Explained: Re-shipment scams (work at home) and what they do when they have your credit-c...

Do you have a question? Post it now! No Registration Necessary.  Now with pictures!

Long story, some human-interest junk, some interesting technical

Cross-posted to relavent news groups.


See also:

International scam: An inside look at a Nigerian reshipping ring



Details:  How a reshipment gets done  
USA TODAY examined a paper trail of e-mails, letters, credit card
statements, packing receipts and mailing labels that Karl kept of his
work as a mule and pieced together this account of an illegal

April 18. Someone from a bogus Web site at the center of the scam,
kflogistics.biz, tests a $1 charge on iWon.com, a prize-giveaway Web
page, using a Bank One Visa credit card number stolen from Brian
Spoutz, a 48-year-old San Jose, Calif., software salesman. A Visa
investigator notified him about the compromised card in May, Spoutz

April 20. Kflogistics.biz uses Spoutz's Visa card to place an order at
Newegg.com for a $2,607 digital camera and extra memory. It directs
shipment of two separate parcels to a home in Gilroy, Calif.

April 22. FedEx attempts to deliver the parcels, but the reshipper in
Gilroy has gotten cold feet and rejects the delivery. Using FedEx's
online tracking, Michael Birman of kflogistics.biz notes the failed
delivery, contacts FedEx and redirects delivery to Karl in Grass
Valley, Calif. Birman then alerts Karl via e-mail to watch for the two

April 23. Birman goes to USPS.com. Using a hot credit card number,
Birman purchases a $48 Global Express Mail shipping label addressed to
Roman Radeckiy in Moscow, then downloads the new label as a JPEG image
file. Birman attaches the JPEG file to an e-mail to Karl, instructing
Karl to combine the two parcels into one box, affix the label and mail
to Radeckiy.

April 24. FedEx delivers the parcels to Karl in Grass Valley.

April 27. Karl prints out the JPEG label. Karl repacks the camera and
memory into one box, affixes the printed JPEG label and completes the

"The operation was amazing," says Karl. "It was highly coordinated."

Cybercrooks lure citizens into international crime

Posted 7/10/2005 11:08 PM     Updated 7/11/2005 4:58 AM

By Byron Acohido and Jon Swartz, USA TODAY

GRASS VALLEY, Calif. To Karl, a 38-year-old former cabdriver hoping
for a career in real estate sales, the help-wanted ad radiated hope.
The ad sought "correspondence managers" willing to receive parcels at
home, then reship them overseas. The pay: $24 a package.

Karl applied at kflogistics.biz, a fraudulent Web site imitating a
legitimate site.

He quickly received an e-mail notifying him he had landed the job,
followed by instructions on how to take receipt of digital cameras and
laptop computers, affix new labels and "reship" the items overseas.
Easy enough.

Within weeks, he had sent off six packages, including digital cameras
and computer parts, to various addresses in Russia. Little did Karl
know he had become an unwitting recruit in a growing scheme to assist
online criminals, the latest wrinkle in digital fraud that costs
businesses hundreds of millions of dollars a year.

Before long, Karl began to feel like Sydney Bristow from the TV show
Alias, who wrangles her way through dealings with the Eastern European
underworld. (Fearing possible retaliation, Karl asked that his real
name not be used for this article.)

One day, a $4,358 electronic deposit appeared out of nowhere in Karl's
online bank account, followed by e-mail instructions to keep a small
amount as pay and wire the rest to Moscow. Then he began receiving
account statements intended for online banking customers from across
the USA. Someone had changed the billing addresses for stolen credit
cards and bank account numbers to his residence in Grass Valley.

One of the letters was intended for 28-year-old Ryan Sesker of Des
Moines, letting him know that his credit limit had been raised to
$5,000 - a request he never made. Around the same time, a USA TODAY
investigation found, someone accessed Sesker's online banking account
and extracted $4,300.

"I thought I could work a few hours a day and make a couple hundred
bucks, not get sucked into something out of Alias," Karl said later,
sipping a cup of steamed milk in a sleepy cafe.

What Karl had become, in fact, was a "mule."

Karl and other ordinary citizens are being widely recruited by
international crime groups to serve as unwitting collaborators -
referred to as mules - in Internet scams to convert stolen personal
and financial data into tangible goods and cash. Cybercriminals order
merchandise online with stolen credit cards and ship the goods
overseas - before either the credit card owner or the online merchant
catches on. The goods then are typically sold on the black market.

