Archives

September 29th, 2012 | Category: Security

Got hacked?

The other day I decided to get started with my long due tax returns. When browsing some of my bank statements, I noticed three recurrent monthly payments that I could not recognize. More bizarre was the fact that their where issued in USD, while the account is labeled in Euros. They showed as follows:

I looked up the names, and the second one took me to a bland website that looked like a customer service frontend. There was a chat window, which I use for my inquiry. Here is a cut-and-paste of the transcript.

Please wait for a site operator to respond.

You are now chatting with ‘Lisa’

Lisa: Thank you for contacting Customer Support. How may I provide you with excellent service today?

you: I am trying to identity the origin of a recurrent charge on my account. I have no idea what is wejoinnow.com

Lisa: If you found our website through a charge on your bank statement, an account was created online to one of the websites we handle the customer service for. I would be happy to look up the account and can do so with either the email address used to sign up or the first 12-digits of the credit card number being charged.

you: 12 digits are:
you: ************

Lisa: Thank you for the information… please stay with me on live chat while I pull up your record.
Lisa: I have your record now… please hold while I get the subscription details
Lisa: Our records indicate there is an active membership you are able to access at anytime with the following log in information…
Lisa: User Name: victor94109
Lisa: Password: dls415

you: membership for what?

Lisa: http://www.[adult_site_1].com

you: WHAT?

Lisa: http://www.[adult_site_2].com
Lisa: http://www.[adult_site_3].com

you: I’ve been hacked.

Lisa: How can I assist you with that?

you: How do I cancel these charges? I have 3 recurrent charges related to these adult sites I never gave any kind of authorization for.

Lisa: I can cancel the accounts for you to stop further charges

you: Yes please.

Lisa: Please hold while I process your request…
Lisa: I have successfully cancelled your Premier Passport membership on www.[adult_site_1].com , www.[adult_site_2].com and www.[adult_site_3].com .  You will no longer be billed after the cancellation.
Lisa: Confirmation # of the cancellation is ex3510

you: For these 3 charges?

Lisa: yes

you: All 3 are now cancelled?

Lisa: that is correct

you: Ok.
you: Now, I want to block the usage of that VISA card, which obviously has been compromised.

Lisa: Everything has been cancelled now and your card has been blocked in our system so it won’t be used to sign up to any of the website we handle

you: Thanks

Lisa: You’re welcome
Lisa: Is there anything else I can help you with?

you: Is that possible to have a transcript of this session sent to an email?

Lisa: At the Exit Survey, you will be asked if you wish a Chat Transcript be emailed to you.  Please click “yes” and enter your email address.

you: Ok thanks. Thanks again.

Right after that exchange I called the bank to cancel the credit card. Oh well. This is was not the first time I had my credit card number stolen. But usually, I am quick to spot the problem. In that case, this was an account that I barely use. Which also means that I hardly use the credit card attached to it.  But it’s simple for anybody to copy the card and its security card anywhere you make a payment. Not mentioning the sites where you can buy thousands of valid credit card credentials for a few bucks.

The interesting part was the user ID. I looked it up, and it showed up as a user ID for Habbo, a children’s game site owned by Finnish company Sulake Corporation. The user ID was specifically linked to the Brazilian version of the portal. Habbo is a social network aimed at teenagers, and has been under attack for being the playfield of sexual predators. Sadly consistent with the usage of my stolen credit card number…

The three companies payments were made to all use the same IP address, with servers located near LA. The three adult sites also share the same IP, and are located in Toronto, Canada.

Three payments from three different companies for three identical contents? Looks like my thief got scammed…

 

Leave a Reply

  

  

  

You can use these HTML tags

<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>