
MGD | Premium, MVM | join:2002-07-31 | kudos:9 | 4 edits | reply to MGD

The Crime Syndicate's UK fraud operation uncovered!
This discovery started to unfold over a month ago, and began from the results of the BestTech Solutions cyber-mule debriefing. As you may recall, he was greatly disturbed by the fraud revelation, because he had performed what he thought was good due diligence after the criminals responded to his careerbuilders.com resume. He was adamant that he had confirmed that they were a Microsoft certified partner, and he had found reliable references of their activities from internet searches. As it turned out, the criminals were masquerading as Effectivesoft.com, a software company based in Minsk, Belarus. The crime syndicate had set up numerous lookalike domains, and had multiple cloned copies of the real Effectivesoft.com's website.
Shortly thereafter aa419.org located a second fake recruiting company operating as "Infobite Software" pretending to be based in Warsaw, Poland. Infobite Software was masquerading as another software company Eleks Software, based in Lviv, Ukraine. Once again, the same modus operandi. They were hosting cloned copies of the real Eleks.com on various fraudulently registered domains such as: infobitesoft.com, infobitesoft.info, infobitecompany.com, e-infobite.net, infobiteonline.com, and infobiteonline.biz among others. There was a subsequent write up HERE of this botnet hosted fraud recruiting group. Some of the cyber-mule recruiting documents obtained from Infobite, were identical copies of the ones used to solicit the BestTech Solutions cyber-mule.
One trend noted in the Infobite job sites carpet bombing, was that they were also specifically targeting the UK:
 Infobite fraud jobs on Trovit
ref: »jobs.trovit.co.uk/jobs/infobite-···-_11t16o
An intensive cyber hunt was started to try and uncover the fruits of the cyber-mule recruiting program. Credit for that goes to mae_aa419 who located an entire group of related card fraud processing front sites, focused on the UK. The UK "Berry" Group consisted of some 30 odd sites in various stages of operation, and were directly connected to the Infobite recruiting program:
 Cannydesign.com
 bbctemplates.com

