October 12, 2011

Last week, authorities in New York indicted more than 100 people suspected of being part of a crime ring that used forged credit cards to buy and resell an estimated $13 million worth of Apple products and other electronics overseas. In this post, I offer readers a behind-the-scenes look at a somewhat smaller but similar organized crime operation that uses stolen credit card numbers to purchase and launder high-end electronics.

One of the simplest ways to extract cash from stolen credit card accounts is to buy pricey consumer goods online and resell them on the black market. Most online retailers grew wise to these scams years ago and stopped shipping to regions of the world most frequently associated with credit card fraud, including Eastern Europe, North Africa, and Russia. But these restrictions have created a burgeoning underground market for reshipping scams, which rely on willing or unwitting residents in the United States and Europe to receive and relay high-dollar stolen goods to crooks living in the embargoed areas.

There are dozens of businesses in the criminal underground engaged in merchandise laundering, known as “Drops for stuff” on cybercrime forums. The “drops” are people who have responded to work-at-home package reshipping jobs advertised on craigslist.com and job search sites. Most reshipping scams promise employees a monthly salary and cash bonuses. But the crooks almost always sever communications with drops just before the first payday, usually about a month after the drop ships their first package.

Dropforrent.net account for manager Dick Martin.

A typical drop will receive and reship between two and four packages per day. The packages arrive with prepaid shipping labels that are paid for with stolen credit card numbers, or with hijacked online accounts at FedEx and the US Postal Service. Drops are responsible for inspecting and verifying the contents of shipments, attaching the correct shipping label to each package, and sending them off via the appropriate shipping company.

One drops operation, dropforrent.net, allows “clients” to “rent” drops who have signed up for reshipping jobs. “Managers,” those who facilitate drop recruitment scams, can earn money by purchasing merchandise that the reshipping operation can quickly resell. Most reshipping operations seek consumer electronics that can be easily sold for cash, including laptop computers, cameras, smart phones and parts for sports cars. Dropforrent.com pays managers and clients 30 percent of the value of laptops from ACER, HP, Toshiba, Dell, Compaq and Samsung, for example, and more than 40 percent of the retail price for Apple, Sony, VAIO, Canon and Nikon products.

The phony storefront for a drops recruitment scheme.

Drops also can be used to reship virtually anything else that the client or manager would like to use or consume themselves, such as clothes, jewelry, and candy. For this service, clients and managers pay a flat rate of 50 percent of the value of the goods to have the items reshipped abroad.

The dropforrent.com managers recruit new hires by posing as legitimate businesses. One manager who uses the name Dick Martin operates a dummy business called applestore-direct.com, and actively recruits drops via ads on craigslist.com. Recruited drops are given a login to applestore-direct.com where they receive daily updates about pending shipments. Drops also are required to use this Web-based interface to notify their managers of received and reshipped items.

Kent Tribbett, a 24-year-old from West Berlin, New Jersey, has been reshipping for applestore-direct.com for almost three weeks. He was hired by Martin via an ad on craigslist.com and was given an account at applestore-direct, where he was instructed to log in daily to receive and transmit information about packages arriving at his home. A screen shot of his user account is below.

According to Dick Martin’s account at dropforrent, at least 10 clients were using Tribbett as a drop. Those same records show that Tribbett was one of 60 different drops recruited by Martin in the past 10 months.

I spoke with Tribbett briefly by phone; he denied receiving or reshipping packages for applestore-direct.com, and then hung up. But the numerous USPS tracking numbers and Express Mail bills attached to the past shipments in his account at the site suggest otherwise.

Tribbett's account at applestore-direct.net

Alert readers may have noticed that the dropforrent.net manager account for Dick Martin looks virtually identical to Tribbett’s account at applestore-direct.com (a screen shot of Martin’s account at dropforrent.net is the first image in this blog post).

