November marks the beginning of the holiday shopping season. Consumers are making their shopping lists. Retailers are gearing up for the rush of shoppers. And hackers are honing their skills and using new tools to take advantage of the spike in online transactions. A 2018 survey (PDF) by RetailMeNot shows that consumers are expected to spend an average of $803 holiday shopping during Black Friday weekend, up from an average of $743 last year, with Black Friday and Cyber Monday projected to be the top two desktop and mobile shopping days of the year. While 67 percent of shoppers will go to department stores, 60 percent plan to shop with online-only retailers.
As consumers spend more money online, the opportunities for fraud increase and so does the level of sophistication threat actors employ to conduct card fraud. Many tactics are aimed at Card Not Present (CNP) fraud, when the card is used online and over the phone and the Europay, Mastercard and Visa (EMV) chip technology has no mitigating effects.
One of the latest examples is Magecart, a toolkit of malicious software that was recently used to infect the websites of some clients of Shopper Approved, a customer review plug-in that hundreds of e-commerce sites use to collect reviews and help increase sales. When the plug-in was installed on payment pages of websites, Magecart could embed malware into the plug-in and capture shoppers’ payment card data. Fortunately, the incident was discovered before the holiday shopping season was in full swing, mitigating the potential for widespread payment card skimming. However, the fact that the malware is being used by various groups reinforces that cybercriminals don’t operate in a vacuum.
As I’ve written about before, a rich ecosystem exists that provides supporting infrastructure, malware and money services. Professional online tutorials that include webinars, instructors and reading materials are also available to give actors who are less sophisticated everything they need to profit from credit card fraud. These types of courses were traditionally advertised across a wide range of marketplaces and forums. However, with the takedowns of AlphaBay and Hansa marketplaces in 2017, cybercriminals are incorporating other platforms to publicize their services as they gear up for the holidays.
Our Russian-language specialists have unearthed sellers of courses now hosting free lecture videos on Telegram and then using these to further promote their cybercrime services. For example, they hold a botnet-related lecture and then advertise their new “University of Cybersecurity and Anonymity” program, complete with a dedicated website that looks extremely professional and on par with many legitimate online education sites. They also offer a minute-long video advertisement which has been played over 5,000 times on mainstream video sharing platforms. The course costs about $1,100, payable in Bitcoin, and offers much more than basic carding (payment card fraud) techniques, including lectures and workshops on currency laundering, cash withdrawal schemes, social engineering, botnet creation and use of exploits.
At the lower end of the scale, self-paced and generic tutorials are available for as little as $1. There is also a bartering system whereby actors offer free carding tutorials in exchange for positive reviews on various platforms. Students can expect to be upsold more advanced tutorials and carding services.
This trend is worrying as more amateur actors have access to the training they need to embark on a cybercriminal career. The steady drumbeat of Magecart, intensified by the fact that groups are escalating their use of the malware and becoming more adept, adds to the growing security concerns among businesses that conduct commerce online. However, with this information there are many steps that payment card companies, merchants and consumers can take to better protect themselves. Here are just a few tips.
Monitor: Payment card companies should monitor for permutations of their domain name, which could indicate criminals seeking to harvest information from customers. They should also monitor carding sites for Bank Identification Numbers (BINs) and Issuer Identification Numbers (IINs) that are offered for sale. Merchants should monitor for mentions of their company name on “cardable” sites, which indicate that their sites have been identified as having lax security controls and are thus easier targets. Google Alerts and open source web crawlers like Scrapy can help.
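One way to act on the domain-permutation tip, as an added example that is not from the original article: it checks a feed of newly observed domains against a brand name and reports why each hit looks like an imitation. The brand, the feed entries and the substitution table are constructed assumptions, and the last label is treated as the TLD.

```python
# Added example: flag lookalike registrations in a feed of newly seen domains.
# BRAND, OWN and FEED are constructed placeholders (reserved TLDs), not real IoCs.
BRAND = "acmecards"
OWN = "acmecards.example"
FEED = ["pay.acmecards.example", "acmecards.test", "acmecard5.example",
        "acrnecards.example", "acmecrads.example",
        "acmecards-login.example", "weatherreport.example"]

# Character swaps that imitate another letter, folded back before comparing.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}

def fold(label):
    """Drop hyphens and undo common look-alike substitutions."""
    label = label.lower().replace("-", "")
    for fake, real in HOMOGLYPHS.items():
        label = label.replace(fake, real)
    return label

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1,
                           prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(domain, max_dist=2):
    """Return why a domain resembles the brand, or None if it does not."""
    domain = domain.lower().rstrip(".")
    if domain == OWN or domain.endswith("." + OWN):
        return None                       # our own domain or a subdomain of it
    for label in domain.split(".")[:-1]:  # every label except the TLD
        folded = fold(label)
        if label == BRAND:
            return "brand name outside our domain"
        if folded == BRAND:
            return "homoglyph or hyphen variant"
        if BRAND in folded:
            return "brand embedded in longer name"
        if edit_distance(folded, BRAND) <= max_dist:
            return "typo variant"
    return None

def scan(feed):
    """Map each suspicious domain in the feed to the reason it was flagged."""
    return {d: r for d in feed if (r := classify(d))}
```

For short brand names, lower `max_dist` to 1, since an edit distance of 2 will match many unrelated words.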
Strengthen security: Merchants should consider using 3D Secure as an additional layer of security, which has proven to be a real obstacle for criminals and is deployed by Visa and Mastercard. They should also remove third-party code from payment pages whenever possible to avoid incidents such as the one involving Shopper Approved.
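To find the third-party code this tip refers to, a merchant can inventory the scripts a payment page loads. The following is an added example, not from the original article; the page markup and host names are constructed, and the Subresource Integrity (SRI) check is an extra signal the article does not mention.

```python
# Added example: inventory third-party scripts on a payment page.
# The page markup and host names are constructed (reserved .example domains).
from html.parser import HTMLParser
from urllib.parse import urlparse

FIRST_PARTY = "shop.example"
CHECKOUT_HTML = """
<html><head>
<script src="/static/checkout.js"></script>
<script src="https://cdn.shop.example/vendor.js"></script>
<script src="https://reviews.widgets.example/badge.js"></script>
<script src="//stats.tracker.example/t.js" integrity="sha384-PLACEHOLDER"
        crossorigin="anonymous"></script>
</head><body><form action="/pay"><input name="card-number"></form></body></html>
"""


class ScriptInventory(HTMLParser):
    """Collect every <script src=...> with its host and SRI status."""

    def __init__(self, first_party):
        super().__init__()
        self.first_party = first_party
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        attrs = dict(attrs)
        src = attrs.get("src")
        if not src:
            return                       # inline script: no external host
        host = urlparse(src).hostname or self.first_party  # relative URL
        third_party = not (host == self.first_party
                           or host.endswith("." + self.first_party))
        self.scripts.append({"src": src, "host": host,
                             "third_party": third_party,
                             "sri": bool(attrs.get("integrity"))})


def audit(html, first_party=FIRST_PARTY):
    """Return third-party scripts, those without SRI first."""
    inv = ScriptInventory(first_party)
    inv.feed(html)
    external = [s for s in inv.scripts if s["third_party"]]
    return sorted(external, key=lambda s: s["sri"])
```

Each entry returned is a candidate to remove from the payment page or to self-host; entries without an integrity value come first because a change to that remote file would load unnoticed.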
Be smart: Knowledge of the trends and techniques being advertised in carding courses gives payment card companies and merchants valuable insights into methods being used and how to increase the friction at every stage of the cybercriminal process. Consumers can also be savvier – transacting with known retailers and, if shopping somewhere new, ensuring the merchant uses 3D Secure. And as always, be wary of offers that seem too good to be true, as they probably are.
As we continue to gear up for an increase in shopping this holiday season, remember that attackers continue to innovate and update their training and skills regularly. Fortunately, monitoring for malicious activity, staying apprised of the latest security measures and being aware of hackers’ latest tactics, techniques and procedures (TTPs) can help all parties mitigate digital risk associated with CNP transactions.