dslreports logo
 
    All Forums Hot Topics Gallery
spc
Search similar:


uniqs
815291
MGD
MVM
join:2002-07-31

1 edit

1 recommendation

MGD

MVM

Re: Ebook websites, fraud charges, Devbill/DigitalAge/Pluto

said by Robert McMillan :
"We're going to aggressively seek to identify the ultimate masterminds behind this scheme," Wernikoff said. According to him, the scammers found loopholes in the credit card processing system that allowed them to set up fake U.S. companies that then ran more than a million phony credit card transactions through legitimate credit card processing companies.

Wernikoff doesn't know where the scammers obtained the credit card numbers they charged, but they could have been purchased from online carder forums, black market Web sites where criminal buy and sell stolen information.

It became apparent as far back as 2004 that the OCS was a vertical operation, and was directly infiltrating the financial system to obtain the card data. That conclusion did not come solely from monitoring the going rate at that time for card dumps on multiple hidden underworld forums, did not make the operation economically viable. Back then, at $9 per fraud hit, it would have taken 3 successful hits to a card before a profit was turned.

More than that, it was the repeated reports of some of the victim's card history which pointed to something far more sinister. Take the CENTER COMPANY --> EBSEBOOKS connection above, the "DAVID BERGMAN" bogus deflection replies all the way back to the 2004 era of the ABSOLUTE-SOFT.COM version 2.O and this forum:

Circa early 2004:



»Who is Absolute-soft???

Then: »$9.95 scam.. check your bank statements. security

By 2005 the growing appearance of the real extent of the operation: »Re: I got the same changes ....

The beginning of a comprehensive monitoring of the unusual circumstances of some of the victim card data:

But this is now TWO YEARS Later, one fraud entity is still going:
quote:
===========================================
Mark says:
January 21, 2006 at 8:39 am
Hi all,

I got hit in December on a CC that has NEVER been used at NewEgg, Buy.com, etc, and has never been typed online for that matter. It was only used once with a PHONECALL order. The credit card has been in my safe for months, so ANY charge I get is fraudulent. I am making an educated guess that the breakdown is somewhere in the mechanism that communicates the CC number and info for approval. Maybe the common denomincator is the company that certain merchants are using for CC authentication.

Just a thought…
===========================================

I wondered if there was a connection:
State of California

Entity Name: ABSOLUTE SOFTWARE CONSULTING LLC
Entity Number: 200336010080
Date Filed: 12/22/2003
Status: CANCELED
Jurisdiction: CALIFORNIA
Entity Address: 22806 SAILWIND WAY
Entity City, State, Zip: LAKE FOREST CA 92630
Agent for Service of Process: EVELYN NAZARIO
Agent Address: 22806 SAILWIND WAY
Agent City, State, Zip: LAKE FOREST CA 92630
Digging even deeper, there appeared to be:
quote:
Credit card charged by absolute-soft.com

August 18, 2005

Absolute-soft.com, CA.

They charged my credit card $9.95. I never heard of this company and I never ordered or bought anything from them. I sent them an email detailing the problem. I received an email back from

This is what the email said:

--------------------------------

"My name is David Bergman and I represent Absolute Software Consulting LLC Customer Service.

We got an e-mail from you reporting a charge of $9.95 on your credit card. Thank you for reporting about this situation promptly. I guess I should explain everything to you. Our company produces web design products, mostly website templates - primary web pages with no content. The price of each template is $9.95

thus your card was charged for the price of a template bought on our website. In this regard I have a very important question for you: Are you sure that nobody but you has access to your credit card information(name and number)? You see, if your card was charged and you didn't know about that somebody does have your card information and can use it. Please check it. We have already removed the charge you reported. The refund will be stated in the account within three or four business days. Nevertheless I strongly recommend you to call your bank and ask them to issue another card for you. Because if your card was once charged without your notification there's no guarantee that the person

having access to the CC information wouldn't use it again. It is also possible that some banking error occurred and your card was charged by mistake but still please call them and talk it over. Best regards,

===========================================
joe says:
July 26, 2006 at 3:45 pm

I had this charge, got a new bank card and the charge has appeared again. How did they get my new number that is only a week old. Someone is getting hacked, the bank or the merchants!
===========================================
Eric says:
July 27, 2006 at 6:37 pm

I got this charge back in May on 1 of my cards. I had it corrected and got a new credit card number. Just last week the charge came up again on a different card from a different company. Got that fixed 3 days ago and wouldn’t you know another charge from them yesterday on another different card. PLEASE somebody find out how to stop this. We shouldn’t have to change all our cards because of 1 fake company!
===========================================
Jim says:
August 17, 2006 at 10:10 am

I recieved this charge on my bank account 8/9. I am trying to get it refunded.
===========================================
DC says:
August 17, 2006 at 5:39 pm

Absolute-Soft.com hit me today for 9.95 on my debit card. Called the bank to close/change account. How they can get away with this for over 2 years is beyond me. You’d think the banks would set up some sort of common list where companies like Absolute-Soft wouldn’t even be able to submit charges at major institutions. A 5 minute internet search shows the level of this scam. Ridiculous.

absolute-soft.com
===========================================

This was far more than someone buying card dumps. In several instances over time it appeared that all the cards a victim had, issued by several institutions, were sequentially charged with fraud. It was if they were also accessing combined lists of card data alphabetically.

By 2006 not only are reports of fraud charging all over DSLR, but forum pockets all over the internet can be found of the same fraud reports. Start collecting names:

»www.jerseysmarts.com/200 ··· y-fraud/

I knew back then that killing the websites had no effect on their ability to keep merchant processing accounts:

»www.jerseysmarts.com/200 ··· d-fraud/

They could just resurface anywhere, but remain hidden with the first use of "no index" and "no follow" meta tags:

»Credit card criminals Devbill have a new home !!!

Was the four year and plus, card fraud laundering runs of KCSOFTLLC and EBSEBOOKS.COM aka Electronic Business Resource an aberration, a quirk within the financial system that they managed to slip through and continue fraud processing?.

No, they are just two of many examples. Absolute-soft.com aka ABSOLUTE SOFTWARE CONSULTING LLC began fraud charging in early 2004. Five years, HALF A DECADE later, this crops up in April of 2009:





Let's go back and have another look at that California corporation's database:
Entity Name: ABSOLUTE SOFTWARE CONSULTING LLC
Entity Number: 200924410303
Date Filed: 09/01/2009
Status: ACTIVE
Jurisdiction: CALIFORNIA
Entity Address: 22806 SAILWIND WAY
Entity City, State, Zip: LAKE FOREST CA 92630
Agent for Service of Process: BUSINESS FILINGS INCORPORATED
(C2113485)
Agent Address: *
Agent City, State, Zip: *
Apparently a 2009 refreshed registration.
.

MGD
MGD

1 edit

1 recommendation

MGD to Whip5

MVM

to Whip5
said by Whip5:

...
P.S. I copy and paste your message from page 4 on 800notes to the first page MGD.
ref:»800notes.com/Phone.aspx/ ··· 470-0407

Amazing how crumbs of evidence data can be linked together to demonstrate the size of this extensive massive fraud operation. Take the current INTEGRATEDIDEA.COM aka FBN INTEGRATED IDEA 816-470-0407 listed on the previous page 51




The task of establishing common links across the entire multi-year landscape of this Organized Crime Syndicate, requires the meticuluos cross checking of data snippets over a vast array of data, in order to identify evidence of the intricate connections. With respect to additional tie ins of INTEGRATEDIDEA.COM aka FBN INTEGRATED IDEA 816-470-0407 to the OCS, that came from a small window of opportunity when they let the domain cloaking of INTEGRATEDIDEA.COM slide, and thus exposed the original registration to an identity theft victim:




That victim's name used for the original domain registration is an exact match to another fraud domain registration from early 2008. In fact, this match to a card fraud laundering website domain registration has not been reported on in this thread before now.

The related story begins in March of 2008, when, during an audit of several known servers in use by the OCS, a freshlly minted card fraud laundering website mobilehomestuffstoreplus.com was discovered:





Registrant:
Domains by Proxy, Inc.
DomainsByProxy.com
15111 N. Hayden Rd., Ste 160, PMB 353
Scottsdale, Arizona 85260
United States

Domain Name: MOBILEHOMESTUFFSTOREPLUS.COM
Created on: 22-May-08
Expires on: 22-May-09


A few months later:


Registrant:
Wild West Domains
14455 N Hayden Rd
Suite 219
Scottsdale, AZ 85260
United States

Domain Name: MOBILEHOMESTUFFSTOREPLUS.COM
Created on: 22-May-08
Expires on: 22-May-09
Last Updated on: 03-Sep-08

Administrative Contact:
domains for sale, Wild West Domains
confiscateddomain@wildwestdomains.com


The duped cyber-mule was located and contacted. They were recruited from their resume posted on careerbuilder.com by the known OCS HR fraud of THECAREERPLANET.COM and the fake name of Anneliese Aitken anneliese.aitken@thecareerplanet.com:




Fortunately the cyber-mule had just been approved for a merchant account on the day that they were contacted, so this operation was nipped in the bud:




Glad that they were alerted before the fraud operation got off the ground, the duped cyber-mule turned over records of the communications in order to help. One email from the OCS confirming that they had registered an LLC online called AVANT-GARDE
quote:
From: Anneliese Aitken anneliese.aitken@thecareerplanet.com
To: XXXXXXXXXXXXXXXXXX
Sent: Tue, 4 Mar 2008 9:15 pm
Subject: Re: Independent Contractor Agreement

Dear XXXXXXXXXXXX

The registration of LLC is started.?

The name is "Avant-garde" (title: on-line trading).?

The order for registration is already send and you will receive the documents?

during 1-2 weeks.?

When you receive it, please don't forget to send me the scan of Certificate of Status.?
Sincerely yours,

Anneliese Aitken

www.TheCareerPlanet.com




This was not the LLC that was registered on behalf of the cyber-mule, who also confirmed that only one had been issued, and they never understood the purpose of the email from the OCS.




A check within the home state records of the mule showed no such registration. Clearly the OCS had sent the email to the wrong cyber-mule. Understandable, since they have numerous duped recruits at a time. But who and where did it belong to ?. That "Avant Garde" name os so common it returned thousands of search hits. Plus there was a huge list of businesses formations matching that name across the US, none of which matched the criteria. A cross check of many thousands of various domain name configurations of that name did not turn up a positive ID. The lead was shelved and then returned to intermittingly for rechecking. Surely there would be a future report of fraud charges. Finally, after repeated checking a possible lead was found in the state of Colorado's corporation database records:




And the date of incorporation matched to the email from the OCS:






Then another bloodhound hunt to find the matching card fraud laundering website:

AVANT-GARDE LLC aka AVANTG.ORG 719-387-7249 & 424-785-1586




.

719-387-7249 phone number comments:
quote:
========================================
Laurie -
1 Jan 2009
My debit card gets charged $4.99 every couple of months. I have cancelled the card and received a new one and the same thing has happened. I don't know how the company gets the number because I only use this card for deposits and withdrawals as it is not my main account. The company is listed as Avant Garde LLC in Woodland Park, CO. The number 719-387-7249 listed on my statement is not a working number. I cannot find out much else about this company. I live in Florida.
Caller: Avant Garde LLC
========================================

Individually, within the system there are smart people. However, each is only exposed to tiny segments of the Organized Crime Syndicate. Very few see the big picture, the lack of "collective Intelligence gathering" gathered from outside the walled garden. Only by going out in the field can proper Threat Reconnaissance to the financial system be performed.
quote:
========================================
DIRECT MERCHANTS BANK
8 Jan 2009

CREDIT CARDS ARE BEING CHARGED $ 4.99 EVERY FEW MONTHS. THE COMPANY AVANT GARDE LLC APPEARS TO EXIST ONLY TO COMMIT CREDIT CARD FRAUD, THIS PHONE NUMBER IS NOT A WORKING PHONE NUMBER.
========================================

»whocallsme.com/Phone-Num ··· 93877249

Victim fraud complaints from late 2008: »800notes.com/Phone.aspx/ ··· 387-7249

The contact phone number listed originally on the AVANTG.ORG was used by the known card fraud laundering operation of YOURPLPROJECT.ORG

Now look at the Mar-2008 identity theft domain registration for AVANTG.ORG:


Domain ID:D151986593-LROR
Domain Name:AVANTG.ORG
Created On:11-Mar-2008 23:47:41 UTC
Last Updated On:12-Mar-2008 00:53:24 UTC
Expiration Date:11-Mar-2009 23:47:41 UTC
Sponsoring Registrar:eNom, Inc. (R39-LROR)
Status:CLIENT TRANSFER PROHIBITED
Status:TRANSFER PROHIBITED
Registrant ID:ad963fb564e
Registrant Name:Alesia Painter
Registrant Organization:AVANTG.ORG
Registrant Street1:1214 E Main St
Registrant Street2:
Registrant Street3:
Registrant City:Luray
Registrant State/Province:VA
Registrant Postal Code:22836
Registrant Country:US
Registrant Phone:+1.7193877249
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email:Apmail1976@gmail.com


Almost a year later the card fraud laundering domain of INTEGRATEDIDEA.COM is registered, but privacy cloaked and hidden:


Domain name: INTEGRATEDIDEA.COM

Administrative Contact:
Whois Privacy Protection Service, Inc.
Whois Agent (wlfxvmdl@whoisprivacyprotect.com)
+1.4252740657
Fax: +1.4259744730
PMB 368, 14150 NE 20th St - F1
C/O integratedidea.com
Bellevue, WA 98007
US

Creation date: 18 Feb 2009
Expiration date: 18 Feb 2010


However, in March of 2010 shortly after the domain registration was renewed for a second year the privacy cloaking fee was not paid and the shield was lifted:


Registration Service Provided By:
Landis Holdings Inc.
Contact: sales[@]jaguarpc.com

Domain name: INTEGRATEDIDEA.COM

Registrant Contact:
-
Alesia Painter (Alesia.Painter555@gmail.com)
+1.8164700407
Fax:
1214 E Main St
Luray, VA 22836
US

Status: Locked

Name Servers:
yns1.yahoo.com
yns2.yahoo.com

Creation date: 18 Feb 2009 00:47:46
Expiration date: 18 Feb 2011 00:47:00

.

MGD
MGD

1 recommendation

MGD

MVM

One of the current most prolific card fraud charging entities:

SCAM FRAUD= AKA SCREENSAVERSRISE.COM 240-284-4437 = FRAUD SCAM




Not only are they generating frequent search hits to this thread, but the huge fraud volume can be seen just by the number of complaints on 800notes during July. Figure at the very least 1,000 victims or more for each one that posts.









»800notes.com/Phone.aspx/ ··· 284-4437

The SCREENSAVERSRISE cyber-mule Saira Bano Farooq lacks contact info and has apparenlty moved from the Washington DC / Rockville MD area. She has also removed her previous LinkedIn profile:

»/r0/do ··· aira.png

The Linkedin.com profile can be found on Google but is NLA on the site.

