London and San Francisco, July, 19, 2017 – Digital Shadows, the industry leader in digital risk management, today reveals the findings of an in-depth study carried out by its team of multilingual analysts assessing the changing habits and tactics of organized credit card fraud gangs. It points to increased sophistication of a professional ecosystem as fraudsters seek to up-skill themselves and novice would-be cyber criminals.
By analyzing hundreds of criminal forums, Digital Shadows discovered a new trend in the form of remote learning ‘schools’. Available to Russian speakers only, these six-week courses comprise 20 lectures with five expert instructors. The course includes webinars, detailed notes and course material. In exchange for RUB 45,000 ($745) (plus $200 for course fees), aspiring cyber criminals have the potential to make $12k a month, based on a standard 40-hour working week. Given the average Russian monthly wage is less than $700 a month it means cybercriminals could make nearly 17x more than a ‘legitimate’ job.
Interestingly, a criminal ‘code’ appears to exist on many of the Russian-origin carding forums, whereby no Russian card details are permitted for sale.
The criminals are going after a potentially lucrative market. In just two of the most popular ‘carding’ forums 1.2 million card holder details are on sale for an average of $6 each. However, prices do vary dependent on the level of security associated with the card and cardholder. The least expensive cards are those requiring further authentication to ‘cash out’. The main obstacle to this is the PIN of the cardholder, which can be tricky and time-consuming to find out. Therefore, there exist automated services which call cardholders in an attempt to scam their details using social engineering techniques.
Social engineering is given a heavy emphasis in the courses. Advice is given on how to manipulate people through knowledge of their local area in order to build rapport with the target and trick them into exposing information (such as PIN numbers), usually over the phone. As the instructor puts it “that’s why I always advise to watch the news because with such incidents, it is possible to play beautifully.”
“The card companies have developed sophisticated anti-fraud measures and high-quality training like this can be seen as a reaction to this”, said Rick Holland, VP Strategy at Digital Shadows. “Unfortunately, it’s a sign that criminals continually seek to lower barriers to entry, which then put more criminals into the ecosystem and cost card brands, retailers and consumers. However, the benefit is that the criminals are increasingly exposing their methods, which means that credit card companies, merchants and customers can learn from them and adjust their defenses accordingly.”
The research found that credit card criminals fall into four main groups (with some overlapping between each)
Rick Holland, VP Strategy at Digital Shadows continues: “This ecosystem is highly complex and international. At each stage, it creates victims – from the card industry that loses $24 billion a year to consumers who are frequently duped into revealing their card details. One of the key themes that stood out for us is the level of ‘social engineering’ criminals are now using. Aggressive and manipulative phone calls to victims to reveal PIN numbers is just one example of this.”
Digital Shadows offers the following five tips for consumers:
Digital Shadows offers the following five tips for merchants:
Digital Shadows offers the following five tips for card providers:
You can learn more about Digital Shadows’ deep and dark web intelligence in this datasheet.
To learn more, download the full report: Inside Online Carding Courses Designed For Cybercriminals.
ABOUT DIGITAL SHADOWS
Digital Shadows monitors and manages an organization’s digital risk across the widest range of data sources within the open, deep, and dark web to protect an organization’s business, brand, and reputation. The Digital Shadows SearchLight™ service combines scalable data analytics with human intelligence analysts to manage and mitigate risks of an organization’s brand exposure, VIP exposure, cyber threat, data loss, infrastructure exposure, physical threat, and third party risk, and create an up-to-the minute view of an organization’s digital risk with tailored threat intelligence. The company is jointly headquartered in London and San Francisco. For more information, visit www.digitalshadows.com.