The Federal Trade Commission is cracking down an international micropayment scam that stole almost $10 million from users' credit and debit cards by lifting sometimes just pennies at a time.
The FTC shut down phony merchant accounts used by the scammers, while putting a kibosh on at least 14 money mules who were helping to funnel money stolen from compromised credit and debit cars to phony merchant accounts set up by an international cyber gang.
During the scam, the cyber thieves skimmed off micro-payments from compromised credit and debit cards and channeled the funds to bogus organizations created by the attackers.
Altogether, the fraudsters took anywhere from $0.25 to $9 per transaction, which remained undetected by antifraud software as well as by the theft victims who perhaps didn't feel inclined to dispute a low sum with their credit card companies. The fraudsters usually only made one transaction per card.
Altogether, the thieves charged a total of $9.5 million from a total of 1.35 million compromised cards over a period of four years starting in 2006. However, only about 10 percent of the fraudulent charges were ever reported or contested, according to the FTC.
The years-long scam, first reported by IDG News Service, achieved success, in part, because the attackers were able to funnel the money into more than 100 phony organizations that had names similar to legitimate businesses. To add to the legitimacy, the merchant accounts were backed by real federal tax ID numbers, which enabled the scammers to trick credit card processors to granting the phony merchant accounts access to users' credit card accounts.
The scammers also purchased domain names for the front companies, and set up phone numbers and virtual office addresses through services such as Regus. Some of the bogus merchant account names included Adele Services, Centrum Group, Image Company, Mark Silver, Data Services, Search Services and Union Green, among others.
According to IDG New Service, the scammers also set up fake retail Web sites, and handed over names and social security numbers of ID theft victims when probed by credit card processors about company executives.
Once approved by the card processors, the fake companies were able to access the stolen credit and debit card accounts.
According to court documents from the U.S. District Court for the Northern District of Illinois, scammers recruited what are known as money mules -- contract cyber laborers recruited to move money from one place to another -- via a spam campaign that posted an ad for a U.S.-based financial manager at an international financial services company.
The money mules then opened numerous bank accounts and about 100 fake LLCs for the scammers, which were subsequently used as a repository to dump the stolen money. The money mules then transferred the stolen money from the business accounts into accounts Eastern European accounts in Bulgaria, Cyprus, Estonia and Lithuania.
Thus far, the FTC has been unable to track down the masterminds behind the scam, but has identified some of the money mules.