Posts Tagged: Inc.

Jan 14

Deconstructing the $9.84 Credit Card Hustle

Over the holidays, I heard from a number of readers who were seeing strange, unauthorized charges showing up on their credit and debit cards for $9.84. Many wondered whether this was the result of the Target breach; I suppose I asked for this, having repeatedly advised readers to keep a close eye on their bank statements for bogus transactions. It’s still not clear how consumers’ card numbers are being stolen here, but the fraud appears to stem from an elaborate network of affiliate schemes that stretch from Cyprus to India and the United Kingdom.

homecsOne reader said the $9.84 charge on her card  came with a notation stating the site responsible was I soon discovered that there are dozens of sites complaining about similar charges from similarly-constructed domains; for example, this 30-page thread at Amazon’s customer help forums includes gripes from hundreds of people taken by this scam.

I did a bit of digging into that domain, ordering a historic WHOIS report from The report shows that the domain was originally registered using the email address Domaintools also reports that this email address was used to register more than 230 other sites; a full list is available here (CSV).

A closer look at some of those domains reveals a few interesting facts., for example, is a Web site for a call center and a domain that has been associated with these $9.84 fraudulent charges. lists as its local phone number 43114300. That number traces back to a call center in India, Call Connect India, Inc., which registers its physical address as Plot No 82, Sector 12 A, Dwarka. New Delhi – 110075.

iwepThe next site like that one on the list — — references the domain, another domain on the list of sites registered to that email address. The homepage of lists the following contact information:

Copyright © 2014. All Rights Reserved – Lasorea Ltd

Lasorea Ltd.
Site and billing supported
Premier Business Centre 47-49 Park Royal Road
London UK NW107LQ

A search at, a government site which maintains records about companies based in the United Kingdom, turned up incorporation records (PDF) showing that Lasorea Ltd. was founded in January 2013 by Emil Darbinian, a 28-year-old self-described accountant from Nicosia, Cyprus. Other records searches on Mr. Darbinian indicate he owns at least two other companies at the same address, including Testohealth Labs. Ltd — which appears to be a software company — and a firm called Levantos Venture Ltd. Mr. Darbinian did not return messages seeking comment.

Another domain on the list — — is listed as the support and billing site for, a site which bills itself as an “affiliate learning system.” In fact, of the 235 domains registered to, all seem to be either affiliate programs of one kind (diet pills, work-at-home) or support/call center sites.

Dozens of sites like this one are the source of the $9.84 charges.

Dozens of sites like this one are the apparent source of the $9.84 charges. lists on its homepage a company named Lukria, Ltd., and an address at the same London business park as Mr. Darbinian’s companies. If we step through the signup process to become an affiliate at, we can see that everything — from the “online store in a box” to “pay per click extreme” and the tutorial on “how to get FREE web traffic — all retail for….wait for it….$9.84!

Lukria, according to incorporation documents (PDF) purchased from, was created on the same day as Lasorea Ltd., and lists as its director a Sergey Babayan, also from Cyprus. According to the Facebook pages of both Mr. Darbinian and Mr. Babayan, the two men are friends. Mr. Babayan has not responded to requests for comment.

Mr. Babayan’s Facebook profile says he works at a company called Prospectacy Limited, which LinkedIn says is an accounting firm in Nicosia, Cyprus. According to Prospectacy’s Web site, this company specializes in “corporate services,” including “company formation,” “banking,” and “virtual office” services. The company seems to be in the business of establishing offshore firms; according to a reverse WHOIS record lookup from, the email address used to register Prospectacy’s domain also was used to register at least ten other domains, including,, and

A number of these affiliate sites include on their home page links to, a Southborough, Mass. based acquiring bank Malta-based acquiring bank that is in the business of processing credit and debit card payments for merchants. It’s not clear whether either or use Credorax Inc. for payment processing, but it seems to suggest that by association. I reached out to Credorax to learn whether this site (and perhaps others that are the subject of this story) are customers, and will update this story if I hear back from them.

Update, 12:43 p.m. ET: I heard from Michael Burtscher, vice president of acquiring risk and fraud management at Credorax. Burtscher clarified that his company has offices in the U.S. but is based in Malta. Burtscher confirmed that Credorax had until recently helped to process cards for the network of sites named in this story, but that the company has severed that relationship. He declined to say when exactly the relationship ended, or indeed whether my information about the client’s identities was accurate. Burtscher would only say that Credorax terminated its relationship with the client in response to consumer complaints about the fraudulent charges. “This was one of those cases where when we onboarded them it looked like a legitimate account, but when we saw there were issues we decided to take action.”

