Some of the things I've been thinking about and trying to connect:

• Not Kevin's informaton at StrangelyPerfect.tv  showing many negative option scams set up companies in the UK (details here)
• The recent Trend Micro paper detailing a cybercrime hub operating out of Estonia which extends into Europe and the United States (pdf available here)
• The potential significance of hidden negative option "bizop kit" victims alleging the presence of  trojan horses on the CDs they received in the mail
• The economic relationship between Estonia and The Isle of Man

AGAIN – these are very loosely connected thoughts…or maybe not even connected at all…in fact I don't even present any possible conclusions

Today I was asking Lynndel Edgington of Eagle Research Associates about a comment Not Kevin made over at StrangelyPerfect.tv:

"Setting up a UK Ltd company at Companies House is very easy and no they don’t ask for proof of id or anything. You only need to register for Vat if/when your turnover exceeds a certain amount, so that comes after registration (if at all).
There are however quite strict regulations about your obligations as a Director, filing accounts on time etc. See:
http://www.businesslink.gov.uk/bdotg/action/layer?topicId=1073870537

Not sure how these companies would get their stuff from Companies House if they are using false addresses, filing accounts for all those companies would be a nightmare too (if done properly) – which is another reason it’s odd that there are so many of them which just multiplies the work and could make it very confusing! Perhaps they are not planning to stick around long enough to bother with legalities like filing accounts!? (Allegedly) (You can be in business for around 18 months I think before your first years accounts are due)."

I suggest you read the full discussion here to get the full context.

As Lynndel pointed out, Not Kevin really answered his own question:

(Lynndel): "They don't plan on being around long enough to worry about reports/accounts are due.  This is get in quick, get the cash and get out before the authorities come calling.  The only ones who get caught are those who get greedy and try to milk it longer than they should.  They forget they can wait a couple of months, and then do it all over with a new name and a slightly different look and do it all over again."

Seemingly related to all of this is the fascinating research recently performed by Griffith University's Professor Jason Sharman

Which appears to indicate that the U.S. and the U.K. themselves may be the "dirtiest tax havens" which is fascinating as Sharman concludes:

""The United States, Great Britain and other OECD states have chosen not to comply with the international standards which they have been largely responsible for putting in place."

According to Switzerland's Le Temps Newspaper:

"With a small budget, and using classified ads that proliferate on the Internet or in the press, this professor of the Center for Governance and Public Policy at Griffith University (Australia) made bids to set up shell companies in 22 countries — some labeled as tax havens; others are very respectable members of the OECD."

The following are excerpted from Jason Sharman's presentation of his key findings of his recent study:

Summary of the research

"The research involved electronically soliciting offers of anonymous corporate vehicles from 45 different corporate service providers in 22 different countries, and collating the various responses. Anonymous shell companies in isolation can sometimes be useful in disguising financial crime, but generally depend on associated bank accounts. And so the next step was trying to set up bank accounts linked to these shell companies. To the extent that the shell companies are anonymous (that is, where the beneficial owner remains unknown), the bank account will also be de facto anonymous. Seventeen of the 45 attempts to solicit anonymous corporate vehicles met with success. Of these, 13 of 17 successful approaches were to service providers in OECD countries (seven in the UK, four in the United States, one in Spain, and one in Canada). This compared with only four service providers of 28 willing to provide anonymous shell companies in countries often identified as ‘tax havens’
(Hong Kong, Singapore, Belize and Uruguay)."

Interesting details from Jason Sharman's research:

• "In 2009, the author was able to create a Nevada company and then open an account at one of America’s most prominent banks with
  only a scanned copy of a driver’s licence." 
• "the author purchased an anonymous England and Wales company for GBP515, incorporated within a day"
• The Economist highlighted the following amazing finding from Sharman's study:
  • "One example was Britain, where in 45 minutes on the internet he formed a company without providing identification, was issued with bearer shares (which have been almost universally outlawed because they confer completely anonymous ownership) as well as nominee directors and a secretary. All was achieved at a cost of £515.95 ($753)."

Constantly changing names as a keystone to a "business model"

This isn't really anything new, but I really enjoyed the wording the authors of the Trend Micro Cybercrime Hub report used to describe it:"The criminal outfit uses a lot of daughter companies that operate in Europe and in the United States. These daughter companies’ names quickly get the heat when they become involved in Internet abuse and other cybercrimes. They disappear after getting bad publicity or when upstream providers terminate their contracts. This does not cause much harm to the operation as a whole, however, as the same cybercriminal just continues its business under a new name. In fact, constantly changing names is part of the company’s business model"

The potential significance of hidden negative option "bizop kit" victims alleging the presence of viruses and/or trojan horses on the CD-Roms they received in the mail

There were several comments made on various sites that the bizop kit CDs contained trojan horses, which can be used to steal data or as the Trend Micro paper reveals –  hijack Google queries and even seamlessly replace advertisements on legitimate sites.

Of course a trojan horse would always be a concern, but imagine if the cybercriminal organization behind the planting of trojan horses operated out of a country where credit card fraud and internet-based financial fraud were ongoing concerns.

I have no idea if any of the allegations about the trojans were true or how pervasive the allegations were.

According to the U.S. Department of State's information on Estonia:

"Credit card fraud is an ongoing concern, as is Internet-based financial fraud and “Internet dating” fraud.  Travelers should take precautions to safeguard their credit cards and report any suspected unauthorized transaction to the credit card company immediately.  Racially motivated verbal harassment and, on occasion, physical assault of Americans and other nationals of non-Caucasian ethnicity has occurred.   If an incident occurs, it should be reported to the police and to the Embassy."

