Most of the ATM skimming attacks written about on this blog conclude with security personnel intervening before the thieves manage to recover their skimmers along with the stolen card data and PINs. However, an increasingly common form of ATM fraud — physical destruction — costs banks plenty, even when crooks walk away with nothing but bruised egos and sore limbs.

An ATM technician and KrebsOnSecurity reader shared photos of a recent attack in which three would-be robbers went to town on a wall-mounted cash machine with crowbars and hammers.

According to the technician, the burglars ruined a $13,000 cash acceptor, a $5,000 check scanner, a $900 monitor, and a $700 card reader, among many other pricey items. Hardly any part of the machine escaped damage.

The carnage from this incident looks like something out of a bad Transformers movie.

For all their work, the closest that the crooks got to the money was chipping the safe hinge.

The thieves in this case clearly didn’t have the right tools for the job. The real pros come armed with thermal tools to cut into the thick metal parts, as described in a recent update from the European ATM Security Team (EAST). As shown in the images below, the crooks draped flame-retardant cloth around the ATM while they set to work cutting into the cash machine with a gas-powered torch.

In December 2014, I wrote about a spike in attacks on ATMs in Europe in which thieves attempt to blast open the cash machines with explosive gas. Since then, Bloomberg Business has published “Boom,” a detailed look at the growth of explosive gas attacks on ATMs since 2013.

In October 2014, KrebsOnSecurity examined a novel “replay” attack that sought to exploit implementation weaknesses at U.S. financial institutions that were in the process of transitioning to more secure chip-based credit and debit cards. Today’s post looks at one service offered in the cybercrime underground to help thieves perpetrate this type of fraud.

Several U.S. financial institutions last year reported receiving tens of thousands of dollars in fraudulent credit and debit card transactions coming from Brazil and hitting card accounts stolen in recent retail heists, principally cards compromised as part of the October 2014 breach at Home Depot. The affected banks were puzzled by the attacks because the fraudulent transactions were all submitted through Visa and MasterCard‘s networks as chip-enabled transactions, even though the banks that issued the cards in question hadn’t yet begun sending customers chip-enabled cards.

Fraud experts said the most likely explanation for the activity was that crooks were pushing regular magnetic stripe transactions through the card network as chip card purchases using a technique known as a “replay” attack. According to one bank interviewed at the time, MasterCard officials explained that the thieves were likely in control of a payment terminal and had the ability to manipulate data fields for transactions put through that terminal. After capturing traffic from a real chip-based chip card transaction, the thieves could insert stolen card data into the transaction stream, while modifying the merchant and acquirer bank account data on-the-fly.

Recently, KrebsOnSecurity encountered a fraudster in a popular cybercrime forum selling a fairly sophisticated software-as-a-service package to do just that. The seller, a hacker who reportedly specializes in selling skimming products to help thieves steal card data from ATMs and point-of-sale devices, calls his product “Revolution” and offers to provide buyers with a list of U.S. financial institutions that have not fully or properly implemented systems for accepting and validating chip-card transactions.

First, a bit of background on chip-based cards is in order. Chip cards are synonymous with a standard called EMV (short for Europay, MasterCard and Visa), a global payment system that has already been adopted by every other G20 nation as a more secure alternative to cards that simply store account holder data on a card’s magnetic stripe. EMV cards contain a secure microchip that is designed to make the cards very difficult and expensive to counterfeit.

There are several checks that banks can use to validate the authenticity of chip card transactions. The chip stores encrypted data about the cardholder account, as well as a “cryptogram” that allows banks to tell whether a card or transaction has been modified in any way. The chip also includes an internal “counter” mechanism that gets incremented with each sequential transaction, so that a duplicate counter value or one that skips ahead may indicate data copying or other fraud to the bank that issued the card.

It appears that the Evolution software is designed to target banks that are in the process of architecting their payment networks to handle EMV transactions, but that nevertheless aren’t yet properly checking the EMV cryptogram and/or counter for these transactions. It also seems that some banks have inexplicably lowered their fraud controls on EMV transactions, even though they are not yet taking advantage of the added security protections offered by chip-based cards.

“The reason I think they bother to fake EMV transactions is that they know the EMV card issuing banks relax their fraud controls on them and don’t have it implemented properly and therefore they do not properly check the dynamic EMV data,” said Avivah Litan, a fraud analyst with Gartner Inc.