It may be that applestore-direct.com and dropforrent.net have the same Web interface because they are run by the same person. The two sites are among a dozen or so dodgy-looking sites hosted on the same server, including office-port.org, office-buy.net, officeexchange.info, overselling-depot.com, and zerofaultlogistics.com.

Well-run reshipping schemes can launder huge volumes of stolen goods in a relatively short time. The minimum order dropforrent.net accepts is $300. Records at dropforrent.net show that since the beginning of this year, drops hired through Martin’s applestore-direct.com front site have shipped more than 800 orders — at least a quarter million dollars worth of stolen goods.


50 thoughts on “Shady Reshipping Centers Exposed, Part I”

  1. Philip

    Criminals soliciting on Craigslist should be easy to infiltrate for the Feds. A couple fake drops (Honeydrops 🙂) owned by the authorities would likely result in plenty of interesting leads.

    1. Neej

      Well sure – aside from the fact that it’s trivial to hide oneself on the internet that sounds great.

      Fortunately criminals only have to make one mistake in order for everything to unravel but the facts still are that a careful and technically savvy criminal is unlikely to be apprehended.

      However human nature being what it is criminals do make these mistakes either through carelessness, arrogance (assuming law enforcement is stupid for example), stupidity from behaviour such as drug use etc and so on.

      Law enforcement on the other hand only has to be right once in order to take these thieves out.

      Thanks for another great article again Brian and I’m looking forward to reading the next installments in the series.

      1. jim sadler

        The cops always have the edge. Picture a small police force of 100 cops with an average of 15 years on the job for each cop as well as schooling in law enforcement hours that are endless. Now picture a criminal that has only been alive for 25 years. The experience factor and the mind power of an organised group of cops is going to prevail almost every time. Further, the criminal must keep committing crimes to keep income flowing. Every crime is another event and opportunity for discovery by the cops. Frankly it could be as easy as asking a UPS driver or FedEx driver if they have homes that they deliver unusual numbers of items regularly. Simply investigate all in the town that receive many deliveries each month.

        1. BrianKrebs Post author

          Interesting viewpoint, although I couldn’t disagree more. The crooks almost certainly have the “edge” if there is one. In any case, law enforcement, like security technologies, is reactive. Defenders need to defend all possible entry points, while attackers need to find just one way in to be successful. These are not good odds for defenders and good guys.

          What you seem to be addressing is the ability of the authorities to prosecute these guys, which is frankly laughable at the moment. I would say less than 1/2 of 1 percent of people involved in this type of crime ever get busted, let alone spend time in prison. A big part of the problem is many of the attackers live in countries that are not friendly to the US, or will never extradite, or they are so corrupt that those responsible — if they do get arrested — can buy their way out of prosecution. In some countries where cybercrime is highest, certain crimes are punishable by up to 5 years in prison OR a $5,000. See a potential problem there?

          1. Steve

            Speaking of cops and tactics – There was an interesting arrest at a motel near us, a short while ago.

            An Albanian, no car, was traveling with a (frame) backpack with a solar cell mounted on top, and a netbook. He was making his routine circuit through the New England states, physically visiting newly recruited mules that he’d picked up on dating sites, exactly for shipping drops.

            Struck me as interesting that a personal visit would be used to increase the confidence… but I suspect that it is so the mule will remember that this guy has been to their house, when they get busted. I recall a detail that the shipping involved multiple hops through various mules, eldest (about to be burned) to newest – it kind of begs for an obvious conclusion.

            Cheers,

          2. T.Anne

            I do agree that the odds of actually getting those responsible are very low. However, I would wonder if we started going after the mules/drops that are in this country, then wouldn’t that kind of help prevent the issue? Or at least decrease the problem?

            I know some people really think they’re doing something legit – but I would also think that most at least have a funny feeling about it if not completely know that it’s wrong and just don’t care as long as it’s lining their pockets… if they could get in trouble for it though, people might at least think more before doing it (assuming it’s not just a small slap on the wrist).