===============================
Saira Bano Farooq

President at SCREENSAVERSRISE.COM

Washington D.C. Metro Area
Contact Saira Bano Farooq
Add Saira Bano Farooq to your network

Current President, Owner, Producer, and
Writer at TheFantasticBlog

President at SCREENSAVERSRISE.COM
Past President, Owner, Writer at
BeautifulMoonlight
Industry Entertainment
-------------------------------

Saira Bano Farooq’s Experience
President, Owner, Producer, and Writer
TheFantasticBlog
(Entertainment industry)

2009 — Present (1 year )

President
SCREENSAVERSRISE.COM
(Entertainment industry)

2009 — Present (1 year )

President, Owner, Writer
BeautifulMoonlight
(Entertainment industry)

2006 — 2009 (3 years )
===============================

If a fraud victim can post the first 7 digits of the ARN, we will be able to identify the banking institution where the business account which is receiving the fraud proceeds is located. That bank and account will also be serving as the conduit where the card fraud proceeds are being wired out of the country from. Needless to say VISA which now owns authorize.net / Cybersource is undoubtly serving as the gateway processing counduit for the OCS card fraud laundering operation.

The fraud charging apparently began sometime back in January 2010 with the first victim report in this forum HERE:

Also noteworthy is that arounf June 9th the OCS moved the website hosting from:

====================================
NS1.CROW.ARVIXE.COM
NS2.CROW.ARVIXE.COM

Server Type:Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 mod_jk/1.2.28

IP Address:174.120.229.131
IP Location: - Texas - Dallas - Theplanet.com Internet Services Inc
Response Code: 200
Domain Status: Registered And Active Website
====================================


NAMESERVER FROM TO
-------------------------------------------------------------
2010-06-09 Transfer Arvixe.com Siteprotect.com
.
.
HOSTING FROM TO
-------------------------------------------------------------
2010-06-09 Change 174.120.229.131 207.150.212.132


To here: »SCREENSAVERSRISE.COM

Server Type: Apache
IP Address: 207.150.212.132
IP Location: - United States - Affinity Internet Inc
Response Code: 200
Domain Status: Registered And Active Website

Domain servers in listed order:

ADNS.CS.SITEPROTECT.COM
BDNS.CS.SITEPROTECT.COM

MGD
MGD

1 edit

1 recommendation

MGD

MVM

If you recall, back in September of 2009 there was a post by iDeceive See Profile regarding the OCS cyber-mule recruting of SKYDEX SOFT LTD aka SKYDEXSOFT.COM Alex Malenkovsky career@skydexsoft.com

SKYDEXSOFT:




was the continuation of a long series of runs of fake recruiting companies that fraudulently and repeatedly utilized the significant resources of CAREERBUILDER.COM to source resumes and place job adds to lure cyber-mule victims. However SKYDEX SOFT LTD aka SKYDEXSOFT.COM appeared to hold the known Careerbuilder.com record to date, by placing in excess of 150 concurrent cyber-mule job adds in every major metropolitan area of the US. A fact which highlights the complete failure of Careerbuilder to use reasonable and usual care in protecting either hosted resumes or job seekers from becoming cyber-mule victims.

This thread has documented an extensive series of both recruiting and employer accounts on Careerbuilder orchestrated by this Organized Crime Syndicate. Since many of these multiple job posting campaigns would have cost a significant amount of money it is doubtful that the OCS was utilizing the card fraud proceeds to pay for these resources. My suspicion is that they were charging the costs to their massive hijacked card database. One can test the extent of how criminals have infiltrated careerbuilder.com by placing a bogus resume on there with a valid email address and review the subsequent solicitations.




The skydexsoft.com domain was hosted in the Ukraine, and the domain was fraudulently registered to an identity theft victim from California. As shown in the original post, the email account used for the domain reg jglenn19@gmail.com had a Russian language password recovery option:

»/r0/do ··· eset.png

At the time of the original uncovering I audited and collected as much relevant data for later forensic examination. I presumed the related recruiting activity went dormant shortly afterwards however it appears that may not have been the case. While many lower level job websites scrape and re issue job postings long after they have expired in order to drum up business, several SKYDEX SOFT LTD aka SKYDEXSOFT.COM job postings were active with February, March, April, and May of 2010 issued dates. Whether these were really fresh postings or the work of scam job sites is difficult to tell:













The reposting of job adds from Sptember of 2009, 6 to 8 months later, even for secondary scammy jobsites, would be a new low, but again it is difficult to account for all of these as reposts.

Part of the data recovered for forensic examination was a Microsoft word document that was subsequently uploaded to the Skydexsoft.com website by the OCS shortly before the massive Careerbuilder.com cyber-mule job posting. If you recall, the job adds directed the potential victims to the skydexsoft.com website to complete the application and resume submittal process. Though it has been discussed before one of the severe issues with the OCS operation is the thousands of resumes which they both collect and peruse over on websites. While normally a resume is not considered an identity theft issue, when they are combined with subsequent picture identity scans by potential recruits, such as driver's licenses, etc, that combination and volume existing in the database of such a crime syndicate raises significant and serious issues. For example, could the personal history and identity documents be used to obtain travel documents, or other significant resources in the pursuit of a criminal operation. One of the unknown factors to date, is whether they are registering the portion of fraud proceeds converted to prepaid debit cards to prior applicants who they have the picture identity and resumes of.

The document recovered from Skydexsoft.com was titled SkydexSoft FAQ:












I have often wondered if the Organized Crime Syndicate's detailed knowledge of the US financial system, structure, taxation, etc, was all acquired from distance learning. I can tell you one thing though, of the hundreds of documents and communications that I have examined from the Organized Crime Syndicate over the past five years, all of them, without exception, including the one above, specify and mandate that AUTHORIZE.NET are to be used for the processing of the card data.

In this case the most interesting data from an evidentiary standpoint, is not the level of detail and knowledge about the US financial system, but rather the meta data contents which were embedded by default within the document. In this case the MS Word document was prepared on a computer whose native language was set to Russian Cyrillic, the user is "Admin", and the default OS computer company name from where the document originated is: "MoBIL GROUP"




An exhaustive search for the name MoBIL GROUP where the native language setting would be Russian Cyrillic yields only one matching entity located in Saint Petersburg, in the Russian federation. How relative or significant this depends on several unknown variables. The data is listed in an image format because there is no direct implication of the company itself being involved:








There are several possible scenarios, including how many computers there are with that installation name, clones etc. If it is the correct company, and the named install is limited to them, it is possible that it could be an employee at any level. Though from "Admin" the focus would not be on the janitor.

Over time, sifting through Terabytes of data to see if any other documents exist anywhere around the globe with the same matching embedded meta data. It is possible that the above meta data could be a "smoking gun", especially if the number of computers configured as "Admin" with an installed company name of "MoBIL GROUP" is a very limited number, though that remains to be seen.

Clearly the document is not ambiguous, and has a specific intent. It serves only one purpose, that is to recruit cyber-mules to act as partners by forming a US business entity, opening a US business bank account, and obtaining merchant processing services. The services are used exclusively to process charges against hijacked card data, then launder the stolen proceeds by wiring them out of the US from the cyber-mule's business bank accounts. Obviously there is a direct connection of some form, between the fraudulent document, its creation, and an entity named "MoBIL GROUP" whose default setting is Cyrillic.

MGD

MGD

MGD

MVM

Re: Rosmann Enterprises LLC 305-767-1953

FRAUD ALERT: IM-GAMED.COM LLC aka IM-GAMED.COM 303-872-7857

Attention FTC, what happens when victims do not cancel their cards after the first fraud charge.

It may take a while, but MGD then picks up another of the Organized Crime Syndicate's fresh card fraud laundering entity.

The last post only a few hours ago:
said by whocallsme.com :
=====================================
NCvictim
11 May 2010
They got me today as well, but only for $1.89. Called and canceled card, passed along the above information to financial institution.
Caller: IM-GAMED.COM LLC
=====================================
truely disgusted
13 May 2010
Noticed the same $4.89 charge from IMGAMED.COM today on my visa account. When I went to investigated the site I came across multiple bloggs with complaints about this fraud. Called and cancelled credit card~now must wait for new ones:( This is absolutely rediculous! Thanks for all your post!
=====================================
jefepiloto replies to Old Computer Wizard
24 May 2010
Just got the same charge to my Chase account
=====================================
royallen
16 Aug 2010
the scam continues,seems like the banks don't care,law enforcement doesn't care,and the thieves continue to get rich five dollars at a time
=====================================
DBS
10 h 55 min ago
I too had this happen to me back in May. I got just a similar "not in svc" msg when I called it. Thinking it may have been just a fluke I didn't bother to cancel my debit card. I just had a similar charge ($4.97) from a Rosmann Enterprises LLC with a phone number of 305-767-1953 from Keys, Fla. When I called it I was told (by a persone w/a British accent) the person I was calling was unavailable & instructed to lve a msg. Keep an eye out for this one too folks! My card is changed as soon as the bank opens in the morning!
=====================================

»whocallsme.com/Phone-Num ··· 727857/2

FRAUD SCAM = ROSMANNENTERPRISES.COM aka Rosmann Enterprises LLC 305-767-1953 »rosmannenterprises.com




LOL!!! = "TOYS UNDER $10"

Address: 2221 NE 164th Street,
North Miami Beach, FL 33160
Phone: 1-(305)-767-1953
Email: support@rosmannenterprises.com

You can also use the form below to send a quick message.
Please tell us your name, your question and your email information.
Your issue will be addressed as soon as possible. Full Name:




ROSMANNENTERPRISES.COM

Registrar: ENOM, INC.

Registration Service Provided By:
NameCheap.com
Contact: support[@N]ameCheap.com

Domain name: rosmannenterprises.com

Registrant Contact:
WhoisGuard
WhoisGuard Protected ()

Fax:
8939 S. Sepulveda Blvd. #110 - 732
Westchester, CA 90045
US

Administrative Contact:
WhoisGuard
WhoisGuard Protected
(b9e143e0ff1f442b9ff27a9845f6f5d7.protect@whoisguard.com)
+1.6613102107
Fax: +1.6613102107
8939 S. Sepulveda Blvd. #110 - 732
Westchester, CA 90045
US

Name Servers:
dns1.registrar-servers.com
dns2.registrar-servers.com
dns3.registrar-servers.com
dns4.registrar-servers.com

Creation date: 21 Jun 2010 14:42:00
Expiration date: 21 Jun 2011 09:42:00


===============================
IP Location: United States Scottsdale Godaddy.com Inc
Resolve Host: ip-97-74-216-48.ip.secureserver.net
IP Address: 97.74.216.48
===============================

===============================
Florida Limited Liability Company

ROSMANN ENTERPRISES LLC

Filing Information
Document Number L10000065008
FEI/EIN Number NONE ----------->LOOK
Date Filed 06/17/2010
State FL
Status ACTIVE

Principal Address

2221 NE 164TH STREET
SUITE 377
NORTH MIAMI BEACH FL 33160

Mailing Address
2221 NE 164TH STREET
SUITE 377
NORTH MIAMI BEACH FL 33160

Registered Agent Name & Address
CORPORATION SERVICE COMPANY
1201 HAYS ST
TALLAHASSEE FL 32301 US

Manager/Member Detail
Name & Address

Title MGRM
PAUL ROSMAN
2221 NE 164TH STREET SUITE 377
NORTH MIAMI BEACH FL 33160
===============================





The listed address:

Title MGRM
PAUL ROSMAN
2221 NE 164TH STREET SUITE 377
NORTH MIAMI BEACH FL 33160

is a mail drop and forwarding service:
quote:
Mail Bags Private Mail Box Business Center
2221 NE 164th Street
North Miami Beach, FL 33160
US

Full Service Business Center
Home / FAQ / About Mail Bags / Contact Us 305-945-3222 · Fax: 305-949-1689 · mailbags[@]earthlink.net

Private U.S. Mailing Address

Convenient and Confidential

Your Private Mailing Address With Your Personal Suite Number in
North Miami Beach, FL 33160

Pick up your mail and packages at your convenience or we can forward your mail and packages to you anywhere in the world, once a month or as often as you wish.

Private Florida Mailing Address

Call Ellen or Valerie to check your incoming mail
305-945-3222

Ask us about our other business services

Contact Us Today

Private Mail Address Fee Schedule:

Monthly $22.47
Quarterly $67.41
Semi-Annually $134.82
Annually $240

All prices include tax.
There is a one-time $15 setup fee.

The forwarding fee for mail and packages is $10 (plus cost), and a forwarding opening account balance of $50 is required.

We provide you with a street address and suite number.

You may call at any time to inquire about mail received and give instructions regarding forwarding. We will forward your mail at your request anywhere in the world.

You may also fax the information to us 24 hours a day, seven days a week.

We will accept deliveries from UPS, DHL, FedEx, US Post Office and all private courier services.

For $30 a month, you get your own phone number and can receive an unlimited number of calls.

We accept all major credit cards.

You will need to download a form which is required by the post office. Two pieces of identification (driver's license or some other identification that has your picture, and a major credit card, etc.) are needed. All this can be faxed or emailed to us.

If you have any further questions, please do not hesitate to call us, or email us.

»www.mailbags.org





Since Mail Bags Private Mail Box Business Center aka
»www.mailbags.org can be set up without ever showing a live body in the office, was it really opened by PAUL ROSMAN ?. All of the opening documents, including those required by the Post Office can be downloaded and faxed in along with two forms of identification, one a picture ID. We already know that the Organized Crime Syndicate has an ample supply of US identification edocuments and corresponding picture IDs. I have personally seen the OCS use them.

In this case, I am suspicious because there is no IRS tax id listed in the filings, and the name is spelled wrong is has two "N"s. Also because of the type of confidential mail forwarding service offered by Mail Bags Private Mail Box Business Center aka »www.mailbags.org. Is PAUL ROSMAN a cyber-mule or could he be an identity theft victim and the cyber-mule is really someone else. Since recent infiltrations and blocking of the fraud wire proceeds going offshore the Organized Crime Syndicate is using more sophisticated tactics to shelter and hide the true cyber-mules.

A check of public data bases shows only one PAUL ROSMAN in the state of Florida, located about 50 miles away in Port Saint Lucie:




Did the OCS use his Name, picture identity, and SSN to open up the mail drop and then register a Florida LLC in his name?. Did they pick a full service mail and faxing forwarding drop close by the address in order to then apply for a merchant account. I am still amazed that merchant accounts could not only be opened specifically and exclusively for card fraud laundering, but also using identity theft. I do not know the answer.

I need a fraud charge victim to post the first 7 digits of the ARN so that the bank business and fraud proceeds wiring Bank can be located.

According to the FTC filings the toll free division repeatedly used identity theft victims:




said by FTC :
The websites of the fake companies purport to sell some kind of product such as electronics and office supplies. (Id.) Each fake company also has a toll-free telephone number, as well as a "home" telephone number for the "owner" of the company. (ld.~ 27-31.) The toll-free numbers forward to a cell phone number registered in Belarus. (Id.~~ 30-31.) Defendant( s) Doe also use the names of identity theft victims as "owners" of these fake companies. (PX 1 ~ 39; PX 2 ~ 15, Att. D; PX 3 (identity theft victim); PX 4 (same).) Without their knowledge, Defendant(s) Doe provide the victims' name, social security number, and date of birth on merchant account applications. (Id.) Before Defendant( s) Doe use an identify theft victim's name to open an account, they run credit checks on the stolen identities to ensure that the victims have good credit scores so that the merchant accounts are approved by credit card processors. (PX I ~ 40.) These fictitious companies are therefore "owned" by identity theft victims without their knowledge.

