04 Mar 19

Hackers Sell Access to Bait-and-Switch Empire

Cybercriminals are auctioning off access to customer information stolen from an online data broker behind a dizzying array of bait-and-switch Web sites that sell access to a vast range of data on U.S. consumers, including DMV and arrest records, genealogy reports, phone number lookups and people searches. In an ironic twist, the marketing empire that owns the hacked online properties appears to be run by a Canadian man who’s been sued for fraud by the U.S. Federal Trade Commission, Microsoft and Oprah Winfrey, to name a few.

Earlier this week, a cybercriminal on a Dark Web forum posted an auction notice for access to a Web-based administrative panel for an unidentified “US Search center” that he claimed holds some four million customer records, including names, email addresses, passwords and phone numbers. The starting bid price for that auction was $800.

Several screen shots shared by the seller suggested the customers in question had all purchased subscriptions to a variety of sites that aggregate and sell public records, such as dmv.us.org, carhistory.us.org, police.us.org, and criminalrecords.us.org.

A (redacted) screen shot shared by the apparent hacker who was selling access to usernames and passwords for customers of multiple data-search Web sites.

A few hours of online sleuthing showed that these sites and dozens of others with similar names all at one time shared several toll-free phone numbers for customer support. The results returned by searching on those numbers suggest one reason this network of data-search Web sites changed its support numbers so frequently: They quickly became associated with online reports of fraud by angry customers.

That’s because countless people who were enticed to pay for reports generated by these services later complained that although the sites advertised access for just $1, they were soon hit with a series of much larger charges on their credit cards.

Using historic Web site registration records obtained from Domaintools.com (a former advertiser on this site), KrebsOnSecurity discovered that all of the sites linked back to two related companies — Las Vegas, Nev.-based Penguin Marketing, and Terra Marketing Group out of Alberta, Canada.

Both of these entities are owned by Jesse Willms, a man The Atlantic magazine described in an unflattering January 2014 profile as “The Dark Lord of the Internet” [not to be confused with The Dark Overlord].

Jesse Willms’ Linkedin profile.

The Atlantic pointed to a sprawling lawsuit filed by the Federal Trade Commission, which alleged that between 2007 and 2011, Willms defrauded consumers of some $467 million by enticing them to sign up for “risk free” product trials and then billing their cards recurring fees for a litany of automatically enrolled services they hadn’t noticed in the fine print.

“In just a few months, Willms’ companies could charge a consumer hundreds of dollars like this, and making the flurry of debits stop was such a convoluted process for those ensnared by one of his schemes that some customers just canceled their credit cards and opened new ones,” wrote The Atlantic’s Taylor Clark.

Willms’ various previous ventures reportedly extended far beyond selling access to public records. In fact, it’s likely everyone reading this story has at one time encountered an ad for one of his dodgy, bait-and-switch business schemes, The Atlantic noted:

“If you’ve used the Internet at all in the past six years, your cursor has probably lingered over ads for Willms’s Web sites more times than you’d suspect. His pitches generally fit in nicely with what have become the classics of the dubious-ad genre: tropes like photos of comely newscasters alongside fake headlines such as “Shocking Diet Secrets Exposed!”; too-good-to-be-true stories of a “local mom” who “earns $629/day working from home”; clusters of text links for miracle teeth whiteners and “loopholes” entitling you to government grants; and most notorious of all, eye-grabbing animations of disappearing “belly fat” coupled with a tagline promising the same results if you follow “1 weird old trick.” (A clue: the “trick” involves typing in 16 digits and an expiration date.)”

In a separate lawsuit, Microsoft accused Willms’ businesses of trafficking in massive quantities of counterfeit copies of its software. Oprah Winfrey also sued a Willms-affiliated site (oprahsdietscecrets.com) for linking her to products and services she claimed she had never endorsed.

