Web Fraud 2.0


28
May 15

Phishing Gang is Audacious Manipulator

Cybercriminals who specialize in phishing — or tricking people into giving up usernames and passwords at fake bank and ecommerce sites — aren’t generally considered the most sophisticated crooks, but occasionally they do exhibit creativity and chutzpah. That’s most definitely the case with a phishing gang that calls itself the “Manipulaters Team”, whose Web site boasts that it specializes in brand research and development.

I first learned about the Manipulaters from a source at an Australian bank who clued me in to a phishing group that specializes in targeting Apple’s iCloud services and a whole mess of U.S., European and Asian banks. For whatever reason (probably because they’re proud of their work), these guys leave a calling card of sorts in the WHOIS Web site registration records for most of the phishing domains that they register: According to Domaintools.com, some 329 domains are registered to “admin@manipulaters[dot]com” (complete list of domains: in PDF and CSV).

The Web site for the "Manipulaters Team," a phishing gang that brazenly advertises a specialization in "brand research."

The Web site for the “Manipulaters Team,” a phishing gang that brazenly advertises a specialization in “brand research.”

Manipulaters[dot]com is a pretty amusing site all around. Their home page advises that Mainpulaters “is an institute that caters to brand research & development. We have studied computer related products immensely, and are confident that we can get the job done. The learning never stops for us though, as we are always looking for ways to improve.” Brand research. Yeah, right.

“Our goal is to help each business and brand reach their ultimate potential,” explains the “Our Members” section of the site. “We have contracts with our members that allows us to have guidelines for them to follow on their path to success. We have put these in place for a reason. This provides the stability and direction that companies/brands need to succeed.” Points for brazenness.

Their site advises that interested parties can “become a member” of the Manipulaters Team just by paying a one-time membership fee of $15, and providing a driver’s license/ID card plus a phone or electricity bill. Ah, there’s nothing quite like phishers phishing phishers.

The scary aspect of this fraud gang is that they appear to play in the Web hosting space as well. Most of their phishing pages are in fact hosted on Internet address space that is assigned to Manipulaters[dot]com: Incredibly, the group is listed as the current occupants of an entire Class C range of Internet addresses, from 167.160.46.0 to 167.160.46.255. Continue reading →


26
May 15

IRS: Crooks Stole Data on 100K Taxpayers Via ‘Get Transcript’ Feature

In March 2015, KrebsOnSecurity broke the news that identity thieves engaged in filing fraudulent tax refund requests with the Internal Revenue Service (IRS) were using the IRS’s own Web site to obtain taxpayer data needed to complete the phony requests. Today, IRS Commissioner John Koskinen acknowledged that crooks used this feature to pull sensitive data on more than 100,000 taxpayers this year.

Screenshot 2015-03-29 14.22.55That March story — Sign Up at IRS.gov Before Crooks Do It For You — tracked the nightmarish story of Michael Kasper, one of millions of Americans victimized by tax refund fraud each year. When Kasper tried to get a transcript of the fraudulent return using the “Get Transcript” function on IRS.gov, he learned that someone had already registered through the IRS’s site using his Social Security number and an unknown email address.

Koskinen was quoted today in an Associated Press story saying the IRS was alerted to the thieves when technicians noticed an increase in the number of taxpayers seeking transcripts. The story noted that the IRS said they targeted the system from February to mid-May, and that the service has been temporarily shut down. Prior to that shutdown, the IRS estimates that thieves used the data to steal up to $50 million in fraudulent refunds.

“In all, about 200,000 attempts were made from questionable email domains, with more than 100,000 of those attempts successfully clearing authentication hurdles,” the IRS said in a statement. “During this filing season, taxpayers successfully and safely downloaded a total of approximately 23 million transcripts.” Continue reading →


18
May 15

Starbucks Hacked? No, But You Might Be

When it comes to reporting on breaches involving customer accounts at major brands, the news media overall deserves an F-minus. Hardly a week goes by when I don’t hear from readers about a breathless story proclaiming that yet another household brand name company has been hacked. Upon closer inspection, the stories usually are based on little more than anecdotal evidence from customers who had their online loyalty or points accounts hijacked and then drained of value.

javamessThe latest example of this came last week from a story that was responsibly reported by Bob Sullivan, a former MSNBC journalist who’s since struck out on his own. Sullivan spoke with multiple consumers who’d seen their Starbucks card balances emptied and then topped up again.

