You are here

How the bad guys cash in on stolen credit card data

public://webform/writeforus/profile-pictures/dustin_childs_800x800_formal_seattle.jpg
Dustin Childs, Sr Security Content Developer, Hewlett Packard Enterprise

What do Walmart, Macy’s, eBay, and Saks 5th Avenue all have in common? They all have been targeted by the same reshipper using stolen credit card data that grossed $1.5 million in 2015 alone. These retailers are hardly alone. Data breaches occur so often that many consumers have become numb to them.

Over the last decade, thousands of reported data breaches and fraudulent or compromised payment portals have led to the theft of data concerning hundreds of millions of U.S. credit cards. It’s understandable why so many people are numb to breach notifications. Because the financial institution bears the brunt of a breach's effects by providing replacement cards and credit report monitoring, little more than inconvenience is borne by the consumer.

The process seems pretty straightforward:

  1. The credit card information is taken.
  2. Data is then used for fraudulent purposes.
  3. The financial institution is “alerted” in some manner.
  4. The card is canceled.
  5. A new card, along with some credit monitoring, is provided to the affected customer.

What isn’t generally known is the complex system at step two: Data is then used for fraudulent purposes.

 

[ Get up to speed fast on today's tools with TechBeacon's Application Security Buyer's Guide 2019 ]

Follow the cash transactions

Hewlett Packard Enterprise Security Research investigated how criminal enterprises monetize stolen credit card data. We found that it’s as complex a world online as it is in real life, with sophisticated organizations orchestrating the exploitation of stolen data to maximize profit and revenue.

There are definitely multiple ways a stolen credit card number may be used. Our research focused on one method that uses the stolen credit card numbers to purchase goods that are then resold for cash. These reshipping operations account for an estimated 1.6 million credit and debit cards being used for $1.8 billion in fraudulent purchases each year.

Here’s how it works:

 

HPE researchers discovered hierarchical systems, with "bosses," "admins," "drops,"and "stuffers" fulfilling various roles in monetizing the stolen information. Here is the breakdown:

  • Bosses. As in many workplaces, bosses are the key people in establishing the operation. They bring together the various players and draw value from each activity. They also link together the physical and cyber worlds, enabling the translation of stolen information to cash in hand. Bosses make their profits by selling high-demand goods in gray markets. Because they purchased the goods with stolen credit card data, it’s a fairly high profit margin.
  • Admins. A boss can’t be effective without a good admin. Admins create and run websites with a couple of different purposes. The websites serve a dual purpose of maintaining contact with the stuffers and recruiting the drops. Admins take their cut of the profit by creating the website, recruiting new drops, providing fraudulent shipping labels, and selling the goods.
  • Stuffers. Stuffers purchase goods through a legitimate retail site and select a drop to receive the goods. The types of goods purchased run a wide gamut—everything from clothes to electronics to camping gear to rifle scopes. These purchases are made using stolen credit card info. Once the purchase is made, the cost of shipping from the retailer to the drop is included in the purchase. Stuffers take their cut out of the goods purchased, typically as a percentage assigned to each product type.
  • Drops. Once all of the pieces are assembled, the drops are recruited. Drops are people located in countries where transactions are trusted. When stuffers order merchandise, it is shipped to a drop. Our research discovered that the majority of drops were U.S. residents who had been recruited through direct email campaigns. Once recruited, drops are managed through a website and assigned tasks as needed. Drops were also found to be fairly transient people with a history of changing their address. They exist all over the country and in certain European locations as well.

 

Drops don’t actually make any money in this scheme and likely don’t even know they are a small cog in a large, illegal enterprise. They may be promised a base pay plus commission for shipping items or a fee for each item, but after 45 days and no pay, they begin to understand they have been scammed.

Reshippers find it more cost-effective to recruit new drops from among people looking for a work-from-home opportunity rather than actually paying and maintaining the existing drops. This practice has the added benefit of isolating the most exposed part of the operation from the rest of the organization. Drops are exposed to little if any of the true organization.

Once the goods are purchased and shipped to a drop, they are ready to be sent on to Eastern Europe, where they are sold on the gray market for cash. The drops reship merchandise using fraudulent shipping labels or via shipping aggregation companies. Some of these companies, such as Carrier.st, make millions each year.

[ See Guide: Best Practices for GDPR and CCPA Compliance ]

How to avoid becoming a drop

There has been a significant increase in the activity of this type of operation during the last three years, and HPE Security Research expects this trend to continue to grow based upon the level of activity that we observed in our investigation. How do you prevent yourself from becoming a drop? The FBI has posted some advice that includes the following:

  • Don’t pay upfront for a job opportunity.
  • Don’t wire money to a potential employer.
  • Be wary of terms such as “money transfers,” “wiring funds,” “package forwarding,” and “import/export specialist.”

And always remember the adage that if it sounds too good to be true, it probably is. If you are wondering if an opportunity is real, check out www.lookstoogoodtobetrue.com—it’s a fine place to start.

Retailers have a different challenge. Spotting these fraudulent transactions can be difficult, since they often occur soon after a card is compromised but before the issuer is able to deactivate the number. Tracking packages destined for one of the known shipping aggregation companies, combined with the type of product being shipped, can increase fraud-detection capabilities. HPE Security Research advises retailers to monitor for this type of activity and to stay aware of the operational details of scams such as these.

Our report goes into greater detail about all phases of these operations and includes screenshots of the shipping aggregator's websites and example mails to drops. Take a few moments to download and read the report. Understanding how these scams work is the first step in ensuring you never fall for one.

 

[ Join Webinar: Five Steps to Implement a Universal Policy Strategy ]