Digital Shadows, the industry leader in digital risk management, revealed its findings on the changing habits and tactics of organized credit card fraud gangs, discovering a new trend in the form of remote learning “schools.”
According to a press release, these schools, available to Russian speakers only, offer six-week courses consisting of 20 lectures with five expert instructors. The course includes webinars, detailed notes and course material. In exchange for RUB 45,000 ($745) (plus $200 for course fees), aspiring cyber criminals have the potential to make $12,000 a month, based on a standard 40-hour working week.
Some of the advice given in the courses includes how to manipulate people through knowledge of their local area in order to build rapport and trick targets into exposing information (such as PIN numbers), usually over the phone.
Given that the average Russian monthly wage is less than $700 a month, cyber criminals could make nearly 17 times more than they would in a legitimate job. And these criminals are going after a potentially lucrative market. In just two of the most popular ‘carding’ forums, 1.2 million cardholder details are on sale for an average of $6 each, with prices varying depending on the level of security associated with the card and cardholder.
“The card companies have developed sophisticated anti-fraud measures, and high-quality training like this can be seen as a reaction to this,” said Rick Holland, VP Strategy at Digital Shadows. “Unfortunately, it’s a sign that criminals continually seek to lower barriers to entry, which then put more criminals into the ecosystem and cost card brands, retailers and consumers. However, the benefit is that the criminals are increasingly exposing their methods, which means that credit card companies, merchants and customers can learn from them and adjust their defenses accordingly.”
The research found that credit card criminals fall into four main groups: payment card data harvesters that do the “dirty work” of harvesting the card information through point-of-sale malware, skimming devices, phishing, breached databases or operating botnets; distributors that act as the “middle men” and typically make the most money; fraudsters who acquire the payment card information from the distributor; and monetization, which includes those who have been duped into operating drop addresses and those involved in the reselling of fraudulently acquired goods.
“This ecosystem is highly complex and international,” Holland said. “At each stage, it creates victims – from the card industry that loses $24 billion a year, to consumers who are frequently duped into revealing their card details. One of the key themes that stood out for us is the level of ‘social engineering’ criminals are now using. Aggressive and manipulative phone calls to victims to reveal PIN numbers is just one example of this.”
Digital Shadows recommends that consumers protect themselves from fraud by being wary of job postings that offer well-paid jobs re-shipping goods, often with the offer of working from home; never sharing their PIN over email or phone; ensuring that any new place they shop with uses 3D Secure; and checking their statements carefully.