Those customers had all chosen to tie their debit accounts to their Starbucks cards and mobile phones. Sullivan allowed in his story one logical explanation for the activity: These consumers had re-used their Starbucks account password at another site that got hacked, and attackers simply tried those account credentials en masse at other popular sites — knowing that a fair number of consumers use the same email address and password across multiple sites.

Following up on Sullivan’s story, the media pounced, suggesting that Starbucks had been compromised. In a written statement, Starbucks denied the unauthorized activity was the result of a hack or intrusion into its servers or mobile applications.

“Occasionally, Starbucks receives reports from customers of unauthorized activity on their online account,” the company wrote. “This is primarily caused when criminals obtain reused names and passwords from other sites and attempt to apply that information to Starbucks. To protect their security, customers are encouraged to use different user names and passwords for different sites, especially those that keep financial information.”

In most cases, a flurry of fraudulent account activity targeting a major brand is preceded by postings on noob-friendly hacker forums about large numbers of compromised accounts for sale, and the publication of teachable “methods” for extracting value from said hacked accounts.

crackedstarbucks

Unsurprisingly, we saw large numbers of compromised Starbucks accounts for sale in the days leading up to the initial story about the Starbucks fraud, as well as the usual “methods” explaining to clueless ne’er-do-wells about how to perpetrate fraud against hacked accounts. Here’s another noob-friendly thread explaining how to cash out compromised Subway accounts; how long until we read media reports shouting that Subway has been hacked? Continue reading →


14
May 15

Mobile Spyware Maker mSpy Hacked, Customer Data Leaked

mSpy, the makers of a dubious software-as-a-service product that claims to help more than two million people spy on the mobile devices of their kids and partners, appears to have been massively hacked. Last week, a huge trove of data apparently stolen from the company’s servers was posted on the Deep Web, exposing countless emails, text messages, payment and location data on an undetermined number of mSpy “users.”

mSpy has not responded to multiple requests for comment left for the company over the past five days. KrebsOnSecurity learned of the apparent breach from an anonymous source who shared a link to a Web page that is only reachable via Tor, a technology that helps users hide their true Internet address and allows users to host Web sites that are extremely difficult to get taken down.

The Tor-based Web site hosting content stolen from mobile devices running Mspy.

The Tor-based Web site hosting content stolen from mobile devices running mSpy.

The Tor-based site hosts several hundred gigabytes worth of data taken from mobile devices running mSpy’s products, including some four million events logged by the software. The message left by the unknown hackers who’ve claimed responsibility for this intrusion suggests that the data dump includes information on more than 400,000 users, including Apple IDs and passwords, tracking data, and payment details on some 145,000 successful transactions.

The exact number of mSpy users compromised could not be confirmed, but one thing is clear: There is a crazy amount of personal and sensitive data in this cache, including photos, calendar data, corporate email threads, and very private conversations. Also included in the data dump are thousands of support request emails from people around the world who paid between $8.33 to as much as $799 for a variety of subscriptions to mSpy’s surveillance software.

Mspy users can track Android and iPhone users, snoop on apps like Snapchat and Skype, and keep a record of every key the user types.

mSspy users can track the exact location of Android and iPhone users, snoop on apps like Snapchat and Skype, and keep a record of every word the user types.

It’s unclear exactly where mSpy is based; the company’s Web site suggests it has offices in the United States, Germany and the United Kingdom, although the firm does not appear to list an official physical address. However, according to historic Web site registration records, the company is tied to a now-defunct firm called MTechnology LTD out of the United Kingdom. Continue reading →


6
May 15

PayIvy Sells Your Online Accounts Via PayPal

Normally, if one wishes to buy stolen account credentials for paid online services like Netflix, Hulu, XBox Live or Spotify, the buyer needs to visit a cybercrime forum or drop into a dark Web marketplace that only accepts Bitcoin as payment. Increasingly, however, these accounts are showing up for sale at Payivy[dot]com, an open Web marketplace that happily accepts PayPal in exchange for a variety of stolen accounts.

