvania 19115. It also conducts business at 7400 Roosevelt Boulevard, Apartment A303, Philadelphia, Pennsylvania 19152 and P.O. Box 52602, Philadelphia, Pennsylvania 19115.

Confident Incorporation, a California company incorporated in 2002, which has at least three bank accounts in its name; Confident's registered office address is 17800 Castleton Street, Suite 386, City of Industry, California 91748. Confident also conducts business at 30616 Sand Trap Drive, Agoura Hills, California 91301.

HDPL Trade LLC, a Pennsylvania limited liability company incorporated in 2008, which has at least nine bank accounts in its name; HDPL's registered office address is 1143 Northern Boulevard, #263, Clarks Summit, Pennsylvania 18411.

Hometown Homebuyers, LLC, a Texas limited liability company incorporated in 2002, which has at least thirty-seven bank accounts in its name; Hometown's registered office address is 413 East Highway 121, Lewisville, Texas 75057. It also conducts business at 8070 County Road 603, Brownwood, Texas 76801.

IAS Group LLC, a California limited liability company incorporated in 2008, which has at least five bank accounts in its name; Highway 121, Lewisville, Texas 75057. It also conducts business at 8070 County Road 603, Brownwood, Texas 76801.

IHC Trade LLC, a New York limited liability company incorporated in 2007, which has at least seventy-one bank accounts in its name; IHC's registered office address is 5823 North Burdick Street, East Syracuse, New York 13057.

MZ Services, LLC, an Arizona limited liability company incorporated in 2004, which has at least fifty-three bank accounts in its name; MZ Services's registered office address is located at 2910 North Casa Tomas Court, Phoenix, Arizona 85016.

New World Enterprizes, LLC, a New Jersey limited liability company incorporated in 2005, which has at least fourteen bank accounts in its name; New World's registered office address is 115 Magnolia Avenue, Suite 10, Jersey City, New Jersey 07306. New World also conducts business using the following addresses: (1) 441 Tomlinson Road, Apartment G 12, Philadelphia, Pennsylvania 19116, (2) P.O. Box 2645, Newark, New Jersey 07114, (3) 2400 East 3rd Street, Apartment 705, Brooklyn, New York 11223, and (4) 504 Florida Grove Road, Keasby, New Jersey 08832.

Parts Imports LLC, a Louisiana limited liability company incorporated in 2006, which has at least forty-two bank accounts in its name; Parts Imports' registered office address is 617 Elm Drive, Bogalusa, Louisiana 70427.

SMI Imports, LLC, a Florida limited liability company incorporated in 2006, which has at least fourteen bank accounts in its name; SMI's registered office address is 2329 North Tamiami Trail, Apartment #10, Sarasota, Florida 34234. SMI also conducts business at 8122 45th Court East, Apartment 7, Sarasota, Florida 34243.

SVT Services, LLC, a New York limited liability company incorporated in 2008, which has at least eight bank accounts in its name. SVT's registered office address is 800 East 13th Street, Apartment K, Brooklyn, New York 11230.
==============================================





According to the FTC the above companies had merchant accounts and billed under the following names:




==============================================
ACM »Ebook websites, fraud charges, Devbill/DigitalAge/Pluto

Adele Services
»Ebook websites, fraud charges, Devbill/DigitalAge/Pluto

»www.google.com/search?hl=en&q=si···gs_rfai=

Advanced Global Tech
AEI
Albion Group
Alpha Cell

ALS
ALS LLC


»www.google.com/search?q=site%3Ad···=en&sa=2

ALS cross charges a victim who 24 hours earlier was hit by Eatemplates.com AKA EA Web Designs 434-878-3659





BEI
BIT
BusinessWorks
Center Company
Centrum Group
CFM
CFR
COS
Data Services
Den Enterprises
Dgen
Digest Limited
Don Partners
DwellTech
Edge
ESTA
Eureka

Extra Path

»Ebook websites, fraud charges, Devbill/DigitalAge/Pluto

Form Limited
Foto Fast
Gamma

GFDL

»Ebook websites, fraud charges, Devbill/DigitalAge/Pluto

GLOBO
Green Stone
Harry Dean

HBS

»Ebook websites, fraud charges, Devbill/DigitalAge/Pluto

HBS was identified by multiple victims as cross charging with known OCS entities, including this September 2009 posting showing "HBS" and "Daye Traffic" and "CJ Financials" all hitting the same victim's card:





CJ Financials was subsequently linked to a cyber-mule LLC in Maryland: »Ebook websites, fraud charges, Devbill/DigitalAge/Pluto and of course "Daye Traffic" was tied to a cyber-mule KEVIN L. DAYE in Nebraska »Re: Ebook websites, fraud charges, Devbill/DigitalAge/Pluto

Home Port

Homebase

»Ebook websites, fraud charges, Devbill/DigitalAge/Pluto

ICH Services
IHS
Image Company
Image Services
IPS
ISSO
IVA
Lang Group
Light Flow
Link Group

Link Services

»www.google.com/search?hl=en&q=si···gs_rfai=

Another one of numerous cross charges which ties the Organized Crime Syndicate's operation together. "LINK SERVICES" on the FTC's list and "Daye Traffic" a known OCS both hit the same victim's card sequentially:

quote:
...Just got my credit card statement with a fraudulent charge of $9.00 on it from "LINK SERVICES" out of California with the phone number of 866-473-8739. I also got one from "DAYE TRAFFIC LLC" with the phone number of 402-408-6643.





»Re: Ebook websites, fraud charges, Devbill/DigitalAge/Pluto

DAYE TRAFFIC was one of numerous identical floral themed fraud charging websites

List Services
Mark Silver
MARX
Mera
MFG
Name Services
NETT
New Eight
Office Development
Office Services
OM Extra
ONE
Online Group
Prc Services
Presi
Rasna
RSIPartners
RSS Inc.
Safeworks
Search Company
Search Management
Search Services
SFR
Sigma
Site Group
Site Management

Site Services


»Ebook websites, fraud charges, Devbill/DigitalAge/Pluto

Source Limited
Standard Six
SYS INC
System Development
Terra
THQ
TIMO
TLC Inc.
Union Green
United Services
VIVOS
WELLE
Will Services
World Trade
World Wide Services
YES

==============================================
Back in 2008 I posted how even the folks at 800notes.com had noticed the well known obfuscation tactic by the OCS of post seeding the phone numbers of the fraud entity:



800NOTES

Credit Card Thieves Trying to Hide Their Trails

30 Jun 2008

We have recently discovered that many phone numbers, reported to be connected with unauthorized charges, are being targeted by spammers, who come to the website and make unrelated postings to the discussion threads.

At first it didn’t make any sense, we would see a thread where almost every user was reporting something completely different than all the others. Some said that the number belongs to a collection agency, some claimed that a telemarketer calls from it, others reported that the number belongs to a newspaper subscription service.

After a while a pattern emerged, all of these threads had one thing in common: “true” users were reporting unauthorized charges while other postings were made by bots.

We started to monitor the threads and discovered that someone has been spamming these particular discussions. It seems they do it for one purpose: to confuse the audience and keep it off track.

In many cases they even create a discussion thread for a particular number well in advance before any fraudulent charges are noticed and reported. They then spam it with unrelated postings. Like, for example, in this thread the first posting was made on Feb 16th 2008, and then only on March 5th users started reporting strange transactions (we didn't remove the 'bot' postings for demonstration purposes and will clean it up shortly).

We are now building the list of the phone numbers that match this pattern and so far have 60 phone numbers responsible for fraudulent charges. All the numbers are from 888, 877, 866, and 800 area code.

The fraudulent charges are placed using the following company names: 'Link Services', 'Link Group', 'Source Limited', 'System Development', 'HBS', 'Electronic Business Resources', 'Image company', 'World Wide Services', 'World Trade', 'ICS Services', 'Homebase', 'Home Port', 'DEN Enterprises', 'EST Company', 'BEI', 'Site Services', 'Search Services', 'ESTA', 'SENSATE TECHNOLOGY', 'Market Billing', 'MCA Templates', 'Web Templates', 'Will Services', 'Office Services', 'Terra', 'World Development', 'UNITED SERVICES', 'SITE DEVELPOMENT', 'ALS', 'Mera', 'Search Management', 'ONLINE GROUP', and 'ACM'.

We are looking into ways to prevent them from posting. If you find a thread with the pattern described above, please use the 'Report Abuse' button to alert us.
Ref: »800notes.com/news/Lvz7S11WjQCaCgjKqPx8Ag



You can clearly see how the seeding tactic was used across the entire range of groups, including the Orange template group, and including those listed by the FTC.

Not only has the current FTC action not even come close to shutting the operation down, being generous, it barely covers 5% of the known activity.

On the surface the FTC found that some of the fraud proceeds were used to pay for the set ups and support services.

Note Red underline:




If the FTC had dug a lot deeper, they would have found that in one instance alone over $15,000 from the fraud charging proceeds of just one fraud entity were transferred from a Bank of America business account to buy an entire sequence of prepaid debit cards in $500 and $300 increments. These purchases were made in two trips where the cyber-mule was directed by the crime syndicate to a specific mall in Texas, and told to buy the prepaid cards at a Simon Group Mall store:




The Organized Crime Syndicate then had the cyber-mule go online and register the $15,000 worth of prepaid debit cards to various names and addresses which they provided to the mule via email. Once the mule completed the online registration of the prepaid cards then they could be used by the criminals directly from Eastern Europe to go online and purchase anything they wanted in the US. This is a form of "Virtual Money laundering" that the FBI has been loudly complaining to Congress and the banking industry about for some time now. It has been impossible to track this form of virtual money laundering, since no "money" physically moves between countries or banks. If you have noticed how difficult it has become recently to buy a prepaid debit card anonymously this should explain why. Criminals and money launderers have taken to the prepaid debit card system like a duck to water. So much so that new legislation is about to go in effect shortly that requires all prepaid debit card purchases to be documented, including the recording of identity submits used to make the purchase.

Subsequent tracking of the OCS's card data above showed that it was used to pay for numerous forms of criminal support services, including hosting at GoDaddy, VoIP phone service from Vonage, and online registration services for other fraud LLCs and corporations.

Obviously the FTC has apparently tracked the fraud proceeds from the group going to "bank accounts in Bulgaria, Cyprus, Estonia, Latvia, Lithuania, and Kyrgyzstan."





You can place a strong bet that if the FTC were to run these known bank wire drops of the Organized Crime Syndicate, where the card fraud proceeds were tracked going to, against their own FTC list, bells should ring from the matching hits:

==============================================
Beneficiary Name: BETA-METAL LTD
Beneficiary Address: Grushevskogo 28/2, Kyev, Ukraine. 01021
IBAN: LV55 RTMB 0006 0380 6245
(multicurrency)
Bank: JSC Rietumu Banka
Bank address: 54 Brivibas street, Riga, LV-1011, LATVIA
S.W.I.F.T.: RTMBLV2X
==============================================

==============================================
Beneficiary Account: Name: VIDESS S.A No.: 073725
IBAN: CY2011501002073725USDCACC001
Beneficiary Bank: FBME BANK Limited,
Nicosia, Cyprus
Swift Code: FBMECY2N
Correspondent Bank: Deutsche Bank Trust Company, New York, USA
Swift Code: BKTRUS33
Account No: 04-053-863
==============================================

==============================================
Beneficiary's Bank Name: FBME BANK Limited
Beneficiary's Bank SWIFT code: FBMECY2N
Beneficiary's Bank Address: Nicosia, Cyprus
Beneficiary Account: CY5611501002074923USDCACC001
Beneficiary Name: WESTA HOLDINGS LTD
==============================================

==============================================
NAME OF COMPANY : MARMION PACIFIC CORPORATION
COMPANY ADDRESS : 95 Athalassas Avenue
3rd Floor, CY-2024, Nicosia, Cyprus

BANK NAME : BANK OF CYPRUS
BANK ADDRESS : 28 Michalakopoulou Street,
CY-1075 Ayji Omologitae, Nicosia
Account number : 0155-40-642688-06
SWIFT : BCYPCY2N
==============================================

==============================================
Beneficiary's Bank Name: EUROBANK PLC
Beneficiary's Bank SWIFT code: EUBKBGSF
Beneficiary's Bank Address: 43 Cherni Vrah Blvd.,
1407 Sofia, Bulgaria
Beneficiary Account: BG96PIRB91701745144579
Beneficiary Name: Inowest Enterprises Inc
==============================================

==============================================
Beneficiary's Bank Name: Piraeus Bank
Beneficiary's Bank SWIFT code:
Beneficiary's Bank Address: 43 Cherni Vrah Blvd.,
1407 Sofia, Bulgaria
Beneficiary Account: BG73PIRB74051735052201
Beneficiary Name: Midtown Intergroup Ltd.
==============================================

==============================================
Beneficiary's bank name: ASIAUNIVERSALBANK
Beneficiary's Bank SWIFT code: ASUJK22
Bank address: 59, togolok moldo str., 720033,
BISKHEK, KYRGYZSTAN REPUBLIC
Beneficiary account: 1231128530000131
Beneficiary name: Inowest Enterprises
Beneficiary address: same as bank address
==============================================

==============================================
Intermediary bank:

NATIONAL BANK OF CANADA
MONTREAL, CANADA
ACC. 10233724000200101
SWIFT code: BNDCCAMMINT

Beneficiary Bank:
Trasta Komercbanka (Trust Commercial Bank)
Miesnieku iela 9, Riga LV 1050, Latvia
SWIFT code: KBRBLV2X
Beneficiary:
Name: VELNAR TRADE LLP
Account number: LV40KBRB1111212307001
Address: Cornwall Buildings, Birmingham, B3 3QR, UK
==============================================

==============================================
Beneficiary's Bank Name: Parex banka.
Beneficiary's Bank SWIFT code: PARXLV22.
Beneficiary's Bank Address: 3, Smilshu str., Riga, LV-1522, Latvia.
Beneficiary Account: LV83PARX0009490320001.
Beneficiary Name: Omtron Limited.
Beneficiary address: 60 market Square P.O.Box 1906, Belize City, Belize
==============================================

==============================================
Benificiary's Bank Name: Hellenic Bank
Benificiary's Bank SWIFT code: HEBACY2N
Benificiary's Bank Address: 173, Athalassas Ave. Stovolos, 2025, Nicosia, Cyprus
Benificiary's Account: CY69005001400001400734734801
Benificiary's Name: Omtron Limited
Benificiary's Address: 60 Market Square P.O. Box 1906, Beliz City, Beliz
==============================================

==============================================
Beneficiary's Bank Name: Parex banka
Beneficiary's Bank SWIFT code: PARXLV22
Beneficiary's Bank Address: 3, Smilshu str., Riga, LV-1522, Latvia
Beneficiary Account: LV83PARX0009490320001
Beneficiary Name: Omtron Limited
Beneficiary address: 60 market Square P.O.Box 1906, Belize City, Belize

Detail of the payment:
Law and consulting services.
Description: Consultations on introduction of accounting system of
documents. Documentation creation. Processing and filling
==============================================

==============================================
Beneficiary’s Bank Name: Aizkraukles banka
Beneficiary’s Bank SWIFT code: AIZKLV22
Beneficiary’s Bank Address: Elizabetes 23, LV-1010, Riga, Latvia.
Beneficiary Account: LV29AIZK0001140110388
Beneficiary Name: DIMELFIELD MANAGEMENT LTD
Beneficiary address: Geneva place Waterfront Drive Road, Town Tortola,
British Virgin Islands
Detail of the payment: For law consulting invoice 29072009/1
==============================================

==============================================
Please pay via Bank Wire Transfer (SWIFT transfer) to:

BANK: BANCO POPULAR DOMINICANO
BANK ADDRESS: TORRE POPULAR FLOOR 4 AVENIDA JOHN F. KENNEDY/MAXIMO GOMEZ
BANK CITY: SANTO DOMINGO
BANK COUNTRY: DOMINICAN REPUBLIC
SWIFT CODE: BPDODOSXXXX
ACCOUNT NUMBER: 735904526
ACCOUNT HOLDER: FREE WAY CORPORATION C por A
ACCOUNT HOLDER ADDRESS: CALLE B, CASA 17, SANTO DOMINGO, DOMINICAN REPUBLIC
REASON FOR PAYMENT: PAYMENT FOR SERVICES / PAGO DE SERVICIOS
The account currency is USD, so please execute the wire in USD
==============================================

MGD
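The cross-charging analysis used throughout the post above (one victim's card hit by "HBS", "Daye Traffic" and "CJ Financials"; another by "LINK SERVICES" and "DAYE TRAFFIC LLC"; ALS with Eatemplates.com; Adele with Looper Enterprises) can be done mechanically by clustering billing descriptors that share a victim card. This is an added example, not part of the original thread: the victim labels, the unrelated merchant and the suffix-stripping rule are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of victim reports: (victim label, billing descriptor).
# Descriptor names are the ones the post pairs together; the victim labels
# and "Example Grocer" are placeholders invented for this example.
REPORTS = [
    ("victim-A", "HBS"),
    ("victim-A", "Daye Traffic"),
    ("victim-A", "CJ Financials"),
    ("victim-B", "LINK SERVICES"),
    ("victim-B", "DAYE TRAFFIC LLC"),
    ("victim-C", "Eatemplates.com"),
    ("victim-C", "ALS"),
    ("victim-D", "Adele Services"),
    ("victim-D", "Looper Enterprises"),
    ("victim-E", "Example Grocer"),
]

# Assumption: a trailing corporate suffix does not distinguish two descriptors.
_SUFFIX = re.compile(r"[\s,]+(?:LLC|INC|LTD|CORP)\.?$")


def normalize(descriptor):
    """Upper-case, collapse whitespace and drop a trailing corporate suffix,
    so 'DAYE TRAFFIC LLC' and 'Daye Traffic' compare equal."""
    name = re.sub(r"\s+", " ", descriptor.strip().upper())
    return _SUFFIX.sub("", name)


class DisjointSet:
    """Minimal union-find used to merge descriptors into clusters."""

    def __init__(self):
        self.parent = {}

    def find(self, item):
        self.parent.setdefault(item, item)
        while self.parent[item] != item:
            # Path halving keeps lookups cheap on long chains.
            self.parent[item] = self.parent[self.parent[item]]
            item = self.parent[item]
        return item

    def union(self, left, right):
        root_left, root_right = self.find(left), self.find(right)
        if root_left != root_right:
            self.parent[root_right] = root_left


def cluster_descriptors(reports):
    """Group descriptors that are connected, directly or through a chain of
    shared cards. Returns a sorted list of (descriptors, supporting victims);
    descriptors seen alone on every card are left out."""
    by_victim = defaultdict(set)
    for victim, descriptor in reports:
        by_victim[victim].add(normalize(descriptor))

    groups = DisjointSet()
    for names in by_victim.values():
        first, *rest = sorted(names)
        groups.find(first)  # register descriptors that appear alone
        for other in rest:
            groups.union(first, other)

    members = defaultdict(set)
    evidence = defaultdict(set)
    for victim, names in by_victim.items():
        root = groups.find(next(iter(names)))
        members[root] |= names
        evidence[root].add(victim)

    return sorted(
        (sorted(members[root]), sorted(evidence[root]))
        for root in members
        if len(members[root]) > 1
    )


if __name__ == "__main__":
    for descriptors, victims in cluster_descriptors(REPORTS):
        print(", ".join(descriptors), "<-", ", ".join(victims))
```

A cluster is an investigative lead: the supporting victim list shows how many independent cards back each link, and a link resting on a single card deserves less weight than one seen repeatedly.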

MGD
Premium,MVM
join:2002-07-31
kudos:9

1 recommendation

reply to Doctor Four

In reviewing the FTC documents and examining the cyber-mule configurations with respect to vetting the mules, there are some issues which fail the initial "smell test". In all cases to date the recruitment process always involves duping the cyber-mule. That is a crucial part for the organized crime syndicate because an aware mule with criminal intent could easily rip the syndicate off for $20K to $40K. So the question usually becomes: is there evidence at some point which points to the cyber-mule becoming aware that what they are involved with is nefarious? Or are their accumulated actions so far outside of the realm of usual and customary business practices to make it blatantly obvious to even the foolish and naive that something is seriously wrong?

Historically, during the mule uncovering process I examine the entity configurations and patterns to see if there were subsequent signs of obfuscation by the cyber-mule. Mules who are out there and have a direct trail to their front door are synonymous with being totally duped over the long term. Take Kimberly Constanza for example, whose almost 6 year longevity as the cyber-mule for the notorious KCSOFT LLC is proudly displayed on her LinkedIn profile. One presumes that is indicative of the lack of even one iota of realization. Generally one would not knowingly list an occupation of laundering the proceeds of many hundreds of thousands of the proceeds of credit card fraud to foreign banks on one's resume. Conversely, if one finds signs or patterns of subsequent hiding or other forms of obfuscation, one might conclude that the behaviour could be the result of the cyber-mule's suspicions regarding the legality of what they are participating in. That is not a foregone conclusion; however, it appears reasonable to consider that it may be a possibility.

With that in mind, I have a tough time getting my arms around these two particular entities listed on the FTC documents:

• IHC Trade LLC, a New York limited liability company incorporated in 2007, which has at least seventy-one bank accounts in its name; IHC's registered office address is 5823 North Burdick Street, East Syracuse, New York 13057.
It is difficult to fathom how setting up 71 business bank accounts in a 24 month period could even remotely resemble any form of customary and usual business activity, regardless of how naive the duped cyber-mule may be. It certainly represents a new low for what I have run across in my 5 plus years of shadowing this operation. Based on New York state records it appears that IHC Trade LLC was registered on March 14th 2007 by an IRINA HECK with an address in EAST SYRACUSE, NY.





Selected Entity Name: IHC TRADE LLC
Selected Entity Status Information Current
Entity Name: IHC TRADE LLC
Initial DOS Filing Date: MARCH 14, 2007
County: ONONDAGA
Jurisdiction: NEW YORK
Entity Type: DOMESTIC LIMITED LIABILITY COMPANY
Current Entity Status: ACTIVE

Selected Entity Address Information DOS Process
(Address to which DOS will mail process if accepted on behalf of the entity)
IRINA HECK
5823 N. BURDICK STREET
EAST SYRACUSE, NEW YORK, 13057
Registered Agent
NONE


If this was the birth of the operation it certainly seems straightforward, with everything as it should be. However here is where it gets dicey and a little muddy for me. Further examination of the FTC documents reveals this gem:

• HDPL Trade LLC, a Pennsylvania limited liability company incorporated in 2008, which has at least nine bank accounts in its name; HDPL's registered office address is 1143 Northern Boulevard, #263, Clarks Summit, Pennsylvania 18411.
1143 Northern Boulevard, Clarks Summit, Pennsylvania 18411 is a UPS Store & Mail Boxes Etc location:





Interesting, let's have a look at the Pennsylvania registration records for HDPL Trade LLC:




Well there is a clear violation of PA Corporate regulations, while there are no residency requirements for registering a Corp / LLC in PA., you are required to have a registered physical address for an agent:

quote:
.. Pennsylvania Corporations and Limited Liability Companies are required to have a registered agent who must maintain a physical address in the State of Pennsylvania and be available during standard business hours. ...

A UPS MAIL BOX does not meet the "physical" requirements.

and there is more:


Business Name History
Name: HDPL Trade
Current Name: HDPL Trade
Name Type LLC
Limited Liability Company - Domestic - Information
Entity Number: 3796396
Status: Active
Entity Creation Date: 3/14/2008
State of Business.: PA
Registered Office Address:
1143 Northern Blvd
#263
Clarks Summit PA 18411
Lackawanna
Mailing Address: No Address

Officers
Name: EDWARD HECK
Title: President
Address: 5348 VEGAS DR.
LAS VEGAS NV 89108


Edward Heck. The last name HECK sounds familiar. So EDWARD HECK, the president of "HDPL Trade", lists an address in Las Vegas, Nevada. What is at 5348 Vegas Drive:



»www.incparadise.net/text/mail-forwarding.htm

Interesting, a mail forwarding service of EastBiz.com & incparadise.net. Do you get a feeling that someone is trying to remain anonymous and hide? Not exactly a typical pattern of a legitimate business set up. A Pennsylvania LLC registered using a UPS Mail Boxes drop box, listing a president of the LLC at a mail forwarding address in Las Vegas, Nevada. While it is nothing that would stop a 3 letter federal agency from tracking you down in a matter of minutes, it is nevertheless clearly an attempt at anonymity and to project oneself as being somewhere else.

But there is more:

=========================================
New York
Selected Entity Name: IHC TRADE LLC
DOS Filing Date: MARCH 14, 2007
Address to which DOS will mail process:
Name: IRINA HECK
=========================================

Exactly one year and presumably many bank accounts later:

=========================================
Pennsylvania
Business Name: HDPL Trade
Entity Creation Date: 3/14/2008
Officers
Name: EDWARD HECK
Title: President
=========================================

Public records show a mid 2006 entry of:

=========================================
EDWARD G HECK Created: 05/2006
Edward Heck, Edward G Heck II, Irina E Heck, East Syracuse, NY
=========================================

So are Irina Heck of IHC TRADE, and Edward Heck of HDPL TRADE, related?

What the heck were the Hecks thinking?

The second time around fails the smell test. What transpired during that 12 month period to change from the plain straight up open registration of the first NY LLC to a second Darth Vader one? According to the FTC records that makes a combined total of 80 bank accounts for both since 03/14/2007. Makes you wonder about those federal "Know Your Customer" regulations.

MGD

garys_2k
Premium
join:2004-05-07
Farmington, MI
Reviews:
·Callcentric
·callwithus

Once again an outstanding job of sleuthing and forensics! Yes, it's clear that this mule is much more than an innocent victim, but is knowingly taking part in criminal activity.

The ease with which the mules could rip off the organization has had me wondering, too, if the syndicate has some minimal threshold of return they'd expect to see, and how they'd enforce such a threshold. Since another branch of their same organization is generating the fraudulent activity, they should know (almost to the dollar) exactly how much they ought to be receiving from each mule. If the mule starts keeping 50-75% of the gross fraud charges for himself, are there enforcers here in the States to pay them a visit?

I wonder if the mules, say those that know from the start what this is about, hide their true identities even from the syndicate. That would be a very risky game, for sure.


MGD
Premium,MVM
join:2002-07-31
kudos:9

1 edit

1 recommendation

Yes, they know exactly and can track to the dollar for every account in their massive organization. As you can see from that sting operation which duped the OCS into returning $2,000 in cash from the already wired fraud proceeds, in the belief that they were going to be able to restart the processing of ~ $40,000 a month fraud billing per each of the three accounts.



»Re: Ebook websites, fraud charges, Devbill/DigitalAge/Pluto

They knew how much was left in each of the three accounts. The criminals also have the log in credentials for the matching Authorize.net gateway processing accounts. Those accounts also show the exact amount billed down to the transaction level, and the status of the funds, plus processing charge status. Funds are wired out of the country from each affiliated business account weekly, so the most that can be in process per account is no more than around 7 days, plus the float / reserve.

In fact, according to their records, the FTC from all those corporations listed in the action, and the over 100 bank accounts, was only able to freeze ~$100,000 in the combined total. That was using a no advance notice ex parte court order, where the freeze order goes direct from the FTC to the banks, bypassing the named account holders.

If one were to tell the OCS during the recruitment process that "hey I am sure this is a fraud, but I will go along with it for the money", they will drop you like a rock, swear they are legitimate, and stop communicating.

Conceivably, if one were to start out with a plan to rip the criminals off, you could stall them on the wires saying that you made them and they are AWOL. You could possibly build up two weeks or a little more of processing, pocket the funds and close it down. That is their fear, so they will only function with known duped mules. The former would be difficult anyway since they run a background check online to make sure that the mule's name, address etc., that is given to them matches. Of course the bank account has to be opened in person, and a picture ID produced. Then a merchant account has to be opened, though according to the FTC documents the OCS was repeatedly successful at setting some of the merchant accounts up with hijacked identities.

It would be difficult, but not impossible to set up a rip-off scenario of the OCS, and then scale it up. Especially if you take the first few weeks of proceeds and then close it. That would be long before any level of fraud complaints would surface, mitigating the risk. That is why they are so diligent at screening cyber-mules and checking them. They go to great lengths with official looking legal documents, Fake C&Cs, and multi page contracts and FAQs to impersonate a legit outfit. In fact, in many of the posted contracts in this thread, they list that any attempt to deceive or embezzle will generate immediate crime report filings with the FBI, leading to guaranteed prosecution with severe penalties. LOL!!

A recent excursion across enemy lines and infiltration into the organized crime syndicate's computers, servers, and operating network, shows that they keep detailed records and accounting of the massive crime operation. As has been tested and discussed before, the outside facing shopping cart is non functioning. They may sometimes enable it during the merchant account vetting process, if the account provider tries to "test it". Hidden behind the essentially empty fake website is a php / curl script. The organized crime syndicate runs a scripted bot direct from their HQ which has a hopper loaded with thousands of compromised card data. This bot script then makes individual connections to the matching fraud website receiving script through a proxy network of thousands of compromised US IPs / computers. The site script then processes or dumps each entry from the individual connections into the authorize.net processing network. From the card processor and merchant account issuers view, it appears that the purchases are originating at the fraud website and coming from various US IP addresses, and not from eastern Europe.

Here is an example recovered during the excursion / infiltration inside the syndicate's operation. This is the curl / php script hidden on the fake fraud website. The script file is the website interface and receptor for the bot connection:




The bot routing in via socks proxies on thousands of US IPs calls the above php file via a "GET" request, dumps a victim's hijacked card data entry already formatted for the script, all within a second of time. That one to two second action is completed with a "Post" action command, which causes the on site script above to connect to the authorize.net / Cybersource (Now owned by Visa) gateway and then dump the entry in to the card processor.

Now here is a snippet of around 100 seconds of recorded log activity of connections made to that script. Each "GET" is a request for the script, and each "POST" is a loaded card entry purchase. You can see the script being called and then loaded from various proxy botted US IP addresses over this ~100 second time capture snippet.




Multiply that ~ 100 second volume, with each transaction occurring over a fraction of a second, times 24/7, times many hundreds of card fraud websites. All the processor can see is that the purchase data originates at the fake fraud website and appears to them to be coming from random domestic US IP addresses. Mimicking what one would expect to see from a normal legitimate well advertised online business.

For each transaction the OCS gets this confirmation of the activity delivered back into their hands from the processor.





Their servers receive a matching processing activity response log back showing the result of each scripted transaction:




I was surprised to find that the 3 digit CVV2 is not required by the processor for online debit card transactions.

MGD
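Added example, not part of the original post and not code recovered from the operation: a defender-side check that a hosting provider or investigator could run over a web server access log to spot the traffic shape described above, where many distinct client IPs each fetch one script, POST to it within a second or two, and request nothing else. The combined log format, the `/pay.php` path, the documentation-range IP addresses and the thresholds are all assumptions made for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Common/combined log format: ip, timestamp, method, path.
LINE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "(GET|POST) (\S+)[^"]*" \d{3}')


def parse(lines):
    """Yield (ip, timestamp, method, path) for every parsable log line."""
    for line in lines:
        m = LINE.match(line)
        if m:
            ip, ts, method, path = m.groups()
            when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
            yield ip, when, method, path.split("?")[0]


def one_shot_ips(events, max_gap=2.0):
    """Map path -> IPs whose entire visit is GET then POST of that path
    within max_gap seconds (no pages, images or stylesheets fetched)."""
    by_ip = defaultdict(list)
    for ip, when, method, path in events:
        by_ip[ip].append((when, method, path))
    hits = defaultdict(set)
    for ip, reqs in by_ip.items():
        if len(reqs) != 2:
            continue
        reqs.sort(key=lambda r: r[0])  # stable: log order kept on ties
        (t1, m1, p1), (t2, m2, p2) = reqs
        gap = (t2 - t1).total_seconds()
        if (m1, m2) == ("GET", "POST") and p1 == p2 and gap <= max_gap:
            hits[p1].add(ip)
    return hits


def flag_scripted_endpoints(lines, min_ips=5, min_share=0.8, max_gap=2.0):
    """Flag paths where most POSTing clients are one-shot GET/POST visitors."""
    events = list(parse(lines))
    posters = defaultdict(set)
    for ip, _, method, path in events:
        if method == "POST":
            posters[path].add(ip)
    flagged = {}
    for path, ips in one_shot_ips(events, max_gap).items():
        share = len(ips) / len(posters[path])
        if len(ips) >= min_ips and share >= min_share:
            flagged[path] = {"one_shot_ips": len(ips), "share": round(share, 2)}
    return flagged


def fmt(ip, second, method, path):
    """Build one constructed log line, `second` seconds after 14:00:00."""
    stamp = f"12/Jul/2010:14:{second // 60:02d}:{second % 60:02d} +0000"
    return f'{ip} - - [{stamp}] "{method} {path} HTTP/1.1" 200 512'


def shopper_log():
    """Constructed log of one ordinary shopper browsing before paying."""
    ip = "203.0.113.7"
    return [
        fmt(ip, 5, "GET", "/"),
        fmt(ip, 5, "GET", "/style.css"),
        fmt(ip, 50, "GET", "/pay.php"),
        fmt(ip, 95, "POST", "/pay.php"),
    ]


def sample_log():
    """Constructed ~100 second log: 8 one-shot clients plus the shopper."""
    lines = []
    for i in range(8):
        ip = f"198.51.100.{10 + i}"
        start = 1 + 12 * i
        lines.append(fmt(ip, start, "GET", "/pay.php"))
        lines.append(fmt(ip, start + 1, "POST", "/pay.php"))
    return lines + shopper_log()


if __name__ == "__main__":
    print(flag_scripted_endpoints(sample_log()))
```

The same counts per source IP give nothing away on their own, since each address appears only once; it is the share of one-shot visitors per endpoint that separates this traffic from shoppers who load pages and assets before paying.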

MGD
Premium,MVM
join:2002-07-31
kudos:9

2 recommendations

What adds to this debacle is the increasing frequency with which some banks are reversing the fraud charges back to the few victims who actually report the charge as fraudulent. When the between 10% and 20% of the fraud victims who report the charge to their card institution as fraudulent, (credit card), the bank will usually issue a provisional credit on the spot. The bank through the system then notifies the originating merchant account of the "dispute". That record usually ends up in the cyber-mule's hands, as it is mailed to the mule from the merchant account provider in the monthly account statement. Sometimes the mule will then log on to the authorize.net account and check the transaction details. Some are then making a print out of the authorize.net screen which has a date and time stamp along with the captured domestic IP where the transaction originated from (The bot proxy network). The mule then returns that print out record along with the dispute claim to the victim's card issuing bank. In the peak of irony, and without further recourse, the bank when they see that printout then reverses the fraud charge back to the card holder and makes them pay it. Apparently, for dispute complaints in this price range, even when the victim insists that it is fraudulent, the bank treats the time stamp IP transaction printout as prima facie evidence that the card holder actually made the purchase. Talk about the ultimate victim frustration of the financial system....

The most recent case example that I am looking at, and will post, is from a victim whose credit card was issued by Chase Bank. Ironically, it was Chase bank who also reversed a fraudulent charge back to a customer whose card was officially noted as being compromised in the recent Monoprice database hacking. Even with that and despite the victim complaining to Chase upper management they insisted on reversing a fraud charge back to a customer despite a notice to the card holder from Monoprice that their card was compromised. After the compromise the card holder received numerous fraud charges including some from Yahoo. It was the time/ date/ IP transaction printout from Yahoo in response to that fraud notice which Chase is using to insist that the customer pay the fraud charge.

Remember that the printout only shows an IP address, the bank makes no effort to substantiate whether the IP address is even remotely close to the customer's location, forget even establishing if it was their assigned IP. This is the DSLR thread on the Monoprice fraud on the Chase issued card »Bank Denied Fraud Claim. As I stated in that thread a transaction date time IP stamp can never be used as the primary proof that a card holder actually made the transaction. Remember that it is the submitting of the printout by itself, which causes the reversal of the fraud charge back to the victim, not that any effort is made to establish if the information is correct. The now repeated occurrences of banks reversing fraud charges back to victims just based on the receipt of the transaction record is appalling, and has no legal basis whatsoever. The problem is that the amount is so small and is thus handled at such a low automated non thinking level. What is surprising about the other referenced case is that the victim then went to Chase Corp HQ, and was still rejected.

MGD


towerdave

join:2002-01-16
O Fallon, IL

1 edit
reply to MGD

Re: Ebook websites, fraud charges, Devbill/DigitalAge/Pluto

I just got hit by an integratedidea.com charge on my debit card. Just read through the initial posting in this thread. Incredible!!

I have nowhere near enough time to read the entire thread, but I'm glad to find this information so I can try to allay my wife's fears about what happened.

Thank you for all of your research!!!!!

TD


Whip

join:2009-01-23
Califon, NJ

Seems the scammers REALLY don't want the site to be found:

hxxp://integratedidea.com/robots.txt

Reported Attack Site!

This web site at integratedidea.com has been reported as an attack site and has been blocked based on your security preferences.

Attack sites try to install programs that steal private information, use your computer to attack others, or damage your system.

Some attack sites intentionally distribute harmful software, but many are compromised without the knowledge or permission of their owners.

MGD
Premium,MVM
join:2002-07-31
kudos:9

1 recommendation

reply to towerdave

said by towerdave:

I just got hit by an integratedidea.com charge on my debit card. Just read through the initial posting in this thread. Incredible!!
...
.
Thanks, I do need to work on preparing a consolidated Cliff Notes version.

I would not suspect any issues with your PC being compromised as a primary contributor to getting nailed with the organized Crime Syndicate's fraud charge. In fact, just owning a debit or credit card appears to be the only necessary qualification, having used it anywhere is not even required, in order to be hit. There is an extensive range of victims from non usage to across all usage levels. Over the almost decade long period that this massive fraud has been in operation there have been numerous common links for some victims. In 2007 a large group had Equifax in common, with some having only that as a prior history. So many that it garnered news media attention in late 2007, including this article by Brian Sullivan titled "E-BOOKS, CREDIT CARD THEFT AND EQUIFAX" »redtape.msnbc.com/2007/11/chris-···nev.html Despite their history of FTC issues over consumer complaints, Equifax investigated but found no internal issues, but left open the possibility that it could be higher up the processing chain outside of their control.

The only absolutely confirmed source of data that the OCS has used was the SQL exploit hacking that they performed on Rangerjoes.com multi-year customer card database. The syndicate ploughed that data, starting within 48 hours of the hacking, with fraud charges through a dozen of their active card fraud laundering websites. That was the only place where the majority of the cards were used. The Rangerjoes.com incident represents only a tiny fraction of the millions of cards that this syndicate has used over the period.

Reporting the charge as a FRAUD transaction, and cancelling and replacing the compromised card, is the SOP solution to your issue.

INTEGRATEDIDEA.COM aka FBN INTEGRATED IDEA 816-470-0407 has been actively fraud charging for almost a year. »800notes.com/Phone.aspx/1-816-470-0407 I am not quite sure how the apparently elderly cyber-mules, both PhDs, Dr. Shriniwas Katti and Dr. Pramila Katti in Raymore, Missouri got hooked into this fraud money laundering operation. But they join an esteemed group which includes lawyers, retired physicians, IT Consultants, and house wives.

Though the number of complaints of the fraud operation of INTEGRATEDIDEA.COM had been recently quiet, it has started to pick back up again. You can multiply the number of complaints which reach the internet by anywhere from 1,000 to 10,000 to arrive at the probable number of the current rate of victims of the fraud charging.

The most active recently based on referrals has been SCREEN SAVERSRISE.COM 240-2844437 aka SCREENSAVERSRISE.COM 240-284-4437 »800notes.com/Phone.aspx/1-240-284-4437 followed by the VPNMONSTER.NET & VPNMONSTER.COM. Plus I have a backlog of several fresh entities to post about.

MGD

MGD
Premium,MVM
join:2002-07-31
kudos:9

1 recommendation

reply to towerdave

said by towerdave:

I just got hit by an integratedidea.com charge on my debit card. Just read through the initial posting in this thread. Incredible!!

If you have the time, towerdave, send me via an IM the (ARN) Acquirer Reference Number for that fraud charge transaction. The ARN is a 23 digit number that appears after the transaction on the line item charge. Since it is a debit card you might have to call your bank and ask for it, if you do not see it listed next to the transaction.

That ARN number will enable me to identify the bank that is receiving the fraud charge proceeds. That bank, where the cyber-mule has the business bank account linked to the merchant account going through Authorize.net is where the bulk fraud proceeds are being stashed at. That bank will also be the location from where the fraud proceeds are being wired out of the country back to the organized Crime Syndicate. In accordance with federal laws that criminal money laundering account at the bank needs to be immediately frozen. I just hope it is not at the clueless PNC Bank.

MGD

MGD
Premium,MVM
join:2002-07-31
kudos:9

1 edit

1 recommendation

reply to Whip

said by Whip:

Seems the scammers REALLY don't want the site to be found.....
The Google write up does not make sense, I have not checked the website recently.




Edit=

If you recall, back a few chapters ago the C&C recruiting site of SKYDEX SOFT aka skydexsoft.com, at the time hosted, I believe, in the Ukraine, was also infected with several Iframe exploits. Skydexsoft had over 150 simultaneous bogus job ads for cyber-mules on Careerbuilder. They were carpet bombing job ads across major cities in the US.

MGD

Whip

join:2009-01-23
Califon, NJ

1 edit

How are there 356 pages to a bogus website that normally only show around 5-6 pages? Would any transactions also be considered a 'page'?

P.S. I copy and paste your message from page 4 on 800notes to the first page MGD.


Whip

join:2009-01-23
Califon, NJ
reply to MGD

Did you check out McAfee siteadvisor? The integratedidea site links to a malware site:

»www.siteadvisor.com/sites/integr···=2287519

stern-kalli.cn

And I don't know what this guy is pulling but his domain is hidden but infected:

»badwarebusters.org/main/itemview/8247

Maleware software hosted anothe
by Kalpesh
11 months ago

Hi, my web site is www.saleanddiscount.com has badware warning put up by google.

I got the below info and suspect that the problem comes from javascript code which is causing the error on that page . I have already remove that code from my main page but it still giving error on that page.
I think my site is hacked.I dont know how to remove the code which is i already removed.Is there any invisible code in that file?

Thanks

Kalpesh

What is the current listing status for www.saleanddiscount.com?
Site is listed as suspicious – visiting this web site may harm your computer.

Part of this site was listed for suspicious activity 1 time(s) over the past 90 days.

What happened when Google visited this site?
Of the 13 pages we tested on the site over the past 90 days, 1 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2009-08-27, and the last time suspicious content was found on this site was on 2009-08-27.
Malicious software is hosted on 1 domain(s), including stern-kalli.cn/.

This site was hosted on 1 network(s) including AS15244 (ADDD2NET).

Has this site acted as an intermediary resulting in further distribution of malware?
Over the past 90 days, www.saleanddiscount.com did not appear to function as an intermediary for the infection of any sites.

Has this site hosted malware?
No, this site has not hosted malicious software over the past 90 days.
www.saleanddiscount.com/robots.txt

User-Agent: *
Allow: /


MGD
Premium,MVM
join:2002-07-31
kudos:9

1 recommendation

said by Whip:

How are there 356 pages to a bogus website that normally only show around 5-6 pages? Would any transactions also be considered a 'page'?
Though there are still fraud charge complaints the INTEGRATEDIDEA.COM website has been down for a while. That amount of pages is way too much for the typical fraud site. They count the total of linked pages beginning at the main index page and any subsequent sub links. The fake purchase pages are not typically active. I am not sure how Google even found it if it was blocked by a robots instruction. Google would audit it if there are malware referrer links to it from another website which Google found first. But the Google analysis does not make sense, it lists 800notes.com as being infected from INTEGRATEDIDEA.COM.

said by Whip:

P.S. I copy and paste your message from page 4 on 800notes to the first page MGD.
Thanks.

said by Whip:

Did you check out McAfee siteadvisor? The integratedidea site links to a malware site:

»www.siteadvisor.com/sites/integr···=2287519

stern-kalli.cn

And I don't know what this guy is pulling but his domain is hidden but infected:
....
..
User-Agent: *
Allow: /

I read it now. The presence of a robots.txt file is typical and normal. The issue relevant to the hidden fraud sites is what the robots.txt file contains. It is the contents that are the key as to whether a supposed e-Commerce website is being purposely hidden from everyone including search engines. The example that you posted above allows the entire website to be archived in search engines. The star after user agent means "all" search engines, and the allow followed by the forward slash means all visible directories can be archived.

On the other hand the OCS card fraud laundering websites have "Disallow" with a forward slash. That instructs all search engines not to archive any portion of the website or its contents. So when you check for a robots.txt file also look at how it is coded, a Disallow All for an ecommerce site is the problem. The same search engine index blocking can also be achieved using Meta tags embedded in the source code of the individual pages, with "noindex" and/or "nofollow". In fact that is what the OCS used before robots files were adopted. You can see from several of my circa 2005-2006 postings on the organized crime syndicate where I pointed them out, e.g.: »Credit card criminals Devbill have a new home !!!

Despite numerous email responses to fraud victims by the OCS circa 2005, that someone must have stolen their card and used it on the "legit" to buy templates, then issuing a credit for the transaction, and advising them to cancel and replace the card, I knew it did not add up. Analysis of the source code of all of the websites showed that they were littered with noindex nofollow meta tags. The smart responses were designed to deflect attention away from the websites and point the problem to a supposed third party thief. The combination of all those inconsistencies is what initially drove the forensic bloodhound process of peeling back the layers of this massive organized crime.

Eventually, tracking down the registered business entities behind the operation became a roadblock for some time. Finding physicians and otherwise reputable people behind the entities aroused even more suspicion. Back then the yet to be designated cyber-mules were, for the most part, uncooperative. "Mind your own business" was the typical response of the day from cyber-mules, who were totally convinced that they were in a legitimate partnership. My inquiry was perceived as that of a potential competitor. That became a very difficult nut to crack and took some time.

MGD
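Added example, not part of the original post: a small checker for the two hiding signals described above, a robots.txt that disallows the whole site for all crawlers and `noindex` robots meta tags in page source. The open robots.txt is the one quoted in the thread; the blocking robots.txt and both HTML pages are constructed samples, and the parser handles plain path rules only (no wildcard matching).

```python
from html.parser import HTMLParser

# robots.txt quoted in the thread: every crawler may index everything.
OPEN_ROBOTS = "User-Agent: *\nAllow: /\n"
# Constructed sample of the whole-site block attributed to the fraud sites.
HIDDEN_ROBOTS = "# constructed sample\nUser-agent: *\nDisallow: /\n"
# Constructed storefront pages; the first carries the older meta-tag block.
HIDDEN_PAGE = ('<html><head><title>Shop</title>'
               '<META NAME="ROBOTS" CONTENT="NOINDEX, NOFOLLOW"></head>'
               '<body>Add to cart</body></html>')
PLAIN_PAGE = ('<html><head><title>Shop</title></head>'
              '<body>Add to cart</body></html>')


def parse_robots(text):
    """Return {user_agent: [(field, path), ...]} for Allow/Disallow rules.
    Consecutive User-agent lines share the rules that follow them."""
    groups, agents, seen_rule = {}, [], False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if ":" not in line:
            continue
        field, value = (part.strip() for part in line.split(":", 1))
        field = field.lower()
        if field == "user-agent":
            if seen_rule:                        # a rule closed the last group
                agents, seen_rule = [], False
            agents.append(value.lower())
            groups.setdefault(value.lower(), [])
        elif field in ("allow", "disallow") and agents:
            seen_rule = True
            for agent in agents:
                groups[agent].append((field, value))
    return groups


def blocks_everything(groups, agent="*"):
    """True when the group for `agent` (or '*') disallows the whole site
    and re-opens nothing. An empty 'Disallow:' means 'allow all'."""
    rules = groups.get(agent.lower(), groups.get("*", []))
    block_all = any(f == "disallow" and p in ("/", "/*") for f, p in rules)
    reopened = any(f == "allow" and p for f, p in rules)
    return block_all and not reopened


class MetaRobots(HTMLParser):
    """Collects directives from <meta name="robots" content="...">."""

    def __init__(self):
        super().__init__()
        self.directives = set()

    def handle_starttag(self, tag, attrs):
        if tag != "meta":
            return
        attr = {k: (v or "") for k, v in attrs}
        if attr.get("name", "").lower() == "robots":
            for item in attr.get("content", "").split(","):
                if item.strip():
                    self.directives.add(item.strip().lower())


def meta_directives(html):
    parser = MetaRobots()
    parser.feed(html)
    return parser.directives


def assess_site(robots_txt, pages):
    """pages: {path: html}. Report whether the site hides from search."""
    blocked = blocks_everything(parse_robots(robots_txt or ""))
    noindex = sorted(path for path, html in pages.items()
                     if "noindex" in meta_directives(html))
    every_page = bool(pages) and len(noindex) == len(pages)
    return {"robots_blocks_all": blocked,
            "noindex_pages": noindex,
            "hidden_from_search": blocked or every_page}


if __name__ == "__main__":
    print(assess_site(HIDDEN_ROBOTS, {"/": PLAIN_PAGE}))
    print(assess_site(OPEN_ROBOTS, {"/": HIDDEN_PAGE, "/cart": HIDDEN_PAGE}))
    print(assess_site(OPEN_ROBOTS, {"/": PLAIN_PAGE}))
```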


Konda

@grgrid.net
reply to Whip

Lots of new fraudulent charges happening. I think this is pretty big and might be related.

Check:
»800notes.com/Phone.aspx/1-888-402-0881
»800notes.com/Phone.aspx/1-888-403-2136
»800notes.com/Phone.aspx/1-888-438-9250

All of these people were charged in the last few weeks and have no idea where it is for. These 3 I found in just a few minutes, so there are probably a lot more. All 3 use the same callcenter, where people can't get any information regarding the charge.

In »800notes.com/Phone.aspx/1-888-402-0881 someone mentioned: Business Name:

Web Profit Coach/Internet Career Builder
Type of Business: WORK-AT-HOME COS.
Website Address: »www.internetcareerbuilder.com

When doing a google cache search on internetcareerbuilder there was someone talking about he had been set up with 11 ebook shops, so that's why I thought it might be related to all of this.


MGD
Premium,MVM
join:2002-07-31
kudos:9

4 edits

1 recommendation

said by Konda :

Lots of new fraudulent charges happening. I think this is pretty big and might be related.

Check:
»800notes.com/Phone.aspx/1-888-402-0881
»800notes.com/Phone.aspx/1-888-403-2136
»800notes.com/Phone.aspx/1-888-438-9250

All of these people were charged in the last few weeks and have no idea where it is for. These 3 I found in just a few minutes, so there are probably a lot more. All 3 use the same callcenter, where people can't get any information regarding the charge.

In »800notes.com/Phone.aspx/1-888-402-0881 someone mentioned: Business Name:

Web Profit Coach/Internet Career Builder
Type of Business: WORK-AT-HOME COS.
Website Address: »www.internetcareerbuilder.com

When doing a google cache search on internetcareerbuilder there was someone talking about he had been set up with 11 ebook shops, so that's why I thought it might be related to all of this.
Interesting, will have to take a look. That 888-402-0881 has generated 10 pages of complaints on 800notes within a month. Whatever it is, it is big. However,

"Web Profit Coach/Internet Career Builder
Type of Business: WORK-AT-HOME COS."

is indicative of a domestic fraud and scam operation, but you can never tell for sure without some digging.

Edit 1

-------------------------
I just discovered the same charge ONLINE PYMT 88840208 38.97 USD from 07 july on my Visa electron and I am from Denmark so this is a worldwide theft.
-------------------------

Reported a single transaction of $39.87 on 4 July to Santander in the UK today, they cancelled my card and are sending me the forms to report the fraud

-------------------------

I live in Australia. No one called me... I just had a debit turn up on my credit card account for US$39.87. I don't know where they got my details from but I suspect it was Summer Bay Resorts that gave it to them.

-------------------------

I am not sure how the poster is making the connection between the huge scam and "Web Profit Coach/Internet Career Builder Type of Business: WORK-AT-HOME COS." They do not state the connection. If it is the 800 number they need to make sure the time period is the same as 800 numbers are recirculated frequently. Though the address posted is a "Regus" rent a desk office, which has some common MO ground.

Edit 2

It is global fraud that appears to be going through a (clueless) third party processor:

-----------------
I too had 4 amounts for $38.99 on my statement at the start of July. When I called that number (001 8884020881 from the UK) I did get through within a few seconds, and the guy was very helpful.

It was a company based in Florida who manage online payments for many companies. I gave him my name and he was able to find a record of the payments, and said they would be refunded to my card. OK so I may have to wait a couple of weeks to see if they actually get refunded, but he seemed genuine enough.
-----------------

Edit 3 - some of the reported line items do show "PHOENIX AZ"

A transaction ARN needs to be traced and the related merchant account needs to be immediately suspended and cut off. It is hard to tell if the biller is a victim or a co-con.

Edit 4

This smells in part at least of Cyprus based merchant processing. I have yet to find a legitimate online charge ever, originating from Cyprus.

MGD

hoyleysox
Premium
join:2003-11-07
Long Beach, CA

Supposedly there is lots of Russian organized crime in Cyprus.

»www.turks.us/article.php?story=2···93715339

»www.nytimes.com/1995/06/15/world···nted=all


MGD
Premium,MVM
join:2002-07-31
kudos:9

1 recommendation

said by hoyleysox:

Supposedly there is lots of Russian organized crime in Cyprus.
...
Indeed, and it has existed there for years, Cyprus has been a historic haven and gateway for organized crime money laundering. Its latest role has been as the base of operation for hundreds of nefarious merchant account processing for scams and frauds.

MGD

MGD
Premium,MVM
join:2002-07-31
kudos:9

1 edit

1 recommendation

reply to Doctor Four

It is difficult to fathom how the FTC managed to surgically carve out the Organized Crime Syndicate's "Toll free group" from the rest of the ongoing massive card fraud laundering operation. While by design the OCS's hub and spoke fraud laundering configuration is created to limit the exposure and view of the entire structure, and enable apparently isolated components to be identified and lost without impacting the overall operation. There are multiple incidents over the last six plus years where components have been identified during legal action that failed to expose the totality of the operation. The Michigan case of Krystal Owens, investigations as a result of the Pluto Data Ltd fraud: Feds probe mysterious credit card charges, the "Digital Age" Credit Card Fraud, and the "E-books, credit card theft and Equifax" all failed to reveal the true extent of the operation. Regarding the current FTC action, according to Robert McMillan's idg.com article "FTC says scammers stole millions, using virtual companies" the FTC had several correct determinations, bolded here:

said by Robert McMillan :
.... The scam, which had been run for about four years, according to the FTC, provides a case lesson in how many of the online services used to lubricate business in the 21st century can equally be misused for fraud.

"It was a very patient scam," said Steve Wernikoff, a staff attorney with the FTC who is prosecuting the case. "The people who are behind this are very meticulous."

The operation is now in its tenth year, not four, however I agree that "patient" and "meticulous" are correct attributions.

said by Robert McMillan :
....... The FTC has not identified those responsible for the fraud, but in March, it quietly filed a civil lawsuit in U.S. District Court in Illinois. This has frozen the gang's U.S. assets and also allowed the FTC to shut down merchant accounts and 14 "money mules" -- U.S. residents recruited by the criminals to move money offshore to countries such as Bulgaria, Cyprus, and Estonia.

"We're going to aggressively seek to identify the ultimate masterminds behind this scheme," Wernikoff said. According to him, the scammers found loopholes in the credit card processing system that allowed them to set up fake U.S. companies that then ran more than a million phony credit card transactions through legitimate credit card processing companies.

Wernikoff doesn't know where the scammers obtained the credit card numbers they charged, but they could have been purchased from online carder forums, black market Web sites where criminals buy and sell stolen information.

They first need to grasp the context of the entire operation. I disagree with the "loophole" characterization of how they used the card processing system. They come in right through the front door, no loopholes are needed. The OCS is a vertical operation and sources their data directly, purchasing the data in carding forums is something I eliminated as a probable item a long time ago.

said by Robert McMillan :
.... U.S. consumers footed most of the bill for the scam because, amazingly, about 94 percent of all charges went uncontested by the victims. According to the FTC, the fraudsters charged 1.35 million credit cards a total of $9.5 million, but only 78,724 of these fake charges were ever noticed. Typically they floated just one charge per card number, billing on behalf of made-up business names such as Adele Services or Bartelca LLC.

Indeed consumers do pay for the majority of the fraud, but the "typical one charge per card" is false.

said by Robert McMillan :
The FTC's Wernikoff believes that whoever is responsible for this crime lives outside of the U.S., but with the money-cashing operation now busted up, the scammers will have to start again from scratch, if they want to keep bilking consumers. And criminal investigators now have a trail to follow.

"Does it prevent the people from ultimately responsible from building up again from scratch?" he asked. "No. But we do hope that this seriously disrupts them.".

By no means has the operation been halted, minor inconvenience at best. The $100,000 frozen by the courts over the total group listed in the FTC documents represents 3 months billing of one cyber-mule.

More examples of cross charging from the FTC's list of the closed accounts:




The "Center Company" was listed by a victim as a prior fraud charge before the four year long OCS fraud operation of:

EBSEBOOKS.COM aka Electronic Business Resources 412-927-0410 »Re: Ebook websites, fraud charges, Devbill/DigitalAge/Pluto

quote:
I too had a charge from this company on my credit card. The previous fraudulent charge was for $9.00 from CENTER COMPANY 888-856-8228 FL . I use some of the same companies as Motobuddy, but none with this particular card.
Caller ID: 1-412-927-0410

»whocallsme.com/Phone-Number.aspx···270410/2




The reply one victim got from a fictitious "David Bergman" representing EBSEBOOKS.COM aka Electronic Business Resources 412-927-0410

quote:
I had 2 fraudulent charges of $4.95 ea..called my bank and reported it as FRAUD and cancelled the card.. after calling and e-mailing.. this is what I got..

=======================
My name is David Bergman and I represent EBR LLC Customer Service.
We got an e-mail from you reporting a charge from our website on your credit card. Thank you for reporting about this situation promptly.

I guess I should explain everything to you.
Our company sells E-Books, electronic manuals on different topics, mostly business. The price you reported is one of the prices of our products and we think that your card was charged for the price of a E-Book bought on our website.

In this regard I have a very important question for you:
Are you sure that nobody but you has access to your credit card information(name and number)? You see, if your card was charged and you didn't know about that somebody does have your card information and can use it. Please check it.

We have already removed the charge you reported. The refund will be stated in your account within two or three business days.

Nevertheless I strongly recommend you to call your bank and ask them to issue another card for you. Because if your card was once charged without your notification there's no guarantee that the person having access to the CC information wouldn't use it again.

It is also possible that some banking error occurred and your card was charged by mistake. If there are no other unidentified charges in your card that is the most probable variant. But still please call them and talk it over.

Best regards,
David Bergman, EBR LLC

support@ebsebooks.com

»whocallsme.com/Phone-Number.aspx/4129270410

That reply from the 2007 through 2010 EBSEBOOKS.COM would be an identical match that other victims received across three generations of the OCS's operation going back to 2004:




The Absolute Software listed in the David Bergman search above, goes back to the circa 2004 - 2005 version 2.0 fake webtemplate card fraud laundering sites.




The FTC listed "DEN ENTERPRISES" from the toll free group:




In May of 2008 cross charged with:

=============================================
dave
2 May 2008
I was charged 9.65 from this 'Den Enterprises' and also 4.95 by a company called 'bestsmartstore com llc'. Both are fraudulent charges by bogus companies. I called my CC company and they are crediting my money back and issuing a new card.

Thanks to everyone for taking a stand against these crimes.

=============================================

BESTSMARTSTORE.COM AKA BEST SMART STORE.COM LLC 623-242-2557
»Ebook websites, fraud charges, Devbill/DigitalAge/Pluto

In October of 2008, a victim is hit by both "DEN Enterprises" and one of the many fraud sites of notorious cyber-mule Jim Lennon's orange template websites

=============================================
lan replies to omv
10 Oct 2008
Same to me Den Enterprises 9.65 chg on 08/20/08. Just thought I didn't remember doing something but gave it some thought. Then on 10/10/08 another chg from New Liberty Management In. for 10.29 closed acct immediately. Their Ph # 417-423-7523 says customer calling out of area try back. Bogus. I usually don't let things go I will investigate and proceed through my AG office.

=============================================

Jim Lennon's group included:

NLMDESIGN.COM AKA New Liberty Management, Inc. 417-423-7523

NLMDIZ.COM AKA NLM DESIGN INC 225-910-8783

NLMWEBDESIGN.COM AKA NLM TEMPLATES and MORE 270-975-4864

From the Robert McMillan article:

said by Robert McMillan :
... One of the largest payment processors in the U.S., First Data, was a favorite of the scammers. Of the 116 fake merchant accounts the FTC uncovered, 110 were with First Data.
......... First Data would not comment on the measures it had taken to improve its merchant vetting process, but the company did confirm that it cooperated with the FTC investigation.

If First Data had 110 accounts, they likely had ten times that amount, and still have active card fraud laundering accounts.

In May of 2008 an alert was sent to First Data as they had the processing account for EYECONTEMPLATES.COM aka EyeCon Technologies, LLC 703-879-6908 EyeCon was the card fraud laundering operation whose business bank account was at PNC Bank where a security official claimed that it was a legitimate account, refused to intervene, and asked why I was not going after Careerbuilder.com instead. That failed encounter led to contacting First Data, the processor for EyeCon Technologies, LLC, who did promptly close the merchant account:




Apparently that May 2008 alert about the extent of the card fraud laundering operation must not have led to any wholesale changes in the vetting process.

MGD

MGD
Premium,MVM
join:2002-07-31
kudos:9

1 edit

1 recommendation

said by Robert McMillan :
"We're going to aggressively seek to identify the ultimate masterminds behind this scheme," Wernikoff said. According to him, the scammers found loopholes in the credit card processing system that allowed them to set up fake U.S. companies that then ran more than a million phony credit card transactions through legitimate credit card processing companies.

Wernikoff doesn't know where the scammers obtained the credit card numbers they charged, but they could have been purchased from online carder forums, black market Web sites where criminals buy and sell stolen information.

It became apparent as far back as 2004 that the OCS was a vertical operation, and was directly infiltrating the financial system to obtain the card data. That conclusion did not come solely from monitoring the going rate at that time for card dumps on multiple hidden underworld forums, which did not make the operation economically viable. Back then, at $9 per fraud hit, it would have taken 3 successful hits to a card before a profit was turned.

More than that, it was the repeated reports of some of the victim's card history which pointed to something far more sinister. Take the CENTER COMPANY --> EBSEBOOKS connection above, the "DAVID BERGMAN" bogus deflection replies all the way back to the 2004 era of the ABSOLUTE-SOFT.COM version 2.0 and this forum:

Circa early 2004:



»Who is Absolute-soft???

Then: »$9.95 scam.. check your bank statements. security

By 2005 the growing appearance of the real extent of the operation: »Re: I got the same changes ....

The beginning of a comprehensive monitoring of the unusual circumstances of some of the victim card data:

But this is now TWO YEARS Later, one fraud entity is still going:

quote:
===========================================
Mark says:
January 21, 2006 at 8:39 am
Hi all,

I got hit in December on a CC that has NEVER been used at NewEgg, Buy.com, etc, and has never been typed online for that matter. It was only used once with a PHONECALL order. The credit card has been in my safe for months, so ANY charge I get is fraudulent. I am making an educated guess that the breakdown is somewhere in the mechanism that communicates the CC number and info for approval. Maybe the common denominator is the company that certain merchants are using for CC authentication.

Just a thought…
===========================================

I wondered if there was a connection:

State of California

Entity Name: ABSOLUTE SOFTWARE CONSULTING LLC
Entity Number: 200336010080
Date Filed: 12/22/2003
Status: CANCELED
Jurisdiction: CALIFORNIA
Entity Address: 22806 SAILWIND WAY
Entity City, State, Zip: LAKE FOREST CA 92630
Agent for Service of Process: EVELYN NAZARIO
Agent Address: 22806 SAILWIND WAY
Agent City, State, Zip: LAKE FOREST CA 92630
Digging even deeper, there appeared to be:

quote:
Credit card charged by absolute-soft.com

August 18, 2005

Absolute-soft.com, CA.

They charged my credit card $9.95. I never heard of this company and I never ordered or bought anything from them. I sent them an email detailing the problem. I received an email back from

This is what the email said:

--------------------------------

"My name is David Bergman and I represent Absolute Software Consulting LLC Customer Service.

We got an e-mail from you reporting a charge of $9.95 on your credit card. Thank you for reporting about this situation promptly. I guess I should explain everything to you. Our company produces web design products, mostly website templates - primary web pages with no content. The price of each template is $9.95

thus your card was charged for the price of a template bought on our website. In this regard I have a very important question for you: Are you sure that nobody but you has access to your credit card information(name and number)? You see, if your card was charged and you didn't know about that somebody does have your card information and can use it. Please check it. We have already removed the charge you reported. The refund will be stated in the account within three or four business days. Nevertheless I strongly recommend you to call your bank and ask them to issue another card for you. Because if your card was once charged without your notification there's no guarantee that the person

having access to the CC information wouldn't use it again. It is also possible that some banking error occurred and your card was charged by mistake but still please call them and talk it over. Best regards,

===========================================
joe says:
July 26, 2006 at 3:45 pm

I had this charge, got a new bank card and the charge has appeared again. How did they get my new number that is only a week old. Someone is getting hacked, the bank or the merchants!
===========================================
Eric says:
July 27, 2006 at 6:37 pm

I got this charge back in May on 1 of my cards. I had it corrected and got a new credit card number. Just last week the charge came up again on a different card from a different company. Got that fixed 3 days ago and wouldn’t you know another charge from them yesterday on another different card. PLEASE somebody find out how to stop this. We shouldn’t have to change all our cards because of 1 fake company!
===========================================
Jim says:
August 17, 2006 at 10:10 am

I received this charge on my bank account 8/9. I am trying to get it refunded.
===========================================
DC says:
August 17, 2006 at 5:39 pm

Absolute-Soft.com hit me today for 9.95 on my debit card. Called the bank to close/change account. How they can get away with this for over 2 years is beyond me. You’d think the banks would set up some sort of common list where companies like Absolute-Soft wouldn’t even be able to submit charges at major institutions. A 5 minute internet search shows the level of this scam. Ridiculous.

absolute-soft.com
===========================================

This was far more than someone buying card dumps. In several instances over time it appeared that all the cards a victim had, issued by several institutions, were sequentially charged with fraud. It was as if they were also accessing combined lists of card data alphabetically.

By 2006 not only are reports of fraud charging all over DSLR, but forum pockets all over the internet can be found of the same fraud reports. Start collecting names:

»www.jerseysmarts.com/2004/11/22/···y-fraud/

I knew back then that killing the websites had no effect on their ability to keep merchant processing accounts:

»www.jerseysmarts.com/2006/03/10/···d-fraud/

They could just resurface anywhere, but remain hidden with the first use of "no index" and "no follow" meta tags:

»Credit card criminals Devbill have a new home !!!

Was the four year and plus, card fraud laundering runs of KCSOFTLLC and EBSEBOOKS.COM aka Electronic Business Resource an aberration, a quirk within the financial system that they managed to slip through and continue fraud processing?

No, they are just two of many examples. Absolute-soft.com aka ABSOLUTE SOFTWARE CONSULTING LLC began fraud charging in early 2004. Five years, HALF A DECADE later, this crops up in April of 2009:





Let's go back and have another look at that California corporation's database:

Entity Name: ABSOLUTE SOFTWARE CONSULTING LLC
Entity Number: 200924410303
Date Filed: 09/01/2009
Status: ACTIVE
Jurisdiction: CALIFORNIA
Entity Address: 22806 SAILWIND WAY
Entity City, State, Zip: LAKE FOREST CA 92630
Agent for Service of Process: BUSINESS FILINGS INCORPORATED
(C2113485)
Agent Address: *
Agent City, State, Zip: *
Apparently a 2009 refreshed registration.
.

MGD

MGD
Premium,MVM
join:2002-07-31
kudos:9

1 edit

1 recommendation

reply to Whip

said by Whip:

...
P.S. I copy and paste your message from page 4 on 800notes to the first page MGD.
ref:»800notes.com/Phone.aspx/1-816-470-0407

Amazing how crumbs of evidence data can be linked together to demonstrate the size of this extensive massive fraud operation. Take the current INTEGRATEDIDEA.COM aka FBN INTEGRATED IDEA 816-470-0407 listed on the previous page 51




The task of establishing common links across the entire multi-year landscape of this Organized Crime Syndicate, requires the meticulous cross checking of data snippets over a vast array of data, in order to identify evidence of the intricate connections. With respect to additional tie ins of INTEGRATEDIDEA.COM aka FBN INTEGRATED IDEA 816-470-0407 to the OCS, that came from a small window of opportunity when they let the domain cloaking of INTEGRATEDIDEA.COM slide, and thus exposed the original registration to an identity theft victim:




That victim's name used for the original domain registration is an exact match to another fraud domain registration from early 2008. In fact, this match to a card fraud laundering website domain registration has not been reported on in this thread before now.

The related story begins in March of 2008, when, during an audit of several known servers in use by the OCS, a freshly minted card fraud laundering website mobilehomestuffstoreplus.com was discovered:





Registrant:
Domains by Proxy, Inc.
DomainsByProxy.com
15111 N. Hayden Rd., Ste 160, PMB 353
Scottsdale, Arizona 85260
United States

Domain Name: MOBILEHOMESTUFFSTOREPLUS.COM
Created on: 22-May-08
Expires on: 22-May-09


A few months later:


Registrant:
Wild West Domains
14455 N Hayden Rd
Suite 219
Scottsdale, AZ 85260
United States

Domain Name: MOBILEHOMESTUFFSTOREPLUS.COM
Created on: 22-May-08
Expires on: 22-May-09
Last Updated on: 03-Sep-08

Administrative Contact:
domains for sale, Wild West Domains
confiscateddomain@wildwestdomains.com


The duped cyber-mule was located and contacted. They were recruited from their resume posted on careerbuilder.com by the known OCS HR fraud of THECAREERPLANET.COM and the fake name of Anneliese Aitken anneliese.aitken@thecareerplanet.com:




Fortunately the cyber-mule had just been approved for a merchant account on the day that they were contacted, so this operation was nipped in the bud:




Glad that they were alerted before the fraud operation got off the ground, the duped cyber-mule turned over records of the communications in order to help. One email from the OCS confirming that they had registered an LLC online called AVANT-GARDE

quote:
From: Anneliese Aitken anneliese.aitken@thecareerplanet.com
To: XXXXXXXXXXXXXXXXXX
Sent: Tue, 4 Mar 2008 9:15 pm
Subject: Re: Independent Contractor Agreement

Dear XXXXXXXXXXXX

The registration of LLC is started.

The name is "Avant-garde" (title: on-line trading).

The order for registration is already send and you will receive the documents

during 1-2 weeks.

When you receive it, please don't forget to send me the scan of Certificate of Status.
Sincerely yours,

Anneliese Aitken

www.TheCareerPlanet.com




This was not the LLC that was registered on behalf of the cyber-mule, who also confirmed that only one had been issued, and they never understood the purpose of the email from the OCS.




A check within the home state records of the mule showed no such registration. Clearly the OCS had sent the email to the wrong cyber-mule. Understandable, since they have numerous duped recruits at a time. But who and where did it belong to? That "Avant Garde" name is so common it returned thousands of search hits. Plus there was a huge list of business formations matching that name across the US, none of which matched the criteria. A cross check of many thousands of various domain name configurations of that name did not turn up a positive ID. The lead was shelved and then returned to intermittently for rechecking. Surely there would be a future report of fraud charges. Finally, after repeated checking a possible lead was found in the state of Colorado's corporation database records:




And the date of incorporation matched to the email from the OCS:






Then another bloodhound hunt to find the matching card fraud laundering website:

AVANT-GARDE LLC aka AVANTG.ORG 719-387-7249 & 424-785-1586




.

719-387-7249 phone number comments:
quote:
========================================
Laurie -
1 Jan 2009
My debit card gets charged $4.99 every couple of months. I have cancelled the card and received a new one and the same thing has happened. I don't know how the company gets the number because I only use this card for deposits and withdrawals as it is not my main account. The company is listed as Avant Garde LLC in Woodland Park, CO. The number 719-387-7249 listed on my statement is not a working number. I cannot find out much else about this company. I live in Florida.
Caller: Avant Garde LLC
========================================

Individually, within the system there are smart people. However, each is only exposed to tiny segments of the Organized Crime Syndicate. Very few see the big picture, the lack of "collective Intelligence gathering" gathered from outside the walled garden. Only by going out in the field can proper Threat Reconnaissance to the financial system be performed.

quote:
========================================
DIRECT MERCHANTS BANK
8 Jan 2009

CREDIT CARDS ARE BEING CHARGED $ 4.99 EVERY FEW MONTHS. THE COMPANY AVANT GARDE LLC APPEARS TO EXIST ONLY TO COMMIT CREDIT CARD FRAUD, THIS PHONE NUMBER IS NOT A WORKING PHONE NUMBER.
========================================

»whocallsme.com/Phone-Number.aspx/7193877249

Victim fraud complaints from late 2008: »800notes.com/Phone.aspx/1-719-387-7249

The contact phone number listed originally on the AVANTG.ORG was used by the known card fraud laundering operation of YOURPLPROJECT.ORG

Now look at the Mar-2008 identity theft domain registration for AVANTG.ORG:


Domain ID:D151986593-LROR
Domain Name:AVANTG.ORG
Created On:11-Mar-2008 23:47:41 UTC
Last Updated On:12-Mar-2008 00:53:24 UTC
Expiration Date:11-Mar-2009 23:47:41 UTC
Sponsoring Registrar:eNom, Inc. (R39-LROR)
Status:CLIENT TRANSFER PROHIBITED
Status:TRANSFER PROHIBITED
Registrant ID:ad963fb564e
Registrant Name:Alesia Painter
Registrant Organization:AVANTG.ORG
Registrant Street1:1214 E Main St
Registrant Street2:
Registrant Street3:
Registrant City:Luray
Registrant State/Province:VA
Registrant Postal Code:22836
Registrant Country:US
Registrant Phone:+1.7193877249
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email:Apmail1976@gmail.com


Almost a year later the card fraud laundering domain of INTEGRATEDIDEA.COM is registered, but privacy cloaked and hidden:


Domain name: INTEGRATEDIDEA.COM

Administrative Contact:
Whois Privacy Protection Service, Inc.
Whois Agent (wlfxvmdl@whoisprivacyprotect.com)
+1.4252740657
Fax: +1.4259744730
PMB 368, 14150 NE 20th St - F1
C/O integratedidea.com
Bellevue, WA 98007
US

Creation date: 18 Feb 2009
Expiration date: 18 Feb 2010


However, in March of 2010 shortly after the domain registration was renewed for a second year the privacy cloaking fee was not paid and the shield was lifted:


Registration Service Provided By:
Landis Holdings Inc.
Contact: sales[@]jaguarpc.com

Domain name: INTEGRATEDIDEA.COM

Registrant Contact:
-
Alesia Painter (Alesia.Painter555@gmail.com)
+1.8164700407
Fax:
1214 E Main St
Luray, VA 22836
US

Status: Locked

Name Servers:
yns1.yahoo.com
yns2.yahoo.com

Creation date: 18 Feb 2009 00:47:46
Expiration date: 18 Feb 2011 00:47:00

.

MGD
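The cross-check described in the post above (one registrant appearing behind two domains once a privacy shield lapses) can be automated. This is an added example, not part of the original post: the records are constructed samples laid out like the two WHOIS formats quoted above, and every name, address and function in it is hypothetical.

```python
import re
from itertools import combinations

FIELDS = ("name", "street", "city", "state", "postal", "phone", "email")
PRIVACY_HINTS = ("privacy", "proxy", "whoisguard", "protect")

# Constructed sample records (not the page's data), in the two layouts quoted above.
ORG_STYLE = """\
Domain Name:EXAMPLE-ONE.ORG
Created On:11-Mar-2008 23:47:41 UTC
Registrant Name:Jane Example
Registrant Organization:EXAMPLE-ONE.ORG
Registrant Street1:100 W Sample St
Registrant City:Springfield
Registrant State/Province:VA
Registrant Postal Code:22000
Registrant Country:US
Registrant Phone:+1.5555550101
Registrant Email:jexample1976@example.com
"""
BLOCK_STYLE_CLOAKED = """\
Domain name: EXAMPLE-TWO.COM

Administrative Contact:
Whois Privacy Protection Service, Inc.
Whois Agent (abcd1234@whoisprivacyprotect.example)
+1.5555550199
PMB 368, 1 Proxy Way
C/O example-two.com
Bellevue, WA 98007
US
"""
BLOCK_STYLE_EXPOSED = """\
Domain name: EXAMPLE-TWO.COM

Registrant Contact:
-
Jane Example (Jane.Example555@example.com)
+1.5555550102
Fax:
100 W Sample St
Springfield, VA 22000
US
"""

def _norm(value):
    """Lower-case, drop punctuation and collapse spaces so layouts compare equal."""
    return re.sub(r"\s+", " ", re.sub(r"[^a-z0-9@ ]", "", value.lower())).strip()

def _parse_keyvalue(text):
    kv = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.startswith("Registrant "):
            kv[key[len("Registrant "):].strip().lower()] = value.strip()
    keys = ("name", "street1", "city", "state/province", "postal code", "phone", "email")
    return {field: kv.get(key, "") for field, key in zip(FIELDS, keys)}

def _parse_block(text):
    rec = dict.fromkeys(FIELDS, "")
    lines = text.splitlines()
    start = next((i for i, l in enumerate(lines)
                  if re.match(r"(Registrant|Administrative) Contact:", l)), None)
    if start is None:
        return rec
    block = []
    for line in lines[start + 1:]:          # the contact block ends at a blank line
        if not line.strip():
            break
        block.append(line.strip())
    for i, line in enumerate(block):
        m = re.fullmatch(r"(.+?)\s*\((\S+@\S+)\)", line)
        if m:
            rec["name"], rec["email"] = m.groups()
        elif re.fullmatch(r"\+[\d.]+", line):
            rec["phone"] = line
        else:
            m = re.fullmatch(r"(.+), ([A-Z]{2}) (\d{5})", line)
            if m:                            # street is the line above "City, ST ZIP"
                rec["city"], rec["state"], rec["postal"] = m.groups()
                prev = [p for p in block[:i] if not p.lower().startswith("c/o")]
                rec["street"] = prev[-1] if prev else ""
    return rec

def parse_whois(text):
    rec = _parse_keyvalue(text) if "Registrant Name:" in text else _parse_block(text)
    m = re.search(r"(?im)^domain name:\s*(\S+)", text)
    rec["domain"] = m.group(1).lower() if m else ""
    # A proxy service's contact data says nothing about the real registrant.
    rec["cloaked"] = any(h in rec[f].lower() for f in FIELDS for h in PRIVACY_HINTS)
    return rec

def shared_fields(a, b):
    if a["cloaked"] or b["cloaked"]:
        return []
    return [f for f in FIELDS if a[f] and _norm(a[f]) == _norm(b[f])]

def correlate(texts):
    """Return (domain_a, domain_b, shared_fields) for every linked pair of records."""
    recs = [parse_whois(t) for t in texts]
    pairs = ((a, b, shared_fields(a, b)) for a, b in combinations(recs, 2))
    return [(a["domain"], b["domain"], s) for a, b, s in pairs if s]

if __name__ == "__main__":
    for link in correlate([ORG_STYLE, BLOCK_STYLE_CLOAKED, BLOCK_STYLE_EXPOSED]):
        print(link)
```

Phone and e-mail differ between the two linked sample records, as they do in the records quoted in the post, so the match rests on name and postal address.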

MGD
Premium,MVM
join:2002-07-31
kudos:9

1 recommendation

reply to MGD

One of the current most prolific card fraud charging entities:

SCAM FRAUD= AKA SCREENSAVERSRISE.COM 240-284-4437 = FRAUD SCAM




Not only are they generating frequent search hits to this thread, but the huge fraud volume can be seen just by the number of complaints on 800notes during July. Figure at the very least 1,000 victims or more for each one that posts.









»800notes.com/Phone.aspx/1-240-284-4437

The SCREENSAVERSRISE cyber-mule Saira Bano Farooq lacks contact info and has apparently moved from the Washington DC / Rockville MD area. She has also removed her previous LinkedIn profile:

»/r0/download/1···aira.png

The Linkedin.com profile can be found on Google but is NLA on the site.

===============================
Saira Bano Farooq

President at SCREENSAVERSRISE.COM

Washington D.C. Metro Area
Contact Saira Bano Farooq
Add Saira Bano Farooq to your network

Current President, Owner, Producer, and
Writer at TheFantasticBlog

President at SCREENSAVERSRISE.COM
Past President, Owner, Writer at
BeautifulMoonlight
Industry Entertainment
-------------------------------

Saira Bano Farooq’s Experience
President, Owner, Producer, and Writer
TheFantasticBlog
(Entertainment industry)

2009 — Present (1 year )

President
SCREENSAVERSRISE.COM
(Entertainment industry)

2009 — Present (1 year )

President, Owner, Writer
BeautifulMoonlight
(Entertainment industry)

2006 — 2009 (3 years )
===============================

If a fraud victim can post the first 7 digits of the ARN, we will be able to identify the banking institution where the business account which is receiving the fraud proceeds is located. That bank and account will also be serving as the conduit where the card fraud proceeds are being wired out of the country from. Needless to say VISA which now owns authorize.net / Cybersource is undoubtedly serving as the gateway processing conduit for the OCS card fraud laundering operation.

The fraud charging apparently began sometime back in January 2010 with the first victim report in this forum HERE:

Also noteworthy is that around June 9th the OCS moved the website hosting from:

====================================
NS1.CROW.ARVIXE.COM
NS2.CROW.ARVIXE.COM

Server Type:Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 mod_jk/1.2.28

IP Address:174.120.229.131
IP Location: - Texas - Dallas - Theplanet.com Internet Services Inc
Response Code: 200
Domain Status: Registered And Active Website
====================================


NAMESERVER             FROM              TO
-------------------------------------------------------------
2010-06-09 Transfer    Arvixe.com        Siteprotect.com
.
.
HOSTING                FROM              TO
-------------------------------------------------------------
2010-06-09 Change      174.120.229.131   207.150.212.132


To here: »SCREENSAVERSRISE.COM

Server Type: Apache
IP Address: 207.150.212.132
IP Location: - United States - Affinity Internet Inc
Response Code: 200
Domain Status: Registered And Active Website

Domain servers in listed order:

ADNS.CS.SITEPROTECT.COM
BDNS.CS.SITEPROTECT.COM

MGD

MGD
Premium,MVM
join:2002-07-31
kudos:9

1 edit

1 recommendation

reply to MGD

If you recall, back in September of 2009 there was a post by iDeceive See Profile regarding the OCS cyber-mule recruiting of SKYDEX SOFT LTD aka SKYDEXSOFT.COM Alex Malenkovsky career@skydexsoft.com

SKYDEXSOFT:




was the continuation of a long series of runs of fake recruiting companies that fraudulently and repeatedly utilized the significant resources of CAREERBUILDER.COM to source resumes and place job ads to lure cyber-mule victims. However SKYDEX SOFT LTD aka SKYDEXSOFT.COM appeared to hold the known Careerbuilder.com record to date, by placing in excess of 150 concurrent cyber-mule job ads in every major metropolitan area of the US. A fact which highlights the complete failure of Careerbuilder to use reasonable and usual care in protecting either hosted resumes or job seekers from becoming cyber-mule victims.

This thread has documented an extensive series of both recruiting and employer accounts on Careerbuilder orchestrated by this Organized Crime Syndicate. Since many of these multiple job posting campaigns would have cost a significant amount of money it is doubtful that the OCS was utilizing the card fraud proceeds to pay for these resources. My suspicion is that they were charging the costs to their massive hijacked card database. One can test the extent of how criminals have infiltrated careerbuilder.com by placing a bogus resume on there with a valid email address and review the subsequent solicitations.




The skydexsoft.com domain was hosted in the Ukraine, and the domain was fraudulently registered to an identity theft victim from California. As shown in the original post, the email account used for the domain reg jglenn19@gmail.com had a Russian language password recovery option:

»/r0/download/1···eset.png

At the time of the original uncovering I audited and collected as much relevant data for later forensic examination. I presumed the related recruiting activity went dormant shortly afterwards however it appears that may not have been the case. While many lower level job websites scrape and re issue job postings long after they have expired in order to drum up business, several SKYDEX SOFT LTD aka SKYDEXSOFT.COM job postings were active with February, March, April, and May of 2010 issued dates. Whether these were really fresh postings or the work of scam job sites is difficult to tell:













The reposting of job ads from September of 2009, 6 to 8 months later, even for secondary scammy jobsites, would be a new low, but again it is difficult to account for all of these as reposts.

Part of the data recovered for forensic examination was a Microsoft Word document that was subsequently uploaded to the Skydexsoft.com website by the OCS shortly before the massive Careerbuilder.com cyber-mule job posting. If you recall, the job ads directed the potential victims to the skydexsoft.com website to complete the application and resume submittal process. Though it has been discussed before one of the severe issues with the OCS operation is the thousands of resumes which they both collect and peruse over on websites. While normally a resume is not considered an identity theft issue, when they are combined with subsequent picture identity scans by potential recruits, such as driver's licenses, etc, that combination and volume existing in the database of such a crime syndicate raises significant and serious issues. For example, could the personal history and identity documents be used to obtain travel documents, or other significant resources in the pursuit of a criminal operation. One of the unknown factors to date, is whether they are registering the portion of fraud proceeds converted to prepaid debit cards to prior applicants who they have the picture identity and resumes of.

The document recovered from Skydexsoft.com was titled SkydexSoft FAQ:












I have often wondered if the Organized Crime Syndicate's detailed knowledge of the US financial system, structure, taxation, etc, was all acquired from distance learning. I can tell you one thing though, of the hundreds of documents and communications that I have examined from the Organized Crime Syndicate over the past five years, all of them, without exception, including the one above, specify and mandate that AUTHORIZE.NET are to be used for the processing of the card data.

In this case the most interesting data from an evidentiary standpoint, is not the level of detail and knowledge about the US financial system, but rather the meta data contents which were embedded by default within the document. In this case the MS Word document was prepared on a computer whose native language was set to Russian Cyrillic, the user is "Admin", and the default OS computer company name from where the document originated is: "MoBIL GROUP"




An exhaustive search for the name MoBIL GROUP where the native language setting would be Russian Cyrillic yields only one matching entity located in Saint Petersburg, in the Russian Federation. How relevant or significant this is depends on several unknown variables. The data is listed in an image format because there is no direct implication of the company itself being involved:








There are several possible scenarios, including how many computers there are with that installation name, clones etc. If it is the correct company, and the named install is limited to them, it is possible that it could be an employee at any level. Though from "Admin" the focus would not be on the janitor.

Over time, sifting through Terabytes of data to see if any other documents exist anywhere around the globe with the same matching embedded meta data. It is possible that the above meta data could be a "smoking gun", especially if the number of computers configured as "Admin" with an installed company name of "MoBIL GROUP" is a very limited number, though that remains to be seen.

Clearly the document is not ambiguous, and has a specific intent. It serves only one purpose, that is to recruit cyber-mules to act as partners by forming a US business entity, opening a US business bank account, and obtaining merchant processing services. The services are used exclusively to process charges against hijacked card data, then launder the stolen proceeds by wiring them out of the US from the cyber-mule's business bank accounts. Obviously there is a direct connection of some form, between the fraudulent document, its creation, and an entity named "MoBIL GROUP" whose default setting is Cyrillic.

MGD
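The metadata comparison described in the post above (user name, installed company name and default language embedded in a Word document, then a search for other documents carrying the same values) is sketched here as an added example that is not part of the original post. It assumes the OOXML `.docx` container, which the post does not state; a legacy `.doc` file keeps the same properties in OLE summary streams and needs a different parser. The sample documents, company name and function names are constructed.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
    "w": "http://schemas.openxmlformats.org/wordprocessingml/2006/main",
}
MAX_PART = 1_000_000  # refuse oversized parts: evidence files are untrusted input

def make_sample_docx(creator, company, lang):
    """Build a constructed, minimal container holding only the parts read below."""
    core = (f'<cp:coreProperties xmlns:cp="{NS["cp"]}" xmlns:dc="{NS["dc"]}">'
            f"<dc:creator>{creator}</dc:creator>"
            f"<cp:lastModifiedBy>{creator}</cp:lastModifiedBy></cp:coreProperties>")
    app = (f'<Properties xmlns="{NS["ep"]}"><Application>Microsoft Office Word'
           f"</Application><Company>{company}</Company></Properties>")
    styles = (f'<w:styles xmlns:w="{NS["w"]}"><w:docDefaults><w:rPrDefault><w:rPr>'
              f'<w:lang w:val="{lang}"/></w:rPr></w:rPrDefault></w:docDefaults>'
              f"</w:styles>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docProps/core.xml", core)
        zf.writestr("docProps/app.xml", app)
        zf.writestr("word/styles.xml", styles)
    return buf.getvalue()

def _part(zf, name):
    """Parse one XML part, or return None if the document does not contain it."""
    try:
        info = zf.getinfo(name)
    except KeyError:
        return None
    if info.file_size > MAX_PART:
        raise ValueError(f"{name}: part too large")
    data = zf.read(name)
    if b"<!DOCTYPE" in data or b"<!ENTITY" in data:
        raise ValueError(f"{name}: DTD not allowed")  # blocks entity-expansion tricks
    return ET.fromstring(data)

def _text(root, path):
    node = root.find(path, NS) if root is not None else None
    return node.text if node is not None and node.text else None

def extract_metadata(docx_bytes):
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        core = _part(zf, "docProps/core.xml")
        app = _part(zf, "docProps/app.xml")
        styles = _part(zf, "word/styles.xml")
    lang = None
    if styles is not None:
        node = styles.find(".//w:rPrDefault/w:rPr/w:lang", NS)
        if node is not None:
            lang = node.get("{%s}val" % NS["w"])
    return {
        "creator": _text(core, "dc:creator"),
        "last_modified_by": _text(core, "cp:lastModifiedBy"),
        "company": _text(app, "ep:Company"),
        "language": lang,
    }

def fingerprint(meta):
    """Normalised (creator, company, language) triple used to compare documents."""
    return tuple((meta[k] or "").strip().lower()
                 for k in ("creator", "company", "language"))

def shared_fingerprints(docs):
    """Map each fingerprint seen in two or more documents to their file names."""
    groups = {}
    for name, data in docs.items():
        groups.setdefault(fingerprint(extract_metadata(data)), []).append(name)
    return {fp: sorted(names) for fp, names in groups.items() if len(names) > 1}

if __name__ == "__main__":
    corpus = {  # constructed corpus: two documents from one install, one unrelated
        "a.docx": make_sample_docx("Admin", "EXAMPLE CO", "ru-RU"),
        "b.docx": make_sample_docx("admin ", "Example Co", "ru-RU"),
        "c.docx": make_sample_docx("jsmith", "Other Ltd", "en-US"),
    }
    print(shared_fingerprints(corpus))
```

A generic user name such as "Admin" matches many installs on its own, which is why the fingerprint combines it with the company string and language.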


MGD
Premium,MVM
join:2002-07-31
kudos:9
reply to MGD

Re: Rosmann Enterprises LLC 305-767-1953

FRAUD ALERT: IM-GAMED.COM LLC aka IM-GAMED.COM 303-872-7857

Attention FTC, what happens when victims do not cancel their cards after the first fraud charge.

It may take a while, but MGD then picks up another of the Organized Crime Syndicate's fresh card fraud laundering entities.

The last post only a few hours ago:

said by whocallsme.com :
=====================================
NCvictim
11 May 2010
They got me today as well, but only for $1.89. Called and canceled card, passed along the above information to financial institution.
Caller: IM-GAMED.COM LLC
=====================================
truely disgusted
13 May 2010
Noticed the same $4.89 charge from IMGAMED.COM today on my visa account. When I went to investigate the site I came across multiple blogs with complaints about this fraud. Called and cancelled credit card~now must wait for new ones:( This is absolutely ridiculous! Thanks for all your post!
=====================================
jefepiloto replies to Old Computer Wizard
24 May 2010
Just got the same charge to my Chase account
=====================================
royallen
16 Aug 2010
the scam continues,seems like the banks don't care,law enforcement doesn't care,and the thieves continue to get rich five dollars at a time
=====================================
DBS
10 h 55 min ago
I too had this happen to me back in May. I got just a similar "not in svc" msg when I called it. Thinking it may have been just a fluke I didn't bother to cancel my debit card. I just had a similar charge ($4.97) from a Rosmann Enterprises LLC with a phone number of 305-767-1953 from Keys, Fla. When I called it I was told (by a person w/a British accent) the person I was calling was unavailable & instructed to lve a msg. Keep an eye out for this one too folks! My card is changed as soon as the bank opens in the morning!
=====================================

»whocallsme.com/Phone-Number.aspx···727857/2

FRAUD SCAM = ROSMANNENTERPRISES.COM aka Rosmann Enterprises LLC 305-767-1953 »rosmannenterprises.com




LOL!!! = "TOYS UNDER $10"

Address: 2221 NE 164th Street,
North Miami Beach, FL 33160
Phone: 1-(305)-767-1953
Email: support@rosmannenterprises.com

You can also use the form below to send a quick message.
Please tell us your name, your question and your email information.
Your issue will be addressed as soon as possible. Full Name:




ROSMANNENTERPRISES.COM

Registrar: ENOM, INC.

Registration Service Provided By:
NameCheap.com
Contact: support[@N]ameCheap.com

Domain name: rosmannenterprises.com

Registrant Contact:
WhoisGuard
WhoisGuard Protected ()

Fax:
8939 S. Sepulveda Blvd. #110 - 732
Westchester, CA 90045
US

Administrative Contact:
WhoisGuard
WhoisGuard Protected
(b9e143e0ff1f442b9ff27a9845f6f5d7.protect@whoisguard.com)
+1.6613102107
Fax: +1.6613102107
8939 S. Sepulveda Blvd. #110 - 732
Westchester, CA 90045
US

Name Servers:
dns1.registrar-servers.com
dns2.registrar-servers.com
dns3.registrar-servers.com
dns4.registrar-servers.com

Creation date: 21 Jun 2010 14:42:00
Expiration date: 21 Jun 2011 09:42:00


===============================
IP Location: United States Scottsdale Godaddy.com Inc
Resolve Host: ip-97-74-216-48.ip.secureserver.net
IP Address: 97.74.216.48
===============================

===============================
Florida Limited Liability Company

ROSMANN ENTERPRISES LLC

Filing Information
Document Number L10000065008
FEI/EIN Number NONE ----------->LOOK
Date Filed 06/17/2010
State FL
Status ACTIVE

Principal Address

2221 NE 164TH STREET
SUITE 377
NORTH MIAMI BEACH FL 33160

Mailing Address
2221 NE 164TH STREET
SUITE 377
NORTH MIAMI BEACH FL 33160

Registered Agent Name & Address
CORPORATION SERVICE COMPANY
1201 HAYS ST
TALLAHASSEE FL 32301 US

Manager/Member Detail
Name & Address

Title MGRM
PAUL ROSMAN
2221 NE 164TH STREET SUITE 377
NORTH MIAMI BEACH FL 33160
===============================





The listed address:

Title MGRM
PAUL ROSMAN
2221 NE 164TH STREET SUITE 377
NORTH MIAMI BEACH FL 33160

is a mail drop and forwarding service:

quote:
Mail Bags Private Mail Box Business Center
2221 NE 164th Street
North Miami Beach, FL 33160
US

Full Service Business Center
305-945-3222 · Fax: 305-949-1689 · mailbags[@]earthlink.net

Private U.S. Mailing Address

Convenient and Confidential

Your Private Mailing Address With Your Personal Suite Number in
North Miami Beach, FL 33160

Pick up your mail and packages at your convenience or we can forward your mail and packages to you anywhere in the world, once a month or as often as you wish.

Private Florida Mailing Address

Call Ellen or Valerie to check your incoming mail
305-945-3222

Ask us about our other business services

Contact Us Today

Private Mail Address Fee Schedule:

Monthly $22.47
Quarterly $67.41
Semi-Annually $134.82
Annually $240

All prices include tax.
There is a one-time $15 setup fee.

The forwarding fee for mail and packages is $10 (plus cost), and a forwarding opening account balance of $50 is required.

We provide you with a street address and suite number.

You may call at any time to inquire about mail received and give instructions regarding forwarding. We will forward your mail at your request anywhere in the world.

You may also fax the information to us 24 hours a day, seven days a week.

We will accept deliveries from UPS, DHL, FedEx, US Post Office and all private courier services.

For $30 a month, you get your own phone number and can receive an unlimited number of calls.

We accept all major credit cards.

You will need to download a form which is required by the post office. Two pieces of identification (driver's license or some other identification that has your picture, and a major credit card, etc.) are needed. All this can be faxed or emailed to us.

If you have any further questions, please do not hesitate to call us, or email us.

»www.mailbags.org





Since Mail Bags Private Mail Box Business Center aka »www.mailbags.org can be set up without ever showing a live body in the office, was it really opened by PAUL ROSMAN? All of the opening documents, including those required by the Post Office, can be downloaded and faxed in along with two forms of identification, one a picture ID. We already know that the Organized Crime Syndicate has an ample supply of US identification edocuments and corresponding picture IDs. I have personally seen the OCS use them.

In this case, I am suspicious because there is no IRS tax id listed in the filings, and the name is spelled wrong, it has two "N"s. Also because of the type of confidential mail forwarding service offered by Mail Bags Private Mail Box Business Center aka »www.mailbags.org. Is PAUL ROSMAN a cyber-mule, or could he be an identity theft victim and the cyber-mule is really someone else? Since recent infiltrations and blocking of the fraud wire proceeds going offshore, the Organized Crime Syndicate is using more sophisticated tactics to shelter and hide the true cyber-mules.

A check of public databases shows only one PAUL ROSMAN in the state of Florida, located about 50 miles away in Port Saint Lucie:




Did the OCS use his Name, picture identity, and SSN to open up the mail drop and then register a Florida LLC in his name? Did they pick a full service mail and faxing forwarding drop close by the address in order to then apply for a merchant account? I am still amazed that merchant accounts could not only be opened specifically and exclusively for card fraud laundering, but also using identity theft. I do not know the answer.

I need a fraud charge victim to post the first 7 digits of the ARN so that the bank business and fraud proceeds wiring Bank can be located.

According to the FTC filings the toll free division repeatedly used identity theft victims:






said by FTC :
The websites of the fake companies purport to sell some kind of product such as electronics and office supplies. (Id.) Each fake company also has a toll-free telephone number, as well as a "home" telephone number for the "owner" of the company. (Id. ¶ 27-31.) The toll-free numbers forward to a cell phone number registered in Belarus. (Id. ¶¶ 30-31.) Defendant(s) Doe also use the names of identity theft victims as "owners" of these fake companies. (PX 1 ¶ 39; PX 2 ¶ 15, Att. D; PX 3 (identity theft victim); PX 4 (same).) Without their knowledge, Defendant(s) Doe provide the victims' name, social security number, and date of birth on merchant account applications. (Id.) Before Defendant(s) Doe use an identity theft victim's name to open an account, they run credit checks on the stolen identities to ensure that the victims have good credit scores so that the merchant accounts are approved by credit card processors. (PX 1 ¶ 40.) These fictitious companies are therefore "owned" by identity theft victims without their knowledge.

MGD

Jodon2

join:2010-09-20

Add another one to the list, a $4.97 charge from Rosmann Enterprises LLC 305-767-1953 showed up on my credit card statement. Called my bank Friday and filed it as a fraud charge. They are sending me a new card.


Zenith

join:2008-03-12
Danville, IL
reply to MGD

Re: Ebook websites, fraud charges, Devbill/DigitalAge/Pluto

Spoke with MGD. He tells me that this thread will go inactive if there aren't any posts made for some period of time. I think this thread has helped many people to realize what is going on out there and how this fraud operation works. MGD is currently working on some very important matters and may be unable to post on the thread for a while. I'd like to suggest that we attempt to keep this thread active by posting any pertinent information that you may have during his absence so the education that MGD has provided us will continue to help others.


Zenith

join:2008-03-12
Danville, IL
reply to MGD

A very similar scam taking place:

»www.msnbc.msn.com/id/39423196/ns···er_news/


garys_2k
Premium
join:2004-05-07
Farmington, MI
Reviews:
·Callcentric
·callwithus

I don't think phone bill cramming is quite the same. This thread's subject scam is all about a widespread Russian organized crime syndicate using mules to set up phony businesses to process fraudulent credit card data (obtained from multiple sources). But maybe the Russian mob is doing the phone cramming, too.


MGD
Premium,MVM
join:2002-07-31
kudos:9

2 edits
reply to MGD

Not only are some of the OCS's long standing card fraud laundering websites such as SCREENSAVERSRISE.COM and IM-GAMED.COM still rolling right along spewing card fraud charges,





now some of the OCS's fraud websites first reported here during their factory creation phase back in May of 2010, are now well seasoned and in full card fraud blasting mode. One such example, which I first reported during its birthing phase in May and is now generating high volumes of search referrals to this thread, is VPNMONSTER.




Since search referrals can only come from someone who knows the domain name, and that is hidden from the world, then the most likely place it is being seen is on bank statements. Very little data has been captured as to the likely location of the crime syndicate's cyber-mule, however recent postings of the billing descriptor on 800notes.com confirm that the cyber-mule and merchant bank account is based in Fresno, California. Though one report also shows an additional three letter tag of QPS FRESNO CA, a check of both Fresno county Fictitious business name registrations and the state of California corporations database has yet to identify the most likely candidate. Again, a posting of the first 7 digits of the ARN for a VPNMONSTER fraud charge would go a long way in identifying the rogue account.

Though the original SCREENSAVERSRISE.COM card fraud domain has now expired and is pending deletion or sale, that apparently has no effect on the merchant account status.


Registrant:
Pending Renewal or Deletion
P.O. Box 430
Herndon, VA. US 20172-0447

Domain Name: SCREENSAVERSRISE.COM

Administrative Contact, Technical Contact:
Pending Renewal or Deletion
P.O. Box 430
Herndon, VA 20172-0447
US
570-708-8786

Record expires on 16-Sep-2010.
Record created on 16-Sep-2009.

»SCREENSAVERSRISE.COM

It has been noted for several years that there was only minimal benefit to killing off the websites, as it appeared to have little or no effect on the syndicate's ability to process fraud charges under the domain once the merchant account has been obtained. There is no apparent ritual of checking by the providers that a functioning website remains in operation for a given merchant account. The only change is that instead of victims reporting charges on their cards from an entity they never actually made a purchase from, it now becomes a charge from an entity that no longer exists, which they could not have made a purchase from. Though in most victim complaint cases that material fact fails to raise much concern in the financial card processing community.

In previous posts I documented multiple systemic errors in the FTC's analysis report on the operation by attorney Wernikoff. As I noted then, the multiple incorrect conclusions were understandable, since a thorough forensic examination would have required significant additional resources. A primary flaw in their conclusion was that the Organized Crime Syndicate was "abusing" the card processing system.

said by Robert McMillan :
...... "We're going to aggressively seek to identify the ultimate masterminds behind this scheme," Wernikoff said. According to him, the scammers found loopholes in the credit card processing system that allowed them to set up fake U.S. companies that then ran more than a million phony credit card transactions through legitimate credit card processing companies. .....
That conclusion is seriously flawed, the OCS is neither "abusing" the systems, nor are they using "loopholes". The Organized Crime Syndicate is simply "USING" the existing system. The FTC's flawed conclusion is that it tends to "absolve" the merchant account system and infer it as being adequate, when in fact it is not. In addition, the FTC's description of "setting up fake U.S. companies" is also flawed. The OCS caused "US companies" to be registered in the proper and normal manner. There was nothing "fake" about the registrations, as per many of the documents that I have posted. Of course the ultimate intent was to operate a fake business, but the registration process contains no process of validating the intent or purpose. While some states' rules require an affirmation that the business be established for lawful purposes, there is neither a vetting process nor actively used criminal statutes of enforcement. Essentially it is an honor system, one in which both the banks and merchant processing system assign significant inherent legitimacy to the fact that a business entity is a properly "registered company". No such legitimacy should be conferred, as other than a small filing fee and a completed form, filed remotely via the Internet in many cases, no validation has been performed, including verifying the identity of the filer.

With such low standards to gain entry on to the card processing highway, and the ability to fleece consumers' account data, "abusing" the system is not necessary, just use it. It is reasonable to expect that eventually this decade long organized criminal operation and the modus operandi used, may generate Congressional hearings once sustained media attention is reached. That such an uninhibited and perpetual system can extort millions of dollars a year from consumers, and shuttle the laundering of the fraud proceeds out of the country unfettered in a post-9/11 era of a Patriot Act encumbered banking system, should raise significant concerns. Not that the entire system is belligerent, rather that there are significant variables in both the detection ability and behavior of the companies involved. The recognition ranges from leading edge and active systems to detect and block it, to the "We do not want to know" why don't you go after Careerbuilder instead, attitude.

One of the top five major financial system processors has for several years now, devoted significant resources to detecting and preventing the OCS from utilizing their services to launder hijacked card data through merchant accounts. Not only have they revised many of the procedures for issuing merchant accounts after recognizing that the OCS was routinely using them, but they also altered the vetting process and instituted advanced detection systems to catch any that may get through. A major west coast corporation with a merchant processing division also has an aggressive active operation to detect, block, and eradicate any of the Crime Syndicate's card fraud laundering operations from their systems. Both of those entities have not only devoted resources to the problem they have an effective strategy that significantly mitigates the ability for their systems to be abused in this manner. The problem is that though these entities are the "gold" standard for proper practices, it is not universal within the merchant processing system.

The FTC's Wernikoff is correct when he states:

said by Robert McMillan :
....."It was a very patient scam," said Steve Wernikoff, a staff attorney with the FTC who is prosecuting the case. "The people who are behind this are very meticulous." ....
The OCS has no problem probing, identifying, then flooding the merchant account providers and processors with substandard vetting and monitoring procedures, thus mitigating the effect of the few that do practice and utilize leading edge standards for fraud mitigation. In fact, one does not need to be a guru statistician to derive reasonable conclusions as to where First Data Corp fits in the picture in terms of the preventative standards of merchant fraud account implementations:

said by Robert McMillan :
..... One of the largest payment processors in the U.S., First Data, was a favorite of the scammers. Of the 116 fake merchant accounts the FTC uncovered, 110 were with First Data.
......... First Data would not comment on the measures it had taken to improve its merchant vetting process, but the company did confirm that it cooperated with the FTC investigation. .....
95% of the fraud merchant accounts uncovered by the FTC were through First Data Corp, clearly an overwhelming path of least resistance to the fraud operation. More significant is the fact that the entire FTC operation does not even address 5% of the Organized Crime Syndicate's operation during the relevant period, so the actual number of accounts that were, and still are, using the services of First Data Corp can be any significant multiple of that number. It is therefore reasonable to assume that a significant number of fraud charging is still occurring through their system today.

It is not that First Data Corp intentionally facilitates the Crime syndicate, try as you might with any merchant account provider, and describe on your account application that you want a merchant account to process hijacked card data into cash, and you will never get one. In fact, it was First Data Corp who stepped up to the plate in 2008, and without hesitation immediately froze the merchant account of the OCS's EyeCon Technologies LLC. First Data Corp intervened after a security official at PNC Bank in Pittsburgh stated that he had no interest in delving into potential fraud and money laundering business accounts operating in his institution. Though First Data Corp acted immediately, they failed to recognize the implications that if you have one, then you probably have many.

Remember, the most incorrect and flawed statement made to date by the FTC's Wernikoff, is:
said by Robert McMillan :
.... The FTC's Wernikoff believes that whoever is responsible for this crime lives outside of the U.S., but with the money-cashing operation now busted up, the scammers will have to start again from scratch, if they want to keep bilking consumers. And criminal investigators now have a trail to follow.

"Does it prevent the people ultimately responsible from building up again from scratch?" he asked. "No. But we do hope that this seriously disrupts them." ...
Ref: »www.computerworld.com/s/article/···ompanies

Though well intentioned, that diagnosis and conclusion could not be any further away from reality. They removed half a tentacle from the Octopus and declared it immobilized. Eventually, if there is an award for the most complacent entity in the entire operation, that will undoubtedly be given to Authorize.net / Cybersource / VISA. Over 90% of the OCS's fraudulent merchant accounts contain at least one, if not several, "red flags" which classify them as suspicious. While the communications from the OCS show that they are adept at monitoring and adapting to the weakest link in the chain for obtaining and sustaining the fraudulent merchant accounts, they never varied from designating Authorize.net / Cybersource / VISA as the gateway provider.

Edit Add:

There are far too many victim reports such as this, that may never be included in the FTC's type of analysis:

SCREENSAVERSRISE.COM:

quote:
robbie
5 h 14 min ago

I saw the charge and my bank said I had to call screen savers, they were polite and said the charge would be removed. Two weeks later they charged me again. My bank would do nothing .. so I had them issue me a new debit card...six months later I received another charge right after making a small purchase from an online store in New Jersey. I canceled the card. I filed a complaint with the FBI site mentioned above..it was kinda lose info but hope it helps stop these creeps.

»800notes.com/Phone.aspx/1-240-284-4437

MGD