Tuesday, April 20, 2010

Dmitry Naskovets of CallService.biz, Meet the FBI

CallService.biz Gets a New Website


On April 19th a friend sent me a Facebook link announcing that CallService.biz had been closed. The news was officially announced by the New York FBI on Monday, although the arrests happened on April 15th.

The website, even as of this writing, displays a new homepage that looks something like this:



When the FBI decided to take over the management of the CallService.biz website, they did a little relocation first. For some reason they didn't want to host it in Moscow, I guess. The old location, 212.158.162.5, is the home of such great websites as:

1001russian-bride.com, a fine site for buying your new Russian wife (you can talk to her first for only $5.99 per minute...)

and

AdmiralSlots.com, a Casino that I'm assured by all of my spam is a great place to play. They have a wonderful affiliate program which will pay you 20% of the deposits your customers sign up. Errr... "Привлекая новых клиентов в наше казино, вы будете получать 20% от всех их депозитов, независимо от выигрыша." ("By attracting new customers to our casino, you will receive 20% of all their deposits, regardless of winnings.") Thankfully, they NEVER send spam. "Запрещена реклама с помощью спама и методами, противоречащими действующему законодательству и нормам морали." ("Advertising by means of spam or by methods that violate current law and moral standards is prohibited.") See?

Tracking the various organizations that have hosted this criminal website sends us through such dark corners of the Internet as Net Access Corporation (NAC) in New Jersey (66.246.206.121), Garant Park Telecom (89.111.176.54) at Moscow State University, and Caravan.ru (212.158.162.5) also in Moscow.

CardingWorld.cc, also mentioned in the Indictment, is hosted at RusTelecom.biz and was registered using a clever Gmail account - cardingw@gmail.com, although originally the owner used the more discreet email - cardingworld_cw@yahoo.com or cwivanov@googlemail.com.

The Indictment



The Indictment (thanks to ThreatLevel@Wired for providing a copy...saves me a couple bucks on my PACER account), says that Dmitry M. Naskovets (Дмитрий Насковец) resided in the Czech Republic and the Republic of Belarus and that he operated the online business CallService.biz with his co-conspirator, Sergey A. Semashko (Сергей Семашко), and that such business was "an online enterprise designed to help identity thieves profit from stolen financial data."

(Dmitry was arrested in the Czech Republic on April 15th. Sergey was arrested in Belarus the same day, while Lithuanian police seized the cardingworld.cc website related to the case, which was housed at 193.219.5.196, IP space belonging to Elneta, elnet.lt.)

From at least June 2007 up to and including April 2010, Naskovets and Semashko operated CallService.biz. Part of their service was to recruit English and German speakers to pose as authorized account holders in order to conduct or confirm fraudulent transactions on behalf of CallService.biz customers. The website allowed Russian speaking customers to place orders for these services. From the indictment:

Orders consisted of, for example, the name of the bank the user wanted to contact, the stolen account information that the user had illegally obtained, and instructions from the user as to what to say, or the fraudulent transaction that was to be conducted, during a phone call to the bank. NASKOVETS and his co-conspirators would assign an appropriate individual, including one who was the same gender and spoke the same language as the authorized account holder. After the requested call was made, NASKOVETS and his co-conspirators would report the results to the CallService.biz user, who could issue instructions for further telephone calls, if necessary.


The indictment quotes from an advertisement that Semashko placed on another website to advertise their service. That website, CardingWorld.cc, was owned and operated by Semashko. The advertisement claimed that CallService.biz had 'over 2090 people working with it' and had done 'over 5400 confirmation calls' to banks, meaning calls to confirm or conduct fraudulent transactions, as described above.

Charges placed against Naskovets and Semashko include:

Title 18 Section 1343, accusing them of "unlawfully, willfully, and knowingly, having devised and intending to devise a scheme and artifice to defraud, and for obtaining money and property by means of false and fraudulent pretenses, representations, and promises, [that] would and did transmit and cause to be transmitted by means of wire, radio, and television communication in interstate and foreign commerce, writings, signs, signals, pictures, and sounds for the purpose of executing such scheme and artifice."

The charges are supported by Instant Message logs which talk about registering the domain name, and wiring fees as much as $35,000 between the two. Other messages contained details of online purchases, including the victim's name, address, email address, Social Security number, answers to security questions related to their banking account, and other information.

Other charges included violations of:

Title 18 USC Section 1029(a)(2) (obtaining a thing of value greater than $1000 through use of one or more unauthorized access devices during a one-year period)

Title 18 USC 1029(a)(3) (possessing fifteen or more counterfeit or unauthorized access devices)

Title 18 USC 1029(a)(5) (receiving payment exceeding $1000 in interstate and foreign commerce via access devices issued to another person)

Title 18 USC 1028A(c), 1028A(a)(1) and (2) - possession of credit card numbers and bank account numbers (access devices) belonging to other people and transferring them to co-conspirators who used them to facilitate fraudulent transactions.


The Reaction in the Russian Underground



The reaction to this news has been pretty swift. In the carding forum, http://forum.xakepok.org/, one of the moderators, "Maestro", posted a Russian translation of the FBI press release and warned people that the logs from the CallService.biz site were in the possession of the FBI and that people should immediately discontinue use of any emails or ICQ programs that they had used on that server.

Over on Web-Hack.ru the criminals are warning one another to be careful ("Будьте осторожны - берегите себя!"), and to keep an eye on this situation - especially if the US manages to extradite the criminal! One of the posters mentions that the press release says the criminal could face 39 1/2 years in prison, but then jokes, "of course he'll get off in 3 years."

The moderators at CarderNews.ru start off their very lengthy column by saying "this is not a news story to read quickly and shake your head and forget...this is an information bomb!" The moderator goes on to say, "first, don't panic. Nobody is going to use the information on these servers to start busting petty thieves", but then he goes on and reminds people that even petty thieves should be using SSL and VPN for their internet traffic. He concludes with "do not panic, and do not forget about your safety" (не поддавайтесь панике и не забывайте о своей безопасности.)

CarderNews then does an interview with "Cesar", a moderator who says he worked on the "technical administration" side of the CardingWorld server. Nothing too informative in the interview. It was clear Cesar was limiting what he was going to say.