A PayIvy seller advertising Netflix accounts for a dollar apiece.

A PayIvy seller advertising Netflix accounts for a dollar apiece. Unlike most sites selling hacked accounts, this one takes PayPal.

Marketed and sold by a Hackforums user named “Sh1eld” as a supposed method of selling ebooks and collecting payments for affiliate marketers, PayIvy has instead become a major conduit for hawking stolen accounts and credentials for a range of top Web services.

There is no central index of items for sale via PayIvy per se, but this catalog of cached sales threads offers a fairly representative glimpse: License keys for Adobe and Microsoft software products, user account credentials in bulk for services like Hulu, Netflix, Spotify, DirecTV and HBO Go, as well as a raft of gaming accounts at Origin, Steam, PlayStation and XBox Live. Other indexes at archive.is and PayIvy’s page at Reddit reveal similar results.

It’s not clear how or why PayPal isn’t shutting down most of these merchants, but some of the sellers clearly are testing things to see how far they can push it: In just five minutes of searching online, I found several PayIvy sellers who were accepting PayPal payments via PayIvy for…wait for it…hijacked PayPal accounts! The fact that PayIvy takes PayPal as payment means that buyers can purchase hacked accounts with [stolen] credit cards — or, worse yet, stolen PayPal accounts.

Jack Christin, Jr., associate general counsel at PayPal, said while the site itself is not in violation of its Acceptable Use Policies (AUP), there have been cases where PayPal has identified accounts selling goods that violate its policy and in those cases, the company has exited those merchants from its system.  Continue reading →


1
Apr 15

‘Revolution’ Crimeware & EMV Replay Attacks

In October 2014, KrebsOnSecurity examined a novel “replay” attack that sought to exploit implementation weaknesses at U.S. financial institutions that were in the process of transitioning to more secure chip-based credit and debit cards. Today’s post looks at one service offered in the cybercrime underground to help thieves perpetrate this type of fraud.

Several U.S. financial institutions last year reported receiving tens of thousands of dollars in fraudulent credit and debit card transactions coming from Brazil and hitting card accounts stolen in recent retail heists, principally cards compromised as part of the October 2014 breach at Home Depot. The affected banks were puzzled by the attacks because the fraudulent transactions were all submitted through Visa and MasterCard‘s networks as chip-enabled transactions, even though the banks that issued the cards in question hadn’t yet begun sending customers chip-enabled cards.

Seller in underground forum describes his "Revolution" software to conduct  EMV card fraud against banks that haven't implemented EMV correctly .

Seller in underground forum describes his “Revolution” software to conduct EMV card fraud against banks that haven’t implemented EMV fully.

Fraud experts said the most likely explanation for the activity was that crooks were pushing regular magnetic stripe transactions through the card network as chip card purchases using a technique known as a “replay” attack. According to one bank interviewed at the time, MasterCard officials explained that the thieves were likely in control of a payment terminal and had the ability to manipulate data fields for transactions put through that terminal. After capturing traffic from a real chip-based chip card transaction, the thieves could insert stolen card data into the transaction stream, while modifying the merchant and acquirer bank account data on-the-fly.

Recently, KrebsOnSecurity encountered a fraudster in a popular cybercrime forum selling a fairly sophisticated software-as-a-service package to do just that. The seller, a hacker who reportedly specializes in selling skimming products to help thieves steal card data from ATMs and point-of-sale devices, calls his product “Revolution” and offers to provide buyers with a list of U.S. financial institutions that have not fully or properly implemented systems for accepting and validating chip-card transactions. Continue reading →


30
Mar 15

Sign Up at irs.gov Before Crooks Do It For You

If you’re an American and haven’t yet created an account at irs.gov, you may want to take care of that before tax fraudsters create an account in your name and steal your personal and tax data in the process.

Screenshot 2015-03-29 14.22.55Recently, KrebsOnSecurity heard from Michael Kasper, a 35-year-old reader who tried to obtain a copy of his most recent tax transcript with the Internal Revenue Service (IRS). Kasper said he sought the transcript after trying to file his taxes through the desktop version of TurboTax, and being informed by TurboTax that the IRS had rejected the request because his return had already been filed.

