Unauthorized charges

Info on MY LIBERIA:
   
   Registrant:
   myPublishing
   One Leicester Place
   Leicester Square
   London, London WC2H 7BP
   uk

   Registrar: DOTREGISTRAR
   Domain Name: MYLIBERIA.COM
   Created on: 25-OCT-03
   Expires on: 25-OCT-08
   Last Updated on: 22-OCT-07

   Administrative, Technical Contact:
   , myPublishing ar@brandcasting.com
   One Leicester Place
   Leicester Square
   London, London WC2H 7BP
   uk
   +44 207 494 2020
   +44 207 494 4040

   Domain servers in listed order:
   NS0.SERVE.CO.UK
   NS0.SERVE.NET.UK

I got hit by a company called embintelligence.com for $6.95.

More complaints tied to phone number: 503-616-3843
Complaints start in september 2007, and increase in rate to the present.
http://www.cjupin.com/2007/09/13/credit-card-scam-digismarketcom

That page had a link to this report, with details about a large "ebook" small charge fraud organization that has been going on for a couple years under many different websites/company names.  Very good research.
http://www.dslreports.com/forum/r19620593-Ebo ... DigitalAgePluto

Report includes "mylibreria.com" and "embintelligence.com", as well as a number of other front sites.  It also outlines how they set up "mules" in the U.S. to act as bank account fronts for the "merchant" transactions, shift the money to a second account to prevent reversal of disputed charges, then wire the money overseas.

Recommendation for victims:

"Again, it is vital that the victims report the charges as fraudulent, then cancel and replace their cards. You play in to the crime syndicates hands by allowing them to issue a credit for the charge. That is what they want to do once they know you have caught it, and will dispute the charge. Victims should also file a complaint online with the Internet Crime Complaint Center (IC3).

By issuing credits or reversals to the percentage of victims that discover and pursue the fraudulent charge, that will help maintain a chargeback ratio below the merchant processor's flag threshold. They have managed to sustain some individual accounts for well over a year by doing this.

In addition, they get to deflect attention away from their operation, by making it appear, however unbelievable, that a team of criminals are trying to scam the websites using hijacked card data to buy useless ebooks, webtemplates, or cellphone games. When in fact the syndicate is just harvesting cash by ploughing card data in batch entries through their scores of fake sites."

http://www.dslreports.com/forum/r19620593-Ebo ... DigitalAgePluto

"Again, the goal is to run high volumes of cards against small amounts multiplied, times numerous simultaneous sites. If the victim catches it give them a fake email address that used it. Quickly give them a credit to prevent a $25 charge back fee, and to prevent triggering a high charge back alert with the merchant account. Tell the victim someone must have used the card on the site. Suggest it even may have been stolen to divert attention away from the operation. keep the cyber mule out of the loop, maximize the return and longevity for each operating domain.

Viewed at the lowest common denominator it is a handful of victims complaining about a trivial charge on their card from one little website. That is not going to trigger any bank investigation, is it spread among many. It also is way below the threshold to trigger any Federal snooping around. Even if a site goes down the rest of the hub are preserved, they do not appear related. If a division goes down, the other divisions still function. Everything hums unless someone grasps the big picture and identifies it as a multi million dollar operation. Add the costs of replacing the cards and we have an annual loss barking at $70 million. But who knows how big it really is.

Most certainly this structure was built around the fact that the syndicate has direct access to this card account data, and volumes of it. The operation is vertical, they are not buying data from carding forums.

While the location and method of the card access is a priority to discover, notable mention of the clear weakness in the merchant account vetting process must not be ignored. There are numerous symptoms indicating that these sites are not legit even before the charge back ratio grows to trigger levels. No traffic, no outbound mail, robots disallow. Card data detail entry reports that would show that the data is batched, and is not coming randomly from assorted IPs as a typical site would have. It is not that it cannot happen every now and then, but for a multi year criminal syndicate to operate well over 100+ domains with impunity, over and over, and not trigger any alert. Would it be so rewarding to criminals if Authorize.net and others did not front the money right away and instead held two months in reserve for new sites, that would enable the charges to cycle. Clearly some changes need to be made, much of this fraud has become acceptable and is tolerated as past of the given percentage that is wrote off annually."

