You Study Fraudsters But Fraudsters Study You

I recently came across an interesting post on one of the many underground criminal websites I monitor daily. It is advice intended for fraud managers but posted for fraudsters to read so they might understand what fraud managers are taught to look for in their work. It is intended in particular for “carders,” fraudsters who use stolen credit card information in card-not-present transactions on merchant websites. In other words, fraudsters read what the good guys are looking for to stop fraud and adjust their techniques accordingly. Below are the introduction and snippets from the original post alongside what adjustments fraudsters are making to counteract them.

Fraud is always related to a purposeful intent committed by a human being utilizing techniques of deception and trickery. Fraudsters are constantly one step ahead of the game, therefore risk managers must keep up with the most recent fraud patterns. We have collected five crucial scam elements that fraud managers should be aware of.

Fraudsters use VPNs or bad proxies

Fraudsters commit the primary error of using a VPN (virtual private network) or a bad proxy server connection throughout a transaction. They use these tools to mask their residential Internet Protocol (IP) address, resulting in an anonymous connection. Not all VPN or proxy users are dishonest clients; therefore, several other determinants must be taken into consideration when analyzing a suspicious situation.

VPNs and proxies aren’t so simple to catch

No experienced fraudster is going to commit fraud using only a VPN. An experienced fraudster uses a VPN as just the starting point. This way, if their proxy goes haywire on them, all the merchant will see is the IP address of their VPN, not the fraudster’s real IP address. Fraudsters configure the VPN so that if it drops connection, all traffic stops and they won’t be revealed. What about the proxy server? Fraudsters are always searching for good proxy providers. They know the quality of the proxy often determines the success of an order. One of the most favored, Luxsocks, provides secure Socks5 proxies with a risk and fraud score for as little as $.30 each. Luxsocks provides thousands of residential, secure, clean proxies which can provide an IP address within 5 miles of the cardholder. These proxies cannot be identified as such by merchants and security companies if the fraudster uses them correctly.

Fraudsters use email addresses with no history

Another major mistake that fraudsters tend to make is the use of an e-mail address that is rated to be risky. This means that the e-mail address in use lacks any related social media profiles, may be disposable or is blacklisted. Online customers tend to buy products using their personal e-mail address. This means that the address will be registered to at least a couple of social media websites and will most probably not be disposable [Editor’s Note: This refers to addresses from free email providers such as Hotmail, Yahoo or Gmail among others]. In the case of corporate email addresses, checking the creation date of the e-mail address and verifying the domain are also relevant factors.

Aged email addresses can be bought 

For years, fraudsters have known that the quality of the email address often determines whether a fraud will be successful or not.  Companies like Emailage are doing an excellent job of looking at email address creation and traffic and are quite good at pinpointing fraudulent email addresses.  Of course, criminals know this and are adapting their techniques accordingly.  We are now seeing a market of aged email addresses and fraudsters are beginning to rely on a variety of account takeover (ATO) methods to work around companies like Emailage.

Aged, paid, domain addresses are the email addresses most preferred by fraudsters.  Why?  Because the email address will look like a legitimate email address that has been in use for many years. The next-most preferred email addresses are those  with the .edu domain.  These email addresses are valued by fraudsters because  having an .edu email means some verification has taken place to ensure the person who owns the email address is the real person with that name. Last comes free email addresses like Hotmail, Yahoo, Gmail, etc.  All these types of email addresses are assigned a fraud risk score.  By using one of the preferred email addresses, a fraudster lowers the risk score and increases the success of the fraud.

Carders buy expensive products

Fraudulent users are likely to buy expensive electronic items that can easily be resold later. Solid state drives (SSD) and Apple products are generally of high demand in the carding community as they have a high resale value. Vouchers and gift cards are also among the most common digital products to be carded as they can easily be resold for digital currency on the darknet markets. Fraud managers should keep an eye out for these types of goods popping up on the transaction lists.

Expensive products or lazy payday

Yep,  fraudsters love expensive products,  especially Apple items.  Apple-branded products can easily and quickly be resold for 80% of retail value.  Fraudsters love it.  Of course, merchants know all this and the highest level of security surrounds these types of high-value items.  It has become hard for a beginning carder to steal those items with any degree of success.

The solution?  Fraudsters have started looking for other items which don’t have high security but resell quickly.  Yeti coolers, camping gear, pool filters and small appliances all fit the bill.  Yes, electronics and high-ticket items are still preferred, but most experienced fraudsters understand that these days there are a variety of goods they can steal much easier than Apple products.  Of course, they still look for relatively expensive items.  Why?  Because for a fraudster to set up his own drop spot and get his ass out of bed to go and pick up the item means it must be worth his time to find the drop, order the items, get out of bed, go to the drop, pick up the item and risk being arrested.  He isn’t going to do all that for $300.

The solution?  Fraudsters post lower ticket items for sale on eBay or Craigslist.  When someone wants to buy,  the carder has the item shipped directly to the buyer.  The item may only net the fraudster a couple hundred dollars, but the fraudster doesn’t have to worry about drops, arrest, or anything else.  He can sell 20 items a day for $200 each and net tens of thousands of dollars monthly. Sometimes mid-range products can be less work and more money for fraudsters.

Carders spend too little time on merchants’ websites

Ordinary consumers tend to browse online throughout their shopping experience. They read reviews, check alternatives before placing the order. On the other hand, fraudulent users know what they want and specifically place a single item in their shopping cart that is later going to be chargebacked to the merchant. Time spent on the website is certainly an important factor to watch out for when monitoring for fraudsters.

Carders are spending more time on websites

It used to be that a carder could go to a website, find the most expensive item, buy it, and be done. It took all of three to four minutes to steal from a store. The problem is that real shoppers don’t behave like that. Real shoppers look around, compare items, and spend a good amount of time on a site before buying. As such, merchants and security companies now flag those impulse-looking purchases as potential fraud. Fraudsters understand this. Many carders now “age cookies.” They go to the target site and look around. They compare items. They put a few items in the shopping cart and remove some. They leave the site for a while, come back, look some more, etc. It may take a couple of hours, it may take a couple of days. But carders have gotten very good at mimicking the actions of a real customer.

Carders tend to commit a series of small transactions

After having bought or stolen a fresh list of credit card information, dishonest users must make sure that their cards are functioning. Generally, they validate this by conducting several low value transactions with different cards after one another. The low fees usually don’t trigger chargebacks from the legit account holders as these transactions are not conspicuous. It is best to watch out for numerous low fee transactions taking place in a sequence.

Experienced carders don’t make tiny purchases

Newbies might engage in that behavior to validate the card before buying something big, but experienced fraudsters have known since carding began that a small charge followed by a larger one often kills the card.  You really don’t see this from experienced crooks.
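
The two patterns in this section, written as detection logic a fraud team could run over transaction records. This is an added example, not part of the original post: the field names, thresholds and sample records are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed thresholds (not from the post); tune against your own traffic.
LOW_VALUE = 5.00                 # ceiling for a "low value" charge, USD
LARGE_VALUE = 200.00             # floor for a "larger" follow-up charge, USD
WINDOW = timedelta(minutes=10)   # sliding window per source
MIN_CARDS = 3                    # distinct cards inside the window to alert
FOLLOW_UP = timedelta(hours=24)  # how long a small charge stays relevant

def card_testing_bursts(txns):
    """Sources that run low-value charges on several distinct cards in WINDOW."""
    recent = defaultdict(deque)  # source -> deque of (time, card)
    flagged = set()
    for t in sorted(txns, key=lambda t: t["time"]):
        if t["amount"] > LOW_VALUE:
            continue
        q = recent[t["source"]]
        q.append((t["time"], t["card"]))
        while t["time"] - q[0][0] > WINDOW:   # drop entries older than WINDOW
            q.popleft()
        if len({card for _, card in q}) >= MIN_CARDS:
            flagged.add(t["source"])
    return flagged

def small_then_large(txns):
    """Cards with a low-value charge followed by a large one within FOLLOW_UP."""
    last_small = {}              # card -> time of its latest low-value charge
    flagged = set()
    for t in sorted(txns, key=lambda t: t["time"]):
        seen = last_small.get(t["card"])
        if seen and t["amount"] >= LARGE_VALUE and t["time"] - seen <= FOLLOW_UP:
            flagged.add(t["card"])
        if t["amount"] <= LOW_VALUE:
            last_small[t["card"]] = t["time"]
    return flagged

def _txn(minute, source, card, amount):
    start = datetime(2024, 1, 1, 12, 0)
    return {"time": start + timedelta(minutes=minute),
            "source": source, "card": card, "amount": amount}

# Constructed sample records; "source" stands for a device or session identifier.
SAMPLE = [
    _txn(0, "dev-A", "tok_1", 1.00),
    _txn(2, "dev-A", "tok_2", 1.50),
    _txn(4, "dev-A", "tok_3", 0.99),    # third distinct card in four minutes
    _txn(5, "dev-B", "tok_9", 3.00),
    _txn(7, "dev-C", "tok_5", 42.00),   # ordinary purchase, never flagged
    _txn(30, "dev-B", "tok_9", 899.00), # large charge after a small one
]
```

On the sample, `card_testing_bursts(SAMPLE)` returns `{"dev-A"}` and `small_then_large(SAMPLE)` returns `{"tok_9"}`.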

Fraud is a game that requires constant learning

As you can see, some guy gets the info that is intended for fraud managers and shares it within a community of fraudsters.  They then change their behavior to avoid the attention of fraud managers on the lookout for specific types of behavior. This type of learning is common among organized fraudsters. Good fraudsters research all they can on security techniques and continue to adapt to become better criminals.

The lesson of the day is that the information you share to prevent fraud can also be the information that is  shared by fraudsters to help commit fraud. Does that mean you shouldn’t share info?  Not at all,  but it does mean you need to be careful with the information you share and how you use it.

Author: Brett Johnson