MGD
Jodon2
join:2010-09-20

Jodon2

Member

Add another one to the list, a $4.97 charge from Rosmann Enterprises LLC 305-767-1953 showed up on my credit card statement. Called my bank Friday and filed it as a fraud charge. They are sending me a new card.
Zenith5
join:2008-03-12
Danville, IL

Zenith5 to MGD

Member

to MGD

Re: Ebook websites, fraud charges, Devbill/DigitalAge/Pluto

Spoke with MGD. He tells me that this thread will go inactive if there aren't any posts made for some period of time. I think this thread has helped many people to realize what is going on out there and how this fraud operation works. MGD is currently working on some very important matters and may be unable to post on the thread for awhile. I'd like to suggest that we attempt to keep this thread active by posting any pertinent information that you may have during his absence so the education that MGD has provided us will continue to help others.
Zenith5

Zenith5 to MGD

Member

to MGD
A very similar scam taking place:

»www.msnbc.msn.com/id/394 ··· er_news/

garys_2k
Premium Member
join:2004-05-07
Farmington, MI

garys_2k

Premium Member

I don't think phone bill cramming is the quite the same. This thread's subject scam is all about a widespread Russian organized crime syndicate using mules to set up phony businesses to process fraudulent credit card data (obtained from multiple sources). But maybe the Russian mob is doing the phone cramming, too.
MGD
MVM
join:2002-07-31

2 edits

MGD

MVM

Not only are some of the OCS's long standing card fraud laundering websites such as SCREENSAVERSRISE.COM and IM-GAMED.COM still rolling right along spewing card fraud charges,





now some of the OCS's fraud websites first reported here during their factory creation phase back in May of 2010, are now well seasoned and in full card fraud blasting mode. One such example which I first reported during its birthing phase in May, is now generating high volumes of search referrals to this thread is VPNMONSTER.




Since search referrals can only come from someone who knows the domain name, and that is hidden from the world, then the most likely place it is being seen is on bank statements. Very little data has been captured as to the likely location of the crime syndicate's cyber-mule, however recent postings of the billing descriptor on 800notes.com confirm that the cyber-mule and merchant bank account is based in Fresno, California. Though one report also shows an additional three letter tag of QPS FRESNO CA a check of both Fresno county Fictitious business name registrations and the state of California corporations database has yet to identify the most likely candidate. Again, a posting of the first 7 digits of the ARN for a VPNMONSTER fraud charge would go a long way in identifying the rogue account.

Though the original SCREENSAVERSRISE.COM card fraud domain has now expired and is pending deletion or sale, that apparently has no effect on the merchant account status.


Registrant:
Pending Renewal or Deletion
P.O. Box 430
Herndon, VA. US 20172-0447

Domain Name: SCREENSAVERSRISE.COM

Administrative Contact, Technical Contact:
Pending Renewal or Deletion
P.O. Box 430
Herndon, VA 20172-0447
US
570-708-8786

Record expires on 16-Sep-2010.
Record created on 16-Sep-2009.

»SCREENSAVERSRISE.COM

It has been noted for several years that there was only minimal benefit to killing off the websites, as it appeared to have little or no effect on the syndicate's ability to process fraud charges under the domain once the merchant account has been obtained. There is no apparent ritual of checking by the providers that a functioning website remains in operation for a given merchant account. The only change is that instead of victims reporting charges on their cards from an entity they never actually made a purchase from, it now becomes a charge from an entity that no longer exists, which they could not have made a purchase from. Though in most victim complaint cases that material fact fails to raise much concern in the financial card processing community.

In previous posts I documented multiple systemic errors in the FTC's analysis report on the operation by attorney Wernikoff. As I noted then, the multiple incorrect conclusions were understandable, since a thorough forensic examination would have required significant additional resources. A primary flaw in their conclusion was the the Organized Crime Syndicate was "abusing" the card processing system.
said by Robert McMillan :
...... "We're going to aggressively seek to identify the ultimate masterminds behind this scheme," Wernikoff said. According to him, the scammers found loopholes in the credit card processing system that allowed them to set up fake U.S. companies that then ran more than a million phony credit card transactions through legitimate credit card processing companies. .....
That conclusion is seriously flawed, the OCS is neither "abusing" the systems, nor are they using "loopholes". The Organized Crime Syndicate is simply "USING" the existing system. The FTC's flawed conclusion is that it tends to "absolve" the merchant account system and infer it as being adequate, when in fact it is not. In addition, the FTC's description of "setting up fake U.S. companies" is also flawed. The OCS caused "US companies" to be registered in the proper and normal manner. There was nothing "fake" about the registrations, as per many of the documents that I have posted. Of course the ultimate intent was to operate a fake business, but the registration process contains no process of validating the intent or purpose. While some state's rules require an affirmation that the business be established for lawful purposes, there is neither a vetting process nor actively used criminal statues of enforcement. Essentially it is an honor system, one in which both the banks and merchant processing system assigns significant inherent legitimacy to the fact that a business entity is a properly "registered company". No such legitimacy should be conferred, as other than a small filing fee and a completed form, filed remotely via the Internet in many cases, no validation has been performed, including verifying the identity of the filer.

With such low standards to gain entry on to the card processing highway, and the ability to fleece consumer's account data, "abusing" the system is not necessary, just use it. It is reasonable to expect that eventually this decade long organized criminal operation and the modus operandi used, may generate Congressional hearings once sustained media attention is reached. That such an uninhibited and perpetual system can extort millions of dollars a year from consumers, and shuttle the laundering of the fraud proceeds out of the country unfettered in a post 911 era of a Patriot Act encumbered banking system, should raise significant concerns. Not that the entire system is belligerent, rather that there are significant variables in both the detection ability and behavior of the companies involved. The recognition ranges from leading edge and active systems to detect and block it, to the "We do not want to know" why don't you go after Careerbuilder instead, attitude.

One of the top five major financial system processors has for several years now, devoted significant resources to detecting and preventing the OCS from utilizing their services to launder hijacked card data through merchant accounts. Not only have they revised many of the procedures for issuing merchant accounts after recognizing that the OCS was routinely using them, but they also altered the vetting process and instituted advanced detection systems to catch any that may get through. A major west coast corporation with a merchant processing division also has an aggressive active operation to detect, block, and eradicate any of the Crime Syndicate's card fraud laundering operations from their systems. Both of those entities have not only devoted resources to the problem they have an effective strategy that significantly mitigates the ability for their systems to be abused in this manner. The problem is that though these entities are the "gold" standard for proper practices, it is not universal within the merchant processing system.

The FTC's Wernikoff is correct when he states:
said by Robert McMillan :
....."It was a very patient scam," said Steve Wernikoff, a staff attorney with the FTC who is prosecuting the case. "The people who are behind this are very meticulous." ....
The OCS has no problem probing, identifying, then flooding the merchant account providers and processors with substandard vetting and monitoring procedures, thus mitigating the effect of the few that do practice and utilize leading edge standards for fraud mitigation. In fact, one does not need to be a guru statistician to derive reasonable conclusions as to where First Data Corp fits in the picture in terms of the preventative standards of merchant fraud account implementations:
said by Robert McMillan :
..... One of the largest payment processors in the U.S., First Data, was a favorite of the scammers. Of the 116 fake merchant accounts the FTC uncovered, 110 were with First Data.
......... First Data would not comment on the measures it had taken to improve its merchant vetting process, but the company did confirm that it cooperated with the FTC investigation. .....
95% of the fraud merchant accounts uncovered by the FTC were through First Data Corp, clearly an overwhelmingly path of least resistance to the fraud operation. More significant is that the fact that the entire FTC operation does not even address 5% of the Organized Crime Syndicate's operation during the relevant period, so the actual number of accounts that were, and still are, using the services of First Data Corp can be any significant multiple of that number. It is therefore reasonable to assume that a significant number of fraud charging is still occurring through their system today.

It is not that First Data Corp intentionally facilitates the Crime syndicate, try as you might with any merchant account provider, and describe on your account application that you want a merchant account to process hijacked card data into cash, and you will never get one. In fact, it was First Data Corp who stepped up to the plate in 2008, and without hesitation immediately froze the merchant account of the OCS's EyeCon Technologies LLC. First Data Corp intervened after a security official at PNC Bank in Pittsburgh stated that he had no interest in delving into potential fraud and money laundering business accounts operating in his institution. Though First Data Corp acted immediately, they failed to recognize the implications that if you have one, then you probably have many.

Remember, the most incorrect and flawed statement made to date by the FTC's Wernikoff, is:
said by Robert McMillan :
.... The FTC's Wernikoff believes that whoever is responsible for this crime lives outside of the U.S., but with the money-cashing operation now busted up, the scammers will have to start again from scratch, if they want to keep bilking consumers. And criminal investigators now have a trail to follow.

"Does it prevent the people from ultimately responsible from building up again from scratch?" he asked. "No. But we do hope that this seriously disrupts them.". ...
Ref: »www.computerworld.com/s/ ··· ompanies

Though well intentioned, that diagnosis and conclusion could not be any further away from reality. They removed half a tentacle from the Octopus and declared it immobilized. Eventually, if there is an award for the most complacent entity in the entire operation, that will undoubtedly be given to Authorize.net / Cybersource / VISA. Over 90% of the OCS's fraudulent merchant accounts contain at least one, if not several, "red flags" which classifies them as suspicious. While the communications from the OCS shows that they are adept at monitoring and adapting to the weakest link in the chain for obtaining and sustaining the fraudulent merchant accounts, the never varied from designating Authorize.net / Cybersource / VISA as the gateway provider.

Edit Add:

There are far too many victim reports such as this, that may never be included in the FTC's type of analysis:

SCREENSAVERSRISE.COM:
quote:
robbie
5 h 14 min ago

I saw the charge and my bank said I had to call screen savers, they were polite and said the charge would be removed . Two weeks later they charged me again . My bank would do nothing .. so I had them issue me a new debit card...six months later I recieved another charge right after making a small purchase from an online store in New Jersey . I canceled the card . I filed a complaint with the FBI site mentioned above..it was kinda lose info but hope it helps stop these creeps .

»800notes.com/Phone.aspx/ ··· 284-4437

MGD
MGD

2 edits

1 recommendation

MGD

MVM

One of the most egregious type of events which has occurred numerous times during this fraud operation, is when a victim files a fraud complaint with their bank and it is subsequently denied. Their bank legally forces them to pay the organized Crime Syndicate. The FTC incorrectly states in its report that ~ 94% of the fraud charges went uncontested by consumers:
said by Robert McMillan :
............... U.S. consumers footed most of the bill for the scam because, amazingly, about 94 percent of all charges went uncontested by the victims. According to the FTC, the fraudsters charged 1.35 million credit cards a total of $9.5 million, but only 78,724 of these fake charges were ever noticed.

My research indicates that the real number is around 80%. The FTC may only be counting complaints filed with them, or numbers provided by the merchant provider. However, many more consumers do recognize the fraud charge, but are sometimes unable to overcome the variable responses from their institutions, and give up. The bank CSR responses range from perfect:
quote:
Dave O
15 Sep 2010

Just got my card statement with the charge (4.89) on it, called B of A and they reversed the charge immediately, also cancelled the card.
Caller: vpnmonster.net

.

To painfully incompetent:
quote:
Constance v
24 Sep 2010

My card was charged $1.89 on 7/30/10 and $4.89 on 8/16/10. When I reported fraudulent charges to my credit union they sent me a letter saying that I had to cancel "recurring charges" with the company myself.

TOTALLY NO SUPPORT FROM MY C/U

Caller: vpnmonster.net

Though only one of the above may end in successfully addressing the fraud, I count both as being instances where consumers / victims DID catch the fraud charge, irrespective of the outcomes.

Though not malicious, an egregious case of bank incompetence in dealing with this fraud can be found in another of the organized Crime Syndicate's card fraud entities not previously reported on here:

SCAM FRAUD DIGIQUALITY.BIZ 517-759-1231 aka DIGIQUALITY.ORG = FRAUD SCAM »DIGIQUALITY.ORG




Same non existent free screen savers as the rest of the group:




Do not even have any contact info posted:




But if you can find them:




you can apply for a refund:




Though fraud charge reports go back to the end of 2009, the DIGIQUALITY.BIZ domain appears to have been registered on 08/03/2009:


Domain Name: DIGIQUALITY.BIZ
Domain ID: D33043405-BIZ
Sponsoring Registrar: NETWORK SOLUTIONS INC.
Sponsoring Registrar IANA ID: 2
Domain Status: clientTransferProhibited
Registrant ID: 43817531V
Registrant Name: Anderson Bill
Registrant Address1:
Registrant Address2: care of Network Solutions
Registrant Address3: PO Box 447
Registrant City: Herndon
Registrant State/Province: VA
Registrant Postal Code: 20172
Registrant Country: United States
Registrant Country Code: US
Registrant Phone Number: +1.5707088780
Registrant Email:
bz6gu2rg7uf@
networksolutionsprivateregistrati on.com

Name Server: NS39.WORLDNIC.COM
Name Server: NS40.WORLDNIC.COM
Created by Registrar: NETWORK SOLUTIONS INC.
Last Updated by Registrar: NETWORK SOLUTIONS INC.
Domain Registration Date: Mon Aug 03 20:38:55 GMT 2009
Domain Expiration Date: Mon Aug 02 23:59:59 GMT 2010


The domain appears to have been revoked sometime around the end of May, 2010, and the card fraud laundering website was quickly replaced by DIGIQUALITY.ORG


Domain ID:D158787470-LROR
Domain Name:DIGIQUALITY.ORG
Created On:05-Apr-2010 23:09:33 UTC
Last Updated On:05-Jun-2010 03:47:39 UTC
Expiration Date:05-Apr-2011 23:09:33 UTC
Sponsoring Registrar:Active Registrar, Inc. (R1709-LROR)
Status:CLIENT TRANSFER PROHIBITED
Registrant ID:DI_11449402
Registrant Name:Whois Manager
Registrant Organization:Whois Proof LLP
Registrant Street1:PO Box 4120
Registrant Street2:
Registrant Street3:
Registrant City:Portland
Registrant State/Province:OR
Registrant Postal Code:97208-4120
Registrant Country:US
Registrant Phone:+1.2024700599
Registrant Phone Ext.:
Registrant FAX:+1.8663666681
Registrant FAX Ext.:
Registrant Email: ms7195t91@whoisproof.com

Name Server:NS2.DNSEXIT.COM
Name Server:NS1.DNSEXIT.COM
Name Server:NS3.DNSEXIT.COM
Name Server:NS4.DNSEXIT.COM


There were accumulations of victim fraud reports on numerous websites, included Sitejabber.com










»www.sitejabber.com/revie ··· lity.biz

After numerous complaints were filed with a branch of the BBB, they could not pin point the cyber-mule: »www.bbb.org/toledo/busin ··· 90051907 and some of the listed data is not accurate. However, the posted billing descriptor from several victims showed DIGIQUALITY.BIZ 517-759-1231 MI. Other posts of the fraud billing on a Wordpress blog narrowed the city down to OKEMOS, MICHIGAN:
quote:
Transaction date: 02/26/2010*
Amount: $4.91
Merchant: DIGIQUALITY.BIZ -OKEMOS ,MI

More on that excellent blog thread in a minute, which was started by a victim of the fraud in December of 2009, and eventually accumulated 146 posts from other victims through August of 2010. Information on that blog merged with data that I already had enabled the cyber-mule and the layered companies to be identified.

