Digital Shadows discovers credit card crime ring cashing in on $24b a year

25 Jul 2017

Digital Shadows revealed the findings of a detailed study that delved into the changing habits and tactics of organised credit card fraud gangs.

In short, there has been a significant step up in the sophistication of the cybercriminal underworld, with a professional ecosystem now providing e-learning courses that allow aspiring criminals to make USD$12k in monthly earnings.

The digital risk management provider analysed hundreds of criminal forums to uncover a new trend in the form of remote learning ‘schools’.

These six-week courses are available to Russian speakers only and comprise 20 lectures with five expert instructors.

Digital Shadows assert the course includes webinars, detailed notes and course material. In exchange for RUB 45,000, which equates to around USD$745 plus $200 for course fees, aspiring cyber criminals have the potential to make $12k a month, based on a standard 40-hour working week.

This is a significant amount in any country, but given that the average monthly wage in Russia is less than $700, it means cybercriminals could make nearly 17x more than in a ‘legitimate’ job.

According to Digital Shadows, the criminals are pursuing a potentially lucrative market as the company discovered in just two of the most popular ‘carding’ forums nearly 1.2 million card holder details on sale for an average of $6 each.

However, prices do vary depending on the level of security associated with the card and cardholder. The least expensive cards are those requiring further authentication to ‘cash out’.

Social engineering is a heavy focus of the courses, with advice given on how to manipulate people through knowledge of their local area in order to build rapport and trick targets into exposing information, usually over the phone.

“The card companies have developed sophisticated anti-fraud measures and high quality training like this can be seen as a reaction to this,” says Rick Holland, VP Strategy at Digital Shadows.

“Unfortunately, it’s a sign that criminals continually seek to lower barriers to entry, which then put more criminals into the ecosystem and cost card brands, retailers and consumers. However, the benefit is that the criminals are increasingly exposing their methods, which means that credit card companies, merchants and customers can learn from them and adjust their defences accordingly.”

Using the findings from the research, Digital Shadows were able to determine that credit card criminals fall into four main groups:

  • Payment Card Data Harvesters – The ones who do the dirty work in terms of harvesting payment card information.
  • Distributors – The ‘middle men’ who typically make the most money by repackaging and selling card information.
  • Fraudsters – The ones who act on the purchased information and consequently the most at risk in terms of getting caught by law enforcement or being conned by fellow criminals.
  • Monetisation – Those who have been duped into operating drop addresses and those involved in the reselling of fraudulently acquired goods.

“This ecosystem is highly complex and international. At each stage, it creates victims – from the card industry that loses $24 billion a year to consumers who are frequently duped into revealing their card details,” says Holland.

“One of the key themes that stood out for us is the level of ‘social engineering’ criminals are now using. Aggressive and manipulative phone calls to victims to reveal PIN numbers is just one example of this.”