Kasper said he phoned the IRS’s identity theft hotline (800-908-4490) and was told a direct deposit was being made that very same day for his tax refund — a request made with his Social Security number and address but to be deposited into a bank account that he didn’t recognize.

“Since I was alerting them that this transaction was fraudulent, their privacy rules prevented them from telling me any more information, such as the routing number and account number of that deposit,” Kasper said. “They basically admitted this was to protect the privacy of the criminal, not because they were going to investigate right away. In fact, they were very clear that the matter would not be investigated further until a fraud affidavit and accompanying documentation were processed by mail.”

In the following weeks, Kasper contacted the IRS, who told him they had no new information on his case. When he tried to get a transcript of the fraudulent return using the “Get Transcript” function on IRS.gov, he learned that someone had already registered through the IRS’s site using his Social Security number and an unknown email address.

“When I called the IRS to fix this, and spent another hour on hold, they explained they could not tell me what the email address was due to privacy regulations,” Kasper recalled. “They also said they could not change the email address, all they could do was ban access to eServices for my account, which they did. It was something at least.”

FORM 4506

Undeterred, Kasper researched further and discovered that he could still obtain a copy of the fraudulent return by filling out the IRS Form 4506 (PDF) and paying a $50 processing fee. Several days later, the IRS mailed Kasper a photocopy of the fraudulent return filed in his name — complete with the bank routing and account number that received the $8,936 phony refund filed in his name.

“That’s right, $50 just for the right to see my own return,” Kasper said. “And once again the right hand does not know what the left hand is doing, because it cost me just $50 to get them to ignore their own privacy rules. The most interesting thing about this strange rule is that the IRS also refuses to look at the account data itself until it is fully investigated. Banks are required by law to report suspicious refund deposits, but the IRS does not even bother to contact banks to let them know a refund deposit was reported fraudulent, at least in the case of individual taxpayers who call, confirm their identity and report it, just like I did.”

Kasper said the transcript indicates the fraudsters filed his refund request using the IRS web site’s own free e-file website for those with incomes over $60,000. It also showed the routing number for First National Bank of Pennsylvania and the checking account number of the individual who got the deposit plus the date that they filed: January 31, 2015.

The transcript suggests that the fraudsters who claimed his refund had done so by copying all of the data from his previous year’s W2, and by increasing the previous year’s amounts slightly. Kasper said he can’t prove it, but he believes the scammers obtained that W2 data directly from the IRS itself, after creating an account at the IRS portal in his name (but using a different email address) and requesting his transcript.

“The person who submitted it somehow accessed my tax return from the previous year 2013 in order to list my employer and salary from that year, 2013, then use it on the 2014 return, instead,” Kasper said. “In addition, they also submitted a corrected W-2 that increased the withholding amount by exactly $6,000 to increase their total refund due to $8,936.”

MONEY MULING

On Wednesday, March 18, 2015, Kasper contacted First National Bank of Pennsylvania whose routing number was listed in the phony tax refund request, and reached their head of account security. That person confirmed a direct deposit by the IRS for $8,936.00 was made on February 9, 2015 into an individual checking account specifying Kasper’s full name and SSN in the metadata with the deposit.

“She told me that she could also see transactions were made at one or more branches in the city of Williamsport, PA to disburse or withdraw those funds and that several purchases were made by debit card in the city of Williamsport as well, so that at this point a substantial portion of the funds were gone,” Kasper said. “She further told me that no one from the IRS had contacted her bank to raise any questions about this account, despite my fraud report filed February 9, 2015.”

The head of account security at the bank stated that she would be glad to cooperate with the Williamsport Police if they provided the required legal request to allow her to release the name, address, and account details. The bank officer offered Kasper her office phone number and cell phone to share with the cops. The First National employee also mentioned that the suspect lived in the city of Williamsport, PA, and that this individual seemed to still be using the account.

Kasper said the local police in his New York hometown hadn’t bothered to respond to his request for assistance, but that the lieutenant at the Williamsport police department who heard his story took pity on him and asked him to write an email about the incident to his captain, which Kasper said he sent later that morning.

