Black Friday and Cyber Monday weekends mean good business to both retailers and online skimmers. It’s the time of the year when shoppers will empty their bank accounts on Amazon. On the other side, some reports suggest that shoppers could possibly have them swiped clean by criminals in underground markets. What many don’t know is that their stolen card data will be used to make “generous” donations to charity originations, an antic used by cyber criminals to verify the value of the card according to researchers at PhishLabs.
Over the years, underground online markets have grown in size and sophistication such that stolen cards data is now traded in a similar model, just like you would list products on mainstream online store such as eBay or Amazon.
Like in any good business, underground carders must devise ways to boost the value of their products in a bid to undercut competitors. One of the strategies is to introduce a card verification system that guarantees the buyer that there is cash in stolen card and the cardholder’s account is yet to be frozen. Such a move would double the value of a stolen card data says experts.
PhishLabs discovered an interactive bot that allows criminals to automatically verify the card data saving them the hassle of manually verify each card, which would significantly increase the risk of being detected. The bot sits in a chat room, automatically picking up messages containing card data, and making small random donations to a charity organization and other nonprofit organization as a way of testing whether the cards are functional.
The bot agent interacts as a user on an IRC (Internet Relay Chat) channel, as explained in the post, the card verification function is handled through private messages between a moderator, the criminal service’s customer, and the bot’s own “user” ID on the same chat channel.
“PhishLabs’ R.A.I.D (Research, Analysis, and Intelligence Division) has uncovered an underground service that allows cybercriminals to use an interactive chat bot to automate the verification of stolen payment card data. The bot is a script programmed to login to an online chat channel and monitor it for messages containing data such as credit card numbers, cardholder names, and expiration dates using a special input syntax. ” says Don Jackson, director of threat intelligence at PhishLabs in a blogpost.
“When cybercriminals join the online channel and chats, the bot uses the data provided to input and run transactions against the websites of charities and other non-profits in order to verify that the card data is correct and the account is active,” “The bot then reports the results and any transaction details back the crook.”
Charities organization are an ideal target for cybercriminals because their sites have fewer security features in order to make it easy for the donors to make their donations in a few clicks. In particular, charity sites lack CAPTCHAs and other verification features that would thwart bot-like transactions. It is also unlikely that a charity organization would reject donations, this makes them a good testing ground for criminals.
“These websites seem to have fraud detection profiles that result in a relatively low number of declined transactions for valid card data,” notes Jackson. “The ability to verify small amounts from many different types of cards issued in many different countries seems to work more reliably for the criminals than, for example, retailer websites.”
Detecting fraudulent transactions depend on how fast the victim is able to notice peculiar numerous small transactions made within a short time interval. The hallmark of this clandestine operation is small amounts ranging from $1 to $5.Ideally, donors would make their donation in whole numbers, but since the bot is automated, operators should look out for patterns of small donations in partial dollar amounts such as $2.09 or $3.58 .
“Operators of websites that may have been targets for abuse can also look for the same pattern in the amounts paid, especially in bursts of transactions each separated by some short period of time usually in the range of a few seconds to a couple of minutes,” says Jackson adding that victims should also be suspicious when there is a mismatch between the geological location of the senders IP address and the billing address of the cardholder.
Meanwhile preventing the exploitation of this nature would require targeted organizations to shore up authentication procedures in their sites. More importantly, prevent automated submission of card data by introducing a feature such as Randomized URL’s and requesting for email address and payment verification from potential donors. Other anti –bot measures include introducing CAPTCHAs or requiring visitors to create a simple account before making donations.
This case demonstrates the continuos evolution of criminal activities in online underground markets, recently experts at IntelCrawler discovered a payment gateway application dubbed Voxis Platform, which can send batches of stolen card charges to multiple gateway processors automating their returns before acquiring banks can catch any illegal activity.
This kind of applications are in demand by the market especially in this moment because the large payment card data breaches at U.S. retailers like Target and Home Depot have flooded the underground market with stolen credit card data that criminals desire to quickly monetize.
Tha Voxis Platform is an excellent instrument to emulate the human behavior and avoid the detection of anti-fraud systems the are triggered when specific fraud patterns are recognized. In every online transaction we distinguish the following roles the buyer, the seller and the payment gateway. The seller will receive money from transactions if it has a merchant account registered with the payment gateway.
Cyber criminals are using every method to run the highest possible number of fraudulent charges in the shortest time, the monitoring of their TTPs is strategic to cybercrime prevention.
Written by: Ali Qamar, Founder/Chief Editor at SecurityGladiators.com and edited by Pierluigi Paganini
Ali Qamar is an Internet security research enthusiast who enjoys “deep” research to dig out modern discoveries in the security industry. He is the founder and chief editor at SecurityGladiators.com, an ultimate source for worldwide security awareness having supreme mission of making the internet more safe, secure, aware and reliable. Follow Ali on Twitter @AliQammar57
(Security Affairs – stolen card data, underground)