Join us to hear the story of Chirag Patel, a former Choice Hotels employee who socially engineered reward points and credit card numbers from several of their franchised hotels. This is eCrimeBytes.com S 2 Ep 8-2 – Socially Engineered Reward Points With Chirag Patel – Act 2: The Hack.
For the background, please check out the prior acts:
Socially Engineered Reward Points With Chirag Patel – Act 1: Drugs And Spyware
Sources:
- https://www.justice.gov/usao-az/pr/hacker-sentenced-51-months-prison-stealing-customer-credit-card-numbers
- https://www.courtlistener.com/docket/63158296/united-states-v-patel/
- https://www.12news.com/article/news/crime/hacker-sentenced-stealing-hundreds-credit-card-numbers-arizona/75-81cac896-cb60-4923-83eb-d9af670475bd
Transcript:
00:00:10:00 – 00:00:11:25
Keith
Hey, welcome back to eCrimeBytes.
00:00:11:25 – 00:00:41:07
Keith
This is season two, episode eight. We are doing socially engineered reward points with Chirag Patel, who works or at least worked at a hotel chain called Choice Hotels, which is a very large hotel chain. And we set you up with some background on what key loggers were. And we talked a little bit about social engineering, and we got almost to the point of telling you what the hack was.
00:00:41:07 – 00:00:45:17
Keith
And this is the point in our episode where we actually do tell you what the heck is so
00:00:45:17 – 00:01:03:16
Keith
I’ve basically put this hack into about six bullets and I’ll read them for you and then I’ll try to go back and address anything. So the very first step and I’ll say Chirag Patel and conspirators, and if I forget to say conspirators
00:01:03:16 – 00:01:17:13
Keith
most of these things imply him and his conspirators. You will see that he was caught. Not necessarily the conspirators were, but in almost every document that I’ve read, it has conspirators.
00:01:17:13 – 00:01:40:05
Keith
So Chirag Patel and his conspirators would call hotel front desk, just the phone number, the normal person phone number, and pretend to be an I.T. employee. So this quote unquote, I.T. employee would then convince the front desk staff who’s probably not computers is probably not their biggest thing that they have to worry about at their hotel.
00:01:40:05 – 00:02:01:18
Keith
This fake IT person says, Hey, I need remote access to your computer. We’re going to talk a little bit more about remote access later. But let’s just assume at this point, the front desk worker, who’s probably not a computer person first and foremost, probably believed this I.T. person and gave them remote access
00:02:01:18 – 00:02:07:13
Keith
from there, the I.T. person and I use air quotes because they weren’t it was Chirag Patel.
00:02:07:13 – 00:02:37:13
Keith
And this conspirators would install a keylogger that would save what is typed at the keyboard. This is important because in the next step, Patel and his coconspirators can then see all the logging credentials for all the important people at that hotel branch. One of the most important people at hotel branches is this position called General Manager and general manager had access to this database of loyalty rewards.
00:02:37:16 – 00:03:04:14
Keith
That database also had partial credit card numbers and you go, Oh, thank God he only had access to reward numbers and partial credit card numbers. No, no. Patel because he had usernames and passwords, also had access to this e-commerce provider that they just they call shift4 like the number four. It’s all kind of put together where it’s a shift4
00:03:04:14 – 00:03:19:09
Keith
and from the best I can tell this is the service that the hackers were able to go in and get credit card data from the full credit card data from not just partial credit card numbers that you would see in a loyalty database.
00:03:19:09 – 00:03:32:02
Keith
So that’s an important distinction. And when I saw that name shift4, I was like, Who is this? I’ve never heard of them before. So I went to their website and I put an image of their website for our video viewers out here. Now.
00:03:32:02 – 00:03:44:08
Keith
And it’s a very simplistic website, futuristic looking but simplistic that says Experience the future of commerce, accept payments everywhere with shift4, end to end commerce solution.