That’s precisely what the fraudster selling Evolution points out in his somewhat awkwardly-worded sales thread for his product, which he said relies on Java card software capable of writing to chip and mag-stripe based cards.  Java Card refers to a software technology that allows Java-based applications (applets) to be run securely on smart cards and similar small memory footprint devices. Java Card is the tiniest of Java platforms targeted for embedded devices, and was originally developed for the purpose of securing sensitive information stored on smart cards.

“The good news is that USA is shifting to EMV,” he writes. “ This software works with Java cards work with static EMV security not with dynamic. Static means the [counter] remains the same every transaction. The thing to add is that I will provide from a lot of banks that uses static some of them that has been tested on it after purchase. Imagine how many banks using STATIC!“

This same fraudster appears to be the operator of an online store called “Last Carding,” which sells stolen credit cards and includes a number of tutorials on how to conduct card fraud. The crook running this site says he’s online twice a day, but that he takes Sundays off. Interestingly, the clock on his Web store says he operates on Central America time (-06:00 GMT).

If you’re an American and haven’t yet created an account at irs.gov, you may want to take care of that before tax fraudsters create an account in your name and steal your personal and tax data in the process.

Recently, KrebsOnSecurity heard from Michael Kasper, a 35-year-old reader who tried to obtain a copy of his most recent tax transcript with the Internal Revenue Service (IRS). Kasper said he sought the transcript after trying to file his taxes through the desktop version of TurboTax, and being informed by TurboTax that the IRS had rejected the request because his return had already been filed.

Kasper said he phoned the IRS’s identity theft hotline (800-908-4490) and was told a direct deposit was being made that very same day for his tax refund — a request made with his Social Security number and address but to be deposited into a bank account that he didn’t recognize.

“Since I was alerting them that this transaction was fraudulent, their privacy rules prevented them from telling me any more information, such as the routing number and account number of that deposit,” Kasper said. “They basically admitted this was to protect the privacy of the criminal, not because they were going to investigate right away. In fact, they were very clear that the matter would not be investigated further until a fraud affidavit and accompanying documentation were processed by mail.”

In the following weeks, Kasper contacted the IRS, who told him they had no new information on his case. When he tried to get a transcript of the fraudulent return using the “Get Transcript” function on IRS.gov, he learned that someone had already registered through the IRS’s site using his Social Security number and an unknown email address.

“When I called the IRS to fix this, and spent another hour on hold, they explained they could not tell me what the email address was due to privacy regulations,” Kasper recalled. “They also said they could not change the email address, all they could do was ban access to eServices for my account, which they did. It was something at least.”

FORM 4506

Undeterred, Kasper researched further and discovered that he could still obtain a copy of the fraudulent return by filling out the IRS Form 4506 (PDF) and paying a $50 processing fee. Several days later, the IRS mailed Kasper a photocopy of the fraudulent return filed in his name — complete with the bank routing and account number that received the $8,936 phony refund filed in his name.

Earlier this month I wrote about Antidetect, a commercial tool designed to help thieves evade fraud detection schemes employed by many e-commerce companies. That piece walked readers through a sales video for Antidetect showing the software being used to buy products online with stolen credit cards. Today, we’ll take a closer look at clues to a possible real-life identity of this tool’s creator.

The author of Antidetect uses the nickname “Byte Catcher,” and advertises on several crime forums that he can be reached at the ICQ address 737084, and at the jabber instant messaging handles “byte.catcher@xmpp.ru” and “byte.catcher@0nl1ne.at”. His software is for sale at antidetect[dot]net and antidetect[dot]org.

Searching on that ICQ number turns up a post on a Russian forum from 2006, wherein a fifth-year computer science student posting under the name “pavelvladimirovich” says he is looking for a job and that he can be reached at the following contact points:

ICQ: 737084

Skype name: pavelvladimirovich1

email: gpvx@yandex.ru

According to a reverse WHOIS lookup ordered from Domaintools.com, that email address is the same one used to register the aforementioned antidetect[dot]org, as well as antifraud[dot]biz and hwidspoofer[dot]com (HWID is short for hardware identification, a common method that software makers use to ensure a given program license can only be used on one computer).

