
Spice300
Premium
join:2006-01-10

[WildBlue] PSREC Billing and Internet Education D

I have an unauthorized charge on my credit card which recurs monthly from:

INTERNETEDUCATIOND 800-446-5140 MD $9.95

There are only a few authorized transactions on my card during the last year since it was issued. One of those authorized transactions is the monthly recurring charge from my Internet service provider, Plumas Sierra Telecommunications or Plumas Sierra Rural Electric Cooperative or PSREC or formerly Gotsky. I am trying to determine if and how my card information was compromised. One possibility is that it was stolen from PSREC's records or during their transaction in January 2014. So does anyone else out there who does business with PSREC (Gotsky, Wildblue reseller) have this unauthorized transaction on their statement?
--
Wildblue Value Pack, beam 31, Riverside gateway

DrStrangLov

join:2012-03-28
kudos:1

Spice300
Premium
join:2006-01-10
reply to Spice300
False Charge reports that Internet Education D was first reported as suspicious on June 11, 2013. It is those online reports from others that make me think the people making the charge are committing the fraud rather than an accounting error by the bank or someone who stole my card information signing up at their Internet site.

The mystery is how did these fraudsters get my card information?

exedekatina

join:2014-02-25
Rockford, IL
reply to Spice300
Spice300, we had a phishing email that started happening last month with ours. This email states to update our payment information; you are at risk of losing the services.

Dear Customer,
We will be unable to automatically renew your service on the date listed below because the payment method is either expired or missing. Please update your card information....

If you receive this information, do not click the link.

»support.google.com/accounts/answ···61?hl=en

Thank you
ExedeKatina

Spice300
Premium
join:2006-01-10
I did not receive one and certainly did not reply to it.
--
Wildblue Value Pack, beam 31, Riverside gateway

Spice300
Premium
join:2006-01-10

1 edit
reply to Spice300
According to a Whois search Plumas Sierra Telecom's Internet site is hosted by GoDaddy:


PLUMASSIERRATELECOMMUNICATIONS.COM - Site Location
Country United States
City/Region/Zip Code Scottsdale, Arizona 85260
Organization GoDaddy.com, LLC
Internet Service Provider GoDaddy.com, LLC

PLUMASSIERRATELECOMMUNICATIONS.COM - DNS Information
IP Address 64.202.189.170
Domain Name Servers ns54.domaincontrol.com 208.109.255.27
ns53.domaincontrol.com 216.69.185.27
Mail Exchange mailstore1.secureserver.net 72.167.238.29
smtp.secureserver.net 72.167.238.201


However, its billing site, ebill.psrec.org, is not hosted by GoDaddy according to a whois search for psrec.org:

Domain Name:PSREC.ORG
Domain ID: D67868289-LROR
Creation Date: 2001-03-15T16:57:53Z
Updated Date: 2011-11-15T23:57:27Z
Registry Expiry Date: 2015-03-15T16:57:53Z
Sponsoring Registrar:Network Solutions, LLC (R63-LROR)
Sponsoring Registrar IANA ID: 2
WHOIS Server:
Referral URL:
Domain Status: clientTransferProhibited
Registrant ID:6020706-NSI
Registrant Name:PlumasSierraRural Electric Coopertive
Registrant Organization:PlumasSierraRural Electric Coopertive


GoDaddy is significant because there are several reports about security problems on sites they host. Plumas Sierra is the only company to whom I have given my card information and that has a site hosted by GoDaddy.

GoDaddy Security Breach: How the Hackers Likely Got In, American Banker, David Heun, SEP 23, 2011 12:57pm ET

GoDaddy: WordPress Security Breach? Yikes., Torque, John Saddington, January 31, 2013

The moral of the Twitter-GoDaddy breach: People are the easiest thing to hack, Jan 31, 2014



--
Wildblue Value Pack, beam 31, Riverside gateway

Spice300
Premium
join:2006-01-10
reply to Spice300
A link from DrSL: Retailers to Congress: There’s no end in sight for credit card breaches, Washington Post, February 4, 2014. The spyware is in the retailers' computer systems, and the retailers do not know it. Anti-malware software might not detect it in customers' computers too.