The county business records had a DBA business filing from October of 2009 that matched to the billing entity:




========================
Date Start
10/19/09
Date End
10/23/09

File # D-0091650
DIGIQUALITY.BIZ
D-0091650

Business Address
DIGIQUALITY.BIZ
5053 MADISON AVE
OKEMOS, MI 48805

Owner(s) Name
SAINT MARIE PAPTRICK
========================

The correct spelling of the registered owner's name and thus the cyber-mule is PATRICK SAINT MARIE. Excellent detailed postings by a fraud charge victim on that wordpress blog fills in some crucial gaps in the data. This determined victim does every thing correctly, and reports the charge as fraudulent. Her bank issues a temporary credit and then unfortunately files a dispute notice to the OCS's merchant account. What happens next is one of the most egregious and shameful behavior by a Bank, JPM CHASE. When the cyber-mule / OCS receive the dispute notice, they print out the transaction record from the Authorize.net Cybersource account which showed the date time stamp and IP address of the fraud transaction. Upon receipt of this response to the charge back dispute notice, Chase promptly turns around and puts the charge back on the victim's account. Because it was a debit card, Chase removes the funds from the victim's account and forwards it to the organized Crime Syndicate's merchant bank account. There is no finer example of how this decade long OCS really "OWNS" the system. In the victim's own words:
By: AS on April 21, 2010
at 1:42 am

To the original poster – thank you for providing this information. It’s nice (I suppose) knowing that I’m not the only one who has fallen victim to the scam. However, my situation has taken an interesting turn…

I was charged $7.91 on 02/05/10. I called my bank, Chase, while the charge was still pending, and was told to contact the fraud department once the charge had cleared. I did so, and was immediately refunded the amount. Like most of you, I had to deal with the hassle of canceling my debit card as well. After that, it was an out-of-sight, out-of-mind situation, until today…

I received a letter today from Chase informing me they that they were reversing the credit because the merchant provided them with information that I had authorized the charge. At least Chase was nice enough to provide me with copies of the documents they received from the so-called merchant. The information provided on these faxes collaborates a great deal of the information many of you have been generous enough to share. There are two specific items of interest:

1. A Chargeback Notification which was mailed from Chase/Merchant Services to the following address:

Alternative Investments
PO Box 73
Alternative Investments
Okemos, MI

I can only assume that “Alternative Investments” is the company responsible for Digiquality.biz. (And as of this time of this post, I cannot access Digiquality.biz because the website times-out).

It also appears that this Chargeback Notification was faxed to Chase/Merchant Services from a Fedex Kinkos with the following phone number: 517-347-8658. A simple Google search returns the address of that Kinkos, also located in Okemos:

Fedex Kinko’s Office & Print
2243 W Grand River Ave
Okemos, MI,
48864-1650

2. Attached to this Chargeback Notification was a print out of my fraudulent transaction from Authorize.Net. This print out included my billing information – my first and last name, my address, and zip code. So, not only did DigiQuality.biz obtain my debit card information, but my name and address as well.

Based upon their website, Authorize.Net appears to be a legitimate company. Depending upon the outcome of my conversation with my bank tomorrow, I might contact Authorize.Net so that they know they are doing business with a company that is defrauding innocent individuals. At this point, it’s not about the money; it’s the principle of the issue.

Contact info for Authorize.Net:
>http://www.authorize.net/support/

Authorize.Net’s BBB listing:
>http://www.bbb.org/utah/business-reviews/credit-card-processing-companies/authorizenet-a-cybersource-solution-in-american-fork-ut-2009493

Many of you have mentioned Amazon as the source of our information, and I’m inclined to believe that this is the case in my situation. My debit card was on file with Amazon, although rarely used. Also, I commonly use a nickname as opposed to my legal name. My nickname is on file with Amazon, and Amazon by default uses my nickname for my billing address. In all other transactions where I am prompted to provide my billing address, I use my legal name. Amazon is the only instance where my nickname is used as opposed to my legal name.

Anyways, I hope this information can be of help to someone else who is dealing with this irritating situation. Best of luck to you, and I’ll be checking back often…

Ref:»inforodeo.wordpress.com/ ··· y-theft/

What a complete and utter travesty by CHASE. Kudos to the victim though for posting such a detailed account and treasure trove of information. Of course the fact that processing services for this fraud operation were provided by AUTHORIZE.NET / CYBERSOURCE now owned by VISA should not be a surprise to any regular reader. AUTHORIZE.NET / CYBERSOURCE / VISA, are merely maintaining their almost decade long 100% perfect record of supplying crucial support services to what is now probably thousands of fraudulent merchant accounts used to extort a cyber fraud tax from consumers. Not lost is the irony that VISA is also the brander and controlling entity of over half of all credit / debit cards provided to consumers, and regulates the processing of charges. VISA's cash register rings twice for every fraudulent charge perpetrated against consumers by the the Organized Crime Syndicate. It will also ring a third time for a chargeback. There is no incentive to stop the fraud, short of damming publicity, a class action lawsuit for malfeasance, or federal criminal charges, or Government / Congressional intervention.

The first thing that we can tell from her detailed information is that the cyber-mule PATRICK SAINT MARIE used an existing LLC of his, in order to obtain the merchant account:

=======================
Alternative Investments
PO Box 73
Alternative Investments
Okemos, MI
=======================

You frequently see the OCS mention in many of the posted mule recruiting documents that an existing owned LLC or Corp can be used, and is preferable. You may have also read where I frequently state that almost ALL the merchant fraud accounts have serious vetting deficiencies and contain several red flag violations that should have denied them merchant processing services. The most blatant and significant of those is that ALTERNATIVE INVESTMENTS LLC has not been in good standing since 2-15-2007, as it has not filed the required annual reports:




=======================
ALTERNATIVE INVESTMENTS LLC

ID Num: B2905F

Name: ALTERNATIVE INVESTMENTS LLC
Type: Domestic Limited Liability Company

Resident Agent: PATRICK G SAINT MARIE
Registered Office Address: 16553 LAFLEUR DR
EAST LANSING MI 48823

Mailing/Office Address:

Formation/Qualification Date:2-18-2003

Jurisdiction of Origin: MICHIGAN

Managed by: Members

Status: ACTIVE, BUT NOT IN GOOD STANDING AS OF 2-15-2007
Date: Present
=======================

In fact, other than the original filing in 2003 for ALTERNATIVE INVESTMENTS LLC:




only one annual report has been filed since, in 2004:




Running this set up configuration through my vetting rules, red flags once for an out of current status LLC. PATRICK G SAINT MARIE opens a merchant under "ALTERNATIVE INVESTMENTS LLC" which is flagged as failing to meet the good standing Michigan state requirements. PATRICK G SAINT MARIE subsequently registers a DBA name of DIGIQUALITY.BIZ # D-0091650 which becomes the operating entity. He then uses the merchant account obtained under "ALTERNATIVE INVESTMENTS LLC" to process credit card charges on a website domain DIGIQUALITY.BIZ. That domain registration, though cloaked, is registered to an individual named Bill Anderson, major red flag #2, and most likely carded. Not only is the second red flag an MGD violation trigger, it also violates the Card Associations rules as well:
quote:
"Card Associations require that we have documents to prove that the website through which any sales are processed is owned and operated by the business with which the merchant account is associated. Therefore, please ensure that the domain name registration (the "WHOIS") for your URL is updated to show the "Registrant" matching. We must be able to view the updated "WHOIS" at your domain registrar's website prior to setting your account "live"".

.

Great rule !! not always enforced, and more importantly, do not tell the criminals to "make it match", which they can easily do after first registering it carded to an identity theft victim. Flag and refuse the account because it was not registered to the applicant in the first place. Giving them the opportunity to "make it match" later is asinine. My original red flag is never removed when the domain changes, as that can be easily forged, the failure is because the original registration did not match, thus an obvious indicator of fraud.

[The act itself of applying for merchant processing services for a domain not registered to the applicant, is in itself a fraudulent application. There has to be documented contact between the original registrant and the merchant provider qualifying any subsequent change. Moreover, there must be a 30, 60, and 90 day recheck that the domain remains registered and non cloaked to the original applicant. In many cases the OCS will temporarily change the domain reg to the cyber-mule applicant, then change it to hide the mule after the merchant account is set up. Over the course of this multi year fraud operation the most prevalent red flag and fraud indicator, has been the fact that the merchant account domain was registered to a carded victim and not the applicant in over 90% of the card fraud laundering cases. As previously documented, during undercover communications with the OCS in 2008, this anomaly was presented to the criminals as a reason why a merchant account was difficult to obtain. The OCS replied that it should not matter as "they know" that the system does not check for this match. ]

So in the case of this determined victim of the fraud, CHASE BANK, forces the victim to pay the fraud charge to the criminals because they blatantly accept a print out status from AUTHORIZE.NET as being prima facia evidence that the card holder actually consummated a transaction. CHASE is in clear violation of multiple federal banking rules including REG E which requires them to conduct a good faith investigation of a consumer fraud complaint. Not only did CHASE not meet those requirements, they just rubber stamped the Crime Syndicate's AUTHORIZE.NET transaction submission. Now of course CHASE never did really "investigate" the complaint as required by law. The amount in dispute was too small to make it past a level 1 incompetent clerical evaluation. Not only is the website DIGIQUALITY.BIZ now DIGIQUALITY.ORG is NOT capable of processing an externally submitted purchase. I have previously documented exactly how the Organized Crime Syndicate batch processes fraud charges using a script originating from IP addresses in Eastern Europe, which then connect through a bot proxy network of thousands of compromised US computers. Previous interceptions of card processing data originating from the OCS's network in eastern Europe document the processing of stolen card data via a botnet of US hijacked computers:

[An example of a running OCS script, pumping card data via random US bot net IPs into a hidden php file stashed on the fake website, emulating purchases]:



The Authorize.net submission which Chase used to establish that the victim is responsible for the charges is nothing more than which hijacked US computer was used as a proxy to inject that specific charge card data into Authorize.net's card processing network. The documented IP does not even meet the minimal legal requirement of establishing a connection to the real card holder. In a "normal" investigation they would need to establish that the IP address was connected to the card holder at the time of the transaction via ISP records. However, because of the amount, no one has any intention of fulfilling their legal obligation, thus the victim is forced by Chase to pay the criminals. They OCS repeatedly laughs all the way to the bank when picking up their millions a year extracted from consumers with the crucial and repeated decade long assistance from the financial system. A process which the FTC apparently calls in their report, the abusing of "loopholes" in the system by criminals. "Loopholes" they are not, massive open gateways in which huge fraud trucks can be repeatedly driven through unfettered is what they really are.

As usual there are always reports from victims who never used the card online for a card not present CNP transaction. In theory, the victims card number and correct name and address, required for a CNP, should not have existed in any database outside of the issuing bank or where the card was printed at:
quote:
Anybody every get a fraudulent charge on their bank account from digiquality.biz?
I did it is only $1.91 but I researched it and found its a scam. it supposed to be a website where you buy screensavers. I called the bank and they said it was done with my debit card. I dont know how they did it-- I never buy anyhting online. so beware.
5 months ago (Tiebreaker)
Additional Details
my card is never used by anyone else- I only use it at the grocery store or walmart. my husband has his own

There are other victim reports of interest in that 9 month 148 entry worpress blog which began in December of 2009: »inforodeo.wordpress.com/ ··· y-theft/

such as:
quote:
===========================================
The US Navy Supply Command at Pearl Harbor just got hit for $4.91. We contacted the bank and reported it to the Fraud Unit. We have closed our account and requested a new one. Thank you everyone for confirming this fraud.

===========================================

Thank you for your investigation on this scam. I too had a charge for $4.91 on 2/8/10. I called my credit union about the charge and got additional information and then googled digiquality.biz which gave me the info I needed from this wonderful blog. I called their number and got a recording of a very thickly accented Asian woman that said they couldn’t come to the phone and to leave a message.

I then called back my credit union and got a different very uncooperative customer no service rep. She wasn’t interested in checking this blog for info on how this scam works and said since it was less than $10 there wasn’t anything they could do. That set me off! I asked for a supervisor and she said I got wrong info and I simply need to stop in at one of their branches and fill out a fraud report. They then would credit back the $4.91 if the fraud checks out. I will be doing that tomorrow. Thankfully, my credit union just issued new debit cards and the charge was from the old debit card that has been closed.

If you are being stonewalled by your bank or credit union don’t let them get away with it. Ask for a supervisor or talk with the CFO’s office. It’s bad enough being ripped off without having your financial institution being an accessory to the fraud. Persevere my friends!

=================================

This is a great site. I got hit with $4.91 (and an international transaction fee!) this month. I queried it with the bank, who were great and are investigating it. After looking at your site I cancelled my card. I reckon a lot of people won’t even notice this small charge on their credit card statements. Hope they can catch the lousy so and sos.

=================================

Last night got an email from Bank of America that my husband’s debit card had been used to make a purchase at digiquality.biz for $4.91. I track all CC charges via email alert – even the $1 charges.

He only uses the card at Wal-mart, Wal-Greens, US Post Office, at the pump at gas stations, and at times at fast food where he swipes the card himself. Sometimes the clerk swipes but always right in front of him where he can view the transaction. Never has it been used on the internet or phone. He always uses it as a CC & never enter the PIN.

Wonder how they got his debit card number. This card is only about 3 mo old.

Transaction date: 02/26/2010*
Amount: $4.91
Merchant: DIGIQUALITY.BIZ -OKEMOS ,MI

Immediately canceled card and called bank this AM to dispute charge. Told them BofA was mentioned in this Blog & problem has been going on for months. Asked why these thieves were still being allowed to do business. They said they’d investigate.

Our new plan is to carry enough cash or alternate CC. If the transaction does not go through where we swipe ourselves, we pay a different way. We’re not handing a card to anyone any more.
===============================

“2/25/2010, Miscellaneous Transaction, DIGIMARK.BIZ 517-759-1231 MI, $4.91?

What disturbs me the most, is that this card is really new… I let the ATM chew up the old one a few months ago. Nearly all of my purchases since were in person, not online. I’ve literally only bought a song online with the card since then, and that from Amazon, who should be trusted. (right?) I had a paypall charge, too, but Paypal goes directly through the bank account without using the debit card. If these scammers were using paypal info, wouldn’t it come across as a transfer, rather than a debit deduction?

I’m going in to my credit union today to deliver a signed statement and pick up a new card, and I’ll see if I can learn anything more about the charge.

I suspect either JC was right, above, when he suggested a security breach in a retail store, OR these people are just trying numbers at random and seeing what they get. If the latter is the case, what’s to stop them from randomly hitting the card I’m about to go pick up?

In any case, lets hope they can be stopped soon. This has definitely gone on too long!

Signed,
Paranoid and Annoyed

==================================

Mine happened a couple of days after I donated to a political organization. First there was a $5 charge to a candidate in Florida I’ve never heard of but that charge did not go through as they did not have my correct info – just the card #

The man in Florida said someone was using the name “Bill Gates” to make the charges. Next there was a $10 from Skype that never went through and finally the $4.91 charge from .Biz that did go through so I finally cancelled my card.

