Re: Ebook websites, fraud charges, Devbill/DigitalAge/Pluto in Spam, Scam and Phishbusters

Re: Ebook websites, fraud charges, Devbill/DigitalAge/Pluto

Sat, 29 Nov 2008 16:20:06 EDT

moike : No new activity for a period of time.... it makes me wonder if Authorize.net got a clue stick, or if the McColo badness shutdown has placed a crimp in their activity. One of the services offered by McColo was a carrier-grade proxy service to mask your connection as any geographic region - something that would let them control things in the background without raising IP Geo-location flags.

Re: Ebook websites, fraud charges, Devbill/DigitalAge/Pluto

Tue, 11 Nov 2008 03:11:57 EDT

MGD :

said by alp1226 :

Regarding the www.sarmons.com charge, it was posted to my account on Sept. 29. It shows on my account as: WWW.SARMONS.COM 305-5177623 FL 3660.
..

.
Thank you, I rechecked my information and I had the dates incorrect. Sarmons was shut down at the end of September, not on the 12th., as I originally posted.

said by alp1226 :

...Unfortunately, I think my husband thought this was something I had purchased and had just forgotten about, so he really didn't question it too much at the time. When I inquired at the bank yesterday, they researched it and told me that it was an internet transaction, and that the company had something to do with musical instruments, sheet music, or possibly music downloads. I didn't question it at the time (I figured my husband bought something and forgot about it!) until I saw a 2nd transaction a few days ago from Webpage USA LLC San Diego CA. ....

.
That is a very very common scenario with this fraud, and is why many of the charges go uncontested, as high as 80% in some fraud runs. The amount, in the $10 range when done to 2 million cards a year generates significant revenue for the crime syndicate. That is the sweet spot, in that many victims, especially in mutliple card environments presume the charge was made by the other party. They let it go, or do not pay any attention to it at all, that is by design, These criminals have been operating for many years and have fine tuned the process to maximize the rate of return.

said by alp1226 :

...
In looking back, I found 3 transactions in May, 2 from a company called YourSavingsClub, and 1 from Privacy Matters. These 3 transactions were for $1.00 ea. Again, my husband imports this info to Microsoft Money, and since they were such small amounts, he didn't say anything about it. So apparently, we've been having this problem for some time and are just now realizing it. ....

.
I suspect because the $1 charges from YourSavingsClub, »www.yoursavingsclub.com/ and Privacy Matters »www.privacymatters.com/ were either to test for the correct expiration month, or more likely that the crime syndicate had hijacked card data that they were not sure of how fresh it was. They do not ping cards where they know that the data was recently used. However, in the case of the former they need to test it so as not to generate a high failure rate at entry time, and casue the merchant to be flagged. On average only 10% of the card data submitted through the fraud sites is rejected at the time of posting. Preserving the merchant account operation is crucial to them and besides excessive charge back ratios, high invalid entries can also trigger a flag. Based on those earlier $1 transactions I suspect that your card was at least a year old, probably even two years or more, since that number was issued.

said by alp1226 :

....This is so crazy! I want someones head on a platter. Just disputing the charges isn't going to get it for me. It's not about the money for me. It's about the fact that thousands of people, if not more, are being robbed and most of them don't know what to do about it.

It's thosuands of people a week...

You are going to have to get in the long waiting line, there are many ahead of you. Indeed you are correct, it is more than the raw money. Add an additional average cost of around $20 for an institution to replace and reissue a card. The time, effort, and hassle that victims who catch it have go through, all that on top of the original fraud amount, and you have a multi million dollar end cost annually for this syndicate, all of which is paid for by consumers, in one form or another.

Because of the amount some victims even get the run around from their own institutions, case in point:

quote:
Pioneer Media, LLC.
Posted: 2008-11-05 by Derek
Scam charges

$11.89 charge appears on account from Pioneer Media, LLC.. I emailed First Citizens Bank for an explanation of the charge. They responded and advised me to google the name of the co. and (for me) to ask them for a refund. Way to go First Citizens, big help.

Pioneer Media identified on 09/06/2008: »Ebook websites, fraud charges, Devbill/DigitalAge/Pluto

I am sure that the criminals are thrilled at responses like that.

MGD

Re: Ebook websites, fraud charges, Devbill/DigitalAge/Pluto

Mon, 10 Nov 2008 14:58:53 EDT

alp1226 : Hubby and I have differing opinions regarding joint accouts. I'm with you.

Unfortunately, we've learned a valuable lesson....if it looks fishy, it probably is.

Re: Ebook websites, fraud charges, Devbill/DigitalAge/Pluto

Sun, 09 Nov 2008 11:24:03 EDT

Doctor Olds :

said by alp1226 :

Regarding the www.sarmons.com charge, it was posted to my account on Sept. 29. It shows on my account as: WWW.SARMONS.COM 305-5177623 FL 3660. Unfortunately, I think my husband thought this was something I had purchased and had just forgotten about, so he really didn't question it too much at the time.

(I figured my husband bought something and forgot about it!) until I saw a 2nd transaction a few days ago from Webpage USA LLC San Diego CA. In looking back, I found 3 transactions in May, 2 from a company called YourSavingsClub, and 1 from Privacy Matters. These 3 transactions were for $1.00 ea. Again, my husband imports this info to Microsoft Money, and since they were such small amounts, he didn't say anything about it. So apparently, we've been having this problem for some time and are just now realizing it. This is so crazy! I want someones head on a platter.

It looks like you and the husband had a breakdown in communications, then the assumptions set in. You assumed he did one thing, he assumed you did another, and neither one of you asked the other. :[

That's why I have never used joint accounts even when I was married.
--
What’s the point of owning a supercar if you can’t scare yourself stupid from time to time?

Re: Ebook websites, fraud charges, Devbill/DigitalAge/Pluto

Sun, 09 Nov 2008 08:45:05 EDT

music man : Spiegel & Utrera are a pukka law firm.As the previous poster said- their website may be tacky but thats not a crime (yet)

The website's whois etc are all good

eg
Registry Data
ICANN Registrar: ONLINENIC, INC.
Created: 1996-09-16
Expires: 2011-09-15

Check any of the named lawyers out at »www.martindale.com. All appear to be genuine.

The firm acts as a company formation agent for anyone who is prepared to front the bucks.

Re: Ebook websites, fraud charges, Devbill/DigitalAge/Pluto

Sat, 08 Nov 2008 19:38:00 EDT

K Patterson : You can check the attorneys against their state bar associations. I checked one, Rebecca Rhyne, in California and she is in good standing.

They look a little tacky, but they are performing a legitimate service. I can't imagine a way that they could weed out the bad guys, can you?

Re: Ebook websites, fraud charges, Devbill/DigitalAge/Pluto

Sat, 08 Nov 2008 19:06:09 EDT

alp1226 : Regarding the www.sarmons.com charge, it was posted to my account on Sept. 29. It shows on my account as: WWW.SARMONS.COM 305-5177623 FL 3660. Unfortunately, I think my husband thought this was something I had purchased and had just forgotten about, so he really didn't question it too much at the time. When I inquired at the bank yesterday, they researched it and told me that it was an internet transaction, and that the company had something to do with musical instruments, sheet music, or possibly music downloads. I didn't question it at the time (I figured my husband bought something and forgot about it!) until I saw a 2nd transaction a few days ago from Webpage USA LLC San Diego CA. In looking back, I found 3 transactions in May, 2 from a company called YourSavingsClub, and 1 from Privacy Matters. These 3 transactions were for $1.00 ea. Again, my husband imports this info to Microsoft Money, and since they were such small amounts, he didn't say anything about it. So apparently, we've been having this problem for some time and are just now realizing it. This is so crazy! I want someones head on a platter. Just disputing the charges isn't going to get it for me. It's not about the money for me. It's about the fact that thousands of people, if not more, are being robbed and most of them don't know what to do about it.

Re: Ebook websites, fraud charges, Devbill/DigitalAge/Pluto

Sat, 08 Nov 2008 18:50:15 EDT

alp1226 : Does anyone know if this is a legit law firm, or are they just another phony company appearing to set up phony corporations? I've looked at their website, the pictures of the attorneys they have listed have a not-quite-real quality to them. Do you have any other info about this firm?

Re: Ebook websites, fraud charges, Devbill/DigitalAge/Pluto

Sat, 08 Nov 2008 14:32:47 EDT

MGD :

said by alp1226 :

Thanks for all of the great information! I have a quick question regarding your comment about some people thinking Equifax was a possible leak source...several months ago I received a strange but legit looking email letting me know that someone had tried to access my Equifax account but failed due to an incorrect password. I had not used this service and the account had been disabled for at least a year prior to the email. I tried to log on myself, but was unable to do so without renewing my subscription. I thought it was rather odd at the time, but dismissed it from my mind. Does anyone else recall having a problem like this, with Equifax or any other service?

You are welcome,

I believe that the two Equifax issues that you refer to are unrelated. With respect to the email that you received, that was more than likely a "phishing" email. Likely part of a mass mailing where some of the recipients would be Equifax customers. They would then click on the link and be taken to a cloned rogue webiste to log in to, where the data would be captured by the criminals.

Phishing emails for Equifax are common, in fact, our phishtrack project contains a collection of Equifax phishing mails submitted by DSLR members: »/phishtrack/?pcat=262 As you can see, several of those fraudulent emails contain the subject line of "Equifax AIert: Unauthorized Login Attempts" You can view a sample of one of those emails here »/phishtrack?pi···1&html=1 Therefore I doubt that the Equifax email that you received originated from Equifax, nor was it sent because of any legit issue with your account. In fact, if you still have that email on file, we can analyze it and confirm whether it originated from Equifax, or was a fraudulent phishing email. I am sure it was the latter, and you may recognize it as being identical to the ones in the above link.

The Equifax issue discussed multiple times in this thread, was in regards to many victims reporting that they recently enrolled, or had a legitimate charge from Equifax that immediately preceeded the fraud charge. In some cases fraud vistims reported that the only prior transaction ever on that card was from Equifax. Because of that, many of those victims expressed a belief that their card data was compromised from within Equifax's system. I responded that one could not make an absolute conclusion based on those events, that Equifax was the crime syndicate's source of that card data. Obviously, I could not positively rule it out. However, the coincidental events, in the absence of additional evidence, were not sufficient to make such a positive determination. There were multiple other valid scenarios that could account for the compromise.