" just ran some new searches after completing the above, and found a news article that I had previously missed. This July 07 notice from the Michigan Attorney General may be a partial reason for the ver 4.5 template sites phasing out and the full blast of ebook sightings. A cyber mule was arrested and charged:


quote:
--------------------------------------------------------------------------------
Office of the Attorney General:

Cox Charges Woman with ID Theft

Agency: Attorney General

July 19, 2007

LANSING -- Attorney General Mike Cox today announced that he has charged Krystal Owens of Detroit with three-counts of identity theft and one-count of conspiring to commit identity theft.

"Identity theft is a devastating crime to its victims," said Cox. "My office will continue to be vigilant in defending Michigan's citizens from having their identities stolen."

Since January 2007, the Michigan Attorney General's Office has received more than 130 complaints from consumers across the country indicating that K.A.T.O. Technology, LLC, also known as K.A.M.K. Technology, LLC, had charged $12.95 against their credit card without their permission. The Attorney General's investigation found that in the summer of 2006, the defendant Krystal Owens conspired with Tomas Lasinkas of POV Web Design Solutions to set up bogus corporations, banking accounts, and other arrangements thereby enabling Lasinkas to make unauthorized charges against consumers credit card accounts using the bogus company names K.A.T.O. Technology, LCC and K.A.M.K. Technology, LLC. From September 2006 to March 2006, Lasinkas made 75 to 100 unauthorized charges, at $12.95 each, on a daily basis, and Owens wired the illegal proceeds to Lasinkas' bank accounts in Bulgaria on a regular basis. Lasinkas and Owens accumulated approximately $200,000 by way of this fraudulent activity during a six month period.

A criminal charge is merely an accusation, and the defendant is presumed innocent until and unless proven guilty. The penalty for identity theft is up to 5 years in prison and/or a fine up to $10,000.
..."

It would appear this operation is still running.

By the way, Faughnan first reported on "small charges" credit card fraud, in the "Ken Taves" case, here:
http://www.faughnan.com/ccfraud.html

Don't mess around sending disputes to the "merchant", as that will just allow them to reverse just the charges people catch without tripping the credit card payment systems' fraud detection.

This appears to be an international criminal enterprise, using front people to handle multiple bank accounts and create the appearance of many different websites and companies to funnel fraudulent charges thru.  Dispute fraudulent credit card charges thru your bank, in writing.  

File complaints with FBI.

You might print out a copy of the report from this site and circle the name, phone number, or other information that ties your fraudulent charge to these people, and send it along with your fraudulent credit card charge disputes.
http://www.dslreports.com/forum/r19620593-Ebo ... DigitalAgePluto

Note:  Based on the above report, it appears that the fraudulent charges, although charged by the front "merchants", are NOT due to someeone using stolen credit card numbers on the front sites, but instead are stolen card numbers obtained from some source, with the "front merchants" being used to create an appearance of multiple on-line businesses, and set up multiple bank accounts to spread the fraudulent activity, trying to avoid detection.

Sort of like the NBC Dateline reports on id theft and U.S. based "mules" duped into forwarding merchandise overseas purchased with stolen credit card numbers, but just laundering the fraudulent credit card transactions without the complication of any real merchandise or purchase.

Bob Sullivan, with MSNBC, reports on these jokers here:
http://redtape.msnbc.com/2007/11/chris-jupin-nev.html

This also appears to be tied to "DEVBILL" and other "website design" CC fraud.
http://www.dslreports.com/forum/r19620593-Ebo ... DigitalAgePluto

Literally hundreds of complaints against this operation under various names since the beginning of 2007:
http://www.sygyzy.com/2007/02/07/e-books-are-the-new-419/

Many more reports on the same scam.  Bob Sullivan referred to this blog in his story on MSNBC.
http://www.cjupin.com/2007/09/13/credit-card-scam-digismarketcom/

Bob Sullivan reported on the Equifax hypothesis in his article.

Consumers on this thread started reporting the names of companies they used their accounts with prior to the appearance of the fraudulent charges.  Highest on the list are:  Equifax, Amazon, eBay, Half.com, Paypal, all heavily used Internet merchants who store account information for repeated consumer business.  
http://www.cjupin.com/2007/09/13/credit-card-scam-digismarketcom/

The clear leading company reported as a possible source for account information used by the scammers is Equifax, despite their denials.

Despite reports of transactions with the other high frequency companies as well, notably missing are reports of transactions with either of the other 2 credit reporting agencies that also sell credit reports and monitoring services.

