Spoiled Rotten Spa Owner Arrested, Charged With Fraud

Woman Made Fraudulent Credit Card Charges, Police Say


APTOS, Calif. -- The former owner of Spoiled Rotten Day Spa in Aptos was arrested Friday after several clients reported several thousand dollars in fraudulent credit card charges paid to the spa appeared on their credit card statements.

One victim reported that his credit card had been fraudulently used four times for a total of $9,600.

Spa owner Sonya Harting, 35, was arrested and charged with credit card fraud.

Police said Harting was evicted on Jan. 5 by the building owner, but continued selling gift certificates for spa services throughout the holiday season.

Anyone who purchased a gift certificate from Spoiled Rotten Day Spa during the month of December that could not be redeemed due to business closure is encouraged to call the Santa Cruz Property Crimes Unit at 454-2311.

Seattle: Capitol Hill credit card fraud wave tied to Broadway Grill

The investigation into more than 100 reported cases of credit card fraud across Capitol Hill has identified a Broadway restaurant as one "point of interest." Like the victims who have had their bank and credit accounts hit for fraudulent charges in the thousands of dollars, Capitol Hill's Broadway Grill is also a victim in this wave as personal and business accounts related to the restaurant have been compromised along with accounts of a not-yet-known number of customers who ate and drank at the popular eatery.

We received the following statement from one of the partners behind the Broadway Grill, Matthew Walsh:

We take this issue very seriously and are working with both the Seattle Police Department as well as the Secret Service to find the people who have done this to everyone and have them stopped.

We have gone above and beyond to make sure that our network is completely secure and that this sort of thing can't happen to any of our customers, there has been no decline in credit/debit card use because of our actions to ensure safety. Not only were our personal accounts compromised but our business savings and operating accounts have also been compromised.

We are a tiny little company trying to manage this huge monster of a restaurant and for someone to swoop in and try to completely wipe our accounts is a really scary thing. I am seriously worried about the future of our business without the support of our community. We have been growing by leaps and bounds since I took over in June, not only in our new menu and food quality but also in our day to day operation. It is my hope that we have touched enough lives over the years to be able to count on our beloved customers for their support and continued patronage in this difficult time.

We do not know yet if Broadway Grill represents the only breached business on the Hill or if investigators have identified others in the area. On Monday, CHS reported that the Secret Service's Electronic Crimes Task Force had identified and "reduced" the threat from what the lead agent called a "point of interest" in the Capitol Hill area.

We have checked with Kroger, the parent company for QFC, about any involvement in the investigation. A QFC spokesperson told CHS he ws not aware of any contact between investigators and either of the Broadway stores. "To my knowledge, we have not been contacted by police. When we are, we will work with them," the spokesperson said earlier this week.

Meanwhile, the situation is widespread enough and people are so wary that large area institutions are dealing with relatively sizable numbers of victims. We talked to Seattle University about a a growing number of Seattle University students and employees who have experience problems with financial accounts in recent days. But Mike Sletten director of public safety for the campus, told us that the cases he is aware of all appear to be part of the Capitol Hill wave. "They all reflect that Capitol Hill theme," Sletten said.

Jennifer Aniston named as victim of salon fraud

The owner of a Beverly Hills beauty salon was arrested on Wednesday on charges of stealing credit card information from Jennifer Aniston, Anne Hathaway and Liv Tyler and running up tens of thousands of fraudulent payments on their accounts.


According to court documents in the case, a witness claimed that Cher, Melanie Griffith and former "Felicity" television star Scott Speedman were also victims of the fraud.

The owner of Chez Gabriela Studio is accused of swindling $214,000 from Tyler alone in a five-month period last year, according to a court affidavit.

The U.S. Attorney's office in Los Angeles said salon owner Maria Gabriella Perez, 51, is accused of making at least $280,000 of fraudulent charges in a one-year period.

Perez is alleged to have used credit card information provided by celebrities and other clients for legitimate services, and later entered the details manually to run up unauthorized charges.

Aniston, Hathaway, Cher, Tyler, Griffith and Speedman were named in the court papers as among those who saw unauthorized charges on their credit cards.

Representatives for Cher, however, told celebrity website TMZ.com that the singer and actress was not a victim and did not know why she had been named in the court papers.

FTC: Scammers Stole Millions Using Micro Charges To Credit Cards

A gang of unknown thieves has stolen nearly $10 million using micro charges made to more than a million credit and debit cards in an elaborate multiyear scam, according to a lawsuit filed by the Federal Trade Commission in March.

Have any of these company names appeared on your bank card statement? The FTC says they were front companies used by scammers to make nearly $10 million in charges to consumer credit and debit card accounts. (FTC v. API Trade, LLC)

The fraudulent charges went unnoticed by the majority of card owners because they were made in small amounts — ranging from 20 cents to $10 — that bypassed fraud detection algorithms, and because the scammers typically made only one fraudulent charge per card.

The sophisticated scam, which was first reported by IDG News Service, began in 2006 and was stifled only recently after the FTC succeeded to shut down merchant accounts the scammers were using and halt the activities of at least 14 money mules who were laundering illegal proceeds for the gang.

According to court documents filed (.pdf) in the U.S. District Court for the Northern District of Illinois, the scammers — identified only as “John Does” in the complaint — recruited money mules through a spam campaign that sought to hire a U.S.-based financial manager for an international financial services company.