I have a post coming shortly with other reports of Sarmons like clone sites, cross charging with the orange template group. If you first just post the date of your Sarmons charge it will help establish if it occurred before or after the merchant account was revoked. Based on my in depth knowledge of how this crime syndicate operates, I am sympathetic to the cyber-mules that are truly duped into participating, of which the vast majority are. However, that being said, I am also determined that if there is evidence that any of them have crossed the line after their initial involvement, and become knowing participants, that they face the legal consequences. I already know of a few that fall into that category, which is why your Sarmons charge is of great interest to me. Again, it is a serious allegation that should not be made without reconfirming the facts.

Ultimately the goal is to dismantle this long running multi million dollar fraud operation, and have the perpetrators brought to justice. Also, to identify the methods and sources of infiltration of the financial card data systems, that appears to enable them to have unfettered access to this data. It is likely that some of the exploits used to obtain that data are ongoing, and have not been discovered nor patched. Also desirable, is a campaign that educates the public about the recruitment process, in order to cut off the supply of potential cyber-mules. Adjustments to the banking and merchant account vetting process are also needed to filter these setups out at application time, thus cutting off the ability to move the millions of dollars of hijacked funds out of the country.

MGD

Re: Ebook websites, fraud charges, Devbill/DigitalAge/Pluto

Sat, 08 Nov 2008 12:40:14 EDT

alp1226 : Thanks for all of the great information! I have a quick question regarding your comment about some people thinking Equifax was a possible leak source...several months ago I received a strange but legit looking email letting me know that someone had tried to access my Equifax account but failed due to an incorrect password. I had not used this service and the account had been disabled for at least a year prior to the email. I tried to log on myself, but was unable to do so without renewing my subscription. I thought it was rather odd at the time, but dismissed it from my mind. Does anyone else recall having a problem like this, with Equifax or any other service?

Re: Ebook websites, fraud charges, Devbill/DigitalAge/Pluto

Fri, 07 Nov 2008 23:06:23 EDT

MGD :

said by alp1226 :

I've had two recent charges to my account. One is listed as www.sarmons.com in Miami Fl for $9.85. The other is Webpage USA LLC in San Diego for 11.89. ....

Hi alp1226,

Your charge is of great interest to me. For some time now the "Orange Template" sites like Webpage USA LLC »Re: Ebook websites, fraud charges, Devbill/DigitalAge/Pluto have been fraud charging in tandem with the "music template" group »Re: Ebook websites, fraud charges, Devbill/DigitalAge/Pluto of which sarmons.com was a part of.

The reason for my interest in your SARMONS fraud charge is that I became aware that around September 12, 2008 that Sarmons.com was identified as one of the crime syndicate's operation and its merchant billing account was revoked. It is my understanding that the account was revoked before it had a chance to process any charges. I also believe that the cyber-mule was contacted and notified of the criminal enterprise. I am in the process of re verifying those circumstances, however, I believe them to be accurate.

I am hoping that you are monitoring this thread, as it is imperative that you stay in contact. I would appreciate it if you would post the exact date of the charge, and the way it appeared on your statement. I may also need some additional info. There are several possible scenarios, including the cyber-mule setting up a subsequent second merchant account elsewhere, thought that would be damming.

MGD

Re: CMS Licensing

Fri, 07 Nov 2008 22:01:27 EDT

MGD :

said by iDeceive :

I run a small collection of blogs relating to online scams, particularly employment-related scams. I've recently been contacted by someone with a query relating to a "CMS licensing" business, which immediately reminded me of what I've read here about organised credit card fraud and the associated money mule merchant accounts. Perhaps MGD would care to sniff around the following leads and see if they are related to the ongoing investigations here.
...
..

Hi iDeceive ,

Sorry for the delay in replying, I will check them out and let you know. I will also send you an IM shortly with an email contact address for me.

MGD

Re: Ebook websites, fraud charges, Devbill/DigitalAge/Pluto

Fri, 07 Nov 2008 20:49:37 EDT

K Patterson : It's the other way around - Spiegel & Utrera is a law firm that specializes in setting up corporations. They are the agent for these corporations, and have no other relationship with them.

Re: Ebook websites, fraud charges, Devbill/DigitalAge/Pluto

Fri, 07 Nov 2008 17:21:33 EDT

anon : I've had two recent charges to my account. One is listed as www.sarmons.com in Miami Fl for $9.85. The other is Webpage USA LLC in San Diego for 11.89. After doing some research with the corporation search websites for each of the states, I see that these are "registered agents" of Spiegel & Utrera, PA. Supposedly a law firm. These are made-up names for companies that don't really exist. There are many other fake names that they will try to use. I have tried to contact them with the number provided on the internet. All you get is a voice mail. I'm not expecting a return call. I will report them to the Attorney Generals office of their respective states to start. Will also see if I can find out anything from the bar assc. to see if it has anything to do with a law firm. Also will report to National Better Business Bureau.

CMS Licensing

Mon, 03 Nov 2008 16:26:21 EDT

iDeceive : I run a small collection of blogs relating to online scams, particularly employment-related scams. I've recently been contacted by someone with a query relating to a "CMS licensing" business, which immediately reminded me of what I've read here about organised credit card fraud and the associated money mule merchant accounts. Perhaps MGD would care to sniff around the following leads and see if they are related to the ongoing investigations here.

The mark responded to an advertisement on Craigslist, offering sales rep positions for a CMS software licensing company using facade identities www.quark2go.com (registered 22-jul-2008 via Yahoo!) and "Daniel Levine" (hereinafter, "the scammers"). The mark is required to provide "software licenses" to customers who order them through a website set up by the scammers. The mark is also required to open a merchant account in connection with this site. The mark is promised $10,000 a month and 9% of each sale.

In his inquiry, the mark provided an example of the merchant's website, and a Google search shows the following set of similar sites.

CMS69.NET (created 03-sep-2008)
CMS94.COM (created 17-oct-2008, website not active)
QRK63.NET (created 13-oct-2008, website not active)
CMSLICENSE.COM (created 02-sep-2008, see »amg.cmslicense.com/)
CMS-LICENSE.COM (created 08-sep-2008, used as email contact address on above site)

MGD, I'd appreciate your opinions on this matter. I've advised the mark that it's a dangerous scam, and to avoid involvement.
--
Suckers Wanted -- Employment Opportunities That Will Cost You

Re: Ebook websites, fraud charges, Devbill/DigitalAge/Pluto

Fri, 31 Oct 2008 21:56:33 EDT

Doctor Olds :

said by MGD :

This fresh fraud charge from the organized crime syndicate is one for the record books:

a recent report from a fraud victim:

$9.95 charge from KCSOFTLLC COM 509-461-1556 NY

As unbelievable as it may seem, the syndicate's KCSOFT LLC has been processing nothing but fraudulent charges for over four years

Not them again? :[
--
What’s the point of owning a supercar if you can’t scare yourself stupid from time to time?

Re: Ebook websites, fraud charges, Devbill/DigitalAge/Pluto

Fri, 31 Oct 2008 16:35:06 EDT

MGD : This fresh fraud charge from the organized crime syndicate is one for the record books:

a recent report from a fraud victim:

$9.95 charge from KCSOFTLLC COM 509-461-1556 NY

As unbelievable as it may seem, the syndicate's KCSOFT LLC has been processing nothing but fraudulent charges for over four years

KCSOFT first showed up on DSLR in the security forum back in 2005: »$9.95 scam.. check your bank statements. That poster, Wrath was trying to add to an existing thread in the security forum started by thongsai in mid 2004 about fraud charges from pansalcorp.com, which was another of this crime syndicate's fraud entities. It is clear that over the years they went through multiple merchant account set ups, as a circa 2005 fraud report lists the line item as:

quote:
They hit me on 8/25 for 9.95. Number listed as
KC SOFTWARECOM LLC 509-4611556 NY Standard Purch 9.95

»Re: $9.95 scam, now from kcsoftllc.com

justin 's ominous post over three years ago in the above thread:

quote:
The google searches are starting to find this topic as people look at their bank statements and say, WTF?. I wonder how big it will get.

pcdebb was subsequently proven to be right on the money when she posted:

quote:
i was thinking the same thing. might be Pluto Data part II

»Re: $9.95 scam, now from kcsoftllc.com

KCSOFT LLC was prolific and went on to tandem bill fraud charges alongside the "Digital Age" fraud charges

In September of 2005 Doctor Olds 's card was hit with a $9.95 fraud charge from KCSOFTLLC. Followed in 24 hours by a $24.99 fraud charge from: Digital Age Cypress: »[scam] Digital Age, KCSOFTLLC and Coastal Wave Int

The phone number listed on the current fraud charge 509-461-1556 has been NLA for some time. I am not sure if there is a new associated website, the domain kcsoftllc.com is also NLA. However the fraud site circa 2005 looked like this:

[att=2]

That was a clone of the common version 2.0 template fraud site used in dozens of fraudulent LLC set ups: »I got the same changes .... and »[non-PC related] Credit Card Fraud security and »Credit card criminals Devbill have a new home !!!

Thank you to the current victim of this fraud charge who forwarded the transaction reference number (ARN) to me, which will help identify the acquiring bank, and related merchant account which originated and processed the charge.

KCSOFTLLC COM 509-461-1556 NY has now been tracked down to a New York LLC named KC SOFTWARECOM LLC which was registered on MARCH 09, 2004 by a KIMBERLY COSTANZA, 282 EMBURY ROAD, ROCHESTER, NEW YORK, 14625.

[att=1]


Selected Entity Name: KC SOFTWARECOM LLC
.
Selected Entity Status Information 
Current Entity Name: KC SOFTWARECOM LLC 
Initial DOS Filing Date: MARCH 09, 2004 
County: MONROE 
Jurisdiction: NEW YORK 
Entity Type: DOMESTIC LIMITED LIABILITY COMPANY 
Current Entity Status: ACTIVE 
.
Selected Entity Address Information DOS Process 
.
KIMBERLY COSTANZA
282 EMBURY ROAD
ROCHESTER, NEW YORK, 14625  
Registered Agent 
NONE

A four and a half year survival rate for a fraud set up, even for this crime syndicate must be a record, or close to it.