        2. Mark Rehorst

          You’re neglecting a critical factor. The cops have to play by certain rules. The crooks don’t. That gives them an edge that’s hard to beat.

      1. T.Anne

        You are correct that there are legit ways to shop internationally… however purchasing goods with stolen credit cards and having them shipped through alternate channels (through a person who is falsely employed) is not a legit way to do that.

  2. TheGeezer

    Good information, Brian.

    And this should serve as a reminder to everyone to NOT give your credit card to a waiter you don’t know. A few days ago my local banker told me that so far, on that day, two of their customers reported a series of fraudulent online charges made after eating at the same restaurant. Both had given their credit card to the waiter.

    1. DavidA

      So.. do you always pay with cash at restaurants? insist on following the waiter to the register to monitor your card?

      My dad’s card was stolen by a waiter once – ours was the last table at the restaurant before closing, he accidentally left the card and it was used later that night at a store down the road – so I know it happens but how do you protect yourself?

      1. TheGeezer

        @ DavidA I always take cash when going to a new restaurant.

      2. JKT

        There is a way to protect yourself. I have set up alerts with my CC company and my smartphone pings me within minutes of every charge that is put on my card. That is how I found out recently that my card # was stolen and within 20 minutes of the charge I had the card canceled. I also called both merchants the thief had bought from and had them cancel the shipments. No cost to the CC company, no cost to me, no payday for the thieves. It’s 2011 people; there are ways of stopping theft if you use the technology available to you.

        1. Mike Waters

          While we were visiting Hawaii recently our rental car was broken into and my wife’s purse was stolen. As luck would have it this was our last stop before turning in our rental car and boarding a flight to Singapore (think 20+ hours). The flight left about 3 hours after the theft.

          We were able to report the theft to ALL of our CC companies within 10 min of the theft (thanks to the USAF!), but even so the thieves managed to charge several thousand dollars to the disabled cards in the next 24 hours!

          American Express deserves a huge “attaboy” since they had NEW cards for us when we woke up in Singapore about 38 hours later. Citibank still insists that they sent replacements to our home address (DUH!).

          We had contacts from the various bank/CC security people for more than a year afterwards concerning use of the cards!

          We never paid US$0.01, but the CC companies paid out a LOT!

          Oh yes the cards all had US50K+ limits and presumably “this is a good guy” designation of some sort.

        2. John M

          Protect from what? There is no threat to you by losing your credit card. No identity theft threat and no threat of losing any assets. By law you are only responsible for at most ~$50 of any fraudulent charges and I have never heard of anyone being charged that.

          There is no reason to be afraid of having a card lost or stolen. You are not responsible for the charges. You do not need to follow the waiter when using a credit card unless you are worried about the hassles of credit card fraud, but that is all they will be, hassles.

          1. T.Anne

            Just because you don’t have to pay for it doesn’t mean someone else won’t… besides that – you should care about the hassle to yourself if nothing else.

            It’s the thought of, “it’s not my problem” that allows this to be such an issue. Stores thought it wasn’t their issue, CC companies and banks got tired of that and are now holding them responsible (well, working on it at least). Consumers think it because they have 0 liability… but that could change someday too if everyone just doesn’t care… someone’s losing money and you can bet they’ll be finding ways to get it back. Even if it’s just higher interest rates or yearly fees to start with.

          2. AlphaCentauri

            It’s a pain having all the people on the credit card account (you and your spouse, typically) take off work to visit a notary public to sign a form attesting that you didn’t make the fraudulent charges. A lot of working people can’t take time off work so easily, and they will lose wages if they do. It also lowers your credit score, so if you are taking out a loan, it could cost you dearly in extra interest over the life of the loan.

    2. Peter

      “And this should serve as a reminder to everyone to NOT give your credit card to a waiter you don’t know.”

