Sunday, December 23, 2018

Alert Traffic Patrolman Unveils Romanian Skimming Ring



Clinton, Mississippi doesn't sound like the kind of place where an international skimming operation would be operating.  With a population of barely 25,000, the town in southwest Mississippi does have one thing that helped - an alert police dispatcher.

Cheatham County, Tennessee, on the west side of Nashville, also doesn't seem like a cyber crime metropolis.  But it also had something critical to this type of police work: an alert traffic cop, Cheatham County Deputy Paul Ivy.


Clinton is more than a six hour drive from where a Cheatham County Sheriff's deputy pulled over a suspicious vehicle on December 12th as it was about to pull on to Interstate 40 headed west.  The deputy had seen the 2005 Chevy Trailblazer parked at a Shell gas station and noticed a temporary license tag displayed in an unreadable manner behind a tinted windshield.   The driver, Forrest Beard, showed the officer a Mississippi driver's license, which came back as suspended.  Beard's story about the two other occupants of the car, "Mike," whom he had met at a party four months ago, and another man whom he had known for only a couple of weeks, seemed odd.  He consented to a vehicle search, which revealed "a large amount of money", a credit card terminal, two laptops, credit card skimmers, and a stack of 159 Walmart gift cards.  Most of the materials were hidden in Nike shoe boxes.

Vehicle search items discovered
Labels added to the photo by Security Researcher Silas Cutler

The other two men in the car had unusual forms of identification for Kingston Springs, Tennessee.  George Zica was from Romania, according to his passport.

George Zica (Cheatham County Sheriff's Office)
Madalin Palanga (Cheatham County Sheriff's Office)
Madalin "Mike" Palanga was also from Romania, but the ID he was carrying was a counterfeit Czech Republic identity card in the name of Vaclav Kubisov.



The officer contacted the Secret Service, and they ended up keeping the vehicle, the money, the computers, and all three men's cell phones.  On Wednesday, December 19th, a judge posted a bail order for the men, and Madalin bonded out for $74,999 (he is wearing a GPS-tracking ankle bracelet) before a hold order was received from Mississippi, which prevented the other two men from doing the same.

Further investigation revealed that the men had been tied to skimming cases across middle Tennessee, as well as in North Carolina and South Carolina, but Mississippi added one critical piece of evidence, courtesy of ATM footage from Regions Bank.  On Tuesday, Regions Bank employees contacted the Clinton, Mississippi police to let them know they had "trapped" some cards in the local Regions ATM.  When Regions receives fraud reports indicating that one of its accounts has been compromised, its policy is to capture any ATM card inserted into one of its ATMs that carries that account's information.

In this case, the captured cards were both Walmart gift cards.  The skimmers were "Verifone" terminal overlays, a type commonly found at the counter of many gas stations and convenience stores.  After criminals modify the keypad by installing a skimmer, a device placed in front of the card slot makes a copy of the magnetic stripe, while the fake keypad overlay captures the PIN when the customer enters their four digit code.  The information can be retrieved wirelessly from a vehicle in the parking lot.



(Video from Andy Cordan, WKRN TV News)

In Clinton, Mississippi, over $13,000 in fraudulent ATM charges had been reported recently, with most of the stolen card data being tracked to customers in the Memphis, Tennessee area.

Regions Bank provided ATM surveillance camera footage to the Clinton police.  An alert police dispatcher who was reviewing the material started comparing the image to other recent credit card crimes in the Southeast and determined that the man in the ATM footage was George Zica, who was arrested later that week in Tennessee as described above.  (The timestamp on the video is confusing.)



Saturday, December 22, 2018

126 Arrests: The Emergence of India's Cyber Crime Detectives Fighting Call Center Scams

The Times of India reports that police have raided a call center in Noida Sector 63 where hundreds of fraud calls were placed every day to Americans and Canadians resulting in the theft of $50,000 per day.

The scammers had rented four floors of a building being operated by two scammers from Gurgaon, Narendra Pahuja and Jimmy Ashija. Their boss, who was not named by the police, allegedly operates at least five call centers. In the raid this week, 126 employees were arrested and police seized 312 workstations, as well as Rs 20 lakh in cash (about $28,500 USD).

Times of India photo 


Noida police have been cooperating very well with international authorities, as well as with Microsoft, leading to more than 200 people arrested in Noida and "scores" of fake call centers shut down, including four in Sector 63.  (In a case just last month, another call center was said to have stolen from 300 victims after using the online job sites Shine.com and VintechJobs.com to recruit young people looking for work, who were then put to work conducting the scams.)

In the current scam, callers already had possession of the victim's Social Security Number and full name.  This information was used to add authority to their request, which got really shady really fast.  The victim was instructed to purchase Apple iTunes Gift Cards, or Google Play Gift Cards, scratch the numbers, and read them to the call center employee.  The money was laundered through a variety of businesses in China and India before cashing out to bank accounts belonging to Pahuja and Ashija.

Noida police are advancing in their Cyber Crime skills!

As more and more cyber crime enterprises spring up in India, the assistance of its new Centers for Cyber Crime Investigation is becoming more critical to stopping fraud against Americans:

We applaud the Center for Cyber Crime Investigation in Noida


The US Embassy was quick to acknowledge the support of the newest cyber crime partners of the United States after their action at the end of November:

US Embassy to India thanks the Noida and Gurgaon Police for their help!
Another recent Times of India story from November 30, 2018, "Bogus Call Centres and Pop-up Virus Alerts - a Global Cyber Con Spun up in NCR" [NCR = National Capital Region] had more details of this trend, including this graphic:


That's at least 50 call centers shut down in just these two regions, with this week's 126 arrests being the culmination of an ongoing investigation that received data from both the FBI and Microsoft.

Local news of India reported the names of some of the gang members held in the November 29-30th action in their story नोएडा: बड़ी कंपनियों में नौकरी दिलाने के नाम पर करते थे धोखाधड़ी, 8 गिरफ्तार (Noida: Fraud, 8 arrested for giving fake jobs in the name of big companies).

Sontosh Gupta, who was the ring leader, was previously employed by an online job site, but then created his own site,  vintechjobs (dot) com, which he used to attract call center employees, many of whom were duped into serving as his scammer army without ever being compensated for their work!

Others arrested then included Mohan Kumar, Paritosh Kumar, Jitendra Kumar, Victor, Himanshu, Ashish Jawla, and Jaswinder.

During that same two day raid, police swept through at least sixteen other call centers, according to this New York Times story, "That Virus Alert on Your Computer? Scammers in India May Be Behind It".

Ajay Pal Sharma, the senior superintendent of police, told the NYT that 50 of his officers swept through eight different call centers in Gautam Budh Nagar as part of the case.  Microsoft's Digital Crimes Unit told the Times that with 1.2 million people generating $28 billion in India working for call centers, it isn't hard to disguise the shady callers among the legitimate businesses.

The problem is not unique to Delhi and the National Capital Region suburbs that are the current focus.  Back in July, Mumbai was in the headlines, as a massive IRS-imitating Call Center ring was broken up with the help of more great cyber crime investigators from India:

Madan Ballal, Thane Crime Branch, outside Mumbai
Police Inspector Madan Ballal had his story told as the focus of an article in Narratively, "This Indian Cop Took Down a Massive IRS Call-Center Scam".

Much more investigating and arresting needs to be done, but it is a great sign that the problem is now receiving help from an emerging new generation of Indian Cybercrime Detectives!



Saturday, December 15, 2018

Bogus Bomb Threats Demanding Bitcoin Disrupt Businesses

Bogus bomb threats created a scare across the country. A quick note here that I'll dive into more deeply next week. The big question at this time, with MANY of the IP addresses found in email headers originating from Moscow, Russia: is this "Russian influence" designed to disrupt American commerce, or is this just a spammer looking for a new way to make money?

IF YOU HAVE SAMPLES OF THE EMAIL, PLEASE REPORT THEM

The more emails we have to analyze, the better our understanding of this threat will be.  While reporting to the FBI's IC3.gov is a great idea, and highly encouraged, that hides the details from security researchers such as myself.  One great place to report any type of fraudulent bitcoin activity is "BitCoinAbuse.com".  If you decide to report there, please extract the sending IP address and the email Subject from your spam and include them as part of the report.  We can cluster on both of those things.  (Including the bitcoin address used is a given.)

Extracts taken from BitCoinAbuse.com follow below. You can read the original reports yourselves here:

(If you have a sample of one of these emails, please consider filling out a BitCoinAbuse.com/report - but please make sure to include the SENDING IP ADDRESS from the email headers!)

Email Bodies contain Spam-template randomization

Here are extracts from many of the spam messages. Note for example the [man | mercenary | recruited person] and [tronitrotoluene | Hexogen | Tetryl] substitutions. Or the [suspicious | unnatural | strange] [activity | behavior] or the [power the device | device will be blown up | power the bomb]. This is very characteristic spam behavior.

Subjects reported by the NCFTA include:

Subject: Better listen to me
Subject: Bomb is in your building
Subject: Do not panic
Subject: Do not waste your time
Subject: Dont get on my nerves
Subject: I advise you not to call the police
Subject: I've collected some very interesting content about you
Subject: keep calm
Subject: My device is inside your building
Subject: Think about how they can help you
Subject: Think twice
Subject: We can make a deal
Subject: You are my victim
Subject: You are responsible for people
Subject: Your building is under my control
Subject: Your life is in your hands
Subject: Your life can be ruined, concentrate
Subject: You're my victim

(If you have examples of other Subjects, please share them in the comments section)

Hello. There is the bomb (tronitrotoluene) in the building where your company is located. It is constructed under my direction. It has small dimensions and it is hidden very carefully, it is not able to damage the supporting building structure, but you will get many wounded people if it detonates. My recruited person is controlling the situation around the building. If he notices any strange activity or policemen the device will be blown up. I want to propose you a deal. $20'000 is the value for your safety. Pay it to me in BTC and I assure that I have to withdraw my recruited person and the bomb will not explode. But do not try to deceive me- my assurance will become actual only after 3 confirms in blockchain. It is my btc address : 15qH84uLC49CmC6jRE958Qjcf9WRZ2rMuM

Good day. My mercenary hid an explosive device (Hexogen) in the building where your business is conducted. It was assembled according to my instructions. It is compact and it is hidden very carefully, it is impossible to damage the structure of the building by this bomb, but in case of its explosion you will get many victims.My mercenary is watching the situation around the building. If he notices any suspicious behavior, panic or cops he will blow up the bomb.I want to propose you a bargain. You transfer me 20'000 usd in BTC and the bomb will not explode, but don't try to deceive me -I guarantee you that I have to withdraw my man only after 3 confirmations in blockchain network. It is my Bitcoin address : 1LrZorkdqzPsg8JaGLwjLwg35viiH1Sv9v You must send bitcoins by the end of the working day.

My mercenary has carried an explosive device (Tetryl) into the building where your company is located. It was assembled under my direction. It can be hidden anywhere because of its small size, it is impossible to destroy the building structure by this explosive device, but if it detonates there will be many victims. My recruited person is watching the situation around the building. If he sees any unusual behavior or policemen he will power the device. I would like to propose you a deal. 20.000 dollars is the cost for your life. Tansfer it to me in BTC and I ensure that I will call off my man and the bomb will not explode. But do not try to fool me- my warranty will become valid only after 3 confirms in blockchain network. Here is my BTC address - 15qH84uLC49CmC6jRE958Qjcf9WRZ2rMuM You have to pay me by the end of the working day, if you are late with the payment the device will explode.

Good day. I write you to inform you that my mercenary hid an explosive device (lead azide) in the building where your company is located. My recruited person constructed a bomb under my direction. It can be hidden anywhere because of its small size, it can not damage the supporting building structure, but you will get many victims in case of its explosion. My mercenary keeps the territory under the control. If he notices any unnatural behavior or emergency he will power the bomb. I can call off my man if you make a transfer. 20'000 usd is the price for your safety. Pay it to me in Bitcoin and I guarantee that I will call off my mercenary and the device will not detonate. But do not try to cheat- my assurance will become valid only after 3 confirmations in blockchain.

Good day. There is a bomb (tronitrotoluene) in the building where your company is conducted. My recruited person constructed the explosive device according to my instructions. It can be hidden anywhere because of its small size, it is impossible to destroy the structure of the building by my explosive device, but in case of its explosion you will get many victims. My man keeps the territory under the control. If any unnatural behavior, panic or emergency is noticed the device will be blown up. I can call off my recruited person if you make a transfer. 20'000 usd is the price for your safety. Tansfer it to me in Bitcoin and I ensure that I will withdraw my mercenary and the bomb won't explode. But do not try to deceive me- my warranty will become valid only after 3 confirms in blockchain network. My payment details (Bitcoin address): 1CDs3JXUU6wNmndAF7EFcrJ6GGSYRKXd7w

My man hid a bomb (lead azide) in the building where your business is conducted. It was constructed according to my guide. It is small and it is hidden very well, it is impossible to destroy the supporting building structure by this explosive device, but you will get many victims in the case of its detonation. My mercenary keeps the territory under the control. If any unnatural activityor emergency is noticed the bomb will be blown up. I would like to propose you a deal. You transfer me $20'000 in Bitcoin and explosive will not explode, but do not try to cheat -I warrant you that I will call off my man solely after 3 confirmations in blockchain network.

Hello. There is the bomb (lead azide) in the building where your business is conducted. My man built the explosive device according to my instructions. It is compact and it is hidden very carefully, it is impossible to damage the structure of the building by this explosive device, but if it detonates you will get many victims. I would like to propose you a bargain. 20.000 dollars is the cost for your life. Pay it to me in BTC and I guarantee that I have to call off my man and the device will not explode. But do not try to cheat- my guarantee will become valid only after 3 confirmations in blockchain network.

My man has carried the explosive device (tronitrotoluene) into the building where your business is conducted. My recruited person constructed the bomb according to my guide. It can be hidden anywhere because of its small size, it can not destroy the supporting building structure, but in the case of its detonation there will be many wounded people. My man is controlling the situation around the building. If any unnatural activity, panic or policeman is noticed the device will be blown up.

I write you to inform you that my recruited person carried the explosive device (Tetryl) into the building where your business is located. It is assembled according to my instructions. It can be hidden anywhere because of its small size, it is impossible to destroy the building structure by this bomb, but in case of its explosion there will be many victims. My man is controlling the situation around the building. If he sees any suspicious activity, panic or emergency the device will be exploded. I can withdraw my mercenary if you make a transfer. You transfer me 20.000 dollars in Bitcoin and the device will not detonate, but don't try to fool me -I ensure you that I will withdraw my recruited person only after 3 confirmations in blockchain. Here is my BTC address - 161JE4rHfvygXUVLya8N2WFptjwon2172t
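To show what "clustering" on the template slots and the bitcoin address looks like in practice, here is an added Python example (my own code, not code from the original post, from BitCoinAbuse.com or from the NCFTA). It takes four of the message bodies quoted above, pulls out the Bitcoin address, the explosive named in parentheses and the dollar amount, records which synonym filled each randomized slot, and collapses each body to a shared skeleton so messages from the same generator can be grouped even when every visible word was rotated. The slot names, the regular expressions and the `cluster_by_address` grouping are assumptions made for this illustration; the address pattern only checks the Base58 shape, not the checksum, so treat it as a candidate extractor rather than a validator.

```python
"""Normalize templated bomb-threat spam and group it by payment address.

Added example, not part of the original post.  The four bodies below are copied
from the samples quoted in the post (constructed corpus for this demo); sample 4
deliberately carries no address so the "no address" path is exercised.
"""
import re
from collections import defaultdict

SAMPLES = [
    "Hello. There is the bomb (tronitrotoluene) in the building where your company is located. It is constructed under my direction. "
    "It has small dimensions and it is hidden very carefully, it is not able to damage the supporting building structure, but you will get many wounded people if it detonates. "
    "My recruited person is controlling the situation around the building. If he notices any strange activity or policemen the device will be blown up. "
    "I want to propose you a deal. $20'000 is the value for your safety. Pay it to me in BTC and I assure that I have to withdraw my recruited person and the bomb will not explode. "
    "But do not try to deceive me- my assurance will become actual only after 3 confirms in blockchain. It is my btc address : 15qH84uLC49CmC6jRE958Qjcf9WRZ2rMuM",
    "Good day. My mercenary hid an explosive device (Hexogen) in the building where your business is conducted. It was assembled according to my instructions. "
    "It is compact and it is hidden very carefully, it is impossible to damage the structure of the building by this bomb, but in case of its explosion you will get many victims."
    "My mercenary is watching the situation around the building. If he notices any suspicious behavior, panic or cops he will blow up the bomb."
    "I want to propose you a bargain. You transfer me 20'000 usd in BTC and the bomb will not explode, but don't try to deceive me -I guarantee you that I have to withdraw my man only after 3 confirmations in blockchain network. "
    "It is my Bitcoin address : 1LrZorkdqzPsg8JaGLwjLwg35viiH1Sv9v You must send bitcoins by the end of the working day.",
    "My mercenary has carried an explosive device (Tetryl) into the building where your company is located. It was assembled under my direction. "
    "It can be hidden anywhere because of its small size, it is impossible to destroy the building structure by this explosive device, but if it detonates there will be many victims. "
    "My recruited person is watching the situation around the building. If he sees any unusual behavior or policemen he will power the device. "
    "I would like to propose you a deal. 20.000 dollars is the cost for your life. Tansfer it to me in BTC and I ensure that I will call off my man and the bomb will not explode. "
    "But do not try to fool me- my warranty will become valid only after 3 confirms in blockchain network. Here is my BTC address - 15qH84uLC49CmC6jRE958Qjcf9WRZ2rMuM "
    "You have to pay me by the end of the working day, if you are late with the payment the device will explode.",
    "Good day. I write you to inform you that my mercenary hid an explosive device (lead azide) in the building where your company is located. "
    "My recruited person constructed a bomb under my direction. It can be hidden anywhere because of its small size, it can not damage the supporting building structure, but you will get many victims in case of its explosion. "
    "My mercenary keeps the territory under the control. If he notices any unnatural behavior or emergency he will power the bomb. I can call off my man if you make a transfer. "
    "20'000 usd is the price for your safety. Pay it to me in Bitcoin and I guarantee that I will call off my mercenary and the device will not detonate. "
    "But do not try to cheat- my assurance will become valid only after 3 confirmations in blockchain.",
]

# Synonym classes visible in the samples, each collapsed to one slot token.  These slot
# names and word lists are assumptions for this demo.  Longer alternatives come first so
# "recruited person" is consumed before "man" can match inside it.
SLOTS = {
    "AGENT": r"recruited person|mercenary|man",
    "EXPLOSIVE": r"tronitrotoluene|hexogen|tetryl|lead azide",
    "ODD": r"suspicious|unnatural|strange|unusual",
    "BEHAVIOR": r"activity|behavior",
    "POLICE": r"policemen|policeman|police|cops",
    "DETONATE": r"(?:device|bomb) will be (?:blown up|exploded)|blow up the (?:bomb|device)|power the (?:device|bomb)",
}
SLOT_RE = {name: re.compile(r"\b(?:%s)\b" % pat) for name, pat in SLOTS.items()}

# Legacy Bitcoin address shape (leading 1 or 3, then 25-34 Base58 characters).  Shape only:
# no checksum check, so this extracts candidates rather than proving validity.
BTC_RE = re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b")
# Amounts appear as "$20'000", "20'000 usd" and "20.000 dollars"; the separator varies.
AMOUNT_RE = re.compile(r"\$?\s?(\d{1,3}(?:[',.]\d{3})+)")
EXPLOSIVE_RE = re.compile(r"\(([^)]+)\)")


def extract_btc_address(text):
    """First Base58-shaped address in the body, or None if the template omitted it."""
    m = BTC_RE.search(text)
    return m.group(0) if m else None


def extract_amount(text):
    """Demanded amount as an integer, with the randomized thousands separator removed."""
    m = AMOUNT_RE.search(text)
    return int(re.sub(r"[',.]", "", m.group(1))) if m else None


def extract_explosive(text):
    """The explosive named in the first parenthetical, lower-cased."""
    m = EXPLOSIVE_RE.search(text)
    return m.group(1).lower() if m else None


def slot_values(text):
    """Which literal synonym(s) filled each slot in this body (sorted, lower-cased)."""
    low = text.lower()
    return {name: sorted(set(rx.findall(low))) for name, rx in SLOT_RE.items() if rx.search(low)}


def skeleton(text):
    """Replace address, amount and every synonym slot with a token; drop punctuation."""
    out = BTC_RE.sub("[BTC]", text).lower().replace("[btc]", "[BTC]")  # address before lowering
    out = AMOUNT_RE.sub("[AMOUNT]", out)
    for name, rx in SLOT_RE.items():
        out = rx.sub("[%s]" % name, out)
    out = re.sub(r"[^A-Za-z\[\] ]+", " ", out)
    return re.sub(r"\s+", " ", out).strip()


def similarity(a, b):
    """Jaccard overlap of skeleton word sets; near 1.0 means one generator, rotated words."""
    ta, tb = set(skeleton(a).split()), set(skeleton(b).split())
    return len(ta & tb) / len(ta | tb)


def summarize(samples):
    """One feature row per body, the fields a report to BitCoinAbuse.com would carry."""
    return [{"address": extract_btc_address(s), "explosive": extract_explosive(s),
             "amount": extract_amount(s), "slots": slot_values(s)} for s in samples]


def cluster_by_address(samples):
    """Group sample indexes by payment address; bodies without one land under None."""
    groups = defaultdict(list)
    for i, text in enumerate(samples):
        groups[extract_btc_address(text)].append(i)
    return dict(groups)


if __name__ == "__main__":
    for i, row in enumerate(summarize(SAMPLES)):
        print(i, row)
    print(cluster_by_address(SAMPLES))
    print("sim(0,2) = %.2f" % similarity(SAMPLES[0], SAMPLES[2]))
```

Running the block prints one feature row per body and then the address groups; samples 1 and 3 fall into the same group because they share an address even though their wording differs in almost every slot. The skeleton function is the piece that scales: once the rotated words are replaced by tokens, a stream of these messages can be bucketed by skeleton similarity, with the address, sending IP and Subject kept alongside as the pivots the post asks reporters to include.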


These were EVERYWHERE - NOT targeted

Dozens of law enforcement agencies tweeted about these threats being received in their local area.  If you are aware of such "official" tweets, please leave a link to the Twitter Status report in the comments section below. 

Even AFTER it was well known that these were hoaxes, many law enforcement agencies continued to respond with full bomb squad roll-outs.  Given the history in Oklahoma City, this was especially understandable there, but wasted a tremendous amount of resources as they responded to AT LEAST thirteen threats just in that city!

Here are a few examples, and then a longer list in Table form:


https://twitter.com/HsvPolice/status/1073310129284661254

https://twitter.com/PelhamPoliceAL/status/1073323648436658176

https://twitter.com/TulsaPolice/status/1073309200967761923

https://twitter.com/houstonpolice/status/1073320693507506177

Each entry in the table below is an "official" Tweet indicating local law enforcement responded to a bomb threat in that area.  If your locality is not listed, please search for "official" notices for your area and share them in our comments section.  Thanks!

Calgary, Alberta, CA
Calgary, Alberta, CA
Winnipeg, Manitoba, CA
London, Ontario, CA
Toronto, Ontario, CA
Anniston, Alabama
Pelham, Alabama
Anchorage, Alaska
Phoenix, Arizona
Bakersfield, California
Chico, California
Chino, California
Garden Grove, California
Los Angeles, California
San Francisco, California
San Francisco, California
Santa Rosa, California
Ottawa, Canada
Aurora, Colorado
Fort Collins, Colorado
Danbury, Connecticut
Wallingford, Connecticut
Ocala, Florida
Sanford, Florida
Tampa, Florida
Atlanta, Georgia
Dekalb County, Georgia
Valdosta, Georgia
Honolulu, Hawaii
Chicago, Illinois
Chicago, Illinois
Indianapolis, Indiana
Cedar Rapids, Iowa
Wichita, Kansas
Wichita, Kansas
Lexington, Kentucky
Portland, Maine
Frederick, Maryland
Salisbury, Maryland
Boston, Massachusetts
Salisbury, Massachusetts
Massachusetts State Police
Detroit, Michigan
Grand Blanc, Michigan
Grand Rapids, Michigan
Long Beach, Mississippi
Raleigh, North Carolina
Lincoln, Nebraska
Lincoln, Nebraska
Omaha, Nebraska
Linden, New Jersey
Buffalo, New York
Buffalo, New York
Buffalo, New York
New York, New York
Niagara Falls, New York
Rochester, New York
Boone, North Carolina
Boone, North Carolina
UNC Raleigh, North Carolina
Cleveland, Ohio
Columbus, Ohio
Bexley, Ohio (Capital University)
Oklahoma City, Oklahoma
Oklahoma City, Oklahoma
Tulsa, Oklahoma
Erie, Pennsylvania
Lancaster, Pennsylvania
Memphis, Tennessee
Beaumont, Texas
El Paso, Texas
Frisco, Texas
Houston, Texas
Lubbock, Texas
Rosenberg, Texas
St. George, Utah
St. George, Utah
Chesterfield County, Virginia
Hampton Roads, Virginia
Bellevue, Washington
Massachusetts State Police
Michigan State Police
Michigan State Police
Notre Dame University
Washington DC