From various online searches I have linked the following sites together suggesting they are operated by the same crooks:

»directoryforsuccess.com
»directorytosuccess.com
»internetedublog.com
»www.netlearningkit.com
»www.academylevelupgrade.com (closed)
»premiummoneykit.com
»premiumwebcareer.com
»webcareerpilot.com/

When some of these sites were registered, a privacy protection service was not used. The registrant's information for Directory For Success is:

Registrant Name: Evangelou Papanoutsou
Registrant Organization: Dentreho Management Ltd
Registrant Street: City Witch 7, 2nd floor, Offic
Registrant City: Lanarca
Registrant Postal Code: 6027
Registrant Country: CY
Registrant Phone: +1.3019284912

The "registrant name" appears to be a street name and "City Witch" appears to be a single word referring to apartment buildings. I think the address in Cyprus is:

Dentreho Management Ltd.
Evangelou Papanoutsou Street
Citywitch Building 7, 2nd floor, Office 207
Lanarca 6027 Cyprus

This could be a mail drop, residential apartment, office suite or even a fake address. This address is also associated with Leivadio Ltd. According to cyprus-data.com, both of these companies are listed in the Cyprus Companies Registry.

Dentreho Management Limited
Cyprus Companies Registry Number: C274609
Date of Registration: 30 September 2010

Leivadio Limited
Cyprus Companies Registry Number: C317332
Date of Registration: 31 December 2012

The crooks may or may not be located in Cyprus, but there is a chance their real names and locations are in the Cyprus Companies Registry. Leivadio sells Natural Green Cleanse which are health, energy and/or diet pills.

The phone number, 301-928-4912, on the whois page for Directory For Success is, according to reverse phone number lookup at WhitePages.com, a Verizon Wireless Mobile in Silver Spring, MD, USA. Maryland is the state indicated in the fraudulent charge on my bank statement.

This fraud appears to be related to fraudulent billing that began in October 2013 using the phone number 800-975-6103 according to posts at 800 Notes for 1-800-975-6103. MaxGarciniaBurn.com's records may have been hacked, sold to or otherwise related to the crooks. Many posters claim to have done business with this company. One claimed the unauthorized charges began in July 2013. A whois lookup for Max Garcinia Burn shows the site is closed and was registered to:

Registrant Name: Walter Korsevo
Registrant Organization: Walter Korsevo
Registrant Street: 86 rue de Paris
Registrant City: Parc Orsay
Registrant State/Province: Not Applicable
Registrant Postal Code: 91400
Registrant Country: FR


Upset

@162.115.108.x
reply to Spice300
I don't do business with them and I see their headquarters is in California, a state I have never been to. I just discovered the charge on my banking statement and I did not authorize it. I visited their website.

Spice300
Premium
join:2006-01-10
I can not find correlation among us victims posting online. It looks more and more like the breach happened at the bank or a card processing subcontractor instead of at a vendor or from an error of the card holder. So far I have run 4 anti-virus and/or anti-spyware programs and none of them find any spyware on my computer. I am mystified as to how the crooks got my information.
--
Wildblue Value Pack, beam 31, Riverside gateway


Doctor Olds
I Need A Remedy For What's Ailing Me.
Premium,VIP
join:2001-04-19
1970 442 W30
kudos:18
said by Spice300:

I can not find correlation among us victims posting online. It looks more and more like the breach happened at the bank or a card processor.

[snip]

I am mystified as to how the crooks got my information.

Cyprus has been used for money funneling of Millions each Year for the last 5 to 10 Years.

»Ebook websites, fraud charges, Devbill/DigitalAge/Pluto
--
What’s the point of owning a supercar if you can’t scare yourself stupid from time to time?

garys_2k
Premium
join:2004-05-07
Farmington, MI
reply to Spice300
said by Spice300:

I am mystified as to how the crooks got my information.

Card data has been available for years, even cards that have NEVER been used, just authorized, have had fraudulent charges applied to them. It is suspected that the payment processors or even the banks issuing them have been mined for good card numbers (likely insider jobs).

Since your card number is now in criminal hands you must assume it will forever be compromised and expect to see more such recurring charges. Contact your bank, point out to them that this charge is fraudulent (do not "dispute" the charge, that will just delay the inevitable) and get a brand new card.