00:03:44:10 – 00:03:59:11
Keith
And then it’s got buttons for like in-person payments and online payments. And they’ve obviously got some kind of system that looks like customers can log in into because up in the upper right corner you got a logging button and some tutorial type of buttons up there. So
00:03:59:11 – 00:04:09:14
Keith
if you take nothing else away from the shift4 think, if I have access to this, I have access to financial stuff that I probably shouldn’t have access to as an attacker.
00:04:09:14 – 00:04:23:21
Keith
So that’s the background of what we’re dealing with with Chirag Patel and his coconspirators of what realm of data that they have their hands on at this point. So once they have their hands on the data, they got to do something with it, right?
00:04:23:21 – 00:04:52:12
Seth
So if they do so we know that in mid-March of 2019, Chirag and his crew tried to sell some stolen credit card numbers. We know this because they had intercepted some email and with email in this case, as you know, there’s going to be some pretty awesome email addresses. We have one here where Patel, who used the email address bomb in the bush and at gmail dot com.
00:04:52:14 – 00:05:13:22
Seth
I’m not even sure where to go with that exchange. The following email messages inquiring about getting cash from stolen credit cards. And by the way, you would think that like if he was slick enough to imitate an IT professional and remote install key logging, he’d be a little slicker about, you know, essentially looking to commit felonies and doing it via email.
00:05:13:22 – 00:05:24:02
Seth
Patel Hey, I’m a carder newbie, as in n e w b, I have plenty cards we’re missing some adverbs. It’s okay and I get Amex good ones
00:05:24:02 – 00:05:35:15
Seth
Yeah. Can you help me with some cash out? I’ll give you the cards and somebody named ship export 35 says I know a method, but it’s complicated.
00:05:35:17 – 00:05:53:05
Seth
Where do you get your cards and where are you located? I would never respond, by the way, if I was engaged in illegal activity with that information. But regardless, Patel does Alabama. I get him from a hotel system. I got American Express black with I.D. and card.
00:05:53:05 – 00:05:57:16
Seth
What else does he say? Oh, can we get the money off, split the profits?
00:05:57:19 – 00:06:28:15
Seth
So he’s clearly actively this is what you call the crime, which is actively engaging in selling stolen credit card information. So they also law enforcement in April 2019 had seized Patel’s cell phone. We’ll talk about his arrest later. And we know that Patel possessed a cell phone that contained about 35 different login credentials for different general managers accounts tied to at least 22 different locations of choice hotels in at least ten states.
00:06:28:17 – 00:06:49:28
Seth
So he was very, very active in basically raiding Choice Hotel, GM login credentials. And these records were captured from pcTattletale. That’s that first key logging system we saw and learned about and stored within the quote notes section on Patel’s cell phone. He wasn’t really hiding the fact that he was doing this fairly openly. Notoriously.
00:06:49:28 – 00:06:59:27
Keith
No. And he continues. I don’t think he got his buyers because in April, mid April of 2019, he starts looking for more buyers for a stolen credit cards.
00:06:59:27 – 00:07:03:26
Keith
He’s out there, bomb in the bush at gmail.com. Again,
00:07:03:26 – 00:07:07:07
Keith
he is offering credit cards stolen from
00:07:07:07 – 00:07:19:05
Keith
hotels for sale on the Darknet forum called the Pirate Ship, which is a carders forum, meaning when you have stolen credit cards, you usually need somewhere to sell them to somebody else.
00:07:19:05 – 00:07:34:17
Keith
You people a lot of times will have more cards than they’ll ever be able to use. So what they do is they sell them to other people. That’s a carder’s forum. So this is where he’s visiting on the darknet, which is not your normal Internet. You got to use a different browser to get to it,
00:07:34:17 – 00:07:38:05
Keith
he posted. I’ve got a bunch of credit cards, hotel hacked.
00:07:38:08 – 00:07:57:06
Keith
I got there. Oh, he spells as good as Jason Leidel. I got there t h e r e shift four dot com admin log in. So which is that page I showed you earlier, which is the e-commerce that we talked about and that’s where I think they got the credit card information because this is what he’s stating here.
00:07:57:06 – 00:08:01:06
Keith
He says, Message me if you know what to do.