A behind the scenes operation was conducted in order to gather intelligence, more on that later. At the time no reports of card fraud charges were found. However, at the beginning of this week mae_aa419 picked up several signs that fraud charges were being processed. One victim had recently posted about a fraud charge from one of the known fraud domains cctemplates.net on digitalspy.co.uk:
Just checked my online credit card transactions and on the 10th June at 5.07pm, a transaction of £9.90 was made to my credit card from "www.cctemplates.net".
However:
- From looking at the website they don't offer any service that I require, and
- At that time on Tuesday I was sat in my car at home trying out a new iTrip I had bought.
Anyone know who they are, and if they offer other services apart from the one advertised on the website above? I have never ordered a bespoke logo, and nothing else comes to mind!
Cheers.
Another victim was charged for registering another of the UK fraud domains hephzitechdesign.com. Since a considerable amount of data had already been gathered, and there were now confirmed fraud charges, a decision was made to unmask this UK fraud operation and go public.
On 06/18 mae_aa419 posted a list of the crime syndicate's UK fraud sites:
www.ubrtemplate.com UBR Limited
www.info-templates.com InfoBite UK Ltd
www.gw-templates.com GW INTERNATIONAL INVESTMENT &TRADE CO.,LTD
www.cannydesign.com Canny IT Limited
www.akshartemplate.com Akshar Consultancy Limited
www.afrtemplate.com AFREZ6 Limited
www.vtdiz.com Vivid Technologies Ltd
www.tsdiz.com Techsets Ltd
www.sudiz.com Sucre Services Limited
www.gsdiz.com Greer Services Ltd
www.vividtemplates.net Vivid Technologies Ltd
www.techtemplate.net Techsets Ltd
www.sucretemplates.com Sucre Services Limited
www.infobite-templatestore.com Stonegate Ltd
www.ibtemplates.com InfoBite Solutions Limited
www.bbcv-templates.com Bubble Burst Creative Ventures Limited
www.bbctemplates.com Bubble Burst Creative Ventures Limited
www.toytemplates.com Toyk Design Ltd
www.simplytemplate.net Simply Websites Ltd
www.scorpiotemplates.com Scorpio Connect Ltd
www.infobitedesign.com INFOBITE SOFTWARE LIMITED
www.greerdesign.net Greer Services Ltd
www.gracefuldesign.net GRACEFUL MOVE LIMITED
www.creative-templates.net Creative Communications UK LTD
www.hephzitechdesign.com HEPHZITECH TECHNOLOGIES UK LIMITED
www.cctemplates.net Computer Consultants, LTD
www.ubrdiz.com UBR Limited
www.htdiz.com HEPHZITECH TECHNOLOGIES UK LIMITED
www.ibdiz.com InfoBite Solutions Limited
www.dizib.com INFOBITE SOFTWARE LIMITED
www.ccdiz.com Computer Consultants, LTD
Within hours, the criminals who already had been given a "heads up" by a well meaning poster on the Digital Spy forum, who thought the OP was maligning the company by calling them a fraud, apparently began searching for other fraud references about their UK operation. The crime syndicate in an attempt to preserve the fraud operation, immediately began a campaign to reduce the search engine rankings of the fraud reports by posting comments on hundreds of forums and listing their domains:
 Hiding the fraud reports
 Altering search rankings
That is the tactic that the poster "Web Forum Mod" was referring to in the above post.
The crime syndicate's UK fraud division's modus operandi is a carbon copy of the US fraud operation. Documents recovered from the UK operation indicate that the criminals must have a large supply of UK card data. By their own estimates, even at twenty or so sites fully operational, they planned on fraudulently billing close to 1 million GBP a month, around 100,000 cards. That is just with the known "Berry" group, there could be others.
..... You have to talk to the bank's business manager, and he will put you through with the department that you need to work with to receive the E-commerce Merchant Account.
The important detail is that for the merchant account you will need Payment Gateway, so that the website and the merchant account might be integrated; Payment Gateway will be the virtual cash desk at the Internet store, it will be either the company Protx.com or the company SecPay.net
Below is the list of questions about a merchant account that your business manager can ask.
Your website : www.REDACTED.com [It will be activated within the next few hours.]
Q: What is the supposed turnover per month? A: ~45.000GBP a month
Q: How many transactions will there be? A: ~4500 a month
Q: What is the cost of the product you sell? A: About 10GBP per one item
Q: What kind of merchandise are you intending to sell? A: We sell ready-to-go web designs (templates), logos for the websites and clip arts.

In addition to the search engine fraud hiding tactic, the criminals immediately pulled many of the sites from view, some give a 500 error. The only site that appears to be up now is Toyk Design Ltd AKA toytemplates.com. I will follow up with more posts on additional information and specific details for the UK fraud operation.
Screen shots of the sites were taken at various times and are available HERE in slideshow mode, or you can select full resolution images.
MGD
EDIT=corrected pic caption

MGD | Premium, MVM | join:2002-07-31 | kudos:9 | 3 edits

Even though the organized crime syndicate has pulled many of the sites and set others to 505 codes, not all were active in card processing. Presumably the domains that are being forum spammed for search ranking have been actively processing fraud charges. The criminals' preservation tactic in hiding the fraud references from search results has failed.
To further reinforce the direct connection between the US and UK fraud: THIS POST a while back addressed how the uniquely worded "mission" statement on the black X templated flash fraud sites, could be found on only one other location, template5.com. As noted, that website was registered to a "cyber entrepreneur" in Kharkov, Ukraine. Well scratch the "only one other place", and change it to two places, the strawberry group:


Not only is that portion duplicated, but the "About Us" on both website groups are identical as well:


So the frequently used black X flash template in the US fraud operation, was cloned under a new design for the UK berry fraud program. In addition, first reports are that at least some of hijacked UK funds are being wired to Cyprus.
Now let's have a look at some of the crime syndicate's detailed instructions for the set up of the UK operation:
From: Natalya Shpankova [mailto:n.shpankova@gmail.com]
Since we have good contacts in hosting business, we are going to use our partner's service for the website.
You will receive the salary literally every day because your salary is 10% from each sale. The salary a month is about £2,000-£3,000 a month.
The salary of the Sales representative: Percentage of sales
Frequency of payment: immediately after the first successful sale
Amount: 10% of the sum of purchase (~2000-3000 GBP/Month)
Method of payment: from the turnover of the merchant account
The website will be prepared within 5-7 days after we receive a signed contract. Once the website is ready, you can begin registering your Merchant account.
Here is the list of banks providing the merchant account for E-commerce :
Natwest Plc - Highly Recommended
Barclays Bank
Royal Bank of Scotland
Bank of Scotland
Lloyds Plc
HSBC Plc
What are our responsibilities to you?
1) High-quality support for our products.
2) Full responsibility before future customers.
3) Thorough marketing policies in order to ensure a good level of sales.
4) Our guarantee of providing only high quality and tested products.
5) Paying salary in full and on time.
What are your responsibilities before us?
1) Maintaining of efficient marketing scheme:
- Active Merchant Account;
- Active company;
- Timely payments for Merchant account fees (through future turnover of the company).
2) Timely payments from Merchant Account turnover:
- Transfers to the corporate account of the company InfoBite Software (2 times a week: Tuesday, Friday);
* All costs or fees for transfers are covered by InfoBite Software.
3) Providing accounting reports 1-2 times a month in order to synchronize with accounting reporting of InfoBite Software
What else would require your attention?
Chargeback is inevitable for any online business, and every seller of goods on the Internet has to face it. The company Visa and MasterCard set the maximum amount of chargeback to 3% of total sales. We have developed an effective program to fight with chargeback, and the chargeback percentage does not exceed the allowable level of global proportions.
Your task is to catch when a chargeback occurs, and inform us in a timely manner. We prepare a set of documents for you that is necessary to dispute the chargeback in the bank, then we send the package to you so that you can submit it to the bank for a dispute.
If all the steps are done correctly, we can surely provide a successful ground for our partnership and our business.
Once again take note of the specific list of banks that the mules can use. They are steering them to banks that use specific merchant processors. Also, they are preparing the cyber-mules for the inevitable charge backs. Though the above states that "Natwest Plc" is "Highly Recommended". Apparently those preferences can vary:
......... Now you can begin the registration merchant account at the bank. I will provide the list of the banks where you can receive the merchant account:
Lloyds Bank
Bank of Scotland
Royal Bank of Scotland - Recommended
HSBC Bank
Natwest Bank - Recommended
Barclays Bank
If the company's account was opened at one of the above banks, I recommend that you should open the merchant account at the same bank. It will be simpler and less expensive. So, if the account for the company is at the Lloyds, the merchant account is best to be opened at the Lloyds Bank, too.
If you do not find the bank where you opened the account for the company, I recommend that you open the second account for the company at one of the recommended banks, and open the merchant account at that same bank too.
You have to talk to the bank's business manager, and he will put you through with the department that you need to work with to receive the E-commerce Merchant Account.
The important detail is that for the merchant account you will need Payment Gateway, so that the website and the merchant account might be integrated; Payment Gateway will be the virtual cash desk at the Internet store, it will be either the company Protx.com or the company SecPay.net
Below is the list of questions about a merchant account that your business manager can ask.
Your website : www.REDACTED.com [It will be activated within the next few hours.]
Q: What is the supposed turnover per month? A: ~45.000GBP a month
Q: How many transactions will there be? A: ~4500 a month
Q: What is the cost of the product you sell? A: About 10GBP per one item
Q: What kind of merchandise are you intending to sell? A: We sell ready-to-go web designs (templates), logos for the websites and clip arts.
Q: Where can Refund Policy, Privacy Policy and Shipping Policy be found? A: All the information will be presented on our website.
If you have any further questions, you can always contact me and I will answer them for you.
Best Regards, Natalya Shpankova
In the above they list two UK merchant gateway processors: Protx.com or SecPay.net that are to be used.
Even though the organized crime syndicate has pulled many of the sites, and set others to 505 codes, not all were active in card processing. Some mules even for the prepared sites, became suspicious and dropped out of the operation before it got off the ground.
The entire group of "Berry" fraud sites were hosted in the US on McColo Hosting Solutions. Though records indicate that McColo is a Delaware registered company, some initial scratching of their surface indicates that they are in fact based in Russia. The Delaware corp was set up via an online drive thru window, SIMILEX. Besides being the "preferred" hosting provider of 30 something card fraud laundering sites, McColo recently played host to both the author and the files of the Rustock.C aka Ntldrbot, an undetectable rootkit for botnets. Also, alleged RBN infiltration, botnet C&C hosting, and a history back to the notorious email bot harvester Psycheclone, and more.
The McColo hosted "Berry" fraud site group, have for the most part, one of these two variations of domain registrations:
Registrant: SimpleBytes Tech. Administrative (dekroon.andr@gmail.com) UK - PL Sales Representative, Independent Contractor 0,98472 GB Tel. +48.5748225562

