MGD (Premium, MVM) join:2002-07-31 kudos:9 | reply to MGD

Re: Ebook websites, fraud charges, Devbill/DigitalAge/Pluto

If you recall, back in September of 2009 there was a post by iDeceive regarding the OCS cyber-mule recruiting of SKYDEX SOFT LTD aka SKYDEXSOFT.COM Alex Malenkovsky career@skydexsoft.com
SKYDEXSOFT:

was the continuation of a long series of runs of fake recruiting companies that fraudulently and repeatedly utilized the significant resources of CAREERBUILDER.COM to source resumes and place job ads to lure cyber-mule victims. However, SKYDEX SOFT LTD aka SKYDEXSOFT.COM appeared to hold the known Careerbuilder.com record to date, by placing in excess of 150 concurrent cyber-mule job ads in every major metropolitan area of the US. A fact which highlights the complete failure of Careerbuilder to use reasonable and usual care in protecting either hosted resumes or job seekers from becoming cyber-mule victims.
This thread has documented an extensive series of both recruiting and employer accounts on Careerbuilder orchestrated by this Organized Crime Syndicate. Since many of these multiple job posting campaigns would have cost a significant amount of money, it is doubtful that the OCS was utilizing the card fraud proceeds to pay for these resources. My suspicion is that they were charging the costs to their massive hijacked card database. One can test the extent of how criminals have infiltrated careerbuilder.com by placing a bogus resume on there with a valid email address and reviewing the subsequent solicitations.

The skydexsoft.com domain was hosted in the Ukraine, and the domain was fraudulently registered to an identity theft victim from California. As shown in the original post, the email account used for the domain reg, jglenn19@gmail.com, had a Russian language password recovery option:

At the time of the original uncovering I audited and collected as much relevant data as possible for later forensic examination. I presumed the related recruiting activity went dormant shortly afterwards; however, it appears that may not have been the case. While many lower level job websites scrape and reissue job postings long after they have expired in order to drum up business, several SKYDEX SOFT LTD aka SKYDEXSOFT.COM job postings were active with February, March, April, and May of 2010 issued dates. Whether these were really fresh postings or the work of scam job sites is difficult to tell:



The reposting of job ads from September of 2009, 6 to 8 months later, even for secondary scammy jobsites, would be a new low, but again it is difficult to account for all of these as reposts.
Part of the data recovered for forensic examination was a Microsoft Word document that was subsequently uploaded to the Skydexsoft.com website by the OCS shortly before the massive Careerbuilder.com cyber-mule job posting. If you recall, the job ads directed the potential victims to the skydexsoft.com website to complete the application and resume submittal process. Though it has been discussed before, one of the severe issues with the OCS operation is the thousands of resumes which they both collect and peruse over on websites. While normally a resume is not considered an identity theft issue, when they are combined with subsequent picture identity scans by potential recruits, such as driver's licenses, etc., that combination and volume existing in the database of such a crime syndicate raises significant and serious issues. For example, could the personal history and identity documents be used to obtain travel documents, or other significant resources in the pursuit of a criminal operation? One of the unknown factors to date is whether they are registering the portion of fraud proceeds converted to prepaid debit cards to prior applicants who they have the picture identity and resumes of.
The document recovered from Skydexsoft.com was titled SkydexSoft FAQ:









I have often wondered if the Organized Crime Syndicate's detailed knowledge of the US financial system, structure, taxation, etc., was all acquired from distance learning. I can tell you one thing though, of the hundreds of documents and communications that I have examined from the Organized Crime Syndicate over the past five years, all of them, without exception, including the one above, specify and mandate that AUTHORIZE.NET is to be used for the processing of the card data.
In this case the most interesting data from an evidentiary standpoint is not the level of detail and knowledge about the US financial system, but rather the metadata contents which were embedded by default within the document. In this case the MS Word document was prepared on a computer whose native language was set to Russian Cyrillic, the user is "Admin", and the default OS computer company name from where the document originated is: "MoBIL GROUP"

An exhaustive search for the name MoBIL GROUP where the native language setting would be Russian Cyrillic yields only one matching entity located in Saint Petersburg, in the Russian Federation. How relevant or significant this is depends on several unknown variables. The data is listed in an image format because there is no direct implication of the company itself being involved:





There are several possible scenarios, including how many computers there are with that installation name, clones etc. If it is the correct company, and the named install is limited to them, it is possible that it could be an employee at any level. Though from "Admin" the focus would not be on the janitor.
Over time, sifting through Terabytes of data to see if any other documents exist anywhere around the globe with the same matching embedded metadata. It is possible that the above metadata could be a "smoking gun", especially if the number of computers configured as "Admin" with an installed company name of "MoBIL GROUP" is a very limited number, though that remains to be seen.
Clearly the document is not ambiguous, and has a specific intent. It serves only one purpose, that is to recruit cyber-mules to act as partners by forming a US business entity, opening a US business bank account, and obtaining merchant processing services. The services are used exclusively to process charges against hijacked card data, then launder the stolen proceeds by wiring them out of the US from the cyber-mule's business bank accounts. Obviously there is a direct connection of some form, between the fraudulent document, its creation, and an entity named "MoBIL GROUP" whose default setting is Cyrillic.
MGD
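
The metadata comparison described in the post, sketched as an added example that is not part of the original post or the poster's own tooling: it pulls the default-embedded creator, company and default language from each document and reports fingerprints shared by more than one file. It assumes OOXML `.docx` input (a legacy `.doc` keeps the same fields in OLE property streams and needs a different parser); the sample file names and values are constructed.

```python
import io, zipfile
import xml.etree.ElementTree as ET
from collections import defaultdict

NS = {"cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
      "dc": "http://purl.org/dc/elements/1.1/",
      "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
      "w": "http://schemas.openxmlformats.org/wordprocessingml/2006/main"}
MAX_PART = 1 << 20  # samples are untrusted input: skip oversized zip members

def _part(z, name):
    """Parse one zip member; None if absent or larger than MAX_PART."""
    ok = name in z.namelist() and z.getinfo(name).file_size <= MAX_PART
    # Stdlib parser for brevity; prefer a hardened one (e.g. defusedxml) on hostile files.
    return ET.fromstring(z.read(name)) if ok else None

def fingerprint(data):
    """(creator, company, default language) of a .docx; None where a field is missing."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        core, app, styles = (_part(z, n) for n in
                             ("docProps/core.xml", "docProps/app.xml", "word/styles.xml"))
    creator = core.findtext("dc:creator", None, NS) if core is not None else None
    company = app.findtext("ep:Company", None, NS) if app is not None else None
    lang = styles.find(".//w:docDefaults//w:lang", NS) if styles is not None else None
    return creator, company, (lang.get("{%s}val" % NS["w"]) if lang is not None else None)

def shared_fingerprints(samples):
    """Map each fingerprint carried by two or more documents to their sorted names."""
    groups = defaultdict(list)
    for name, data in samples.items():
        fp = fingerprint(data)
        if all(fp):  # skip documents where any field was stripped or left blank
            groups[fp].append(name)
    return {fp: sorted(names) for fp, names in groups.items() if len(names) > 1}

def make_docx(creator, company, lang):  # constructed sample: metadata parts only
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("docProps/core.xml", '<cp:coreProperties xmlns:cp="%s" xmlns:dc="%s">'
                   '<dc:creator>%s</dc:creator></cp:coreProperties>' % (NS["cp"], NS["dc"], creator))
        z.writestr("docProps/app.xml",
                   '<Properties xmlns="%s"><Company>%s</Company></Properties>' % (NS["ep"], company))
        z.writestr("word/styles.xml", '<w:styles xmlns:w="%s"><w:docDefaults><w:rPrDefault><w:rPr>'
                   '<w:lang w:val="%s"/></w:rPr></w:rPrDefault></w:docDefaults></w:styles>' % (NS["w"], lang))
    return buf.getvalue()

SAMPLES = {  # constructed names and values, not taken from any real document
    "faq.docx": make_docx("Admin", "EXAMPLE ORG", "ru-RU"),
    "offer.docx": make_docx("Admin", "EXAMPLE ORG", "ru-RU"),
    "other.docx": make_docx("Admin", "Other Co", "en-US")}
```

A match on all three fields only narrows the search; a generic user name such as "Admin" carries little weight on its own, which is why the grouping key includes the company and language values.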