Besides over 140 hits on a DSLR search going back to February 2005: »/nsearch?q=KCS···70263807 there are a half dozen pages of fraud reports on Google: »www.google.com/search?hl=en&safe···G=Search

MGD

Re: Ebook websites, fraud charges, Devbill/DigitalAge/Pluto

Mon, 27 Oct 2008 14:55:09 EDT

MGD :

said by jorge08 :

Hi I wish to post more information about another one of these websites "synergetic experts and synergetic games" were another copy of oivabisness crime syndicate, please anyone!!!!!!! help me !!!!!!!

I have information you may need

Please give me a contact I can email or call

Jorge08

My last reply did not show as a reply to your post, and may not trigger an email reply notification to you. I am trying a new reply in order to trigger that flag, as it appears that you have not logged back in since the first posting.

MGD

Re: Ebook websites, fraud charges, Devbill/DigitalAge/Pluto

Mon, 27 Oct 2008 12:21:35 EDT

MGD :

.

Hi jorge08 ,

I sent you an Instant Message (IM) which includes an email address for you to contact me at. Look for a flashing icon on the upper left. I do need to make contact you, and have been trying to reach you for several months. The fact that you connected oivabisness

Snapped 2008-10-27 12:20:17

»oivabisnes.com/

to synergetic experts and synergetic games tells me a lot. oivabisness AKA Oiva Bisness is one of many major Command & Control Hub and recruiting sites operated by this crime syndicate. They have been repeatedly trolling and recruiting cyber-mules from resumes posted on Careerbuilders.com and others. They were first reported on here as the C&C that recruited the cyber-mule for:

BENNUTECH.COM AKA BENNU TECHNOLOGIES LLC 973-944-3970
and
CALLIDORADESIGNS.NET AKA CALLIDORA DESIGNS LLC 973-735-2361

»Re: Ebook websites, fraud charges, Devbill/DigitalAge/Pluto

Jorge, Please contact me as soon as possible.

MGD

Re: Ebook websites, fraud charges, Devbill/DigitalAge/Pluto

Thu, 23 Oct 2008 15:28:04 EDT

jorge08 : Hi I wish to post more information about another one of these websites "synergetic experts and synergetic games" were another copy of oivabisness crime syndicate, please anyone!!!!!!! help me !!!!!!!

I have information you may need

Please give me a contact I can email or call

Jorge08

Re: Ebook websites, fraud charges, Devbill/DigitalAge/Pluto

Fri, 17 Oct 2008 13:25:52 EDT

MGD :

said by Rowan :

MGD, I sent the ARN number to you a bit ago via IM. Let me know if you've received it, and if there's anything else I can do. ~Rowan PS: Yes, it was the -7814 number that appeared on my statement. :mad:

Excellent, thank you Rowan , got it, I have already forwarded the ARN number for processing. The toll free division of this fraud has been very difficult to track down, and they tend to survive much longer than the others. The tool free group never list associated domains / websites in their contact info, and repeated searches for matching business FBN and LLC/Corp registrations have been fruitless.

MGD

Re: Ebook websites, fraud charges, Devbill/DigitalAge/Pluto

Fri, 17 Oct 2008 11:07:18 EDT

Rowan : MGD, I sent the ARN number to you a bit ago via IM. Let me know if you've received it, and if there's anything else I can do. ~Rowan PS: Yes, it was the -7814 number that appeared on my statement. :mad:

Re: Ebook websites, fraud charges, Devbill/DigitalAge/Pluto

Thu, 16 Oct 2008 18:53:09 EDT

Rowan :

said by MGD :

said by Rowan :

I have requested it from my bank, and will get it to you via IM (I joined the site this afternoon). I'm also interested in 'joining the fight' as it were. Is there a place on this site where I can learn how to track the different information? The more the merrier, I always say!

Will get back to you as soon as I hear from my bank.
~Rowan

Re: Ebook websites, fraud charges, Devbill/DigitalAge/Pluto

Thu, 16 Oct 2008 18:27:04 EDT

Rowan : Absolutely, MGD, I'll get it to you via IM as soon as my bank responds (usually takes 24 hours). I joined the site this afternoon. I'm interested in joining the fight against these jerks. Is there a place on this site (or some other site) where I can learn how to track down the different bits of information to add to the mix?

Thanks again, and I'll be in touch. Oh, and BTW, sorry for the clumsy reply format (i.e., no quote) -- I haven't figured out how to do anything other than cut & paste, and that didn't work very well either. :hmm: ~Rowan

Re: Ebook websites, fraud charges, Devbill/DigitalAge/Pluto

Thu, 16 Oct 2008 17:19:15 EDT

MGD :

said by Rowan :

Hello,

I was dunned $.15 by EST Company last week, then yesterday someone tried to purchase three gift cards -- Dell, in fact. Fortunately I caught on and my debit card is cancelled. I don't have the transaction reference (I don't get that kind of detail online), but I'm sure I can get it from my bank if it will be of any help.

And thanks for everyone's efforts in trying to run these fools down. Until yesterday, I was totally ignorant of this nonsense. ~Rowan

Hi Rowan,

Absolutely, I am in dire need of that transaction reference number, usually 23 alpha numeric digits called an ARN number. I need that refernce from any victims of the toll free / generic named fraud divisions, as none of that group have been tracked down. As stated previously there is embedded code within the reference characters that can be used to identify the originating merchant account, and have it shut down promptly.

For the record, the crime syndicate has two fraud operations that are currently charging between $.09 and $.15 to thousands of cards. This is a process known as "pinging" to validate the card data. The ping charge is a precursor to additional fraud charges.

EST has been operating and processing fraud charges since October of 2007.

Originally as: EST COMPANY Boca Raton, FL US 800-596-7814. See page 1 from circa 12/2007: »whocallsme.com/Phone-Number.aspx/8663470931 When you get to Page 3 at the end of September victims are the reporting the 10 cent ping charges in lieu of the $10 fraud charges: »whocallsme.com/Phone-Number.aspx···470931/3 There are another four pages of fraud reports dating back to 12/2007 also on 800Notes.com: »800notes.com/Phone.aspx/1-866-347-0931

In addition, they are now processing fraud charges using a new number EST COMPANY 866-347-0931 There are multiple forums with fraud reports and pinging charges under the new number: »www.google.com/search?hl=en&q=80···e+Search

Rowan I am very anxious to obtain that transaction ARN number in order to identify and shut down this long running fraud entity.

DO NOT post the ARN number in public on the forum. Instead just register on this site, it is free, and then you will be able to send me an Instant Message. I would post an email contact address except that cyber criminals monitor the forum, and, as before, they will quickly mailbomb the account out of existence within hours. Sending me an Instant Message via this forum, is the easiest way.

EDIT ADD:

EST has been directly tied to this organized crime syndicate because back in December they were cross hitting fraud charges alongside many of the template / Ebook sites.

EDIT #2

Changed the EST company first contact number that was used in 2007.
correct listing:

original ~ $10 fraud charges:

EST COMPANY Boca Raton, FL US 800-596-7814.

now, submitting 10 cent ping charges:

EST COMPANY 866-347-0931

MGD

Re: Ebook websites, fraud charges, Devbill/DigitalAge/Pluto

Thu, 16 Oct 2008 16:30:16 EDT

MGD :

said by POd in USA :

16 Oct 08-- yet another site perpetrating fraudulent credit card charge, same home page template as recent predecessors:
WebPage USA, LLC
www.wp-technolgies.com
»www.wp-technologies.com
WHOIS registration info:
Visit AboutUs.org for more information about WP-TECHNOLOGIES.COM
...
..

Thanks for the alert. Though I originally located the fraud site wp-technologies.com AKA WebPage USA, LLC 405-463-2417 at the beginning of September, and posted it on the 7th: »Re: Ebook websites, fraud charges, Devbill/DigitalAge/Pluto there were no reports of fraud charges at that time. Thanks to your heads up, there are now, on two threads: starting on 09/29: »800notes.com/Phone.aspx/1-405-463-2417
and 10/07:
»phoneowner.info/Number.aspx/4054632417

This set up also confirms a new emerging pattern. On my 09/07 posting, I listed the contents of the "contact us" page:

------------------------------
Wp-technologies.com

WebPage USA, LLC

Contact us

WebPage USA, LLC
www.wp-technologies.com
8507 Capricorn Way # 74,
San Diego, CA,
92126, USA

Phone/Fax:
1-(405)-463-2417

Support e-mail:
support@wp-technologies.com
------------------------------

Now that information has been changed, and the address details have been removed:

[att=1]

------------------------------
Contact us

WebPage USA, LLC
www.wp-technologies.com

Phone/Fax:
1-(405)-463-2417

Support e-mail:
support@wp-technologies.com
------------------------------

That address, apparently an apartment:

8507 Capricorn Way # 74,
San Diego, CA,
92126, USA

Does correspond to the address that the cyber-mule used to register the California LLC:


LP/LLC
WEBPAGE USA LLC
Number: 200816410193
Date Filed: 6/4/2008
.
Status: active
Jurisdiction: CALIFORNIA
.
Address
8507 CAPRICORN WAY #74
SAN DIEGO, CA 92126
.
Agent for Service of Process
SPIEGEL & UTRERA, P.A.,
WHICH WILL DO BUSINESS IN CALIFORNIA AS
SPIEGEL & UTRERA, P.C. (C2237836)

During the merchant account application and vetting time period, the organized crime syndicate is listing the full contact details of the cyber-mule on the webpage, which matches the LLC reg. This is done to "appear" legit and pass the vetting. However, the syndicae removes the detail contact info as soon as the account is approved, and before the victims see the fraud charges and reach the website.

That is done in order to hide the cyber-mule, and thwart any attempt to locate them. Remember, they are already using a contact number of 405-463-2417, that is an Oklahoma area code. So victims will think the fraud operater must be in Oklahoma. Complaints directed to state authorities in OK., will be a dead end. Likewise, if victims check the domain registration for wp-technologies.com, that fake registration will lead to Bradenton, FL 34212, another dead end. So once the operation is up and processing fraud charges, and victims start looking for a culprit, they will be diverted to Oklahoma, or Florida. In the interim the Russian / Ukrainian criminals have hidden the cyber-mule, who is actually located in San Diego, California, and at this stage would be very difficult to find.