I do have an Amazon account but none of my info is stored there. Also have Pay Pal but it is rarely used.

I agree with reporting the BBB – it’s definitely a start! Grrr… there’s no telling who has our numbers with the amount of outsourcing America does plus people right here who are rip off artists! That’s a world of thievery!

======================

I also got hit with a $4.91 debit charge on my debit card from Michigan. Three days later a $29.90 hit from a phonesandcalls.com both scams. I will talk to the bank tomorrow. Thanks for the good information on this website

=========================

This victim report is interesting,

they first post this on March 13th to the blog:
quote:
By: Paula on March 13, 2010

3/09/10 my debit card was used for a $4.91 purchase from digiquality.biz Rarely use this card online. While I have paypal and amazon, it’s not linked to this card. I may have purchased embroidery designs, that makes 3 of us who mentioned that. I checked the BBB.org and they don’t show any complaints for this company. I was notified by my bank of this charge. So they must be aware of the company. Of course the card was canceled.

Paula returns two months later and posts this:
quote:
By: Paula on May 12, 2010
at 2:37 pm

I had my credit card number stolen and posted back in March. I wanted to say that I received a letter from an embroidery design merchant that said they were a victim of a theft of sensitive data information and they had contacted the FBI. Internet hackers were able to steal credit card info back to Feb. The letter said it is similar to several large scale attacks affecting 75,000 computer systems at 2,500 companies. The company says it no longer stores personal information in it’s database and it is now handled by a third party company. I think the lesson is to make sure the company you deal with online does not store your information in it’s computer. I am now going to ask companies if they do before I purchase, so that if the company gets hacked my information isn’t stored there.
Paula

One very irritated victim posts the ARN for the fraud charge:
quote:
======================================
Fucking stupid American Banking system. Why it’s happens to people.I saw the charges today 7.91.It means that in this country i can’t believe to anybody.
Stupid people use banking system and i have the account in Bank of America, i was thinking that this is the best bank, but everything is bullshit.

CHECKCARD 0502 DIGIQUALITY.ORG 517-759-1231 MI 24110390123286178700307

==========================================

»inforodeo.wordpress.com/ ··· comments

That ARN data appears to point to HARRIS TRUST AND SAVINGS BANK aka Harris N.A. USA Chicago Illinois »www.harrisbank.com as being the acquirer bank where the business account is located. However, there does not appear to be any bank branches anywhere in Michigan, nevermind in Okemos, Mi., where the mule appears to be located.

Wikipedia states:

Harris Bank is an American bank based in Chicago, Illinois. The bank founded by Norman Wait Harris, is primarily located in the Midwest, and is owned by the Toronto-based Bank of Montreal. Today the bank holding company is formally named Harris Bankcorp, Inc.

So at this point the actual acquirer bank for ALTERNATIVE INVESTMENTS LLC aka DIGIQUALITY.ORG 517-759-1231 FKA DIGIQUALITY.BIZ needs further confirmation.

MGD
MGD

3 edits

1 recommendation

MGD

MVM

In a previous posting on 08/14/2010 regarding the massive Careerbuilder cyber-mule recruiting campaign of SKYDEX SOFT LTD aka SKYDEXSOFT.COM, I discussed the results of comprehensive forensic analysis of all the data recovered from that operation. Highlighted in that post was evidence recovered from the meta data of the SKYDEX SOFT LTD FAQ MS Word document recovered from the website SKYDEXSOFT.COM. The embedded data showed that the language set on the computer was Russian Cyrillic, and that the system default settings adopted during the Microsoft Word install was for a company named MoBILL GROUP and the author was "Admin":

»/r0/do ··· roup.jpg

I posted that data because I believed that it was an important clue. The FAQ document laid out the specific functions and responsibilities for the cyber-mules recruited for the massive card fraud laundering operation. While potential recruits may have no idea what they were getting involved with, the same could not be said about the author of the document. They clearly were well aware that they were preparing instructions for someone who was going to be an accomplice in a major global card fraud laundering operation. The document even includes bogus office addresses for SKYDEX SOFT Ltd., in both Hong Kong and Shanghai China. Though I believed that "MoBILL GROUP" clue to be important, how significant it was would depend on how many Cyrillic set computers exist, and where, with those settings. For example, are there thousands of Russian PCs all with some sort of generic cloned settings, or on the other hand are those settings unique to a specific entity. If the latter is correct, then we know that someone in that organization, with or without the knowledge of the principals, created that document. They would also have been aware of its purpose and would therefore be a co-conspirator to some degree. I ruled out the possibility that the document may have been an altered version of an original non nefarious creation based on the time line of original creation date compared to the final modification date:




So far, I have been unable to establish who or what that specific "MoBILL GROUP" is, nor answer the question of how limited or widespread that meta data is. However, I have been able to locate another Microsoft Word document written in Russian Cyrillic with the identical embedded Meta Data of Author "Admin" and Company "MoBIL GROUP". Not only are they identically worded, they are also capitalized identically. I am currently unable to comment on, or discuss, either how the document was located or from where it originated. I can tell you that there is a known connection between where the document was purportedly located at, and the foreign routing through which a significant amount of the fraud proceeds were laundered, in the millions. Whether they were passed through this laundering conduit with their direct knowledge I do not know. The point to elaborate is that there is at least an incidental connection between these two seemingly unrelated documents, both of which have the identical meta data.

For now, I am not going to type the names of the listed entities in this new document and will display only the images. However, you can search and see that they are significant entities in the Russian Federation. The document is a contract between two entities for almost 84,000,000 Roubles (84 Million), a little under $2.8 Million USD. The contract is for computer and electronic equipment, plus installation and training.

As you can see, the meta data of both default author and company from this new contract document are identical to that of the Skydex Soft Ltd card fraud laundering cyber-mule FAQ. This is indeed the proverbial forensic needle from within many hundreds of haystacks:




The original document is shown first, followed by a best attempt Google translation:








.
For clarity the specified equipment list is shown both in its original native version as well as translated:









Again, the reason for not typing the names of the entities in searchable text format at this time is because the significance or relative uniqueness of the embedded document meta data is unknown. For example, at the lowest end of the potential significance scale, there could be a large chain of Cyber Cafes throughout the Russian Federation each with a few dozen computers all with identically installed MS Word containing "Admin" and "MoBIL GROUP". Combine that with the possibility that each document was then authored at two different locations by unrelated individuals several months apart, and that the 0.5 degree of separation between a long term laundering conduit of the card fraud proceeds is just coincidental. Obviously the possibility scale can range far in the other direction also, where there are a very limited group of like configured machines all within one entity. I do not know that answer at this time. However, while I cannot elaborate on the contract document, nevertheless, the specific facts are that they do contain the identical embedded meta data:







This apparent high level of commonality only serves to further emphasizes the significance of the multi year Organized Crime Syndicate fleecing global consumers of many millions of dollars a year, while the multiple branches of the US Banking and financial system appears neutered in both its ability to formally recognize, report, or prevent the majority of it from taking place. Confounding is that in an era of Patriot Act financial regulation, where every one of the weekly wire transfers of the card fraud proceeds from each of probably hundreds of bank accounts, all meet, and even exceed, the federal SAR (Suspicious Activity Report) and FINCEN required reporting.

Though SAR reports are totally secret and contained only to the government, they are not even allowed to be revealed in court, it is highly doubtful that they are being triggered as required. As stated before, contrast that with Elliot Spitzer, who reportedly triggers a SAR filing when he transfers a few thousand of his own money between two banks on its way from New York to DC, to cover his anticipated sexual escapades expenses. He reportedly gets nailed as a result of a SAR report filing on the suspicious format. The Organized Crime Syndicate on the other hand extracts and wire launders hundreds of transactions a month out of the country, no less, year in year out, and barely an eyelid bats.

You know for sure that at some point down the road, eventually, the proverbial excrement from this will hit some giant sized fans.

.

MGD
MGD

1 edit

MGD

MVM

While I discussed a range of potential scenarios for the common connection between the above two documents, obviously I do not believe that their relationship is purely coincidental, otherwise it would not be worth mentioning. At the least there was a connection between the conduits used in the global laundering of the card fraud proceeds. Another notch up is that both documents apparently have roots in global Cyber Crime.

The Moscow based purchasing party of the 84 Million Rouble contract for IT related equipment and services matches to an entity widely reported this year as the source of a major fake Anti Virus infecting trojan which hijacks global computers and ransoms victims for their card data. Many victims who succumbed to the ransom demand report that they were repeatedly charged various fees on their submitted card data.

The operation of a fake Anti Virus trojan is by deliberate design a cyber crime operation from the ground up. In this case the operation which matches to the buyer on the above contract is:




=========================

Domain name: WORLD-WIDESOFT.COM

Registrant:
Shamil Gubaidullin (SROW-1444816)

Informsvyaz LLC
support@world-widesoft.com
Garibaldi str., 23 4
Moscow Moscow
117335 RU
+1 8007736802

Administrative contact:
Shamil Gubaidullin (SRCO-2275735)
Informsvyaz LLC
support@world-widesoft.com
Garibaldi str., 23 4
Moscow Moscow
117335 RU
+1 8007736802

Technical contact:
Host Master (SRCO-2275736)
MT Management Group Limited
hostmaster@mydomain-in.co.uk
122 - 126 Tooley street
London London
SE1 2TU GB
+44 2032390693

Domain servers in listed order:
ns1.mydomain-in.net 217.20.163.71
ns2.mydomain-in.net 72.55.168.74
ns3.mydomain-in.net 94.229.71.169

Created: 18 Dec 2009 13:55:49:423 UTC
Expires: 18 Dec 2010 13:56:13:000 UTC
Last updated: 18 Dec 2009 13:55:49:423 UTC

=========================

There are a multitude of reports of the fake AV infections and subsequent ransom:





»www.google.com/search?hl ··· gs_rfai=




»www.google.com/search?hl ··· gs_rfai=

The other contract party is apparently a Russian capital investment and underwriting funding entity:



»www.google.com/search?q= ··· =en&sa=2

So both documents which have common originations with "Admin" and company "MoBIL GROUP" each have connections to global Cyber Crime and card fraud processing.

MGD
MGD

2 edits

1 recommendation

MGD

MVM

Part 1 of 2
Many of this group were first located in a factory set up on IP 67.214.175.68 which also hosted the DIGIQUALITY.ORG and DIGIQUALITY.BIZ card fraud laundering sites addressed earlier.

The operation was shadowed until active fraud charging reports could be located. Once a fraud victim made this post »[Credit Card Fraud] BEWARE***Fruadulant charges from ICON-MONSTE then the confirmed Organized Crime Syndicate's factory server and contents were posted.


NetRange: 67.214.160.0 - 67.214.191.255
CIDR: 67.214.160.0/19
OriginAS: AS12260
NetName: COLOSTORE-COM
NetHandle: NET-67-214-160-0-1
Parent: NET-67-0-0-0-0
NetType: Direct Allocation
NameServer: NS1.COLOSTORE.COM
NameServer: NS2.COLOSTORE.COM
Comment: >http://www.colostore.com
RegDate: 2007-09-28
Updated: 2008-07-21
Ref: >http://whois.arin.net/rest/net/
NET-67-214-160-0-1

OrgName: Colostore.com
OrgId: KCA-7
Address: 1805 South Michigan Street
City: South Bend
StateProv: IN
PostalCode: 46613
Country: US
RegDate: 1999-05-04
Updated: 2009-11-03
Ref: >http://whois.arin.net/rest/org/KCA-7


They are not the exclusive hosts of that IP. They are however utilizing the inhouse services of sitehttps.com in order to meet the authorize.net and merchant account requirements of having SSL:


Domain: siteHttps.com
Registration Date: 2007-01-14
Expiration Date: 2011-01-14

Registrant
Lisa Zheng
jchen@dnsexit.com
ND
988 Eight Mile Rd
Cincinnati OH, 45255
+1.8595728480
CA


This grouping is also part of the new strategy of trying to remain totally hidden by utilizing larger groups of fraud domains in order to disperse the fraud over a much larger range and thus remain hidden. Since most of the domains are privacy cloaked then the cyber-mule and acquirer business bank account may be located in the same geographic area as the area code of the listed contact number:

SCAM FRAUD = THESCREENART.COM 904-263-5578 = FRAUD SCAM





»thescreenart.com
Snapped 2010-10-16 16:50:17



Registration Service Provided By:
Active-Domain LLC

Domain Name: THESCREENART.COM
Expiry Date: 31-Mar-2011
Creation Date: 31-Mar-2010

Name servers:
ns1.dnsExit.com
ns2.dnsExit.com
ns3.dnsExit.com
ns4.dnsExit.com

Registrant Name: Whois Manager
Registrant Company: Whois Proof LLP
Registrant Email Address:
Registrant Address: PO Box 4120
Registrant City: Portland
Registrant State/Region/Province: OR
Registrant Postal Code: 97208-4120
Registrant Country: US
Registrant Tel No: +1.2024700599
Registrant Fax No: +1.8663666681

Domain Name: THESCREENART.COM
Expiry Date: 31-Mar-2011
Creation Date: 31-Mar-2010

Name servers:
ns1.active-dns.com
ns2.active-dns.com



»thescreenart.com/contact_us
Snapped 2010-10-16 16:50:00


===========================
Have questions? Get in touch with us!

For all issues related to use and operation of product purchased on our website and for all billing and technical support, please give us a call or email.

Our contact details

Phone: 984-263-5578

Email: support@thescreenart.com
==========================


IP Address History

Event Date Action Pre-Action IP Post-Action IP

2010-04-01 New -none- 67.228.37.8
2010-04-07 Change 67.228.37.8 67.214.175.68



»thescreenart.com/about_us
Snapped 2010-10-16 16:49:43





SCAM FRAUD = THADECKSCREEN.COM 813-305-7373 = FRAUD SCAM





»thadeckscreen.com
Snapped 2010-11-03 08:02:15



ICANN Registrar:
ACTIVE REGISTRAR, INC.
Registration Service Provided By:
Active-Domain LLC

Domain Name: THADECKSCREEN.COM
Expiry Date: 31-Mar-2011
Creation Date: 31-Mar-2010

Name servers:
ns1.dnsExit.com
ns2.dnsExit.com
ns3.dnsExit.com
ns4.dnsExit.com

Registrant Name: Whois Manager
Registrant Company: Whois Proof LLP
Registrant Email Address:
Registrant Address: PO Box 4120
Registrant City: Portland
Registrant State/Region/Province: OR
Registrant Postal Code: 97208-4120
Registrant Country: US
Registrant Tel No: +1.2024700599
Registrant Fax No: +1.8663666681



»thadeckscreen.com/contact_us
Snapped 2010-11-03 08:02:02


===========================
Have questions? Get in touch with us!

For all issues related to use and operation of product purchased on our website and for all billing and technical support, please give us a call or email.

