Scammers Actually Got Away With Millions Of Microtransactions Scam

from the office-space dept

Tue, Jun 29th 2010 4:06pm — Mike Masnick

It's the idea that's been put forth in various movies over time: what if computer hackers could just take a tiny amount off of millions of transactions -- transactions so small that most people wouldn't notice or care. And yet, we hadn't really heard of it actually working anywhere... until now. The FTC has apparently shut down one such scam, though it was an operation since 2006. The details of how it was set up are pretty convoluted, and help explain, in part, why this sort of scam isn't quite as easy as the movies make it out to be. Also, by "micro" charges, we're not talking fractions of pennies, but charges between $0.25 and $9 -- enough that they could get away with this for four years without too much of an outcry. In fact, apparently only 6% of the charges were contested. Yes, out of 1.35 million fraudulent charges, only 78,724 people noticed and complained.

Wired digs into the details of how this was set up, which highlights the complexity of the operation:

According to court documents filed (.pdf) in the U.S. District Court for the Northern District of Illinois, the scammers -- identified only as "John Does" in the complaint -- recruited money mules through a spam campaign that sought to hire a U.S.-based financial manager for an international financial services company.

Mules who responded to the ad and were chosen for the task opened multiple bank accounts and about 100 limited liability companies for the scammers, which were then used to make the fraudulent charges and launder money to bank accounts in Cyprus and several east European countries, including Estonia and Lithuania.

Front companies set up by the mules included Albion Group, API Trade, ARA Auto Parts Trading, Data Services, New York Enterprizes, and SMI Imports, among others.

The scammers then purchased domain names and set up phone numbers and virtual office addresses for the front companies through services such as Regus. They used this information -- along with federal tax I.D. numbers stolen from legitimate companies with similar names -- to apply for more than 100 merchant accounts with credit card processors, such as First Data.

According to IDG,
They used another legitimate virtual business service -- United World Telecom's CallMe800 -- to have phone calls forwarded overseas. To further make it seem as though their companies were legitimate, the scammers would set up fake retail Web sites. And when credit card processors asked them to provide information about company executives, they handed over legitimate names and social security numbers, stolen from ID theft victims.

When they had to log into payment processor Web sites, they would do this from IP addresses that were located near their virtual offices, again evading payment processor fraud detection services.
Once approved by the card processors, the front companies were able to charge consumer credit and debit cards. Money charged to the cards was directed into the bank accounts set up by the money mules, who then transferred it to accounts overseas.

The charges showed up on consumer credit and debit card statements with a merchant name and toll-free phone number. But consumers who called the numbers to question the charges generally encountered an automated voicemail recording saying the number had been disconnected or instructing them to leave a detailed message. The calls, of course, were never returned.

See? A bit more complex than just taking a fraction of a penny off of each transaction. But, as the IDG report notes, if you're looking to set up an online scam, here's a blueprint.

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: fraud, microtransactions, scams

19 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

Anonymous Coward, 29 Jun 2010 @ 4:17pm

It could get a lot easier if the plans for "The National Strategy for Trusted Identities in Cyberspace" get in place.

http://www.nstic.ideascale.com/
[ link to this | view in thread ]
Anonymous Coward, 29 Jun 2010 @ 4:24pm

Evolution working for economic systems as predicted. Congrats to the scammers for out-thinking the financial industry. I give a little cheer when these things are pulled off.
[ link to this | view in thread ]
Bill W (profile), 29 Jun 2010 @ 4:59pm

I balanace my cards religiously
I've been adamant about balancing my CC statements every month. I would have been one of the 78,000 who contested I think.
[ link to this | view in thread ]
:Lobo Santo (profile), 29 Jun 2010 @ 5:05pm

Re: Der Shaften
Me too. It's nice to know the bank aren't the only ones giving people the shaft.
[ link to this | view in thread ]
Anonymous Coward, 29 Jun 2010 @ 5:26pm

So what, they took my quarter. Not like i have money after the last year.

gg
[ link to this | view in thread ]
Anonymous Coward, 29 Jun 2010 @ 6:26pm

Re:
I think the scamers are a lot less harmful to people, at least they take a quarter, those liars in power take our homes, jobs, privacy and freedoms.
[ link to this | view in thread ]
Anonymous Coward, 29 Jun 2010 @ 6:33pm

its about time
working at a bank, I see these things come swarms and flavors of the month, & they can pass for years before people notice, because the look like real purchases... but so many people give out their numbers all willy nille, or/and never look at their statements, and somehow blame others when it goes on for month or years... a lot of these "companies" are in the wrong, what I am really saying is consumers are just as much in the wrong for not paying attention, whats the term... Willful Negligence & Due diligence; & sometimes its not always so easy to notice.
[ link to this | view in thread ]
Perry K (profile), 29 Jun 2010 @ 8:47pm

really
"And yet, we hadn't really heard of it actually working anywhere... until now."