We don't know the levels of business that would determine the relative probabilities of expected reporting among Equifax, Amazon, eBay, Half.com, and Paypal, however we would expect that there would be at least comparable levels of business across the 3 credit reporting agencies: Equifax, Experian, and TransUnion.

If Equifax's presence on this list was only due to common patterns in types of on-line charges made by people who buy on-line ("baseline" probability of using credit reporting or monitoring services, consistent with the null hypothesis that Equifax is NOT the source of the leak), then there should have been reports of charges made to the other 2 credit reporting agencies, Experian and Transunion.  

They are notably MISSING!

Either Experian and Transunion are abysmal failures at marketing their consumer credit report and monitoring services compared to Equifax,
OR
Equifax and its credit monitoring subsidiaries MUST BE the source of the data leak.

Look for data breaches involving Equifax, that might involve breach of customer credit card account data, not including breach of Equifax employee data, or consumer credit report data.

Lists of data breaches:

http://www.privacyrights.org/ar/ChronDataBreaches.htm#10
http://www.idtheftcenter.org/artman2/publish/ ... each_List.shtml
http://www.pogowasright.org/



Equifax employee using the stolen identity of a "Tonia Leach", hired by Equifax, then used information obtained thru her job at Equifax for further id theft.  "Beginning in 2006", employed for "less than a year", but they hadn't caught up with her in May 2007.  

They apparently have reason to believe she is using information obtained from Equifax for further id theft, beyond the id theft she used to get employed in the first place.  Yet this appears to be presented as an individual "id theft", not as an Equifax "data breach"???

http://www.pogowasright.org/article.php?story=20070516164622632&query=Equifax

"Former Equifax Employee Accused Of Identity Theft
Wednesday, May 16 2007 @ 05:46 PM EDT
Contributed by: PrivacyNews

GWINNETT COUNTY, Ga. -- Authorities are looking for a woman who may have had access to the personal information of millions of people.

Tonia Leach said her identity was stolen by a woman who worked at a major U.S. credit reporting agency and investigators believe the identity thief is in the Gwinnett County area.

... Investigators want to find the woman because they are not sure how much personal information she had access to at Equifax. "She probably had access to other information and she’s apparently using it," said Mayes.
Equifax released a statement that said, "We can confirm that an individual posing as Ms. Leach was employed with Equifax for less than a year, beginning in early 2006. There were no indications with the identification information that she provided or through the work history or the credit report that this was a stolen identification."

Arraignment of one person who may be connected to one of the front sites:

http://www.cjupin.com/2007/09/13/credit-card-scam-digismarketcom/

"#237 Steve D. on 01.12.08 at 1:09 pm Below is the BS charge found on my amex. This is the second time I have recieved a charge of this nature. Like the first time i called amex and disputed it. i was nieve and did not research the first charge. I just made like an honest consumer and said “I don’t think I made this charge but if is did then I will be happy to pay it.” I called a week or so later and amex said they would just refund my the $6.95. I said great but are you not going to follow up? They said it was not worth it.
So here I am again with a second charge from a different company. Before I even called them I found this great board with others like me. So this called started off with “I am a victime of fraud. Take it off a look into it.”

...

Transaction Date: 01/06/2008
Transaction Description: VALLJRSX VALL-JRSX WEST SACRAMENTO CA
S1E34A6C4 DIRECT MKTG INTERNET

Charge: $9.59
Merchant Address: VALLJRSX
900 SIMON TERRACE
UNIT # 88
WEST SACRAMENTO CA 95605
USA

Merchant Type: INTERNET DOWNLOADS
Doing Business As: VALLJRSX"
...
"#241 VALL-JRSX on 01.12.08 at 11:41 pm HEY EVERYONE! The dude from VALL-JRSX got busted! I looked up his name from the ‘Ficticous name search’ in cali.. its VALENTIN SHIKHANTSOV.

http://yolo.courts.ca.gov/Calendars/DailyCale ... =37&Submit.y=11

January 9 2008 DPT9
Date Time  Dept  Name                  Case #  Hearing Type   Defense Atty   Comments

1/9  830   DPT9  SHIKHANTSOV, VALENTIN  CRM76592  CORR LTR - ARR DATE
1/9  830   DPT9  SHIKHANTSOV, VALENTIN  CRM73265  AVP