Our contact details

Phone: 813-305-7373

Email: support@thadeckscreen.com
==========================


IP Address History

Event Date Action Pre-Action IP Post-Action IP

2010-04-01 New -none- 67.228.37.8
2010-04-07 Change 67.228.37.8 67.214.175.68



»thadeckscreen.com/about_us
Snapped 2010-10-16 16:50:36


SCAM FRAUD = WEBTEMPERS.COM 623-399-4354 = FRAUD SCAM





»webtempers.com
Snapped 2010-10-16 17:08:07



ICANN Registrar:
ACTIVE REGISTRAR, INC.
Registration Service Provided By:
Active-Domain LLC

Domain Name: WEBTEMPERS.COM
Expiry Date: 08-Apr-2011
Creation Date: 08-Apr-2010

Name servers:
ns1.dnsExit.com
ns2.dnsExit.com
ns3.dnsExit.com
ns4.dnsExit.com

Registrant Name: Whois Manager
Registrant Company: Whois Proof LLP
Registrant Email Address:
Registrant Address: PO Box 4120
Registrant City: Portland
Registrant State/Region/Province: OR
Registrant Postal Code: 97208-4120
Registrant Country: US
Registrant Tel No: +1.2024700599
Registrant Fax No: +1.8663666681




»webtempers.com/contact_us
Snapped 2010-10-16 17:07:50


===========================
Have questions? Get in touch with us!

For all issues related to use and operation of product purchased on our website and for all billing and technical support, please give us a call or email.

Our contact details

Phone: 623-399-4354

Email: support@webtempers.com
==========================


IP Address History

Event Date Action Pre-Action IP Post-Action IP

2010-04-10 New -none- 67.214.175.68
2010-04-1 Not Resolvable 67.214.175.68 -none-
2010-04-24 New -none- 67.214.175.68



»webtempers.com/about_us
Snapped 2010-10-16 17:07:33





SCAM FRAUD = XOBBOSCREEN.COM 443-569-0946 = FRAUD SCAM





»xobboscreen.com
Snapped 2010-10-16 17:16:55



ICANN Registrar:
ACTIVE REGISTRAR, INC.
Registration Service Provided By:
Active-Domain LLC

Domain Name: XOBBOSCREEN.COM
Expiry Date: 13-Apr-2011
Creation Date: 13-Apr-2010

Name servers:
ns1.dnsExit.com
ns2.dnsExit.com
ns3.dnsExit.com
ns4.dnsExit.com

Registrant Name: Whois Manager
Registrant Company: Whois Proof LLP
Registrant Email Address:
Registrant Address: PO Box 4120
Registrant City: Portland
Registrant State/Region/Province: OR
Registrant Postal Code: 97208-4120
Registrant Country: US
Registrant Tel No: +1.2024700599
Registrant Fax No: +1.8663666681



»xobboscreen.com/contact_us
Snapped 2010-10-16 17:16:38


===========================
Have questions? Get in touch with us!

For all issues related to use and operation of product purchased on our website and for all billing and technical support, please give us a call or email.

Our contact details

Phone: 443-569-0946
Email: support@xobboscreen.com

Contact our support team easily
You can send us a message directly from this page using the form below and we'll try to answer you shortly. We are eager to help you!
Contact Form
==========================


IP Address History

Event Date Action Pre-Action IP Post-Action IP

2010-04-15 New -none- 67.214.175.68



»xobboscreen.com/about_us
Snapped 2010-10-16 17:16:21


As has been the pattern of the OCS's mobile, game, icon, template, group the contact phone number and domain are displayed from an image generated script to prevent any chance of search engine index. These websites are only intended to be seen by a select group:

»xobboscreen.com/contact_ ··· ge/email

»xobboscreen.com/contact_ ··· ge/phone

SCAM FRAUD = MODESIGNSTORE.COM 678-666-0036 = FRAUD SCAM





»modesignstore.com
Snapped 2010-10-16 17:24:32




ICANN Registrar:
ACTIVE REGISTRAR, INC.
Registration Service Provided By:
Active-Domain LLC

Domain Name: MODESIGNSTORE.COM
Expiry Date: 08-Apr-2011
Creation Date: 08-Apr-2010

Name servers:
ns1.dnsExit.com
ns2.dnsExit.com
ns3.dnsExit.com
ns4.dnsExit.com

Registrant Name: Whois Manager
Registrant Company: Whois Proof LLP
Registrant Email Address:
Registrant Address: PO Box 4120
Registrant City: Portland
Registrant State/Region/Province: OR
Registrant Postal Code: 97208-4120
Registrant Country: US
Registrant Tel No: +1.2024700599
Registrant Fax No: +1.8663666681



»modesignstore.com/contact_us
Snapped 2010-10-16 17:24:55


===========================
Have questions? Get in touch with us!
For all issues related to use and operation of product purchased on our website and for all billing and technical support, please give us a call or email.
Our contact details

Phone: 678-666-0036
Email: support@modesignstore.com

Contact our support team easily
You can send us a message directly from this page using the form below and we'll try to answer you shortly. We are eager to help you!
Contact Form

==========================





IP Address History

Event Date Action Pre-Action IP Post-Action IP

2010-04-10 New -none- 67.214.175.68
2010-04-11 Not Resolvable 67.214.175.68 -none-
2010-04-24 New -none- 67.214.175.68



»modesignstore.com/about_us
Snapped 2010-11-03 08:01:49





MGD
MGD

1 edit

1 recommendation

MGD

MVM

Part 2 of 2:

SCAM FRAUD = MEETTHEICONS.COM 952-955-4871 = FRAUD SCAM

[imaging failed]
»meettheicons.com
Snapped 2010-10-18 23:05:39



ICANN Registrar:
ACTIVE REGISTRAR, INC.
Registration Service Provided By:
Active-Domain LLC

Domain Name: MEETTHEICONS.COM
Expiry Date: 23-Apr-2011
Creation Date: 23-Apr-2010

Name servers:
ns1.ipage.com
ns2.ipage.com

Registrant Name: Whois Manager
Registrant Company: Whois Proof LLP
Registrant Email Address:
Registrant Address: PO Box 4120
Registrant City: Portland
Registrant State/Region/Province: OR
Registrant Postal Code: 97208-4120
Registrant Country: US
Registrant Tel No: +1.2024700599
Registrant Fax No: +1.8663666681

Name servers:
ns1.active-dns.com
ns2.active-dns.com


[imaging failed]
»meettheicons.com/contact_us
Snapped 2010-10-18 23:05:21


===========================
Have questions? Get in touch with us!
For all issues related to use and operation of product purchased on our website and for all billing and technical support, please give us a call or email.
Our contact details

Phone: 952-955-4871

Email: support@meettheicons.com

Contact our support team easily
You can send us a message directly from this page using the form below and we'll try to answer you shortly. We are eager to help you!
Contact Form
==========================


IP Address History

Event Date Action Pre-Action IP Post-Action IP

2010-04-24 New -none- 67.228.37.8
2010-04-24 Not Resolvable 67.228.37.8 -none-
2010-04-28 New -none- 66.96.147.113
2010-10-04 Change 66.96.147.113 207.148.254.83


[imaging failed]
»meettheicons.com/about_us
Snapped 2010-10-18 23:05:59


From ~ 04/28/2010 until 10/4/2010 meettheicons.com was hosted on IP 66.96.147.113 Since shadowing it has

=============================================
IP Location: United States Burlington The Endurance International Group Inc
Resolve Host: 113.147.96.66.static.eigbox.net
IP Address: 66.96.147.113
Reverse IP: 2,825 other sites hosted on this server.

Server Type: Apache
IP Address: 66.96.147.113
IP Location: - Massachusetts - Burlington - The Endurance International Group Inc
Domain Status: Registered And Active Website
=============================================

Since shadowing it has now recently moved to a dedicated IP on thar same host 207.148.254.83

Resolve Host: 83.254.148.207.static.yourhostingaccount.com

That may be indicative that it has now been assigned to a cyber-mule and has recently obtained a merchant account. I suspect that the other multi use IP did not have dedicated SSL available. Watch for reported fraud charging in about 30 to 60 days.

Could not have sales, besides no operating shopping cart, no one knows it is there:

[imaging failed]
»meettheicons.com/robots.txt
Snapped 2010-11-03 18:51:57

.

SCAM FRAUD = A-PLUS-ICONS.COM 252-377-4462 = FRAUD SCAM




Added archived image as a-plus-icons.com appears to be offline currently

[imaging failed]
»a-plus-icons.com
Snapped 2010-11-03 18:52:59



ICANN Registrar:
ACTIVE REGISTRAR, INC.
Registration Service Provided By:
Active-Domain LLC

Domain Name: A-PLUS-ICONS.COM
Expiry Date: 23-Apr-2011
Creation Date: 23-Apr-2010

Name servers:
ns1.dnsexit.com
ns2.dnsexit.com
ns3.dnsexit.com
ns4.dnsexit.com

Registrant Name: Whois Manager
Registrant Company: Whois Proof LLP
Registrant Email Address:
Registrant Address: PO Box 4120
Registrant City: Portland
Registrant State/Region/Province: OR
Registrant Postal Code: 97208-4120
Registrant Country: US
Registrant Tel No: +1.2024700599
Registrant Fax No: +1.8663666681



»a-plus-icons.com/contact_us
Snapped 2010-11-03 18:52:46


===========================
Have questions? Get in touch with us!
For all issues related to use and operation of product purchased on our website and for all billing and technical support, please give us a call or email.
Our contact details

Phone: 252-377-4462

Email: support@a-plus-icons.com

a-plus-icons.com
Contact our support team easily
You can send us a message directly from this page using the form below and we'll try to answer you shortly. We are eager to help you!
==========================





IP Address History

Event Date Action Pre-Action IP Post-Action IP

2010-04-24 New -none- 67.214.175.68






»a-plus-icons.com/about_us
Snapped 2010-11-03 18:52:10

.

.
SCAM FRAUD = ICON-MONSTER.COM 810-678-9694 = FRAUD SCAM





»icon-monster.com
Snapped 2010-11-03 08:00:29


2010-09-14
said by EBMOM3 :

JUST A HEADS UP THAT ANOTHER NAME THESE PEOPLE ARE USING IS ICON-MONSTER.COM. A FAKE WEBSITE CLAIMING TO SELL "ICONS". I GOT THE 7.42 CHARGE ON MY DEBIT-VISA LAST WEEK AND IMMEDIATELY CANCELED MY CARD. HOPEFULLY THE SAME DOESN'T HAPPEN WITH THE REPLACEMENT. THIS JUST PLAIN SUCKS. THE SAME EVENING THE CHARGE SHOWED UP, I DID USE PAYPAL, AND MY STUDENT LOAN PAYMENT WENT THROUGH (ONLINE). I'M GUESSING IT'S ON PAYPAL'S END, BUT WHO REALLY KNOWS. WHAT I DON'T GET IS THAT THERE IS SO MUCH INFORMATION HERE IN REGARDS TO THIS WHOLE FRAUD ORGANIZATION, THAT THERE CAN'T BE ANYTHING DONE ABOUT IT.
»[Credit Card Fraud] BEWARE***Fruadulant charges from ICON-MONSTE


Registration Service Provided By:
Active-Domain LLC

Domain Name: ICON-MONSTER.COM
Expiry Date: 16-Jun-2011
Creation Date: 16-Jun-2010

Name servers:
ns1.webprole.com
ns2.webprole.com

Registrant Name: Whois Manager
Registrant Company: Whois Proof LLP
Registrant Email Address:
Registrant Address: PO Box 4120
Registrant City: Portland
Registrant State/Region/Province: OR
Registrant Postal Code: 97208-4120
Registrant Country: US
Registrant Tel No: +1.2024700599
Registrant Fax No: +1.8663666681

Name servers:
ns1.active-dns.com
ns2.active-dns.com



»icon-monster.com/contact_us
Snapped 2010-10-18 23:22:14


===========================
Have questions? Get in touch with us!
For all issues related to use and operation of product purchased on our website and for all billing and technical support, please give us a call or email.
Our contact details

Phone: (810) 678-9694

Email: support@icon-monster.com

Contact our support team easily
You can send us a message directly from this page using the form below and we'll try to answer you shortly. We are eager to help you!
Contact Form
==========================


IP Address History

Event Date Action Pre-Action IP Post-Action IP
2010-06-17 New -none- 67.228.37.8
2010-06-19 Change 67.228.37.8 174.132.168.254
2010-07-03 Change 174.132.168.254 174.132.168.244



»icon-monster.com/about_us
Snapped 2010-10-18 23:21:57


Server Type:
Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
IP Address: 174.132.168.244
IP Location: - Texas - Dallas - Theplanet.com Internet Services Inc
Response Code: 200
Domain Status: Registered And Active Website
[reverse DNS - f4.a8.84ae.static.theplanet.com]
.

.
SCAM FRAUD = ICON-O-MATIC.ORG 262-891-4869 = FRAUD SCAM





»icon-o-matic.org
Snapped 2010-11-03 07:59:44



Domain ID:D159972929-LROR
Domain Name:ICON-O-MATIC.ORG
Created On:24-Aug-2010 11:06:10 UTC
Last Updated On:05-Sep-2010 12:40:21 UTC
Expiration Date:24-Aug-2011 11:06:10 UTC
Sponsoring Registrar:
Active Registrar, Inc. (R1709-LROR)
Status:TRANSFER PROHIBITED
Registrant ID:ACTR1009056783
Registrant Name:Whois Manager
Registrant Organization:Whois Proof LLP
Registrant Street1:PO Box 4120
Registrant Street2:
Registrant Street3:
Registrant City:Portland
Registrant State/Province:OR
Registrant Postal Code:97208-4120
Registrant Country:US
Registrant Phone:+1.2024700599
Registrant Phone Ext.:
Registrant FAX:+1.8663666681
Registrant FAX Ext.:

Name Server:NS51.1AND1.COM
Name Server:NS52.1AND1.COM



»icon-o-matic.org/contact_us
Snapped 2010-10-18 23:21:40


===========================
Have questions? Get in touch with us!
For all issues related to use and operation of product purchased on our website and for all billing and technical support, please give us a call or email.
Our contact details

Phone: (262) 891-4869

Email: support@icon-o-matic.org

Contact our support team easily
You can send us a message directly from this page using the form below and we'll try to answer you shortly. We are eager to help you!
Contact Form

==========================

Not too difficult to figure out what the fraud charge amount is going to be, in this case $7.85, $4.85, $1.85


»icon-o-matic.org/product ··· ption/32
Snapped 2010-10-18 23:32:15



»icon-o-matic.org/product ··· ption/22
Snapped 2010-10-18 23:31:58


The OCS always randomizes the amount so that searches of the actual fraud amount do not bring up multiple instances of the fraud under various names. Remember, a primary goal is to prevent anyone from recognizing the full extent of the massive fraud operation. The most current example of the successful tactic is the FTC action which only unearhthed a very small portion of the operation. The FTC was even fooled into thinking that they have seriously disrupted an ongoing fraud. A conclusion no different than many of the previous investigative incidents, e.g. "Pluto Data" & "Digital Age" etc.


IP Address History

Event Date Action Pre-Action IP Post-Action IP
2010-08-25 New -none- 67.228.37.8
2010-09-04 Change 67.228.37.8 74.208.237.116



»icon-o-matic.org/about_us
Snapped 2010-10-18 23:19:58


IP Address: 74.208.237.116
IP Location: - Pennsylvania - Wayne - 1&1 Internet Inc
Response Code: 200
Domain Status: Registered And Active Website
.

.

