Digital Shadows revealed the findings of a detailed study that delved into the changing habits and tactics of organised credit card fraud gangs.
In short, there has been a significant step up in sophistication of the cybercriminal underworld with a professional ecosystem now providing e-learning courses allowing aspiring criminals to make USD$12k in monthly earnings.
The digital risk management provider analysed hundreds of criminal forums to uncover a new trend in the form of remote learning ‘schools’.
These six week courses are available to Russian speakers only and comprise of 20 lectures with five expert instructors.
Digital Shadows assert the course includes webinars, detailed notes and course material. In exchange for RUB 45,000, which equates to around USD$745 plus $200 for course fees, aspiring cyber criminals have the potential to make $12k a month, based on a standard 40-hour working week.
This is significant amount in any country, but given the average monthly wage in Russia is less than $700 it means cybercriminals could make nearly 17x more than a ‘legitimate’ job.
According to Digital Shadows, the criminals are pursuing a potentially lucrative market as the company discovered in just two of the most popular ‘carding’ forums nearly 1.2 million card holder details on sale for an average of $6 each.
However, prices do vary dependent on the level of security associated with the card and cardholder. The least expensive cards are those requiring further authentication to ‘cash out’.
Social engineering is one of the heavily focused factors in the courses, with advice given on how to manipulate people through knowledge of their local area in order to build rapport and trick targets into exposing information, usually over the phone.
“The card companies have developed sophisticated anti-fraud measures and high quality training like this can be seen as a reaction to this,” says Rick Holland, VP Strategy at Digital Shadows.
“Unfortunately, it’s a sign that criminals continually seek to lower barriers to entry, which then put more criminals into the ecosystem and cost card brands, retailers and consumers. However, the benefit is that the criminals are increasingly exposing their methods, which means that credit card companies, merchants and customers can learn from them and adjust their defences accordingly.”
Using the findings from the research, Digital Shadows were able to determine that credit card criminals fall into four main groups:
- Payment Card Data Harvesters – The ones who do the dirty work in terms of harvesting payment card information.
- Distributors – The ‘middle men’ who typically make the most money by repackaging and selling card information.
- Fraudsters – The ones who act on the purchased information and consequently the most at risk in terms of getting caught by law enforcement or being conned by fellow criminals.
- Monetisation – Those who have been duped into operating drop addresses and those involved in the reselling of fraudulently acquired goods.
“This ecosystem is highly complex and international. At each stage, it creates victims – from the card industry that loses $24 billion a year to consumers who are frequently duped into revealing their card details,” says Holland.
“One of the key themes that stood out for us is the level of ‘social engineering’ criminals are now using. Aggressive and manipulative phone calls to victims to reveal PIN numbers is just one example of this.”