00:08:01:06 – 00:08:16:03
Keith
I got a, I got a lot of CC no CVV which is that extra security number on the back full address and number $3 apiece. Must order, $300 worth, minimum.
00:08:16:03 – 00:08:17:10
Keith
All right. So
00:08:17:10 – 00:08:25:28
Keith
he’s got these credit cards that he’s stolen, but he’s also got access to a shit ton of reward points through these databases that general managers have access to.
00:08:25:29 – 00:08:31:08
Keith
So around June, mid-June of 2019,
00:08:31:08 – 00:08:48:24
Keith
there’s this customer rewards account that’s associated with the email address bomb in the bush at gmail.com, and it tries to redeem 96,000 fraudulently attained reward points. And you don’t even probably need to know what they cost
00:08:48:24 – 00:08:57:27
Keith
You’re looking at 96,000. That’s a lot of reward points. You probably would have to stay somewhere a lot in order to have 96,000 points.
00:08:57:27 – 00:09:04:28
Keith
And he just has them fraudulently with this just incredible epic email address bomb in the bush.
00:09:04:28 – 00:09:20:07
Keith
And then on the next day, June 19th, an additional 125,000 reward points were then fraudulently transferred to a customer, a rewards account again associated with bomb in the bush email address.
00:09:20:09 – 00:09:22:09
Keith
The very next day, June 20th,
00:09:22:09 – 00:09:44:21
Keith
another set of reward points. This time, 64,000 reward points were redeemed for at least three Walmart gift cards. And at this point, when I’m reading this kind of stuff in the court documents that I’m going, all right, well, how the hell is he trying to get money off here? I saw the Walmart gift cards, and that was kind of smart, right?
00:09:44:21 – 00:10:04:16
Keith
If you can get some kind of gift card where you can get some kind of monetary value, you can usually sell that to somebody or use it for something, and it sort of becomes a reduced figure of whatever the dollar amount was on there. If you had $100 on there, you know, you could sell to somebody for maybe 50 bucks and they would get, you know, 50 bucks extra on there and you would get 50 bucks that they would pay you
00:10:04:16 – 00:10:05:03
Keith
That
00:10:05:03 – 00:10:14:28
Keith
I understood. Patel on the other hand, he he went a different way with some of these reward points. So we’re going to tell you about. So there’s
00:10:14:28 – 00:10:24:02
Keith
there’s another time in September, Seth, with a brand new email address. I’m just going to leave to you to tell our audience about because this one is even better than bomb in the bush.
00:10:24:04 – 00:10:48:15
Seth
It’s yeah, it’s really good. Although it’s not his best. I think there’s another one later that’s even better. So now we’re in September of 2019. And regarding the pcTattletale access, that’s the first key logging tool we learned about. So on that date or about gas man Boss at gmail dot com, my 13 year old wouldn’t be psyched listening to this.
00:10:48:17 – 00:11:17:24
Seth
I got to get him as a listener was another email used by Patel sent an email to pcTattletale requesting duplicate access for the PC tattletale accounts associated with I got Juice Man eight Gmail and another one called Gas 93 City at gmail.com. Another email. He had a lot of emails, all emails. The email from gas Man boss to pcTattletale stated quote, I want duplicates so that it is on both of my pcTattletale accounts.
00:11:17:27 – 00:11:52:11
Seth
All PCs that I have monitoring I would still like to have on that gas 93 city gmail.com, but please make a copy of them say they’re also on I guess other machines so I’m a little confused as to can you do that? I also need to you to copy duplicate. I got juice Man eight So and we learned that keystroke activity from the pcTattletale accounts associated with Patel was recorded on several dates in June of 2019, various states in November and December of 2019, and then February, March and May of 2020, various dates.
00:11:52:14 – 00:12:10:22
Seth
So there was a lot of activity here and a lot of different machines. But we know that because we know that there was a lot of multistate and multiple choice hotels are impacted here. But I’m just wondering how he was able to keep all those different emails straight in terms of which emails were associated with with version of which different type of
00:12:10:22 – 00:12:12:27
Seth
keystroke logging tool.
