July 19, 2017
Digital Shadows Lifts the Lid on Credit Card Fraud Gangs Cashing In on $24 Billion a Year
Digital Shadows, the industry leader in digital risk management, today
reveals the findings of an in-depth study carried out by its team of
multilingual analysts assessing the changing habits and tactics of
organized credit card fraud gangs. It points to increased sophistication
of a professional ecosystem as fraudsters seek to up-skill themselves
and novice would-be cyber criminals.
By analyzing hundreds of criminal forums, Digital Shadows discovered a
new trend in the form of remote learning 'schools'. Available to Russian
speakers only, these six-week courses comprise 20 lectures with five
expert instructors. The course includes webinars, detailed notes and
course material. In exchange for RUB 45,000 ($745) (plus $200 for course
fees), aspiring cyber criminals have the potential to make $12k a month,
based on a standard 40-hour working week. Given that the average Russian
monthly wage is less than $700[2], cybercriminals could make nearly 17x
more than in a 'legitimate' job.
Interestingly, a criminal 'code' appears to exist on many of the
Russian-origin carding forums, whereby no Russian card details are
permitted for sale.
The criminals are going after a potentially lucrative market. In just
two of the most popular 'carding' forums 1.2 million card holder details
are on sale for an average of $6 each. However, prices do vary dependent
on the level of security associated with the card and cardholder. The
least expensive cards are those requiring further authentication to
'cash out'. The main obstacle to this is the PIN of the cardholder,
which can be tricky and time-consuming to find out. Therefore, there
exist automated services which call cardholders in an attempt to scam
their details using social engineering techniques.
Social engineering is given a heavy emphasis in the courses. Advice is
given on how to manipulate people through knowledge of their local area
in order to build rapport with the target and trick them into exposing
information (such as PIN numbers), usually over the phone. As the
instructor puts it "that's why I always advise to watch the news because
with such incidents, it is possible to play beautifully."
"The card companies have developed sophisticated anti-fraud measures and
high-quality training like this can be seen as a reaction to this," said
Rick Holland, VP Strategy at Digital Shadows. "Unfortunately, it's a
sign that criminals continually seek to lower barriers to entry, which
then put more criminals into the ecosystem and cost card brands,
retailers and consumers. However, the benefit is that the criminals are
increasingly exposing their methods, which means that credit card
companies, merchants and customers can learn from them and adjust their
defenses accordingly."
The research found that credit card criminals fall into four main groups
(with some overlap between them):
- Payment Card Data Harvesters - do the 'dirty work' in terms of
harvesting the payment card information. This is done by intercepting
cardholders' information, whether through point-of-sale malware,
skimming devices, phishing, breached databases, or operating botnets.
- Distributors - are the 'middle men' who typically make the most
money. While the criminals who harvest may use the card data
themselves, they also sell it on to others who will package,
repackage, and sell on the card information.
- Fraudsters - run the most risk in terms of getting caught by
law enforcement or being conned by fellow criminals. Once fraudsters
have acquired payment card information from their distributor, the
fraud can happen. These individuals tend to be less technical and
attract a lower calibre of cybercriminal, often relying on online
guides and courses to learn the latest techniques.
- Monetization - there are many different roles within this stage,
including those who have been duped into operating drop addresses and
those involved in the reselling of fraudulently acquired goods.
Rick Holland, VP Strategy at Digital Shadows continues: "This ecosystem
is highly complex and international. At each stage, it creates victims -
from the card industry that loses $24 billion a year to consumers[1]
who are frequently duped into revealing their card details. One of the
key themes that stood out for us is the level of 'social engineering'
criminals are now using. Aggressive and manipulative phone calls to
victims to reveal PIN numbers are just one example of this."
Digital Shadows offers the following five tips for consumers:
- Don't be part of a cashing out scam. Be wary of job postings
offering well-paid jobs to re-ship goods, often offering to work from
home. Fraudsters go to great lengths to make these companies look
legitimate.
- Protect your PIN. Never share your PIN over email or phone, no
matter who says they are calling.
- Be picky about who you shop with. If shopping somewhere new,
ensure the shop uses 3D Secure.
- Take care when booking travel and hotels. Offers that appear
too good to be true often are. Act with caution if using a travel
agent you have not previously used; this is a common scam for
fraudsters.
- Check your statements carefully. Check your bank statements
carefully for irregular purchases - even those that appear in a nearby
location and for small amounts. Alert the bank if you suspect
fraudulent activity.
Digital Shadows offers the following five tips for merchants:
- Learn about the latest techniques. Criminals will do what they can
to avoid friction. If certain banks have better anti-fraud measures,
the instructors recommend avoiding them. Understand what makes carding
difficult. 3D Secure, for example, an additional layer of security
deployed by Visa and Mastercard, has proven to be a real obstacle for
criminals.
- Make security as important as user experience. There must
always be a balance between security and user experience, but online
merchants should be aware that criminals are turning to mobile apps to
commit payment card fraud because they present fewer obstacles.
- Monitor for mentions of cardable sites. Criminals share lists
of cardable sites; if your company name crops up, it's a good
indication that you are experiencing fraud. Companies can search with
the help of Google Alerts or open source web crawlers like Scrapy to
look for mentions of their brands.
- Train your staff and your customers. Remember that the most
advanced methods all involve social engineering.
- Don't be part of the problem. Cashing out is only one small
part of the fraud; the harvesting of credit card information is
required first. Protect your customers' credit card information by
storing the information securely and ensuring payment software is
patched.
Digital Shadows offers the following five tips for card providers:
- Detect phishing with DNS Twist. Proactively monitor for
permutations on your domain name, which could help you to detect any
criminal seeking to harvest information from your customers.
- Understand threats against your customers. Monitor the activity
of banking trojans, such as Trickbot, to identify patterns in their
targeting and the techniques used to gain access to your customers'
computers.
- Monitor AVC shops for BINs and IINs. Monitor for Bank
Identification Numbers (BINs) and Issuer Identification Numbers (IINs)
that are offered for sale. In many cases, it is possible to free-text
search and filter by BIN.
- Monitor IRC checking channels. Monitor IRC checking channels
for BINs and IINs that are indicative of a criminal testing an
individual's card.
- Benchmark yourself against peers. Understand which card
providers fraudsters recommend not using, and use this to
understand where your company stacks up.
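The first tip above recommends monitoring for permutations of your own domain with dnstwist. The following added example (written for this page, not dnstwist's own code and not Digital Shadows' tooling) shows what that monitoring amounts to: generate the classic typosquat variants of a brand label (omission, transposition, keyboard-neighbour replacement, repeated character, hyphenation, homoglyph, alternate TLD) and match them against a feed of newly observed domains. The brand `examplebank.com`, the keyboard-neighbour map and the observed-domain feed are all constructed placeholders; in practice the feed would come from certificate-transparency logs or passive DNS.

```python
"""Typosquat permutation generator and matcher (added example, constructed data)."""

# QWERTY neighbour map used for 'replacement' candidates (assumption: a
# simplified subset; dnstwist uses fuller keyboard layouts).
QWERTY_NEIGHBOURS = {
    "a": "qwsz", "b": "vghn", "c": "xdfv", "d": "ersfxc", "e": "wsdr",
    "f": "rtgdvc", "g": "tyhfbv", "h": "yujgnb", "i": "ujko", "j": "uikhnm",
    "k": "iolmj", "l": "opk", "m": "njk", "n": "bhjm", "o": "iklp",
    "p": "ol", "q": "wa", "r": "edft", "s": "wedxza", "t": "ryfg",
    "u": "yihj", "v": "cfgb", "w": "qase", "x": "zsdc", "y": "tugh", "z": "asx",
}
# Characters commonly swapped for visually similar digits.
HOMOGLYPHS = {"o": "0", "l": "1", "i": "1", "e": "3", "a": "4", "s": "5"}
# TLDs under which each candidate label is checked.
ALT_TLDS = ("com", "net", "org", "co", "info")


def label_permutations(label: str) -> set:
    """Return single-edit typo variants of one DNS label (no TLD)."""
    cands = set()
    for i in range(len(label)):                      # omission
        cands.add(label[:i] + label[i + 1:])
    for i in range(len(label) - 1):                  # transposition
        cands.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])
    for i, ch in enumerate(label):                   # keyboard-neighbour replacement
        for n in QWERTY_NEIGHBOURS.get(ch, ""):
            cands.add(label[:i] + n + label[i + 1:])
    for i, ch in enumerate(label):                   # repeated character
        cands.add(label[:i] + ch + ch + label[i + 1:])
    for i in range(1, len(label)):                   # hyphenation
        cands.add(label[:i] + "-" + label[i:])
    for i, ch in enumerate(label):                   # homoglyph substitution
        if ch in HOMOGLYPHS:
            cands.add(label[:i] + HOMOGLYPHS[ch] + label[i + 1:])
    cands.discard(label)
    cands.discard("")
    return cands


def domain_permutations(domain: str) -> set:
    """All candidate lookalike domains for a brand domain 'label.tld'."""
    label, _, tld = domain.partition(".")
    out = set()
    for cand in label_permutations(label):
        for t in ALT_TLDS:
            out.add(f"{cand}.{t}")
    for t in ALT_TLDS:                               # same label, other TLD
        if t != tld:
            out.add(f"{label}.{t}")
    return out


def find_lookalikes(brand: str, observed) -> dict:
    """Map each suspicious observed domain to the reason it was flagged."""
    label = brand.partition(".")[0]
    perms = domain_permutations(brand)
    hits = {}
    for d in observed:
        d = d.lower().rstrip(".")
        if d == brand:
            continue                                 # the brand itself
        if d in perms:
            hits[d] = "typosquat permutation"
        elif label in d:
            hits[d] = "brand label embedded"         # e.g. examplebank-login.info
    return hits


# Constructed stand-in for a newly-registered-domain / CT-log feed.
OBSERVED_FEED = [
    "examplebank.com",         # the brand itself, ignored
    "exanplebank.com",         # keyboard neighbour: m -> n
    "examplebnak.com",         # transposed letters
    "examp1ebank.net",         # homoglyph l -> 1 plus TLD swap
    "example-bank.com",        # hyphenated
    "examplebank.co",          # TLD swap
    "examplebank-login.info",  # brand label embedded in a longer name
    "weather-today.org",       # unrelated, must not be flagged
]

if __name__ == "__main__":
    for dom, why in sorted(find_lookalikes("examplebank.com", OBSERVED_FEED).items()):
        print(f"{dom:26} {why}")
```

The permutation set for an 11-character label is a few thousand names, so it is cheap to keep in memory and compare against a daily feed; the "brand label embedded" branch catches the longer phishing names that single-edit permutations miss.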
You can learn more about Digital Shadows' deep and dark web intelligence
in this datasheet.
ABOUT DIGITAL SHADOWS
Digital Shadows monitors and manages an organization's digital risk
across the widest range of data sources within the open, deep, and dark
web to protect an organization's business, brand, and reputation. The
Digital Shadows SearchLight™ service combines scalable data analytics
with human intelligence analysts to manage and mitigate risks of an
organization's brand exposure, VIP exposure, cyber threat, data loss,
infrastructure exposure, physical threat, and third party risk, and
create an up-to-the minute view of an organization's digital risk with
tailored threat intelligence. The company is jointly headquartered in
London and San Francisco. For more information, visit: www.digitalshadows.com
[1] https://www.javelinstrategy.com/press-release/point-sale-card-fraud-predicted-decrease-card-not-present-and-new-account-fraud
[2] https://tradingeconomics.com/russia/wages
View source version on businesswire.com: http://www.businesswire.com/news/home/20170719005958/en/