This tactic, now seen repeatedly, is the result of discovering the fraud operations during the pre-op, or manufacturing stage. You can only see it if you catch the contact page at that stage and shadow them. There will be no archived record of that page, as the website is again coded via a robots.txt file to block all search engine archiveing:

[att=2]

In the last several pages of this thread I have posted over a dozen sites that had no record of fraud reports at the time of archiving. So if there are now fraud victims who search and do not see fraud charge reports here for a particular fraud entity, please post them. it is difficult to keep back tracking and repeatedly checking for fraud reports.

It is worth mentioning, that the reason why the crime syndicate mostly directly targets potential cyber-mules, and is less likely to mass email spam for them, is that not everyone duped individual will make an ideal cyber-mule candidate. While mass spamming for carded electronics re-shippers and check cashers is common, as the former requires no set up by the mule, and the latter only needs a personal bank account. The ideal cyber-mule for this criminal operation is someone who has an excellent credit rating. The syndicate directs the cyber-mules to one of the Banks that are affiliated with Authorize.net / Cybersource. When a mule submits his LLC/Corp documents to the listed banks and opens a business account, they then ask to apply for a merchant card processing account. As part of the approval process the bank will check the cyber-mules credit rating. A good credit rating is needed because the bank will require the cyber-mule to sign a personal liability guarantee. That will negate the cyber-mule's banking and merchant activities from the LLC protection, and make them personally responsible for any and all debts. A cyber-mule's excellent rating is also ideal for the crime syndicate, because if they qualify with the bank for the liability waiver, there is an inherent reduction in the merchant account vetting process. The bank is less apt to review the website set up with a fine tooth comb, because the cyber-mule meet the qualifications for the personal guarantee and LLC liability waiver.

There have been many examples of fraud setups where the cyber-mules did not apparently have a squeaky clean credit rating and qualify for a merchant account at the bank. The syndicate subsequently sent the mules in to the secondary market for a merchant account. While those are easier to obtain they are far more stringent in the vetting process. Chances are, if you see a website that is processing fraud charges, and there is a full name and address on the contact page, then that is a secondary market merchant account. Further evidence of that will be a cloaked or privacy domain registration, because it will be registered to the cyber-mule. Approvals for those type accounts are far more stringent due to the higher rate of fraud. They will mandate a matching contact listing info on the website, and will make sure that the domain is in fact owned by the applicant.

MGD

Re: Ebook websites, fraud charges, Devbill/DigitalAge/Pluto

Thu, 16 Oct 2008 15:33:59 EDT

anon : >>The other common mule recruiting functions involve package re-shipping. That is where the criminals purchase electronics, etc, with stolen credit card data or Paypal accounts, and have them shipped to the mule, who then forwards the packages abroad to the criminals.

Hello,

I was dunned $.15 by EST Company last week, then yesterday someone tried to purchase three gift cards -- Dell, in fact. Fortunately I caught on and my debit card is cancelled. I don't have the transaction reference (I don't get that kind of detail online), but I'm sure I can get it from my bank if it will be of any help.

And thanks for everyone's efforts in trying to run these fools down. Until yesterday, I was totally ignorant of this nonsense. ~Rowan

Re: Ebook websites, fraud charges, Devbill/DigitalAge/Pluto

Thu, 16 Oct 2008 12:45:42 EDT

anon : 16 Oct 08-- yet another site perpetrating fraudulent credit card charge, same home page template as recent predecessors:
WebPage USA, LLC
www.wp-technolgies.com
»www.wp-technologies.com
WHOIS registration info:
Visit AboutUs.org for more information about WP-TECHNOLOGIES.COM
AboutUs:
WP-TECHNOLOGIES.COM

Registration Service Provided By: NameCheap.com
Contact: support@NameCheap.com
Visit: »www.namecheap.com/

Domain name: WP-TECHNOLOGIES.COM

Registrant Contact:
wstd llc
john stobbe

14909 17th Ave E
Bradenton, FL 34212
US

Administrative Contact:
wstd llc
john stobbe (wstdesign@yahoo.com)
+1.3094376756
Fax: +1.3094376756
14909 17th Ave E
Bradenton, FL 34212
US

Technical Contact:
wstd llc
john stobbe (wstdesign@yahoo.com)
+1.3094376756
Fax: +1.3094376756
14909 17th Ave E
Bradenton, FL 34212
US

Status: Locked

Name Servers:
ns1.hostdone.com
ns2.hostdone.com

Creation date: 08 Jul 2008 17:07:07
Expiration date: 08 Jul 2009 17:07:07
=-=-=-=
The data in this whois database is provided to you for information
purposes only, that is, to assist you in obtaining information about or
related to a domain name registration record. We make this information
available "as is," and do not guarantee its accuracy. By submitting a
whois query, you agree that you will use this data only for lawful
purposes and that, under no circumstances will you use this data to: (1)
enable high volume, automated, electronic processes that stress or load
this whois database system providing you this information; or (2) allow,
enable, or otherwise support the transmission of mass unsolicited,
commercial advertising or solicitations via direct mail, electronic
mail, or by telephone. The compilation, repackaging, dissemination or
other use of this data is expressly prohibited without prior written
consent from us.

We reserve the right to modify these terms at any time. By submitting
this query, you agree to abide by these terms.
Version 6.3 4/3/2002

Current Registrar: ENOM, INC.
IP Address: 66.152.162.116 (ARIN & RIPE IP search)
IP Location: US(UNITED STATES)-CALIFORNIA-CANYON COUNTRY
Lock Status: clientTransferProhibited
DMOZ no listings
Y! Directory: see listings
Data as of: 14-Jun-2005

Re: Ebook websites, fraud charges, Devbill/DigitalAge/Pluto

Tue, 14 Oct 2008 16:09:46 EDT

K Patterson : y'all might want to look at the news link in this thread.

»C1al!$$ and V14GrA Might Dissappear from Inbox

"Credit card information being processed in Cyprus and Georgia"

Now, where have I heard that before?

Hmm.

Re: Ebook websites, fraud charges, Devbill/DigitalAge/Pluto

Mon, 13 Oct 2008 10:31:20 EDT

anon : I did a search on this site for these and nothing came up.
Here appears to be a new one.
The original site I researched is suspended:

aif-investment-consulting

Registration Service Provided By: COMPLETE OFFSHORE SOLUTIONS
Contact: +74.9592798

Domain Name: AIF-INVESTMENT-CONSULTING.COM

Registrant:
aif-investment-consulting
John Walker (mail@aif-investment-consulting.com)
Washington st.7
Washington
Washington,435905
US
Tel. +435.94535353

Creation Date: 28-Sep-2008
Expiration Date: 28-Sep-2009

Domain servers in listed order:
ns2.egns.vg
ns1.egns.vg

Administrative Contact:
aif-investment-consulting
John Walker (mail@aif-investment-consulting.com)
Washington st.7
Washington
Washington,435905
US
Tel. +435.94535353

Technical Contact:
aif-investment-consulting
John Walker (mail@aif-investment-consulting.com)
Washington st.7
Washington
Washington,435905
US
Tel. +435.94535353

Billing Contact:
aif-investment-consulting
John Walker (mail@aif-investment-consulting.com)
Washington st.7
Washington
Washington,435905
US
Tel. +435.94535353

Status:SUSPENDED
Note: This Domain Name is Suspended.
In this status the domain name is InActive and will not function.
The data in this whois database is provided to you for information purposes only,

However, another variation has the same contact info but is active:

aif-invest-consulting.com

Registration Service Provided By: COMPLETE OFFSHORE SOLUTIONS
Contact: +74.9592798

Domain Name: AIF-INVEST-CONSULTING.COM

Registrant:
aif-investment-consulting
John Walker (mail@aif-investment-consulting.com)
Washington st.7
Washington
Washington,435905
US
Tel. +435.94535353

Creation Date: 28-Sep-2008
Expiration Date: 28-Sep-2009

Domain servers in listed order:
ns2.egns.vg
ns1.egns.vg

Administrative Contact:
aif-investment-consulting
John Walker (mail@aif-investment-consulting.com)
Washington st.7
Washington
Washington,435905
US
Tel. +435.94535353

Technical Contact:
aif-investment-consulting
John Walker (mail@aif-investment-consulting.com)
Washington st.7
Washington
Washington,435905
US
Tel. +435.94535353

Billing Contact:
aif-investment-consulting
John Walker (mail@aif-investment-consulting.com)
Washington st.7
Washington
Washington,435905
US
Tel. +435.94535353

Status:ACTIVE

The data in this whois database is provided to you for information purposes only,

As you can see, they were create in Sept.2008 but the sites(suspended site is in google cache) both have job opening listings for 5 months prior to attempt to look legit. There are also too many digits in the zip code as well as a funky phone number.

Re: Ebook websites, fraud charges, Devbill/DigitalAge/Pluto

Sat, 11 Oct 2008 03:03:18 EDT

MGD :

said by Whip412 :

Can we assume this is from the syndicate? I have my own business so I don't have a resume on the job employment websites.
..
.
If you are interested, please send your resumes to us and also feel free to ask any questions to the email adress you can see below. You will be replied the same day:

phc.consulting.staff.department@gmail.com

Best regards,
German Makovski
hxxp://consulting-phc.biz/

As nwrickert postd it is obviously a mule recruiting spam. The consulting-phc.biz website had been removed so I contacted them in order to see what specific mule job this was. The cyber-mule function of this criminal operation involves the mule registering an LLC/Corp, obtaining an IRS ein number, and opening a business bank account an obtaining merchant card processing services. The other common mule recruiting functions involve package re-shipping. That is where the criminals purchase electronics, etc, with stolen credit card data or Paypal accounts, and have them shipped to the mule, who then forwards the packages abroad to the criminals. Another mule function involves depositing either fraudulent checks, or transfers from hijacked accounts, into the mules personal bank acount then forwarding the cash via Western Union/ MoneyGram to the criminals.

The reply from the criminals indicates that this job is the latter.

quote:
from Jonny Dwayne jd.phc.consulting@gmail.com
date Oct 8, 2008 5:37 PM
subject Re: Employment Offer
mailed-by gmail.com

Hello George
We do have a web site: www.phc-consulting.org
Also to clear out some questions have a look at our FAQ:

Q - What does your company do?