Just two hours later, he received a call from an investigator who had been assigned to the case. The detective then interviewed the individual who held the account the same day and told Kasper that the bank’s fraud department was investigating and had asked the person to return the cash.

“My tax refund fraud case had gone from stuck in the mud to an open case, almost overnight,” Kasper sad. “Or at least it seemed to be that simple. It turned out to be much more complex.”

For starters, the woman who owned the bank account that received his phony refund — a student at a local Pennsylvania university — said she got the transfer after responding to a Craigslist ad for a moneymaking opportunity.

Kasper said the detective learned that money was deposited into her account, and that she sent the money out to locations in Nigeria via Western Union wire transfer, keeping some as a profit, and apparently never suspecting that she might be doing something illegal.

“She has so far provided a significant amount of information, and I’m inclined to believe her story,” Kasper said. “Who would be crazy enough to deposit a fraudulent tax refund in their own checking account, as opposed to an untraceable debit card they could get at a convenience store. At the same time, wouldn’t somebody who could pull this off also have an explanation like this ready?”

The woman in question, whose name is being withheld from this story, declined multiple requests to speak with KrebsOnSecurity, threatening to file harassment claims if I didn’t stop trying to contact her. Nevertheless, she appears to have been an unwitting — if not unwilling — money mule in a scam that seeks to recruit the unwary for moneymaking schemes. Continue reading →


25
Mar 15

Tax Fraud Advice, Straight from the Scammers

Some of the most frank and useful information about how to fight fraud comes directly from the mouths of the crooks themselves. Online cybercrime forums play a critical role here, allowing thieves to compare notes about how to evade new security roadblocks and steer clear of fraud tripwires. And few topics so reliably generate discussion on crime forums around this time of year as tax return fraud, as we’ll see in the conversations highlighted in this post.

File 'em Before the Bad Guys Can

File ’em Before the Bad Guys Can

As several stories these past few months have noted, those involved in tax refund fraud shifted more of their activities away from the Internal Revenue Service and toward state tax filings. This shift is broadly reflected in discussions on several fraud forums from 2014, in which members lament the apparent introduction of new fraud “filters” by the IRS that reportedly made perpetrating this crime at the federal level more challenging for some scammers.

One outspoken and unrepentant tax fraudster — a ne’er-do-well using the screen name “Peleus” — reported that he had far more luck filing phony returns at the state level last year. Peleus posted the following experience to a popular fraud forum in February 2014:

“Just wanted to share a bit of my results to see if everyone is doing so bad or it just me…Federal this year has been a pain in the ass. I have about 35 applications made for federal with only 2 paid refunds…I started early in January (15-20) on TT [TurboTax] and HR [H&R Block] and made about 35 applications on Federal and State..My stats are as follows:

Federal: 35 applications (less than 10% approval rate) – average per return $2500

State: 35 apps – 15 approved (average per return $1600). State works just as great as last year, their approval rate is nearly 50% and processing time no more than 10 – 12 days.

I know that the IRS has new check filters this year but federals suck big time this year, i only got 2 refunds approved from 35 applications …all my federals are between $2300 – $2600 which is the average refund amount in the US so i wouldn’t raise any flags…I also put a small yearly salary like 25-30k….All this precautions and my results still suck big time compared to last year when i had like 30%- 35% approval rate …what the fuck changed this year? Do they check the EIN from last year’s return so you need his real employer information?”

A seasoned tax return fraudster discusses strategy.

A seasoned tax return fraudster discusses strategy.

Several seasoned members of this fraud forum responded that the IRS had indeed become more strict in validating whether the W2 information supplied by the filer had the proper Employer Identification Number (EIN), a unique tax ID number assigned to each company. The fraudsters then proceeded to discuss various ways to mine social networking sites like LinkedIn for victims’ employer information.

GET YER EINs HERE

A sidebar is probably in order here. EINs are not exactly state secrets. Public companies publish their EINs on the first page of their annual 10-K filings with the Securities and Exchange Commission. Still, EINs for millions of small companies here in the United States are not so easy to find, and many small business owners probably treat this information as confidential.

Nevertheless, a number of organizations specialize in selling access to EINs. One of the biggest is Dun & Bradstreet, which, as I detailed in a 2013 exposé, Data Broker Giants Hacked by ID Theft Service, was compromised for six months by a service selling Social Security numbers and other data to identity thieves like Peleus.

