Inside Online Carding Courses Designed for Cybercriminals Card fraud more sophisticated than ever, and what you can do about it Executive Summary Payment card fraud costs banks and merchants billions every year. As consumers spend more and more money online, the opportunities for fraud increase; experts project a loss of $24 billion to payment card fraud by the end of 2018.1 Payment card fraudsters do not operate in a vacuum, instead relying on a sophisticated ecosystem and support network that provides a wide range of credit card details, fraud tools and online tutorials. This paper looks at one recent online course designed for bad actors in order to shed light on the latest fraud tactics and tools, allowing consumers, merchants and credit card companies to better understand the threat and make it harder for the fraudsters. Table of Contents Executive Summary................................................................................................... 2 Payment card fraud is big business – and it’s getting even bigger....................... 3 Fraudsters are only one part of a broader ecosystem........................................... 4 Stage 1: Learn the latest techniques......................................................................... 6 Stage 2: Buy payment cards from a reputable site.................................................. 8 Stage 3: Commit payment card fraud and cash out................................................ 10 Fraudsters score big................................................................................................ 12 A knowledge of carding trends helps defenders and consumers too................. 13 Glossary.................................................................................................................... 14 End Notes..................................................................................................................14 2 Payment card fraud is big business – and it’s getting even bigger Payment card fraud has been around as long as the cards themselves, and there are two main approaches: physical card fraud and Card Not Present (CNP) fraud. Physical card fraud entails the cloning of payment cards, which are then used to make purchases. Despite its imperfections, recent research indicates that the increasing adoption of EMV has made physical card fraud more difficult, making CNP fraud more popular.2 CNP fraud occurs when the customer doesn’t physically present the card and uses card details online or over the phone. With consumers spending more and more with their credit cards online, it’s easy to see why CNP fraud is big business. One recent report claims that annual online card spending will double to $6 trillion by 2021.3 All of this offers more opportunities for cybercriminals to make money. This year, Europol coordinated an effort to disrupt an organized crime group that affected more than 130,000 payment cards, resulting in a loss of 8 million Euros. The criminal network established several fake online shops and a shell software company, allowing them to make illicit credit card transactions.4 This is just one technique used by carders; cybercriminals are continuously innovating and devising new techniques to bypass security controls developed by credit card companies and merchants. The combination of increased spending and criminal innovation contributes to a projected loss of $24 billion to credit card fraud in 2018.5 $24 Billion Projected loss to credit card fraud in 2018 Where do the carders learn and hone their skills? Well, just as consumers use online courses, so do cybercriminals. In order to understand carders’ latest tactics and tools, we are highlighting an online course from an exclusive Russian carding forum, complete with webinars, instructors and reading material. While tutorials and guides have existed for many years, the online course was on a scale and level of professionalism we have not seen before. We will glean insights from this course so that you can understand the carding ecosystem and the latest techniques used by cyber criminals. In doing so, you as a defender can learn what makes an attractive target, and what causes problems for cybercriminals. This is relevant for financial services organizations; but there are also implications for consumers, e-commerce, hotels, airlines, gaming and retail companies. As this paper will show, carding guides and courses are not a new phenomenon, but the professionalism, reputation and freshness of this course provides useful insights for organizations across a range of industries as well as consumers. 3 Fraudsters are only one part of a broader ecosystem Payment card fraudsters rarely operate by themselves, instead relying on a well-established ecosystem that provides them with payment card information, support services and ways to monetize the fraud. We have identified four key pillars of the carding ecosystem. 1. Payment Card Data Harvesters ‘Harvesters’ do the ‘dirty work’ in terms of harvesting payment card information. This is done through intercepting card holders’ information whether this be through point of sale malware, skimming devices, phishing, breached databases, or through operating botnets. With the control of botnets, criminals can gain access to individuals’ computers and steal their credit card information. In one recent case, a Russian criminal was sentenced to nine years in prison for operating several botnets that were used to steal credit card information. He claimed to have acquired 40,000 credit card details through this technique.6 Criminals who amass large amounts of fresh card details can quickly and easily sell these on to distributers and make good money. In the world of Netflix’s drama, Narcos, these would be the criminals making the goods. 2. Distributors Distributors are the ‘middle men’ who typically make the most money. While the criminals who harvest may use the card data themselves, they also sell it on to others who will package, repackage and sell the card information. This may be done privately or through specific sites that sell the card details, sites that Europol refers to as Automated Vending Carts (AVCs). Seleznev – also known as nCuz, Bulba and Track2 – was a prolific Russian cybercriminal and credit card thief, responsible for 3,700 financial institutions losing more than $169 million.7 Roman Seleznev ran many AVCs before being sentenced to 27 years in prison in April 2017. Criminals running AVCs have the potential to make a large amount of money with a low degree of risk. If the harvesters are the Narcos, the AVC owners are the distributors; reselling the product and taking their cut. 3. Payment Card Fraudsters Fraudsters are the ‘users’ who actually carry out the fraud, using card details to carry out fraudulent transactions to buy goods and services. These individuals run the most risk in terms of getting caught by law enforcement or being conned by fellow criminals. Once fraudsters have acquired payment card information from their distributor, the fraud can happen. These individuals tend to be less technical and attract a lower caliber of cybercriminal, often relying on online guides and courses to learn the latest techniques. There are many approaches to this, but it typically starts by purchasing online goods for consumption or resale. The fraudsters either keep the ill-gotten goods for themselves, or they are monetized by offering the same good for a much-reduced price, such as a luxury watch for 50% off. With the right knowledge and approach, fraudsters have the opportunity to make a significant amount of money, although the risk is higher. They are the ones who make the Narcos rich and fuel the industry; if they weren’t buying credit card details, the demand to drive harvest and distribution would be reduced. 4. Monetization There are many different roles within this stage, including those who have been duped into operating drop addresses and those involved in the reselling of fraudulently acquired goods. Purchasing goods with stolen payment cards can be useful, but the payment card fraudsters will need individuals to help them monetize (cash out) these fraudulent purchases. Cashing out is necessary in order to turn carding into a business. Those involved in the cashing-out process are not always aware they are committing a criminal act; a common approach is to have unwitting individuals working for a fictitious organization, reshipping fraudulently-purchased goods as a “Merchandise Manager” or “Junior Packing Coordinator.”8 4 These four areas are not mutually exclusive – a criminal might harvest the card data and commit the fraud. However, the maturity of the carding ecosystem allows actors to become more specialized. Although carding is comprised of these four key pillars, they also rely on many support services including network anonymity providers and reputation services. A great example of this specialization is fraud[.]cat, a service that allows fraudsters to determine the risk of using particular IP addresses (Figure 1). Figure 1: A screenshot of fraud[.]cat, an online service to check the risk score of IP addresses that are used for committing fraud The online course we will cover in this paper focuses on the payment card fraudsters across the three main stages: Buy payment Learn the latest Commit fraud cards from a techniques and cash out reputable site Figure 2: The 3-stage process for payment card fraudsters By understanding what causes these criminals friction at each stage, organizations and consumers can