TL/DR: There are a lot of ways for crooks to get card numbers; yours has been acquired, so the only thing you can do now is get a brand new card.

Spice300
Premium
join:2006-01-10
Yes. I sent the bank surface mails, one for each fraudulent charge. I did not call the toll-free phone number because I know they are crooks. The bank finally responded with:

quote:
Your account has been credited for $19.90. This credit is permanent and we consider this claim resolved.

Naturally my ensuing expenses so far exceed the amount stolen. I instructed the bank to halt transactions from INTERNETEDUCATIOND and did not instruct them to cancel the card. I wanted a new card before they canceled the compromised one. It would be fine if they allowed only my ISP to charge it. On March 24 I received an email from my ISP that their monthly charge, which has been recurring since 2005, was declined. The bank has not informed me that they canceled my card and has not sent me a new card. I can not pay for Internet service now and presumably service will be terminated on April 1. My ISP, Plumas-Sierra Telecommunications, is refusing to communicate with me. They are acting like their lawyer told them to give me the silent treatment after I pointed out the data breach might have occurred in their records. Consequences....

said by Doctor Olds:

Cyprus has been used for money funneling of Millions each Year for the last 5 to 10 Years.

»Ebook websites, fraud charges, Devbill/DigitalAge/Pluto

Thanks for this link. Russians were my first thought when I uncovered the address in Cyprus. This is the sort of scam I was thinking was happening based on my research. If they are the same crooks characterized in that thread, they have been getting away with it for 14 years.

Spice300
Premium
join:2006-01-10
reply to Spice300
Here is a screen capture of Directory For Success which looks similar to Directory To Success and Internet Edu Blog. The male and female model look the same as the ones in the image for "Byers ebooks" in the first post on December 17, 2007, of Ebook websites, fraud charges, Devbill/DigitalAge/Pluto (third image from the top) suggesting the same crooks are still operating.






SYNACK
Just Firewall It
Premium,Mod
join:2001-03-05
Venice, CA
reply to Spice300
said by Spice300:

On March 24 I received an email from my ISP that their monthly charge, which has been recurring since 2005, was declined.

Did you make absolutely sure that this e-mail was genuine and not exactly the phishing attempt mentioned earlier?

DrStrangLov

join:2012-03-28
kudos:1
reply to Spice300
said by Spice300:

It looks more and more like the breach happened at the bank or a card processing subcontractor instead of at a vendor or from an error of the card holder.

Apr 4 2014

Experian in hot seat after exposing millions of social security numbers

Regulators from several states are investigating a data breach from a subsidiary of the credit-tracking behemoth Experian.

The investigation by attorneys general in these states concerns whether the subsidiary adequately secured some 200 million social security numbers and whether victims were properly notified. The investigation, first disclosed by Reuters, comes as the Obama administration is pressing for legislation requiring companies to better secure customer data.

Spice300
Premium
join:2006-01-10
reply to SYNACK
said by SYNACK:

Did you make absolutely sure that this e-mail was genuine and not exactly the phishing attempt mentioned earlier?

Yes. The bank canceled my card without issuing me a new one and without informing me. I visited a bank branch to begin to fix the mess they created. Plumas-Sierra Telecom., fka Gotsky, terminated my Internet access on March 31, and Wildblue service can not be reinstated because they insist that I get Exede.
--
Formerly Wildblue Value Pack

Spice300
Premium
join:2006-01-10

1 edit
reply to DrStrangLov
said by DrStrangLov:

... some 200 million social security numbers...

That is 2/3 of the people in the U.S. which covers most of the adults. They got all of us in that data breach.

This protected (aka Putin is getting a percentage) Russian syndicate sounds like the one who stole from me and the one MGD posted about in "Ebook websites, fraud charges, Devbill/DigitalAge/Pluto":

Neiman Marcus Data Breach Said Work of Russians Who Eluded U.S., Business Week, April 7, 2014.

Still, the core of the gang has emerged as one of the most prolific and successful criminal hacking syndicates in the world, according to former and current law enforcement officials who asked not to be named when discussing an active investigation.
--
Formerly Wildblue Value Pack