
Credit card thieves using free-to-play apps to launder their ill-gotten gains - 0xbxd
https://kromtech.com/blog/security-center/digital-laundry
======
aphextron
My pet conspiracy theory: The vast majority of the CS:GO economy is a massive
money laundering operation for the Russian government. You have skins for an
AK47 selling for $40,000. Does anyone seriously think that's legit?

~~~
wruza
I’m not sure which parties you suppose make a deal through that scheme, but
for those who don’t know: in Russia no money laundering is required. You
simply never get ‘source of funds’ questions, even when buying something
enormously expensive. Just don’t put it in the bank, unless you want to lose
10% (maximum no-brainer) on converting back.

This misconception is also shared among many Russian folks who use the term
‘laundering’ when actually they are speaking about tax theft, or just theft
through fake middleware companies which convert it to cash, and that’s it.

~~~
macleginn
As was suggested below, what you may actually want to do is inject untraceable
money into a foreign financial system in order to use it later for some
nefarious purpose.

------
nemild
I'd be interested to know which version of MongoDB this was.

This "no auth" was a default choice for MongoDB through at least 2013 (in this
case, it helped to find nefarious actions).

For more background, I wrote a three-part MongoDB[1]. These are the notes on
auth behavior from the interview with MongoDB's CTO:

> - Defaults: I feel like it’s playing with fire to set bad defaults in a
> database - with numerous data breaches due to 10gen’s early decisions on
> authentication, remote login, and encryption (see for example,
> [https://snyk.io/blog/mongodb-hack-and-secure-defaults/](https://snyk.io/blog/mongodb-hack-and-secure-defaults/) ). For
> auth, Eliot argues that developers need to take responsibility for exposing
> MongoDB on public servers - and that the SLA for a self-hosted instance is
> different than a managed instance (at minimum, I have issues with users
> having their data exposed to the world through no fault of their own). He
> disagreed with 10gen’s decision to turn on auth by default in later
> self-hosted versions once MongoDB ignored remote connections by default (but
> thought this was the right choice for the managed Atlas service). (But
> before 2014, the default behavior was no auth - and accepting all remote
> connections, see [https://snyk.io/blog/mongodb-hack-and-secure-defaults/](https://snyk.io/blog/mongodb-hack-and-secure-defaults/) ; Eliot
> notes that this took a while because changing the default would have caused
> issues for existing customers)

([https://news.ycombinator.com/item?id=14804765](https://news.ycombinator.com/item?id=14804765))

[1] [https://www.nemil.com/mongo/](https://www.nemil.com/mongo/)
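The two defaults the quoted notes are about (authorization off, and, before 2014, listening on every interface) are both plain keys in `mongod.conf`. As an added illustration that is not part of nemild's post or of MongoDB's own tooling, here is a small Python audit that parses the two-level YAML subset `mongod.conf` uses and flags the dangerous combination. The two sample configs are constructed for the example; the only real option names used are `net.bindIp`, `net.bindIpAll` and `security.authorization`, and the parser deliberately handles only that flat `section:`/`key: value` shape (an assumption, not a general YAML parser).

```python
from typing import Dict, List

# Constructed sample configs (not from the article or the thread). The first
# mirrors the pre-2014 posture the post describes: every interface, no auth.
WEAK_CONFIG = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0      # listens on every interface
# no 'security' section: authorization defaults to disabled
"""

HARDENED_CONFIG = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1,::1
security:
  authorization: enabled
"""


def parse_simple_yaml(text: str) -> Dict[str, object]:
    """Parse the 'section:' / '  key: value' subset used by mongod.conf.

    Assumption: no lists, quoting, anchors or deeper nesting; comments after
    '#' are dropped.
    """
    root: Dict[str, object] = {}
    current: Dict[str, object] = root
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        value = value.strip()
        if indent == 0:
            if value:                      # top-level scalar
                root[key] = value
                current = root
            else:                          # start of a section
                section: Dict[str, object] = {}
                root[key] = section
                current = section
        else:                              # key inside the open section
            current[key] = value
    return root


def audit_mongod_config(text: str) -> List[str]:
    """Return findings for the auth/network exposure settings, empty if clean."""
    cfg = parse_simple_yaml(text)
    net = cfg.get("net") if isinstance(cfg.get("net"), dict) else {}
    security = cfg.get("security") if isinstance(cfg.get("security"), dict) else {}

    # Defaults when a key is absent: authorization is disabled; bindIp has been
    # localhost since 3.6 (before that it was all interfaces, as the post notes).
    authz = str(security.get("authorization", "disabled")).lower()
    bind_ip = str(net.get("bindIp", "127.0.0.1"))
    bind_ip_all = str(net.get("bindIpAll", "false")).lower() == "true"
    addrs = [a.strip() for a in bind_ip.split(",")]
    bind_all = bind_ip_all or any(a in ("0.0.0.0", "::") for a in addrs)

    findings: List[str] = []
    if authz != "enabled":
        findings.append("security.authorization is not 'enabled': any client "
                        "that can connect gets full read/write access")
    if bind_all:
        findings.append(f"net.bindIp={bind_ip} (or bindIpAll): mongod is "
                        "reachable from every network interface")
    if authz != "enabled" and bind_all:
        findings.append("CRITICAL: unauthenticated and network-reachable, the "
                        "combination behind the exposed databases discussed here")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_mongod_config(cfg) or ["no findings"])
```

Run it against a real `/etc/mongod.conf` by reading the file into `audit_mongod_config`; a bind on localhost with authorization disabled still yields one finding, since anything else on the host (or an SSRF into it) can reach the database without credentials.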

~~~
Joeri
_For auth, Eliot argues that developers need to take responsibility for
exposing MongoDB on public servers_

That’s like selling a car without preinstalled seat belts and then saying it
is the responsibility of the driver if they take it on the road like that.
It’s technically true, but it’s sort of missing the point.

~~~
nemild
I made the same seat belt point to him, and here's the section with his
response:

> I do have concerns when 10gen explicitly targets junior developers ... What
> [Eliot, MongoDB CTO] says makes sense say 20 years ago, but with 25% of new
> software engineers coming from coding bootcamps with non-engineering
> backgrounds, I worry that defaults matter ever more in dev tools (and even
> seasoned engineers may mess this up, if they’re coming from a database with
> different defaults). We discussed analogies like seat belt lights versus the
> responsibility of passengers to know better. He also argued that waiting to
> get all this right - not just auth - would impact database innovation, while
> I think there’s a balance that gets us a lot of the low hanging fruit (like
> security).

[https://news.ycombinator.com/item?id=14804765](https://news.ycombinator.com/item?id=14804765)

~~~
acdha
> with 25% of new software engineers coming from coding bootcamps with
> non-engineering backgrounds

This is unnecessarily elitist: I’ve seen no difference in security awareness
based on anything other than specializing in security, and even then it can be
surprisingly blinkered.

~~~
nemild
That's fair. I was mostly reflecting on the time that most bootcamps spend on
a student (2-3 months) relative to other programs.

But I agree that no matter the program, security best practices are rarely
taught.

~~~
acdha
Agreed — I often feel like we’re in the period where the germ theory of
disease is known but it’s still a battle to get doctors to wash their hands.

------
jsnell
Given how off many of the details are in this article, I don't know that the
authors have a very deep understanding of the f2p game economy. So it's hard
to trust anything beyond "f2p games are used with stolen credit cards" part.
Which is true, but not exactly news.

Most importantly they keep harping on about how Supercell should be doing more
to ban accounts that transfer illicit gems between accounts, or how each gem
should have an individual hash so that it could be tracked to the source, etc.
Well, given that gems are not and never have been transferrable between
accounts in those games, having it be a bannable offense would have no effect
at all. And the chain of ownership is always going to be exactly one step
long.

(Yes, any game that makes the premium currency or items transferrable is
inviting a lot of abuse. It's not just stolen credit cards, it'll also be
account hijacks since they'd be very lucrative. Just drain all the victim's
items before they can recover the account. Optionally you can also buy more
items with the victim's already registered CC at the same time. So if a game
does support these kinds of transfers, it's good to be deeply suspicious about
the motives of the creators. But afaik it's simply not the case for any of the
Supercell games that this article talks about.)

And then that table showing the scale of the problem is pretty bizarre. The
stated revenue numbers must be off by around a factor of 5. I thought for a
moment it was talking about the scale of the abuse they've detected. But then
that'd mean the scammers are using 100M Google accounts to wash 20k credit
cards/month. That's too absurd to be true.

------
Y_Y
Of course the game makers aren't going to filter it, it makes them an
"unwitting" beneficiary of money laundering. It's not like their overt business
purpose is any better.

~~~
gruez
AFAIK for card not present transactions, if a chargeback occurs, the merchant
pays for the refund, plus a chargeback fee of ~$25. So unless the credit card
victims are particularly clueless, this shouldn't be profitable for the
merchant.

~~~
bsder
I suspect that none of the Free To Play games _ever_ get that kind of
chargeback fee given the sheer volume of money they process.

The credit card companies probably trip over themselves to give phenomenal
offers to be the processor for them.

In addition, who really cares about a chargeback for an online game? Since
there is no physical thing that transacted, simply reversing the transaction
is quite straightforward.

~~~
swish_bob
Chargeback fees are the card clearing services' way of discouraging
chargebacks/disputes. They charge everybody them. The large banks put way more
money through them than you're talking about, and they have fairly high
write-off levels just because it's not worth raising a dispute unless you're
damn sure the other party will be hit with the costs.

A significant amount of the time when you call your provider about a dispute
(fraud or non-fraud), they will just pay out of their own pocket rather than
raise it with Visa/Mastercard/whomever, it's just not worth the risk of being
hit with the fees. (Unless they decide it's your fault, in which case they'll
tell you to suck it up.)

(I am a developer on the disputes platform for a major bank)

~~~
gruez
> A significant amount of the time when you call your provider about a dispute
> (fraud or non-fraud), they will just pay out of their own pocket rather than
> raise it with Visa/Mastercard/whomever

Are you talking about when a customer calls their bank, or when a merchant
calls their payment processor? I thought when a chargeback occurs, only the
merchant side gets hit with fees?

------
tlavoie
Anyone else wondering if the criminals read Neal Stephenson's novel, Reamde,
as a how-to guide?

------
justboxing
> "Money laundering through the Apple AppStore or Google Play isn’t a new idea
> and has been done before. In the 2011 the Danish part of the Apple App Store
> was flooded with expensive suspicious applications. More than 20 out of 25
> of the most downloaded applications were from China. The price of the apps
> ranged from $50-$100. For example, one of them “LettersTeach”, was intended
> for children who are learning English letters, yet it cost nearly $78. This
> pointed to money laundering then, however, what we encountered now is much
> more sophisticated.

I don't understand how the laundering part works. There was a similar link
posted to an overpriced book on amazon yesterday on HN, which also alluded to
money laundering.

So if I understand correctly, the person(s) who want to launder their
ill-gotten cash publish an app with an outrageous price, and then buy the same
app with their ill-gotten money, thereby turning it legitimate (by way of the
app company)?

If yes, then how much money could you possibly launder this way? Won't
purchasing the same app 100 times (if that's even possible) raise
suspicion? And even then you've only managed to launder 50 - 100 x 100 = max
of 10,000 USD. This is peanuts for the real money launderers who would be
dealing with millions of $ monthly.

~~~
ww520
The laundering part is easy. A guy has $1M he needs to clean up. Release a
$1000 app under account A. Buy the app 1000 times with accounts B, C, D, ...
Account A earns legit money.

~~~
dlhavema
What about the 30% commission the app stores take?

What's the going rate for money laundering? :P

~~~
westpfelia
Nothing wrong with losing a little bit of money to make a lot of money. Even
Pablo Escobar had to write off 10% of all his money due to rats eating it. I
feel like these people are ok with giving Google/Apple a 30% cut if it means a
platform is provided for them to make the other 70%

~~~
justboxing
> Even Pablo Escobar had to write off 10% of all his money due to rats eating
> it.

I didn't think this was true, but your statement checks out. Wow!

> "Pablo was earning so much that each year we would write off 10% of the
> money because the rats would eat it in storage or it would be damaged by
> water or lost," Escobar wrote.

Source: [http://www.businessinsider.com/pablo-escobar-and-rubber-band...](http://www.businessinsider.com/pablo-escobar-and-rubber-bands-2015-9)

------
GlitchMr
"They chose email providers with little to no protection against automated
account creation."

To be specific, go2.pl, o2.pl, prokonto.pl and tlen.pl are the exact same mail
provider - in fact, those domains are aliases for each other after
registering. This means that by registering a single time, they get four
usable e-mail addresses. Interestingly, the same provider also provides a
functionality to get more aliases if you want, but it doesn't seem like
criminals used this functionality (the aliases cannot be in those four
domains, rather they can be in another list of 18 domains).

~~~
r00fus
Doesn't fastmail offer the same feature? I remember at least a dozen aliases
when I used them a decade ago.

------
wuliwong
I'm a little unclear on how they found this database and why it was left
without security. It sounds like there are some well-known vulnerabilities in
older versions of Mongo and these people did some security audits where they
found this particular database. Is the explanation for why this database was
left vulnerable just a mistake on the part of the money launderers?

~~~
shakna
MongoDB's defaults have no real authentication.

------
duxup
In the lower right they note selling an AppleID with some game currency on it.

Is that of any use to a given gamer, a whole new AppleID?

------
mr_tristan
I wonder if we'll ever know where these tools originated from.

Does the US DOJ have a history of halting this sort of fraud yet?

------
mtkd
Original article:

[https://kromtech.com/blog/security-center/digital-laundry](https://kromtech.com/blog/security-center/digital-laundry)

~~~
sctb
Thank you, we've updated the link from
[https://www.bleepingcomputer.com/news/security/open-mongodb-...](https://www.bleepingcomputer.com/news/security/open-mongodb-database-exposes-mobile-games-money-laundering-operation/).

