A money laundering ring leverages fake Apple accounts and gaming profiles to make transactions with stolen payment cards and then sells these game premiums on online forums and within gaming communities.
The money laundering operation was unveiled by the US Department of Justice, the investigation started in mid-June when the experts from Kromtech Security discovered a MongoDB database exposed online. The database was containing information related to carders’ activities, the database contained 150,833 unique cards records (card number, expiration date, and CCV)
“Following our MongoDB investigations and honey pots deployments from the beginning of this year, we did another round of security audit of unprotected MongoDB instances. In June 2018 we have spotted a strange database publicly exposed to the public internet (no password/login required) along with a large number of credit card numbers and personal information inside.” reads the blog post published by Kromtech Security.
“As we examined the database we rapidly became aware that this was not your ordinary corporate database, this database appeared to belong to credit card thieves (commonly known as carders) and that it was relatively new, only a few months old. So we dug much deeper.”
The activity of the criminal gang behind the operation is simple as effective. Crooks used a special tool to create iOS accounts using valid emails accounts, then they associated with the accounts the stolen payment cards. Most of the created accounts are specific to users located in Saudi Arabia, India, Indonesia, Kuwait, and Mauritania.
The group then made the jailbreaking of iOS devices to install various games, create in-game accounts, and use them to purchase game features or premiums.
The cash out was made later when crooks re-sold the game features or premiums online for real money.
Experts found credit cards belong to 19 different banks, they speculated they were probably bought on the specific carder markets where they were offered in groups of 10k, 20k, 30k.
The list of mobile games used by the cybercriminals includes popular apps such as Clash of Clans and Clash Royale developed by Supercell, and Marvel Contest of Champions developed by Kabam.
The three apps have a gaming community of over 250 million users and generate approximately $330 million USD a year in revenue. Associated third-party markets are very active, websites like g2g.com to allow gamers to buy and sell resources and games, a great opportunity for crooks involved in money laundering.
“It is interesting to note that these three games are not even in the top five games. Scaling this scheme across other popular apps and games with in-app purchases places the potential market well into the billions of dollars USD per year.” reported Kromtech Security.
|App||Offered by||Android Users||Release||Metacritic score||In-app Products price per item||Daily revenue $||
|Clash of Clans||Supercell||100 000 000+||2012||74/100||$0.99 – $99.99 per item||684 002||250M|
|Clash Royale||Supercell||100 000 000+||2016||86/100||$0.99 – $99.99 per item||153 150||56M|
|Marvel Contest of Champions||Kabam||50 000 000+||2014||76/100||$0.99 – $99.99 per item||64 296||23.5M|
The experts also found that the Apple was employing lax credit card verification process when users add payment card data to iOS accounts, advantaging fraudulent activities. The experts noticed that cards with improper names and addresses were approved by Apple, for this reason, they notified their discovery to Apple.
The experts also highlighted that game makers do not implement necessary measures to prevent such kind of abuses. For example, the game makers do not control the interaction of tools like Racoonbot with Supercell games that are used to automate the premium feature buying operations.
“Raccoonbot.com is an automated bot dedicated to Supercell’s Clash of the Clans. It advertises itself in it’s forum as a way to “Become rich at Clash of the Clans”. This is done by automating the game and selling the gems. It can potentially be used in conjunction with MaxTooliOS to further enhance the profit from the stolen credit cards. It’s a direct violation of Supercell policy, it aids in laundering money, and it also remains in operation.” continues the analysis.
“iGameSupply is an approved marketplace for selling Racoonbot generated gems https://www.raccoonbot.com/forum/forum/80-approved-marketplace/“