OR

Registrant: Global Payments jerry delince (j.delince@gmail.com) 8952 SW 142nd Ave Miami 3523,33186 US Tel. +1.3052190782

Below is another copy of the list, linked to the hosting and domain registrations for each site at the time aa419.org inventoried them:
ubrtemplate.com UBR Limited
info-templates.com InfoBite UK Ltd
gw-templates.com GW INTERNATIONAL INVESTMENT &TRADE CO.,LTD
cannydesign.com Canny IT Limited
akshartemplate.com Akshar Consultancy Limited
afrtemplate.com AFREZ6 Limited
vtdiz.com Vivid Technologies Ltd
tsdiz.com Techsets Ltd
sudiz.com Sucre Services Limited
gsdiz.com Greer Services Ltd
vividtemplates.net Vivid Technologies Ltd
techtemplate.net Techsets Ltd
sucretemplates.com Sucre Services Limited
infobite-templatestore.com Stonegate Ltd
ibtemplates.com InfoBite Solutions Limited
bbcv-templates.com Bubble Burst Creative Ventures Limited
bbctemplates.com Bubble Burst Creative Ventures Limited
toytemplates.com Toyk Design Ltd
simplytemplate.net Simply Websites Ltd
scorpiotemplates.com Scorpio Connect Ltd
infobitedesign.com INFOBITE SOFTWARE LIMITED
greerdesign.net Greer Services Ltd
gracefuldesign.net GRACEFUL MOVE LIMITED
creative-templates.net Creative Communications UK LTD
hephzitechdesign.com HEPHZITECH TECHNOLOGIES UK LIMITED
cctemplates.net Computer Consultants, LTD
ubrdiz.com UBR Limited
htdiz.com HEPHZITECH TECHNOLOGIES UK LIMITED
ibdiz.com InfoBite Solutions Limited
dizib.com INFOBITE SOFTWARE LIMITED
ccdiz.com Computer Consultants, LTD
MGD

Not sure if it's connected, but this guy's name and location match up with the name on the domain registration for cannydesign.com:
»www.cs.man.ac.uk/~ezolin/

reply to MGD

Hello, guys. My name is Alexander. I'm an owner of templates5.com and saney.com. Just looked at visitor stats on hosting and found this thread. First of all I want to say that I have no relations with all of these carders you wrote. I am outraged. Are you thinking that in Ukraine only 2 web developers and one of them is me? LOL. Ukraine is a big country, about 53 mln peoples. Only in my city Kharkov are about 100 different web development companies and teams. And now some facts:

1. templates5.com was registered long time before in contrast with these fishing sites, and I do not hide whois info.
2. I created the design of templates5 with my own hands, but all these sites have template design from templatemonster or so.
3. Text copy of templates5 was created by copywriter from my company originally in Russian and then translated to English by other guy. This text for now not looking as written by native American, it looks like translated from Russian and I know about it. As for the text duplicates on other sites: I am not responsible for it. My site has good positions in Google and some peoples can copy this text to other sites in hope to get the same positions. I have some copywriters in staff and I have no problems with an original content, LOL, also I have no problems with money as that guys that can't buy dedicated server and hide whois info.
4. Templates5.com is an affiliate of templatemonster.com. I use special content management system for this. Templatemonster gave it to me. Not so many sites use this engine, it's only for friends. BUT ALL transactions operated by templatemonster, you can contact them and clarify.

So, templates5.com is not a fishing site, I will create in future the free templates service on it and all commercial thing will gone. I have no problems with creating really good websites and businesses, so, why I need to be related to these carders which steal few dollars and then go to the school.

So, I beg you no longer use either my name nor my sites here in dark role without an arguments. I'm not very pleased.