Explained: Re-shipment scams (work at home) and what they do when they have your credit-card info

Discussion in 'Spyware' started by Some Guy, Jul 12, 2005.

  1. Some Guy

    Some Guy Guest

    Long story, some human-interest junk, some interesting technical
    tid-bits.

    Cross-posted to relevant news groups.

    --------------------------------------

    See also:

    International scam: An inside look at a Nigerian reshipping ring

    http://www.usatoday.com/money/industries/technology/2005-07-11-mules-side-usat_x.htm

    -------------------------------

    Details: How a reshipment gets done

    USA TODAY examined a paper trail of e-mails, letters, credit card
    statements, packing receipts and mailing labels that Karl kept of his
    work as a mule and pieced together this account of an illegal
    reshipment:

    April 18. Someone from a bogus Web site at the center of the scam,
    kflogistics.biz, tests a $1 charge on iWon.com, a prize-giveaway Web
    page, using a Bank One Visa credit card number stolen from Brian
    Spoutz, a 48-year-old San Jose, Calif., software salesman. A Visa
    investigator notified him about the compromised card in May, Spoutz
    says.

    April 20. Kflogistics.biz uses Spoutz's Visa card to place an order at
    Newegg.com for a $2,607 digital camera and extra memory. It directs
    shipment of two separate parcels to a home in Gilroy, Calif.

    April 22. FedEx attempts to deliver the parcels, but the reshipper in
    Gilroy has gotten cold feet and rejects the delivery. Using FedEx's
    online tracking, Michael Birman of kflogistics.biz notes the failed
    delivery, contacts FedEx and redirects delivery to Karl in Grass
    Valley, Calif. Birman then alerts Karl via e-mail to watch for the two
    parcels.

    April 23. Birman goes to USPS.com. Using a hot credit card number,
    Birman purchases a $48 Global Express Mail shipping label addressed to
    Roman Radeckiy in Moscow, then downloads the new label as a JPEG image
    file. Birman attaches the JPEG file to an e-mail to Karl, instructing
    Karl to combine the two parcels into one box, affix the label and mail
    to Radeckiy.

    April 24. FedEx delivers the parcels to Karl in Grass Valley.

    April 27. Karl prints out the JPEG label. Karl repacks the camera and
    memory into one box, affixes the printed JPEG label and completes the
    reshipment.

    "The operation was amazing," says Karl. "It was highly coordinated."

    ---------------------------------

    Cybercrooks lure citizens into international crime

    Posted 7/10/2005 11:08 PM Updated 7/11/2005 4:58 AM
    http://www.usatoday.com/tech/news/2005-07-10-cyber-mules-cover_x.htm

    By Byron Acohido and Jon Swartz, USA TODAY

    GRASS VALLEY, Calif. — To Karl, a 38-year-old former cabdriver hoping
    for a career in real estate sales, the help-wanted ad radiated hope.
    The ad sought "correspondence managers" willing to receive parcels at
    home, then reship them overseas. The pay: $24 a package.

    Karl applied at kflogistics.biz, a fraudulent Web site imitating a
    legitimate site.

    He quickly received an e-mail notifying him he had landed the job,
    followed by instructions on how to take receipt of digital cameras and
    laptop computers, affix new labels and "reship" the items overseas.
    Easy enough.

    Within weeks, he had sent off six packages, including digital cameras
    and computer parts, to various addresses in Russia. Little did Karl
    know he had become an unwitting recruit in a growing scheme to assist
    online criminals, the latest wrinkle in digital fraud that costs
    businesses hundreds of millions of dollars a year.

    Before long, Karl began to feel like Sydney Bristow from the TV show
    Alias, who wrangles her way through dealings with the Eastern European
    underworld. (Fearing possible retaliation, Karl asked that his real
    name not be used for this article.)

    One day, a $4,358 electronic deposit appeared out of nowhere in Karl's
    online bank account, followed by e-mail instructions to keep a small
    amount as pay and wire the rest to Moscow. Then he began receiving
    account statements intended for online banking customers from across
    the USA. Someone had changed the billing addresses for stolen credit
    cards and bank account numbers to his residence in Grass Valley.

    One of the letters was intended for 28-year-old Ryan Sesker of Des
    Moines, letting him know that his credit limit had been raised to
    $5,000 - a request he never made. Around the same time, a USA TODAY
    investigation found, someone accessed Sesker's online banking account
    and extracted $4,300.

    "I thought I could work a few hours a day and make a couple hundred
    bucks, not get sucked into something out of Alias," Karl said later,
    sipping a cup of steamed milk in a sleepy cafe.

    What Karl had become, in fact, was a "mule."

    Karl and other ordinary citizens are being widely recruited by
    international crime groups to serve as unwitting collaborators -
    referred to as mules - in Internet scams to convert stolen personal
    and financial data into tangible goods and cash. Cybercriminals order
    merchandise online with stolen credit cards and ship the goods
    overseas - before either the credit card owner or the online merchant
    catches on. The goods then are typically sold on the black market.

    Mules serve two main functions: They help keep goods flowing through a
    tightly run distribution system, and they insulate their employers
    from police detection.

    To document what such a mule goes through, USA TODAY spent five months
    pursuing leads from law enforcement officials, tech security experts
    and Internet underground operatives. The probe uncovered fresh
    evidence detailing how organized crime groups, such as the one that
    enlisted Karl, operate quietly at the far end of the cybercrime
    pipeline.

    Savvy thieves often keep such rip-offs below $5,000 to avoid detection
    from bank monitors and the FBI. But cumulatively, the thefts reach
    into the hundreds of millions of dollars.

    While e-mail phishers, hackers and insider thieves grab notoriety for
    stealing personal and financial data, these reshipping groups put the
    stolen IDs to use. Security consultant eFunds estimates that
    reshipping rings set up nearly 44,000 post office boxes and
    residential addresses in the USA as package-handling points in 2004,
    up from 5,000 in 2003. And they show no signs of slowing down.

    The dark side of e-commerce

    Consumer-level financial fraud has been around since thieves first
    thought to filch blank checks from mailboxes. The Internet has taken
    it to a new level, not yet fully understood by the general public. By
    many measures, 2005 is shaping up as a watershed year for e-commerce -
    and cybercrime.

    E-commerce has become so accessible and feature-rich that consumers
    take it for granted. Banks have made it easy to execute virtually any
    banking transaction online - from changing a billing address to
    transferring large sums to another account. And the Web makes it
    simple to ship and track parcels.

    Amazon.com alone, celebrating its 10th anniversary, expects to
    approach revenue of $9 billion this year. And online transactions
    overall topped $132 billion in 2004, up 39% from 2003 and 154% from
    2002, according to VeriSign, the top manager of Internet domain names.

    No one really knows how much of the estimated $150 billion worth of
    online transactions this year will be fraudulent, but losses pegged to
    reshipping scams were estimated at $700 million in 2004, up from $500
    million in 2003, according to eFunds.

    The Internet was never envisioned as a secure transactions network, so
    criminals are exploiting its convenience features. Cybercrime has
    morphed into two broad areas of specialization:

    - Hackers, insider thieves and phishing con artists focus on pilfering
    personal and financial data, such as names, addresses, birth dates,
    mothers' maiden names, driver's license numbers, credit card numbers,
    Social Security numbers, log-ons, passwords and personal
    identification numbers.

    - The ID thieves, in turn, supply the stolen data to crime
    organizations. They use the names and account numbers to fleece online
    merchants and banks with the help of unwitting mules.

    "Any of these job postings that get consumers to receive and forward
    packages and/or money are bogus," says Barry Mew, a U.S. postal
    inspector in California.

    Consumers who report false charges typically are reimbursed by the
    banks. But some are drawn into messy identity-theft scams. Law
    enforcement can't keep up, for a variety of reasons.

    The FBI has led sting operations to knock out reshipping gangs in
    Romania and Nigeria. But cabals such as the one that recruited Karl
    thrive in Eastern Europe, Brazil and, most recently, the Philippines.
    They remain mostly out of law enforcement's reach.

    With e-commerce at record levels, the risk of you or someone you know
    getting defrauded online is rising.

    "The fear is if we don't get on top of this and protect the consumer
    better, we'll see more account skimming and deeper kinds of identity
    thefts happen," says George Tubin, senior analyst at banking
    consultant TowerGroup. "The feeling is we're one big headline away
    from catastrophe."

    Luring recruits

    Karl is a case in point.

    The 16-line classified advertisement that appeared April 5 in The
    Union in Grass Valley beckoned like a life preserver: "Look at this!
    WORK at Home! Correspondence manager vacancies. MAIL PACKAGES from
    home without leaving your current job. Easy! Ship parcels from our
    clients. Get Paid $24 per parcel! Info:
    http://kflogistics.biz/vacancies.asp.htm."

    To Karl, the prospect of getting paid to reship packages from home in
    his spare time seemed like a godsend. He had dabbled in online
    marketing and was studying to get his real estate license. Someday he
    hoped to start a small business with his father-in-law and a friend.
    This could tide him over.

    The Union's records show the ad was ordered and paid for online, using
    a credit card with a Milford, Mich., billing address. Chauna Renaud,
    classified ads manager, says that no one from The Union spoke to the
    buyer, who paid $427.97, and that no victim has sought to refute the
    transaction.

    Detective Bill Netherby of the Nevada County Sheriff's Office says the
    ad almost certainly was paid for with a stolen credit card number.

    The scheme pushed by companies such as kflogistics.biz put a new twist
    to an old ruse.

    Merchants have long been wary of shipping expensive goods overseas.
    But thieves know that once an online transaction is approved,
    shipments inside the USA receive scant scrutiny, especially during
    high-traffic times such as Christmas and other gift-giving holidays,
    says Julie Fergerson, vice president of eFunds and co-chair of the
    Merchant Risk Council, an industry group battling online fraud.

    So they've taken to recruiting U.S.-based citizens, whose homes
    function as drop points.

    There likely are dozens of such reshipping operations in existence,
    though no one has precise figures. In its investigation, USA TODAY
    with the help of law enforcement officials, postal inspectors and
    computer security experts identified 21, most with polished Web sites
    and slick online job-application programs. Reshipping groups appear to
    be using stolen credit cards to finance most of their operations.

    USA TODAY's investigation also found that reshipping groups recruit
    mules on popular employment Web sites, such as Monster.com and
    CareerBuilder.com, order goods from e-merchants large and small, and
    even pay for shipping via online services designed to streamline
    credit card transactions. FBI Supervisory Special Agent Dale Miskell,
    a cybercrime specialist, and other fraud inspectors confirmed USA
    TODAY's findings.

    A reshipping group going by the name U.S. Mail Service last February,
    for instance, used a credit card to pay $97 for a three-month ad on
    Jobfinder.com. Jobfinder CEO David Lizmi could not confirm that a
    stolen card number was used. But fraud inspectors say reshipping
    groups routinely pay for ads with stolen account numbers. Lizmi says
    he pulled the ad after receiving a complaint. U.S. Mail Service never
    contacted him for a refund, and no one has stepped forward to dispute
    the payment. Someone using the name Anna Davis and describing herself
    as a manager at U.S. Mail Service did not respond to questions from
    USA TODAY in e-mail messages.

    Monster.com and CareerBuilder.com say they deploy teams to screen ads,
    investigate complaints and educate customers about scams. But
    reshippers are adept at skirting such defenses by changing names and
    Web sites every few months. "They are so good at sneaking things
    through," says Michele Pearl, vice president of compliance at
    Monster.com.

    "Nothing can be done to prevent this type of ad from happening,"
    contends Lizmi. "I would have to hire 20 people to contact every
    company individually and vouch for their ID."

    Cheap and easy Web sites

    Mule recruiters typically direct job applicants to well-crafted
    company Web sites. Web site domain names can be purchased for $6 a
    month; space on computer servers to collect data from job applicants,
    $15 a month. As long as the credit card payment gets approved, no
    questions are asked.

    "Registering a domain name and putting up a Web site to perpetrate
    these schemes is easy and cheap," says Joe Stewart, an analyst at
    Lurhq, which provides computer security for businesses.

    "Just fill in the information, use a credit card to pay, and you're up
    and running in less than half an hour," says Stewart.

    Kflogistics.biz, for instance, registered its domain name and launched
    its Web site last April, around the time the Grass Valley newspaper
    published the help-wanted ad.

    The site almost certainly has been operating under other names. A
    similar package-reshipping recruiter, westernforce.biz, for a time
    used the same Internet protocol address as kflogistics.biz. "So
    they've moved on to a different name, but I bet it's the same people,"
    Stewart says.

    The name kflogistics.biz, in fact, imitates an existing Web site,
    kflogistics.com, registered by a legitimate El Paso freight-forwarding
    company. The copycat Web site lists someone calling himself Michael
    Birman as the registrant, with a New York mailing address and phone
    number. The last two letters of Birman's listed e-mail address
    indicate kflogistics.biz has a Russian base.

    Attempts to contact Birman and kflogistics.biz were unsuccessful. Most
    Web site registration data are "almost certainly bogus," says Stewart.
    "It would be stupid for them to use real information. There's no need
    to."

    Hungry job applicants

    Recruiters are being drawn to a U.S. job market teeming with
    unemployed and underemployed able-bodied citizens hungry to earn extra
    income, says Paul Krenn, a spokesman for the United States Postal
    Inspection Service.

    "This crime is driven by desperate people looking for jobs," Krenn
    says. "Most of them don't ask questions."

    Irene Rodriquez, 38, a longtime bulk-mail handler from San Jose,
    Calif., regularly surfed employment Web sites, such as Monster.com and
    CareerBuilder.com, partly owned by Gannett, USA TODAY's parent,
    looking for opportunities to earn extra income. Hoping to pay for her
    daughter's senior prom gown, Rodriquez last February responded to a
    U.S. Mail Service pitch she spotted on Jobfinder.com. U.S. Mail
    offered $30 to $50 per reshipped package.

    "When you see a job listed on a respected Web site, you think it's
    legitimate," says Rodriguez. "I thought this was a legal company."

    About the same time, Lynn Malito, 46, a single mother of two, got laid
    off from her job as a dispatcher for a trucking company in Memphis.
    Malito says she responded to an online ad on Monster.com to handle
    reshipping chores for CNetExpress whose name mimics online media
    company CNet. She considered a similar job offer she found on
    Monster.com from something called TSR Corp.

    Karl, Rodriquez and Malito all ended up working as reshipping mules,
    but they cut off their activities and reported their experiences to
    authorities after becoming suspicious about the work. "It petrified
    me," says Malito. "I thought I was going down, getting arrested, for
    my role in this."

    Only the most egregious mules run the risk of going to jail. As a
    former federal cybercrimes prosecutor, Paul Luehr let go a number of
    mules he had tracked down, "because we could uncover little or no
    evidence of their criminal intent." Luehr, now general counsel at tech
    consultant Stroz Friedberg, says the naive reshippers "thought they
    had a regular job."

    Often the easy tracking ends at the mule's U.S. residence. Once the
    item or cash moves overseas, diplomatic protocols and differing
    cultural priorities can quickly turn the trail cold, says Luehr.

    U.S. and foreign authorities have tracked down and arrested reshipping
    group leaders in Nigeria, Ghana and Romania. But those were
    comparatively small-scale operations.

    "It's like a high-end fencing operation," says John Pironti, a
    security consultant at Unisys who specializes in bank systems. "The
    idea is to move this stuff overseas and remove traceability even
    further."

    Goods on the move

    In Karl's case, he cooperated with police and won't be prosecuted. His
    cooperation came after a three-week period in April when Karl
    reshipped half a dozen parcels for kflogistics.biz. He followed e-mail
    instructions from someone who identified himself as Michael Birman,
    the same name listed as the Web site's domain registrant.

    Occasionally, Karl spoke by phone with Birman, who once boasted to
    Karl that he managed a network of 200 people.

    Karl might have continued as a reshipper had Birman paid him $24 a
    parcel as promised. Instead, Birman tried to manipulate Karl into
    deeper activities. Things began to unravel in early May once Karl
    began to press Birman for a paycheck.

    Birman responded by asking Karl if he had an online account at Chase
    Bank, Citibank or Washington Mutual into which kflogistics.biz could
    deposit his pay. Fraud inspectors say this indicates Birman already
    had fraudulent access to a portfolio of online accounts in those banks
    and was maneuvering to sweep Karl's account into the mix.

    Karl balked at first, but after discussing the matter with his bank
    manager, he gave Birman the routing and account numbers for his
    checking account at the Nevada City branch of Bank of America. The
    bank manager, Paul Shelton, promised Karl that he would keep an eye on
    the account.

    Frozen funds

    A few days later, on May 5, an unusual deposit of $4,358 was made into
    Karl's checking account. The funds came from Chase. "It caught my eye
    because it was an electronic credit card transfer," Shelton says.
    "That's not something you see every day."

    That night, Karl was contacted by someone identifying himself as
    George Selembo, financial supervisor for kflogistics.biz. USA TODAY
    located another George Selembo, 55, this one a quality-control
    inspector in Greensburg, Pa., who had once been a victim of ID theft.

    In 2003, a cyberthief electronically transferred $8,000 from Selembo's
    Citibank Visa credit card to an overseas account. An additional $2,500
    was withdrawn from his First Commonwealth bank account. No one was
    ever arrested, though the money was insured. Selembo spent six months
    resolving the matter. "Now you're saying that someone may be posing as
    me?" Selembo said in a phone interview. "Wow!"

    Via e-mail, the supervisor calling himself George Selembo instructed
    Karl to "please withdraw the whole amount" and send $4,011 via Western
    Union to Andrey Jaremchuk in St. Petersburg, Russia. Karl could keep
    the remainder as pay.

    "It set off an alarm. Something was definitely wrong," Karl says. "I
    didn't take any of the money. I knew it was time to call the police."

    Karl reported the matter to the Nevada County Sheriff. Shelton, his
    banker, froze the $4,358. That triggered an acrimonious e-mail from
    Selembo.

    "What?!!?? Give me the bank's(sic) manager phone. How long do they
    plan to keep your money frozen???" Selembo said in an e-mail sent to
    Karl the night of Friday May 6.

    On Monday afternoon, May 9, a male caller reached Shelton on the
    phone. The banker doesn't recall how the caller, who spoke with a
    heavy accent, identified himself. The caller claimed to have been
    cheated out of $4,300 by Karl and asked Shelton to return the funds.
    Shelton advised the caller to file a police report - and never heard
    from him again.

    The next day, Karl received a final e-mail from Selembo: "I tried
    calling you a LOT of times. Reached only voicemail. When will you be
    home?" Karl turned the e-mail over to authorities.

    "They made it clear they wanted the money withdrawn," a nervous Karl
    recalls. "It began to freak me out. The tone of the messages was more
    threatening. I just wanted them to leave me alone."

    The $4,358 remains frozen in Karl's Bank of America account pending a
    request from Chase, the bank that made the credit card transfer, for
    its return, says Shelton. "If they don't ask for it back, it's going
    to stay there forever," he says.

    Chase declined interview requests. "Chase in addition to other banks
    and merchants are working with law enforcement and can't comment on
    this because of an ongoing investigation," said spokesman David
    Chamberlin.

    Still useful

    Kflogistics.biz wasn't done with Karl. In late April, he had begun
    receiving letters intended for online banking customers from all
    around the nation. The letters - account statements, notices of credit
    limit increases and discrepancy warnings - kept coming through June,
    long after Karl broke off communications with Birman and Selembo.

    Karl was still useful: They could use his mailing address as a drop
    point for account statements linked to hot accounts. One of the first
    things reshippers usually do upon gaining access to an online account
    is change the billing address, says postal inspector Mew.

    And often, the reshipper will change a billing address to a given
    mule's, then ship goods to that mule to make it seem as if the card
    holder is ordering goods for himself, says Luehr, the former
    prosecutor.

    One letter Karl received shed light on how the $4,358 credit card
    transfer was executed. The letter, dated May 5, was a notice from
    Chase to Visa card holder Ryan Sesker of Des Moines. Chase notified
    Sesker that his request for a credit limit increase to $5,000 from
    $3,500 had been approved.

    But Sesker never made such a request. In fact, he says, he rarely used
    his Chase Visa card. The last two transactions came in early 2004,
    when he made online purchases of a computer printer and a Valentine's
    Day gift. By March 2005, Sesker had paid the balance down to zero, so
    the account wasn't at the top of his mind.

    Stolen ID pool

    Sesker, who works as a banking loan officer, didn't know his account
    had been broken into until he was contacted by USA TODAY in late May.
    To determine whether an e-mail virus or Web-browser spyware had
    anything to do with the break-in, USA TODAY asked PlumChoice, an
    online computer repair service, to scan Sesker's Windows XP laptop
    computer.

    Simply opening infected e-mail attachments or clicking on a contagious
    Web site can result in the automatic installation of malicious
    programs that help funnel personal data into the growing pool of
    stolen IDs for sale on the Internet.

    "We didn't find any evidence of software or other types of malicious
    codes that was a cause of his losing the credit card," says Ted Werth,
    president of PlumChoice.

    That meant the breach of Sesker's account most likely stemmed from his
    online purchases, says forensics expert Stewart. An insider thief may
    have extracted account information from the e-merchant's customer
    database and sold Sesker's data on the open market, where
    kflogistics.biz purchased it. Or a cyber-intruder could have cracked
    into the customer database over the Internet, perhaps using a
    technique that probes for weaknesses in e-merchants' shopping-cart
    programs.

    "Shopping carts interact with customers' databases, so you can inject
    extra commands, like 'Tell me all about the last 50 transactions,' "
    says Stewart.

    Upon notifying Chase of the break-in, Sesker learned someone had not
    only changed his billing address, but also the date of birth and
    mother's maiden name associated with his account. About a week after
    Chase approved the credit limit boost to $5,000, the bank next
    approved an electronic credit card transfer of $4,300 to a different
    account - the same kind of transfer that moved $4,358 from a Chase
    credit card account into Karl's Bank of America checking account.

    Chase declined to tell Sesker whom the funds were transferred to. The
    bank indicated he will not be held responsible and asked him if he
    would like a new Visa credit card number. Sesker declined.

    Had he not noticed the breach for a couple of months, Sesker's credit
    might have become tainted, putting his career as a banking loan
    officer at risk; a clean credit history is a condition of employment
    for loan officers.

    "They probably would have been sending delinquency notices and
    collection letters to the wrong address," says Sesker. "I would never
    have known until the collection agencies tried to track me down."
     
    Some Guy, Jul 12, 2005
    #1
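The account-takeover sequence the article describes for the Sesker card (contact details changed, credit limit raised, then most of the new limit transferred out) is something a card issuer can look for in its account event log. The following is an added example, not part of the original post or the USA TODAY article; the event schema, field names, look-back window and threshold are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed tuning values, not taken from the article.
SENSITIVE_FIELDS = {"billing_address", "date_of_birth", "mothers_maiden_name"}
WINDOW = timedelta(days=30)   # how far back to look before a transfer
DRAIN_RATIO = 0.8             # transfer uses at least 80% of the raised limit

# Constructed sample events (hypothetical schema, not real account data).
EVENTS = [
    # Pattern from the article: profile changes, limit raise, large transfer.
    {"acct": "A-1001", "ts": "2005-04-26T10:02:00", "type": "profile_change", "field": "billing_address"},
    {"acct": "A-1001", "ts": "2005-04-26T10:05:00", "type": "profile_change", "field": "date_of_birth"},
    {"acct": "A-1001", "ts": "2005-04-26T10:06:00", "type": "profile_change", "field": "mothers_maiden_name"},
    {"acct": "A-1001", "ts": "2005-05-05T09:00:00", "type": "limit_increase", "old": 3500, "new": 5000},
    {"acct": "A-1001", "ts": "2005-05-12T14:30:00", "type": "transfer_out", "amount": 4300},
    # Ordinary move: address change, small transfer, no limit raise.
    {"acct": "A-2002", "ts": "2005-05-01T08:00:00", "type": "profile_change", "field": "billing_address"},
    {"acct": "A-2002", "ts": "2005-05-20T12:00:00", "type": "transfer_out", "amount": 200},
    # Limit raise and large transfer, but no profile change beforehand.
    {"acct": "A-3003", "ts": "2005-05-02T11:00:00", "type": "limit_increase", "old": 2000, "new": 4000},
    {"acct": "A-3003", "ts": "2005-05-04T16:00:00", "type": "transfer_out", "amount": 3500},
    # Profile change too old to fall inside the look-back window.
    {"acct": "A-4004", "ts": "2005-01-10T09:00:00", "type": "profile_change", "field": "billing_address"},
    {"acct": "A-4004", "ts": "2005-05-01T09:00:00", "type": "limit_increase", "old": 3000, "new": 5000},
    {"acct": "A-4004", "ts": "2005-05-03T09:00:00", "type": "transfer_out", "amount": 4500},
]


def find_takeover_sequences(events):
    """Return one alert per outbound transfer that follows, within WINDOW,
    both a sensitive profile change and a credit limit increase, and that
    consumes at least DRAIN_RATIO of the newly raised limit."""
    by_acct = defaultdict(list)
    for e in events:
        by_acct[e["acct"]].append({**e, "ts": datetime.fromisoformat(e["ts"])})

    alerts = []
    for acct, evs in by_acct.items():
        evs.sort(key=lambda e: e["ts"])
        for i, e in enumerate(evs):
            if e["type"] != "transfer_out":
                continue
            # Only events that happened before this transfer, inside the window.
            recent = [p for p in evs[:i] if e["ts"] - p["ts"] <= WINDOW]
            changed = sorted({p["field"] for p in recent
                              if p["type"] == "profile_change"
                              and p["field"] in SENSITIVE_FIELDS})
            raises = [p for p in recent if p["type"] == "limit_increase"]
            if not changed or not raises:
                continue
            new_limit = raises[-1]["new"]  # most recent raise before the transfer
            if e["amount"] >= DRAIN_RATIO * new_limit:
                alerts.append({
                    "acct": acct,
                    "transfer_ts": e["ts"].isoformat(),
                    "amount": e["amount"],
                    "new_limit": new_limit,
                    "changed_fields": changed,
                })
    return alerts


if __name__ == "__main__":
    for alert in find_takeover_sequences(EVENTS):
        print(alert)
```

Requiring all three signals together keeps ordinary address changes and legitimate limit increases from alerting on their own.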