      Why? If the waiter steals my card number, I dispute the charges and the card company sends me a new card. It’s happened several times this year (though due to use of the card online…purchases for work, not always from the most secure websites).

      Now, a *debit card* I won’t use. The difference is that a credit card doesn’t risk the contents of my bank account, but a debit card does. That’s exactly why I use a credit card…it eliminates any risk to me.

      1. Jon

        THIS

        If all you have is a debit card, process any transactions on it as a credit transaction; you never know if a terminal is compromised and is capturing your PIN.

        Really it’s best to have a credit card and use that everywhere and pay it off every month. The card holder has a lot of power when it comes to disputing transactions. If you see a fraudulent transaction on your card, call the card issuing bank, dispute the transaction, and the bank will issue a chargeback. What happens during a chargeback is the money is taken out of the merchant’s bank account and credited back to the card holder’s account; if the merchant doesn’t have those funds, the merchant’s processing gateway or front end processor will have to provide the funds. From there, it is on the merchant to prove that the transaction was legitimate.

        If you truly have a fraudulent charge on your account, issuing a chargeback shouldn’t be a difficult process. It should only take one phone call. If the CSR is giving you grief, hang up and call back to get a different rep or ask for a supervisor/manager that doesn’t want to get the bank into trouble with VISA or MC.

        And no, Chip+PIN is not the solution. It just takes away the liability from the merchant and puts it back on you. Processing terminals can and have been compromised.

      2. TheGeezer

        @Peter
        So, what you’re saying is that you don’t care if merchandise is effectively stolen using your credit card as long as someone else gets stuck with the bill?

        1. Nick P

          That’s not what he’s saying at all. What he’s saying is that he has no liability when using a credit card and hence doesn’t care. If his card is used in illicit purchases, that’s the banking system’s fault for continuing to insist on these and other insecure methods when better ones are available. Hell, even the current methods would have lower liability for banks if even these few options were available:

          1. Any out-of-state use requires phone verification for first use & only authorizes that state for a given amount of time.
          2. Limit of X dollars per day w/out secondary authentication & authorization.
          3. ATM use requires secondary authorization or an activation code & is only good for an hour.

          The bank’s software could have fields for these in the account database. A phone app + PIN or SMS system w/ OTP scheme would do this cheaply & with better security than the current system. Attacks would be harder & higher risk. Remote attacks would fail most of the time because the user elevates their privileges just *before* the transaction, not during or after. It would be really cheap.

          There are also total redesigns of the EFT systems that are better, but the overall point is that the banks created these problems for us & they have refused to implement measures to stop them. Hence, anything that happens with Peter’s card is their fault mainly & partly his for contributing to the system. It’s not like they give anyone a more secure alternative. And the sneaky stuff they are doing with Chip & Pin shows they don’t care how much damage they do to the customers so long as they are making a profit.

            1. Nick P

              Good question. This happens a lot on this blog. Those troll-like, non-contributing readers also rarely specify any counter-arguments or even alternative proposals. Fortunately, the good journalism & certain contributing readers keep me coming back here. The down-voting trolls might also be coming here from Slashdot. Just what I’d expect from that crowd.

              1. ricof

                Just speaking for myself, the answer is in the first two sentences of your comment. The second sentence contradicts the first. The remainder of your comment is not relevant to the post with which you disagree in your first sentence and then subsequently concur in the second sentence.

  3. Jonathon

    On a related note, how much stuff for sale on ebay is laundered, do you think?

  4. Me too

    It occurs to me that an unscrupulous person could sign up with one of these reshipping scams. Instead of forwarding the actual merchandise, keep it. It would probably take a week for the scammers to realize that they’ve been had and quit shipping to you. What’s their recourse?

    1. Aleksey

      The carders probably start with small stuff first, so one would have to receive and ship a couple of stolen items of insignificant value before receiving something valuable.

