October 31, 2011

Would that all cybercriminal operations presented such a tidy spreadsheet of the victim and perpetrator data as comprehensively as profsoyuz.biz, one of the longest-running criminal reshipping programs on the Internet.

Launched in 2006 under a slightly different domain name, profsoyuz.biz is marketed on invite-only forums to help credit card thieves “cash out” compromised credit and debit card accounts by purchasing and selling merchandise online. Most Western businesses will not ship to Russia and Eastern Europe due to high fraud rates in those areas. Underground businesses like Profsoyuz hire Americans to receive stolen merchandise and reship it to those embargoed regions. Then they charge vetted customers for access to those reshipping services.

Below is a screen shot of the administrative interface for Profsoyuz, which shows why its niche business is often called “Drops for Stuff” on the underground. The “Дроп” or “Drop” column lists Americans who are currently reshipping packages for the crime gang; the “Стафф” or “Stuff” column shows the items that are being purchased and reshipped with stolen credit card numbers.

Profsoyuz reshipping service admin panel.

The column marked “Холдер” or “Holder” indicates the cardholder — the name on the stolen credit card account that was used to purchase the stuff being sent to the drops. I rang Laura Kowaleski, listed as the person whose credit card was fraudulently used on Oct. 11, 2011 to buy a Star Wars Lego set for $189, plus $56 in shipping. She told me I reached her while she was in the process of filing a police report online, after reporting the unauthorized charge to her credit card company.

The Lego set was sent via FedEx to Oscar Padilla, a 37-year-old from Los Angeles. Padilla said he believed he was working for Transit Air Cargo Inc. (transitair.com), a legitimate shipping company in Santa Ana, Calif., and that he got hired in his current position after responding to a job offer on careerbuilder.com. However, the Web site used by the company that recruited him was transitac.com.

Padilla said the people who hired him have been sending 3-4 packages daily for the past two weeks, but sometimes as many as seven each day. The packages arrive with prepaid shipping labels, and Padilla’s job is to affix the labels on the packages and arrange for them to be picked up or sent via the corresponding shipping service, usually the US Postal Service or FedEx.

Some of Profsoyuz's other scam companies.

Padilla said he was promised a $1,000 salary via PayPal at the end of his first month of work, what his employers called a “trial period.” He looked up the history of Transit Air Cargo and found that it had an A-plus rating with the Better Business Bureau, and that it had been in business for many years.

“If approved, and I passed the trial period, it was supposed to be $2,500 every month I worked after that,” he said. “I didn’t see any complaints about the company, so I just went ahead and signed the contract.” A copy of the contract is here.

Padilla failed to notice that the emails from his employer came from transitaircargoinc@gmail.com, not from Transitair.com, the legitimate company’s real address. He also had no way of knowing that reshipping mules almost universally are cut loose without pay at the end of their first month’s work.

Gary Syner, chief executive officer at the legitimate Transit Air Cargo, first learned that fraudsters were impersonating his company’s identity about six weeks ago, when he received a phone call from another drop that had fallen for the scam and was never paid for his work.

“You would think that common sense would tell you that if the deal sounds too good to be true, and you don’t even know who the parties hiring you are, then it’s probably not a real job,” Syner said. “I know these are desperate times for some people, but how the hell do you fall for something like this? If you don’t meet the employer in person, it’s probably a good indication that something isn’t right.”

Want to learn more about the “terms and conditions” to which Profsoyuz customers must agree? Check out a translated version of them here. The document helps explain how the service monetizes credit card fraud for itself and for customers.

If you missed the first segment in this series on reshipping scams, please see Shady Reshipping Centers Exposed, Part I.


12 thoughts on “Turning Hot Credit Cards into Hot Stuff

  1. JS

    This is a new twist on an old crime.

    Its called fencing, money laundering, and smuggling.

    However the real tragedy is once again with 10%+ unemployment in the States; it is still seen as “cheaper” to have the banks write off or dilute the cost of this fraud through banking fees than to hire bank examiners, hire investigators and support law enforcement to enforce already existing laws.

    What banking industry effort has there been to invest in better IT professionals to develop a better industry solution?

    Bank cards and ATMs are a 40+ year old “technology” that is creaking and crumbling; as it was designed prior to 1970 in a mileau where the criminal masses lacked of skilled technology professionals. Today that has been inverted.

    Stopping fraud and money laundering would stop the bleeding of 100s Billions from the world economy. If the US President wants to leave a legacy he needs an Elliot Ness for the Modern age.

    In 1980 when we were building B1, B2, M1 A1 and SDI who would think that Russian Crime gangs would be operating with impunity on western shores in 2011.

    I wonder how many KGB and their cohorts from eastern block went over to work for crime gangs…

    We lost that battle.

    1. Neej

      With respect and to be sure I’m no expert in the area I take issue with some of the points you raise in this post:

      To start with the vast majority of banks are entities that exist to make a profit. I have trouble believing that if current levels of criminal activity were to be reduced or disappear then fees and charges would be lowered – these levels are determined by what the market will bear IMO. Also it is incorrect that banks are not hiring examiners, investigators and supporting law enforcement agencies.