Last year, I heard from a source close to the investigation into the Dun & Bradstreet breach who said the thieves responsible made off with more than six million EINs. In December 2014, I asked Dun &Bradstreet about the veracity of this claim, and received a blanket statement that did not address the six million figure, but stressed that EINs are not personally identifiable information and are available to the public. Continue reading →


18
Mar 15

Dark Web’s ‘Evolution Market’ Vanishes

The Evolution Market, an online black market that sells everything contraband — from marijuana, heroin and ecstasy to stolen identities and malicious hacking services — appears to have vanished in the last 24 hours with little warning. Much to the chagrin of countless merchants hawking their wares in the underground market, the curators of the project have reportedly absconded with the community’s bitcoins — a stash that some Evolution merchants reckon is worth more than USD $12 million.

The "Fraud Related" section of the Evolution Market before it vanished.

The “Fraud Related” section of the Evolution Market before it vanished.

Reachable only via the Tor network (a.k.a. the “dark web” or “darknet”), Evolution Market quickly emerged as the go-to online bazaar for buyers and sellers of illicit goods following the shutdown of the infamous Silk Road marketplaces in 2013 and again late last year.

Evolution operates on an escrow system, allowing buyers and sellers to more confidently and successfully consummate sales of dodgy goods. But that means the market’s administrators at any given time have direct access to a tempting amount of virtually untraceable currency.

Denizens of the darkweb community say the moderators in charge of Evolution (known as just “Evo” by vendors and buyers alike) had in the past few days instituted long delays in responding to and processing withdrawal requests from the marketplace’s myriad vendors.

According to chatter from the Evolution discussion page on Reddit, Evo’s administrators — who go by the handles “Kimble” and “Verto” — initially blamed the delays on an unexpected influx of huge withdrawal requests that the community’s coffers could not satisfy all at once. The administrators assured anxious vendors that the issue would be resolved within 24 hours.

But before that 24 hours could elapse, the Evo community — its marketplace and user discussion forum — went offline. Now, volunteer moderators from those communities are posting to Reddit that the administrators have “exit scammed,” — essentially taken all the money and run. Continue reading →


16
Mar 15

‘AntiDetect’ Helps Thieves Hide Digital Fingerprints

As a greater number of banks in the United States shift to issuing more secure credit and debit cards with embedded chip technology, fraudsters are going to direct more of their attacks against online merchants. No surprise, then, that thieves increasingly are turning to an emerging set of software tools to help them evade fraud detection schemes employed by many e-commerce companies.

Every browser has a relatively unique “fingerprint” that is shared with Web sites. That signature is derived from dozens of qualities, including the computer’s operating system type, various plugins installed, the browser’s language setting and its time zone. Banks can leverage fingerprinting to flag transactions that occur from a browser the bank has never seen associated with a customer’s account.

Payment service providers and online stores often use browser fingerprinting to block transactions from browsers that have previously been associated with unauthorized sales (or a high volume of sales for the same or similar product in a short period of time).

In January, several media outlets wrote about a crimeware tool called FraudFox, which is marketed as a way to help crooks sidestep browser fingerprinting. However, FraudFox is merely the latest competitor to emerge in a fairly established marketplace of tools aimed at helping thieves cash out stolen cards at online merchants.

Another fraudster-friendly tool that’s been around the underground hacker forums even longer is called Antidetect. Currently in version 6.0.0.1, Antidetect allows users to very quickly and easily change components of the their system to avoid browser fingerprinting, including the browser type (Safari, IE, Chrome, etc.), version, language, user agent, Adobe Flash version, number and type of other plugins, as well as operating system settings such as OS and processor type, time zone and screen resolution.

Antidetect is marketed to fraudsters involved in ripping off online stores.

Antidetect is marketed to fraudsters involved in ripping off online stores.

The seller of this product shared the video below of someone using Antidetect along with a stolen credit card to buy three different downloadable software titles from gaming giant Origin.com. That video has been edited for brevity and to remove sensitive information; my version also includes captions to describe what’s going on throughout the video. Continue reading →