The economic relationship between Estonia and The Isle of Man

This is significantly outside my scope of expertise so I could be completely grasping at straws here or someone may look at it and wonder why I'm stating the obvious:

• Estonia is a country where credit card fraud and internet-based financial fraud are ongoing concerns
• Isle of Man (IOM) is a self-governing British Crown Dependency where offshore banking is a key sector of the economy and according to the IOM government is developing a global reputation for a diverse array of niche, quality sectors including:
  • High-tech manufacturing
  • E-Business
  • E-Gaming
  • Ship and super yacht management
  • Aircraft registration
  • Agricultural and fisheries produce
  • Film and television production
  • Space commerce
  • Entrepreneur/trading gateway
• In it's most recently "report card" on the Isle of Man's observance of AML/CFT (Anti-Money Laundering and Combating the Financing of Terrorism) the IMF expressed concerns about Customer Due Diligence (CDD) measures (see item 30 here), where one of the observations is:
  • "It was not evident to the assessors in all cases that the financial institutions were taking fully into account the increased risk of dealing on such a scale with nonresident non face-to-face business, and the assessors noted an uneven level of controls in practice in some institutions when relying on third parties to have properly conducted CDD measures."
• The recent agreement between the IOM government and the Estonian government:
  • "The agreement between the two governments is based on the model published by the Organisation for Economic Co-operation and Development (OECD). In addition to this agreement signalling that the Isle of Man and Estonia wish to develop their bilateral economic relations, the DTA will also act to prevent tax evasion, and delivers the OECD’s agreed international standard on tax transparency and exchange of information."

At this point I still have no idea if there are any real connections between all of this data

Acting United States Attorney Julia C. Dudley announced today that Dereck Lorenzo Dunston, age 40, of Evington, Virginia was sentenced in the United States District Court for the Western District of Virginia in Lynchburg after previously pleading guilty to a variety of fraud charges related to a credit card mastering scheme that operated throughout the Western District of Virginia.

Dunston, Steve Black and Ronald Edward Black, age 26, were charged in a 25-count indictment in February of 2008 with various counts related to credit card fraud. In July, all three men pled guilty to one count of conspiracy to commit mail fraud, wire fraud, bank fraud, identity theft and credit card fraud, one count of bank fraud and one count of aggravated identity theft.

Today in District Court, Dunston was sentenced to 42 months of Federal incarceration. Steve and Ronald Black are scheduled to be sentenced later this month.

“This fraud was as wide-ranging and complex as the geography of the Western District itself. These individuals operated throughout the District, making it difficult for law enforcement to track their fraudulent activities,” Acting United States Attorney Julia C. Dudley said today. “However, thanks to the tireless work of the men and women who investigated these crimes, the fraud was discovered and this defendant has been brought to justice.”

The fraud perpetrated by Black, Black and Dunston involved taking legitimate access device, or credit card, account numbers and encoding them onto counterfeit access devices. The owners of the legitimate account numbers were unaware their information was being placed onto counterfeit devices.

In order to obtain counterfeit cards, Black, Black and Dunston either traveled to New York to pick-up counterfeit access devices personally or had them mailed to a variety of addresses within the Western District of Virginia.

Throughout the Western District of Virginia, Black, Black and Dunston, who were known as the “Gas Men,” used the counterfeit access devices to purchase goods and services from a variety of local merchants, including: 7-eleven, Amoco Oil, Exxon Mobil, Kroger, Sheetz, Shell Oil and Wilco Hess. Specifically, the fraudulent charges were made at locations in Altavista, Bedford, Forest, Harrisonburg, Lynchburg, Madison Heights, Roanoke and Salem.

Black, Black or Dunston would meet individuals at a Lynchburg area car wash and either follow or ride with those individuals to local gas stations. Once there, one or all of the defendants would utilize the pay-at-the pump feature and swipe a counterfeit access device as payment for the gasoline or merchandise just purchased. The defendants would then receive a cash payment for approximately half of the cost of the merchandise or gasoline charged to the counterfeit access devices. The proceeds of the transactions would then be split by Black, Black and Dunston.

As of January 2008, Capital One, the credit card company that had been defrauded the most, had more than 500 accounts compromised that accounted for more than 3,000 fraudulent transactions and over $131,000 in fraudulent charges to be made.

In the most egregious cases, the Sheetz store located at 14480 Wards Road in Lynchburg, received 1,198 fraudulent transactions in the six-month period between April and September of 2007. There were 620 fraudulent transactions made at the Wilco store located at 37332 Campbell Avenue in Lynchburg.

When arrested, Dunston was found to be in possession of eight counterfeit access devices on his person. Authorities found another 155 fraudulent access devices in various locations throughout his residence. Law enforcement officials also found an additional 50 counterfeit gift cards in a United States Postal Service 2-day priority mail envelope addressed to “Mr. Black” at Ronald Black’s home address. A total of 213 counterfeit access devices were found that day that represented a total of twenty different financial institutions from the United States and overseas.

The investigation of this case was begun by the Lynchburg Police Department and handled by the Central Virginia Computer Crimes Task Force, the Federal Bureau of Investigation, the United States Secret Service, the Virginia State Police, the Amherst County Sheriff’s Office, the Campbell County Sheriff’s Office and the Longwood University Police Department. Assistant United States Attorney Charlene R. Day is prosecuting the case for the United States.