Continue reading →

Jul 13

Hacker Ring Stole 160 Million Credit Cards

U.S. federal authorities have indicted five men — four Russians and a Ukrainian – for allegedly perpetrating many of the biggest cybercrimes of the past decade, including the theft of more than 160 million credit card numbers from major U.S. retailers, banks and card processors.

The gang is thought to be responsible for the 2007 breach at credit card processor Heartland Payment Systems that exposed some 130 million card numbers, as well as the 2011 breach at Global Payments that involved nearly a million accounts and cost the company almost $100 million.

Federal prosecutors in New Jersey today called the case the largest hacking scheme ever prosecuted in the U.S. Justice Department officials said the men were part of a gang run by Albert “Soupnazi” Gonzalez, a hacker arrested in 2008 who is currently serving a 20-year-prison sentence for his role in many of the breaches, including the theft of some 90 million credit cards from retailer TJX.

One of the accused, 27-year-0ld Dmitriy Smilianets, is in U.S. custody. Vladimir Drinkman, 32 of Syktyvkar, Russia, is awaiting extradition to the United States. Three others named in the indictments remain at large, including Aleksandr Kalinin, 26 of St. Petersburg; 32-year-old Roman Kotov from Moscow; and Mikhail Rytikov, 26, of Odessa, Ukraine.

According to the government’s indictment, other high-profile heists tied to this gang include compromises at:

Hannaford Brothers Co: 2007, 4.2 million card numbers

Carrefour S.A.: 2007, 2 million card numbers

Commidea Ltd.: 2008, 30 million card numbers

Euronet: 2010, 2 million card numbers

Visa, Inc.: 2011, 800,000 card numbers

Discover Financial Services: 500,000 Diners card numbers

In addition, the group is being blamed for breaking into and planting malware on the networks of NASDAQ, 7-Eleven, JetBlue, JCPenny, Wet Seal, Dexia, Dow Jones, and Ingenicard.

The hackers broke into their targets using SQL injection attacks, which take advantage of weak server configurations to inject malicious code into the database behind the public-facing Web server. Once inside, the attackers can upload software and siphon data.

The government’s indictment alleges that the thieves were at times overwhelmed by the sheer amount of data yielded by their SQL attacks.  On Aug. 12, 2007, Kalinin allegedly sent Gonzalez  an instant message that he’d just gained access to 30 SQL servers on NASDAQ’s network, but hadn’t yet cracked the administrator passwords that secured the data inside. “These [databases] are hell big and I think most of info is trading histories.” On Jan. 9, 2008, after Gonzalez offered to help attack the trading floor’s computer systems, Kalinin allegedly messaged back, “NASDAQ is owned.”

Continue reading →

Aug 10

Texas Firm Blames Bank for $50,000 Cyber Heist

A business telephone equipment company in Texas is trying to force its bank to settle a liability claim over an attack by organized cyber thieves last year that cost the company $50,000.

Attorneys for Dallas-based Hi-Line Supply Inc. recently convinced a state court to require depositions from officials at Community Bank, Inc. of Rockwall, Texas. Hi-Line requested the sworn statements to learn more about what the bank knew in the time surrounding Aug. 20, 2009, when crooks broke into the company’s online bank accounts and transferred roughly $50,000 to four individuals across the country who had no prior business with Hi-Line.

While the contents of that deposition remain closed under a confidentiality order, Hi-Line’s lawyers say the information gleaned in the interviews shows serious security missteps by Community Bank, and that they are ready to sue if the bank does not offer a settlement.

“In the event Community Bank refuses to resolve this matter, now that we have uncovered some of the information obtained by virtue of the court’s order, Hi-Line intends to assert claims for misrepresentation, violations of the Texas Deceptive Trade Practices Act, fraud, and breach of warranties, among other things,” said Michael Lyons, a partner with the Dallas law firm Deans Lyons.

Hi-Line president Gary Evans said the fraud began on Thursday, Aug. 20, about the same time the company processes its normal $25,000 payroll. After Hi-Line submitted that batch of payments to its bank, the unknown intruders attempted two more transfers of nearly identical amounts on Friday and the following Monday, Aug. 24.

Continue reading →