·
Reveals step up in sophistication
with Russian language e-learning courses, allowing aspiring criminals to make $12k
in monthly earnings
·
A snapshot of just two of the most
popular criminal forums finds 1.2 million
card holder details are on sale
Dubai, UAE, July 20, 2017 – Digital Shadows, the
industry leader in digital risk management, today reveals the findings of an in-depth
study carried out by its team of multilingual analysts assessing the
changing habits and tactics of organized credit card fraud gangs. It points
to increased sophistication of a professional ecosystem as fraudsters seek to
up-skill themselves and novice would-be cyber criminals.
By analyzing hundreds of criminal forums, Digital Shadows discovered a new
trend in the form of remote learning ‘schools’. Available to Russian
speakers only, these six-week courses comprise 20 lectures with five expert
instructors. The course includes webinars, detailed notes and course material.
In exchange for RUB 45,000 ($745) (plus $200 for course fees), aspiring
cyber criminals have the potential to make $12k a month, based on a
standard 40-hour working week. Given the average Russian monthly wage is less
than $700 a month[2]
it means cybercriminals could make nearly 17x more than a ‘legitimate’ job.
Interestingly, a criminal ‘code’ appears to exist on many of the
Russian-origin carding forums, whereby no Russian card details are permitted
for sale.
Social engineering is given a heavy emphasis in the courses. Advice is given on how to manipulate people through
knowledge of their local area in order to build rapport with the target and
trick them into exposing information (such as PIN numbers), usually over the
phone. As the instructor puts it “that’s why I always advise to watch the news
because with such incidents, it is possible to play beautifully.”
“The card companies have developed sophisticated anti-fraud measures and
high quality training like this can be seen as a reaction to this”, said Rick
Holland, VP Strategy at Digital Shadows. “Unfortunately, it’s a sign that criminals continually seek
to lower barriers to entry, which then put more criminals into the ecosystem
and cost card brands, retailers and consumers. However, the benefit is that
the criminals are increasingly exposing their methods, which means that credit
card companies, merchants and customers can learn from them and adjust their
defenses accordingly.”
The
research found that credit card criminals fall into four main groups
(with some overlapping between each)
·
Payment Card Data Harvesters - do the ‘dirty work’ in terms of harvesting the payment card
information. This is done through intercepting card holder’s information
whether this be through point of sale malware, skimming devices, phishing,
breached databases, or through operating botnets
·
Distributors – are the ‘middle men’ who typically make the most money. While the
criminals who harvest may use the card data themselves, they also sell it on to
others who will package, repackage and sell on the card information
·
Fraudsters - run the most risk in terms of getting caught by law enforcement or
being conned by fellow criminals. Once fraudsters have acquired payment card
information from their distributor, the fraud can happen. These individuals
tend to be less technical and attract a lower calibre of cybercriminal, often
relying on online guides and courses to learn the latest techniques
·
Monetization - There are many different roles within
the stage, including those who have been duped into operating drop addresses
and those involved in the reselling of fraudulently acquired goods.
Rick
Holland, VP Strategy at Digital Shadows continues: “This
ecosystem is highly complex and international. At each stage, it creates victims
– from the card industry that loses $24 billion a year to
consumers who are frequently duped into revealing their card details. One of
the key themes that stood out for us is the level of ‘social engineering’
criminals are now using. Aggressive and manipulative phone calls to victims to
reveal PIN numbers is just one example of this.”
Digital
Shadows offers the following five tips for consumers:
1.
Don’t be part of a cashing out scam. Be wary of job postings offering well-paid jobs to re-ship goods, often
offering to work from home. Fraudsters go to great lengths to make these
companies look legitimate.
2.
Protect your PIN. Never share your PIN over email of phone, no matter who says they are
calling.
3.
Be picky about who you shop with. If shopping somewhere new, ensure the shop uses 3D Secure.
4.
Take care when booking travel and hotels. Offers that appear too good to be true often are. Act with caution if
using a travel agent you have not previously used; this is a common scam for
fraudsters.
5.
Check your statements carefully. Check your bank statements carefully for irregular purchases - even
those that appear in a nearby location and for small amounts. Alert the bank if
you suspect fraudulent activity.
Digital
Shadows offers the following five tips for merchants:
1. Learn about latest techniques. Criminals
will do what they can to avoid friction. If certain banks have better
anti-fraud measures, the instructors recommend avoiding them. Understand what
makes carding difficult. 3D secure, for example is an additional layer of
security deployed by Visa and Mastercard, is proven to be a real obstacle for
criminals.
2. Make security as important as
user experience. There
must always be a balance between security and user experience, but online
merchants should be aware that criminals are turning to mobile apps to commit
payment card fraud as it provides them with less obstacles.
3. Monitor for mentions of cardable
sites. Criminals
share lists of cardable sites; if your company name crops up, it’s a good
indication that you are experiencing fraud. Companies can search with the help
of Google Alerts or open source web crawlers like Scrapy to look for mentions
of their brands.
4. Train your staff and your
customers. Remember
that the most advanced methods all involved social engineering.
5. Don’t be part of the problem. Cashing out
is only one small part of the fraud; the harvesting of credit card information
is required first. Protect your customers’ credit card information by storing
the information securely and ensuring payment software is patched.
Digital
Shadows offers the following five tips for card providers:
1.
Detect
phishing with DNS Twist. Proactively monitor for permutations on your
domain name, which could help you to detect any criminal seeking to harvest
information from your customers.
2.
Understand threats against your
customers. Monitor
the activity of banking trojans, such as Trickbot, to identify patterns in
their targeting and techniques used to gain access to your customers’
computers.
3. Monitor for AVC shops for BINs
and IINs. Monitor
for Bank Identification Numbers (BINs) and Issuer Identification Numbers (IINs)
that are offered for sale. In many cases, it is possible to free text search
and filter by BIN numbers.
4. Monitor IRC checking channels. Monitor IRC
checking channels for BINs and IINs that are indicative of a criminal testing
an individuals’ card.
5. Benchmark
yourself against peers. Understand which
card providers fraudsters recommend not using, and use this to
understand where your company stacks up.