Mules who responded to the ad and were chosen for the task opened multiple bank accounts and about 100 limited liability companies for the scammers, which were then used to make the fraudulent charges and launder money to bank accounts in Cyprus and several Eastern European countries, including Estonia and Lithuania.

Front companies set up by the mules included Albion Group, API Trade, ARA Auto Parts Trading, Data Services, New York Enterprizes, and SMI Imports, among others.

The scammers then purchased domain names and set up phone numbers and virtual office addresses for the front companies through services such as Regus. They used this information — along with federal tax ID numbers stolen from legitimate companies with similar names — to apply for more than 100 merchant accounts with credit card processors, such as First Data.

According to IDG,

They used another legitimate virtual business service — United World Telecom’s CallMe800 — to have phone calls forwarded overseas. To further make it seem as though their companies were legitimate, the scammers would set up fake retail Web sites. And when credit card processors asked them to provide information about company executives, they handed over legitimate names and social security numbers, stolen from ID theft victims.

When they had to log into payment processor Web sites, they would do this from IP addresses that were located near their virtual offices, again evading payment processor fraud detection services.

Once approved by the card processors, the front companies were able to charge consumer credit and debit cards. Money charged to the cards was directed into the bank accounts set up by the money mules, who then transferred it to accounts overseas.

The charges showed up on consumer credit and debit card statements with a merchant name and toll-free phone number. But consumers who called the numbers to question the charges generally encountered an automated voicemail recording saying the number had been disconnected or instructing them to leave a detailed message. The calls, of course, were never returned.


More than 1.35 million cards were used to make fraudulent charges, according to IDG, but 90 percent of the charges went uncontested by consumers.

Shops blow signature test

Courtney Dixon was one of the few retailers to check credit card details. Most retailers are failing to make even the most basic checks to prevent credit card fraud, according to an undercover survey.

A Herald on Sunday representative visited 20 Auckland stores this week and at 16 - 80 per cent - made purchases using a card that didn't belong to her.

New Zealand Retailers Association chief executive John Albertson said the results were "very disappointing", particularly during the pre-Christmas rush.

The findings come despite repeated security warnings from banks and credit card companies on the doubling in fraud cases since 2005.

Our representative visited 10 stores in downtown Auckland and 10 at the St Lukes mall. She attempted to make purchases of about $5 using a colleague's National Bank Visa card and made no attempt to copy the signature on the card.

Staff at 16 stores, including some of our top chains, failed to question the conflicting signatures and allowed the purchase.

Most gave the signatures a cursory glance at best, while a few looked suspicious but still let the purchase through.nzherald

Estonians, Russian, Moldovan charged in credit card hack

WASHINGTON — Alleged computer hackers from Estonia, Russia and Moldova have been indicted in a scheme that netted nine million dollars from cash dispensers, the US Justice Department said on Tuesday.

"This investigation has broken the back of one of the most sophisticated computer hacking rings in the world," said acting US attorney Sally Quillian Yates of the Northern District of Georgia.

Sergei Tsurikov, 25, of Tallinn, Estonia, Viktor Pleshchuk, 28, of St. Petersburg, Russia, and Oleg Covelin, 28, of Chisinau, Moldova, have been indicted by a federal grand jury in Atlanta, Georgia, the department said.

It said a fourth person known only as "Hacker 3" was also indicted on charges of hacking into a computer network operated by Atlanta-based credit card processing company RBS WorldPay, part of the Royal Bank of Scotland.

Tsurikov, Pleshchuk, Covelin and "Hacker 3" were charged with conspiracy to commit wire fraud, wire fraud, conspiracy to commit computer fraud, computer fraud, access device fraud and aggravated identity theft.

They were accused of compromising the data encryption on payroll debit cards, which are used by some companies to allow employees to withdraw their salaries directly from a cash dispenser, or ATM.  AFP

Arrest in Epic Cyber Swindle

A 28-year-old American, believed by prosecutors to be one of the nation's cybercrime kingpins, was indicted Monday along with two Russian accomplices on charges that they carried out the largest hacking and identity-theft caper in U.S. history.
Federal prosecutors alleged the three masterminded a global scheme to steal data from more than 130 million credit and debit cards by hacking into the computer systems of five major companies, including Hannaford Bros. supermarkets, 7-Eleven and Heartland Payment Systems Inc., a credit-card processing company.
U.S. Secret Service courtesy of wired.com
Photo of Albert Gonzalez released to wired.com by Secret Service
The indictment in federal district court in New Jersey marks the latest and largest in at least five years of crime that has brought its alleged orchestrator, Albert Gonzalez of Miami, in and out of federal grasp. Detained in 2003, Mr. Gonzalez was briefly an informant to the Secret Service before he allegedly returned to commit even bolder crimes.
Authorities have previously alleged that Mr. Gonzalez was the ringleader of a data breach that siphoned off more than 40 million credit-card numbers from TJX Cos. and others in recent years, costing the parent company of the TJ Maxx retail chain about $200 million.
Mr. Gonzalez is in federal custody in Brooklyn, N.Y., awaiting trial for alleged efforts to hack into the network of the national restaurant chain Dave & Buster's Inc. He also faces charges in Boston in the TJX matter.
The alleged thefts in Monday's indictment took place from October 2006 to May 2008.
Wall Street Journal