KrebsOnSecurity reached out to multiple customers whose name, email address and cleartext passwords were exposed in the screenshot shared by the Dark Web auctioneer who apparently hacked Willms’ Web sites. All three of those who responded shared roughly the same experience: They said they’d ordered reports for specific criminal background checks from the sites on the promise of a $1 risk-free fee, never found what they were looking for, and were subsequently hit by the same merchant for credit card charges ranging from $20 to $38.

I also pinged several customer support email addresses tied to the data-broker Web sites that were hacked. I received a response from a “Mike Stef,” who described himself as a Web developer for Terra Marketing Group.

Stef said the screenshots appeared to be legitimate, and that the company would investigate the matter and alert affected customers if warranted. Stef told me he doubts the company has four million customers, and that the true number was probably closer to a half million. He also insisted that the panel in question did not have access to customer credit card data.

Nevertheless, it appears from the evidence above that Willms and several others who were named in the FTC’s 2012 stipulated final judgment (PDF) are still up to their old tricks. The FTC has not yet responded to requests for comment. Nor has Mr. Willms.

I can’t help feeling a certain amount of schadenfreude (schadenfraud?) at the victim in this hacking case. But that amusement is tempered by the reality that the hundreds of thousands or possibly millions of people who got suckered into paying money to this company are quite likely to find themselves on the receiving end of additional phishing and fraud attacks (particularly credential stuffing) as a result of their data being auctioned off to the highest bidder.

Terra Marketing Group’s Web developer Mike Stef responded to my inquiries from an email address at the domain “tmgbox.com.” That message was instrumental in identifying the connection to Willms and Terra Marketing/Penguin. In the interests of better informing people who might wish to become future customers of this group, I am publishing the list of the domains associated with tmgbox.com and its parent entities. This list may be updated periodically as new information surfaces.

In case it is useful for others, KrebsOnSecurity is also publishing the results of several reverse WHOIS lookups for historic domains tied to email addresses of several people Mike Stef described as “senior customer support managers” of Terra Marketing, as these also include some interesting and related (albeit mostly dead) domains.

Reverse WHOIS on Peter Graver and Jesse Willms (rickholl2k9@gmail.com)

Reverse WHOIS on mike@tmgbox.com

Reverse WHOIS on Jason Oster (joster2008@gmail.com)

Public records search domains associated with Terra Marketing Group and Penguin Marketing were published with this post.

KrebsOnSecurity would like to thank cybersecurity firm Intel471 for their assistance in researching this post.


34 comments

  1. Brian Fiori (AKA The Dean)

    OK, so what do you do with a recidivist piece of garbage like Jesse Willms? He keeps getting caught and sued. Then settles. So to him, it’s just a business expense.

    I’m not the biggest fan of locking everyone up. This country puts far too many people behind bars at it is. On the other hand, you can’t simply fine a POS like this.

    We need to get creative to punish bottom feeders like this wretched individual. There has to be a way to seriously punish him and remove EVERY dollar he has ever made scamming people.

    His punishment should be severe enough to prevent him from returning to his grifting ways, and discourage others. But what can that be?

    Put him in a half-way house with no internet and let his victims come by and slap the crap out of him on a daily basis? It’s not perfect, I know. But I’d like to hear real answers. I know, in the end, a long prison term currently tends to be our best solution for pond scum like this.

    • Convict him of fraud, then work out a probation agreement in which he agrees to behave well and pay back any victims, in exchange for supervised freedom.

      If the customers signed the right waivers and disclosure agreements, there may not be any crime. (Which would explain why FTC got involved, rather than DOJ).

      It should be noted that FTC allegations have a poor record of success before courts and juries. Instead, FTC suits tend to reach settlements, without admissions of guilt or agreement on facts. All FTC complaints should be treated with skepticism.

      • P.S. if you read the Findings of the 2012 FTC vs. Willms Judgment in the article, you’ll see there’s no admission of guilt or agreement on substantive facts. It’s a settlement, not a verdict.

        It’s nice that this guy might lose his business through a hacking, if you believe he’s a criminal.

        But the fact is that he’s never been found to be guilty of a crime, and may now be a victim of one.

