Credit Karma is a San Francisco-based company founded in early 2007 by Kenneth Lin. The company provides customers with free Credit Scores. Given its historical DNS data, web hosting records, and internet traffic, the company has, at various points in time, engaged in extended periods of revenue generation. It has done so through ad-fraud, revenue generation through identity theft, and the selling of American and British financial data to a Chinese conglomerate.

Currently, it remains unclear if the top leadership of Credit Karma is aware of this and whether or not these are insider attacks or cybercriminals with such extensive backdoors planted that they come and go as needed.

SMUGGLING OF DATA TO THE CHINESE HNA GROUP

Credit Karma had for years, until a few months ago, set up their architecture so that multiple VPN tunnels existed between their network, smuggling locations abroad, and the Chinese HNA group.

The most obvious and biggest such link is between https://openvpn.creditkarma.com and a server in Tunisia, which in turn bounces traffic to one of the largest Chinese conglomerates, https://hnagroup.com.

The HNA Group has had a colorful history over the past few years, including their former CEO engaging in a bitter battle with Chinese Communist Party leadership, ultimately fleeing to New York City, and then accusing both himself and various co-executives of having worked as spies for the Ministry of State Security. The Ministry, or MSS, it should be noted is something like the CIA of China.

The seal of the Ministry of State Security.

See the below screenshot from https://spyse.com for the Tunisian VPN tunnel.


You can see openvpn.creditkarma.com resolves to an IP address over 10,000 other DNS records also resolve to. Every single one in turn points to the HNA Group. Think of this box as a major traffic switching station for data bound for China.

Ad Fraud and Unexplainable Subdomains:

The domain name for Credit Karma's website is creditkarma.com. Additionally (along with most sites today), it has subdomains. Examples of these include https://blog.creditkarma.com and https://engineering.creditkarma.com. Except for the world’s largest companies (and certain niche types of sites like DNS registrars, WordPress hosts, etc.), sites today should have no more than 100 subdomains.

Each subdomain represents another configuration that must be maintained, often another server that needs to be managed, and always another SSL/TLS certificate to safeguard (wildcard certs are a bad idea), so the amount needs to be minimized.

Credit Karma currently has over 4,000 subdomains. 95% of these subdomains are bizarre, nonsensical, and frequently pornographic strings of words tied together. Examples include:

What is the purpose of all of those bizarre subdomains?

Likely they exist to produce large amounts of fraudulent clicks and internet traffic to pretend that ads were served to real humans behind a computer. Brands and companies wanting to advertise pay in the aggregate tens and even hundreds of millions of dollars for such clicks, and the profit can be enormous. We talked to several journalists as well as experts on ad fraud before, during, and after the writing of this article. Every individual agreed that it was suspicious and unexplainable. All also agreed that Credit Karma has been suspected of ad fraud for some time due to their level of spending, the general failure of other firms in their area, and other odd behavior.

Some general points:

  1. Having thousands of different subdomains allows Credit Karma to spread the traffic around to different endpoints. If all the “fake ads” were served on a single site, this would be quickly caught by  Ad Networks (such as Google) and their algorithms. Distribution across nearly 4,000 sites makes such fraud harder to spot.
  2. The bizarre subdomains are a naming convention that often refers to actual sites or at least indicates something a human operator is meant to read. Think of them as a tagging schema. Sometimes these sites are real businesses, other times they are real sites (in the sense they exist), but fraudulent/front companies. Why this is done and what purpose it serves will be elaborated on in the next section. One example is that a certain set of numbered subdomains are /16 CIDRs for various European cable providers. Others reference locations in Taiwan for the ISP HiNet.
  3. Based on the number of subdomains that have been taken out, multiplied by numbers one would typically see in a well-managed bot-net/ad fraud set-up, we can assume the Ad Fraud earns Credit Karma no less than $250 Million a year.

Ironically, for more information on what is happening here, the best paper is from Tsinghua University, the location of a very famous APT. It is also from where Credit Karma drew most of its early board members and engineer executives during its first few years.

A Well Heeled Work Force:

Here we begin a small inventory of the current staff of Credit Karma. When we looked at all currently 1,000 or so employees + alumni, we wound up documenting over 190 individuals who had attended a school in China rated "Medium" or above in danger by the Australian China University Defense Tracker Tool: