PROJET AUTOBLOG

Krebs on Security

Original site: Krebs on Security

A Look Inside Cybercriminal Call Centers

Monday, January 11, 2016 at 06:20

Crooks who make a living via identity theft schemes, dating scams and other con games often run into trouble when presented with a phone-based challenge that requires them to demonstrate mastery of a language they don’t speak fluently. Enter the criminal call center, which allows scammers to outsource those calls to multi-lingual men and women who can be hired to close the deal.

Some of these call centers are Web-based, allowing customers to upload information about their targets to a service that initiates the call to a bank, credit provider, shipping company or dating scam victim (for more on the role played by call centers in dating schemes, see last week’s story, Fraudsters Automate Russian Dating Scams). Other call centers require customers to supply information about the target and the needed service via Jabber instant message. This post focuses on Web-based call services.

In the call service pictured below, we can see one user ordering a $250 radio-controlled toy Ford Mustang as a gift for someone’s kid for the holidays. The customer of the call service specifies the American Express card account to be used for the transaction, and requests that the order be expedited to a reshipping mule who will forward the goods to Russia. The status of the transaction indicates that this particular order was successfully placed on Jan. 7, 2016.


A customer of this crooked call center is ordering a holiday gift for someone’s kid.

One of the cybercrime underground’s oldest call center services — CallMeBaby — serves a variety of swindles but specializes in helping criminals cash out dating scams. It charges $10 for each call in English, and $12 for calls in German, French, Italian, Spanish, Portuguese and Polish. Here’s an ad for the four-year-old service, which features an illustration of a blonde woman chatting with President Obama:


An underground ad for a call service run by a cybercrook who uses the nickname “Sparta.”

CallMeBaby advertises the availability of a man and a woman who can impersonate anyone in the languages listed above, and operates between 17:00 and 03:00 Moscow time (business hours in America).

The CallMeBaby Web-based service, pictured below, includes an “urgent” button where paying customers in a special hurry can expedite calls for an extra fee. “Sparta,” the nickname of the cybercrook who runs the service, warns customers that if the call service has to make a second call to complete the transaction because the customer supplied insufficient information, that customer will be charged twice.


Criminal call service CallMeBaby. The guy pictured between the two girls is NSA whistleblower Edward Snowden.

“If you call the bank it can take up to 40 minutes (during rush hour, getting bank statements sometimes takes a long time),” Sparta says in an ad for his service. “But we will do everything to make your call as quick as possible.”

Crooked call services, like other dodgy online businesses, rely on catchy advertisements and graphic designs to differentiate themselves from other services and to attract new customers. The sketch below — shown from concept to completed product — was commissioned by a call center operator and intercepted after being posted to a file-sharing site online. The image depicts a female call service employee successfully tricking an American Express customer service person into approving a fraudulent transaction.


This image shows a commissioned ad for a criminal call center service, from concept to final design. Credit: Hold Security.

Criminal call centers would seem to be a terrific opportunity for voice biometrics technology, an anti-fraud solution which focuses on building unique voice fingerprints of known criminals and applying special anti-fraud screening to future calls from individuals who match those voice profiles.

Account Takeovers Fueling ‘Warranty Fraud’

Wednesday, January 6, 2016 at 20:15

Cybercrime takes many forms, but one of the more insidious and perhaps less obvious manifestations is warranty fraud. This scheme involves con artists who assume the identity of a consumer, complain that a given product has ceased to operate as expected, and demand that the retailer replace the article in question. Such claims turn into a loss for targeted merchants when the scammer hacks an unwitting customer’s account and replaces the customer’s email address with his own address and demands that the retailer ship him a brand new device.


Leakforums is a big source of account takeover and warranty fraud for a variety of products.

Fitness tracking giant FitBit recently found itself the target of such fraud in the last few months of 2015, when the company noticed large caches of data from customer accounts being posted to Pastebin. To the untrained eye, such data might seem at first glance to indicate that FitBit had experienced a breach that exposed their user account data. Included in the data dumps posted to Pastebin were details about the make and model number of each user’s fitness tracker, as well as information about the last time the user had synced the device.

But a more nuanced look at the information posted to Pastebin and other public data dump sites indicates that FitBit is just the latest victim of customer account takeovers powered by breaches at other e-commerce providers.


Hacked FitBit user accounts sell for about $2 apiece.

I reached out to FitBit about this, and the company’s security chief Marc Bown said the data appears to be coming from a couple of sources: customer computers that have been compromised by password-stealing malware, and customers who re-use the same credentials across a broad swath of sites online.

“They’re mainly interested in the premium devices,” Bown said, referring to the most expensive devices that FitBit sells — such as the Surge, which retails for about $250. “Those are the ones that we’re seeing are most targeted for warranty fraud.”

Bown said the fraudsters will log in to the customer’s account and change the email address on the account. The scammers then call FitBit’s customer service folks, claim that their device has stopped working, and demand a replacement.

“Basically, they start a support case with customer service, but before they do that, they change the email address on the account they hacked to an address that they control, and at that point they are the customer,” Bown said. “For a lot of customers, this ends up creating a pretty negative experience.”

Bown said after several weeks of battling warranty fraud, the company has more or less solved the problem by educating their customer service employees and assigning risk scores to all warranty replacement requests.

“Account takeover is a thing for all online organizations,” Bown said. “If we see an account that was used in a suspicious way, or a large number of login requests for accounts coming from a small group of Internet addresses, we’ll lock the account and have the customer reconfirm specific information.”
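One way to operationalize the two signals Bown describes (a burst of logins to many accounts from one address, and a replacement request on an account whose email was just changed), as an added example that is not FitBit’s code or the article’s; the event log, thresholds and weights are constructed for illustration:

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed account-event log (not real FitBit data): timestamp, event kind,
# then key=value fields. 198.51.100.10 logs in to four accounts within seconds.
EVENTS_TEXT = """\
2016-01-05T09:00:00 login user=alice ip=198.51.100.10
2016-01-05T09:00:02 login user=bob ip=198.51.100.10
2016-01-05T09:00:04 login user=carol ip=198.51.100.10
2016-01-05T09:00:05 login user=dave ip=198.51.100.10
2016-01-05T09:01:00 email_change user=bob ip=198.51.100.10
2016-01-06T14:00:00 login user=erin ip=203.0.113.5
2016-01-07T11:00:00 warranty_request user=bob ip=198.51.100.10 device=Surge
2016-01-07T11:30:00 warranty_request user=erin ip=203.0.113.5 device=Flex
"""
PREMIUM_DEVICES = {"Surge"}  # the models Bown says are targeted most

def parse_events(text):
    """Parse 'timestamp kind k=v ...' lines into dicts with a datetime ts."""
    events = []
    for line in text.splitlines():
        ts, kind, *kv = line.split()
        ev = {"ts": datetime.fromisoformat(ts), "kind": kind}
        ev.update(pair.split("=", 1) for pair in kv)
        events.append(ev)
    return events

def stuffing_ips(events, min_accounts=3, window=timedelta(minutes=10)):
    """IPs that logged in to >= min_accounts distinct accounts within window."""
    by_ip = defaultdict(list)
    for ev in events:
        if ev["kind"] == "login":
            by_ip[ev["ip"]].append((ev["ts"], ev["user"]))
    flagged = set()
    for ip, logins in by_ip.items():
        logins.sort()
        for i, (t0, _) in enumerate(logins):
            users = {u for t, u in logins[i:] if t - t0 <= window}
            if len(users) >= min_accounts:
                flagged.add(ip)
                break
    return flagged

def score_request(events, req, lookback=timedelta(days=7)):
    """Risk score and reasons for one warranty_request event (weights are made up)."""
    recent_change = any(e["kind"] == "email_change" and e["user"] == req["user"]
                        and req["ts"] - lookback <= e["ts"] <= req["ts"]
                        for e in events)
    signals = [(recent_change, 50, "email changed before request"),
               (req["ip"] in stuffing_ips(events), 30, "IP seen in login burst"),
               (req.get("device") in PREMIUM_DEVICES, 20, "premium device")]
    return sum(w for hit, w, _ in signals if hit), [r for hit, _, r in signals if hit]

def review_queue(text, threshold=50):
    """Map user -> (score, reasons) for requests that need manual review."""
    events = parse_events(text)
    scored = ((e["user"], score_request(events, e))
              for e in events if e["kind"] == "warranty_request")
    return {u: sr for u, sr in scored if sr[0] >= threshold}
```

Requests that land in the review queue are the ones Bown describes holding for reconfirmation of account details rather than shipping automatically.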

E-commerce companies can increase the level of security for user accounts by requiring two-step or two-factor authentication, which usually involves sending a one-time code to the user’s mobile device that needs to be inputted in addition to the customer’s username and password. Bown said FitBit is considering adding this capability to user accounts.

“I’m not sure the type of user who is using the same password at every site is the great target for that,” Bown said. “But we should offer it, and it’s something we plan to offer in 2016 natively.”

Fraudsters Automate Russian Dating Scams

Monday, January 4, 2016 at 06:02

Virtually every aspect of cybercrime has been made into a service or plug-and-play product. That includes dating scams — among the oldest and most common of online swindles. Recently, I had a chance to review a package of dating scam emails, instructions, pictures, videos and love letter templates that are sold to scammers in the underground, and was struck by how commoditized this type of fraud has become.

The dating scam package is assembled for and marketed to Russian-speaking hackers, with hundreds of email templates written in English and a variety of European languages. Many of the sample emails read a bit like Mad Libs or choose-your-own-adventure texts, featuring decision templates that include advice for ultimately tricking the mark into wiring money to the scammer.

The romance scam package is designed for fraudsters who prey on lonely men via dating Web sites and small spam campaigns. The vendor of the fraud package advertises a guaranteed response rate of at least 1.2 percent, and states that customers who average 30 scam letters per day can expect to earn roughly $2,000 a week. The proprietor also claims that his method is more than 20% effective within three replies and over 60% effective after eight.


One of hundreds of sample template files in the dating scam package.

The dating scam package advises customers to stick to a tried-and-true approach. For instance, scammers are urged to include an email from the mother of the girl in the first 10 emails between the scammer and a target. The scammer often pretends to be a young woman in an isolated or desolate region of Russia who is desperate for a new life, and the email from the girl’s supposed mother is intended to add legitimacy to the scheme.

Then there are dozens of pre-fabricated excuses for not talking on the phone, an activity reserved for the final stretch of the scam when the fraudster typically pretends to be stranded at the airport or somewhere else en route to the target’s home town.

“Working with dozens of possible outcomes, they carefully lay out every possible response, including dealing with broke guys who fell in love online,” said Alex Holden, the security expert who intercepted the romance scam package. “If the mark doesn’t have money, the package contains advice for getting him credit, telling the customer to restate his love and discuss credit options.”


A sample letter with multiple-choice options for creating unique love letter greetings.

Interestingly, although Russia is considered by many to be among the most hostile countries toward homosexuals, the makers of this dating scam package also include advice and templates for targeting gay men.

Also included in the dating scam tutorial is a list of email addresses and pseudonyms favored by anti-scammer vigilantes who try to waste the scammers’ time and otherwise prevent them from conning real victims. In addition, the package bundles several photos and videos of attractive Russian women, some of whom are holding up blank signs onto which the scammer can later Photoshop whatever message he wants.

Holden said that an enterprising fraudster with the right programming skills or the funds to hire a coder could easily automate the scam using bots that are programmed to respond to emails from the targets with content-specific replies.

CALL CENTERS TO CLOSE THE DEAL

The romance scam package urges customers to send at least a dozen emails to establish a rapport and relationship before even mentioning the subject of traveling to meet the target. It is in this critical, final part of the scam that the fraudster is encouraged to take advantage of criminal call centers that staff women who can be hired to play the part of the damsel in distress.


The login page for a criminal call center.

“When you get down to the final stage, there has to be a crisis, some compelling reason why the target should send you the money,” said Holden, founder of Hold Security [full disclosure: Yours Truly is an uncompensated adviser to Holden’s company]. “Usually this is something like the girl is stranded at the airport or needs money to get a travel visa. There has to be some kind of distress situation for this person to be duped into wiring money, which can be anywhere between $200 and $2,000 on average.”

Crooked call centers like the one pictured in the screen shot above employ male and female con artists who speak a variety of languages. When the call center employees are not being hired to close the deal on a romance scam, very often they are used to assist in bank account takeovers, redirecting packages with shipping companies, or handling fraudulent new credit applications that require phone verification.

Another reason that call centers aren’t used earlier in romance scams: Hiring one is expensive. The call center pictured above charges $10 per call, payable only in Bitcoin.

“If you imagine the cost of doing by phone every part of the scam, it’s rather high, so they do most of the scam via email,” Holden said. “What we tend to see with these dating scams is the scammer will tell the call center operator to be sure to mention special nicknames and to remind him of specific things they talked about in their email correspondence.”


An ad for a criminal call center that specializes in online dating scams. This one, run by a cybercrook who uses the nickname “Sparta,” says “Only the best calls for you.”

Check back later this week for a more in-depth story about criminal call centers.

Happy 6th Birthday, KrebsOnSecurity!

Tuesday, December 29, 2015 at 17:37

You know you’re getting old when you can’t remember your own birthday (a reader tipped me off). Today is the sixth anniversary of this site’s launch! KrebsOnSecurity turns 6! I’m pretty sure that’s like middle age in Internet years.

Absolutely none of this would be possible without you, Dear Reader. You have supported, encouraged and inspired me in too many ways to count these past years. The community that’s sprung up around here has been a joy to watch, and essential to the site’s success. Thank you!

I tried for at least one post per weekday in 2015, and came close, publishing some 206 entries this year (not counting this one). The frequency of new posts suffered a bit from September to November, when I was on the road nearly 24/7 for a series of back-to-back speaking gigs. Fun fact: Since its inception, this site has featured some 1,200 stories that generated more than 62,000 reader comments.

Here’s wishing you all a very happy, healthy, wealthy and safe New Year. Below are some of the KrebsOnSecurity posts that readers found most popular in 2015 (minus the Ashley Madison and Lizard Squad stuff), along with one or two of my personal favorites in no particular order.

How I Learned to Stop Worrying and Embrace the Security Freeze — Credit monitoring services offered in the wake of umpteen breaches this year won’t stop ID thieves from stealing your good name.

What’s in a Boarding Pass Barcode? – Sometimes the stories intended to be written in a “hey-did-you-know” format turn into national news. Who knew?

How Carders Can Use eBay as a Virtual ATM – “Triangulation fraud” is big business.

Sign Up at the IRS Before Crooks Do It For You – This story about how ID thieves used the IRS’s own site to steal taxpayer data was published three months before the IRS acknowledged that some 330,000 taxpayers had been impacted.

Intuit Failed at Know-Your-Customer Basics – Much of the tax refund fraud problem can be traced back to poor or non-existent authentication at online tax preparation firms, like TurboTax.

Hacker Who Sent Me Heroin Faces Charges in the U.S. – A stranger-than-fiction story about a cybercrime kingpin who tried to frame me for drug possession and failed spectacularly.

Bluetooth ATM Skimming Series in Mexico – I traveled to Cancun in September to chronicle the work of an ATM skimming gang that was bribing ATM technicians to get access to the insides of the cash machines.

Gas Theft Gangs Fuel Pump Skimming Scams – It’s truly remarkable how much effort crooks will put into extracting value from stolen credit and debit cards.

Inside Target Corp., Days After 2013 Breach – I got to look at a confidential, internal penetration test that Target commissioned just days after learning it had lost 40 million credit cards. It wasn’t pretty.

A Day in the Life of a Stolen Healthcare Record – Healthcare organizations have some serious and difficult security challenges ahead of them. I think that explains the reader interest in this story, coupled with the fact that there are so few stories out there about stolen medical info showing up for sale in the cybercrime underground.

Flash Player Patch Fixes 0-Day, 18 Other Flaws

Monday, December 28, 2015 at 21:43

Adobe has shipped a new version of its Flash Player browser plugin to close at least 19 security holes in the program, including one that is already being exploited in active attacks.

The new Flash version, v. 20.0.0.267 for most Mac and Windows users, includes a fix for a vulnerability (CVE-2015-8651) that Adobe says is being used in “limited, targeted attacks.” If you have Flash installed, please update it.

Better yet, get rid of Flash altogether, or at least disable it until and unless you need it. Doing without Flash just makes good security sense, and it isn’t as difficult as you might think: See my post, A Month Without Adobe Flash Player, for tips on how to minimize the risks of having Flash installed.

The most recent versions of Flash should be available from the Flash home page. Windows users who browse the Web with anything other than Internet Explorer may need to apply this patch twice, once with IE and again using the alternative browser (e.g., Firefox or Opera). This link should tell you whether your system has Flash and, if so, which version of Flash is installed in your browser.