  2. wow, this guy SO DESERVES to be VIOLENTLY killed
    he pulled all trick in the book to CHEAT his customers with multiple fees and to make it almost IMPOSSIBLE to cancel the charges
    he should be tortured and really violently killed ON HD VIDEO to be made an example of
    people like him are too fast for the law to react, but not faster than bullets

  3. “His punishment should be severe enough to prevent him from returning to his grifting ways, and discourage others. But what can that be?” asks Brian above
    as i said in my previous reply, he should be killed
    no law or lawyer is good enough for this kind of guy
    his lawyers, i must say, deserve the same fate, they are enablers, and they should be killed too

    • Can we build a wall around him?
      Trumping my way through security.

    • This is a democracy. Everyone deserves a lawyer, everyone deserves a fair trial. It needs to be officially ascertained that they are guilty. Screaming murder won’t help anyone, and if it were acted upon only terror and injustice would result. What if Brian is wrong, and Jesse only had marginal participation? It’s unlikely, of course, but as long as it hasn’t been clearly and officially established, no verdict can be given yet, and you would kill a man for assistance in fraud, certainly illegal, but definitely not worthy of death.

  4. “schadenfreude (schadenfraud?)”

    Can’t wait for a chance to throw that into a conversation.

  5. I have always seen those ads on news sites and other weird places. Been curious about what the scam was but never curious enough to investigate. I wonder how someone runs something so shady looking for so long without getting into any kind of real trouble. It’s troublesome to me that someone can. It’s more troubling that it was somehow lucrative enough for him to keep it up all this time.

  6. Your list contains many dead sites. Culling them out, here are the live sites as of now

    LIVE SITE . . . . . . Sponsoring Registrar

    autohistorychecks.com GoDaddy.com, LLC
    carhistoryindex.com GoDaddy.com, LLC
    carrecordusa.com GoDaddy.com, LLC
    courtrecords.us.org Gandi SAS
    criminalrecords.us.org Gandi SAS
    dmv.us.org Gandi SAS
    dmvinfocheck.com GoDaddy.com, LLC
    homevalue.us.org Gandi SAS
    jailinmates.us.org Gandi SAS
    memberreportaccess.com Domain.com, LLC
    police.us.org Gandi SAS
    propertyrecord.com FastDomain Inc.
    publicrecords.us.org Gandi SAS
    vehiclereportusa.com GoDaddy.com, LLC
    warrantcheck.com FastDomain Inc.

    • All listed by Spamhaus DBL (Domain Black List), except those with registrar Gandi SAS:

      courtrecords.us.org
      criminalrecords.us.org
      dmv.us.org
      homevalue.us.org
      jailinmates.us.org
      police.us.org
      publicrecords.us.org

  7. never, ever sign up for “free” services offered unsolicited from the web or email unless you have checked them out…”free ____” just sign up here…our education system is failing badly…

    • In the US, those over 60 lose the most money to scams. (1) You can’t blame that on today’s schools.

      Modern education also can’t be blamed for the fact that seniors are more frequent scam victims in Australia. (2)

      1. https://www.experian.com/blogs/ask-experian/you-may-be-surprised-whos-getting-scammed-the-most/

      2. https://www.scamwatch.gov.au/about-scamwatch/scam-statistics

      • please provide a cite to your claim that people over 60 are scammed the most…nonsense!

        • your own link said:

          “One surprising trend: More young people are falling victim to fraud and scams than older people.

          The BBB report showed that Americans ages 18 to 34 were more susceptible to scams (43.7% were victims) than Americans 55 and older (27.6% were victims). However, while occurrences are less for older Americans, seniors still lose more money in scams than younger victims.”

          • in any case education is life long…doltship shows no preference for age…

          • Mikey Doesn't Like It

            Chill, Roger.

            First of all, the poster said seniors lose the most money — not that they’re scammed the most. They’re scammed FOR the most.

            But I suggest we all spend less time arguing over silly nits like this here instead of, like Brian, focusing our energy on helping our families, friends and neighbors recognize the dangers lurking out there and how to best avoid them.

