
The Scriptsstore Scam Exposed !!!
Exhibit 1 | Exhibit 2 | Exhibit 3 | Exhibit 4 | Exhibit 5 | Exhibit 6
The anatomy of the fraud!! How they did it, the story behind the story.
I apologize in advance for the length of this post, however, I do believe it offers a valuable insight into how the scam operated. Since this type of credit card fraud is now rampant, it is not often that we get to have a look behind the operational scene. Additional posts will be forthcoming listing links and connections to several other locations.
Preface:
Within days of tictacsrt starting this thread on the $29.95 scriptsstore fraud charge, several others showed up and posted about the same charge. It soon became clear that in addition to the victims, shills for the scriptsstore operation also started posting. There is no doubt that Araceli Unger (aiiry), the wife of Scriptsstore's registrant Matt Unger, was posting on here as aiiry. I can only assume that one or several of the others was also Matt. In addition, IMHO, some of the shill posts appear to have been written by someone whose native language is not English. That, combined with other info uncovered, led me to conclude that one possibility is that this fraud was perpetrated by a criminal conspiracy between two groups. There is also no indication that this was only a one-time fraud event. In fact it appeared that ecommprofits/ishopcentral.com was a work in progress along the same lines, until it was made public.
Summary:
While scriptsstore.biz sat quietly without any measurable traffic on IP 217.107.212.72, the actual processing of the stolen credit card accounts was performed at www.techcommerce.biz [Exhibit 1]. At that time Techcommerce was hosted with Ehostpros.com and resided at IP address 67.15.130.27. The victims' cards were charged and processed via a free merchant account from Authorize.net. The cost was a $30 monthly fee, plus 2.25% of the billing and 29 cents per transaction. In addition, the money billed could be accessed 48 hours after the charge was entered. The processing was done in batches, as indicated by the evidence data obtained, of which samples are listed below.
When the data was first reviewed some of the victims were contacted and, other than the card type, they confirmed that the account details were correct. The data retrieved is not for the entire operation, as it only covers a transaction period from 07/06/05 to 07/25/05, and several victims reported charges prior to that date. It is noteworthy that the charging appeared to have ceased around the same time as the first reports of the scam appeared on DSLR. IMO this data clearly indicates that multiple federal felonies were committed, including conspiracy, wire fraud, credit card fraud, and identity fraud.
As the story of this scam unfolded on this forum, there was ample proof that the evidence was being removed and domain records were being altered, in an effort to cover their tracks. That process began with scriptsstore being removed from the Russian server, followed by the pulling of Ecommprofits / Ishopcentral.com within hours of its existence being posted.
Details:
The link to techcommerce.biz was discovered in the scriptsstore source code during an audit. The source data was originally set up to give the impression that a purchase could be made, to pass a minimal review during any merchant account approval process.
...........
<HTML><HEAD><TITLE>ScriptsStore</TITLE>
<META http-equiv=Content-Type content="text/html; charset=iso-8859-1">
<LINK href="_images/sft.css" type=text/css rel=stylesheet>
<STYLE type=text/css>.style2 { COLOR: #0000ff } </STYLE>
----->SNIPPED<------
<form action="http://techcommerce.biz/secure/form.php" method="POST">
<hr>
<b>price: 29.95 USD</b><br>
<input type="hidden" name="type" value="payment">
<input type="hidden" name="amount" value="29.95">
<input type="hidden" name="merchant_id" value="ScriptsStore">
<input type="hidden" name="order" value="2">
<input type="hidden" name="description" value="PHP software">
<input type="hidden" name="return" value="http://www.scriptsstore.biz/thankyou.php">
<input type="hidden" name="cancel" value="http://www.scriptsstore.biz/php.htm">
<input type="hidden" name="currency" value="USD">
<INPUT type=submit value=" Order Now ">
<hr>
</form>
..........
There was no data entry form associated with the above script; however, running it returned a page from techcommerce.biz with the following note: "invalid merchant data" [Exhibit 2]. The above link became a prime candidate for review because, though the directory was named /secure/, it was not SSL: plain old http, not https. The contents of that location can be seen in [Exhibit 3]. The Visa logos for "verified" and "secure" were also stored there [Exhibit 4]. Unknown to the criminals at the time, when the script program burped, it dumped the entire transaction log of all the data here, see [Exhibit 5]. Now let's have a look at who registered techcommerce.biz:
Domain Name: TECHCOMMERCE.BIZ
Domain ID: D9763827-BIZ
Sponsoring Registrar: ENOM, INC.
Sponsoring Registrar IANA ID: 48
Domain Status: ok
Registrant ID: 83E3B6753F0C523D
Registrant Name: Hans Gruber
Registrant Address1: 4535 W. Sahara Ave
Registrant City: Las Vegas
Registrant State/Province: NV
Registrant Postal Code: 89102
Registrant Country: United States
Registrant Country Code: US
Registrant Phone Number: +1.2087306984 ------->LOOK
Registrant Email: hansgruber54@yahoo.com ---->LOOK
Administrative Contact ID: 83E3B6753F0C523D
Administrative Contact Name: Hans Gruber ---->LOOK
Administrative Contact Address1: 4535 W. Sahara Ave
Administrative Contact City: Las Vegas
Administrative Contact State/Province: NV
Administrative Contact Postal Code: 89102
Administrative Contact Country: United States
Administrative Contact Country Code: US
Administrative Contact Phone Number: +1.2087306984
Administrative Contact Email: hansgruber54@yahoo.com
Name Server: NS157.EHOSTPROS.COM
Name Server: NS158.EHOSTPROS.COM
Created by Registrar: ENOM, INC.
Last Updated by Registrar: ENOM, INC.
Domain Registration Date: Wed May 18 03:37:09 GMT 2005
Domain Expiration Date: Wed May 17 23:59:59 GMT 2006
Domain Last Updated Date: Wed May 18 04:02:27 GMT 2005
Also, note that the techcommerce contact number is the same voice mail box number as Matt Unger's contact number on the scriptsstore.biz registration:
Domain Name: SCRIPTSSTORE.BIZ
Domain ID: D9241395-BIZ
Sponsoring Registrar: ENOM, INC.
Sponsoring Registrar IANA ID: 48
Domain Status: ok
Registrant ID: D676C88248E0ABD0
Registrant Name: Nebula Corp.
Registrant Organization: ScriptsStore
Registrant Address1: 1009 LUNAR LANE
Registrant City: BANNING
Registrant State/Province: CA
Registrant Postal Code: 92220
Registrant Country: United States
Registrant Country Code: US
Registrant Phone Number: +1.2087306984 --->LOOK
Registrant Email: *******@scriptsstore.biz
Name Server: NS1.WEB-BOX.RU
Name Server: NS2.WEB-BOX.RU
Created by Registrar: ENOM, INC.
Last Updated by Registrar: ENOM, INC.
Domain Registration Date: Thu Mar 17 15:17:09 GMT 2005
Domain Expiration Date: Thu Mar 16 23:59:59 GMT 2006
Domain Last Updated Date: Tue Aug 09 17:45:55 GMT 2005
You will remember Hans Gruber as the registrant for Smartpaymall.com, that was linked in Matt Unger's Ishopcentral/ecommprofits.com website in this post. The Vegas address is a mail drop/forwarding location.
Registration Service Provided By: Active-Domain Co.
Domain name: smartpaymall.com
Registrant Contact: H Gruber (support@mysitelive.com)
+1.8882694215 Fax:
4535 W. SAHARA AVE
LAS VEGAS, NV 89102
US
Name Servers: NS2.nsknet.ru ns3.nsknet.ru
And where is techcommerce.biz now? Well, around the time that the banking analysis was posted it was moved and parked at the same Active-Venture.com location that all the others were moved to. In an obvious case of covering up the crime, just look at what happened to the techcommerce.biz domain registration. Amazing! Not a trace left! See [Exhibit 6]:
Domain Name: TECHCOMMERCE.BIZ
Domain ID: D9763827-BIZ
Sponsoring Registrar: ENOM, INC.
Sponsoring Registrar IANA ID: 48
Domain Status: ok
Registrant ID: BCE7501E0B3F5771
Registrant Name: Domain Registrar
Registrant Organization: Active-Domain Co.
Registrant Address1: 10 Anson Road
Registrant Address2: International Plaza, #16-16
Registrant City: Singapore
Registrant Postal Code: 079903
Registrant Country: Singapore
Registrant Country Code: SG
Registrant Phone Number: +65.67838339
Registrant Email: registrar@active-domain.com
The billing data that was recovered from techcommerce.biz clearly shows that the billing interface script had Russian origins. The beginning of the log is dated 05/05, and shows the script being tested. Notations that I inserted begin with ----->.
------------------------------------ [NEW request at 2005-05-05 17:05:20] ------------------------------------
[GET] pa_ip => 127.12.54.1
[POST] type => payment
processor => authorize_OnlineData
amount => 10.00
merchant_id => magazin1 -------------------------------------> RUSSIAN DOMAIN
order => 1000
description => Testing of the processing form
return => http://localhost/return.php
cancel => http://billing.my/outer_scripts/payment/test.html
currency => RUR ----------------------------------> LOOK
first_name => John
last_name => Doe
payer_email => john@doe.me
custom1 => aaa
custom2 => bbb
custom3 => ccc
------------->SNIPPED MULTIPLE ENTRIES--->
------------------------------------ [NEW request at 2005-05-05 17:29:10] ------------------------------------
[GET]
[POST] PaRes => MD =>
------------------------------------ [NEW request at 2005-05-05 17:29:39] ------------------------------------
[GET]
[POST] PaRes => MD =>
--------->SNIPPED----> -------------------------TESTING NEW VERSION------>
------------------------------------ [NEW request at 2005-05-05 17:55:06] ------------------------------------
[GET]
[POST] type => process amount => 10.00 item_number => 1000 merchant_id => magazin1 item_name => Testing of the processing form currency => USD cancel => http://billing.my/outer_scripts/payment/test.html return => http://localhost/return.php custom1 => aaa custom2 => bbb custom3 => ccc original_referer => http://billing.my/outer_scripts/newform/test.html cookie_enabled => 1 javascript_enabled => 1 first_name => John last_name => Doe card_type => visa payer_email => john@doe.me card_number => 45634563456 payer_email_confirm => john@doe.me exp_month => 02 exp_year => 09 address => wer card_holder => wer city => wer cvv2 => 234 state => asdf bank_name => asdf zip => asdf bank_phone => asdf country => RU phone => asdfasdf sbmt => Process transaction
------------------------------------ [NEW request at 2005-05-05 17:55:07] ------------------------------------
[GET] type => accheck cseed => 20050505175507-1325059270
[POST]
------------------------------------ [NEW request at 2005-05-05 17:55:35] ------------------------------------
[GET] type => accheck cseed => 20050505175507-1325059270
[POST]
--------->SNIPPED---->REPEATED-----> -------------------------TESTING CONTINUES---NEXT DAY--->
------------------------------------ [NEW request at 2005-05-06 18:44:39] ------------------------------------
[GET] pa_ip => 127.12.54.1
[POST] type => payment processor => authorize_OnlineData amount => 10.00 merchant_id => magazin1 order => 1000 description => Testing of the processing form return => http://localhost/return.php cancel => http://billing.my/outer_scripts/payment/test.html currency => RUR first_name => John last_name => Doe payer_email => john@doe.me custom1 => aaa custom2 => bbb custom3 => ccc
The log picks up on 07/06 and the program is now configured for the scriptsstore operation. The order # 30202 is a fixed entry, and will be used on all victims' entries. The amount is now also entered, and the currency has been changed from Rubles to USD.
------------------------------------ [NEW request at 2005-07-06 20:16:44] ------------------------------------
[GET]
[POST] order => 30202 type => payment amount => 29.95 description => Perl software merchant_id => ScriptsStore cancel => http://www.scriptsstore.biz return => http://www.scriptsstore.biz/thankyou.html currency => USD
------------------------------------ [NEW request at 2005-07-06 20:17:16] ------------------------------------
[GET]
[POST] order => 30202 type => payment amount => 29.95 description => Perl software merchant_id => ScriptsStore cancel => http://www.scriptsstore.biz return => http://www.scriptsstore.biz/thankyou.html currency => USD
Shortly thereafter the scamming begins: (NOTE: all individuals' personal information has been redacted; information entered by the Scriptsstore registrant which is already in the public domain is left as is, to provide further evidence of participation in the fraud)
An example of some of the more than 5,000 entries that began on 07/06. The stolen data contains all of the victim's account information including the CVV2 code; in about 7% of the cases the victim's email is entered, though I have not confirmed whether they were valid or not. Note the time stamp sequence, indicating batch entries.
------------------------------------ [NEW request at 2005-07-06 20:27:10] ------------------------------------
[GET]
[POST] PHPSESSID => f75837c8b2e464b37a3670a80519bdb9 type => process amount => 29.95 item_number => 30202 merchant_id => ScriptsStore item_name => Perl software currency => USD cancel => http://www.scriptsstore.biz return => http://www.scriptsstore.biz/thankyou.html custom1 => custom2 => custom3 => original_referer => http://www.scriptsstore.biz/purchase.htm cookie_enabled => 1 javascript_enabled => 1 first_name => XXXXXXX last_name => XXXXX card_type => master payer_email => XXXXXXX@banet.net card_number => XXXXXXXXXXXXXXXX payer_email_confirm => XXXXXXX@banet.net exp_month => 01 exp_year => 06 address => XXXXXXXXXXXXXXXX card_holder => XXXXXXXXXXXXX city => Blue Springs cvv2 => XXX state => mo bank_name => COMMERCE_BANK,_N.A. zip => 64014 bank_phone => country => US phone => XXX XXXXXXX sbmt => Process transaction
------------------------------------ [NEW request at 2005-07-06 20:27:14] ------------------------------------
[GET]
[POST] order => 30202 type => payment amount => 29.95 description => Perl software merchant_id => ScriptsStore cancel => http://www.scriptsstore.biz return => http://www.scriptsstore.biz/thankyou.html currency => USD
------------------------------------ [NEW request at 2005-07-06 20:27:23] ------------------------------------
[GET] type => accheck cseed => 20050706222724-1084036921
[POST] PHPSESSID => f75837c8b2e464b37a3670a80519bdb9
------------------------------------ [NEW request at 2005-07-06 20:27:41] ------------------------------------
[GET]
[POST] PaRes => eJzNWFmzqsoVfs+vOLXzaM5lEoVb7p1qJgUZZBbfEJBZZBZ+fVo9w87---<SNIPPED>---cVV2mht/Tj9 *BfmQV1S/p0koIgRqZzGC5o0mBgU4bo+q5r53A6tJU2rd2sxOY9uv0VpiGfjqvIjzPsz9Pt83vW87Pb4xPM589xfw *NY *NnqR MD => 3D20050706222739-1115826028
------------------------------------ [NEW request at 2005-07-06 20:27:45] ------------------------------------
[GET]
[POST] order => 30202 type => payment amount => 29.95 description => Perl software merchant_id => ScriptsStore cancel => http://www.scriptsstore.biz return => http://www.scriptsstore.biz/thankyou.html currency => USD
------------------------------------ [NEW request at 2005-07-06 20:27:55] ------------------------------------
[GET]
[POST] PHPSESSID => bf35dfd80807962457d43c08c3bbb4d0 type => process amount => 29.95 item_number => 30202 merchant_id => ScriptsStore item_name => Perl software currency => USD cancel => http://www.scriptsstore.biz return => http://www.scriptsstore.biz/thankyou.html custom1 => custom2 => custom3 => original_referer => http://www.scriptsstore.biz/purchase.htm cookie_enabled => 1 javascript_enabled => 1 first_name => XXXXX last_name => XXXXXXXX card_type => master payer_email => XXXXXXXX@yahoo.com card_number => XXXXXXXXXXXXXXXXX payer_email_confirm => XXXXXXXX@yahoo.com exp_month => 03 exp_year => 06 address => XXXXXXXXXXXXXX card_holder => XXXXXXXXXXXXXX city => Leesville cvv2 => XXX state => la bank_name => PULASKI_BANK_AND_TRUST_COMPANY zip => 71446 bank_phone => country => US phone => sbmt => Process transaction
------------------------------------ [NEW request at 2005-07-06 20:27:57] ------------------------------------
[GET] type => accheck cseed => 20050706222809-1029387827
[POST] PHPSESSID => bf35dfd80807962457d43c08c3bbb4d0
------------------------------------ [NEW request at 2005-07-06 20:29:12] ------------------------------------
[GET]
[POST] order => 30202 type => payment amount => 29.95 description => Perl software merchant_id => ScriptsStore cancel => http://www.scriptsstore.biz return => http://www.scriptsstore.biz/thankyou.html currency => USD
------------------------------------ [NEW request at 2005-07-06 20:29:33] ------------------------------------
[GET]
[POST] PHPSESSID => 315166c53be1dce33fe70d432b04cf2c type => process amount => 29.95 item_number => 30202 merchant_id => ScriptsStore item_name => Perl software currency => USD cancel => http://www.scriptsstore.biz return => http://www.scriptsstore.biz/thankyou.html custom1 => custom2 => custom3 => original_referer => http://www.scriptsstore.biz/purchase.htm cookie_enabled => 1 javascript_enabled => 1 first_name => XXXXXXX last_name => XXXX card_type => master payer_email => XXXXXXXXXXX@pionet.net card_number => XXXXXXXXXXXXXXXX payer_email_confirm => XXXXXXXXXXX@pionet.net exp_month => 06 exp_year => 06 address => XXXXXXXXXXXX card_holder => XXXXXXXXXXXX city => Butler cvv2 => XXX state => nj bank_name => BANK_ONE,_DELAWARE,_N.A. zip => 07405 bank_phone => country => US phone => sbmt => Process transaction
------------------------------------ [NEW request at 2005-07-06 20:29:39] ------------------------------------
[GET] type => accheck cseed => 20050706222948-1196910876
[POST] PHPSESSID => 315166c53be1dce33fe70d432b04cf2c
------------------------------------ [NEW request at 2005-07-06 20:30:11] ------------------------------------
[GET]
[POST] PaRes => eNrNmFmTo0iSgP9KWs2jpptL6ChTpllwCiSQuEFv3LdA4ubXT0iqrKquKZvt3Ye1k---<SNIPPED>---2 *spKbD6g/G+Qhvx4lEW+P97+ePB9vix7vt57vN/5+bXfvwBHF51g MD => 3D20050706222955-1320542360
------------------------------------ [NEW request at 2005-07-06 20:32:36] ------------------------------------
[GET]
[POST] order => 30202 type => payment amount => 29.95 description => Perl software merchant_id => ScriptsStore cancel => http://www.scriptsstore.biz return => http://www.scriptsstore.biz/thankyou.html currency => USD
------------------------------------ [NEW request at 2005-07-06 20:32:41] ------------------------------------
[GET]
[POST] order => 30202 type => payment amount => 29.95 description => Perl software merchant_id => ScriptsStore cancel => http://www.scriptsstore.biz return => http://www.scriptsstore.biz/thankyou.html currency => USD
------------------------------------ [NEW request at 2005-07-06 20:32:44] ------------------------------------
[GET]
[POST] PHPSESSID => 56fc71018e26b3f0e2ee57658f927a27 type => process amount => 29.95 item_number => 30202 merchant_id => ScriptsStore item_name => Perl software currency => USD cancel => http://www.scriptsstore.biz return => http://www.scriptsstore.biz/thankyou.html custom1 => custom2 => custom3 => original_referer => http://www.scriptsstore.biz/purchase.htm cookie_enabled => 1 javascript_enabled => 1 first_name => XXXXXXX last_name => XXXXX card_type => master payer_email => XXXXXXX@banet.net card_number => XXXXXXXXXXXXXXXX payer_email_confirm => XXXXXXX@banet.net exp_month => 01 exp_year => 06 address => XXXXXXXXXXXXXXXX card_holder => XXXXXXXXXXXXX city => Blue Springs cvv2 => XXX state => mo bank_name => COMMERCE_BANK,_N.A. zip => 64014 bank_phone => country => US phone => XXX XXXXXXX sbmt => Process transaction
------------------------------------ [NEW request at 2005-07-06 20:32:46] ------------------------------------
[GET] type => accheck cseed => 20050706223259-1019553054
[POST] PHPSESSID => 56fc71018e26b3f0e2ee57658f927a27
------------------------------------ [NEW request at 2005-07-06 20:32:51] ------------------------------------
[GET]
Multiple "fingerprints" are found embedded in the data file.....
On 07/08 an interesting event occurred: it seems that the MBS was tested for invalid entry responses. This test is noteworthy in that it clearly ties the techcommerce registrant to the fraud:
------------------------------------ [NEW request at 2005-07-08 04:42:24] ------------------------------------
[GET]
[POST] type => payment amount => 29.95 merchant_id => ScriptsStore order => 1 description => Perl software return => http://www.scriptsstore.biz/thankyou.php cancel => http://www.scriptsstore.biz/perl.htm currency => USD
------------------------------------ [NEW request at 2005-07-08 04:43:48] ------------------------------------
[GET]
[POST] PHPSESSID => 7a41203731d25f23bf7f58ce1caddf6a
type => process
amount => 29.95
item_number => 1
merchant_id => ScriptsStore
item_name => Perl software
currency => USD
cancel => http://www.scriptsstore.biz/perl.htm
return => http://www.scriptsstore.biz/thankyou.php
custom1 =>
custom2 =>
custom3 =>
original_referer =>
cookie_enabled => 1
javascript_enabled => 1
first_name => Jops
last_name => Srychkoi
card_type => master
payer_email => hgruber54@yahoo.com --------> LOOK VIP !!!
card_number => 54903505XXXXXXXX ------> bogus card number
payer_email_confirm => hgruber54@yahoo.com
exp_month => 12
exp_year => 06
address => 6972 Private Pine Dr ------> Fake
card_holder => Jonda Ramones
city => Midland
cvv2 => 140
state => GA
bank_name => MBNA
zip => 38119 -------------> Memphis zip code (NOTE THIS)
bank_phone => 888-78453123
country => US
phone => 4267894512
sbmt => Process transaction
------------------------------------ [NEW request at 2005-07-08 04:43:49] ------------------------------------
[GET] type => accheck cseed => 20050708064352-1273799924
[POST] PHPSESSID => 7a41203731d25f23bf7f58ce1caddf6a
------------------------------------ [NEW request at 2005-07-08 04:44:32] ------------------------------------
[GET]
[POST] PaRes => eJzVWVeTq7qyfudXrFrn0WcvogO7PHNKZLDBJtpQ94VkgsFggsH8+it7VpgVdjr36brKY0-<SNIPPED>- *2WXcDYZjY6nZPacCxPPFweVvu0txUDCuW1oXVdS5jb9NJEJB5Xuv8H9y8UC/vRpDv74u+/Yi7flK/fn+//EW+P3/ *Bf *4XodLmDg== MD => 3D20050708064401-1249720174
Over four hours later another test with the same bogus card number:
------------------------------------ [NEW request at 2005-07-08 09:10:37] ------------------------------------
[GET]
[POST] PHPSESSID => 558d6629d158046e213dfddbeddb71a0
type => process
amount => 29.95
item_number => 30202 -------> All other charges are for this item number
merchant_id => ScriptsStore
item_name => Perl software
currency => USD
cancel => http://www.scriptsstore.biz
return => http://www.scriptsstore.biz/thankyou.html
custom1 =>
custom2 =>
custom3 =>
original_referer => http://www.scriptsstore.biz/purchase.htm
cookie_enabled => 1
javascript_enabled => 1
first_name => John
last_name => Durko
card_type => master
payer_email => hgruber54@yahoo.com --------> LOOK VIP !!!
card_number => 54903505XXXXXXXX ------> Same bogus card number as above
payer_email_confirm => hgruber54@yahoo.com --------> LOOK LOOK VIP !!!
exp_month => 12
exp_year => 06
address => 6972 Syringe Pine Dr. ------> Fake
card_holder => John Hennesy
city => Magasaka --------> ??????
cvv2 => 140
state => GA
bank_name => MBNA
zip => 38119 -------------> Memphis zip code (NOTE THIS) #2
bank_phone => 888-77841227
country => US
phone => 456-784-2150
sbmt => Process transaction
------------------------------------ [NEW request at 2005-07-08 09:10:37] ------------------------------------
[GET] type => accheck cseed => 20050708111044-1326459598
[POST] PHPSESSID => 558d6629d158046e213dfddbeddb71a0
------------------------------------ [NEW request at 2005-07-08 09:11:08] ------------------------------------
[GET]
[POST] PaRes => eJzVWVmXosqyfudX9Orz6NnN6MBeVp2VjIKCMgqs+8I8yKAggvz6m1o9VA97OvfpukrJTCIj4wsyvoik1 *v8Zq/LDLW67vKlfPuKfsI8f4jpsorxOXz5apvDb6uN/XpG1-<SNIPPED>-XUuK2/SzeEjEr3Xub/5OCBfns1hn59 *Xf *btRdrzlfrz/f/jLfD7/wv8L6dZ5aE= MD => 3D20050708111048-1020630249
Stats for the zip code used in both of the invalid data tests. We will see these later in other links to this area:
Zip   | City    | State | Area Code | County
38119 | Memphis | TN    | 901       | Shelby
Later on 07/08 another batch of charges is run, starting with:
------------------------------------ [NEW request at 2005-07-08 15:48:11] ------------------------------------
[GET] type => accheck cseed => 20050708174819-1358757296
[POST] PHPSESSID => 574b0045a7c663e87838332153e9704b
------------------------------------ [NEW request at 2005-07-08 15:48:45] ------------------------------------
[GET]
[POST] order => 30202 type => payment amount => 29.95 description => Perl software merchant_id => ScriptsStore cancel => http://www.scriptsstore.biz return => http://www.scriptsstore.biz/thankyou.php currency => USD
------------------------------------ [NEW request at 2005-07-08 15:49:22] ------------------------------------
[GET]
[POST] PHPSESSID => 709a62a6582e49fe30460ae205aabcc4
type => process
amount => 29.95
item_number => 30202
merchant_id => ScriptsStore
item_name => Perl software
currency => USD
cancel => http://www.scriptsstore.biz
return => http://www.scriptsstore.biz/thankyou.php
custom1 =>
custom2 =>
custom3 =>
original_referer => http://www.scriptsstore.biz/purchase.htm
cookie_enabled => 1
javascript_enabled => 1
first_name => FinanceAccounting ---->Budget dept. at (UCF) University of Central Florida
last_name =>
card_type => master ------> all victims' cards entered as "Master"
payer_email => @ .
card_number => XXXXXXXXXXXXXXXX
payer_email_confirm => @ .
exp_month => 03
exp_year => 07
address => 12424 Research Pkwy --->Mail Box address for UCF
card_holder => FinanceAccounting
city => Orlando
cvv2 => XXX
state => FL
bank_name =>
zip => 32826
bank_phone =>
country => US
phone =>
sbmt => Process transaction
------------------------------------ [NEW request at 2005-07-08 15:49:25] ------------------------------------
[GET] type => accheck cseed => 20050708174934-1088145088 ---->NOTE the time difference: the merchant processor is 2 hrs ahead
[POST] PHPSESSID => 709a62a6582e49fe30460ae205aabcc4
------------------------------------ [NEW request at 2005-07-08 15:49:50] ------------------------------------
The following three incriminating transactions were not found at first. Remember, this was a 25MB data text file over 10,000 pages long, covering over 5,000 card submissions for ~$150,000. The data was searched for clues as to where the entire victims' account details may have come from. The analysis previously posted on the banks and geographic area did not appear to shed any light on the possible source or sources of the account information.
The data was again searched to see if any area was specifically excluded, such as the registrant's home area of Banning, CA. The thinking was "don't scam the neighbors" too close to home. Or maybe the data was saturated with local victims, indicating a local source of the data. A search was then run for local addresses and four results were found for Banning. The first one was a downtown address belonging to a female. The next three results were mind blowing!! There in the middle of the run were Unger's fingerprints, testing the script by submitting three charges against his own credit cards: two charges against one card and one on another card. All of the other submits were for the perl software 30202; these charges were unique, as they were marked item 3 Templates. In addition, the submits were the only ones that contained the bank's phone numbers; also included was the card holder's phone number 877-274-7870. That number was posted in the thread by one of the victims, RitaBallou, and was given to her on a voice message as a call back number for Scriptsstore; until now that was the only public reference to the number.
------------------------------------ [NEW request at 2005-07-14 08:43:13] ------------------------------------
[GET]
[POST] type => payment amount => 29.95 merchant_id => ScriptsStore order => 3 description => Templates return => http://www.scriptsstore.biz/thankyou.php cancel => http://www.scriptsstore.biz/templates.htm currency => USD
------------------------------------ [NEW request at 2005-07-14 08:49:25] ------------------------------------
[GET]
[POST] PHPSESSID => 8b6d9251f5649223ba040242c638bc85
type => process
amount => 29.95
item_number => 3
merchant_id => ScriptsStore
item_name => Templates
currency => USD
cancel => http://www.scriptsstore.biz/templates.htm
return => http://www.scriptsstore.biz/thankyou.php
custom1 =>
custom2 =>
custom3 =>
original_referer => http://www.scriptsstore.biz/templates.htm
cookie_enabled => 1
javascript_enabled => 1
first_name => Matthew -------> LOOK
last_name => Unger -------> LOOK
card_type => visa
payer_email => scriptsstore@yahoo.com -------> LOOK
card_number => XXXXXXXXXXXX8270
payer_email_confirm => scriptsstore@yahoo.com -------> LOOK
exp_month => 01
exp_year => 09
address => 1009 Lunar Lane -------> LOOK
card_holder => matthew unger
city => Banning -------> LOOK
cvv2 => XXX
state => California
bank_name => Bank of America
zip => 92220
bank_phone => 18006228731 ---> knows the phone number of BOA !!!
country => US
phone => 877-274-7870 --------> This number was given to a victim for a call back
sbmt => Process transaction
------------------------------------ [NEW request at 2005-07-14 08:49:26] ------------------------------------
[GET] type => accheck cseed => 20050714104933-1408700955
[POST] PHPSESSID => 8b6d9251f5649223ba040242c638bc85
------------------------------------ [NEW request at 2005-07-14 08:49:34] ------------------------------------
[GET]
[POST] PaRes => eNrNmFmPo0qygP9Kq+fRcw6bsXHLVVKy2YDBZje8YcDsi9nNr79pu7q7T 2up4X9tpgc0SuvsN0pCf78D *Ij/fin2/Mz69sz++Cjw9Dn78X/g+/A7F7 MD => 3D20050714104935-1058587267
------------------------------------ [NEW request at 2005-07-14 08:51:13] ------------------------------------
[GET]
[POST] type => process
amount => 29.95
item_number => 3
merchant_id => ScriptsStore
item_name => Templates
currency => USD
cancel => http://www.scriptsstore.biz/templates.htm
return => http://www.scriptsstore.biz/thankyou.php
custom1 =>
custom2 =>
custom3 =>
original_referer => http://www.scriptsstore.biz/templates.htm
cookie_enabled => 1
javascript_enabled => 1
first_name => Matthew -------> LOOK
last_name => Unger -------> LOOK
card_type => visa
payer_email => scriptsstore@yahoo.com
card_number => XXXXXXXXXXXX8270 --------> 2nd charge to this card
payer_email_confirm => scriptsstore@yahoo.com -------> LOOK
exp_month => 01
exp_year => 09
address => 1009 Lunar Lane
card_holder => matthew unger
city => Banning
cvv2 => XXX
state => California
bank_name => Bank of America
zip => 92220
bank_phone => 1-800-622-8731 -------> LOOK
country => US
phone => 877-274-7870 -------> LOOK
sbmt => Process transaction
------------------------------------ [NEW request at 2005-07-14 08:51:13] ------------------------------------
[GET] type => accheck cseed => 20050714105121-1241757338
[POST] PHPSESSID => 67c6e31d2d5506c8d93997b7a87df878
------------------------------------ [NEW request at 2005-07-14 08:51:19] ------------------------------------
[GET]
[POST] PaRes => eNrNmFmPo0qygP9KqefRcw6b8dJylZSsBgw2ZjO8se/GZod j14wnZrqOK2trMRmCeV/gzTk5zsw8uO9+ *Ocb8/Mr2/O74OPD0Ofvhf8DFPCwbQ== MD => 3D20050714105122-1173241140
------------------------------------ [NEW request at 2005-07-14 08:54:26] ------------------------------------
[GET]
[POST] type => process amount => 29.95 item_number => 3 ----->First entry ever with this item # "Templates" merchant_id => ScriptsStore item_name => Templates currency => USD cancel => http://www.scriptsstore.biz/templates.htm return => http://www.scriptsstore.biz/thankyou.php custom1 => custom2 => custom3 => original_referer => http://www.scriptsstore.biz/templates.htm cookie_enabled => 1 javascript_enabled => 1 first_name => Matthew -------> LOOK last_name => Unger -------> LOOK card_type => visa payer_email => scriptsstore@yahoo.com card_number => XXXXXXXXXXXX6119 ---> Different card # payer_email_confirm => scriptsstore@yahoo.com exp_month => 04 exp_year => 07 address => 1009 Lunar Lane -------> LOOK card_holder => matthew unger city => Banning -------> LOOK cvv2 => XXX state => California bank_name => BMW zip => 92220 bank_phone => 1-800-3324269 ---> knows the phone number of BMW Finance !!! country => US phone => 877-274-7870 -------> This number was given to a victim for a call back and poste *d. sbmt => Process transaction
------------------------------------ [NEW request at 2005-07-14 08:54:27] ------------------------------------
[GET] type => accheck cseed => 20050714105434-1087692227
[POST] PHPSESSID => d1781c9c9adde02988c54c8968d7f7dd
------------------------------------ [NEW request at 2005-07-14 08:54:33] ------------------------------------
(*) WARNING 3 long line(s) split
I would appreciate any info on what type of script was used from the data examples listed. Also any info on a state coding anomaly that shows up on about 40 of the charge entries, as to where it may have come from, or what software may use the codes. If that coding was on the original victims' data, it may be a clue as to where it originated. On some of the card processing transactions the following code for the state was listed in lieu of the state abbreviation: JP-05 = AK, JP-07 = FL, JP-09 = TN, JP-10 = GA, JP-11 = SC, JP-12 = CA, JP-14 = KS, JP-15 = NE, JP-27 = OH, JP-30 = WA.
One of the scenarios that I have compiled from the considerable research on this operation is that one group, we will call them the "Banning Crew", set up the front end of the operation. Included in that was the domain reg, the merchant billing account, the bank transfer account and US based hosting. In addition they also managed the "customer" (victims') telephone calls and merchant disputes.
The back end of the operation, we will call them the "Hans Gruber" crew, has a decidedly Russian flavor and managed the technical functions. This group created and modified the scripts, designed the websites and probably sourced the credit card data. Some of them may have been based in Russia, however there are anecdotal links that tie into Tennessee, and even the Computer Science Dept at UOM.
You may come to different conclusions after reviewing this and subsequent posts, and I am interested in hearing them. I would also appreciate any insight on the origins of the script. Specifically, as to what billing software it was, and what some of the non obvious commands are. I do not as of yet have much info on where the credit card data may have come from. So any info or hypotheses on the origins of that data, especially regarding the fact that the issuing bank, the cvv2 number, and the account name and full address is included in the stolen data, is also appreciated. Is the cvv2 number encoded on the magnetic card strip?
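A small analysis script, added here as an example and not MGD's tooling or anything posted in this thread: it parses captured `[POST] key => value` request lines in the shape quoted above, strips the inline "-------> LOOK" style annotations, maps the JP-xx state codes using the table from the post, and flags the two patterns MGD points out in the capture, the same cardholder name appearing with several different card numbers and the same card charged more than once. The log embedded in it is constructed to match the captured format, with fictitious names and masked placeholder card numbers; the field names (`type`, `amount`, `card_number`, `state`, and so on) are taken from the quoted requests.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the captured request log quoted above.
# It is NOT the real capture: names are fictitious, card numbers are masked placeholders.
SAMPLE_LOG = """\
------------------------------------ [NEW request at 2005-07-14 08:51:13] ------------------------------------
[GET]
[POST] type => process amount => 29.95 item_number => 3 merchant_id => ScriptsStore item_name => Templates currency => USD custom1 => custom2 => custom3 => first_name => Jane last_name => Doe card_number => XXXXXXXXXXXX1111 state => JP-12 zip => 00000 sbmt => Process transaction
------------------------------------ [NEW request at 2005-07-14 08:51:13] ------------------------------------
[GET] type => accheck cseed => 20050714105121-0000000000
[POST] PHPSESSID => 00000000000000000000000000000000
------------------------------------ [NEW request at 2005-07-14 08:54:26] ------------------------------------
[GET]
[POST] type => process amount => 29.95 item_number => 3 merchant_id => ScriptsStore item_name => Templates currency => USD first_name => Jane -------> LOOK last_name => Doe card_number => XXXXXXXXXXXX1111 --------> 2nd charge to this card state => California bank_name => Bank of America zip => 00000 sbmt => Process transaction
------------------------------------ [NEW request at 2005-07-14 08:57:02] ------------------------------------
[GET]
[POST] type => process amount => 29.95 item_number => 3 merchant_id => ScriptsStore item_name => Templates currency => USD first_name => Jane last_name => Doe card_number => XXXXXXXXXXXX2222 ---> Different card # state => California zip => 00000 sbmt => Process transaction
------------------------------------ [NEW request at 2005-07-14 09:01:40] ------------------------------------
[GET]
[POST] type => process amount => 29.95 item_number => 3 merchant_id => ScriptsStore item_name => Templates currency => USD first_name => Pat last_name => Roe card_number => XXXXXXXXXXXX3333 state => JP-07 zip => 00000 sbmt => Process transaction
"""

# The state-code anomaly exactly as listed in the post above.
JP_STATE_CODES = {
    'JP-05': 'AK', 'JP-07': 'FL', 'JP-09': 'TN', 'JP-10': 'GA', 'JP-11': 'SC',
    'JP-12': 'CA', 'JP-14': 'KS', 'JP-15': 'NE', 'JP-27': 'OH', 'JP-30': 'WA',
}

KV_RE = re.compile(r'\s*([A-Za-z_]\w*) => ')     # "key => " separators
ANNOT_RE = re.compile(r'\s*-+>.*$')               # inline "-------> LOOK" annotations
REQ_RE = re.compile(r'\[NEW request at ([\d: -]+)\]')


def parse_fields(line):
    """Turn one '[POST] a => 1 b => two words' line into a dict.

    Values may contain spaces (URLs, bank names, 'Process transaction'), so the
    line is split on the 'key => ' tokens rather than on whitespace; empty
    values such as 'custom1 => custom2 =>' come out as ''.
    """
    body = line.split(']', 1)[1]            # drop the leading [GET]/[POST] tag
    parts = KV_RE.split(body)               # ['', key1, val1, key2, val2, ...]
    fields = {}
    for i in range(1, len(parts) - 1, 2):
        fields[parts[i]] = ANNOT_RE.sub('', parts[i + 1]).strip()
    return fields


def parse_log(text):
    """Return the 'process' (charge) requests, each tagged with its request time."""
    txns, ts = [], None
    for line in text.splitlines():
        m = REQ_RE.search(line)
        if m:
            ts = m.group(1)
            continue
        if not line.startswith('[POST]'):
            continue
        f = parse_fields(line)
        if f.get('type') != 'process':      # skip session / accheck traffic
            continue
        raw_state = f.get('state', '')
        f['timestamp'] = ts
        f['state_coded'] = raw_state in JP_STATE_CODES
        f['state_norm'] = JP_STATE_CODES.get(raw_state, raw_state)
        txns.append(f)
    return txns


def find_anomalies(txns):
    """Flag one name on several cards, one card charged repeatedly, coded states."""
    by_name = defaultdict(set)              # cardholder name -> distinct card numbers
    by_card = defaultdict(int)              # masked card number -> number of charges
    for t in txns:
        name = (t.get('first_name', '') + ' ' + t.get('last_name', '')).lower()
        by_name[name].add(t.get('card_number'))
        by_card[t.get('card_number')] += 1
    return {
        'names_with_multiple_cards': {n: sorted(c) for n, c in by_name.items() if len(c) > 1},
        'cards_charged_repeatedly': {c: n for c, n in by_card.items() if n > 1},
        'coded_state_count': sum(t['state_coded'] for t in txns),
        'total_billed': round(sum(float(t['amount']) for t in txns), 2),
    }


if __name__ == '__main__':
    charges = parse_log(SAMPLE_LOG)
    for t in charges:
        print(t['timestamp'], t['card_number'], t['first_name'], t['last_name'],
              t['state'], '->', t['state_norm'])
    print(find_anomalies(charges))
```

On a real capture the same two checks are the first things a fraud analyst or acquiring bank would run over a merchant's batch: a legitimate store rarely sees one name spread across several cards within minutes, and a card that is charged twice for the same $29.95 item in the same batch is a dispute waiting to happen.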
MGD Edit=Typo | |   Angra Mainyu
join:2004-02-13 Spain | WOW! Impressive work, MGD!
I hope that these scum end behind bars... | |   Mordy Comfortably Numb Premium,MVM,ExMod 2004-07 join:2001-12-02 Denver, CO
·Comcast Formerly ..
| reply to MGD Phenomenal work MGD! I moved this to its own topic, because it is too valuable to be left at the end of the other discussion of this, but that original thread can be found at »www2.dslreports.com/forum/remark,13966841 -- Give generously to the Red Cross Hurricane Disaster Relief Fund | |   yeahTehRussiansAgain
@pacbell.n | reply to MGD uhm so did you contact the FBI/police??? | |  DVOOR8
join:2001-12-24 USA | Hans Gruber is the villain from the Die Hard movies. | |  c0mmander
join:2001-10-03 | reply to MGD scary!!! | |   captokita Premium join:2005-02-22 Calabash, NC
| reply to MGD Wow.......
I caught this thread just from the main BBR news page, and went back to the start of it and read it all.....
MGD - You are AMAZING!!!! I'd say obsessed, but it's not really that, unless it's obsession on revealing scams like this, which is a GOOD THING!!!!!
The level of info you've provided here is just above and beyond. Thanks! | |  Network Guy
join:2000-08-25 New York
·PHONE POWER
·Broadvox Direct
·Verizon Online DSL
| reply to DVOOR8 said by DVOOR8 :Hans Gruber is the villain from the Die Hard movies. I was gonna say that. LOL | |   pcdebb RIP dadkins Premium join:2000-12-03 Tampa, FL clubs: 
1 edit | reply to DVOOR8 said by DVOOR8 :Hans Gruber is the villain from the Die Hard movies. You know, I kept playing the scene back in my head when the detectives in the van were telling Bruce that Simon Gruber is Hans Gruber's brother, rang the bell instantly!! Hmmm, kinda makes you wonder if this is in fact the b*stard's real name?
Anyhow, MGD you deserve VIP or MVM or something. Or at least get paid for the work you just put into this. I didn't understand much of that code there, but I know I'm hopping mad over the whole situation (and my card, thankfully, hasn't been hit). Scum like this don't even belong behind bars. The things I'd like to do to these MOFOS!!!!!!!!!!!!!!!!! -- babbling | Donate to hurricane relief | |   GemSnake Premium join:2000-10-19 3rd layer clubs: 
| reply to MGD first_name => Jops last_name => Srychkoi LOL They even misspelled that. Should be 'Jopa' which means 'ass'; 'srychkoi' which is 's rychkoi' means 'with a handle'. Russian slang. -- "In a fight between you and the world, bet on the world." - Franz Kafka | |   soulburner
join:2002-09-23 Pahrump, NV
| reply to MGD No, the CVV2 code isn't stored in the magnetic strip. From what I understand, it's really only used for card not present transactions, such as internet sales/mail order.
As for the issuing bank, that's easy to find out with the credit card number. The first six digits of the card number give a lot of info, such as (obviously) card type, and not so obviously, the issuing bank.
About the Hans Gruber/Die Hard connection, that's the first thing that popped into my mind as well. I guess that would make MGD John McClane? | |  itguy05
join:2005-06-17 Camp Hill, PA | reply to MGD MGD,
How did you get hold of the billing file? Are you a LEO? | |   DSLucky Premium join:2002-04-23 Maud, OK clubs: | reply to soulburner When I saw Hans Gruber....my mind drifted off to the old song "Boot to the Head" heard on Dr. Demento...A Hans Gruberman was the dimwitted student who got the boot to the head by his sensei.
Just my 2 cents, adjusted for inflation. | |   Sith HMP I Did What? Premium join:2004-04-25 Bloomington, IL
| reply to MGD MGD, I just wanted to say it is a pleasure knowing that there are people out there like you. I am even more pleased that they frequent this site. Kudos to you, nice work, job well done.  -- I am not as dumb as you think I think I am.
| |   gnx87 Premium join:2001-02-20 Oakdale, PA | MGD, give yourself a pat on the back for the time and effort you put into revealing that to us. Bravo man.
| |   user4275 Location, Location, Location Premium join:2003-11-27 Chicago, IL clubs: | reply to MGD Brilliant investigative work MGD. With all this evidence in hand, shouldn't we be looking forward to some indictment against any of these scumbags any time soon?
| |   gnx87 Premium join:2001-02-20 Oakdale, PA
3 edits | MGD,
Have you thought about bringing in a major news outlet on this? i.e. Fox News, ABC, etc. Bringing some big media power to this investigation might just help put these people in jail.
Or even drudgereport, matt drudge would blow this wide open, he lives on news like this.
Just my 2 cents -- MY rig : Boistar M7NCD Nforce2 mobo AMD XP 2500+ Barton oc'ed to 3200+ Maxtor 160GB 7200 8MB WD 80GB 7200 8MB GeForce 4 MX440 512MB Geil PC3200 DDR | |  MGD Premium,MVM join:2002-07-31 Fort Lauderdale, FL
1 edit | reply to MGD Thanks to everyone for all the Kudos!!
I appreciate it very much!! I am humbled. It makes all the hours of research and digging worthwhile.
Many of you have asked if law enforcement was notified. The answer is yes, I contacted them two months ago within hours of discovering the data. I refrained from posting the info in order to allow ample time for an investigation to be done, and records to be accumulated.
I first contacted the FBI, who referred me to the Secret Service. I called them and gave them the links to where the data was, so they could see the activity in real time. I wanted to have the site pulled because the data was open, though difficult to find. They advised me not to make contact as "you don't know who all is involved in it", and that made sense.
I realized that this fraud may not rank that high with them, when compared to all the others that are going on. However, with close to $150,000 racked up in a twenty day period on just that one area, I believed that if there were several set ups operating at the same time, this could amount to several million dollars a year.
Two weeks later I contacted the Riverside County D.A.'s office, as I had learned that they will directly investigate computer crime fraud within the jurisdiction. They were very helpful, and referred me to an agent of the tri-county computer crime task force called CATCH (Computer And Technology Crime High-tech Response Team). I provided the same links for the data to the agent, along with a summary of the forum thread. They seemed to be a relevant group to look into this, since in addition to the Scriptsstore registrant, at least 80 of the victims also resided in that tri-county area. I do not know the current status of the case.
In working on this project I had to archive a considerable amount of data. As you follow the trail leaving no stone unturned looking for clues or mistakes, you don't know at the time what is relevant or not. A small piece of information accumulated at the beginning may turn out to be a significant piece of the puzzle later on. With that in mind, I had decided to enlist the scammers' help in pointing me in the right direction. I did this by dropping clues in some of my previous posts. For example in the "what are they up to now" post, I first listed the pseudonym registrant of smartpaymall.com, Hans Gruber, and just mentioned that he was a "prolific registrant". I then monitored all the places that I had found that name looking for a reaction, and here is one:
It is important to emphasize that one cannot make conclusions about any involvement in the original fraud from this, only note the anecdotal name association. I originally made an inventory of all domain names hosted at the same IP address as scriptsstore.biz for later review. One of them was this one:
Registration Service Provided By: Active-Domain Co.
Domain name: netcomex.net
Registrant Contact: Net Commerce Exchange ILJA ZALANS (hansgruber54@yahoo.com) ---------> HELLO !! +1.2087306984 ---------> HELLO !! Fax: none 8 Ilukstes St. Riga, LV-1057 LV
Administrative Contact: Net Commerce Exchange ILJA ZALANS (hansgruber54@yahoo.com) +1.2087306984 Fax: none 8 Ilukstes St. Riga, LV-1057 LV
Technical Contact: Net Commerce Exchange ILJA ZALANS (hansgruber54@yahoo.com) +1.2087306984 Fax: none 8 Ilukstes St. Riga, LV-1057 LV
Billing Contact: Net Commerce Exchange ILJA ZALANS (hansgruber54@yahoo.com) +1.2087306984 Fax: none 8 Ilukstes St. Riga, LV-1057 LV
Status: Locked
Name Servers: ns1.web-box.ru ns2.web-box.ru
Creation date: 23 Mar 2005 09:24:16 Expiration date: 23 Mar 2006 09:24:1
Now after the word got out, let's go back and take another look:
Registration Service Provided By: Active-Domain Co. Contact: registrar@active-domain.com Domain name: NetComEx.net
Registrant Contact: Net Commerce Exchange ILJA ZALANS (info[]netcomex.net) --------> What happened to HANS !! 541-2018 -------------> LOOK Fax: none 8 Ilukstes St. Riga, LV-1057 LV
Administrative Contact: Net Commerce Exchange ILJA ZALANS (info[]netcomex.net) 541-2018 Fax: none 8 Ilukstes St. Riga, LV-1057 LV
Technical Contact: Net Commerce Exchange ILJA ZALANS (info[]netcomex.net) 541-2018 Fax: none 8 Ilukstes St. Riga, LV-1057 LV
Billing Contact: Net Commerce Exchange ILJA ZALANS (info[]netcomex.net) 541-2018 Fax: none 8 Ilukstes St. Riga, LV-1057 LV
Status: Locked
Name Servers: dns1.name-services.com dns2.name-services.com dns3.name-services.com dns4.name-services.com dns5.name-services.com
Creation date: 23 Mar 2005 09:24:16 Expiration date: 23 Mar 2006 09:24:16
I would like to know why it was changed...... Just a coincidence, well maybe ??
MGD edit rem @ | |   MeanPeepsSuk Premium join:2004-11-21 Muddy Field clubs:
| reply to MGD MGD, First.. What can I say? Awesome work just doesn't cut it. You are 'Da Man. Just brilliant.
On your question: "I would also appreciate any insight on the origins of the script. Specifically, as to what billing software it was, and what some of the non obvious commands are. "
Some moons ago, I wrote a cart to process through the Authorize.net gateway. It's fairly straightforward post-get stuff when it comes to passing data to them. Today's 12 year olds can write the script. This gang most likely wrote it themselves (but scripts & carts are widely available for it from cheap to free). That's to say it's a good possibility you might not find the actual script or software.
You can match up the script writer's variables with the API's field codes shown here: »authorize.net/resources/documentlibrary/. .
After many merchants got their authorize.net accounts hacked a few years ago, they implemented some stronger features ("stronger", from very weak). This was after I was no longer on that project but I still received the tech bulletins from them. So, I did not code those but I believe the long strings being passed are the MD5 hash/fingerprint authorize.net added to increase security. See page 43 here ( »www.authorize.net/support/AIM_guide.pdf ). There is also info about passing the "Verified by Visa" variables. I am guessing you have to pass those too to "qualify" for the program. See the "Simple Integration Method (SIM)" guide posted for the quick-n-dirty.
Aside from processing transactions live through their gateway, Authorize.net also will allow you to batch process if you prefer that.
I hope this helps. -- "There are no victories against stupidity; only battles." | |   tictacsrt But What Is The Reason And Why? Premium join:2002-01-16 ohio 1 edit | Who Ya.. gonna call... MGD!....the Spam Buster.. ! Good Job! Thanks! yep! Scam Buster! sounds better!!! | |