In March Alexsandr Bernik of Roseville, California, was sentenced to 70 months in prison for running a similar scam. He put tens of thousands of charges on Amex accounts, each ranging from $9 to $15. Neither federal authorities nor American Express would explain how Bernik obtained his card numbers.
Bernik made his charges on behalf of a fictional corporation called Lexbay Ltd., but in the FTC case, the scammers would mimic legitimate companies -- taking real federal tax I.D. numbers and then setting up fake businesses with nearly identical names that appeared to be located nearby. In a move that apparently tricked credit card processors into granting it a merchant account, Adele Services, for example, was set up to mimic a legitimate Bronx, New York group called Adele Organization.
When the scammers tried to register merchant accounts with credit card processors, the processors would do some investigating, but using tricks like these, the scammers were always one step ahead.
In fact, the FTC's description of their operation reads like a textbook on how to set up a fake virtual corporation in the Internet age.
The criminals used a range of legitimate business services to make it appear to credit card processors as though they were legitimate U.S. companies, even though the scammers may have never set foot in the U.S.
For example, using a company called Regus, they were able to give their fictional companies addresses that were very close to the companies whose tax IDs they were stealing. Regus lets companies operate "virtual offices" out of a number of prestigious addresses throughout the U.S. -- the Chrysler Building in New York for example -- forwarding mail for as little as US$59 per month.
Mail sent to Regus locations was then forwarded to another company, called Earth Class Mail, which scans correspondence and uses the Internet to deliver it to customers in pdf format.
They used another legitimate virtual business service -- United World Telecom's CallMe800 -- to have phone calls forwarded overseas. To further make it seem as though their companies were legitimate, the scammers would set up fake retail Web sites. And when credit card processors asked them to provide information about company executives, they handed over legitimate names and social security numbers, stolen from ID theft victims.
When they had to log into payment processor Web sites, they would do this from IP addresses that were located near their virtual offices, again evading payment processor fraud detection services.
One of the largest payment processors in the U.S., First Data, was a favorite of the scammers. Of the 116 fake merchant accounts the FTC uncovered, 110 were with First Data. The scammers also set up bogus accounts with Elavon and BBVA Compass.
Sign up for Computerworld eNewsletters.