    2. george

      But the unscrupulous person would not get to keep the merchandise, would he? Because once the transaction is discovered to be fraudulent, the first law-enforcement check would be done at the original shipping address that is supposed to be in some way related/controlled to/by him. I guess this is the main reason the “drop” is abandoned after about a month (and the collateral is that they don’t have to pay the guy any salary) because it just so happens to take about 4 weeks from the fraudulent transaction until someone comes to speak to the addressee?

      1. KFritz

        Yes, and they’ll probably arrive ‘heavy.’ On the other hand, this would be a great, albeit risky, method for law enforcement to attack. When the thugs arrive, if they use illegal force or arrive ‘heavy,’ violent felonies and arms charges are on the crooks’ resume’.

      2. detroit

        In this economy, there are plenty of addresses one could use to rip off the scammers. Sign up as a reshipper at all of the vacant homes in the neighborhood! Hang out in the front yard about the time of day you know the UPS guy will arrive…
        The only question is: do you sign up one after the other, since you can only do this for a little while before they figure out you’re scamming them, or do you go for a big, quick in & out operation, signing up for 5 jobs at a time and hope they accept all those signups in one area at once?

        1. Alfredo

          Good plan, but then you would be stealing from the guy that paid unwillingly for the goods. While you are at that, you may as well hire some others that will reship that for you…

          1. Nick P

            $50 max, maybe nothing. Gotta love those liability laws. Unless he is careless & doesn’t regularly check for fraudulent charges. That’s his fault though, cuz even the banks themselves make bogus charges & fees. There’s no excuse for not monitoring the activity of one’s bank accounts.

    3. Kyle Jones

      Depending on the nastiness of the parties involved their “recourse” might be to ship you a bomb. Merry Christmas, Charlie Brown!

  5. Huh?

    I went to purchase an Airpcap adapter by CACEtech once on Ebay (thought I could get a used one for cheaper), but nothing seemed right about the seller. I emailed Cacetech customer support if the adapters were genuine, and it turned out the adapters were legit, but were purchased from a fraudulent credit card transaction a few weeks before. They shipped them to a buyer in Indonesia, and used the information to begin prosecution. They thanked me for informing them by sending me one for free. Keep an eye out for this sort of thing and who knows, maybe you can help the little guy.

  6. Mark Giles

    Do you have the postal addresses for Dick Martin and Kent Tribbett? I’d like to send them some spare underpants. I figure they will be needing them right now.

  7. AlphaCentauri

    If the criminal is brazen enough to send the drop shipping labels addressed to himself, he must live in a country where he feels that law enforcement will not take any action, perhaps because they’re getting a cut of the action. (As the Russian pill pushers have found, however, the local authorities can change their policies without prior notice.)

    OTOH, it’s quite possible the prepaid shipping labels lead to a second drop, to limit the damage if the reshipping mule calls the retailer to inquire and provides them the new shipping address. The scammers may also have their own truck pick up the goods from a drop’s house rather than having the drop re-address and ship them via a commercial carrier, so the trail runs cold at that point.

  8. Anderson Scott

    Am I the only one wondering how these screenshots were made? Of course, I’m pre-coffee and assuming these are legitimate.

    1. BrianKrebs Post author

      I can’t really go into sources and methods on this one, sorry. What I can tell you, though, is that many of these fraud sites allow open registration. Ironically, these sites sometimes are not very well thought-out or secure. Often times after you have created an account, it is trivial to see other information than what is in your account, by simply changing the URL slightly.

  9. Mike Waters

    What is especially tragic is that people who travel a lot actually need legitimate services of this kind.

    We spent 13 years sailing around the world and used a mail forwarding service to send out mail and any packages twice a month.

    One phone call or email to the forwarder with a pickup address and the mail package would be there when we arrived.

    We used the service for 13 years and never had a package go astray, despite some VERY exotic mail drops!

