sb-eu logo
Story image

Digital Shadows discovers credit card crime ring cashing in on $24b a year

25 Jul 2017

Digital Shadows revealed the findings of a detailed study that delved into the changing habits and tactics of organised credit card fraud gangs.

In short, there has been a significant step up in sophistication of the cybercriminal underworld with a professional ecosystem now providing e-learning courses allowing aspiring criminals to make USD$12k in monthly earnings.

The digital risk management provider analysed hundreds of criminal forums to uncover a new trend in the form of remote learning ‘schools’.

These six week courses are available to Russian speakers only and comprise of 20 lectures with five expert instructors.

Digital Shadows assert the course includes webinars, detailed notes and course material. In exchange for RUB 45,000, which equates to around USD$745 plus $200 for course fees, aspiring cyber criminals have the potential to make $12k a month, based on a standard 40-hour working week.

This is significant amount in any country, but given the average monthly wage in Russia is less than $700 it means cybercriminals could make nearly 17x more than a ‘legitimate’ job.

According to Digital Shadows, the criminals are pursuing a potentially lucrative market as the company discovered in just two of the most popular ‘carding’ forums nearly 1.2 million card holder details on sale for an average of $6 each.

However, prices do vary dependent on the level of security associated with the card and cardholder. The least expensive cards are those requiring further authentication to ‘cash out’.

Social engineering is one of the heavily focused factors in the courses, with advice given on how to manipulate people through knowledge of their local area in order to build rapport and trick targets into exposing information, usually over the phone.

“The card companies have developed sophisticated anti-fraud measures and high quality training like this can be seen as a reaction to this,” says Rick Holland, VP Strategy at Digital Shadows.

“Unfortunately, it’s a sign that criminals continually seek to lower barriers to entry, which then put more criminals into the ecosystem and cost card brands, retailers and consumers. However, the benefit is that the criminals are increasingly exposing their methods, which means that credit card companies, merchants and customers can learn from them and adjust their defences accordingly.”

Using the findings from the research, Digital Shadows were able to determine that credit card criminals fall into four main groups:

  • Payment Card Data Harvesters – The ones who do the dirty work in terms of harvesting payment card information.
  • Distributors – The ‘middle men’ who typically make the most money by repackaging and selling card information.
  • Fraudsters – The ones who act on the purchased information and consequently the most at risk in terms of getting caught by law enforcement or being conned by fellow criminals.
  • Monetisation – Those who have been duped into operating drop addresses and those involved in the reselling of fraudulently acquired goods.

“This ecosystem is highly complex and international. At each stage, it creates victims – from the card industry that loses $24 billion a year to consumers who are frequently duped into revealing their card details,” says Holland.

“One of the key themes that stood out for us is the level of ‘social engineering’ criminals are now using. Aggressive and manipulative phone calls to victims to reveal PIN numbers is just one example of this.”

Story image
CrowdStrike targets Zero Trust blind spot with new offering
CrowdStrike has officially launched CrowdStrike Falcon Zero Trust Assessment (ZTA), designed to aid in overall security posture by delivering continuous real-time assessments across all endpoints in an organisation regardless of the location, network or user. More
Story image
New project development inhibited by cybersecurity, Kaspersky research states
"There are still some practical steps that can be taken to make sure that an emerging technology or a product reaches its launch. Cybersecurity doesn’t have to be another corporate barrier, but it should be on an integral part of the project all long."More
Story image
Secureworks: Remote working exposes new security vulnerabilities
New vulnerabilities have been exposed as IT teams across the world respond to the ongoing COVID-19 pandemic.More
Story image
BlackBerry, Microsoft enter partnership for Teams integration
"Integrating BlackBerry AtHoc will ensure that any organisation managing critical events using Teams is able to contact, alert, and account for everyone within the organisation directly."More
Story image
Security and operations collaboration key to success post COVID-19
“We are in an ultra-hybrid world with multi-everything, and in order to successfully navigate this landscape, ITOps, DevOps, and SecOps teams need to more closely align."More
Story image
Report: Power utilities increasingly at risk of devastating cyber-attacks
“Utilities’ existing systems are becoming increasingly connected through sensors and networks, and, due to their dispersed nature, are even more difficult to control.”More