A new rash of credit and debit card scams involving bogus sub-$15 charges and attributed to a company called “BLS Weblearn” is part of a prolific international scheme designed to fleece unwary consumers. This post delves deeper into the history and identity of the credit card processing network that has been enabling this type of activity for years.
onlinelearningaccess.com, one of the fraudulent affiliate marketing schemes that powers these bogus micropayments.
At issue are a rash of phony charges levied against countless consumers for odd amounts — such as $10.37, or $12.96. When they appear on your statement, the charges generally reference a company in St. Julians, Malta such as BLS*Weblearn or PLI*Weblearn, and include a 1-888 number that may or may not work (the most common being 888-461-2032 and 888-210-6574).
I began hearing from readers about this early this month, in part because of my previous sleuthing on an eerily similar scheme that also leveraged payment systems in Malta to put through unauthorized junk charges ($9.84) for “online learning” software systems. Unfortunately, while the names of the companies and payment systems have changed, this latest scam appears to be remarkably similar in every way.
Reading up on this latest scam, it appears that the payments are being processed by a company called BlueSnap, which variously lists its offices in Massachusetts, California, Israel, Malta and London. Oddly enough, the payment network used by the $9.84 scams that surfaced last year — Credorax — also lists offices in Massachusetts, Israel, London and Malta.
And, just like with the $9.84 scam, this latest micropayment fraud scheme involves an extremely flimsy-looking affiliate income model that seems merely designed for abuse. According to information from several banks contacted for this story, early versions of this scam (in which fraudulent transactions were listed on statements as PLI*WEBLEARN) leveraged pliblue.com, formerly associated with a company called Plimus, a processor that also lists offices in California and Israel (in addition to Ukraine).
The very first time I encountered Plimus was in Sept. 2011, when I profiled an individual responsible for selling access to tens of thousands of desktop computers that were hacked and seeded with the TDSS botnet. That miscreant — a fellow who used the nickname “Fizot” — had been using Plimus to accept credit card payments for awmproxy.net, an anonymization service that was sold primarily to individuals engaged in computer fraud.
Apparently, the Internet has been unkind to Plimus’s online reputation, because not long ago the company changed its name to BlueSnap. This blog has a few ideas about what motivated the name change, noting that it might have been prompted in part by a class action lawsuit (PDF) against Plimus which alleges that the company’s marketing campaigns include the “mass production of fabricated consumer reviews, testimonials and fake blogs that are all intended to deceive consumers seeking a legitimate product and induce them to pay. Yet, after consumers pay for access to any of these digital goods websites, they quickly realize that the promotional materials and representations were blatantly false.”
![The administration page of ssndob[dot]ru. Note the logged in user, ssndob@ssa.gov, is the administrator.](https://krebsonsecurity.com/wp-content/uploads/2014/03/ssndobadmin.png)