SCAM FRAUD = DESIREEFFECT.ORG 360-203-3909 = FRAUD SCAM


»desireeffect.org
Snapped 2010-10-18 23:42:41



Domain ID:D159275469-LROR
Domain Name:DESIREEFFECT.ORG
Created On:26-May-2010 18:14:56 UTC
Last Updated On:26-Jul-2010 03:49:07 UTC
Expiration Date:26-May-2011 18:14:56 UTC
Sponsoring Registrar:DomainPeople, Inc. (R30-LROR)
Status:CLIENT TRANSFER PROHIBITED
Registrant ID:fe4be1089bed0c06
Registrant Name:WhoisProtector desireeffect.org
Registrant Organization:WhoisProtector Inc.
Registrant Street1:100 N Riverside, Suite 800
Registrant Street2:
Registrant Street3:
Registrant City:Chicago
Registrant State/Province:IL
Registrant Postal Code:60606
Registrant Country:US
Registrant Phone:+1.3129947654


==========================
Have questions? Get in touch with us!
For all issues related to use and operation of product purchased on our website and for all billing and technical support, please give us a call or email.
Our contact details

Phone: (360) 203-3909

Email: support@desireeffect.org

Contact our support team easily
You can send us a message directly from this page using the form below and we'll try to answer you shortly. We are eager to help you!
Contact Form
==========================





»desireeffect.org/contact_us
Snapped 2010-11-03 07:59:30



IP Address History

Event Date Action Pre-Action IP Post-Action IP

2010-05-27 New -none- 207.150.212.131


Resolve Host: 113.147.96.66.static.eigbox.net
Server Type: Apache/Nginx/Varnish
IP Address: 66.96.147.113
IP Location: - Massachusetts - Burlington - The Endurance International Group Inc
Domain Status: Registered And Active Website


»desireeffect.org/about_us
Snapped 2010-11-03 07:59:15

.

.

SCAM FRAUD = WONDERFULICONS.COM 707-682-5738 = FRAUD SCAM


»wonderfulicons.com
Snapped 2010-10-19 00:09:00


==========================
Have questions? Get in touch with us!

For all issues related to use and operation of product purchased on our website and for all billing and technical support, please give us a call or email.

Our contact details

Phone: 707-682-5738

Email: support@wonderfulicons.com

Contact our support team easily

You can send us a message directly from this page using the form below and we'll try to answer you shortly. We are eager to help you!
==========================


»wonderfulicons.com/contact_us
Snapped 2010-10-19 00:08:42



Registration Service Provided By:
Active-Domain LLC

Domain Name: WONDERFULICONS.COM
Expiry Date: 31-May-2011
Creation Date: 31-May-2010

Name servers:
ns1.eleven2.com
ns2.eleven2.com

Registrant Name: Whois Manager
Registrant Company: Whois Proof LLP
Registrant Email Address:
cd2zp0dlq6@whoisproof.com
Registrant Address: PO Box 4120
Registrant City: Portland
Registrant State//www.active-domain.com
/Region/Province: OR
Registrant Postal Code: 97208-4120
Registrant Country: US
Registrant Tel No: +1.2024700599
Registrant Fax No: +1.8663666681



»wonderfulicons.com/about_us
Snapped 2010-10-19 00:20:31



IP Address History

Event Date Action Pre-Action IP Post-Action IP

2010-06-03 New -none- 174.136.32.19
2010-06-12 Change 174.136.32.19 174.136.32.156

.

MGD
MGD

3 edits

1 recommendation

MGD

MVM

This OCS fraud group rounded out with the last of the pack which deserves another post. Over the last half decade plus of this crime syndicate's card fraud laundering operation, you can weave a forensic evidence thread that connects all of the groups together. Sometimes there are multiple and significant connections, other times it may be just one crumb. In this case it was SCAM FRAUD = WONDERFULICONS.COM 707-682-5738 = FRAUD SCAM which reached back in history and connected this run to another OCS 2008 fraud operation group


»wonderfulicons.com
Snapped 2010-10-19 00:09:00


As listed in the prior post WONDERFULICONS.COM's hosting history:

wonderfulicons.com

IP Address History

Event Date Action Pre-Action IP Post-Action IP

2010-06-03 New -none- 174.136.32.19
2010-06-12 Change 174.136.32.19 174.136.32.156


The OCS's dedicated server on IP 174.136.32.156 also hosted another fraud domain EXTRASCREENSAVER.COM which never made it to prime time:


Extrascreensaver.com

IP Address History

Event Date Action Pre-Action IP Post-Action IP

2009-09-24 New -none- 205.178.145.65
2010-07-21 Change 205.178.145.65 174.136.32.156
2010-09-13 Change 174.136.32.156 68.178.232.99


Though now parked at GoDaddy, it is the domain registration of EXTRASCREENSAVER.COM which ties this fresh group back to prolific fraud domains active from late 2008 through most of 2009:

Not only was this Florida victim's identity and card data used for the September 2009 registration of Extrascreensaver.com:

===========================
Registrant:
Catren Safarjalani
2005 Brandon Crossing Gooble Apt 203
Brandon, Florida 33571
United States

Domain Name: EXTRASCREENSAVER.COM
Created on: 09-Sep-09
Expires on: 09-Sep-10
Last Updated on: 09-Sep-09

Administrative Contact:
Safarjalani, Catren Csmail888@gmail.com
2005 Brandon Crossing Gooble Apt 203
Brandon, Florida 33571
United States
18504178537 Fax --
===========================

It was also used a year earlier to register and cloak the October 2008 domain registration of the prolific 2008 - 2009 fraud charging operation of EASTCOASTMOBILESTYLE.BIZ

===========================
Domain Name: EASTCOASTMOBILESTYLE.BIZ
Domain ID: D27495449-BIZ
Sponsoring Registrar: MELBOURNE IT LTD
Sponsoring Registrar IANA ID: 13
Domain Status: clientTransferProhibited
Registrant ID: A122332135397149
Registrant Name: Catren Safarjalani
Registrant Organization: Private Registration US
Registrant Address1: P O Box 99800
Registrant City: EmeryVille
Registrant State/Province: CA
Registrant Postal Code: 94662
Registrant Country: United States
Registrant Country Code: US
Registrant Phone Number: +1.5105952002
Registrant Email: contact@myprivateregistration.com

Billing Contact ID: A122332135397147
Name Server: YNS1.YAHOO.COM
Name Server: YNS2.YAHOO.COM
Created by Registrar: MELBOURNE IT LTD
Domain Registration Date: Mon Oct 06 19:34:21 GMT 2008
Domain Expiration Date: Mon Oct 05 23:59:59 GMT 2009
===========================


»EASTCOASTMOBILESTYLE.BIZ
Snapped 2009-03-20 03:50:38



»eastcoastmobilestyle.biz ··· acts.php
Snapped 2009-03-20 03:50:20



»eastcoastmobilestyle.biz ··· bots.txt
Snapped 2009-03-20 03:50:03


The prolific card fraud operation of EASTCOASTMOBILESTYLE.BIZ gained global attention for processing fraud charges on card victims from Australia to South Africa to South America, to Hungary, the UK, France and Switzerland, and many other countries: »Ebook websites, fraud charges, Devbill/DigitalAge/Pluto

The prolific fraud charging not only generated numerous pages of search results on Google:»www.google.com/search?hl ··· ILESTYLE it even gained the attention of a journalist in Switzerland, Desiree Pompes, who wrote about a Swiss victim of the EASTCOASTMOBILESTYLE fraud charge, translated snip:



»Ebook websites, fraud charges, Devbill/DigitalAge/Pluto

You can take a needle, then thread the links from the latest Digiquality.org to the dozen Icon website frauds at the production factory, then back to the 2008 EASTCOASTMOBILESTYLE and its prolific CHEAPESTTHEMES.COM sister:


»cheapestthemes.com
Snapped 2009-03-07 00:55:52


... which managed to generate its own warning page in mid 2009 on the Ocean City, MD, police dept. website: »ocpdmdinfo.blogspot.com/ ··· est.html

Despite the Organized Crime Syndicate's renewed and vigorous efforts to disperse the operation and make it appear like minor unrelated cluster frauds, they still leave a connecting trail which continues to expose a massive multi-million dollar global organized fraud operation.

MGD

ea
@comcast.net

ea to MGD

Anon

to MGD
I was taken for a ride and never saw any money from this...I am also a victim.

Evelio areas
nobounds
join:2003-07-15
Rancho Santa Margarita, CA

2 recommendations

nobounds to MGD

Member

to MGD
I found some more sites associated with this group. A few of them have been reported elsewhere on the web in relation to fraudulent charges, others appear to be unused so far. I haven't had a lot of time to gather additional data about them other than a quick whois (which isn't very useful in most of them), but here's what I found:

Fraud scam site: xeniums.com

»xeniums.com/
Snapped 2010-11-01 00:23:30


Domain Name: XENIUMS.COM
Administrative Contact, Technical Contact:
Kenny, Alicia w82282jv43q@networksolutionsprivateregistration.com
ATTN XENIUMS.COM
care of Network Solutions
PO Box 459
Drums, PA 18222
US
570-708-8780

Record expires on 04-Dec-2011.
Record created on 04-Dec-2009.
Database last updated on 1-Nov-2010 00:05:37 EDT.

Domain servers in listed order:

NS61.WORLDNIC.COM 205.178.190.31
NS62.WORLDNIC.COM 206.188.198.31


Fraud scam site: screensrevolution.com

»screensrevolution.com/
Snapped 2010-11-01 00:23:11


Domain Name: screensrevolution.com
Expiry Date: 30-Dec-2010
Creation Date: 30-Dec-2009

Name servers:
ns89.worldnic.com
ns90.worldnic.com

Registrant Name: Whois Manager
Registrant Company: Whois Proof LLP
Registrant Email Address: o1wd6p784@whoisproof.com
Registrant Address: PO Box 4120
Registrant City: Portland
Registrant State/Region/Province: OR
Registrant Postal Code: 97208-4120
Registrant Country: US
Registrant Tel No: +1.2024700599
Registrant Fax No: +1.8663666681



Fraud scam site: savingdisplays.com

»savingdisplays.com/
Snapped 2010-11-03 04:36:30


Domain Name: savingdisplays.com
Expiry Date: 13-Jul-2011
Creation Date: 13-Jul-2010

Name servers:
adns.cs.siteprotect.com
bdns.cs.siteprotect.com

Registrant Name: Caroline Nixon
Registrant Company: savingdisplays.com
Registrant Email Address: snmail322@gmail.com
Registrant Address: 5827 London Ln
Registrant City: Dallas
Registrant State/Region/Province: TX
Registrant Postal Code: 75252
Registrant Country: US
Registrant Tel No: +1.3215896654
Registrant Fax No:


Fraud scam site: yourspecialstyle.com

»yourspecialstyle.com/
Snapped 2010-11-01 00:26:42


Domain name: yourspecialstyle.com

Registrant Contact:
Whois Privacy Protection Service, Inc.
Whois Agent ()

Fax:
PMB 368, 14150 NE 20th St - F1
C/O yourspecialstyle.com
Bellevue, WA 98007
US

Name Servers:
ns85.worldnic.com
ns86.worldnic.com

Creation date: 24 Mar 2010 19:10:00
Expiration date: 24 Mar 2012 14:10:00


Fraud scam site: theiconique.com

»theiconique.com/
Snapped 2010-11-03 04:36:16



Domain name: THEICONIQUE.COM

Administrative Contact:
Horn, Anna theicmail77@gmx.com
2879 Philip Ave
Bronx, NY 10465
US
+1.5856586995
Technical Contact:
Administrator, Domain domreg@ipage.com
70 Blanchard Road
Burlington, MA 01803
US
+1.8774724399 Fax: +1.7812726550

Registration Service Provider:
iPage, support@ipage-inc.com
+1.8774184999
This company may be contacted for domain login/passwords,
DNS/Nameserver changes, and general domain support questions.

Registrar of Record: TUCOWS, INC.
Record last updated on 13-May-2010.
Record expires on 13-May-2011.
Record created on 13-May-2010.

Registrar Domain Name Help Center:
»tucowsdomains.com

Domain servers in listed order:
NS2.IPAGE.COM
NS1.IPAGE.COM


Fraud scam site: art-o-screen.com

»art-o-screen.com/
Snapped 2010-11-01 00:21:42


Domain Name: art-o-screen.com
Expiry Date: 19-May-2011
Creation Date: 19-May-2010

Name servers:
ns3.tgc-dns.net
ns4.tgc-dns.net

Registrant Name: Whois Manager
Registrant Company: Whois Proof LLP
Registrant Email Address: ayvon9j7@whoisproof.com
Registrant Address: PO Box 4120
Registrant City: Portland
Registrant State/Region/Province: OR
Registrant Postal Code: 97208-4120
Registrant Country: US
Registrant Tel No: +1.2024700599
Registrant Fax No: +1.8663666681


Fraud scam site: colorbluedesign.com

»colorbluedesign.com/
Snapped 2010-11-01 00:26:23


Domain name: COLORBLUEDESIGN.COM

Administrative Contact:
contactprivacy.com, colorbluedesign.com@contactprivacy.com
96 Mowat Ave
Toronto, ON M6K 3M1
CA
+1.4165385457
Technical Contact:
contactprivacy.com, colorbluedesign.com@contactprivacy.com
96 Mowat Ave
Toronto, ON M6K 3M1
CA
+1.4165385457

Registration Service Provider:
iPage, support@ipage-inc.com
+1.8774184999
This company may be contacted for domain login/passwords,
DNS/Nameserver changes, and general domain support questions.

Registrar of Record: TUCOWS, INC.
Record last updated on 19-Feb-2010.
Record expires on 19-Feb-2011.
Record created on 19-Feb-2010.

Registrar Domain Name Help Center:
»tucowsdomains.com

Domain servers in listed order:
NS2.IPAGE.COM
NS1.IPAGE.COM


Fraud scam site: kbwpcbdesign.com

»kbwpcbdesign.com/
Snapped 2010-11-03 04:36:01


Domain Name: kbwpcbdesign.com
Expiry Date: 31-Mar-2011
Creation Date: 31-Mar-2010

Name servers:
ns1.asia.eleven2.com
ns2.asia.eleven2.com

Registrant Name: Whois Manager
Registrant Company: Whois Proof LLP
Registrant Email Address: a55nr1fj@whoisproof.com
Registrant Address: PO Box 4120
Registrant City: Portland
Registrant State/Region/Province: OR
Registrant Postal Code: 97208-4120
Registrant Country: US
Registrant Tel No: +1.2024700599
Registrant Fax No: +1.8663666681



Fraud scam site: thedigitart.com

»thedigitart.com/
Snapped 2010-11-01 00:27:20


Domain name: THEDIGITART.COM

Administrative Contact:
contactprivacy.com, thedigitart.com@contactprivacy.com
96 Mowat Ave
Toronto, ON M6K 3M1
CA
+1.4165385457
Technical Contact:
contactprivacy.com, thedigitart.com@contactprivacy.com
96 Mowat Ave
Toronto, ON M6K 3M1
CA
+1.4165385457

Registration Service Provider:
iPage, support@ipage-inc.com
+1.8774184999
This company may be contacted for domain login/passwords,
DNS/Nameserver changes, and general domain support questions.

Registrar of Record: TUCOWS, INC.
Record last updated on 11-Jun-2010.
Record expires on 10-Jun-2011.
Record created on 10-Jun-2010.

