Credit Karma is a San Francisco-based company founded in early 2007 by Kenneth Lin. The company provides customers with free Credit Scores. Given its historical DNS data, web hosting records, and internet traffic, the company has, at various points in time, engaged in extended periods of revenue generation. It has done so through ad-fraud, revenue generation through identity theft, and the selling of American and British financial data to a Chinese conglomerate.

Currently, it remains unclear if the top leadership of Credit Karma is aware of this and whether or not these are insider attacks or cybercriminals with such extensive backdoors planted that they come and go as needed.

PART 1: Go

AD FRAUD

The domain name for Credit Karma's website is https://creditkarma.com. Additionally (along with most sites today), it has subdomains. Examples of these include https://blog.creditkarma.com and https://engineering.creditkarma.com. Except for the world’s largest companies (and certain niche types of sites like DNS registrars, WordPress hosts, etc.), sites today should have no more than 100 subdomains.

Each subdomain represents another configuration that must be maintained, often another server that needs to be managed, and always another SSL/TLS certificate to safeguard (wildcard certs are a bad idea), so the amount needs to be minimized.

Credit Karma currently has over 4,000 subdomains. 95% of these subdomains are bizarre, nonsensical, and frequently pornographic strings of words tied together. Examples include:

  • lesbianerotica.mail59-www.widget.creditkarma.com
  • holocaustadmin.mobile.widget.creditkarma.com/
  • europewest-hvfcu.widget.creditkarma.com
  • accountskimptonhotels.widget.creditkarma.com
  • direct-ghcpi.autowereldcom.widget.creditkarma.com
  • fairyparadise-com.bcuqa-www.widget.creditkarma.com

A competitor to Credit Karma is Credit Sesame. By comparison, they have 82~ subdomains. They are as follows, each representing a very standard naming convention for subdomains:

  • admin.creditsesame.com
  • app.creditsesame.com
  • track.creditsesame.com
  • csmapi.creditsesame.com
  • inbound-api-preprod.creditsesame.com
  • preprod2.creditsesame.com
  • Marketing.creditsesame.com

What is the purpose of all of these bizarre subdomains?

They exist to produce large amounts of fraudulent clicks and internet traffic to pretend that ads were served to real humans behind a computer. Brands and companies wanting to advertise pay in the aggregate tens and even hundreds of millions of dollars for such clicks, and the profit can be enormous. Some general points:

  1. Having thousands of different subdomains allows Credit Karma to spread the traffic around to different endpoints. If all the “fake ads” were served on a single site, this would be quickly caught by  Ad Networks (such as Google) and their algorithms. Distribution across nearly 4,000 sites makes such fraud becomes harder to spot.
  2. The bizarre subdomains are a naming convention that often refers to actual sites or at least indicates something a human operator is meant to read. Think of them as a tagging schema. Sometimes these sites are real businesses, other times they are real sites (in the sense they exist), but fraudulent/front companies. Why this is done and what purpose it serves will be elaborated on in the next section. One example is that a certain set of numbered subdomains are /16 CIDRs for various European cable providers.
  3. Based on the number of subdomains that have been taken out, multiplied by numbers one would typically see in a well-managed bot-net/ad fraud set-up, we can assume the Ad Fraud earns Credit Karma no less than $250 Million a year.

Ironically, for more information on what is happening here, the best paper is from Tsinghua University, the location of a very famous APT. It is also from where Credit Karma drew most of its early board members and engineer executives during its first few years). See: https://faculty.sites.uci.edu/zhouli/files/2018/09/ccs17.pdf

SMUGGLING OF DATA TO THE CHINESE HNA GROUP

There are numerous data points in how the network architecture of Credit Karma has structured that point to multiple VPN tunnels existing between their ASNs and Networks and various Chinese companies.

The most obvious and biggest such link is between https://openvpn.creditkarma.com and a server in Tunisia, which in turn bounces traffic to one of the largest Chinese conglomerates, https://hnagroup.com.

See the below screenshot from https://spyse.com:


You can see openvpn.creditkarma.com resolves to an IP address over 10,000 other DNS records also resolve to. Besides the fact that CreditKarma does no business with Tunisia, *all* those DNS records, involves pointing traffic to hnagroup.com.

What you are looking at here is an “internet within an internet.” Much like in a game of Go, Chinese hackers and exploitation specialists are placing pieces all across the board, seemingly unconnected and without a clear pattern. Now, as we reach what I would term “the end of the beginning” of this part of history, we observe the final goal of the CCP emerging. We draw ever closer to the time where the party reveals what it always was.

PART 2: Hedge Fund

PART 3: Red Orchestra