  10. Lee Dickey

    Never EVER EVER use your debit card at a restaurant. I hear all the time from these financial “experts” to not get credit cards and never to use them but I would rather use my CC at a restaurant and have that hijacked than my debit card with my actual cash being stolen. I can use a CC and pay it off right away and maybe at the most have a small fee associated with doing that. It’s still cheaper than dealing with the aftereffects of your account being drained and there being a bunch of overdrafts and the inability to pay your bills/mortgage/car payment or whatever. It’s also cheaper than paying for credit monitoring. Only use your credit card for online shopping and out to eat. It’s a simple solution that has worked for me.

    Or use prepaid temporary/disposable debit cards that a lot of banks do now. That is also a good solution for when eating out and buying online, etc

    1. Nick P

      I agree with your recommendations. The part that befuddles me is where you say “financial experts” tell people to use a debit & not a credit card. Are you talking about people trying to tell people how to stay out of debt? The one card expert I know of wrote a book called “Credit Card Secrets.”

      In it, he encouraged use of credit card over debit for these exact reasons. He also added that using a rewards card & paying off balance regularly essentially makes you money. He also mentioned that credit cards have more legal protections than debit cards, particularly the stop payment methods & the $50 max liability. So, yes, nobody should be using debit cards at stores AT ALL if they’re concerned about crooks getting their card number.

  11. Christian

    Good Job Brian!
    Seems like the crooks took all sites down 🙂

    1. Nick P

      It’s not a good thing. It means [likely] they relocated the sites. Now, they have to be found again. Their forums infiltrated again (will be easier though). They might have also read his comment about how he’s compromised their site & corrected the vulnerability. The good news is he might have disrupted their business a bit & given the police more to go on. And more awareness.

  12. Philip Hands

    The comments about the police having the edge may be true if they give a shit, but in the case of the London Metropolitan Police, they clearly don’t, since they put rather more effort into frustrating my efforts to give them a statement than they ever did to following up on the arrest that I managed to facilitate for the Dublin Garda.

    In 2009 my Debit card details leaked, almost certainly via a compromised system at a theatre booking agent. I know that because I use unique email addresses for each transaction, and that’s the email address that the criminals used to register at nike.com to order a load of trainers (pretty dimwitted of them, eh?)

    After a spot of detective work, I contacted my bank and then the police in the hope that I could get some action before the trainers were delivered to the address I now knew — after being repeatedly fobbed off, I contacted the drop’s local Garda station in Dublin, and they were much keener, and once I’d evaded The Met’s attempts to stop me making a statement, they went round and arrested her.

    In fact, they got in touch with UPS, borrowed a uniform, a Garda constable dressed up and delivered the items and then went back in her proper uniform and said “Recognize me? … you’re under arrest” 🙂

    After that The Met reacted to the news that the drop’s destination address was back in the UK by suggesting that I contact another UK police force, rather than being willing to liaise on behalf of the Garda, which pretty much killed my enthusiasm (I’d wasted a large chunk of that week already, about half of that routing around the Met).

    So, yes if they get off their fat arses the police should have the upper hand, but when they tell people that are able to provide them with timely information that they don’t care it’s another story.

    They could really easily have done the UPS delivery trick in Manchester and caught a criminal, but instead they put enough effort into frustrating things that the Garda Sergeant I was talking to phoned me up a couple of times after clocking off his shift to vent about the fact that the DCI at the Met had declared that she’d refuse to cooperate with him even if he sent the request via Interpol.

    1. Mike Waters

      It all boils down to budgets and priorities, i.e. what annoys the politicians this week.

      According to our local police you get a longer sentence for damaging a mailbox than for murder! The penalty for murder is much more severe, but the odds of getting away with it are very good!

      It seems that “time served per recorded crime” is around 3 months for murder in the US! The highest on that list: Income tax evasion.

      The current presidential name calling contest shows the underlying reasons quite well. 🙁

  13. Nick P

    I agree it matters to you, but please
    no spam, on topic & sensible english
