Thursday, February 18, 2021

Mystery Shoppers Challenge Gift Card Warnings

Have you ever seen those spam messages claiming they have a great job for you as a Mystery Shopper?  After seizing a check from a client (and then shredding it) a local bank let us check out the scam!  In this scam, a company claiming to be "Private Mart Auditors" says they have been contracted by WalMart to try to identify stores that are violating their policies by refusing to sell Gift Cards!  The project claims to actually be a partnership with the gift card companies themselves and the major retailers who sell them.


The criminals know that many companies have trained their personnel that if someone comes in and says "I'd like to buy $2,000 worth of Gift Cards!" they should ask probing questions to try to save someone from being scammed.  Some companies even have big signs on their registers, check-cashing terminals and gift card sales racks warning about scammers.  When we reviewed our Mystery Shopper instructions, we were told to validate our check by visiting their website ==> verifycheckatmet[.]org or verifycheckatbictoin[.]org.  (The instructions actually provide both URLs.)

What we learned at the website is that Wal-Mart's Audit Team had contracted our new employer to conduct an audit.  We were selected because some of the stores in our area were discouraging people from purchasing gift cards, despite the "Federal Reserve Global Campaign on Securities on Mobile Payments" requiring stores to encourage Gift Card purchases!


We wanted to proceed cautiously, so we validated each of the facts in our instructions just as they requested.  A few red flags came up, but these were easily explained by our new supervisor, Paul Newton.  Paul sends and receives texts from 574-777-6314 and uses the gmail account paulnewt005@gmail.com.  




First question -- why was this package, which claims to be from GNT Solutions at 5201 Thurman Way in Sacramento, California, being mailed through the US Postal Service from the Orlando, Florida area?

Second question -- if they are in Sacramento OR Orlando, why is the routing number on their check used exclusively for TD Bank branches in Maine?

Fortunately, we had an easy way to validate that OUR check was legitimate.  If we clicked the "Verify Cheque" button on the website, we could enter our name and check number.  If it was a valid check that had been issued by the company, it would instruct us to Proceed with Deposit.  If it was NOT a valid check it would tell us so, and instruct us what to do next.  So, we carefully entered our information: 

And ... we were in luck!  The check was totally valid!

According to our instructions, here's what we needed to do next:

1. Cash check or deposit at your Bank, then text your supervisor immediately via 574-777-6314 to receive further instructions.

2. Deduct your Salary $350 while you withdraw $2000 for your assignment.

3. Locate any 2 Wal-Mart stores near you.

4. Visit the first store and purchase 3 Wal-Mart gift cards worth $400 each.

5. After purchasing the 3 cards successfully scratch each of the cards to reveal its code, take CLEAR pictures and send to your Supervisor on 574-777-6314.

6. Proceed to the second Wal-Mart store to purchase 2 cards worth $400 each, scratch each & take pictures to be sent to your supervisor.

7. With the help of your supervisor answer questions from the WAL-CARD AUDITORIA EVALUATION FORM then take a picture & send to your assigned grading personnel via email to paulnewt005@gmail.com

8. Keep the cards safely as they will be used for your second assignment provided you meet the pass mark otherwise you will be mailing them back to an address to be provided by your supervisor.

9. We encourage giving back to the society as such the moment result is sent to email, you are to purchase a Cashier's Check worth $30 at your bank in the name KIDNEY FOUNDATION. After purchase text your supervisor for further instructions on the purchased Cashier's check.

If we pass our "grade" we might be able to become a Permanent Contract employee, where we would earn $450 per assignment and do 3-4 assignments each week!  If we do well with that, we might become a "WAL-CARD-AUDITORIA CONTRACT" employee!  Then we would earn $600 per assignment and could do MORE than four assignments a week!

Now, if you are an unemployed person due to Covid and someone gives you a clear path to earning $150,000 per year, might you be tempted?  Other than our Check, here are the instructions and the PMA Evaluation Form that were also in our US Postal Service Priority Mail package.


The Website - and possibly related scams!

Of course we also wanted to look into that website!  We used the Zetalytics ZoneCruncher tool to check it out.  The domain name was registered at Public Domain Registrar (PDR), which wasn't shocking.  The last APWG report showed that, with the exception of cyber criminals' favorite registrar NameCheap, PDR has recently been the second most common registrar for BEC attacks, and this scam is definitely related, as we'll see.

APWG 4th Quarter 2020 Report

It is hosted at 67.220.184.146, and its nameservers, ns5.doveserver.com and ns6.doveserver.com are also located on 67.220.184.146 and .147.

ZoneCruncher data

One of my favorite things about ZoneCruncher's data is that it shows the "Start of Authority" record.  In this case it is telling us that the reseller to which this IP address space is assigned is "csf@smartweb.com.ng".

One of the most common West African scams, besides the shipping of counterfeit checks, is various "delivery" scams.  These started with the earliest Nigerian Prince scams, but more frequently today involve a package of value (a box of diamonds, for example) that a soldier finds overseas and wants to ship to you to sell and split the profits.  Other times it is a "pet delivery" scam, where you anticipate having a pet shipped to you and the pet gets caught up in shipping.  As anticipated, we had plenty of these on this IP address.

One of the things that all of these sites have in common is a "TRACK Your Package" option.  This is where the scammers match pre-assigned tracking numbers to various conditions which require your payment to break a shipment free.  Pets may be "quarantine hold in customs" or valuables may be "inspection hold in customs."  Your scammer will send the website address with a tracking number so that you can look up "proof" of the situation.
  • https://regalcourierservice[.]com/track/
  • http://cargoexpedite[.]com/tracking.php
  • https://submarinecourierservice[.]com/track-your-shipment.php
  • https://www.safecargoeslogistics[.]com/?page_id=3731
Often you can find many websites with identical content but a different company name.  That is also a red flag.  For example:

  • http://ftcouriercompany[.]com/about.html (hosted on "our" IP address)
  • http://logitrex[.]net/about.html (hosted on 104.194.9.169, which leads to a whole new cluster of badness):
    ==> https://wpsdelivery[.]com/
    ==> https://nexaglobalexp[.]com/tracking.html
    ==> https://aimsair-ways[.]com/

But then we hit a gold mine!  The complete Soldier Romance Scam Support site!  (but that's the next blog post ...)









The Complete Soldier Romance Scam Support Site

Yesterday we were reviewing a Work From Home "Mystery Shopper" scam, and ended by pointing out some of the scam shipping companies hosted on the same IP address.  But still on our same IP address, we hit a gold mine!  The complete Romance Scam with an Imaginary Soldier support site!  The webpage is: usmdept.com ... you know? the US Military Department?


This website has EVERYTHING an imaginary soldier might need in order to extract funds from his Romance Scam victim!

Let's start with the basics.  Do you love your soldier? At great risk to themselves, you can have a care package deployed, even into a combat zone!  If you REALLY love your soldier, you'll choose the $1700 Premium Care Package. (but if you're cheap, the $800 Mini Care package and the $1200 Airbourne Care Package are also available.)  What? He didn't get it? Do you have a Tracking Number? It's probably been held up in customs ...

https://usmdept.com/care-package/

Next, you'll want to chat with your soldier, right?  Because he is deployed on a Top Secret Mission, that's only possible if you purchase a Communication Permit.  You can buy Communication Permit cards ranging from the "Military Small Card" for $680 all the way up to the "Military Large Global Card" for $1150!


Of course, what you REALLY want is to have your soldier boyfriend or girlfriend come home and visit you, right?  Fortunately, there are several leave options available, including 3-week, 4-week, 2-month, and 6-month (Honeymoon Leave) durations.  "The above leave Duration are made available for you to choose and after you choose we would tell you the fee involved. ... The reasons of payment for emergency leave Application is to assist the USA military authority in replacement expenses and supporting of troops coming to take over duties for anyone going on emergency leave ... ensuring that our troops are protected and allowed to judiciously make use of their times for reasons they have applied and paid for."

Under the old military system, if a soldier refused to take a deployment to an area where they may be killed, they were just kicked out.  Good News!  "This policy has been mauled and we've been directed by the Department of Defense to bring forth the Deployment Declination option. ... Unfortunately, a deployed soldier is ineligible to apply ... Only a loved one, family, child, fiance, sibling, or close friend is eligible to apply." 



But wait, you thought that would be free?  "after the DOD spending weeks, even months, preparing for the mission, putting everything in place, setting all up having you in mind, the wasted resources and finances already made, because of this a fee is attached for the declination form to be processed and accepted." Just email support@usamilitarysupport.com to get the process started.



The real goal of having an Imaginary Soldier Boyfriend or Girlfriend is marriage though, right?  Good News!  That is TOTALLY OK with the US Military Department of Scammers!

Although, "There are also rules on who can receive a military ID card and military benefits. To receive a military ID card and benefits, including health care, a military spouse must be legally married to the service member. The military does not recognize common law marriage or engagements.  Registering a spouse for benefits has its fee."  Just click "Contact Us" and the scammers will gladly walk you through the process of getting a MILITARY Marriage License, based entirely on how much money they think you might have, of course.



Although it should not be necessary, if you really need your Imaginary Soldier to resign from the military, that is possible as well.  Doing so, however, "attracts a one time fee, which will be needed to process the request."  As with declination of deployment, "only a loved one ... is eligible to apply."


While this is the first time that *I* saw a site like this, as usual, FireFly and the experts at ScamSurvivors.com had already seen the pattern.  A great post there which talks about a previous or similar version of this site from August 2020 is here on her forum ==> Article: US Military Welfare - usamilitarywelfare.com


Friday, February 12, 2021

Phone Company Insiders Helped Global Sim-Swapping Gang Steal Millions in Cryptocurrency

This week law enforcement agencies around the world made press releases about the arrest of SIM Swapping criminals.  The UK's National Crime Agency says "eight men have been arrested in England and Scotland as part of an investigation into a series of SIM swapping attacks, in which criminals illegally gained access to the phones of high-profile victims in the US."  They say these attacks targeted "numerous victims throughout 2020, including well-known influencers, sports stars, musicians, and their families."  NCA credits the US Secret Service, Homeland Security Investigations, the FBI, and the Santa Clara California District Attorney's Office for helping to uncover the network.

Paul Creffield, head of operations in the NCA's National Cyber Crime Unit and Assistant Director Michael D'Ambrosio were quoted in the NCA's press release, "Brits arrested for sim swapping attacks on US celebs" on February 9th.  The @NCA_UK Twitter thread shared the additional details that the men were between the ages of 18 and 26.

https://twitter.com/NCA_UK/status/1359232883118981133


Meanwhile, a 10FEB2021 press release from Europol proclaimed "Ten hackers arrested for string of sim-swapping attacks against celebrities."  The EU report says that 8 criminals were arrested on 09FEB2021 (presumably those in the UK) with earlier arrests of one criminal in Malta and one in Belgium of members "belonging to the same criminal network."

A SIM, or Subscriber Identity Module, is the little chip that goes inside a phone and ties that phone to a particular account at a particular mobile provider.  If the phone provider believes you have a new phone, they can tell their system, this is the new SIM number that should be linked to your account.  They don't actually need to know what model of phone it is, or where in the world it is.  If your account says your phone number is assigned to a new SIM, your phone stops ringing and the new phone starts.

The group used SIM swapping to intercept SMS messages intended for the true owner of the phone and route those messages to a phone controlled by the criminals.  This allowed them to access many apps and ask for password resets, which often confirm the request is intended for the correct user by sending a "Two Factor Authentication" request in the form of an SMS message.  Some cryptocurrency exchanges use an even stronger method, requiring confirmation both by an SMS to the phone and by email.  Unfortunately, if the criminals have SIM-swapped the phone, they may also have used it to gain control of the email account used by the victim!

Europol correctly describes the primary method of SIM-swapping when they say in the press release above, "This is typically achieved by the criminals exploiting phone service providers to do the swap on their behalf, either via a corrupt insider or using social engineering techniques."
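The two failure modes described above, an SMS-based reset arriving right after a number was moved to a new SIM and one insider performing a burst of swaps, both lend themselves to simple correlation checks. The following is an added example, not code from the original post; the events, agent names and time window are constructed and hypothetical.

```python
# Added example (not from the original post): two defender-side checks over
# constructed carrier and service-side events. Phone numbers, agent ids and
# timestamps below are hypothetical sample data.
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Carrier records: each entry ties a phone number to a new SIM, and records
# which customer-service agent performed the change.
SIM_CHANGES = [
    {"phone": "+15045550101", "time": "2018-11-01T14:02", "agent": "rep_a"},
    {"phone": "+15045550102", "time": "2018-11-01T14:40", "agent": "rep_a"},
    {"phone": "+15045550103", "time": "2018-11-01T15:11", "agent": "rep_a"},
    {"phone": "+15045550104", "time": "2018-11-01T16:05", "agent": "rep_a"},
    {"phone": "+15045550190", "time": "2018-11-01T10:30", "agent": "rep_b"},
]

# Service-side records (e.g. an exchange): a password reset was requested, or
# an SMS one-time code was sent, for the account linked to this number.
AUTH_EVENTS = [
    {"phone": "+15045550101", "time": "2018-11-01T14:20", "type": "password_reset"},
    {"phone": "+15045550101", "time": "2018-11-01T14:25", "type": "sms_otp"},
    {"phone": "+15045550190", "time": "2018-11-04T09:00", "type": "sms_otp"},
]


def _parse(ts: str) -> datetime:
    return datetime.fromisoformat(ts)


def post_swap_auth(sim_changes, auth_events, window=timedelta(hours=48)):
    """Return (phone, event type) for every reset or SMS code that was sent to a
    number within `window` after that number was moved to a different SIM.
    Such events are the ones a service should not let SMS alone authorize."""
    changed_at = defaultdict(list)
    for change in sim_changes:
        changed_at[change["phone"]].append(_parse(change["time"]))
    hits = []
    for event in auth_events:
        when = _parse(event["time"])
        for swap_time in changed_at.get(event["phone"], []):
            if swap_time <= when <= swap_time + window:
                hits.append((event["phone"], event["type"]))
    return hits


def busy_agents(sim_changes, threshold=3):
    """Return {agent: count} for agents who performed more than `threshold`
    SIM changes on a single calendar day, a pattern worth a supervisor's review."""
    per_day = Counter((c["agent"], c["time"][:10]) for c in sim_changes)
    return {agent: n for (agent, _day), n in per_day.items() if n > threshold}


if __name__ == "__main__":
    print(post_swap_auth(SIM_CHANGES, AUTH_EVENTS))
    print(busy_agents(SIM_CHANGES))
```

A hit from `post_swap_auth` is a reason to require a factor that does not travel over the phone number (an authenticator app, a hardware key, or a delay plus a notification to the previously registered email), and carriers that expose SIM-change timestamps to relying parties make this check possible in the first place.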

How do Phone Company Insiders enable these scams? In a case that was curiously released to the public simultaneously with those above, we get a US-based example.

The simultaneous announcement by the FBI of charges against a Verizon Customer Service employee, Stephen DeFiore of Brandon, Florida is curiously timed, given that his charges thus far were based on crimes from 2018.  According to Stephen's LinkedIn, he worked from 2014 to 2017 as a Verizon Customer Service Rep in Rochester, New York, and afterwards in Brandon, Florida:



On February 8, 2021, the US Attorney in the Eastern District of Louisiana announced charges against Stephen Daniel Defiore "for his role in a SIM Swap scam that targeted at least nineteen people, including a New Orleans-area physician."  It goes on to say "From August 2017 until November 2018, DEFIORE worked as a sales representative for Phone Company A. In that capacity, DEFIORE had access to the accounts of Phone Company A's customers, including the ability to switch the subscriber identification module (SIM) card linked to a customer's phone number to a different phone number.  Between October 20, 2018 and November 9, 2018, DEFIORE accepted multiple bribes, typically in the amount of approximately $500 per day, to perform SIM swaps of Phone Company A customers identified by a co-conspirator."

DEFIORE would receive a message telling him a customer's phone number, their four-digit PIN, and a SIM card number to which the phone number was to be swapped.  Defiore received his payments via CashApp to his account: $Beefy123.

The New Orleans doctor lost his Binance, Bittrex, Coinbase, Gemini, Poloniex, ItBit, and Neo Wallet accounts.  In this case, Defiore swapped the doctor's phone number to a SIM card that was actually in an Apple iPhone 8 with the IMEI (International Mobile Equipment Identity number) 356703087816582, which was in the possession of Richard Li.

His co-conspirator in the US, Richard Li, was actually charged by the Department of Justice on 09JUN2020.  Li is why the UK case mentions California, rather than Louisiana or Florida.  Richard Yuan Li was a 20-year-old college student in San Diego, California, living in a dorm room in Argo Hall on the campus of UCSD (The University of California San Diego).  He registered the cell phone to which the SIM swap occurred using his own "me.com" email address, which began with "ryli" (Richard Yuan Li).

According to the charges against Li, he participated in at least 28 SIM swaps between 11OCT2018 and 06DEC2018.  In the case of the Louisiana doctor, even after the doctor regained his cell phone, he was contacted by Li, who said he had accessed nude photos on the doctor's gmail account that was also linked to the phone, and who demanded 100 Bitcoins or he would release the photos.

My favorite photo of the US SIM swapper.  (Sorry, couldn't resist!)  Master criminal? Or dumb kid who happened to work at a phone store and couldn't resist the temptation of $500 per day.  You decide.


This case would not be the first linking UK criminals with US phone company employees.  In 2019, a hacking group calling itself "The Community" paid bribes to three phone company employees, Jarratt White and Robert Jack, both 22-year-olds working at phone stores in Tucson, Arizona, and Fendley Joseph, a 28-year-old in Murrietta, California, to carry out SIM swaps for their group.  Ireland-based hacker Conor Freeman, aged 20, was charged in that case for seven SIM swaps that led to the theft of $2,416,352 worth of cryptocurrency.  It is unknown at this time if the current cases are further work of "The Community" or its former members.

The Community wasn't a place online, just the name of their group.  Most of their members were participants on the OG Users forum.  For example Jarratt White, who worked at an AT&T store, used the handle ".O." on Telegram and received payments via LocalBitcoins and PayPal, where his email "jarrattw@gmail.com" was linked.  AT&T confirmed that WHITE had performed 29 unauthorized SIM swaps.  Robert JACK, also an AT&T contractor who worked in their store in Tucson, performed 12 SIM swaps.  Fendley JOSEPH worked at a Verizon store in Murrietta and also communicated with The Community members via Telegram.  He was also identified by his PayPal account (fendleyvzw@gmail.com), where he received $3,500 in bribes.

Ireland's Conor Freeman was ultimately not extradited to the US, although he was arrested by the Garda at his home in Glenageary Court, Dun Laoghaire in May 2019, based on the US charges.  The failure to extradite was another example of the US Attorney's boasts of maximum sentence backfiring.  They often will make public threats at the time of arrest such as "if the maximum sentence is given, they will face 108 years in prison!"  Then when the actual sentence is handed out, they get six years.  Or two.  The threat, however, is enough that European courts say "what a cruel and unusual sentence!" and argue that sentencing a SIM swapper to a greater sentence than a rapist or murderer is ludicrous.





Thursday, November 26, 2020

Major Nigerian Phishing and BEC Actors, SSGToolz and CeeCeeBossTMT, Arrested by Nigerian Police and Interpol

An Interpol headline on November 25, 2020 announces "Three arrested as INTERPOL, Group-IB and the Nigeria Police Force disrupt prolific cybercrime group" however the article does not name the suspects.  The Interpol article says the three are "believed to be members of a wider organized crime group responsible for distributing malware, carrying out phishing campaigns and extensive Business Email Compromise scams."  Interpol's Craig Jones says the year-long investigation was known as "Operation Falcon."

The Nigerian Police actually did a press release about the trio on November 19th.  From that we find photos of the three criminals and more information about their crimes and names.  The leader of the trio, Onuegwu Ifeanyi, is known online as SSGToolz.  According to the Nigerian Police, he "specializes in creating, designing, and selling phishing links and hosting malware on websites used by the gang for phishing and hacking purposes.  He collects charges running into several millions of naira from other fraudsters he mentors and improves their phishing capabilities."

Onwuka Emmanuel Chidiebere, also known as Ceeceeboss TMT, graduated from Imo State University and specializes in Business Email Compromise (BEC) and hacking.  His laptop had over 50,000 email accounts with passwords harvested from various individuals and businesses worldwide.

CeeCeeBoss TMT recruited the third of the trio, Ikechukwu Ohanedozie, who was known as Dozzy.  A medical school student also from Imo State, Dozzy's job was sorting out the email accounts and doing research "to determine financial strengths of prospective victims and pass the information to Ceeceeboss."

SSGToolz was not at all discreet with his work, creating his own domain for his tools, appropriately named ssgtoolz[.]net.  From there we see that he also used the gmail account ssgtoolz@gmail.com, which was associated with the creation of 85 domain names.

Some of these domain names were used to anchor other types of fraud, for example "c-clh[.]com" was confirmed to be hosting malware on 17JUL2020 and 19JUL2020, and as recently as 22SEP2020, which VirusTotal says was detected as Andromeda, Fareit, or Lokibot by various anti-virus vendors.

He also used this domain to host phish, such as "www.hainanbank.com.cn.c-clh[.]com" 

According to the ZoneCruncher tool from Zetalytics, at least 76 of his domains were observed resolving in their Passive DNS systems.  Many of them were "look alike" domains, likely used for sending malicious email.  Some examples of these would include:

agogpharrna[.]com (the "rn" supposed to look like an "m" to imitate agogpharma) 
iescornputers[.]com (the "rn" supposed to look like an "m" for iescomputers) 
tataintiernational[.]com (an extra "i" to imitate tatainternational) 
owenscorming[.]com (an "m" instead of an "n" for OwensCorning) 
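The two tricks above (an "rn" digraph standing in for "m", and a one-character insertion or substitution) can be caught mechanically. Here is an added example, not code from the original post or from any of the tools it mentions, that folds confusable digraphs and measures edit distance against a list of brand labels; the brand list is assumed and built from the four names quoted above.

```python
# Added example (not from the original post): flag a registered domain that
# imitates a known brand label either by a visually confusable digraph
# ("rn" read as "m") or by a single-character typo. Defanged "[.]" input is accepted.

# Digraphs that render like one letter in many sans-serif fonts.
CONFUSABLES = {"rn": "m", "vv": "w", "cl": "d"}

# Assumed watch list, built from the brand names quoted in the post.
BRANDS = ["agogpharma", "iescomputers", "tatainternational", "owenscorning"]


def fold_confusables(label: str) -> str:
    """Collapse confusable digraphs, so 'agogpharrna' folds to 'agogpharma'."""
    for digraph, letter in CONFUSABLES.items():
        label = label.replace(digraph, letter)
    return label


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert, delete, substitute) via a rolling DP row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def second_level_label(domain: str) -> str:
    """'www.hainanbank.com.cn.c-clh[.]com' -> 'c-clh' is NOT what we want here;
    this helper takes the leftmost label of a bare registrable domain such as
    'agogpharrna[.]com', which is how the examples in the post are written."""
    return domain.lower().replace("[.]", ".").split(".")[0]


def classify(domain: str, brands=BRANDS):
    """Return (brand, reason) when the domain's label imitates a brand, else None."""
    label = second_level_label(domain)
    if label in brands:
        return None  # the brand's own label: nothing to flag
    folded = fold_confusables(label)
    for brand in brands:
        if folded == brand:
            return brand, "confusable digraph"
        if edit_distance(label, brand) == 1:
            return brand, "single-character typo"
    return None


if __name__ == "__main__":
    for d in ["agogpharrna[.]com", "iescornputers[.]com",
              "tataintiernational[.]com", "owenscorming[.]com", "example.com"]:
        print(d, "->", classify(d))
```

In practice the brand list would be the organisation's own names and those of its suppliers, and the check would run over newly registered domains or passive DNS output such as the ZoneCruncher data described above.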

Others seem more targeted as general "technical" phish, such as "server-update-mail-verification[.]com" which he registered 12JUN2019, or "itbackupserver[.]com" registered the same day.


CeeCeeBossTMT liked to boast of his wealth on Instagram, although he gave God Almighty all the thanks for the proceeds of his crime.  He also liked to imply that his hard work in the music studio was somehow the source of his wealth, rather than the millions he stole from innocent victims around the world.


Gotta admit, I'm thinking of finding that green track suit and shoes combo for myself.  What do you think?  Also, can anyone tell me which South African airport that top left shot was taken in?

The "TMT" coincides with his TMT Liquor Store, which he frequently tags in his posts.  TMT Liquor shares their WhatsApp Number, +234 901 069 2587 on their Instagram Bio @tmtliquorstore.

We look forward to hearing more about how these three are tied into the larger infrastructure of cybercrime in Nigeria.  If you have more information, please do reach out!