Mules serve two main functions: They help keep goods flowing through a
tightly run distribution system, and they insulate their employers
from police detection.

To document what such a mule goes through, USA TODAY spent five months
pursuing leads from law enforcement officials, tech security experts
and Internet underground operatives. The probe uncovered fresh
evidence detailing how organized crime groups, such as the one that
enlisted Karl, operate quietly at the far end of the cybercrime

Savvy thieves often keep such rip-offs below $5,000 to avoid detection
from bank monitors and the FBI. But cumulatively, the thefts reach
into the hundreds of millions of dollars.

While e-mail phishers, hackers and insider thieves grab notoriety for
stealing personal and financial data, these reshipping groups put the
stolen IDs to use. Security consultant eFunds estimates that
reshipping rings set up nearly 44,000 post office boxes and
residential addresses in the USA as package-handling points in 2004,
up from 5,000 in 2003. And they show no signs of slowing down.

The dark side of e-commerce

Consumer-level financial fraud has been around since thieves first
thought to filch blank checks from mailboxes. The Internet has taken
it to a new level, not yet fully understood by the general public. By
many measures, 2005 is shaping up as a watershed year for e-commerce -
and cybercrime.

E-commerce has become so accessible and feature-rich that consumers
take it for granted. Banks have made it easy to execute virtually any
banking transaction online - from changing a billing address to
transferring large sums to another account. And the Web makes it
simple to ship and track parcels.

Amazon.com alone, celebrating its 10th anniversary, expects to
approach revenue of $9 billion this year. And online transactions
overall topped $132 billion in 2004, up 39% from 2003 and 154% from
2002, according to VeriSign, the top manager of Internet domain names.

No one really knows how much of the estimated $150 billion worth of
online transactions this year will be fraudulent, but losses pegged to
reshipping scams were estimated at $700 million in 2004, up from $500
million in 2003, according to eFunds.

The Internet was never envisioned as a secure transactions network, so
criminals are exploiting its convenience features. Cybercrime has
morphed into two broad areas of specialization:

- Hackers, insider thieves and phishing con artists focus on pilfering
personal and financial data, such as names, addresses, birth dates,
mothers' maiden names, driver's license numbers, credit card numbers,
Social Security numbers, log-ons, passwords and personal
identification numbers.

- The ID thieves, in turn, supply the stolen data to crime
organizations. They use the names and account numbers to fleece online
merchants and banks with the help of unwitting mules.

"Any of these job postings that get consumers to receive and forward
packages and/or money are bogus," says Barry Mew, a U.S. postal
inspector in California.

Consumers who report false charges typically are reimbursed by the
banks. But some are drawn into messy identity-theft scams. Law
enforcement can't keep up, for a variety of reasons.

The FBI has led sting operations to knock out reshipping gangs in
Romania and Nigeria. But cabals such as the one that recruited Karl
thrive in Eastern Europe, Brazil and, most recently, the Philippines.
They remain mostly out of law enforcement's reach.

With e-commerce at record levels, the risk of you or someone you know
getting defrauded online is rising.

"The fear is if we don't get on top of this and protect the consumer
better, we'll see more account skimming and deeper kinds of identity
thefts happen," says George Tubin, senior analyst at banking
consultant TowerGroup. "The feeling is we're one big headline away
from catastrophe."

Luring recruits

Karl is a case in point.

The 16-line classified advertisement that appeared April 5 in The
Union in Grass Valley beckoned like a life preserver: "Look at this!
WORK at Home! Correspondence manager vacancies. MAIL PACKAGES from
home without leaving your current job. Easy! Ship parcels from our
clients. Get Paid $24 per parcel! Info:
http://kflogistics.biz/vacancies.asp.htm ."

To Karl, the prospect of getting paid to reship packages from home in
his spare time seemed like a godsend. He had dabbled in online
marketing and was studying to get his real estate license. Someday he
hoped to start a small business with his father-in-law and a friend.
This could tide him over.

TheUnion's records show the ad was ordered and paid for online, using
a credit card with a Milford, Mich., billing address. Chauna Renaud,
classified ads manager, says that no one from The Union spoke to the
buyer, who paid $427.97, and that no victim has sought to refute the

Detective Bill Netherby of the Nevada County Sheriff's Office says the
ad almost certainly was paid for with a stolen credit card number.