These were quite recent registrations (mid-2014), but that gpvx@yandex.ru email also was used to register domains in 2007, including allfreelance[dot]org and a domain called casinohackers[dot]com. Interestingly, one of the main uses that Byte Catcher advertises for his Antidetect software is to help beat fraud detection mechanisms used by online casinos. As we can see from this page at archive.org, a subsection of casinohackers.com was at one time dedicated to advertising Antidetect Patch — a version that comes with its own virtual machine.

That ICQ number is tied to a user named “collisionsoftware” at the Russian cybercrime forum antichat[dot]ru, in which the seller is advertising software that routes the user’s Internet connection through hacked PCs. He directs interested buyers to the web site cn[dot]viamk[dot]com, which is no longer online. But an archived version of that page at archive.org shows the same “collision” name and the words “freelance team.” The contact form on this site also lists the above-referenced ICQ number and email gpvx@yandex.ru, and even includes a résumé of the site’s owner.

Another domain connected to that antichat profile is cnsoft[dot]ru, the now defunct domain for Collision Software, which bills itself as a firm that can be hired to write software. The homepage lists the same ICQ number (737084).

The ICQ.com profile page for that number includes links to accounts on Russian fraud forums that are all named “Mysterious Killer.” In one of those accounts, on the fraud forum exploit[dot]in, Mysterious Killer lists the same Jabber and ICQ addresses, and offers a variety of services, including a tool to mass-check PayPal account credentials, as well as a full instructional course on click-fraud.

Both antifraud[dot]biz and allfreelance[dot]org were originally registered by an individual in Kaliningrad, Russia named Pavel V. Golub. Note that this name matches the initials in the email address gpvx@yandex.ru. KrebsOnSecurity has yet to receive a response to inquiries sent to that email and to the above-referenced Skype profile. Update, 1:05 p.m.: Pavel replied to my email, denying that he produced the video selling his software. “My software was cracked few years ago and then it as spreaded, selled by other people,” he wrote. Meanwhile, someone has started deleting photos and other items linked in this story.

Original story:

A little searching turns up this profile on Russian social networking giant Odnoklassniki.ru for one Pavel Golub, a 29-year-old male from Koenig, Russia. Written in Russian as “Кениг,” this is Russian slang for Kaliningrad and refers to the city’s previous German name.

One of Pavel’s five friends on Odnoklassniki is 27-year-old Vera Golub, also of Kaliningrad. A search of “Vera Golub, Kaliningrad” on vkontakte.com — Russia’s version of Facebook — reveals a vk.com group in Kaliningrad about artificial fingernails that has two contacts: Vera Ivanova (referred to as “master” in this group), and Pavel Vladimirovich (listed as “husband”).

The Vkontakte profile linked to Pavel’s name on that group has been deleted, but “Vera Ivanova” is the same face as Vera Golub from Pavel’s Odnoklassniki profile.

A profile of one of Vera’s friends – one Natalia Kulikova – shows some photos of Pavel from 2009, where he’s tagged as “Pavel Vladimirovich” and with the link to Pavel’s deleted Vkontakte profile.  Also, it shows his previous car, which appears to be a Mitsubishi Galant.

A search on the phone number “79527997034,” referenced in the WHOIS site registration records for Pavel’s domains — antifraud[dot]biz and hwidspoofer[dot]com — turns up a listing on a popular auto sales Web site wherein the seller (from Kaliningrad) is offering a 2002 Mitsubishi Galant. That same seller sold a 2002 BMW last year.

On one level, it’s amusing that a guy who sells software to help Web criminals evade detection is so easily found on the Internet. Then again, as my Breadcrumbs series demonstrates, many individuals involved in writing malware or selling fraud tools either do not care or don’t take too many precautions to hide their identities — probably because they face so little chance of getting into trouble over their activities as long as they remain in Russia.

The above photo of Pavel in his Mitsubishi isn’t such a clear one. Here are a couple more from Kulikova’s Vkontakte pictures.

Some of the most frank and useful information about how to fight fraud comes directly from the mouths of the crooks themselves. Online cybercrime forums play a critical role here, allowing thieves to compare notes about how to evade new security roadblocks and steer clear of fraud tripwires. And few topics so reliably generate discussion on crime forums around this time of year as tax return fraud, as we’ll see in the conversations highlighted in this post.