Really, you have never heard of what basically amounts to a crude variation of a "salami attack" Mike. I'll leave it to interested readers to find the pertinent examples. This technique has been around for a lot of years in different forms.
[ link to this | view in thread ]
zegota (profile), 29 Jun 2010 @ 9:26pm

Re: really
It's worth noting that if you hear about the scam, it almost certainly hasn't worked, since the criminals have been caught.
[ link to this | view in thread ]
zegota (profile), 29 Jun 2010 @ 9:28pm

Re: I balanace my cards religiously
I certainly wouldn't have. If I saw a $5 charge, I'm not sure I would have even gone to the trouble of protesting it, unless it reoccurred -- I likely would have written it off as a charge I didn't remember. If it was something like $.25, I definitely wouldn't have bothered. Kind of a smart move -- taking tiny amounts from multiple people a single time rather than the same person/place a single time. Obviously not smart enough, though.
[ link to this | view in thread ]
bob, 29 Jun 2010 @ 9:51pm

Re: Re: really and again to many RE:'s
I bet they haven't caught all the bad guys.
It's easy to get the mules, but I bet there is a happy Cypriot sitting at a cafe whit a big smile on his face.
[ link to this | view in thread ]
Skeptical Cynic (profile), 29 Jun 2010 @ 10:35pm

The 414's did that a long time ago.
Although most of the details were never released to the press or general public. The 414's had been doing just that in banks all over the country during the years of 1982 and 1983. The operation that got them caught was when one of the members that was new to the group got greedy and tried to steal a larger amount of money.

All the members were questioned by the FBI myself included (imagine being 13 years old and that happening) and in the end the FBI took all the money that was left and returned it to the banks and brokerages it had been taken from. We were all required to sign an agreement stating to avoid being prosecuted we were not to reveal the details of how we took the money or that we had even taken any money. The FBI and the Federal Reserve were worried that if the news got out people would lose confidence in our banking system. Plus in the grand scheme the amount of money the 414's had taken was nothing. (Statute of limitations has long run out so no I am not worried I am violating the agreement.)

The 414's scam involved rounding. It doesn't work this way anymore but back then banks would calculate interest daily and only when a certain threshold was reached would the interest then be credited to the account. When that trigger was hit there was always a fraction of a penny left over. For example (this is way simplified) say you have $100 in the bank and the interest you earned is 1.234 cents per day. The bank would credit your account with the 1 cent of interest and keep the .234 of a cent back rounding down. At the end of a certain period the bank would say that over 5 days you should have earned 6.17 cents in interest but you could see that you would have only earned 5 cents based on rounding so they would then credit your account the extra cent still leaving .17 of a cent out. Well this leftover amount is always hanging around. The 414's exploited this and would go in to a bank for 28 days (less than the audit cycle) skimming the rounding off of every 5th interest transaction on an account. Doesn't sound like much but if you do the math you can see with 10s of thousands of accounts it will add up fast.

I was never involved in the scam and only learned about it from the older members, but I do know it happened.

So yes this type of scam is old and new again.
[ link to this | view in thread ]
Skeptical Cynic (profile), 29 Jun 2010 @ 10:45pm

Re: The 414's did that a long time ago.
I know replying to my own comment is stupid, but I forgot to add one thought.

Anyone in the banking industry back then can attest all the changes that took place in financial institutions and how they dealt with electronic transactions in late 83 and early 84.
[ link to this | view in thread ]
PRMan, 30 Jun 2010 @ 4:26am

Re:
"Evolution working for economic systems as predicted."

Seems more like a very intelligent (although devious) design.
[ link to this | view in thread ]
senshikaze (profile), 30 Jun 2010 @ 5:01am

if you are within a large company in their IT department with little or no security, writing a script to do the pennies on the dollar trick wouldn't be impossible. you would still need to know alot about software, databases and covering your tracks. but it would be possible.

If you worked in medical, and if you could scalp a hospital discharge list for large surgeries, sending a fake bill for 20$ to all patient would net you a large sum quickly. Say it was from "East Central Radiology" or something and most (99%) patients would just pay it. when you get bills in the excess of $200,000, most people will just pay the $20. buy some cheap office space and have it sent there, wouldn't even look bad.
[ link to this | view in thread ]
mattarse (profile), 30 Jun 2010 @ 8:36am

Re: Re: I balanace my cards religiously
I think if it was as small as .25 I would be more likely to notice it and ask - I seldom charge small amounts.
[ link to this | view in thread ]
Anonymous Coward, 30 Jun 2010 @ 8:50am

Re: The 414's did that a long time ago.
Were you in Superman 2?
[ link to this | view in thread ]
Skeptical Cynic (profile), 30 Jun 2010 @ 10:07am

Re: Re: The 414's did that a long time ago.
No but I may have played him on TV.

I just happened to be in a DEC Vax user group run at AC/Delco around 82 and met a member of the 414's he asked me if I wanted to be in the group. Never really did anything except a couple of university hacks, but I was a great kiss ass so the elders liked me and taught me stuff. In Wisconsin around 80-85 DEC Vax systems were the higher level computer class computers. So anyone involved in computers around then in WI used and abused DEC Vax servers.
[ link to this | view in thread ]
Anonymous Coward, 30 Jun 2010 @ 12:08pm

I just call the credit card company, even if the amount is .10 cents. Why? Because I understand how fraud works, and a little dip here and there might indicate someone is testing the waters, making sure the cc number is legitimate before they try a larger transaction.

It also helps to sign up for email and/or text-messaging alerts. I'm not as concerned about unauthorized credit card charges, because until the bill comes, it's not really my problem, but I do keep close tabs on transactions done with my bank accounts and debit cards. I caught a Paypal scam within seconds of it starting because I received email notification about several very small random transactions that were being charged to my Paypal account on a Sunday.
[ link to this | view in thread ]