Registrar Domain Name Help Center:
»tucowsdomains.com

Domain servers in listed order:
NS1.IPAGE.COM
NS2.IPAGE.COM


Fraud scam site: displaymajesty.com

»displaymajesty.com/
Snapped 2010-11-03 04:35:14


Domain Name: displaymajesty.com
Expiry Date: 24-Aug-2011
Creation Date: 24-Aug-2010

Name servers:
adns.cs.siteprotect.com
bdns.cs.siteprotect.com

Registrant Name: Whois Manager
Registrant Company: Whois Proof LLP
Registrant Email Address: x0x688v331p@whoisproof.com
Registrant Address: PO Box 4120
Registrant City: Portland
Registrant State/Region/Province: OR
Registrant Postal Code: 97208-4120
Registrant Country: US
Registrant Tel No: +1.2024700599
Registrant Fax No: +1.8663666681


Fraud scam site: deliapcworld.com

»deliapcworld.com/
Snapped 2010-11-01 00:24:43


Domain Name: deliapcworld.com
Expiry Date: 09-Aug-2011
Creation Date: 09-Aug-2010

Name servers:
ns1.tmdhosting940.com
ns2.tmdhosting940.com

Registrant Name: Whois Manager
Registrant Company: Whois Proof LLP
Registrant Email Address: u9dq4i060@whoisproof.com
Registrant Address: PO Box 4120
Registrant City: Portland
Registrant State/Region/Province: OR
Registrant Postal Code: 97208-4120
Registrant Country: US
Registrant Tel No: +1.2024700599
Registrant Fax No: +1.8663666681


Fraud scam site: rlrscreensaver.com

»rlrscreensaver.com/
Snapped 2010-11-01 00:24:26



Domain name: RLRSCREENSAVER.COM

Administrative Contact:
contactprivacy.com, rlrscreensaver.com@contactprivacy.com
96 Mowat Ave
Toronto, ON M6K 3M1
CA
+1.4165385457
Technical Contact:
contactprivacy.com, rlrscreensaver.com@contactprivacy.com
96 Mowat Ave
Toronto, ON M6K 3M1
CA
+1.4165385457

Registration Service Provider:
iPage, support@ipage-inc.com
+1.8774184999
This company may be contacted for domain login/passwords,
DNS/Nameserver changes, and general domain support questions.

Registrar of Record: TUCOWS, INC.
Record last updated on 10-Mar-2010.
Record expires on 19-Feb-2011.
Record created on 19-Feb-2010.

Registrar Domain Name Help Center:
»tucowsdomains.com

Domain servers in listed order:
NS1.IPAGE.COM
NS2.IPAGE.COM



Fraud scam site: bpcontent.com

»bpcontent.com/
Snapped 2010-11-01 00:24:08



Domain Name: bpcontent.com
Expiry Date: 31-Mar-2011
Creation Date: 31-Mar-2010

Name servers:
ns1.dnsExit.com
ns2.dnsExit.com
ns3.dnsExit.com
ns4.dnsExit.com

Registrant Name: Whois Manager
Registrant Company: Whois Proof LLP
Registrant Email Address: fb63au9u9qd8@whoisproof.com
Registrant Address: PO Box 4120
Registrant City: Portland
Registrant State/Region/Province: OR
Registrant Postal Code: 97208-4120
Registrant Country: US
Registrant Tel No: +1.2024700599
Registrant Fax No: +1.8663666681



Fraud scam site: cloudnamejenny.com

»cloudnamejenny.com/
Snapped 2010-11-01 00:23:50



Domain Name: cloudnamejenny.com
Expiry Date: 19-May-2011
Creation Date: 19-May-2010

Name servers:
ns1.asia.eleven2.com
ns2.asia.eleven2.com

Registrant Name: Whois Manager
Registrant Company: Whois Proof LLP
Registrant Email Address: v3znmh4b@whoisproof.com
Registrant Address: PO Box 4120
Registrant City: Portland
Registrant State/Region/Province: OR
Registrant Postal Code: 97208-4120
Registrant Country: US
Registrant Tel No: +1.2024700599
Registrant Fax No: +1.8663666681

Snowy
Lock him up!!!
Premium Member
join:2003-04-05
Kailua, HI

Snowy

Premium Member

said by nobounds:

I haven't had a lot of time to gather additional data about them other than a quick whois (which isn't very useful in most of them), but here's what I found:

Very impressive!
Your attention to formatting is a strong indicator that you nailed it.
Good showing nobounds See Profile

garys_2k
Premium Member
join:2004-05-07
Farmington, MI

garys_2k to MGD

Premium Member

to MGD
Regarding the prosecutors who think they've done a lot of good by cutting off one of the hydra's heads, I suspect that only MGD and the readers of this thread really understand what's going on. I also think that, given its size and complexity (plus, of course, that it's more than likely that higher ups in the Russian government are complicit) that anyone who possibly could do something is flat out intimidated at the prospect of taking it on.

To really cut this off you'd have to go at it two ways: fix the card system on our end (find out where the stolen numbers come from and fix that), change the behavior of some off shore card processing companies that have no incentive to do so (and may be protected by their governments) or take on the Russian mob. Hmm, with choices like those I'd probably find other things to do, too.
Whip5
join:2009-01-23
Califon, NJ

Whip5 to nobounds

Member

to nobounds
Awesome find.
moike
join:2007-03-31
Atlanta, GA

1 recommendation

moike

Member

Several more:


»abcgaming.net
Snapped 2010-11-02 21:00:09


[imaging failed]
»www.tommygames.net
Snapped 2010-11-03 18:50:13
nobounds
join:2003-07-15
Rancho Santa Margarita, CA

nobounds

Member

Are we sure those are part of the same operation?
moike
join:2007-03-31
Atlanta, GA

1 recommendation

moike to MGD

Member

to MGD
Another (It looks like she is ecstatic about *something* )


»designboom.biz/
Snapped 2010-11-06 22:36:48


Domain ID: D40801525-BIZ
Sponsoring Registrar: ACTIVE REGISTRAR, INC.
Sponsoring Registrar IANA ID: 1090
Registrar URL (registration services): whois.activeregistrar.com
Domain Status: ok
Registrant ID: ACTR1010297445
Registrant Name: Whois Manager
Registrant Organization: Whois Proof LLP
Registrant Address1: PO Box 4120
Registrant City: Portland
Registrant State/Province: OR
Registrant Postal Code: 97208-4120
Registrant Country: United States
Registrant Country Code: US
Registrant Phone Number: +1.2024700599
Registrant Facsimile Number: +1.8663666681
Registrant Email: uqa0gzm9r@whoisproof.com

Name Server: NS1.ACTIVE-DNS.COM
Name Server: NS2.ACTIVE-DNS.COM
Created by Registrar: ACTIVE REGISTRAR, INC.
Last Updated by Registrar: ACTIVE REGISTRAR, INC.
Domain Registration Date: Tue Aug 10 02:03:27 GMT 2010
Domain Expiration Date: Tue Aug 09 23:59:59 GMT 2011
Domain Last Updated Date: Fri Oct 29 09:00:54 GMT 2010
nobounds
join:2003-07-15
Rancho Santa Margarita, CA

1 recommendation

nobounds to MGD

Member

to MGD
Fraud scam site: mygalaxy.org

»mygalaxy.org/
Snapped 2010-11-07 18:39:38


Whois

Domain ID:D159972931-LROR
Domain Name:MYGALAXY.ORG
Created On:24-Aug-2010 11:06:31 UTC
Last Updated On:01-Nov-2010 12:43:58 UTC
Expiration Date:24-Aug-2011 11:06:31 UTC
Sponsoring Registrar:Active Registrar, Inc. (R1709-LROR)
Status:OK
Registrant ID:ACTR1011011035
Registrant Name:Whois Manager
Registrant Organization:Whois Proof LLP
Registrant Street1:PO Box 4120
Registrant Street2:
Registrant Street3:
Registrant City:Portland
Registrant State/Province:OR
Registrant Postal Code:97208-4120
Registrant Country:US
Registrant Phone:+1.2024700599
Registrant Phone Ext.:
Registrant FAX:+1.8663666681
Registrant FAX Ext.:
Registrant Email:cvbzv831p64@whoisproof.com


Nameservers

mygalaxy.org. 14400 IN NS adns.cs.siteprotect.com.
mygalaxy.org. 14400 IN NS bdns.cs.siteprotect.com.


IP Addresses

IP: 207.150.212.133
PTR: none (SERVFAIL)


Netblock info

NetRange: 207.150.192.0 - 207.150.223.255
CIDR: 207.150.192.0/19
OriginAS: AS7097
NetName: AHNET-207-BLK
NetHandle: NET-207-150-192-0-1
Parent: NET-207-0-0-0-0
NetType: Direct Allocation
NameServer: NS2.SITEPROTECT.COM
NameServer: NS.SITEPROTECT.COM
Comment: 10. Additional Information:
RegDate: 1999-10-26
Updated: 2009-07-16
Ref: »whois.arin.net/rest/net/ ··· -192-0-1

OrgName: Affinity Internet, Inc
OrgId: AFFI
Address: Corporate headquarters
Address: 3250 W. Commercial Blvd.
City: Ft. Lauderdale
StateProv: FL
PostalCode: 33309
Country: US
RegDate:
Updated: 2006-08-31
Ref: »whois.arin.net/rest/org/AFFI
nobounds

1 recommendation

nobounds to MGD

Member

to MGD
Sorry if there are repeats here. The search doesn't seem to work very well (and Google doesn't even appear to have indexed the recent posts in this thread).

Fraud scam site: GUI4U.com

»GUI4U.com/
Snapped 2010-11-07 20:38:54


Whois

Domain name: gui4u.com

Registrant Contact:
ADRIANNE FOX
ADRIANNE FOX ()

Fax:
18650 SW 280TH ST
HOMESTEAD, FL 33031
US

Administrative Contact:
ADRIANNE FOX
ADRIANNE FOX (alisarich554@gmail.com)
+1.5653568849
Fax:
18650 SW 280TH ST
HOMESTEAD, FL 33031
US

Technical Contact:

Domain Administrator (domreg@ipage.com)
+1.8774724399
Fax: +1.7812726550
70 Blanchard Road
Burlington, MA 01803
US

Status: Locked


Nameservers

gui4u.com. 3600 IN NS ns2.ipage.com.
gui4u.com. 3600 IN NS ns1.ipage.com.


IP Addresses

IP: 66.96.147.106
PTR: 106.147.96.66.static.eigbox.net.


Netblock info

NetRange: 66.96.128.0 - 66.96.191.255
CIDR: 66.96.128.0/18
OriginAS:
NetName: BIZLAND-FC01
NetHandle: NET-66-96-128-0-1
Parent: NET-66-0-0-0-0
NetType: Direct Allocation
NameServer: NS2.BIZLAND.COM
NameServer: NS1.BIZLAND.COM
Comment: ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
RegDate: 2001-04-03
Updated: 2005-03-31
Ref: »whois.arin.net/rest/net/ ··· -128-0-1

OrgName: The Endurance International Group, Inc.
OrgId: EIG-12
Address: 70 Blanchard Road
City: Burlington
StateProv: MA
PostalCode: 01803
Country: US
RegDate: 2005-02-07
Updated: 2010-09-16
Ref: »whois.arin.net/rest/org/EIG-12

OrgTechHandle: BBR189-ARIN
OrgTechName: Brock, Brian
OrgTechPhone: +1-781-852-3254
OrgTechEmail: bnbrock@maileig.com
OrgTechRef: »whois.arin.net/rest/poc/ ··· 189-ARIN

OrgNOCHandle: ENO74-ARIN
OrgNOCName: EIG Network Operations
OrgNOCPhone: +1-339-234-9762
OrgNOCEmail: netmon@maileig.com
OrgNOCRef: »whois.arin.net/rest/poc/ ··· O74-ARIN
nobounds

1 recommendation

nobounds

Member

Interesting on that last one (gui4u.com). The contact name is "Adrianne Fox" but the email address includes the name "Alisa Rich." That email address and name have been implicated in other scams using the domain sparecaptial.com.

»www.phonenoinfo.com/Phon ··· 1/1.html

I don't see sparecapital.com mentioned here, but sparecapital.biz and .org were, over two years ago:

»Re: Ebook websites, fraud charges, Devbill/DigitalAge/Pluto
MGD
MVM
join:2002-07-31

1 recommendation

MGD

MVM

Outstanding work nobounds See Profile

From circa 2008, in addition to sparecap.biz & sparecapital.biz,
sparecap.org shared the same "contact us" number 208-629-8051 as sparecapital.com

The email contact for the sparecapital.com domain was alisarich554@gmail.com and had a matching registration:

sparecapital.com

Alisa Rich
8126 SE Lake Rd, Apt 122
Portland, OR 97267
US

Administrative Contact:
sparecapital.com
Alisa Rich (alisarich554@gmail.com)
+1.2086298051
Fax: +1.5555555555
8126 SE Lake Rd, Apt 122
Portland, OR 97267
US

Another historic connection is that sparecapital.com fraud victims reported being cross charged by CODE-X-ONLINE »Ebook websites, fraud charges, Devbill/DigitalAge/Pluto
said by whocallsme.com :
Caligula
1 Oct 2008
Yep ... just like Sparecapital.com about four months ago (where I was fraudulently "dinged" for $4.96 on my Visa), this appears to be another such outfit. This will be the third such event in the past 14 months. Time to cancel the card, I reckon.

===================================

Frank in Houston
23 Oct 2008
My credit card account was scammed by both sparecapital.com and code - X: however, I disputed the charges with the bank that issued my card, and the sparecapital.com charge has already been removed.
The letter disputing the code - X charge has just been sent, but I expect that charge to be removed from my account also.

»whocallsme.com/Phone-Num ··· 03300621

----------------------------
gui4u.com

GUI for you

Our contact details:

phone: 952-955-4871

email: support@gui4u.com

-----------------------------

The contact phone number for SCAM FRAUD = GUI4U.COM aka GUI for You 952-955-4871 is the same number as listed on the "contact us" of SCAM FRAUD = MEETTHEICONS.COM 952-955-4871 = FRAUD SCAM

The number of current fraud domains is likely to be in the many hundreds. This current genre is just one of several, there are numerous active themed groups, such as the electronics theme: »/r0/do ··· ainA.jpg Toys: »/r0/do ··· ainA.jpg Pet Supply stores, and many more.

MGD
nobounds
join:2003-07-15
Rancho Santa Margarita, CA

nobounds

Member

Do you have HTML archives of sites from the other genres (rather than just screenshots)? I've based most of my digging on attributes of the sites that I've still found to be live (e.g. the screen savers, icons, etc.); I didn't have enough forethought to keep archives of the others before they went down, so I can't use them as a basis for looking for additional examples. As soon as I find a live example of a new style, I add it to my repertoire, but just a screenshot isn't usually enough to go on unfortunately.
MGD
MVM
join:2002-07-31

1 recommendation

MGD

MVM

Unfortunately, I did not capture html source code on any organized basis, other than a few of specific interest. There is not likely to be any other archiving of them due to the robots.txt config. I frrequently had domiantools pull archive images of the sites, however, they are just screen shots also.

On one of my excursion and infiltration tours into the syndcate'e network I did bring back a full and complete website including directories, codes, etc. It was from that analysis that the PHP script was located which is connected to from a socks proxy bot network of compromised US IP addresses to dump the compromised card data into authorize.net for processing.

MGD