I was driving a few weeks ago en route to an entirely unplugged weekend -- my first since 1987 -- when my cell phone rang. It was a woman from the fraud department at my bank. She wanted to know whether I was really in Larnaca, Cyprus, racking up $462 in charges for virtual goods on a social network/dating site called Badoo. No, I said, I was not in Larnaca, and I'd never heard of Badoo. Please terminate that card with extreme prejudice.
It had finally happened to me -- I'd been scammed by credit card thieves. Naturally, it had to happen when I was completely out of pocket, technology-wise. I spent my unplugged weekend fretting about how else I might have gotten reamed. As soon as I returned to civilization, though, I jumped onto the InterWebs to learn more about my thief.
[ Want to cash in on your IT experiences? InfoWorld is looking for stories of an amazing or amusing IT adventure, lesson learned, or tales from the trenches. Send your story to firstname.lastname@example.org. If we publish it, we'll keep you anonymous and send you a $50 American Express gift cheque. ]
With help from Badoo's fraud department, I learned that my scammer was "Katya," an alleged 28-year-old female interested in older men or, at least, older men's bank accounts. Katya had several profiles on Badoo, as it turns out, based in locations like Greece and Chile. (As I write this, one of those profiles is still live on the site.)
Her IP address routed to Atomintersoft.com, an anonymizing proxy service based in Moscow. Her registration email addresses were for a Russian news site (km.ru) that also operated a "dating" site, whose search criteria included how much you were willing to pay for each "date." She had a Yahoo email address (olympickatya) and a Skype number, both of which appeared to be dead by the time I tried them. Obviously Katya was a dummy account operated by Russian cyber crooks -- lovely.
The fraud expert informed me that my card was used to buy Badoo credits, which are required in order to unlock certain features, like the ability to chat with someone or to request photos. Katya used my card to buy points in several countries, apparently to make her profile accessible internationally.
She probably then used her Badoo "superpowers" to lure unsuspecting users to a porn site or a site that distributes malware, or she duped them into signing up for expensive SMS services, or possibly all three. There was no way to know for sure.
How did "Katya" get my card number? I still don't have a definitive answer, but there are really only a handful of possibilities.