            As someone who speaks on cybersecurity awareness, I’m astounded at the number of people I meet who, while seemingly intelligent, are totally clueless about “safe computing.”

            If only more people followed Brian’s outstanding reporting. Right on, Brian!

            • Andy Steverson

              “As someone who speaks on cybersecurity awareness, I’m astounded at the number of people I meet who, while seemingly intelligent, are totally clueless about safe computing.”

              Exactly this! I would also add: even those that are within the security field are often clueless as well. There’s countless people within InfoSec that use weak credentials but claim “I am smart enough to recognize fraud or phishing”. That may be the case, but storing weak credentials on a database that gets breached will only make the hash easier to crack. It’s not about being smart enough to recognize the signs, it’s about being aware and actually utilizing safe computing measures like you mentioned.

            • I agree with you! He nitpicked and I rose to the challenge. Instead of saying inane things we should concentrate on educating to make a difference. While elders may lose the most per capita, the losses at Visa are far and away not them.

    • Especially FaceCrook!

      Where you are the product. Zuckerberg should be in Jail and FaceCrook should be dismantled, with all the data they have collected & sold. That same data should be launched into the sun!

      • If I only had a backhand that could reach thrust monitor to yours, you would know.

        DONT TELL ANYONE ANY INFO YOU DONT WANT TO BE KNOWN.

        Didn’t we learn this back in 2nd grade?

        If you write something down in a diary, chances are someone’s gonna read it.

        Same principle, same outcome.

        Don’t be stupid, don’t offer up info you don’t want known.

        Don’t like the convenience, don’t use the service.

        Don’t want to pay, don’t play.

        It’s known, hackers gonna hack and sheep are gonna follow the yellow brick road.

        If you are stupid, at least don’t act like it.

  8. schadenfreude

    Reading news online seemed like a great idea for a while until I started noticing such a slowdown; waiting for the page to load with all its clickbait ads is incredibly painful. Then you see what you think is a cute story about a dog who refuses to eat until its owner discovers… it’s just a chain of photos complete with margins full of clickbait ads… and the payoff photo is usually disappointing. I’ve learned never to click on those stupid things.

  9. Let’s just take a look at the security certificate for my.equifax.com to see who owns the site:

    “This website does not supply ownership information.”

    D’oh.

    So Equifax even cheaped out on that, getting a DV SSL rather than an OV or EV.

    They did do one thing right, namely they remembered to secure ‘myequifax.com’ and have it redirect to ‘my.equifax.com’. Otherwise the phishers would be having a field day about now.

  10. Brian, I took a look at one of the sites and the “victims” of “fraudulent” charges are hardly that. Unless their business model recently changed, they’re pretty explicit about their charges:

    You will be charged $18.95 per month for 12 months of access for 25 reports/month. Total price, $227.40. You will also be charged an initial deposit of $1.00 for your first report. If you no longer require additional reports please call us anytime to cancel your one year payment plan.

    Order Summary
    You will receive your report for $1.00

  11. $467 million for being a douche? Really?

    I was going to say at what point do you wake up one morning with half a billion dollars and just say “stuff it, I’m retiring”? But then we’ve created this marketplace, and even if he goes, clearly there’s a whole bunch of people out there willing to keep handing over the $$$

  12. Americans really

    You put your credit card into a fire, you’re gonna get burnt.

    If a homeless guy was on the corner with a sign saying free background reports and even in little writing explained that you will be screwed in the near future, would you hand your card over so he could swipe it to get what you were after?

    I HIGHLY DOUBT 1 person would fall for his antics. If so you deserved it.

    BUT put a computer screen on as a disguise and every American will fall victim AND CRY WHEN IT HAPPENS!

    Wtf is this?

    Don’t be stupid
    Don’t get played

    Easy as 1 2 3

    If you think otherwise, move to Antarctica, you’ll be better off and stop feeding the crooks and it will stop happening. Keep feeding the crooks and it will keep being worth the time and effort involved.

    Simple solution, right CrabeS?