A-
We are selling consulting software to clients in Europe and USA however as our corporate account is located abroad we use third-party people to receive the payments and then send them to our colleagues.
This reduces transaction costs and we get to pay less taxes. This is absolutely legal, there is now law in US which prohibits to do so.

Q How does the job process?

A –
1) You send us your account details (we are NOT asking for any passwords or security codes or any other information that can possibly give us access to your funds, we are only asking for details required to make a transfer to your account)
2) We add you in our database and make you available to our clients.
3) In a few days you will be informed about a transaction coming to your account.
4) As soon as you receive the payment, we will contact you and explain what to do next.
5) You will be informed about your commission that you receive as being a "middle-man" which you then will have to deduct yourself.

Q- What are the daily responsibilities?
A- You daily responsibilities are to check your email at least twice a day, check your voice mail also and respond on the phone during the day if possible.

Q- What is the salary and who pays for the expenses for Western Union transfers?
You get a fixed monthly salary which is $2000 plus 5% commission from each deposit our clients make to your account.
We pay for WU commission, when you come to their office just say that you have X amount of money and ask them to calculate how much that would be with the commission.

If you are willing to work with us, please let me know and I'll send you all the necessary forms.

Jonny Dwayne !! LOL! Jonski Dwanski.. maybe

Though the dns server for the original site: consulting-phc.biz and the replacemnet listed above www.phc-consulting.org is NS1 & NS2.EGNS.IR registered in Iran, it clearly controlled by Russian criminals:


domain:		egns.ir
remarks:	(Domain Holder) Farshad Esmailian
remarks:	(Domain Holder Address) No.4, Nesa st,
 Zafar st., Shariati st.,, Tehran, Tehran, IR
admin-c:	as558-irnic
tech-c:		as558-irnic
zone-c:		as558-irnic
nserver:	ns1.egns.ir
nserver:	ns2.egns.ir
source:		IRNIC # Filtered
 
person:		Ahmad Shaban
remarks:	---
address:	---
e-mail:		ahmad.sheban4@gmail.com
phone:		+96472371831
fax-no:		
nic-hdl:	as558-irnic
source:		IRNIC # Filtered

The DNS domain along with the fraud sites are all hosted in Buenos Aires, Argentina.


IP Address/Hostname:
.
190.183.63.224
.
1.  Phc-consulting.biz
2.  Phcconsulting.biz  
3.  Phc-consulting.org

.
Many of the domains are registered to carded victims. The contact email address that the criminals use shows up on multiple fraud listings on aa419.org »www.google.com/search?hl=en&q=al···e+Search

In fact an audit of a range of that IP space shows that it is under the control of Russian criminals, and is infested with various fraud recruiting., Package reshipping, and money transfer, Escrow fraud, and other financial fraud websites:


IP Address/Hostname:
.
 190.183.63.220
.
1.  Ablb.org 
2.  Bestglobalroadinc.com 
3.  Bgremail.com 
4.  Ejeg.biz 
5.  Employment-mgr.com 
6.  Google-analysing.com 
7.  Hini.biz 
8.  Mgr2u.com  --> SEE »Mgr2u.com
9.  Mgrepost.com 
10.  Olsie.com 
11.  Removeeis.com 
12.  Talogist.com 
13.  Thenationalsolutionsonline.com 
14.  Yrue.org 
15.  Advena-exchange.com 
16.  Advena-exchnage.com 
17.  Abl-acp.com 
.
IP Address/Hostname:
.
190.183.63.221
.
1.  Academicleague.net 
2.  Darthvader777.com 
3.  Italia777.com 
4.  Jasonpipes.com 
5.  Xdraculaxs.com 
.
IP Address/Hostname:
.
190.183.63.223
.
1.  Alphafox.info 
2.  Baserfox.com 
3.  Daserfox.com 
4.  Deifafox.com 
5.  Nalogirf.com 
6.  Nalogirf.org 
7.  Nalogivrf.com 
8.  Rfconsalt.com 
9.  Rfkonsult.com  
10.  Rfnalogi.com 
11.  Ruseminars.com 
12.  Vierafox.com 
13.  Zarubli.com 
14.  Zazerfox.com 
.
IP Address/Hostname:
.
IP 190.183.63.225
.
1. Kraemerlogistics.com ->See »Kraemerlogistics.com
.
190.183.63.228
.
1. Trustshippingcompany.com

.
The EGNS.IR DNS servers control some 47 odd domains, all of which are fraudulent Russian operations. That entire netspace needs to be blacklisted and wiped clean.

It is a Russian operated criminal operation, however on the face of it, it does not appear to have any direct linkage to this one.

MGD

Re: Ebook websites, fraud charges, Devbill/DigitalAge/Pluto

Fri, 10 Oct 2008 03:14:27 EDT

MGD :

said by jeph89 :

i have some serious anger issues re: $11.89 (ktech solutions). thanks for your obvious hard work MGD, before today i knew nothing of this scam. are the mules really innocent? i notice they have relatively common names. was wondering if looking up their criminal histories is/has been helpful?

I did actually do some background checking in 2005, as the first layers of this criminal operation began to be unfolded, and the role of a "cyber-mule" surfaced. At that time I did not know who the real criminals behind it were, so anyone connected to the operation, was considered a suspect.

The first break in 2005 came after multiple fraud charge reports from GENEREXTECH.COM, some in tandem with the Digital Age fraud charges. After hours of sifting through public records a related LLC was uncovered in Ohio, GENEREX TECHNOLOGY, LLC which ultimately lead to the first designation of a "cyber-mule", the registrant, Mambwene L Wamba. That was followed by a second cyber-mule in 2006 for a sister website MOBALLTECH.COM which also had fraud charge reports coming in to DSLR. Moball turned out be an LLC registered in Virginia by an Allan F. Burns. Mr. Burns was a retired physician and Cornell graduate, and certainly did not fit any profile of a criminal. In fact, though he did not reveal much about his role, it was enough to establish that he was for certain a duped cyber-mule. The little information that he provide was enough to lead to the first Command and Control recruiting site, Circa 2004/2005: MODERNNETSERVICE.COM operating under the name of Modern Network Service Using a headquarter address in the now familiar Baltic States of: Sutiste tee 180, 51019, Tartu, Estonia was, along with the non native English website configurations, the first clue that this criminal enterprise was probably based somewhere in Eastern Europe, most likely Russia.

At that time I still had yet to uncover the mechanics of how the operation functioned, and where and how the stolen money went. However it was clear that the US operatives were being recruited unknowingly, and duped into playing a crucial role necessary for the operation to function. The third operation to be cracked in 2006 was Z-WEB-TEMPLATES.COM which was billing fraud charges as On-X Inc out of Minnesota. The individual who set it up, Dennis Cote, was also no criminal, but rather another duped cyber-mule. He shut the operation down shortly after being contacted. The two facts that were established, was, that the domestic portion of each fraud operation was set up by a recruited and duped cyber-mule, and that authorize.net was always mandated by the criminals as the sole and exclusive merchant gateway provider. Though, it has taken a few thousand hours of research to get from there to where we are at now in late 2008, those two items have been a constant ingredient in every operation that has been rolled over.

To expand on what Doctor Olds stated, while every cyber-mule is duped into the operation at start up, there are some that have ignored copious warning signs, and clearly embraced their role with some vigor. This year there are at least two cyber-mules, who, in my opinion, have gone way past the role of being duped, and ignored repeated evidence that they may be participating in an organized criminal conspiracy. If you continue for almost a year, ignore the massive chargebacks and account cancellations, and participate in setting up eight distinct operations, you have crossed the line. If you have been contacted and shown that the operation is a fraud, ignored the evidence and chosen to continue, you have crossed the line also. There is clearly a greed factor that motivates one to throw all caution to the wind. Remember that many of the cyber-mules have ceased participation of their own accord at various stages, once the mounting evidence became clear.

MGD

Re: Ebook websites, fraud charges, Devbill/DigitalAge/Pluto

Sun, 05 Oct 2008 11:59:17 EDT

nwrickert :

Can we assume this is from the syndicate?

It sure looks like a mule recruiting email.

And yes, some of those are sent out to spam mailing lists. People registering on job sites are not the only targets.
--
AT&T dsl; Westell 327w modem/router; openSuSE 11.0; firefox 3.0.1

Re: Ebook websites, fraud charges, Devbill/DigitalAge/Pluto

Sun, 05 Oct 2008 11:28:26 EDT

anon : Can we assume this is from the syndicate? I have my own business so I don't have a resume on the job employment websites.

Content-Type: text/plain; charset="us-ascii"
Date: Wed, 1 Oct 2008 09:19:59 +0200 [10/01/2008 02:19:59 AM CDT]
Delivery-date: Wed, 01 Oct 2008 02:20:10 -0500
Envelope-to: john@not-so-scammable.com
From: Adele Payton
Importance: Normal
MIME-Version: 1.0
Message-ID:
Received: from [193.110.165.112] (helo=ip165-112.mono.lv) by server147.hostingrevolution.com with esmtp (Exim 4.63) (envelope-from ) id 1Kkw08-0005nx-1V for john@not-so-scammable.com; Wed, 01 Oct 2008 02:20:01 -0500
from [193.110.165.112] by pbimail1.prodigy.net; Wed, 1 Oct 2008 09:19:59 +0200

Return-path:
Subject: ***SPAM*** Job position
To: john@not-so-scammable.com
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0)
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.2663
X-Priority: 3 (Normal)
X-Spam-Bar: +++++
X-Spam-Flag: YES
X-Spam-Report: Spam detection software, running on the system "server147.hostingrevolution.com", has identified this incoming email as possible spam. The original message has been attached to this so you can view it (if it isn't spam) or label similar future email. If you have any questions, see the administrator of that system for details. Content preview: Greetings dear potential employee! PHC Consulting has an opening for a Transaction Specialist position. We do our best to fit all our customers� needs as soon as possible. That�s why all are staff is professionally trained and can solve any problem that occurs on their way. We are not just a set of people, we are a family. And we offer you to join us. The details on the position opened right now are below: [...] Content analysis details: (5.8 points, 5.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- 2.0 URIBL_BLACK Contains an URL listed in the URIBL blacklist [URIs: consulting-phc.biz] 1.6 URIBL_AB_SURBL Contains an URL listed in the AB SURBL blocklist [URIs: consulting-phc.biz] 2.1 URIBL_OB_SURBL Contains an URL listed in the OB SURBL blocklist [URIs: consulting-phc.biz] 0.1 RDNS_NONE Delivered to trusted network by a host with no rDNS
X-Spam-Score: 58
X-Spam-Status: Yes, score=5.8
Headers: Show Limited Headers

Greetings dear potential employee!
PHC Consulting has an opening for a Transaction Specialist position.

