Webmoney by wallet
Posts Tagged: webmoney
Cards Stolen in Target Breach Flood Underground Markets
Credit and debit card accounts stolen in a recent data breach at retail giant Target have been flooding underground black markets in recent weeks, selling in batches of one million cards and going for anywhere from $20 to more than $100 per card, KrebsOnSecurity has learned.
Prior to breaking the story of the Target breach on Wednesday, Dec. 18, I spoke with a fraud analyst at a major bank who said his team had independently confirmed that Target had been breached after buying a huge chunk of the bank's card accounts from a well-known "card shop" - an online store advertised in cybercrime forums as a place where thieves can reliably buy stolen credit and debit cards.
There are literally hundreds of these shady stores selling stolen credit and debit cards from virtually every bank and country. But this store has earned a special reputation for selling quality "dumps," data stolen from the magnetic stripe on the backs of credit and debit cards. Armed with that information, thieves can effectively clone the cards and use them in stores. If the dumps are from debit cards and the thieves also have access to the PINs for those cards, they can use the cloned cards at ATMs to pull cash out of the victim's bank account.
At least two sources at major banks said they'd heard from the credit card companies: More than a million of their cards were thought to have been compromised in the Target breach. One of those institutions noticed that one card shop in particular had recently alerted its loyal customers about a huge new batch of more than a million quality dumps that had been added to the online store. Suspecting that the advertised cache of new dumps were actually stolen in the Target breach, fraud investigators with the bank browsed this card shop's wares and effectively bought back hundreds of the bank's own cards.
When the bank examined the common point of purchase among all the dumps it had bought from the shady card shop, it found that all of them had been used in Target stores nationwide between Nov. 27 and Dec. 15. Subsequent buys of new cards added to that same shop returned the same result.
On Dec. 19, Target would confirm that crooks had stolen 40 million debit and credit cards from stores nationwide in a breach that extended from Nov. 27 to Dec. 15. Not long after that announcement, I pinged a source at a small community bank in New England to see whether his institution had been notified by Visa or MasterCard about specific cards that were potentially compromised in the Target breach.
This institution has issued a grand total of more than 120,000 debit and credit cards to its customers, but my source told me the tiny bank had not yet heard anything from the card associations about specific cards that might have been compromised as a result of the Target breach. My source was anxious to determine how many of the bank's cards were most at risk of being used for fraud, and how many should be proactively canceled and re-issued to customers. The bank was not exactly chomping at the bit to re-issue the cards; that process costs around $3 to $5 per card, but more importantly it did not want to unnecessarily re-issue cards at a time when many of its customers would be racing around to buy last-minute Christmas gifts and traveling for the holidays.
On the other hand, this bank had identified nearly 6,000 customer cards - almost 5 percent of all cards issued to customers - that had been used at Target stores nationwide during the breach window described by the retailer.
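The common-point-of-purchase check the big bank ran on its bought-back cards, followed by the exposure count the small bank made for the same merchant and window, as an added example that is not part of the original article. The ledger, card tokens, merchant names and function names are all constructed for illustration.

```python
from collections import defaultdict
from datetime import date

# Constructed sample ledger: (card_token, merchant, purchase_date).
# Tokens stand in for an issuer's internal card references; no real card data.
LEDGER = [
    ("c01", "BigBox Retail", date(2013, 11, 29)),
    ("c01", "Corner Fuel", date(2013, 11, 20)),
    ("c02", "BigBox Retail", date(2013, 12, 3)),
    ("c02", "Corner Fuel", date(2013, 12, 1)),
    ("c03", "BigBox Retail", date(2013, 12, 14)),
    ("c03", "Online Books", date(2013, 12, 2)),
    ("c04", "BigBox Retail", date(2013, 12, 8)),   # exposed, not yet seen for sale
    ("c04", "Corner Fuel", date(2013, 12, 9)),
    ("c05", "BigBox Retail", date(2013, 10, 30)),  # same merchant, outside the window
    ("c05", "Corner Fuel", date(2013, 12, 5)),
    ("c06", "Corner Fuel", date(2013, 12, 6)),
    ("c06", "Online Books", date(2013, 12, 10)),
]
# Constructed: the issuer's cards that were confirmed as being offered for sale.
KNOWN_COMPROMISED = {"c01", "c02", "c03"}


def rank_common_points(ledger, compromised):
    """Score every merchant touched by a compromised card.

    coverage: share of compromised cards that were used at the merchant.
    lift:     coverage divided by the share of ALL cards used there, so a
              merchant everybody visits does not look suspicious by itself.
    window:   first and last date a compromised card was used there; this is
              the observed span, a lower bound on the real exposure window.
    """
    all_cards = {card for card, _, _ in ledger}
    seen_by = defaultdict(set)      # merchant -> every card seen there
    hit_dates = defaultdict(list)   # merchant -> dates of compromised-card use
    for card, merchant, day in ledger:
        seen_by[merchant].add(card)
        if card in compromised:
            hit_dates[merchant].append(day)

    results = []
    for merchant, days in hit_dates.items():
        hits = seen_by[merchant] & compromised
        coverage = len(hits) / len(compromised)
        base_rate = len(seen_by[merchant]) / len(all_cards)
        results.append({
            "merchant": merchant,
            "coverage": coverage,
            "lift": coverage / base_rate,
            "window": (min(days), max(days)),
        })
    # Best candidate first: full coverage beats partial, lift breaks ties.
    results.sort(key=lambda r: (r["coverage"], r["lift"]), reverse=True)
    return results


def exposed_cards(ledger, merchant, window, compromised):
    """Cards used at the merchant inside the window that are not yet known
    to be compromised: the re-issue candidates."""
    start, end = window
    at_risk = {card for card, m, day in ledger
               if m == merchant and start <= day <= end}
    return sorted(at_risk - set(compromised))


def analyze(ledger, compromised):
    """Return the top common point of purchase and the cards exposed there."""
    ranked = rank_common_points(ledger, compromised)
    if not ranked:
        return None, []
    top = ranked[0]
    return top, exposed_cards(ledger, top["merchant"], top["window"], compromised)


if __name__ == "__main__":
    top, at_risk = analyze(LEDGER, KNOWN_COMPROMISED)
    print(top["merchant"], f"coverage={top['coverage']:.0%}",
          f"lift={top['lift']:.2f}", top["window"])
    print("re-issue candidates:", at_risk)
```

Once the merchant publishes the breach window, passing those dates to `exposed_cards` in place of the observed span gives the full exposure count.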
"Nobody has notified us," my source said. "Law enforcement has not said anything, our statewide banking associations have not sent anything out... nothing. Our senior legal counsel today was asking me if we have positive confirmation from the card associations about affected cards, but so far we have not gotten anything."
When I mentioned that a big bank I'd spoken with had found a 100 percent overlap with the Target breach window after purchasing its available cards off a particular black market card shop called Rescator [dot] la, my source at the small bank asked would I be willing to advise his fraud team on how to do the same?
Ultimately, I agreed to help in exchange for permission to write about the bank's experience without actually naming the institution. The first step in finding any of the bank's cards for sale was to browse the card shop's remarkably efficient and customer-friendly Web site and search for the bank's "BINs"; the Bank Identification Number is merely the first six digits of a debit or credit card, and each bank has its own unique BIN or multiple BINs.
According to the "base" name for all stolen cards sold at this card shop, the proprietor sells only cards stolen in the Target breach.
A quick search on the card shop for the bank's BINs revealed nearly 100 of its customers' cards for sale, a mix of MasterCard dumps ranging in price from $26.60 to $44.80 apiece. As one can imagine, this store does not let customers pay for purchases with credit cards; rather, customers can "add money" to their accounts using a variety of irreversible payment mechanisms, including virtual currencies like Bitcoin, Litecoin, WebMoney and PerfectMoney, as well as the more traditional wire transfers via Western Union and MoneyGram.
With my source's newly registered account funded via wire transfer to the tune of USD $450, it was time to go shopping. My source was not prepared to buy up all of the available cards that match his institution's BINs, so he opted to start with a batch of 20 or so of the more recently-issued cards for sale.
An Anti-Fraud Service for Fraudsters
Many online businesses rely on automated fraud detection tools to weed out suspicious and unauthorized purchases. Oddly enough, the sorts of dodgy online businesses advertised by spam do the same thing, only they tend to use underground alternatives that are far cheaper and tuned to block not only fraudulent purchases, but also "test buys" from security researchers, law enforcement and other meddlers.
One anti-fraud measure commonly used in e-commerce is the address verification service (AVS), which seeks to verify the address of a person claiming to own a credit card. Some businesses employ additional "geo-IP" checks, which try to determine the geographical location of Website visitors based on their Internet addresses, and then match that with the billing address provided by the customer.
The trouble with these services is that they can get pricey in a hurry, and they're often sold by the very companies that spammers are trying to outsmart. Enter services like Fraudcheck [dot] cc. This service, run by an established spammer on a semi-private cybercrime forum, performs a multitude of checks on each transaction, apparently drawing on accounts from different, legitimate anti-fraud services. It accepts payment solely via WebMoney, a virtual currency that is popular in Russia and Eastern Europe.
Fraudcheck [dot] cc resells bundles of anti-fraud services from legitimate providers like MaxMind.
This fraudster-friendly antifraud service does the following analysis:
- Queries the geo-IP location from four distinct sources;
- Calculates the billing ZIP code distance from the customer's geo-IP coordinates;
- Checks the customer's Internet address against lists of known proxies that are used to mask an Internet user's true location, and assigns a "risk score" of zero to 4.2 (the higher the number, the greater the certainty that the purchase was made via a proxy);
- Generates a "fraud score" from 0-100 to rate the riskiness of the transaction (100 being the riskiest).
The bulk of the fraud checks appear to be conducted through [hijacked?] accounts at MaxMind.com, a Waltham, Mass. company that screens more than 45 million online transactions per month for 7,000 companies. MaxMind sells a suite of legitimate anti-fraud solutions, including two specifically called out in the screen shot above (minFraud and GeoIP).
As detailed in this white paper (PDF), MaxMind's minFraud service checks for a number of potential risk factors, such as whether the customer is using a free Webmail account, or there is a mismatch in the shipping and billing address. It also looks to see whether the customer is paying with a card from a known bank. Failure to identify a "bank identification number" (BIN) - the first six digits of any card - may indicate the customer is paying with a prepaid card and thus trying to mask their identity or location.
Based on the combined results of these tests, MaxMind's service will assign a "fraud score" from 0 to 100, indicating the service's best guess about whether the transaction should be allowed or declined. In the example from the screenshot above, it's not clear why the service assigned such a high fraud score (96.84) to the transaction in question - perhaps because the service could not identify the bank that issued the card used in the transaction and determined that it was a prepaid card.
Experian Sold Consumer Data to ID Theft Service
An identity theft service that sold Social Security and drivers license numbers - as well as bank account and credit card data on millions of Americans - purchased much of its data from Experian, one of the three major credit bureaus, according to a lengthy investigation by KrebsOnSecurity.
Superget.info home page
In November 2011, this publication ran a story about an underground service called Superget.info, a fraudster-friendly site that marketed the ability to look up full Social Security numbers, birthdays, drivers license records and financial information on millions of Americans. Registration was free, and accounts were funded via WebMoney and other virtual currencies that are popular in the cybercriminal underground.
Each SSN search on Superget.info returned consumer records that were marked with a set of varying and mysterious two- and three-letter "sourceid:" identifiers, including "TH," "MV," and "NCO," among others. I asked readers who may have a clue about the meaning or source of those abbreviations to contact me. In the weeks following that post, I heard from many readers who had guesses and ideas, but none who seemed to have conclusive information.
That changed in the past week. An individual who read a story about the operators of a similar ID theft service online having broken into the networks of LexisNexis and other major data brokers wrote to say that he'd gone back and reviewed my previous stories on this topic, and that he'd identified the source of the data being resold by Superget.info. The reader said the abbreviations matched data sets produced by Columbus, Ohio-based USInfoSearch.com.
Contacted about the reader's claim, US Info Search CEO Marc Martin said the data sold by the ID theft service was not obtained directly through his company, but rather via Court Ventures, a third-party company with which US Info Search had previously struck an information sharing agreement. Martin said that several years ago US Info Search and CourtVentures each agreed to grant the other company complete access to its stores of information on US consumers.
Founded in 2001, Court Ventures described itself as a firm that "aggregates, repackages and distributes public record data, obtained from over 1,400 state and county sources." Cached, historic copies of courtventures.com are available through archive.org.
THE ROLE OF EXPERIAN
In March 2012 Court Ventures was purchased by Costa Mesa, Calif.-based Experian, one of the three major consumer credit bureaus. According to Martin, the proprietors of Superget.info had gained access to Experian's databases by posing as a US-based private investigator. In reality, Martin said, the individuals apparently responsible for running Superget.info were based in Vietnam.
Martin said he first learned of the ID theft service after hearing from a US Secret Service agent who called and said the law enforcement agency was investigating Experian and had obtained a grand jury subpoena against the company.
The "sourceid" abbreviations pointed toward Court Ventures.
While the private investigator ruse may have gotten the fraudsters past Experian and/or CourtVentures' screening process, according to Martin there were other signs that should have alerted Experian to potential fraud associated with the account. For example, Martin said the Secret Service told him that the alleged proprietor of Superget.info had paid Experian for his monthly data access charges using wire transfers sent from Singapore.
"The issue in my mind was the fact that this went on for almost a year after Experian did their due diligence and purchased" Court Ventures, Martin said. "Why didn't they question cash wires coming in every month? Experian portrays themselves as the databreach experts, and they sell identity theft protection services. How this could go on without them detecting it I do not know. Our agreement with them was that our information was to be used for fraud prevention and ID verification, and was only to be sold to licensed and credentialed US businesses, not to someone overseas."
Experian declined multiple requests for an interview. But in a written statement provided to KrebsOnSecurity, Experian acknowledged the broad outlines of Martin's story and said it had worked with the Secret Service to bring a Vietnamese national to justice in connection with the online ID theft service. Their statement is as follows:
"Experian acquired Court Ventures in March, 2012 because of its national public records database. After the acquisition, the US Secret Service notified Experian that Court Ventures had been and was continuing to resell data from US Info Search to a third party possibly engaged in illegal activity. Following notice by the US Secret Service, Experian discontinued reselling US Info Search data and worked closely and in full cooperation with law enforcement to bring Vietnamese national Hieu Minh Ngo, the alleged perpetrator, to justice. Experian's credit files were not accessed. Because of the ongoing federal investigation, we are not free to say anything further at this time."
Styx Crypt Makers Push DDoS, Anti-Antivirus Services
I recently published a piece that examined the role of several Ukrainian men likely responsible for making and marketing the Styx Pack malware exploit kit. Today's post will show how this same enterprise is linked to a DDoS protection scheme and a sprawling cybercrook-friendly malware scanning service that is bundled with Styx-Crypt.
Anonymous antivirus scanning service - captain-checker.com - bundled with Styx.
As I noted in a graphic accompanying a July 8 analysis of Styx, the $3,000 exploit pack includes a built-in antivirus scanning service that employs at least 17 antivirus products. The scanning service is "anonymous," in that it alerts Styx customers whenever one of the antivirus tools detects their malware as such, but the service also prevents the antivirus products from reporting home about the new malware detections.
When Styx customers click on one of these malware scanning reports from within the Styx pack panel itself, the full scanning results are displayed in a new browser window at the domain Captain-checker [dot] com (see screenshot above). The Styx panel that I examined earlier this month was based at the Internet address 18.104.22.168, and was reachable only by appending the port number 10665 to the numeric address. At first, I thought this might be a standard port used by Styx installations but that turns out not to be the case, according to interviews with other researchers. I did not realize it at the time, but now I'm thinking it's likely that the panel I examined was actually one run by the Styx Pack curators themselves.
I discovered that although captain-checker [dot] com is hosted at another address (22.214.171.124), it also had this 10665 port open. I noticed then that captain-checker shares that server with 12 other Web sites. All of those sites also respond on port 10665, each revealing a captain-checker login page. Among the 12 is Uptimer [dot] biz, one of two sites that led to the identity of Alexander "Nazar" Nazarenko - one of the main marketers and sellers of Styx pack.
Not only are all of these sites on the same server, an Nmap scan of these systems shows that they all are on the same Windows workgroup - "Reality7." This dovetails nicely with the other domain that I noted in that July 10 story as tied to Nazarenko - Reality7solutions [dot] com.
Many of the other domains on the server (see graphic to the left) use some variation of the word "wizard," and share a Google Analytics code, UA-19307857. According to SameID.net, this code is embedded in the homepage for at least 38 different Web sites.
In my previous story on Nazarenko and his Styx Pack business partner - Max "Ikar" Gavryuk - I noted that both men were advertising "Reality Guard," a service to help protect clients from distributed denial-of-service (DDoS) attacks designed to knock sites offline. I had a closer look at their site - Reality-guard [dot] com - and learned several interesting things: For starters, the site also responds with a captain-checker [dot] com login page when you append ":10665" to the domain name. It also is on a Microsoft Windows workgroup called "Reality7". Finally, the reality-guard [dot] com home page includes an icon for virtual currency Webmoney that when hovered over pops up Nazar's Webmoney account (someone changed the name on this account from "Nazar" to "Lives" within hours after my July 10 story on the Styx Pack purveyors).
Who's Behind The Styx-Crypt Exploit Pack?
Earlier this week I wrote about the Styx Pack, an extremely sophisticated and increasingly popular crimeware kit that is being sold to help miscreants booby-trap compromised Web sites with malware. Today, I'll be following a trail of breadcrumbs that leads back to central Ukraine and to a trio of friends who appear to be responsible for marketing (if not also making) this crimeware-as-a-service.
As I noted in Monday's story, what's remarkable about Styx is that while most exploit kits are sold on private and semi-private underground forums, Styx has been marketed and sold via a regular Web site: styx-crypt [dot] com. The peddlers of this service took down their site just hours after my story ran, but versions of the site cached by archive.org hold some important clues about who's responsible for selling this product.
At the bottom of the archived styx-crypt homepage, we can see two clickable banners for an account at virtual currency Webmoney to which potential customers of Styx will need to send money in order to purchase a license for the software. The Webmoney account #268711559579 belongs to a Webmoney Purse number Z268711559579. Follow that link and you'll see that the registered username attached to that purse is "Ikar." If we look closer we can see that Ikar's Webmoney purse is connected to another purse at Webmoney account 317426476957, which is this purse belonging to a user named "Nazar." (Update: July 11, 10:14 pm: Both Ikar and Nazar changed the names on their Webmoney accounts after this story ran. Thankfully, archive.org cached the old data. The links to the purses above have been changed accordingly.)
Both Ikar and Nazar are nicknames that were used in Styx sales threads on several underground forums, including damagelab [dot] org, secnull [dot] cc and antichat [dot] ru. In these threads, Ikar used the contact address "Ikar@core.im", while Nazar listed "Nazar@hush.ai". Both addresses are associated with forum accounts named "Ikar" and "Renzor" (for examples, see this cached, Google-Translated page from Renzor's account on antichat.ru, and this cached page from secnull [dot] cc). Nazar's address is linked to a "Max Lighter" profile on Facebook, but not much more information is available on that profile.
Ikar@core.im does not appear to be connected to anything special, but Nazar's address was used as the point-of-contact in registering two very interesting domains: Reality7solutions.com and Uptimer.biz. Looking at the familiar wormhole-like squiggly at the top of reality7solutions.com, I noticed it was very similar to the rotating icon (youtube.com video) used by the Styx pack.
Reality7solutions.com's homepage lists an address in the United States for a company called EPAM Systems, which according to the business directory maintained by Hoovers is a public company that specializes in IT outsourcing. Hoovers says the company provides "software development and other IT services to US and European customers primarily from development centers in Russia, Belarus, Hungary, Ukraine, Kazakhstan and Poland."
The ICQ number listed on the homepage of reality7solutions.com belongs to a Website design professional from Khmelnitsky, Ukraine named Stanislav Shangin. If we look at Shangin's personal page where he lists all of the Web sites he's been hired to create, we can see he designed both styx-crypt [dot] com and reality7solutions.com, among dozens of other sites. Shangin did not respond to requests for comment.
Underweb Payments, Post-Liberty Reserve
Following the US government's seizure this week of virtual currency Liberty Reserve, denizens of the cybercrime underground collectively have been progressing through the classic stages of grief, from denial to anger and bargaining, and now grudging acceptance that any funds they had stashed in the e-currency system are likely gone forever. Over the past few days, the top discussion on many cybercrime forums has been which virtual currency will be the safest bet going forward?
As I mentioned in an appearance today on NPR's show On Point, the predictable refrain from many in the underground community has been that the demise of Costa Rica-based Liberty Reserve - and of eGold, eBullion, StormPay and a host of other virtual currencies before it - is the death knell of centrally-managed e-currencies. Just as the entertainment industry's crackdown on music file-sharing network Napster in the late 1990s spawned a plethora of decentralized peer-to-peer (P2P) file-sharing networks, the argument goes, so too does the US government's action against centrally-managed digital currencies herald the ascendancy of P2P currencies - particularly Bitcoin.
Fluctuation in BTC values. Source: Bitcoincharts.com
This knee-jerk reaction is understandable, given that private crime forums are now replete with postings from members who reported losing tens of thousands of LR dollars this week. But as some of the more seasoned and reasoned members of these communities point out, there are several aspects of Bitcoin that make it especially unsuited for everyday criminal commerce.
For one thing, Bitcoin's conversion rate fluctuates far too wildly for communities accustomed to virtual currencies that are tied to the US Dollar: In both Liberty Reserve and WebMoney - a digital currency founded in Russia - one LR or WMZ (the "Z" designation is added to all purses kept in US currency) has always equaled $1 USD.
The following hypothetical scenario, outlined by one member of an exclusive crime forum, illustrates how Bitcoin's price volatility could turn an otherwise simple transaction into an ugly mess for both parties.
"Say I pay you $1k today for a project, and it's late, and you decide to withdraw tomorrow. You wake up and the $1k I just sent you in Bitcoins is now worth just $600. It's not yet stable to be used in such a way."
Another forum member agreed: "BTC on large scale or saving big amounts is a mess because the price changes. Maybe it's only good cashing out," noting WebMoney now allows users to convert Bitcoins into a new unit called WMX.
Others compared Bitcoin to a fashionable high-yield investment program (HYIP), a Ponzi-scheme investment scam that promises unsustainably high return on investment by paying previous investors with the money invested by new investors. As the US government's complaint alleges, dozens of HYIP schemes had a significant amount of funds wrapped up in Liberty Reserve.
"Bitcoin is a trendy HYIP. There are far more stable and attractive currencies to invest in, if you are willing to take the risk," wrote "Off-Sho.re," a bulletproof hosting provider I profiled in an interview earlier this month. "In the legit 'real products' area, which I represent, a very small niche of businesses are willing to accept this form of payment. I understand the drug dealers on Tor sites, since this is pretty much the only thing they can receive without concerns about their identities, but if you sell anything illegal, WMZ should be the choice."
What's more, MtGox - Bitcoin's biggest exchanger and the primary method that users get money into and out of the P2P currency - today posted a note saying that it will now be requiring ID verification from anyone who wants to deposit money with it in order to buy Bitcoins.
A logo from perfectmoney.com
Perhaps the closest competitor to Liberty Reserve and WebMoney - a Panamanian e-currency known as Perfect Money (or just "PM" to many) - appears to have been busy over the past few days seizing and closing accounts of some of its more active users, according to the dozens of complaints I saw on several different crime forums. Perfect Money also announced on Saturday, May 25 that it would no longer accept new account registrations from US citizens or companies.
For now, it seems the primary beneficiary of the Liberty Reserve takedown will be WebMoney. This virtual currency also has barred US citizens from creating new accounts (it did so in March 2013, in apparent response to the US Treasury Department's new regulations on virtual currencies.) Still, WebMoney has been around for so long - and its logo is about as ubiquitous on Underweb stores as the Visa and MasterCard logos are at legitimate Web storefronts - that most miscreants and ne'er-do-wells in the underground already have accounts there.
But not everyone in the underground who got burned by Liberty Reserve is ready to place his trust in yet another virtual currency. The curmudgeon-in-chief on this point is a hacker nicknamed "Ninja," the administrator of Carder.pro - a crime forum with thousands of active members from around the world. Ninja was among the most vocal and prominent doubters that Liberty Reserve had been seized, even after the company's homepage featured seizure warnings from a trio of US federal law enforcement agencies. Ninja so adamantly believed this that, prior to the official press announcements from the US Justice Department on Tuesday, he offered a standing bet of $1,000 to any takers on the forum that Liberty Reserve would return. Only two forum members took him up on the wager.
Now, Ninja says, he's ready to pay up, but he's not interested in buying into yet another virtual currency. Instead, he says he's planning to create a new "carding payment system," one that will serve forum members and be housed at Internet servers in North Korea, or perhaps Iran (really, any country that has declared the United States a sworn enemy would do).
US Government Seizes LibertyReserve.com
Indictment, arrest of virtual currency founder targets alleged "financial hub of the cybercrime world."
US federal law enforcement agencies on Tuesday announced the closure and seizure of Liberty Reserve, an online, virtual currency that the US government alleges acted as "a financial hub of the cyber-crime world" and processed more than $6 billion in criminal proceeds over the past seven years.
After being unreachable for four days, Libertyreserve.com now includes this seizure notice.
The news comes four days after libertyreserve.com inexplicably went offline and newspapers in Costa Rica began reporting the arrest in Spain of the company's founder Arthur Budovsky, a 39-year-old Ukrainian native who moved to Costa Rica to start the business.
According to an indictment (PDF) filed in the US District Court for the Southern District of New York, Budovsky and five alleged co-conspirators designed and operated Liberty Reserve as "a financial hub of the cyber-crime world, facilitating a broad range of online criminal activity, including credit card fraud, identity theft, investment fraud, computer hacking, child pornography, and narcotics trafficking."
The US government alleges that Liberty Reserve processed more than 12 million financial transactions annually, with a combined value of more than $1.4 billion. "Overall, from 2006 to May 2013, Liberty Reserve processed an estimated 55 million separate financial transactions and is believed to have laundered more than $6 billion in criminal proceeds," the government's indictment reads. Liberty Reserve "deliberately attracted and maintained a customer base of criminals by making financial activity on Liberty Reserve anonymous and untraceable."
Despite the government's claims, certainly not everyone using Liberty Reserve was involved in shady or criminal activity. As noted by the BBC, many users - principally those outside the United States - simply viewed the currency as a cheaper, more secure and private alternative to PayPal. The company charged a one percent fee for each transaction, plus a 75 cent "privacy fee" according to court documents.
"It had allowed users to open accounts and transfer money, only requiring them to provide a name, date of birth and an email address," BBC wrote. "Cash could be put into the service using a credit card, bank wire, postal money order or other money transfer service. It was then 'converted' into one of the firm's own currencies - mirroring either the Euro or US dollar - at which point it could be transferred to another account holder who could then extract the funds."
But according to the Justice Department, one of the ways that Liberty Reserve enabled the use of its services for criminal activity was by offering a shopping cart interface that merchant Web sites could use to accept Liberty Reserve as a form of payment (I've written numerous stories about many such services).
"The 'merchants' who accepted LR currency were overwhelmingly criminal in nature," the government's indictment alleges. "They included, for example, traffickers of stolen credit card data and personal identity information; peddlers of various types of online Ponzi and get-rich-quick schemes; computer hackers for hire; unregulated gambling enterprises; and underground drug-dealing websites."
A Liberty Reserve shopping cart at an underground shop that sells stolen credit cards.
It remains unclear how much money is still tied up in Liberty Reserve, and whether existing customers will be afforded access to their funds. At a press conference today on the indictments, representatives from the Justice Department said the Liberty Reserve accounts are frozen. In a press release, the agency did not exactly address this question, saying: "If you believe you were a victim of a crime and were defrauded of funds through the use of Liberty Reserve, and you wish to provide information to law enforcement and/or receive notice of future developments in the case or additional information, please contact (888) 238-0696 or (212) 637-1583."