The scheme pushed by companies such as kflogistics.biz put a new twist
to an old ruse.

Merchants have long been wary of shipping expensive goods overseas.
But thieves know that once an online transaction is approved,
shipments inside the USA receive scant scrutiny, especially during
high-traffic times such as Christmas and other gift-giving holidays,
says Julie Fergerson, vice president of eFunds and co-chair of the
Merchant Risk Council, an industry group battling online fraud.

So they've taken to recruiting U.S.-based citizens, whose homes
function as drop points.

There likely are dozens of such reshipping operations in existence,
though no one has precise figures. In its investigation, USA TODAY
with the help of law enforcement officials, postal inspectors and
computer security experts identified 21, most with polished Web sites
and slick online job-application programs. Reshipping groups appear to
be using stolen credit cards to finance most of their operations.

USA TODAY's investigation also found that reshipping groups recruit
mules on popular employment Web sites, such as Monster.com and
CareerBuilder.com, order goods from e-merchants large and small, and
even pay for shipping via online services designed to streamline
credit card transactions. FBI Supervisory Special Agent Dale Miskell,
a cybercrime specialist, and other fraud inspectors confirmed USA
TODAY's findings.

A reshipping group going by the name U.S. Mail Service last February,
for instance, used a credit card to pay $97 for a three-month ad on
Jobfinder.com. Jobfinder CEO David Lizmi could not confirm that a
stolen card number was used. But fraud inspectors say reshipping
groups routinely pay for ads with stolen account numbers. Lizmi says
he pulled the ad after receiving a complaint. U.S. Mail Service never
contacted him for a refund, and no one has stepped forward to dispute
the payment. Someone using the name Anna Davis and describing herself
as a manager at U.S. Mail Service did not respond to questions from
USA TODAY in e-mail messages.

Monster.com and CareerBuilder.com say they deploy teams to screen ads,
investigate complaints and educate customers about scams. But
reshippers are adept at skirting such defenses by changing names and
Web sites every few months. "They are so good at sneaking things
through," says Michele Pearl, vice president of compliance at

"Nothing can be done to prevent this type of ad from happening,"
contends Lizmi. "I would have to hire 20 people to contact every
company individually and vouch for their ID."

Cheap and easy Web sites

Mule recruiters typically direct job applicants to well-crafted
company Web sites. Web site domain names can be purchased for $6 a
month; space on computer servers to collect data from job applicants,
$15 a month. As long as the credit card payment gets approved, no
questions are asked.

"Registering a domain name and putting up a Web site to perpetrate
these schemes is easy and cheap," says Joe Stewart, an analyst at
Lurhq, which provides computer security for businesses.

"Just fill in the information, use a credit card to pay, and you're up
and running in less than half an hour," says Stewart.

Kflogistics.biz, for instance, registered its domain name and launched
its Web site last April, around the time the Grass Valley newspaper
published the help-wanted ad.

The site almost certainly has been operating under other names. A
similar package-reshipping recruiter, westernforce.biz, for a time
used the same Internet protocol address as kflogistics.biz. "So
they've moved on to a different name, but I bet it's the same people,"
Stewart says.

The name kflogistics.biz, in fact, imitates an existing Web site,
kflogistics.com, registered by a legitimate El Paso freight-forwarding
company. The copycat Web site lists someone calling himself Michael
Birman as the registrant, with a New York mailing address and phone
number. The last two letters of Birman's listed e-mail address
tyler052@yandex.ru indicate kflogistics.biz has a Russian base.

Attempts to contact Birman and kflogistics.biz were unsuccessful. Most
Web site registration data are "almost certainly bogus," says Stewart.
"It would be stupid for them to use real information. There's no need

Hungry job applicants

Recruiters are being drawn to a U.S. job market teeming with
unemployed and underemployed able-bodied citizens hungry to earn extra
income, says Paul Krenn, a spokesman for the United States Postal
Inspection Service.

"This crime is driven by desperate people looking for jobs," Krenn
says. "Most of them don't ask questions."

Irene Rodriquez, 38, a longtime bulk-mail handler from San Jose,
Calif., regularly surfed employment Web sites, such as Monster.com and
CareerBuilder.com, partly owned by Gannett, USA TODAY's parent,
looking for opportunities to earn extra income. Hoping to pay for her
daughter's senior prom gown, Rodriquez last February responded to a
U.S. Mail Service pitch she spotted on Jobfinder.com. U.S. Mail
offered $30 to $50 per reshipped package.

