I was driving a few weeks ago en route to an entirely unplugged weekend -- my first since 1987 -- when my cell phone rang. It was a woman from the fraud department at my bank. She wanted to know whether I was really in Larnaca, Cyprus, racking up $462 in charges for virtual goods on a social network/dating site called Badoo. No, I said, I was not in Larnaca, and I'd never heard of Badoo. Please terminate that card with extreme prejudice.
It had finally happened to me -- I'd been scammed by credit card thieves. Naturally, it had to happen when I was completely out of pocket, technology-wise. I spent my unplugged weekend fretting about how else I might have gotten reamed. As soon as I returned to civilization, though, I jumped onto the InterWebs to learn more about my thief.
[ Want to cash in on your IT experiences? InfoWorld is looking for stories of an amazing or amusing IT adventure, lesson learned, or tales from the trenches. Send your story to firstname.lastname@example.org. If we publish it, we'll keep you anonymous and send you a $50 American Express gift cheque. ]
With help from Badoo's fraud department, I learned that my scammer was "Katya," an alleged 28-year-old female interested in older men or, at least, older men's bank accounts. Katya had several profiles on Badoo, as it turns out, based in locations like Greece and Chile. (As I write this, one of those profiles is still live on the site.)
Her IP address routed to Atomintersoft.com, an anonymizing proxy service based in Moscow. Her registration email addresses were for a Russian news site (km.ru) that also operated a "dating" site, whose search criteria included how much you were willing to pay for each "date." She had a Yahoo email address (olympickatya) and a Skype number, both of which appeared to be dead by the time I tried them. Obviously Katya was a dummy account operated by Russian cyber crooks -- lovely.
The fraud expert informed me that my card was used to buy Badoo credits, which are required in order to unlock certain features, like the ability to chat with someone or to request photos. Katya used my card to buy points in several countries, apparently to make her profile accessible internationally.
She probably then used her Badoo "superpowers" to lure unsuspecting users to a porn site or a site that distributes malware, or she duped them into signing up for expensive SMS services, or possibly all three. There was no way to know for sure.
How did "Katya" get my card number? I still don't have a definitive answer, but there are really only a handful of possibilities.
- I got swiped. Someone could have double-swiped my card in a restaurant, or I might have used a dodgy ATM that stole my number as it doled out twenties. But if that was the case, how the heck did my number end up overseas? I did travel in France late last year; if somebody stole my credit card info back then, why wait until March to use it?
- I got crammed. I could have ordered something online from what I thought was a legitimate source, only to have bogus charges surreptitiously added later. I pored over my bank statements and found no weird charges or new low-rent venues that were likely to cram me. I'm nixing that theory too.
- I got infected. This is the most likely cause -- some piece of malicious code wormed its way onto my computer and stole my credit card information. Checking my security logs, I discovered that Norton Internet Security had detected and blocked a Blackhole Toolkit Website attack on my system about two days before my card was first used. At least, Norton thinks it blocked the intruder. I'm not so sure.
Kevin Haley, a director for Symantec's Security Response team, says the Blackhole Toolkit attacks about 100,000 PCs every day. Its primary purpose is to steal logons and/or display fake antivirus software alerts to dupe people into spending $50 on a useless program. Now that I think about it, I remember one of those bogus AV window popping up recently. I thought it was a spammy website -- guess it was a little more serious.
Haley says credit card numbers sell on the Internet black market for anywhere from 7 cents to $100 a pop. The really expensive ones are for banks with poor fraud-detection schemes, because that allows the scammers to rack up more charges. Fortunately, my bank isn't among that group. If it had been, who knows what damage I'd suffer at the hands of Katya?
I've learned my lesson, though. I'm going to keep a much closer watch on my security logs from now on, as well as my bank records. I'm going to scan my system (or use Norton Power Eraser) whenever I get even a whiff of something that smells foul. And I'm never unplugging for that long again. It's just too dangerous.
This article, "No one ever expects the Russian credit card scam," was originally published at InfoWorld.com. Track the crazy twists and turns of the tech industry with Robert X. Cringely's Notes from the Field blog, and subscribe to Cringely's Notes from the Underground newsletter. For the latest business technology news, follow InfoWorld.com on Twitter.