SecurityWeek

Cybercriminals Study-up on Credit Card Fraud

Credit card fraud has been big business for quite some time, with losses expected to reach $24 billion by 2018. There are two types of credit card fraud: physical card fraud, which involves the cloning of credit cards, and Card Not Present (CNP) fraud, in which the card is used online and over the phone. While the Europay, Mastercard and Visa (EMV) chip technology has made physical card fraud more difficult, online card spending is expected to double by 2021 and business will likely continue to boom for fraudsters.

We all know that cybercriminals don’t operate alone. Benefitting from a rich ecosystem that provides supporting infrastructure, malware and money services, even less sophisticated actors can turn a profit. Lately we’ve seen an influx of extremely professional online tutorials designed to educate bad actors on the latest fraud tactics and tools. Complete with webinars, instructors and reading material, these online courses also provide insights that defenders can use to protect against this increasingly popular threat. Here is just a glimpse into what students can learn from one class that costs nearly $1,000 and is conducted in Russian, targeting fraudsters in that geography.

How to find shops that sell credit card details. Alphabay, one of the largest marketplaces for illicit goods, was recently shut down, but a Google search returns almost 25,000 results of other shops that traffic in credit card information. Many of the sites are scams so choosing a “reputable” one can be difficult. In the course, students are pointed to six carding sites in particular and advised to look for shops with capabilities that allow them to check and see if the card is still in use and has a worthwhile balance.

How to socially engineer individuals. A week-long lecture series focuses on how to build local knowledge and rapport with the target. Fraudsters aren’t blindly putting card numbers into retail sites hoping to make a purchase. They are being trained to learn the target’s surroundings and processes to make more money in more ways and evade detection.

How to cash out. Fraudsters are coached on three main ways to make a profit – direct purchase, agent fraud and through the use of drops and middlemen. For direct purchase they target sites that are “card-able,” meaning susceptible to fraudulent purchases as a result of lax security controls. Agent fraud involves impersonating an agent, for example from an airline or hotel, making a reservation in the cardholder’s name, and then changing the reservation name once the card is authorized. The use of drops and middlemen includes a range of techniques that involve duping individuals and legitimate delivery companies to reship stolen goods and counterfeit money to safe addresses. 

Given this information, what can payment card companies, merchants and consumers do to better protect themselves? The list is long, but here are three tips for each.

Payment Card Companies:

1. Proactively monitor for permutations on your domain name, which could help you to detect any criminal seeking to harvest information from your customers.

2. Understand banking trojans, like Trickbot, and how they are targeting and possibly gaining access to your customers’ computers.

3. Monitor carding sites for Bank Identification Numbers (BINs) and Issuer Identification Numbers (IINs) that are offered for sale. In many cases it is possible to free text search and filter by BIN.
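The domain-permutation monitoring in tip 1, sketched as an added example (not code from the article or from any vendor): it builds a watch list of look-alike names for a brand domain and flags matches in a feed of observed domains. The brand `examplebank.com`, the observed list, the function names and the idea that the feed comes from something like a newly registered domain source are all assumptions made for illustration.

```python
import re

# Visually confusable substitutions (small, constructed subset).
HOMOGLYPHS = {"a": ["4"], "e": ["3"], "i": ["1", "l"], "l": ["1", "i"],
              "o": ["0"], "s": ["5"], "m": ["rn"], "w": ["vv"]}
ALT_TLDS = ["com", "net", "org", "co", "info"]  # assumed TLD watch list
VALID_LABEL = re.compile(r"[a-z0-9](?:[a-z0-9-]*[a-z0-9])?")

def label_permutations(label):
    """Return look-alike variants of one DNS label (the label itself excluded)."""
    out = set()
    for i, ch in enumerate(label):
        out.add(label[:i] + label[i + 1:])                  # omission
        out.add(label[:i] + ch + label[i:])                 # repetition
        for sub in HOMOGLYPHS.get(ch, []):                  # homoglyph
            out.add(label[:i] + sub + label[i + 1:])
        if i + 1 < len(label):
            out.add(label[:i] + label[i + 1] + ch + label[i + 2:])  # transposition
            out.add(label[:i + 1] + "-" + label[i + 1:])    # hyphenation
    out.discard(label)
    return {v for v in out if VALID_LABEL.fullmatch(v)}

def watchlist(domain):
    """Return every permuted domain name to watch for the given brand domain."""
    label, _, tld = domain.lower().partition(".")
    names = {f"{v}.{t}" for v in label_permutations(label) for t in {tld, *ALT_TLDS}}
    names |= {f"{label}.{t}" for t in ALT_TLDS if t != tld}  # TLD swap
    return names

def flag_lookalikes(domain, observed):
    """Return observed names whose last two labels appear on the watch list."""
    watch = watchlist(domain)
    hits = []
    for name in observed:
        name = name.strip().lower().rstrip(".")
        tail = ".".join(name.split(".")[-2:])  # naive: assumes single-label TLDs
        if tail in watch:
            hits.append(name)
    return hits

# Constructed sample data, not real indicators.
BRAND = "examplebank.com"
OBSERVED = ["examplebank.com", "exarnplebank.com", "login.examplebnak.net",
            "example-bank.com", "unrelated.org", "examp1ebank.com", "examplebank.net"]

if __name__ == "__main__":
    for hit in flag_lookalikes(BRAND, OBSERVED):
        print("look-alike:", hit)
```

Multi-label suffixes such as `co.uk` need a public-suffix list instead of the two-label split used here.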

Merchants:

1. Consider using 3D Secure as an additional layer of security, which has proven to be a real obstacle for criminals and is deployed by Visa and Mastercard.

2. Don’t sacrifice security for user experience. Criminals are turning to mobile apps to commit payment card fraud as they can be less secure.

3. Monitor for mentions of your company on cardable sites with the help of Google Alerts or open source web crawlers like Scrapy.

Consumers:

1. If shopping somewhere new, ensure the shop uses 3D Secure.

2. Use caution when using a travel agent you haven’t used before – don’t fall prey to an offer that’s too good to be true.

3. Don’t be part of a cashing-out scam. Be wary of job postings offering well-paid jobs to re-ship goods, often offering to work from home.

As the opportunity for payment card fraud grows, it’s safe to assume that more cybercriminals will take advantage of new, sophisticated online courses to get a piece of the pie. Even as you put additional precautions in place, remember that attackers continue to innovate and update their training regularly. However, you can teach fraudsters a few lessons as well, by continuously monitoring for nefarious activity and staying apprised of the latest security measures.

Written By

Alastair Paterson is the CEO and co-founder of Harmonic Security, enabling companies to adopt Generative AI without risk to their sensitive data. Prior to this he co-founded and was CEO of the cyber security company Digital Shadows from its inception in 2011 until its acquisition by ReliaQuest/KKR for $160m in July 2022. Alastair led the company to become an international, industry-recognised leader in threat intelligence and digital risk protection.