We do our best to fit all our customers� needs as soon as possible. That�s why all are staff is professionally trained and can solve any problem that occurs on their way.
We are not just a set of people, we are a family. And we offer you to join us. The details on the position opened right now are below:

General Requirements:

- Be at least 21 years old.
- No special Qualifications Needed.
- Have a minimal experience and knowledge of basic bank operations.
- Ability to maintain confidentiality of all information.
- Willingness to work from home, take responsibility, set up and achieve goals.
- The ability to create good administrative reporting.
- Honesty, responsibility and promptness in operations.
- The ability to operate with more than one task effectively, and have an adaptable, flexible, professional attitude.
- The ability of stable communication with our company and on-time and detailed reporting.
- Be Familiar to working online, Internet and e-mail skills.

What we offer:

- Generous salary (over 3,000.00 USD monthly).
- Free training.
- Paid Holidays plus 2 weeks of Paid Time Off (PTO).
- Trial period of a month
- 5% Commision from our deals.

This is not a hard job, but your help is very important for us and our clients. This job does not require any special education. You wouldn't have to pay us for taking you on our list. However we guarantee stable income.

If you are interested, please send your resumes to us and also feel free to ask any questions to the email adress you can see below. You will be replied the same day:

phc.consulting.staff.department@gmail.com

Best regards,
German Makovski
hxxp://consulting-phc.biz/

___________________________________________________________

Suspect registration as it is new and an incomplete contact number.

Domain Name: CONSULTING-PHC.BIZ
Domain ID: D27355059-BIZ
Sponsoring Registrar: ESTDOMAINS INC
Sponsoring Registrar IANA ID: 832
Domain Status: clientDeleteProhibited
Domain Status: clientHold
Domain Status: clientTransferProhibited
Domain Status: clientUpdateProhibited
Registrant ID: DI_8774114
Registrant Name: Richard Summers
Registrant Organization: N/A
Registrant Address1: NY st.17, 24
Registrant City: New York
Registrant State/Province: New York
Registrant Postal Code: 93583
Registrant Country: United States
Registrant Country Code: US
Registrant Phone Number: +534.767567
Registrant Email: mail@consulting-phc.biz
Administrative Contact ID: DI_8774114
Administrative Contact Name: Richard Summers
Administrative Contact Organization: N/A
Administrative Contact Address1: NY st.17, 24
Administrative Contact City: New York
Administrative Contact State/Province: New York
Administrative Contact Postal Code: 93583
Administrative Contact Country: United States
Administrative Contact Country Code: US
Administrative Contact Phone Number: +534.767567
Administrative Contact Email: mail@consulting-phc.biz
Billing Contact ID: DI_8774114
Billing Contact Name: Richard Summers
Billing Contact Organization: N/A
Billing Contact Address1: NY st.17, 24
Billing Contact City: New York
Billing Contact State/Province: New York
Billing Contact Postal Code: 93583
Billing Contact Country: United States
Billing Contact Country Code: US
Billing Contact Phone Number: +534.767567
Billing Contact Email: mail@consulting-phc.biz
Technical Contact ID: DI_8774114
Technical Contact Name: Richard Summers
Technical Contact Organization: N/A
Technical Contact Address1: NY st.17, 24
Technical Contact City: New York
Technical Contact State/Province: New York
Technical Contact Postal Code: 93583
Technical Contact Country: United States
Technical Contact Country Code: US
Technical Contact Phone Number: +534.767567
Technical Contact Email: mail@consulting-phc.biz
Name Server: NS1.EGNS.IR
Name Server: NS2.EGNS.IR
Created by Registrar: ESTDOMAINS INC
Last Updated by Registrar: ESTDOMAINS INC
Domain Registration Date: Mon Sep 29 12:03:04 GMT 2008
Domain Expiration Date: Mon Sep 28 23:59:59 GMT 2009
Domain Last Updated Date: Tue Sep 30 10:35:00 GMT 2008

If this is in error or in the incorrect place, feel free to delete or move. Just trying to help.

Re: ACCEPT-ALL-PAYMENTS.COM, AL-PAY, E-SPRINT, 24-HOUR CORP

Wed, 01 Oct 2008 06:51:44 EDT

MGD : ACCEPT-ALL-PAYMENTS.COM, AL-PAY, E-SPRINT, 24-HOUR CORP 800 682-7189 800-683-6024

It has been almost six months since we have heard anything regarding the parallel AMEX fraud charges ran by Sacramento California Russian Expatriate cyber-mules. History tells us that even though we are not hearing anything, the chances that this multi year fraud operation has been abandoned, are between slim and none. Though I have routinely sniffed around looking for signs of them, unsuccessfully, that certainly did not mean they had stopped. Since fraud reports can show up in a myriad of places, it can be very difficult to monitor.

What brings the Sacramento county Russian cyber-mule operation to the forefront once again, is a recent ongoing AMEX fraud with a twist, and some publicity. The current Amex fraud charge run can be directly tied to the same long running criminal operation, and also highlights new cyber-mules. The twist is that the fraudulent AMEX merchant accounts are now processing bogus charges to both US and UK victims with AMEX affiliated cards. I hit on this by changing some of the key word combo searches that I mentioned earlier that were routine exercises.

It unfolded as follows:

First was a search that returned a TV News video report from CBS 13 News in Sacramento, CA.

quote:
Local residents Targeted By Credit Card Scam
Worldwide complaints from American Express card owners have led investigators to the Sacramento area, where a false business was allegedly making false charges. Elyce Kirchner reports: »cbs13.com/video/?id=39375@kovr.dayport.com

Well with those keywords "American Express" "Sacramento" "false business" false charges", I knew before I even watched the video where and to who this would lead to.

Sure enough, a new crop of Russian expatriate Amex cyber-mules, and one not so new. What was driving this were complaints from the USA and UK victims of fraud charges originating from:

24 HOUR CORP 800-682-7189

6104 Holt Ln.
Carmichael, CA 95608
800-682-7189

By the way, these fraud charges vary from $25 to $50 per hit.

Sample extracts follow from:

»www.complaintsboard.com/complain···7/page/1

quote:
18 days ago by Aimee
Same exact thing just happened to me- amex card, same business name, same notes, except they did it 2 times, and the charge was 44.19 each time.

--------------------------------------------------

17 days ago by Michele
Same thing. Two charges on my AX card for $37.69 each!

When you double hit in this range, then these are intended to be short lived fast burn accounts. Remember they can usually draw the money within 48 hours of submitting the charge. As long as they pile them in they can cover and keep adding to the draw, they can move the funds out fast. it is long gone by the time the victim sees the statement.

Emphasis added:

quote:
16 days ago by J. F. [send email]
I agree that I think this company is fraudulent. This is the information that I have found about the supposedly company.

I did a reverse search lookup for the company's address on whitepages.com and these are the results that I have found:

1 Result matching "6104 Holt Ln, Carmichael, CA."

Andrey Yakovlev ------------->Strike One = Russian
6104 Holt Ln
Carmichael, CA 95608-3972 ----->Strike Two = Sacramento County
phone number unavailable

Fraud charges in these amounts are what drew the national media attention to the "Pluto" and "Digital Age" card fraud. Likewise here:

quote:
9 days ago by Katie

ATTENTION ALL VICTIMS OF 24 HOUR CORP SCAM:

I work for the Better Business Bureau in North East California. We are currently working on the 24 Hour Corp Scam with AMEX card holders. This scam has reached all the way to the UK.

PLEASE EMAIL ME at your earliest convenience. We are meeting with channel 3 and 13 and would love to schedule more interviews and find out more information as to the number of people affected.

I look forward to hearing from you. Thanks,

Sincerely,
Katie Robison
Public Relations and Program Services
katier[@]necal.bbb.org

Several, but not all, of the UK victims had visited the USA:

quote:
14 days ago by Nigel Barber
I went to the States in May and only spent money at the hotel on my credit card and got US Dollars before I went.
I have been back for nearly 4 months and now I get a 24hour corp on my statement for 23.18$.
I have phoned my bank and they are aware of it and now they are investigating. Ihave given them the address above and we shall see what happens. This really is annoying.

More on why AMEX ~~could~~ should have prevented this, they have known about this fraud group for several years. This is not "new" to American Express, at all.

quote:
7 days ago by Janice
I am based in the UK and noticed the unauthorised charges because they were the only ones in US Dollars on my statement. I hadn't used my card abroad or over the internet.

Amex (in the UK) said that they are aware of the problem and their fraud team are investigating. They have stopped my card and will credit me for the two unauthorised charges which were $28.04 each.

Many thanks for posting the alerts. Without it, I would not have known I was a victim of fraud.

Can you believe this bank !!!
This is asinine!:

quote:
13 days ago by Clare Gomme
Each month for the last 3 months, I have had charges on my Lloyds card to this company. I have tried to cancel the card to prevent this fraudulent use but Lloyds inform me that, even though they are investigating this company on behalf of a large number of clients, my account cannot be closed until the investigation is complete. In the mean time I am having to phone up each month to dispute this charge. This month I have also been charged for late payment with interest for the disputed amounts on my current statement. To make matters worse I have never used the Amex card on this duo card account so how has 24 hour corp got hold on my account number. Could the fraudster must be an employee of Lloyds?

And it is not just that thread, this one too:

24 hour corp and/or e-sprint LLC

800 682-7189 and 800-683-6024

accept-all-payments.com

»www.complaintsboard.com/complain···057.html

quote:
28 days ago by Pl
AMEX (from MBNA) in the UK recognised this as fraud & cancelled the card - it is said that the amounts are low because its below the authorisation limit so they go through automatically - but some AMEX issuers are waiting for customers to complain before they do anything.

Spreading to other countries:

quote:
27 days ago by George
I had two charges from them on my Greek Alpha Bank AMEX, within July, the amounts were 17, 05 and 17, 18 euros...it is amazing the way they let this company charging people all this time. The Bank returned the amounts but I still find it unacceptable...
I have reported it since 4 of AUGUST and AMEX still let them charge.

