This post is the second entry in the “Fraudster on the Roof” series. Please remember that the intention of this series is for readers to learn how to better detect fraud, not to improve how they implement it.
Today we look at what it takes to launder money online, specifically through stolen credit cards.
I spend a lot of time thinking about the underground economy. What’s always fascinating to me is that the Web seems to provide a false sense of security to scammers, who think nothing of flaunting their illegal services in full view of the authorities and anyone who really cares to take a look.
Pastebin.com is a surprising resource here. Point your browser to your favorite search engine and type in the following query:
The thousands of results returned include scammers selling everything from card data to bank logins, botnets, PayPal accounts and complete online identities.
On stolen credit cards, the price per market and card type averages out to the following:
| Market | Card type | Price |
|---|---|---|
| United States | American Express | $7.00 |
| United States | Visa & Mastercard | $4.50 |
| Europe | Visa & Mastercard | $14.50 |
| Asia | Visa & Mastercard | $15.00 |
From my own reading here, it looks like prices double on average when the card is sold with information on the person that the card belonged to (address, name et cetera).
As I scroll through the services listed on Pastebin, I think about what buyers do with this data and how they really make any serious money. All too often one hears about ‘data breach here’ and ‘millions of accounts compromised there’, but how does this translate into scammers making money? I’m not talking about scammers that sell the data card by card; I am referring to the scammers that buy it.
Perhaps the simple answer is that with a stolen credit card one could go buy a whole bunch of items from an online market and then resell them. But where would one deliver the goods from the initial purchase to? An entry-level scammer may interrupt now and say that you don’t deliver it to yourself, because the goal is to launder the card as quickly as you can and make a clean getaway. One way to do this is to sell items at a discount on online market A; once these sell, you buy the product through online market B with the stolen card and ship it to the buyer from market A. Easy.
It’s a simple scam, but scammers are lazy and this sounds like too much work, mostly in the sense that it takes so long to make it all happen. Money would only slowly trickle in, and by the time it amounts to any meaningful income the account on A could get closed at any time (the buyer reports the seller after the cops come knocking).
Higher earnings can be found by mixing the offline and online world, where scammers take more risk by doing things in person but stand to make greater profit over fewer transactions. To make things happen in the offline world, scammers push the stolen card data they bought online onto a physical card that can be swiped offline.
Admittedly I am not an expert in offline credit card fraud (detection), but from what I have read it’s surprisingly easier to get up to speed here than I thought it would be. A few searches on eBay for the model number of a card writer (“MSR605”) yield a list of auctions with card writers that are ready to roll for less than $150.
Note that the software provided with the writer facilitates pushing track 1/2/3 data onto an offline card. Track 1/2/3 is the credit card data for sale on the underground economy; it is stored on the magnetic stripe of your card.
A scammer that is printing his/her own cards can then purchase fairly expensive and hard-to-track items from offline stores (jewelry), which can then be sold at a discounted rate online. Since the scammer paid nothing for the items that have been purchased, his profit is a function of the resources allocated to buying from offline stores and the effort required to sell online. The disconnect between offline and online, and making sure only to purchase hard-to-track items, mitigates the risk of the scammer’s online account responsible for sales being reported and his efforts going to waste.
As mentioned earlier, there’s a fair amount more risk involved with this scam, in the sense of getting caught and going to jail. Obviously moving the scam offline means that the scammer has to participate in the physical world, which is bound by the same laws as the people that he/she is stealing from. A savvy jewelry clerk could smell a bad deal and call the cops whilst putting on a ruse for the scammer. A card could have been reported as stolen between purchasing the data and printing it to a card, prompting a call to the credit card company when swiping the card.
“keep him busy, cops are on the way”
There’s just too much risk here.
Any competent scammer looking to make real money wouldn’t like this scam, so would either contract this work out (less risk, less reward) or stay away from it completely.
So where to next?
Hustle and Flow
Let’s take a moment to appreciate the relationship of each of the players involved in the scam that we have discussed thus far:
- Scammer – deals with the Market and the Merchant. Has a stolen credit card and intends to use it to steal as much cash as possible (and still make a clean getaway)
- Market – scammer will foster a relationship with the market in order to sell goods to a buyer
- Merchant – sells goods/services to consumers. Scammer will buy goods using a stolen credit card and sell them at a discounted price to a buyer through the market. Merchant can also be the market
- Buyer – the party on the other side of the transaction facilitated by the market
If there ever was a conference where all the fraudsters sat down and discussed their strategies, then at one time or another perhaps a more strategic fraudster would present his thoughts on the weakest links in the ecosystem:
“Fellow fraudsters, blackhatters and scammers, as many of you are surely aware, we’re being hit left and right with anti-abuse and fraud detection efforts. We’re no longer in the good ol’ wild west days of the 90s, and so as much as we have to cover our tracks more than ever before, we must also improvise our methods. Make no mistake about it: knowledge and creativity will be our strongest asset if we want to be successful in the future”
He’d then present something similar to the following:
Now it’s not obvious to think like this. What’s important to remember is that all the fraudster is doing here is eliminating bottlenecks and potential risks in order to optimize his path to profit. So ultimately what the fraudster is saying is: why waste time with merchants and legitimate buyers when the enterprising fraudster can be both!
It’s really simple, deceptively so, but the scam is for the fraudster to be both the buyer and the seller and not have to depend on a merchant for a supply of goods and/or services. By selling to himself at a price that he thinks is about right, he launders the stolen credit card through the market in a manner that is quick and almost risk free.
“That’s good in theory, but where would you apply this idea?”
When you think about a fraudster being both the buyer and the seller, then certain scenarios that used to be quite puzzling suddenly become rather clear.
These markets make for prime targets. Just think about it a little: fraudsters can sell something that cost next to nothing to build (basically it’s just the cost of cycles on their CPU to build an empty app) and the market will happily onboard yet another publisher in their ever-increasing app store (now with millions of apps!).
Since the app store takes care of processing the buying and selling of the apps, it’s up to the fraudster only to make sure that each purchase he makes from himself with a stolen card (as many as possible whilst being careful not to raise any alarms) looks legitimate. The app store market will take care of the rest, and voila: credit card(s) laundered.
With this in mind, maybe now you’ll have an answer to the following question next time you are browsing around a very large app store:
“Why on earth would anyone actually pay money for this app? It just doesn’t do anything.”
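From the market's side, a publisher who is also his own buyer leaves measurable traces. The following is an added example, not code from the original post: it scores each publisher on four signals (buyers sharing a device with the publisher, chargeback rate, apps never launched after purchase, many cards on one buyer account). The record layout, the signals and the thresholds are assumptions chosen for illustration, and the data is constructed.

```python
from collections import defaultdict

# Constructed sample purchases (not from the original post). Fields:
# (publisher, buyer, card_fingerprint, buyer_device, charged_back, launches)
PURCHASES = [
    ("pub_games", "u1", "c1", "d1", False, 14),
    ("pub_games", "u2", "c2", "d2", False, 3),
    ("pub_games", "u3", "c3", "d3", True, 1),
    ("pub_games", "u4", "c4", "d4", False, 22),
    ("pub_empty", "u9", "c10", "dX", True, 0),
    ("pub_empty", "u9", "c11", "dX", True, 0),
    ("pub_empty", "u9", "c12", "dX", False, 0),
    ("pub_empty", "u8", "c13", "dY", True, 0),
    ("pub_empty", "u7", "c14", "d7", False, 5),
]
# Devices seen logging in to each publisher account (constructed).
PUBLISHER_DEVICES = {"pub_games": {"d100"}, "pub_empty": {"dX", "dY"}}

def publisher_signals(purchases, publisher_devices):
    """Per-publisher ratios that point to a seller buying from himself."""
    rows = defaultdict(list)
    for p in purchases:
        rows[p[0]].append(p)
    out = {}
    for pub, ps in rows.items():
        n = len(ps)
        cards = defaultdict(set)  # distinct cards used by each buyer account
        for p in ps:
            cards[p[1]].add(p[2])
        known = publisher_devices.get(pub, set())
        out[pub] = {
            "purchases": n,
            "shared_device": sum(p[3] in known for p in ps) / n,
            "chargeback": sum(p[4] for p in ps) / n,
            "never_launched": sum(p[5] == 0 for p in ps) / n,
            "max_cards_per_buyer": max(len(c) for c in cards.values()),
        }
    return out

def flag_self_dealing(purchases, publisher_devices, min_purchases=4):
    """Flag publishers that trip at least two illustrative thresholds."""
    flagged = []
    for pub, s in publisher_signals(purchases, publisher_devices).items():
        hits = [s["shared_device"] >= 0.5, s["chargeback"] >= 0.3,
                s["never_launched"] >= 0.5, s["max_cards_per_buyer"] >= 3]
        if s["purchases"] >= min_purchases and sum(hits) >= 2:
            flagged.append(pub)
    return sorted(flagged)
```

Requiring two signals rather than one keeps a publisher with an ordinary chargeback rate, such as `pub_games` here, out of the review queue.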