Digital Laundry: How Credit Card Thieves Use Free-to-Play Apps to Launder their Ill-Gotten Gains

Are you into online games or purchasing apps on the App Store? If so, you have probably heard about, or even encountered, money laundering. Before we take a closer look at it, read through these insightful thoughts on the matter:

 

Bob Diachenko, Head of communications, MacKeeper Security:

"If you have ever played a free-to-play game, you know that most of them require resources of one type or another to play. Whether it be gems, gold, power-ups, or other, these resources are required to advance within the game, making them critical to the gameplay. Manually gathering the free resources is a slow process, and one can play a game for months working to move up levels.

 

This is where the game makers make their money. They sell resources through “In-App Purchases” to help people play the game and speed up the gameplay. The lure of speeding up your play is a strong incentive to spend money on resources, and many spend to play. This has turned free-to-play games into a multi-billion dollar industry."

 

The resources keep their value after purchase: once bought, they can still be traded, which adds to the gameplay, and a game account can be transferred from one owner to another. This makes it possible to resell gathered or purchased resources and accounts built up to advanced levels, and selling them on third-party markets is what lets the illicit activity mentioned above take place.

 

Alexander Kernishniuk, Communications director, MacKeeper:

"Money laundering through the Apple AppStore or Google Play isn’t a new idea and has been done before.  In 2011 the Danish part of the Apple App Store was flooded with expensive suspicious applications. More than 20 out of 25 of the most downloaded applications were from China. The price of the apps ranged from $50-$100. For example, one of them, “LettersTeach,” was intended for children learning English letters, yet it cost nearly $78.  This pointed to money laundering then; however, what we encountered now is much more sophisticated."

What did we find?

Following our MongoDB investigations and honeypot deployments from the beginning of this year, we did another round of security audits of unprotected MongoDB instances. In June 2018 we spotted a strange database exposed to the public internet (no password or login required) that contained a large number of credit card numbers and personal information.

 

As we examined the database, we quickly realised that this was not an ordinary corporate database: it appeared to belong to credit card thieves (commonly known as carders), and it was relatively new, only a few months old. So we dug much deeper.

 

It appeared to be a group of malicious actors running a complex automated system that used free-to-play apps, third-party game and resource resale websites, and Facebook to launder money from stolen credit cards.

 

In one of the tables we found links to Facebook accounts. From those accounts we found links to a Facebook page in Vietnamese advertising a special “tool”, which was also only a few months old.

 

We have detailed the evidence of this active, automated system in a report sent to the DOJ. According to our estimation, the system processed approximately 20,000 stolen credit cards in just 1.5 months (from the end of April 2018 to mid-June 2018).

 

Here is a simplified view of our findings (diagram):

What is the scale?

The credit card thieves we found are currently targeting just three games; two by the game maker Supercell - Clash of Clans and Clash Royale, and one by Kabam - Marvel Contest of Champions.

 

Below you can see that, with just these three games, there are over 250 million aggregate users, generating approximately $330 million USD a year in revenue. These three games also have a very active third-party market, using sites like g2g.com to buy and sell resources and accounts. All of this makes them a good place to blend in a little money laundering.

 

It is interesting to note that these three games are not even in the top five games. Scaling this scheme across other popular apps and games with in-app purchases places the potential market well into the billions of dollars USD per year.

| App | Offered by | Android users | Release | Metacritic score | In-app products (price per item) | Daily revenue ($) | Yearly revenue ($) |
|---|---|---|---|---|---|---|---|
| Clash of Clans | Supercell | 100 000 000+ | 2012 | 74/100 | $0.99 - $99.99 | 684 002 | 250M |
| Clash Royale | Supercell | 100 000 000+ | 2016 | 86/100 | $0.99 - $99.99 | 153 150 | 56M |
| Marvel Contest of Champions | Kabam | 50 000 000+ | 2014 | 76/100 | $0.99 - $99.99 | 64 296 | 23.5M |

Why is it possible?

It is easy to automatically create accounts on a large scale.

 

Apple only requires a valid e-mail address, a password, a date of birth, and three security questions to create an Apple ID.  E-mail accounts are also very easy to create with a few providers requiring little in the way of verification. Combined, the carders were able to automate the account creation process, as you’ll see, allowing them to create accounts on a large scale.

  • Some of the larger email services are making it a little more difficult to create accounts on a large scale by requiring phone verification. While this is not foolproof, given the availability of free VoIP burner numbers, this extra step would make it harder to create these accounts in quantity.
  • Apple does attempt to validate the credit card by charging and then refunding $1. Interestingly, Apple must not perform much in the way of credit card verification beyond that, because we saw that many cards were processed with an incorrect name and address. Perhaps verification is minimal due to the low dollar amount of the charge, but stricter credit card verification would make things a bit more difficult for the carders.

With the account creation process automated, the malicious actors then took the process further, automatically changing cards until a valid one is found, automatically buying games and resources, automatically posting the games and resources for sale, working with a digital wallet for order processing, and managing multiple Apple devices to distribute the load.

 

The end result: an automated money laundering tool for credit card thieves.
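A provider-side detection for the "change cards until a valid one is found" behaviour described above, added here as an example for this article (it is not code from the investigation or from Apple). The event records are constructed in the shape of the tool's activities table with card targets already masked; the 10-minute window and the three-failure threshold are assumptions to tune against real traffic.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed events in the shape of the tool's `activities` table
# (Apple ID, action, target, timestamp) plus a result; card targets are masked.
EVENTS = [
    ("2018-05-21T10:00:05", "id_001@example.test", "add_card", "434061**0001", "fail"),
    ("2018-05-21T10:00:41", "id_001@example.test", "add_card", "434061**0002", "fail"),
    ("2018-05-21T10:01:20", "id_001@example.test", "add_card", "434061**0003", "fail"),
    ("2018-05-21T10:02:02", "id_001@example.test", "add_card", "434061**0004", "success"),
    ("2018-05-21T10:02:30", "id_001@example.test", "buy_gems", "pack_14000", "success"),
    ("2018-05-21T12:15:00", "alice@example.test", "add_card", "411111**1111", "success"),
    ("2018-05-22T09:00:00", "alice@example.test", "add_card", "411111**2222", "fail"),
]
WINDOW = timedelta(minutes=10)  # assumed thresholds; tune against real traffic
MAX_FAILS = 3

def parse(ev):
    ts, account, action, target, result = ev
    return datetime.fromisoformat(ts), account, action, target, result

def card_testing_accounts(events):
    """Accounts failing MAX_FAILS+ distinct cards inside one WINDOW ('change cards until one works')."""
    fails = defaultdict(list)  # account -> [(ts, masked card)]
    for ts, account, action, target, result in map(parse, events):
        if action == "add_card" and result == "fail":
            fails[account].append((ts, target))
    flagged = {}
    for account, tries in fails.items():
        tries.sort()
        for i, (start, _) in enumerate(tries):
            cards = {t for ts, t in tries[i:] if ts - start <= WINDOW}
            if len(cards) >= MAX_FAILS:
                flagged[account] = len(cards)
                break
    return flagged

def buys_right_after_validation(events):
    """Gem purchase within WINDOW of a successful card add, after at least one failed card."""
    last_ok, had_fail, hits = {}, set(), set()
    for ts, account, action, target, result in sorted(map(parse, events)):
        if action == "add_card" and result == "fail":
            had_fail.add(account)
        elif action == "add_card" and result == "success":
            last_ok[account] = ts
        elif (action == "buy_gems" and account in had_fail
              and account in last_ok and ts - last_ok[account] <= WINDOW):
            hits.add(account)
    return hits
```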

The buying, selling, and other legitimate and illegitimate ways of increasing resources are well known. The companies involved do take a stand against the exploitation of their games and do have policies to ban offenders, but they do not quite go far enough. Supercell, the company behind Clash of Clans and Clash Royale, has the following warning on its site.

 

https://supercell.com/en/safe-and-fair-play/

UNAUTHORIZED GEM BUYING/SELLING

Certain websites and individuals might offer cheaper gems/diamonds. Don't be fooled - it's a scam.

Such services request private login data (such as Apple ID, Google Play credentials, etc) in order to access your game account. These vendors will gain access to your account and oftentimes, hijack the account and try selling it to other players.

IMPORTANT: If you release your private information/credentials to 3rd parties, you're permanently placing your game and financial/online security in a high-risk situation.

Consequences of misconduct: Purchasing gems or diamonds from 3rd party vendors can lead to revoked in-app currency and can even get your account permanently banned.

Unfortunately, this addresses only a small part of the overall problem; they should also target:

  • Scams on “free” resources generators: there are approximately 176 Google results attempting to lure people with unlimited resources for Clash of Clans.   Considering the revenue generated, some of it should be spent towards the monitoring and takedown of such sites.
  • Accounts for sale: the account ID should simply be banned following suspicious payments.  Track the money, perhaps creating unique gem hashes that can be tracked to original account purchase and revoked after purchase if made with a stolen card.
  • Odd gem transfers between accounts: Large transfers between accounts may be a warning flag that the gems were purchased or otherwise acquired from an outside source.

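One way to implement the "unique gem hashes" and "odd gem transfers" suggestions above, written as an added illustration rather than anything Supercell or Kabam runs: every purchased gem pack becomes a lot with a unique hash bound to the buying account and payment, lots travel with the gems through transfers, a chargeback revokes that lot wherever its gems now sit, and transfers above a threshold raise an alert. The class, its field names and the 500-gem threshold are assumptions.

```python
import hashlib
from collections import defaultdict

class GemLedger:
    """Each gem pack purchase is a lot with a unique hash bound to buyer and payment;
    lots travel with transfers, so a chargeback revokes exactly those gems and oversized transfers alert."""
    LARGE_TRANSFER = 500  # assumed threshold for an "odd" transfer

    def __init__(self):
        self.lots = {}                     # lot hash -> {account, payment, gems}
        self.holdings = defaultdict(dict)  # account -> {lot hash: gems held}
        self.alerts = []

    def purchase(self, account, payment_id, gems):
        # The lot counter (len) keeps the hash unique even for repeat purchases.
        lot = hashlib.sha256(f"{account}:{payment_id}:{len(self.lots)}".encode()).hexdigest()[:16]
        self.lots[lot] = {"account": account, "payment": payment_id, "gems": gems}
        self.holdings[account][lot] = gems
        return lot

    def transfer(self, src, dst, gems):
        if gems > self.LARGE_TRANSFER:
            self.alerts.append(("large_transfer", src, dst, gems))
        remaining = gems
        for lot, held in list(self.holdings[src].items()):  # oldest lots move first
            take = min(held, remaining)
            self.holdings[src][lot] -= take
            if self.holdings[src][lot] == 0:
                del self.holdings[src][lot]
            self.holdings[dst][lot] = self.holdings[dst].get(lot, 0) + take
            remaining -= take
            if remaining == 0:
                break
        if remaining:
            raise ValueError("insufficient gems")

    def chargeback(self, payment_id):
        """Revoke every gem bought with the disputed payment, whoever holds it now."""
        revoked = {}
        for lot, info in self.lots.items():
            if info["payment"] != payment_id:
                continue
            for account, lots in self.holdings.items():
                if lot in lots:
                    revoked[account] = revoked.get(account, 0) + lots.pop(lot)
        self.alerts.append(("chargeback", payment_id, revoked))
        return revoked

    def balance(self, account):
        return sum(self.holdings[account].values())
```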
We have not seen many actions to ban such activities on a large scale.  In fact, on related forums we saw only individual users banned who admitted to buying these gems from unofficial shops.

 

The ability to rebind your account an unlimited number of times from Apple ID to Supercell ID and back is considered a feature.  It is useful for legitimate changing of accounts, but it also lends itself to the sale of accounts for profit outside the game maker’s control.

 

Apple IDs involved in these transactions are likely to end up completely compromised, during and after the sale, because most users have a lot of personal information attached to them. That is why, some time later, the original user may face ransom demands.

 

Google Play buying instructions avoid the direct handover of account credentials (but we have not analysed all marketplaces).

We saw instructions for rebinding crafted Google accounts (with payment methods attached) to the user's Supercell ID, the credentials of which the buyer is asked to provide.

Detailed MongoDB analysis

| Table name | Count of docs | Contains | Interesting notes |
|---|---|---|---|
| users | 3 | Name, username, hashed password | Accounts were created on 2018-04-24 |
| suppliers | 9 | Full name and Facebook of responsible person | Users were added starting from 2018-05-20 |
| profiles | 18 | Generate-address flag, add_card flag, Apple ID password (the same for batches of accounts), country, city, state, phone (only the first 3 digits visible), game, wallet, proxy settings, scenarios in use, gem packages to try and buy | Profiles are used for automated work with the tool; profile names are listed below |
| idstores | 11 | Name, selected flag | |
| cardstores | 10 | Name, selected flag | Store names are listed below |
| emails | 13436 | Email, password, is_used flag, timestamps | |
| cards | 150976 | is_used and is_support flags, card number, expiration date, ccv, timestamps | |
| appleids | 37 645 | is_used and has_card flags, email, password, timestamps, owner, serial, is_support and verify_fail flags | |
| activities | 899 | Apple ID, action, target, timestamps | |
| logs | 97 431 | User, action, target, type, timestamps | 48128 unique targets in logs |

Profile names (profiles table):

  • indo
  • mauritania_421349
  • mauritania_434061
  • mauritania_458755
  • binh_mauritania_421349
  • binh_mauritania_434061
  • binh_mauritania_458755
  • taoid_mauritana_421349
  • binh_india_463217_24052018
  • taoid_Kuwait
  • indo B
  • Kuwait_483819
  • indo_tao
  • kuwait_o2
  • kuwait_o2_id
  • saudiarabia
  • kuwait_479423
  • kuwait_455880

Store names (cardstores table):

  • indo
  • Indo_support_ton_19052018
  • Kho Card Marin (Bin 434061)
  • Kho Card Marin (Bin 458755)
  • card_india_24052018
  • card_kuwait_26052018
  • card_saudiarabia_11062018
  • card_kuwait_479423
  • card_kuwait_459327
  • card_kuwait_455880

Profiles are configured for work in 5 countries:

  • India
  • Indonesia
  • Kuwait
  • Mauritania
  • Saudi Arabia

One of the main questions we had was “Are these cards valid?”

It’s true that many of the cards were used as a payment method with Apple, and that Apple verifies them right after they are added: it is a common operation to charge $1 to the card and then refund it to test whether it is valid.

 

But we needed more evidence…

 

It’s unethical, not to mention illegal, to purchase something with found credit card data, so we investigated the data set without involving third parties. The following is what we found:

  • 150833 unique cards in the database, each with full card number, expiration date, and CCV.
  • is_used = True: 37606 (this was equal to the number of Apple ID accounts in the database)
  • is_used = False: 113370
  • Visa: 149620
  • Mastercard: 1211
  • Year 2023: 34873
  • Year 2022: 34990
  • Year 2021: 34940

 

| BIN | Bank | Country | Type | Count | Name from suppliers table |
|---|---|---|---|---|---|
| 421349 | CHINA CONSTRUCTION BANK CORPORATION | China | Visa | 14000 | |
| 423323 | | Chad | Visa | 87 | |
| 424965 | BANCO PROVINCIA DE TIERRA DEL FUEGO | Argentina | Visa | 1000 | |
| 434026 | HILLS BANK AND TRUST COMPANY | United States | Visa | 2 | |
| 434061 | CHINA CONSTRUCTION BANK CORPORATION | China | Visa | 10000 | Kho Card Marin |
| 434062 | CHINA CONSTRUCTION BANK CORPORATION | China | Visa | 1274 | |
| 446284 | CHASE MANHATTAN BANK USA, N.A. | United States | Visa | 8761 | |
| 455880 | CHINA CONSTRUCTION BANK CORPORATION | China | Visa | 20000 | card_kuwait_455880 |
| 458755 | CHINA CONSTRUCTION BANK CORPORATION | China | Visa | 29500 | Kho Card Marin |
| 459327 | BANCARD, S.A. | Paraguay | Visa | 23000 | card_kuwait_459327 |
| 463217 | VIJAYA BANK | India | Visa | 1 | |
| 479423 | GRUPO INTERNACIONAL DE FINANZAS S.A.E.C.A. (GRUPO INTERFISA) | Paraguay | Visa | 20000 | card_kuwait |
| 483819 | CHINA MERCHANTS BANK | China | Visa | 12000 | |
| 499831 | BANCO FAMILIAR S.A.E.C.A. | Paraguay | Visa | 10000 | |
| 521983 | PT. BANK NEGARA INDONESIA (PERSERO) TBK. | Indonesia | Mastercard | 94 | |
| 528674 | PT. BANK CIMB NIAGA TBK. | Indonesia | Mastercard | 1120 | |
| 529721 | PT. BANK NEGARA INDONESIA (PERSERO) TBK. | Indonesia | Mastercard | 35 | |
| 536788 | PT. BANK CIMB NIAGA TBK. | Indonesia | Mastercard | 101 | |

Interesting findings:

  • Cards used (is_used): 37606
  • add_fail (bool): 4560 cards that were already blocked
  • add_success (bool): 18 072 cards for which adding the card to an account succeeded

So it appears that they have so far used 37,606 credit cards and, at the time of the investigation, had 18,072 cards verified by Apple (successfully added to accounts).
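A triage script for a card dump like the one described in this section and in the list above, added here as an example (it is not the authors' analysis code): it deduplicates on card number, derives the brand, BIN and expiry-year breakdowns and the is_used / add_success / add_fail counts, and never exposes more than the BIN and last four digits. The sample documents are constructed with the public test numbers payment processors publish, the CVV field is deliberately never loaded, and the field names are an assumption about the collection's schema.

```python
from collections import Counter

# Constructed sample mirroring the exposed `cards` collection (card number, expiration
# date, is_used, add_fail, add_success). The PANs are public processor test numbers,
# not real cards, and the CVV field is never loaded into the analysis.
SAMPLE_CARDS = [
    {"number": "4111111111111111", "exp": "03/23", "is_used": True,  "add_success": True,  "add_fail": False},
    {"number": "4111111111111111", "exp": "03/23", "is_used": True,  "add_success": True,  "add_fail": False},  # duplicate doc
    {"number": "4012888888881881", "exp": "11/22", "is_used": True,  "add_success": False, "add_fail": True},
    {"number": "5555555555554444", "exp": "07/21", "is_used": False, "add_success": False, "add_fail": False},
    {"number": "5105105105105100", "exp": "01/22", "is_used": False, "add_success": False, "add_fail": False},
    {"number": "4111111111111112", "exp": "09/23", "is_used": False, "add_success": False, "add_fail": False},  # fails Luhn
]

def luhn_valid(pan):
    """Luhn checksum; separates garbage and typos from plausible card numbers."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def brand(pan):
    """Coarse brand from the leading digits (the page only distinguishes Visa and Mastercard)."""
    if pan.startswith("4"):
        return "Visa"
    if 51 <= int(pan[:2]) <= 55 or 2221 <= int(pan[:4]) <= 2720:
        return "Mastercard"
    return "Other"

def mask(pan):
    """Only the BIN and the last four digits ever leave the analysis."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def summarize(docs):
    unique = {d["number"]: d for d in docs}  # dedupe on PAN, as the page's 150976 docs vs 150833 cards
    pans = list(unique)
    return {
        "docs": len(docs),
        "unique_cards": len(pans),
        "luhn_invalid": sum(not luhn_valid(p) for p in pans),
        "is_used": sum(unique[p]["is_used"] for p in pans),
        "add_success": sum(unique[p]["add_success"] for p in pans),
        "add_fail": sum(unique[p]["add_fail"] for p in pans),
        "by_brand": dict(Counter(brand(p) for p in pans)),
        "by_exp_year": dict(Counter("20" + unique[p]["exp"][-2:] for p in pans)),
        "by_bin": dict(Counter(p[:6] for p in pans)),  # BINs are what the bank table is built from
    }
```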

Detailed emails investigation

Standalone emails, total count: 13 436

 

They chose email providers with little to no protection against automated account creation.

| Mail domain | Count of mails |
|---|---|
| go2.pl | 3391 |
| o2.pl | 2745 |
| prokonto.pl | 3391 |
| tlen.pl | 3391 |
| yahoo.com | 518 |

 

Detailed accounts investigation

  • 37 645 emails with passwords and creation date
  • 240 mail domains

Digging further

Instructions for automatically playing and advancing Clash of Clans for profit with Raccoonbot were found on one of the game automation forums.

 

Supercell states that any kind of automation tools are forbidden and if detected the account gets banned from the system.

 

Raccoonbot.com is an automated bot dedicated to Supercell’s Clash of Clans. It advertises itself in its forum as a way to “Become rich at Clash of the Clans”. This is done by automating the game and selling the gems. It can potentially be used in conjunction with MaxTooliOS to further increase the profit from the stolen credit cards. It is a direct violation of Supercell policy, it aids in laundering money, and it remains in operation.

 

iGameSupply is an approved marketplace for selling Raccoonbot-generated gems: https://www.raccoonbot.com/forum/forum/80-approved-marketplace/

Conclusions

  • The tool we found and its users currently work with countries such as Saudi Arabia, India, Indonesia, Kuwait, and Mauritania.
  • We do not know if this was simply because the tool and Facebook page is new and this is just due to initial users, or if operating through these countries provides some kind of additional benefit to the thieves.
  • Credit cards we found belong to 19 different banks.
  • They were probably bought on the carder markets as they were in groups of round numbers, like 10k, 20k, 30k.
  • Apple appears to employ a lax credit card verification process.
  • Cards with improper names and addresses were approved.
  • The large-scale abuse of the creation and verification process of Apple ID is possible because the group uses jailbroken iPhones to distribute the load, along with generated and stolen data.
  • Service providers need to meet today’s realities and properly secure their account creation process from abuse by automated tools.
  • Apple and the e-mail providers used did not do enough to protect against this kind of abuse.
  • Game makers could do a better job of policing their policies along with tracking and pursuing abusers.
  • Apple could do the same.

ABOUT MACKEEPER

 

With MacKeeper, we aim to make using your Mac easier and safer through reliable technology solutions. MacKeeper comes with the essentials to clean up and speed up your Mac and make your online experience more private and secure.