A UK victim's thread on the UK forums Moneysavingsexpert.com:

»forums.moneysavingexpert.com/sho···1&page=2

quote:
Lloyds TSB Credit Card

------------------------

Beware, its seems that some thing suspicious is happening with transactions with Lloyds TSB cards.

LLoyds TSB have said they have had alot of the same, but they dont know who the company is.

It showed on some statements as

24 HOUR CORP 24HOUR CARMICHAEL CA£18.340806 35.37 USD @ 1.9286

24 HOUR CORP 24HOUR CARMICHAEL CA £19.54
##0805 37.69 USD @ 1.9289

So make sure you check your statements!!

-------------------------------------------------------

I have had a charge on my Virgin Amex for approx $23 which translates at £13.84 from 24 Hour Corp Carmichael. Virgin have said they will contact the merchant and ask for documentation. They give them 40 days for a response and if it's not a legitimate charge they will refund the money back to my account. In the meantime the amount is frozen so it doesn't accrue interest but they won't issue me with a new card until it is confirmed as a fraudulent transaction.

This is a known fraud

------------------------------------------------------

A similar charge has appeared on my British Airways Blue Amex card. $44.92 USD on 10 Aug 08.

I am just off the phone to Amex and I was told that this is a known fraud which is impacting numerous cardholders. They will refund it and they have insisted that my card is cancelled and a replacement issued.

What dissapoints me is that their fraud team are aware of this and they are not proactively identifying customers that are impacted. When I pushed them on this I was told: "It would take too long to review every account, so we are waiting for customers to call us - Amex have revoked the merchant's Amex authorisation, but because the transactions are below the "floor limit" they are applied automatically to customer accounts without being checked to see if they are valid".

Please keep your eyes open!!!

What is even more disappointing is the fact that American Express has known about this specific fraud operation for several years. Contributing to the problem is how easy Amex doles out merchant accounts. Since a core function of this long running fraud is the use of Russian expatriate cyber-mules from a concentrated area around Sacramento County, a simple add on in the vetting process that was listed in the above post, could easily filter these out at application time.

So lets look over some of the info that has already been posted, and add some to it:

ACCEPT-ALL-PAYMENTS.COM, AL-PAY, E-SPRINT, 24-HOUR CORP 800 682-7189 800-683-6024

The website ACCEPT-ALL-PAYMENTS.COM is now down, two cached pages still exist from August 26th 2008:

[att=1]

Snapped 2008-10-01 06:12:04

»74.125.45.104/search?hl=en&suggo···G=Search

[Att=2]

Snapped 2008-10-01 06:11:46

»74.125.45.104/search?hl=en&suggo···G=Search

from the page:

Contact Us
E-Sprint LLC,.
2721 Rio Linda blvd. Sacramento, CA, 95815
Phone/fax +1(800)683-6024

So, did American Express improve the vetting process for individual merchant accounts, and the criminals moved up to the next rung on the ladder and were operating as a secondary wholesaler / affiliate?:

quote:
Welcome to AL-Pay! The best credit card and E-check payment system on the net.

Did you know that when you accept credit cards and checks online, you can expect your sales to increase by an astounding 50 to 400%? You simply can't compete if you don't accept credit cards and e-check. With our free online application, you can start accepting credit cards and e-checks on your web site in less than 24 hours! In addition to accepting credit cards and e-checks on your web site in real-time, you will also receive our simple-to-use, web-based payaments administration system. With our versatile ecommerce software, you have a complete solution.

Or was that just a ruse?

Running down the names:

E SPRINT is a California LLC registered on March 11th 2008 by a PAVEL UDALOV:

[att=3]


LP/LLC 
E SPRINT LLC  
Number: 200807110216  
Date Filed: 3/11/2008  Status: active 
Jurisdiction: CALIFORNIA
.  
Address  
2721 RIO LINDA BLVD  
SACRAMENTO, CA 95838  
.
Agent for Service of Process 
PAVEL UDALOV  
2721 RIO LINDA BLVD  
SACRAMENTO, CA 95838

There was also a matching Sacrament Country Fictitious Business Registration for E SPRINT LLC:

[Att=4]

There is no phone listing for either PAVEL UDALOV or a reverse for that address. In fact, there is no public records for a Pavel Udalov within the entire state of California. That home however does show up as having being last purchased on 08/07/2007 and was put back on the market a month later. That home was recently listed on "Sacramento Area Flippers In Trouble", as having a 37% drop in asking price from the previous sale, and has unpaid back property taxes for 2007.

[att=5]

»74.125.45.104/search?q=cache:DEd···=5&gl=us The address is no longer on the MLS listing.

I am unable to find anything specific for "Al-Pay". However, the ACCEPT-ALL-PAYMENTS.COM domain as "StillAtIt" posted, brings us to a very familiar name:


Registered through: GoDaddy.com, Inc
.
Whois Record
Registrant:
   ESprint Corp.
   4351 marysville blvd
   Sacramento, California 95838
   United States
.
   Domain Name: ACCEPT-ALL-PAYMENTS.COM
      Created on: 27-Apr-08
      Expires on: 27-Apr-09
      Last Updated on: 27-Apr-08
.
   Administrative Contact:
      piglitsin, roman  piglitsin@hushmail.com
      ESprint Corp.
      4351 marysville blvd
      Sacramento, California 95838
      United States
      (916) 308-7086      Fax -- 
.
   Domain servers in listed order:
      NS13.DOMAINCONTROL.COM
      NS14.DOMAINCONTROL.COM

From February 2008:

quote:
Julia:
VIN design, Roman Piglitsin and Solomka from Sacramento and Plumas, CA have hit my Amex three times now since November for $12.38, $9.45 and $9.59. Fortunately, Amex has been good about crediting my account.

»Re: Ebook websites, fraud charges, Devbill/DigitalAge/Pluto

From March 2008:

quote:
Angry:
Oh my! I did a search of some bogus charges that were on my AMEX and this site popped up! Thank goodness I'm not alone. I apologize in advance if this is not the correct place to post this or if you all have discussed this information previously.

The two companies that charged my AMEX have already been posted by others:

1) ROMAN I PIGLITSIN Telecom Service 2/20/08, $11.87
ROMAN I PIGLITSIN DBA
4351 Marysville Blvd
Sacramento, CA 95838
Cellular Telephones
R And P Web Designer

2) SOLOMKA DESIGN, Computer network 2/08/08 $11.95
SOLOMKA Design
4282 Pinell St Ste 101
Sacramento, CA 95838
Internet Downloads

I immediately flagged it online, but didn't submit it as a fradulent charge. At the time I thought it MIGHT have been something connected to my MONTHLY charge from EXPERIAN that is SUPPOSED to cover credit report monitoring and protection. Imagine that! ....
..

AMEX has sinced given me a credit and sent letters stating they are investigating.

»Re: Ebook websites, fraud charges, Devbill/DigitalAge/Pluto

That ties ROMAN I PIGLITSIN to SOLOMKA, which ties to VALLJRSX VALL-JRSX »Re: Ebook websites, fraud charges, Devbill/DigitalAge/Pluto and also to Mobil Txt, and on up the ladder we go!.

Roman's directory listing does show him as the owner of "R And P Web Designer",

[att=6]

which means that the White Pages picked it up from a business filing, a search of both Sacramento County, and California records does not yield a hit. It is possible that it could be registered in another county.

These are the only two listings:

[att=7][att=8]

Did the crime syndicate do the same as they do in the other divisions, and after the ROMAN I PIGLITSIN DBA cyber-mule merchant account burned up, and he became black listed, then used his identity to register the ACCEPT-ALL-PAYMENTS.COM domain?

The last several months have been a dry spell in terms of fraud charge information on this Amex division, though I doubt that they were on vacation. In fact Domain Tools shows that there are a total of 6 domains registered using the piglitsin@hushmail.com email address.

[att=9]

One of them as late as July. You should presume the other 5 are also tied to fraudulent American Express merchant accounts that we do not know about. Some of them may have been already active, I have searched for fraud reports.

That brings us to 24-HOUR CORP, there were three Corporate registrations of that name:

The first one was in the beginning of 2005, and subsequently suspended:

[att=10]


Corporation 
24 HOUR CORP.  
Number: C2715247  
Date Filed: 1/10/2005  
Status: suspended  
Jurisdiction: California 
.
Address  
6104 HOLT LANE 
CARMICHAEL, CA 95608
.  
Agent for Service of Process 
LEO YAKOVLEV  
6104 HOLT LANE  
CARMICHAEL, CA 95608

Then registered again on 08/18/2006 with a new address:

[att=12]


Corporation 
24 HOUR CORP.  
Number: C2892866  
Date Filed: 8/18/2006  
Status: suspended  
Jurisdiction: California
. 
Address  
2370 MARKET ST STE 111 
SAN FRANCISCO, CA 94114
.  
Agent for Service of Process 
LEO YAKOVLEV  
2370 MARKET ST STE 111  
SAN FRANCISCO, CA 94114

Registered for a third time in June of 2008, new agent name, but the same address as the 2006 registration:

[att=13]


Corporation 
24 HOUR CORP  
Number: C3150801  
Date Filed: 6/23/2008  
Status: active  
Jurisdiction: California
. 
Address  
2370 MARKET ST STE 111 
SAN FRANCISCO, CA 94114
.  
Agent for Service of Process 
DAVID BLESS  
2370 MARKET ST STE 111  
SAN FRANCISCO, CA 94114

.

The 2370 MARKET ST STE 111 address is the same as that of a company called Ferro Rosso Corp. www.ferro-rosso.com »www.ferro-rosso.com

Snapped 2008-10-01 06:11:29

»www.ferro-rosso.com/contact.htm

Yelena Milovanova
2370 Market Street, Suite 111
San Francisco, CA 94114
888-870-7797

Ferro Rosso Corp.
2370 Market Street, Suite 111
San Francisco, CA 94114

What the connection is to this apparently legit company, I do not know. However, they have more than an address in common:

[att=11]

They share the same "24 Hour Corp" as the agent, which in 2007 would have been LEO YAKOVLEV. A check of all FBNs' registered to either Andrey or Leo:

[att=14]

With so little information thus far, I do not necessarily suspect a formal conspiracy between the criminals and the cyber-mules, because of the common Russian heritage link. Evidence of hiding, or otherwise participating in the obfuscation of the set ups would indicate some level of complicity.