      There have been industry efforts to reduce fraud through better technology through investment in IT employees.

      Bank cards and ATMs are old (although they’ve changed significantly since their introduction) – however what would you have them replaced with? Criminals have and still do target other forms of monetary transactions such as cheques but the levels of loss due to criminal activity do not make these other forms of transaction not worth using still for some people.

      Comparing financial crime to the Cold War is a bit rich: your basically comparing two former super powers with opposing ideologies and the capacity to wipe out mankind with the world’s financial system and thieves. The thieves aren’t at the level of bringing down the system let alone destroying the earth …

      And (and I’ll cop to feeling a little petty here with this last point) purloined money is not lost to the world economy: whomever makes these ill gotten gains is still going to use their money, indeed many criminals enjoy looking rich etc. and so spend a great deal of money rather than saving or investing in assets (like people who actually understand money and retire rich).

      1. grumpy

        True, banks are in business to make profits. But losses can be covered in two different ways:

        1) Prevent, detect and prosecute
        2) Transfer to customers (fees, interest rates etc.)

        They *will* choose the cheapest option. If that is to let the customers carry the cost, they will. It’s our job to make option 2 the most expensive by forcing our political servants to enact laws or possibly even just enforce those already in place.

        1. J.T. Wenting

          Banks go a long way to detect and prevent fraud, and will file charges and prosecute when it is detected. That’s one reason for their fees on your account, not to relay losses from fraud you report to them, but to help fund efforts to prevent such fraud from harming you in the first place.

          I’ve personally been involved in software development for banks, and the processes and people there are (overall, there’s lemons everywhere of course) high quality.
          But you have to draw a line somewhere between being 100% secure and being still usable.
          A 100% secure system could be created but it would be a system where it’s impossible to access the content of your bank account in any way (after all, a thief could have a fake account book, fake ID in your name, etc. and plunder it if we went back to those days, where the only way to access your account was by physically going to the bank and asking for money after being positively identified by several employees as the account holder).

          Efforts are underway to replace the current ATM cards with more secure versions, and implementations are being fielded in several countries already.
          But when the hardware to read the devices has been compromised, it’s still possible to skim them and it won’t be long before the new cards can be created by criminals (though at least initially the cost to them will be higher than it is now).
          Ditto with credit cards, the vast majority of fraud is because people aren’t mindful of who they give their card to, buying from shady websites or handing cards to restaurant waiters who skim them behind a counter while the card owner isn’t watching.
          No amount of IT can change such things…

  2. doug burkhart

    50 packages per week? Items that must be signed for?? Wouldn’t that raise suspicion with UPS, USPS, or FedEx? Is it unreasonable to ask these shipping companies for help in fighting this stuff? Plus they have records of delivery, signatures, etc. Seems like they could be raising a red flag or two in this.

    1. EJ

      Asking a shipper to hassle their customers on the off chance that they could be a mule? Asking a shipper to spend their own funds to fight something that isn’t costing them money directly? Asking a shipper to red flag activity that the police aren’t going to be able to act upon because there isn’t sufficient cause to investigate?

      Yes, it is unreasonable.

  3. John

    Money in Minutes was shut down via Western Union about 2 years ago. I personally upgraded over 35 locations in Virginia to new hardware and new software.

    ALL transfers now require a min of 3 days to process.

    As to the other comment about monitoring via UPS/USPS/Fed Ex. If you are getting more than 2 packages a day (on a regular basis) addressed to a different name than the one living at the address (which is on file at most shipping offices), the account and address is flagged for fraud. The local tax office, and police WILL be notified and you will be put under investigation.

    The investigation may take up to 2 years to complete, at which time you will be arrested. Normally for credit card fraud. As drop shipping is NOT illegal, package forwarding is NOT illegal either.

    What tends to happen is that the crooks will likely change the billing address on the Credit card to your address, and then start making fradulent purchases, many banks have fraud departments that monitor this change of address activity.

    Once you are charged, the investigation continues. Experience is the best teacher. I have been involved in many related and unrelated cases gives me significantly more exp than the average person.

    Trust me, no matter how bad it gets, it is better to be on the side of the Feds, than the side of the criminals.

  4. Patrik Jagge

    excellent post Brian someone was planning on sending you money through a stolen credit card and pasting the credit card information he was going to use could you report it to the owner so he may cancel it thanks I would but I wouldn’t know how I live in Singapore.

    Ryan Kolinberd [] 4744XXXXXXXXXX 0615 746 [11206 ] United States [] New York [] BROOKLYN [] 889 BROADWAY APT 3D

  5. BrianKrebs Post author

    Thanks, Patrik. Maybe next time send me a private note, or just paste a part of the information? I redacted part of the credit card number.

  6. Julia

    I’m writing from Spain. I’ve ben sent one of those this mails from transitaircargo As it seemed a bit suspicious i’ve been looking for information and found your web. Thank you very much.

Comments are closed.