"When you see a job listed on a respected Web site, you think it's
legitimate," says Rodriguez. "I thought this was a legal company."

About the same time, Lynn Malito, 46, a single mother of two, got laid
off from her job as a dispatcher for a trucking company in Memphis.
Malito says she responded to an online ad on Monster.com to handle
reshipping chores for CNetExpress whose name mimics online media
company CNet. She considered a similar job offer she found on
Monster.com from something called TSR Corp.

Karl, Rodriquez and Malito all ended up working as reshipping mules,
but they cut off their activities and reported their experiences to
authorities after becoming suspicious about the work. "It petrified
me," says Malito. "I thought I was going down, getting arrested, for
my role in this."

Only the most egregious mules run the risk of going to jail. As a
former federal cybercrimes prosecutor, Paul Luehr let go a number of
mules he had tracked down, "because we could uncover little or no
evidence of their criminal intent." Luehr, now general counsel at tech
consultant Stroz Friedberg, says the naive reshippers "thought they
had a regular job."

Often the easy tracking ends at the mule's U.S. residence. Once the
item or cash moves overseas, diplomatic protocols and differing
cultural priorities can quickly turn the trail cold, says Luehr.

U.S. and foreign authorities have tracked down and arrested reshipping
group leaders in Nigeria, Ghana and Romania. But those were
comparatively small-scale operations.

"It's like a high-end fencing operation," says John Pironti, a
security consultant at Unisys who specializes in bank systems. "The
idea is to move this stuff overseas and remove traceability even

Goods on the move

In Karl's case, he cooperated with police and won't be prosecuted. His
cooperation came after a three-week period in April when Karl
reshipped half a dozen parcels for kflogistics.biz. He followed e-mail
instructions from someone who identified himself as Michael Birman,
the same name listed as the Web site's domain registrant.

Occasionally, Karl spoke by phone with Birman, who once boasted to
Karl that he managed a network of 200 people.

Karl might have continued as a reshipper had Birman paid him $24 a
parcel as promised. Instead, Birman tried to manipulate Karl into
deeper activities. Things began to unravel in early May once Karl
began to press Birman for a paycheck.

Birman responded by asking Karl if he had an online account at Chase
Bank, Citibank or Washington Mutual into which kflogistics.biz could
deposit his pay. Fraud inspectors say this indicates Birman already
had fraudulent access to a portfolio of online accounts in those banks
and was maneuvering to sweep Karl's account into the mix.

Karl balked at first, but after discussing the matter with his bank
manager, he gave Birman the routing and account numbers for his
checking account at the Nevada City branch of Bank of America. The
bank manager, Paul Shelton, promised Karl that he would keep an eye on
the account.

Frozen funds

A few days later, on May 5, an unusual deposit of $4,358 was made into
Karl's checking account. The funds came from Chase. "It caught my eye
because it was an electronic credit card transfer," Shelton says.
"That's not something you see every day."

That night, Karl was contacted by someone identifying himself as
George Selembo, financial supervisor for kflogistics.biz. USA TODAY
located another George Selembo, 55, this one a quality-control
inspector in Greensburg, Pa., who had once been a victim of ID theft.

In 2003, a cyberthief electronically transferred $8,000 from Selembo's
Citibank Visa credit card to an overseas account. An additional $2,500
was withdrawn from his First Commonwealth bank account. No one was
ever arrested, though the money was insured. Selembo spent six months
resolving the matter. "Now you're saying that someone may be posing as
me?" Selembo said in a phone interview. "Wow!"

Via e-mail, the supervisor calling himself George Selembo instructed
Karl to "please withdraw the whole amount" and send $4,011 via Western
Union to Andrey Jaremchuk in St. Petersburg, Russia. Karl could keep
the remainder as pay.

"It set off an alarm. Something was definitely wrong," Karl says. "I
didn't take any of the money. I knew it was time to call the police."

Karl reported the matter to the Nevada County Sheriff. Shelton, his
banker, froze the $4,358. That triggered an acrimonious e-mail from

"What?!!?? Give me the bank's(sic) manager phone. How long do they
plan to keep your money frozen???" Selembo said in an e-mail sent to
Karl the night of Friday May 6.