However, what has been frustrating, is the inability to obtain information from known cyber-mules. Their unwillingness to even talk about it, or cooperate, certainly leaves an impression of being complicit, which may or may not be accurate. Repeated contact attempts yields mules who claim to be only able to speak Russian. When you hear others speaking English in the background, and point that out, they still refuse to have them act as translators. They do know the subject matter, and most of the calls end abruptly. In a case where a translator was available and the issue was discussed with them, they offered to call back with the cyber-mule present, but never did. Repeated follow up calls were ignored. That makes the Sacramento case a difficult area to crack and gather intelligence data on. Based on this stonewalling, which may be more cultural that anything else, a Dslr member who spends time in that area attempted several months ago to generate local media interest in the case, and was not successful.

How complicit some of these cyber-mules are may be revealed in the upcoming Federal case of the 2005 cyber-mule, ALEX BERNIK of LEXBAY LIMITED ROSEVILLE CA: »Re: VALL-JRSX, VIN-DESIGN, E NAT, PARADISE WEB

MGD

Re: Ebook websites, fraud charges, Devbill/DigitalAge/Pluto

Tue, 30 Sep 2008 20:57:07 EDT

MGD :

said by StillAtIt :

I found this site as I was backtracking a fraudulent Amex charge from "24-hour corp" in Carmichael, CA. .....

Thank you for posting, and what a coincidence !!

I ran across that several days ago while performing routine searches looking for signs of the American Express card fraud division. As some of you may recall, it has been almost 6 months since a posting has been made on this division which uses Sacramento County based Russian expatriate cyber-mules. Previous reports have been under the heading of:
--------------------------------------------------
VALL-JRSX, VIN-DESIGN, aka VIN DESIGN, E NAT, PARADISE WEB, aka PARADISEWEB, TIM-WEB, SOLOMKA DESIGN, Mobil Txt, MOBIL DESIGN LLC, ROMAN I PIGLITSIN Telecom Service, DBA ROMAN PIGLITSIN, et all

What do they all have in common?. They are a just a few of the LLCs or Fictitious Business Names that were registered in the Sacramento County or surrounding area by Russian expatriate cyber-mules. The business were registered for the sole purpose of obtaining a business merchant processing account from American Express. They were specifically set up in order to use AMEX's own system to launder hijacked American Express victim card data into cash. This was done by submitting and processing fraudulent charges against the stolen card data. The cyber-mules then wired the hijacked funds out of the country which presumably ended up in Russia and the Ukraine. This fraud has been operating out of that area, virtually uninterrupted since at least 2003 - 2002. The fraud runs in parallel with the indentical Visa / MasterCharge operation.
--------------------------------------------------

I have been scouring for signs of their continued operation, which is sometimes difficult to find. However, knowing that this operation has been running in parallel for several years also, I knew that they were active somewhere, and it was just a matter of time before they hit the radar again.

I was preparing a post over the last several days, while digging into:

ACCEPT-ALL-PAYMENTS.COM AL-Pay, E-Sprint, and 24-hour corp

I can now tie this recent American Express card fraud directly to the same operation, no question about it.

I will follow with with the post that I have been preparing over the last several days, which includes both the UK and USA victim reports of the Amex fraud charges.

In the interim watch this local Sacramento CBS 13 news report:

»cbs13.com/video/?id=39375@kovr.dayport.com

They are correct in that it is the "tip of the iceberg". However a whole section of the iceberg has been revealed already. The worst part of the American Express fraud charges, is that Amex has known about this format for over two years, and supposedly investigated it. Yet they are either unable, or unwilling, to take simple preventative measures to at least make it somewhat difficult for these cyber-mules to keep obtaining Merchant accounts from American Express.

Remember, American Express has their own proprietary merchant processing system. This organized crime syndicate obtains the merchant account via the Sacramento County Russian cyber-mules direct from AMEX. That is how the American Express card holders become victims of this fraud. The bad part is that the syndicate has been obtaining these accounts from AMEX via this modus operandi for at least 5 years

In an excerpt from my work in progress post, I prepared a simple script example of how they could have screened this out:

[att=1]

Now obviously that will not shut down the operation. After all, the organized crime syndicate has had a constant supply of American Express card holder account data for years. However, American Express ought to at least make it somewhat difficult for the criminals to launder that card data into cash using the Amex merchant processing system.

With the Visa / MasterCharge fraud division, the cyber-mules can be located anywhere within 50 states, which is a little more difficult to nail down. This one is so simple to at least place a minor road block in front of, that it borders on negligence, in my opinion.

In addition, if you have not been alert to this over the past 5 years, then you have also lost the ability to do specific card fraud analysis on all of the data that was submitted via the dozens of fraudulent merchant accounts. That analysis is a crucial function as it may well reveal some of the points of initial compromise of the data. If so, that would have enabled those sources to be re-secured, and if unique, possibly prevent other sources from being compromised.

MGD
EDIT= corrected FBN/LLC names, added text

Re: Ebook websites, fraud charges, Devbill/DigitalAge/Pluto

Tue, 30 Sep 2008 19:48:44 EDT

anon : I found this site as I was backtracking a fraudulent Amex charge from "24-hour corp" in Carmichael, CA. The now defunct website for them, accept-all-payments.com (AKA AL-Pay and E-Sprint) came back from a whois search as:
Registrant:
ESprint Corp.
4351 marysville blvd
Sacramento, California 95838
United States
Domain Name: ACCEPT-ALL-PAYMENTS.COM
Created on: 27-Apr-08
Expires on: 27-Apr-09
Last Updated on: 27-Apr-08
Administrative Contact:
piglitsin, roman
ESprint Corp.
4351 marysville blvd
Sacramento, California 95838
United States

This information will look familiar to you guys. I won't bore you with the same details of fake websites that are there only to launder credit card charges, but this scam is global (UK in particular as well as here in the US).

Re: Ebook websites, fraud charges, Devbill/DigitalAge/Pluto

Sat, 27 Sep 2008 18:40:26 EDT

Doctor Olds :

said by jeph89 :

are the mules really innocent? i notice they have relatively common names. was wondering if looking up their criminal histories is/has been helpful?

I've not seen any with known criminal histories. Most all are duped. There are regular people missing the needed technical knowhow to spot a scam business model.
--
What’s the point of owning a supercar if you can’t scare yourself stupid from time to time?

Re: Ebook websites, fraud charges, Devbill/DigitalAge/Pluto

Sat, 27 Sep 2008 00:33:33 EDT

anon : i have some serious anger issues re: $11.89 (ktech solutions). thanks for your obvious hard work MGD, before today i knew nothing of this scam. are the mules really innocent? i notice they have relatively common names. was wondering if looking up their criminal histories is/has been helpful?

Re: Ebook websites, fraud charges, Devbill/DigitalAge/Pluto

Thu, 25 Sep 2008 17:55:47 EDT

MGD :

quote:
Mystery charge shows up on Lawrence woman’s credit card
Wednesday, 6 August 2008

Judi Mahaley almost didn’t notice the $9.87 billing to one of her little-used credit cards.

The Lawrence woman checks her statements online to avoid receiving paper statements. She was checking this particular card’s statement to review her finance charges when she saw the a mysterious charge from Imagecrater.com.

“I have hardly used that card at all,” Mahaley said. “I had not been to that Web site.”

Mahaley checked the Web site and found what appeared to be a harmless place to view and order photographs and art images. She did other online searches and found there were plenty of other people who also had received credit card charges without their initial knowledge from the same Web site.

Mahaley called a phone number listed with the charge on her bill and which also is listed as a contact number on the Web site. She got a recording saying the call could not be completed ......
....
..

Continued:
ref:»www2.ljworld.com/blogs/common_ce···y_theft/

MGD

Re: Ebook websites, fraud charges, Devbill/DigitalAge/Pluto

Wed, 24 Sep 2008 20:50:40 EDT

MGD : ahptemplates.com AKA Alternecare Health Products, Inc. 402-408-9453

[att=1]

--------------------
Contact us

Alternecare Health Products, Inc.
www.ahptemplates.com

Phone/Fax:
1-(402)-408-9453

Support e-mail:
support@ahptemplates.com
--------------------

A muti state search for the corporation led to Florida. That was corroborated by the fact that the crime syndicate used the corporation owner's name DONALD MONTELLESE, in the domain contact email address donaldmontel@yahoo.com. That is a common tactic used in many of the fraudulent registrations.

[att=2]


Florida Profit Corporation  
ALTERNECARE HEALTH PRODUCTS, INC. 
Filing Information 
Document Number P02000003007 
FEI Number 043626812 
Date Filed 01/09/2002 
State FL 
Status ACTIVE 
.
Principal Address 
1825 NW 38TH AVENUE
LAUDERHILL FL 33311  
Changed 08/18/2006
. 
Mailing Address 
1825 NW 38TH AVENUE
LAUDERHILL FL 33311  
Changed 08/18/2006 
.
Registered Agent Name & Address 
MARGOLIS, JOHN A
9990 S.W. 77TH AVENUE
SUITE 330
MIAMI FL 33156-2699 US
. 
Officer/Director Detail 
Name & Address 
Title DP 
MONTELLESE, DONALD
1825 NW 38TH AVENUE
LAUDERHILL FL 33331-1

The above is a 2002 corporation and appears to be in the supplement business. the contact number on this website:

Snapped 2008-09-24 20:47:46

»www.alternecare.com/contactus.shtml

matches to the the number listed for their address here: »integrativepractitioner.com/mark···308.aspx

The domain registration is just over amonth old:

Snapped 2008-09-24 20:47:28

»ahptemplates.com


Registrant:
Katherine Fitzgerald
344 East 112th Street Apt 4B
NEW YORK, New York 10029
United States
.
Registered through: GoDaddy.com, Inc. 
Domain Name: AHPTEMPLATES.COM
Created on: 15-Aug-08
Expires on: 15-Aug-09
Last Updated on: 15-Aug-08
.
Administrative Contact:
Fitzgerald, Katherine donaldmontel@yahoo.com
344 East 112th Street Apt 4B
NEW YORK, New York 10029
United States
(720) 596-3375
.
Domain servers in listed order:
NS1.HOSTDONE.COM
NS2.HOSTDONE.COM

.

MGD