As several stories these past few months have noted, those involved in tax refund fraud shifted more of their activities away from the Internal Revenue Service and toward state tax filings. This shift is broadly reflected in discussions on several fraud forums from 2014, in which members lament the apparent introduction of new fraud “filters” by the IRS that reportedly made perpetrating this crime at the federal level more challenging for some scammers.

One outspoken and unrepentant tax fraudster — a ne’er-do-well using the screen name “Peleus” — reported that he had far more luck filing phony returns at the state level last year. Peleus posted the following experience to a popular fraud forum in February 2014:

“Just wanted to share a bit of my results to see if everyone is doing so bad or it just me…Federal this year has been a pain in the ass. I have about 35 applications made for federal with only 2 paid refunds…I started early in January (15-20) on TT [TurboTax] and HR [H&R Block] and made about 35 applications on Federal and State..My stats are as follows:

Federal: 35 applications (less than 10% approval rate) – average per return $2500

State: 35 apps – 15 approved (average per return $1600). State works just as great as last year, their approval rate is nearly 50% and processing time no more than 10 – 12 days.

I know that the IRS has new check filters this year but federals suck big time this year, i only got 2 refunds approved from 35 applications …all my federals are between $2300 – $2600 which is the average refund amount in the US so i wouldn’t raise any flags…I also put a small yearly salary like 25-30k….All this precautions and my results still suck big time compared to last year when i had like 30%- 35% approval rate …what the fuck changed this year? Do they check the EIN from last year’s return so you need his real employer information?”

Several seasoned members of this fraud forum responded that the IRS had indeed become more strict in validating whether the W2 information supplied by the filer had the proper Employer Identification Number (EIN), a unique tax ID number assigned to each company. The fraudsters then proceeded to discuss various ways to mine social networking sites like LinkedIn for victims’ employer information.

GET YER EINs HERE

A sidebar is probably in order here. EINs are not exactly state secrets. Public companies publish their EINs on the first page of their annual 10-K filings with the Securities and Exchange Commission. Still, EINs for millions of small companies here in the United States are not so easy to find, and many small business owners probably treat this information as confidential.

Nevertheless, a number of organizations specialize in selling access to EINs. One of the biggest is Dun & Bradstreet, which, as I detailed in a 2013 exposé, Data Broker Giants Hacked by ID Theft Service, was compromised for six months by a service selling Social Security numbers and other data to identity thieves like Peleus.

Last year, I heard from a source close to the investigation into the Dun & Bradstreet breach who said the thieves responsible made off with more than six million EINs. In December 2014, I asked Dun &Bradstreet about the veracity of this claim, and received a blanket statement that did not address the six million figure, but stressed that EINs are not personally identifiable information and are available to the public.

THE PREPAID MESS

By May of 2014, Peleus reported that he’d more or less worked out the best ways to avoid the IRS’s fraud filters, and was finding great success at the state level. The key, he said, was having the bogus refund sent to a unique prepaid debit card account for each filing. In this case, he found success with Green Dot — a widely-used prepaid card.

“The season is over, and my stats improved A LOT once I used one Greendot for one refund, instead of 1 checking account for 10 refunds,” he wrote.

The prepaid card industry has been an indispensable tool of tax fraudsters for several years, and remains one of the favorite means of cashing out phony refunds — as well as the proceeds from a broad range of other cybercrime activity.

At a March 12, 2015 hearing on the tax refund fraud epidemic, Utah State Tax Commission Chairman John Valentine told the U.S. Senate Finance Committee that all of the suspicious returns it has seen so far this year had the direct deposit information changed from the previous year’s bank account to prepaid debit cards — often Green Dot brand debit cards.

“Once the funds are transferred to such cards, they cannot easily be traced or recovered, a perfect vehicle to commit fraud,” Valentine told the panel. “Prepaid debit cards appear to be preferable to fraudsters because the identity thief doesn’t have to bother with banks, credit unions or check-cashing stores that may become suspicious when one person starts bringing in multiple tax refund checks to be cashed or deposited.”