00:12:12:29 – 00:12:17:22
Keith
Yeah, who knows? He probably has some sort of criminal book his his ledger.
00:12:17:22 – 00:12:18:11
Keith
So
00:12:18:11 – 00:12:36:13
Keith
in the summer of 2019. So this is after that string of reward points I told you about earlier that was back in June. So this is December. Now, there was approximately 15,000 dollars worth of stolen reward points redeemed by four customer reward accounts associated with Patel
00:12:36:13 – 00:12:39:26
Keith
And May 13th of 2020,
00:12:39:29 – 00:13:11:19
Keith
Patel then tries to use these stolen credit card numbers. So he goes on a messaging service, which is it’s called Telegram. It’s an encrypted messaging application. And he starts asking questions and discussing with people whether or not the zip code with the credit card is needed when you use it, when you use it credit card. So for instance, if you’re used to maybe getting gas at a pump and you put your credit card number in, at least a lot of the gas pumps in my area will say, what’s your zip code?
00:13:11:19 – 00:13:27:14
Keith
And then you put in your zip code and then it authorizes your credit card in order to pump X amount dollars of gas. This is what I believe he’s asking questions about, is if you need that zip code in order to use credit cards like I just described to you,
00:13:27:14 – 00:13:35:22
Keith
he’s saying this in even in addition to what we usually have to have, which is the expiration date and the credit card verification number.
00:13:35:22 – 00:13:36:06
Keith
Now,
00:13:36:06 – 00:14:07:14
Keith
about a week later, May 25th, 2020, there’s more stolen rewards points in this and this is where I just kind of giggle to myself reading these notes. This is an official court document, but it the official court documents make notes about the notes that Patel was making on reservations with stolen reward points. And the notes, in my opinion, just kind of get funnier as time moves out because he starts out May 25th and there’s some hacked accounts that were made.
00:14:07:17 – 00:14:16:18
Keith
There’s some reward account, a reward points that were deposited in these hacked accounts. There were 50,000 reward points each.
00:14:16:18 – 00:14:36:04
Keith
So about a week or so later, reward points for one of the accounts was used to book a hotel room in Tuscaloosa, Alabama. Now, the notes section of this reservation says Chirag Patel will be a guest checking in. And I thought, all right, well,
00:14:36:04 – 00:14:39:03
Keith
That’s how he’s trying to get his money off here.
00:14:39:03 – 00:14:58:18
Keith
he’s going to book hotel stays in other people’s names. But then apparently check in himself and use the stay. I was like, all right, that’s kind of clever. A few days later, he then does another very similar fraudulent hotel reservation. And this time everything’s the same except the date.
00:14:58:18 – 00:15:02:23
Keith
And now the note says Room is booked for Chirag. Patel.
00:15:02:23 – 00:15:22:09
Keith
With that, I’m going to pause because we came to the natural transition in the case of where the hotel finds out that something bad has happened and spyware is detected. So I’m going to guarantee you we’ve read you a couple of notes so far and they’ve been pretty tame because it looks like he’s just trying out a scheme.
00:15:22:09 – 00:15:42:08
Keith
But his notes get a little funnier later on and we’re going to get into it in Act three, spyware detected. So if you liked anything in any of these acts so far, please like and subscribe whatever application you’re on, because we try to spread this out to social media, to YouTube, to audio only podcasting apps and so forth.
00:15:42:10 – 00:16:04:21
Keith
So please do like us and subscribe there. Reshare us if you think there’s content in here your friends would like. And if you haven’t, visit our website to know where our social media is and so forth, go to eCrimeBytes spelled e c r i m e b y as in yellow milk t e s dot com.
00:16:04:23 – 00:16:10:26
Keith
And at that website across tap, we’ve got all our social media links there and you can check us out
00:16:10:26 – 00:16:20:06
Keith
And with that please do come back for Act three spyware detected in Chirag Patel and his socially engineered reward points.
Leave a Reply