On Monday afternoon, May 9, a male caller reached Shelton on the
phone. The banker doesn't recall how the caller, who spoke with a
heavy accent, identified himself. The caller claimed to have been
cheated out of $4,300 by Karl and asked Shelton to return the funds.
Shelton advised the caller to file a police report - and never heard
from him again.

The next day, Karl received a final e-mail from Selembo: "I tried
calling you a LOT of times. Reached only voicemail. When will you be
home?" Karl turned the e-mail over to authorities.

"They made it clear they wanted the money withdrawn," a nervous Karl
recalls. "It began to freak me out. The tone of the messages was more
threatening. I just wanted them to leave me alone."

The $4,358 remains frozen in Karl's Bank of America account pending a
request from Chase, the bank that made the credit card transfer, for
its return, says Shelton. "If they don't ask for it back, it's going
to stay there forever," he says.

Chase declined interview requests. "Chase in addition to other banks
and merchants are working with law enforcement and can't comment on
this because of an ongoing investigation," said spokesman David

Still useful

Kflogistics.biz wasn't done with Karl. In late April, he had begun
receiving letters intended for online banking customers from all
around the nation. The letters - account statements, notices of credit
limit increases and discrepancy warnings - kept coming through June,
long after Karl broke off communications with Birman and Selembo.

Karl was still useful: They could use his mailing address as a drop
point for account statements linked to hot accounts. One of the first
things reshippers usually do upon gaining access to an online account
is change the billing address, says postal inspector Mew.

And often, the reshipper will change a billing address to a given
mule's, then ship goods to that mule to make it seem as if the card
holder is ordering goods for himself, says Luehr, the former

One letter Karl received shed light on how the $4,358 credit card
transfer was executed. The letter, dated May 5, was a notice from
Chase to Visa card holder Ryan Sesker of Des Moines. Chase notified
Sesker that his request for a credit limit increase to $5,000 from
$3,500 had been approved.

But Sesker never made such a request. In fact, he says, he rarely used
his Chase Visa card. The last two transactions came in early 2004,
when he made online purchases of a computer printer and a Valentine's
Day gift. By March 2005, Sesker had paid the balance down to zero, so
the account wasn't at the top of his mind.

Stolen ID pool

Sesker, who works as a banking loan officer, didn't know his account
had been broken into until he was contacted by USA TODAY in late May.
To determine whether an e-mail virus or Web-browser spyware had
anything to do with the break-in, USA TODAY asked PlumChoice, an
online computer repair service, to scan Sesker's Windows XP laptop

Simply opening infected e-mail attachments or clicking on a contagious
Web site can result in the automatic installation of malicious
programs that help funnel personal data into the growing pool of
stolen IDs for sale on the Internet.

"We didn't find any evidence of software or other types of malicious
codes that was a cause of his losing the credit card," says Ted Werth,
president of PlumChoice.

That meant the breach of Sesker's account most likely stemmed from his
online purchases, says forensics expert Stewart. An insider thief may
have extracted account information from the e-merchant's customer
database and sold Sesker's data on the open market, where
kflogistics.biz purchased it. Or a cyber-intruder could have cracked
into the customer database over the Internet, perhaps using a
technique that probes for weaknesses in e-merchants' shopping-cart

"Shopping carts interact with customers' databases, so you can inject
extra commands, like 'Tell me all about the last 50 transactions,' "
says Stewart.

Upon notifying Chase of the break-in, Sesker learned someone had not
only changed his billing address, but also the date of birth and
mother's maiden name associated with his account. About a week after
Chase approved the credit limit boost to $5,000, the bank next
approved an electronic credit card transfer of $4,300 to a different
account - the same kind of transfer that moved $4,358 from a Chase
credit card account into Karl's Bank of America checking account.

Chase declined to tell Sesker whom the funds were transferred to. The
bank indicated he will not be held responsible and asked him if he
would like a new Visa credit card number. Sesker declined.

Had he not noticed the breach for a couple of months, Sesker's credit
might have become tainted, putting his career as a banking loan
officer at risk; a clean credit history is a condition of employment
for loan officers.

"They probably would have been sending delinquency notices and
collection letters to the wrong address," says Sesker. "I would never
have known until the collection agencies tried to track me down."

Site Timeline