Valentine said one problem his state ran into when trying to isolate filings involving prepaid cards was that there is currently no uniformity in numbering that distinguishes traditional checking and savings accounts from prepaid debit cards.

“For example, a prepaid reloadable debit card sold by Green Dot appears to be linked to a bank account even though the debit card had no actual checking or savings account associated with it,” he said in his prepared remarks (PDF). “A simple fix would be to require a different series, letter or additional numbers to distinguish these cards from cards connected to bank or credit union checking and savings accounts.”

SAFE MONEY & FREQUENT FILERS

Judging from his fraud forum postings, our tax scammer Peleus was having more luck filing bogus refund requests with both the IRS and the states in this year’s tax season, which appears to have started in mid- to late January for phony filers.

Peleus’ 2015 tax tips for fellow fraudsters center around which payment instruments and banks to use and which to avoid like the plague. Peleus said prepaids are great, but getting your phony refunds deposited in a Suntrust account remains the safest option, while certain banks — particularly Wells Fargo — are to be avoided like the plague.

“Wells Fargo is old news and sucks big time,” Peleus wrote in a January 14, 2015 post. “It is one of the strictest banks and I do not recommend it. Try and get Suntrust. If Suntrust works like last year, you should have 5-7 refunds per account easy. They don’t seem to give a fuck.”

Peleus and other fraudsters continue to report strong success filing phony tax refund requests through TurboTax, the largest of the online tax preparation services — with nearly 30 million customers. Peleus urges like-minded crooks to consider asking TurboTax to credit the fraudulent refund amount as an Amazon gift code, which is apparently all the rage this year:

“You don’t even need your own bank accounts, you can use company checking accounts from Google or checking accounts from your older spam,” Peleus enthuses. “Basically, you need just an email to receive the Amazon code. Sure, it’s hard to sell it on eBay or Craigslist, but it works and they never get blocked, so it’s safe money.”

[In case you missed my recent series on how lax security and adherence to “know-your-customer” basics at TurboTax has contributed to the tax fraud epidemic, check out these stories.]

While the states and the IRS are becoming more vigilant about filtering out phony refund requests, the fraudsters are clearly responding by upping the volume of bogus filings. At least, that’s according to our virtual Virgil of the tax underworld:

“People, the secret still stays in numbers, so file as many applications as you can,” Peleus advises his fraudster friends. “No matter how accurate your tax info is, if you fly under the radar with small refunds (e.g. the average US refund was $2400 last year) you will be making money. Stop asking for $9k per refund you should make 3 of 3k, more refunds is better. Next year it will be harder I am sure, but we will all be smarter and fewer.”

ANALYSIS

Given the amount of cyber fraud that is committed with the help of the anonymity afforded to prepaid card users,  the Utah State Tax Commissioner’s suggestion about requiring a unique identifier for prepaid card account numbers seems like a sound one. Certainly, the prepaid card and tax preparation industries can up their game. As I’ve noted in previous stories, both industries probably need more encouragement from federal lawmakers and/or regulators to proactively institute more robust and effective “know-your-customer” policies.

Even so, tax refund fraud is a complex problem, with many core weaknesses contributing to the overall epidemic. Not least of which is that the IRS is required to process refund requests within a very short period of receiving the filing. Very often, the IRS has to make this decision even before companies finish sending out W2 information.

In an August 2014 report to Congress on the tax refund fraud epidemic, the Government Accountability Office said that for 2014, the IRS informed taxpayers that it would generally issue refunds in less than 21 days after receiving a tax return — primarily because the IRS is required by law to pay interest if it takes longer than 45 days after the due date of the return to issue a refund.

According to a January 2015 GAO report (PDF), the IRS estimated it prevented $24.2 billion in fraudulent identity theft refunds in 2013.  Unfortunately, the IRS also paid $5.8 billion that year for refund requests later determined to be fraud. The GAO noted that because of the difficulties in knowing the amount of undetected fraud, the actual amount could far exceed those estimates.

Further reading:

What Tax Fraud Victims Can Do.

All KrebsOnSecurity stories about tax refund fraud.

Update, Mar. 26, 4:56 p.m. ET: A previous version of this story incorrectly stated that Green Dot was managed by GE Money Bank. The latter sold part of its pre-praid business (Wal-Mart Money Card) to Green Dot back in 2013.