#242 Kevin on 01.13.08 at 3:36 am oh yes, you are right- here’s the FBN entry for VALL-JRSX in Sacramento County-
http://www.efbn.saccounty.net/eFBNBusinessNameDetail.asp?FilingNum=200703682
"


Earlier arraignment in 2006, found via Google cached page:

http://209.85.173.104/search?q=cache:-tefQ6C- ... clnk&cd=7&gl=us

"Official Calendar
Superior Court of the State of California
County of Yolo
Department 8
September 20, 2006
...
60920 830 DPT8 SHIKHANTSOV, VALENTIN CRM64785 ARRAIGNMENT
..."

Is this the same person?
http://www.cassne.org/wanted.asp

Equifax is aware that some of their customers have seen fraudulent small charges related to "ebooks".  They as yet claim to have not found a breach on their side.

Reply from Equifax:
http://cybercjh.com/blog/?p=21

"Equifax security has received your concern and we are currently investigating this matter. As you are aware, the charges are related to an overall online fraud scam related to the purchase of eBooks. Several blogs discuss the matter. Although many consumers have indicated a link to Equifax, we have not identified a common source for any of the complaints. Of the small number of consumers that have actually contacted Equifax, no unauthorized access of their accounts has been found. Equifax is continuing to investigate, however, and will do so until resolution. I will contact you personally, when this matter is resolved. Please do not hesitate to contact me with any concerns or questions.
Thanks,
Nicole Smith
EQUIFAX
Senior Director
Global Threat & Intelligence
..."

Background on "Pinging" credit card accounts to see if they are valid:
http://www.boingboing.net/cardfraud.html

Does a scam outfit with lots of diversified access to the payment system need stolen credit cards, if it can just generate a bunch of numbers and expiration dates, and throw it at the wall to see what sticks?

Although normal merchants check address and zip code to help check if a customer is legitimate, why bother when you aren't shipping a real product anyway?

Fraud pattern would then appear to match general merchant charge pattern.  Lots of Amazon, eBay, etc, with no actual connection to what particular recent charge a consumer had made.

If you were engaged in CC fraud, and if you were already using diversified channels for charging to hide the level of activity, as these scammers apparently are, how would you maximize resistance to VISA and MC countermeasures?

The first level of defense is the consumer and bank dispute processes.  Use of multiple mules, and small charges, are already aimed at defeating this level.  Spreading charges across many front merchants, with small charges below bank investigation thresholds, and a continued stream of new mules, already has shown it can keep the operation going a long time.

But the sources of the numbers are hard to track, too.  What if they are just randomly generated, using diversity again to hide that that is all they are doing.  How would you maximize avoidance of the CC system catching on and closing down your strategy?

If they are truly random, checked only to make sure they pass the checksum, then that pattern would start to show up in the pattern of fraudulent passed and rejected charges.  

If they were from stolen numbers, the pattern would start to show up as fraudulent charged accounts having matching earlier charges from whatever source the theft has occurred from, something the CC system appears to be tuned into detecting.

MGD seems to have ruled out patterns tied to recent visible charges, although he is looking at patterns tied to payment processors.

What if there is no "source" to the numbers?  How would you maximize the survival of the scam without revealing that the numbers are just generated, redirecting the focus of your opponent from trying to find a non-existent source to instead responding to a systemic security hole that requires system wide cracking down on fraudulent merchant accounts and tightening the vetting process?  

Although that action would ultimately shut down the fraud regardless of the source of numbers, diversified submission of generated numbers might tilt the payment system's decision in that direction, a course of action not beneficial to the continued survival of the scheme.  Is the scheme engaged in a counter-countermeasure, similar to the original front diversification, intended to evade that countermeasure?

What we are dealing with is the adaptive co-evolution of two systems:  1)  a scam;  and 2)  the bank and payment system's countermeasures to it.  Or alternatively, we have a sequence of "antigen/immune system" responses and counter-responses.

Successful response to the defense countermeasures has already adapted the scammer's system toward diversity.  Why is the defense apparently "blind" to the overall scope of the attack, even when parts of it appear to respond to components of the threat (i.e.: Michigan prosecution, Equifax internal investigation), without causing a more global response?

Overview of deception from a military viewpoint:
Deception 101 - Primer on Deception
http://www.fas.org/irp/eprint/deception.pdf