
The Critical Need to Protect Critical Infrastructure: Spotlight on Utilities

Critical infrastructure is what keeps countries running – from transportation to energy to manufacturing, these sectors are vital to a nation’s economy and national security. Protecting these organizations is a great responsibility as the consequences for negative impacts or outages can put public safety and health at risk.

CISA describes critical infrastructure as “the physical and cyber systems and assets that are so vital to the United States that their incapacity or destruction would have a debilitating impact on our physical or economic security or public health or safety. The Nation’s critical infrastructure provides the essential services that underpin American society.”

The State of Securing Critical Infrastructure Sectors

In the U.S., the mission of the Cybersecurity and Infrastructure Security Agency (CISA) includes collaborating with businesses, communities, and government at every level to make the nation’s critical infrastructure more secure, functioning, and resilient to defend against today’s threats as well as those “just over the horizon.”

CISA recently put out an advisory regarding malware targeting the energy sector, deployed by advanced persistent threat groups (APTs) intent on disrupting key infrastructure. The agency provided recommendations on how organizations can protect their data, networks and devices. Included in the guidance was changing passwords on a regular schedule and monitoring systems to identify potential threat actors. While CISA already has security standards in place, its latest recommendations reinforce the need for heightened security for critical infrastructure sectors to prevent bad actors from disrupting service and potentially threatening national security.

Recently, the U.S. government has strengthened its stance on cyber incident reporting laws and passed the Cyber Incident Reporting for Critical Infrastructure Act of 2022, which puts stricter guidance on reporting cybersecurity incidents and disclosing ransomware payments to the government. Other key aspects of the legislation include the creation of a Joint Ransomware Task Force and a Cyber Incident Reporting Council to increase cybersecurity efforts across public and private sectors.

The current state of global affairs also illuminates the need for securing critical infrastructure, with public and private organizations working together to monitor potential threats. For example, as potential attacks on critical infrastructure become more of a concern for state and local CISOs, the Commonwealth of Virginia is partnering with private sector enterprises on enhanced threat intelligence and monitoring of its energy grid as the threat of cyberattacks looms.

Spotlight On Utilities

From coast to coast, local governments are being attacked, causing significant impacts on utilities.

In Florida, a threat actor breached a city’s water treatment system and adjusted chemical levels to such a degree that the public could have been harmed. Luckily, the fraudulent and dangerous adjustment was caught and changed before any damage was done. Ultimately, the investigation concluded that a computer at the plant visited a contractor’s website that had been injected with malicious code which siphoned data including the operating system, browser type, and other kinds of information used by malware to impersonate legitimate web activity.

After the highly publicized attack in Florida, three other water treatment plant breaches in Maine, Nevada, and California came to light. Previously unreported, the attacks were included in an advisory by CISA, the FBI, National Security Agency (NSA) and the Environmental Protection Agency (EPA) about how bad actors took over the plants’ supervisory control and data acquisition systems (SCADA). The agencies warned water treatment plant leaders to be vigilant for suspicious activity and to prevent fraudulent logins by enabling multi-factor authentication (MFA) on devices with remote access to facilities.

And in March, the Brownsville Public Utilities Board (BPUB), which provides water and power to Brownsville, Texas, announced that its systems were impacted by a data security incident in which it was listed as a victim of the LockBit ransomware known for gaining access to systems via phishing emails. The attack caused a delay in showing accurate balances in customer accounts.

Attacks can not only impact operations, but also the systems that support the utility companies. For example, a ransomware attack on Baltimore city government systems disrupted customer service options including water bill payment, creating not only an organizational headache, but also causing confusion and frustration for citizens.

Unfortunately, there is a seemingly endless stream of news stories of state and local organizations that find themselves scrambling to pick up the pieces after a breach – leaving no doubt that the number of attacks on utilities (and critical infrastructure as a whole) is a major (and ongoing) concern.

How To Protect Critical Infrastructure Against Cyberattacks

CISA reported that 14 of 16 critical infrastructure sectors were hit with ransomware in 2021. It called for essential mitigations, including:

  • Restricting RDP unless operationally necessary, and if so, requiring MFA “to mitigate credential theft and reuse”
  • Reviewing the security posture of third-party vendors
  • User training to limit clicking on suspicious links and opening suspicious attachments
  • The use of strong, unique, and safely stored passwords

On this last point, it truly is simple bad habits like employees maintaining poor password hygiene that make organizations vulnerable to ransomware attacks and the account takeovers that often precede them.

Despite most organizations having strong password policies in place, SpyCloud’s analysis of exposed data tied to Fortune 1000 companies found that 64% of employees are reusing passwords. Critical infrastructure companies topped the list of industries with poor password hygiene; we identified four critical infrastructure industries where company names are among the top 3-5 most popular passwords:

  • Aerospace & defense
  • Chemicals
  • Energy
  • Industrials

It’s too soon to forget that one of the worst cyberattacks in history stemmed (in part, at least) from the use of a company name in a critical password.

Weak passwords make enterprises susceptible to ATO and ransomware, and with the stakes so high in critical infrastructure, ensuring strong password hygiene is of the utmost importance. However, keeping tabs on employees’ account security poses a substantial burden for security and IT teams.

SpyCloud’s expertise is in recapturing compromised data from the criminal underground – data from breaches, malware-infected devices, and other covert sources that no other provider has access to – and transforming that data into actionable insights for organizations to protect themselves from cyberattacks.

In our Ransomware Defense Survey of enterprises late last year, 79% of security leaders agree that news of major attacks like the one on Colonial Pipeline (which stemmed from 1 compromised password) have “significantly elevated” their organization’s concerns about weak or stolen credentials. The magnitude of the problem is huge, but there is increasing recognition of one key way to prevent ransomware: remediating credentials that have been exposed through data breaches and malware infections.

With access to exposed data from the criminal underground, SpyCloud provides the critical difference in proactively protecting infrastructure and national security. This information levels the playing field against cybercriminals who are determined to wreak havoc on the services we rely on the most.

Learn more insights about the threat of exposed employee data on critical infrastructure organizations in SpyCloud’s 2022 Fortune 1000 Identity Exposure Report.

Shining a Light on the Identity Exposure of Fortune 1000 and FTSE 100 Enterprises

Organizations around the world are ready to put the pandemic behind them, but as we know, it fundamentally changed much about our world. The momentum that propelled the digital age forward during that time meant workplaces went hybrid and employees juggled a growing number of logins. What hasn’t changed is employees’ bad passwords habits – and the crimeware tools explosion that continues to reward cybercriminals while leaving organizations more exposed.

For the third year in a row, SpyCloud has analyzed our entire database of more than 200 billion assets recaptured from the criminal underground to understand the scope of exposure among the world’s largest and most sophisticated organizations: the Fortune 1000 and London’s FTSE 100 organizations (and their subsidiaries). Our two separate 2022 reports uncovered that bad cyber hygiene crosses cultural and geographic borders.

We found some of the same patterns on both sides of the pond. Let’s take a look at some of the key findings across Fortune 1000 and FTSE 100 employees.

Rampant Password Reuse is a Shared Problem

Among both Fortune 1000 and FTSE 100 companies, we found a 64% average password reuse rate. (We calculated this rate separately for each dataset by taking the number of employees using the same exposed plaintext password across multiple sites, then dividing it by the number of all employees with exposed passwords.)
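The reuse-rate definition in the parenthesis above, implemented over a small constructed set of breach records. This is an added example, not SpyCloud’s code; the record layout (employee email, breached site, plaintext password or `None` when only a hash was recovered) and the decision to count hash-only exposures in the denominator are assumptions.

```python
from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Set, Tuple

# One recaptured record: (employee email, site the breach came from, plaintext password).
# plaintext is None when the breach only leaked a hash (an assumption about the input).
BreachRecord = Tuple[str, str, Optional[str]]

# Constructed sample data, not real recaptured records.
SAMPLE_RECORDS: List[BreachRecord] = [
    ("alice@example-corp.test", "forum.example", "Winter2021!"),
    ("alice@example-corp.test", "shop.example",  "Winter2021!"),    # same password on two sites: reuse
    ("bob@example-corp.test",   "forum.example", "correct horse"),
    ("bob@example-corp.test",   "shop.example",  "battery staple"), # distinct passwords: no reuse
    ("carol@example-corp.test", "mail.example",  None),             # hash only: exposed, reuse unknown
    ("dave@example-corp.test",  "forum.example", "ExampleCorp1"),
    ("dave@example-corp.test",  "forum.example", "ExampleCorp1"),   # duplicate record, same site
    ("dave@example-corp.test",  "shop.example",  "ExampleCorp1"),   # second site: reuse
]


def reusing_employees(records: Iterable[BreachRecord]) -> Set[str]:
    """Employees seen with the *same* plaintext password on more than one site.

    Exact string match only: close variations of a password (Winter2021! vs
    Winter2022!) are not counted as reuse under the definition above.
    """
    sites_by_password: Dict[str, Dict[str, Set[str]]] = defaultdict(lambda: defaultdict(set))
    for email, site, plaintext in records:
        if plaintext is not None:
            sites_by_password[email][plaintext].add(site)
    return {
        email
        for email, by_password in sites_by_password.items()
        if any(len(sites) > 1 for sites in by_password.values())
    }


def password_reuse_rate(records: Iterable[BreachRecord]) -> Tuple[float, int, int]:
    """Return (rate, reusing_count, exposed_count) for one dataset.

    Denominator: every employee with at least one exposed password, hash-only
    exposures included. Numerator: employees flagged by reusing_employees().
    """
    records = list(records)
    exposed = {email for email, _, _ in records}
    reusing = reusing_employees(records)
    if not exposed:
        return 0.0, 0, 0
    return len(reusing) / len(exposed), len(reusing), len(exposed)


if __name__ == "__main__":
    rate, reusing, exposed = password_reuse_rate(SAMPLE_RECORDS)
    print(f"{reusing} of {exposed} exposed employees reuse a password: {rate:.0%}")
    for email in sorted(reusing_employees(SAMPLE_RECORDS)):
        print("  remediate:", email)
```

Running the rate per dataset (Fortune 1000 and FTSE 100 separately) and then averaging is what the paragraph describes; the employees returned by `reusing_employees` are the ones a security team would prioritise for a forced reset.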

This rate is 4 points higher than the 60% reuse rate across our entire database – and a reminder why old exposures are just as damaging as new ones. For months and even years, cybercriminals can leverage these leaked credentials to launch ransomware attacks and perpetrate fraud schemes. This explains why CISOs, in particular, are growing more concerned about the high password recycling rates among their employees.

Graphic of 64% password reuse rate

Exposure From Data Breaches is Growing by Double Digits

One of the key data points we look at is the number of breach assets we’ve recaptured, which tells us the magnitude of the corporate exposure. A breach asset is an individual piece of data tied to a user that has been exposed in a breach, such as their password, phone number, or even credit rating. Cybercriminals use these bits of information in phishing and social engineering schemes to gain access into the corporate network or in fraud schemes to take over accounts and impersonate employees.

We can tie 687.23 million breach assets directly to Fortune 1000 employees and 51 million breach assets to employees of FTSE 100 companies and their subsidiaries. Each of these numbers represents double-digit growth from the previous year (26% and 29%, respectively).

We also found a staggering number of corporate email addresses and plaintext passwords in our dataset – 27.36 million pairs of credentials associated with Fortune 1000 employees and 2.75 million credential pairs associated with FTSE 100 and subsidiary employees. 

Cybersecurity experts often warn that cybercriminals’ techniques grow more sophisticated every year. While that’s true, the staggering exposure numbers indicate that malicious actors don’t need sophisticated techniques to breach corporations – why bother when they have such a bountiful cache of compromised logins?

The Financial Sector Leads the Way in PII Exposure 

Human behavior and criminal activity are not beholden to a certain geographical region, and unfortunately financial companies are giving cybercriminals equally rich opportunities to steal sensitive data and gain corporate access – thanks to their employees’ growing PII exposure.

Among Fortune 1000 companies, the financial industry has the highest PII asset exposure. The 70.78 million PII assets tied to financial companies comprise nearly 18% of the entire PII exposure of the Fortune 1000. On the other side of the pond, financials’ slice of the pie is even bigger – with the nearly 6.13 million PII assets tied to financial sector employees comprising almost 22% of total FTSE 100 PII exposure numbers.

The implications of these findings are concerning. Consumers trust financial companies with a lot of their PII and financial data, and guarding this information is a difficult task when your employees themselves have so much of their PII widely available to malicious actors who can use this information to craft detailed, credible spear phishing messages or answer security questions to reset MFA.

The More They’re Different, the More They’re the Same

We’d be remiss not to note that we did see some cultural differences reflected in our analysis. When it comes to their passwords, some Fortune 1000 employees’ favorites include variations of a certain four-letter word that’s not fit for print (which is ironic as it’s particularly popular among media companies). Their UK counterparts may be too polite, as that word doesn’t make it onto their most popular passwords list. 

What FTSE 100 employees do have an affinity for, apparently, is their royals. Their #1 password? George. (For those not up on the latest royal gossip, the adorable 8-year-old Prince George is the firstborn of The Duke and Duchess of Cambridge, otherwise known as Prince William and wife Kate).

Despite those differences, we discovered that people’s habits are people’s habits wherever they live and work. “Password” and “123456” remain equally beloved passwords on both sides. And the use of their company’s name in their passwords is out of control among both Fortune 1000 and FTSE 100 employees. This is one of the worst shortcuts employees can take – and one of the first things criminals check for when trying to guess or crack passwords with their automated tools.

The Dangers of Malware Infections

Another trend worth mentioning in both reports is the growing number of malware infections among these employees and the consumers of their companies, as the data siphoned by infostealer malware is both extensive and highly valuable on the underground. We found nearly 70,000 infected employees of Fortune 1000 companies, and over 9,500 from the FTSE 100.

Malware infections pose severe risk for companies because they continuously expose data as long as the device is not remediated. Beyond account credentials, we’re talking browser history, autocomplete data, web session cookies, screenshots, system information, and more.

While the risks of an infection on a company-owned device are obvious, an infected system at home has the potential to expose work login credentials and data — and they typically aren’t monitored by corporate security.

Final Thoughts

The trends in our reports tell us that digital identity exposure is a growing, serious problem across the globe. The most effective way of protecting your enterprise from the risks posed by exposed employee data is by protecting employees from themselves – using technology to turn recaptured data from the criminal underground to your advantage. This is especially important now that hybrid remote work is commonplace and the lines between personal and work lives continue to blur.

For more details on our findings, download the 2022 Fortune 1000 Identity Exposure Report and the 2022 London FTSE Identity Exposure Report.

Too Much, Too Little, or Just Right: How to Spot the Signs of Synthetic Identity Fraud

Synthetic identity fraud is a steadily growing risk that proves costly. The financial services industry has been hit hard, with institutions enduring $20 billion in synthetic identity losses. And with Forbes rating synthetic identity fraud as a top five cybersecurity trend to watch in 2022, it’s high time to address this threat.

Let’s dig into synthetic identity fraud, telltale signs to identify it, and how you (and your business) can detect and avoid this activity.

What Is Synthetic Identity Fraud?

Fraudsters create synthetic identities by piecing together personal information from multiple sources. These identities are a Frankenstein-like mixture of stolen or made-up Social Security Numbers combined with various addresses, names, phone numbers and a date of birth. Once they’ve created these synthetic identities, fraudsters can open new accounts, apply for credit, make big purchases, or do anything else that might establish these identities as real consumers.

It may take months or even years for a bad actor to build up their credit line based on the synthetic identity. Once they’ve reached a high enough credit limit to make large dollar purchases, they max out the credit line, stop making payments, and abandon the account. Enterprises become the victim as they attempt to recover funds in collections, only to find there is no one to contact for payment. The fraudster will move on to other synthetic identities to repeat this pattern. 

Organizations striving to increase legitimate account openings struggle to proactively detect indicators of synthetic identities, which is critical to avoiding regulatory fines from excessive fraud and money laundering attacks.

Top Signs of Synthetic Identity Fraud

The key to identifying synthetic identity fraud lies in all of the details fraudsters patch together to create their fake profiles. Here are key signs to look for to spot false identities:

Not enough information:
Just about everyone has appeared in one – or more likely – multiple data breaches at some point in their life. Analysis of SpyCloud’s data shows that the average person, if exposed in one data breach, will be included in 8-10 others, and 3-4 of those could be within a given year. These breaches expose, at minimum, an email address but often expose what criminals call “fullz” – a whole profile of personally identifiable information (PII) for an individual.

Financial institutions rely on historical evidence to validate that an account being opened or a credit application being submitted is legitimate in order to avoid potential financial losses. Uncirculated or newly created consumer emails that have never been exposed on the criminal underground can easily bypass fraud solutions with no negative history. But they should be flagged as suspicious with the potential to be part of a synthetic identity.

Too much information:
Consumers having multiple identifiers like several email addresses, a few past physical addresses, and an old phone number are not uncommon, and can be viewed as a part of a timeline of a digital identity’s lifecycle.

What causes concern is when someone can be associated with not just three email addresses but 30, and not just a mobile and home phone number but 10 phone numbers. This could be an indication that a criminal is using many different emails and burner phones, instead of a reasonable number of email addresses and phone numbers. Same goes for social security numbers (SSN) – an identifier that should be one constant number for an individual.

Too much (or inconsistent) information is just as suspicious as not enough when it comes to detecting constructed identities.

How SpyCloud Identity Risk Engine Detects Synthetic Identity Fraud

Synthetic identity fraud isn’t going anywhere and is on the rise. As criminal tactics continue to evolve, it remains one of the hardest types of fraud for organizations and their anti-fraud solutions to detect. SpyCloud Identity Risk Engine is designed to do exactly this.

What separates Identity Risk Engine from other solutions is that its user risk analysis is based on information that is not available anywhere else – data that otherwise only fraudsters have access to and share. SpyCloud rapidly recaptures data from the criminal underground, and then links billions of assets from data breaches, malware-infected devices, and other underground sources to individuals across their multiple online personas. This enables the solution to detect anomalies within a user’s information that indicate you’re dealing with a synthetic identity.

When used at entry points vulnerable to fraud in a customer account lifecycle, this API-delivered solution can be queried with as little input as an email address or phone number and provide actionable fraud risk assessments without revealing PII. Delivered in real time or off-line/out-of-band, the service returns a risk score supported by reason codes, key risk indicators, and security behavioral information – password reuse percentages, malware infections, unique counts of emails, phone numbers and names included in the digital identity, along with breach type, recency, and severity – to aid in confidently distinguishing real consumers from bad actors.

Identity Risk Engine can serve as a complement to your control framework or can be built into an existing risk engine to help organizations illuminate stolen or constructed identities, as well as predict account takeover, detect malware-infected users, and defend against new account fraud. SpyCloud helps you stay ahead of criminals, protecting your organization from avoidable, devastating fraudulent attacks that can stem from tactics including synthetic identity fraud.

Learn how you can use recaptured data to prevent synthetic identity fraud with SpyCloud Identity Risk Engine – request a demo today.

Keeping Up with Compliance: New PCI DSS 4.0 Authentication Standards and What They Mean for You

The Payment Card Industry (PCI) Security Standards Council recently released its Data Security Standards (DSS) version 4.0, which is “a global standard that provides a baseline of technical and operational requirements designated to protect payment data.”

Version 3 of the standards was released six years ago, and while there have been updates along the way, a lot has changed in the industry from a technology and security perspective; hence the need for a full version update of the standards.

Any organization that accepts, transmits or stores any cardholder data falls within the purview of PCI, and must comply with the new standards within the proper transition period. The previous version (PCI DSS v3.2.1) will be retired on March 31, 2024, and some new requirements from v4.0 will go into effect on March 31, 2025.

No matter the timing, awareness of these updates and how they apply to your organization is important to ensure both regulatory compliance and secure transactions for your customers.

What’s New in PCI DSS v4.0?

The newest version of the PCI DSS standards is designed to meet the continually changing needs of the payments industry, especially when it comes to protecting and securing transactions. As the industry evolves, so do security threats, and the updated standards are meant to enhance current security measures.

Two intriguing updated requirements – #2 and #8 – are ones we want to shed light on in particular.

Requirement 2 concerns applying secure configurations to all system components. Acknowledging that bad actors use well-known “default passwords” to easily compromise systems, the new standards now require organizations to have security standards that will “help reduce the potential attack surface.” PCI states that changing default passwords and removing unnecessary software can address this vulnerability.

With regard to Requirement 8, PCI updated the standard to help identify users and authenticate access to system components. This requirement is meant to protect against attacks by requiring strong authentication factors and providing updated guidance on password complexity. Now, the standards body’s minimum requirements for passwords/passphrases are 12+ characters (up from 7 in previous versions), including both alphabetic and numeric characters. Service providers that use passwords as consumers’ only authentication factor are also advised to update passwords every 90 days.

However, 90-day password rotation is something we at SpyCloud hoped would fade away years ago since it’s actually beneficial to criminals. When forced to create a new password every three months, human behavior defaults to reusing passwords or similar variations of the same password, which creates vulnerabilities that criminals are waiting to exploit. Therefore this requirement is one that we can’t say we agree with.

Recognizing the industry’s move to the cloud, PCI DSS v4 puts more emphasis on multi-factor authentication (MFA) and lifecycle management to incorporate additional layers of security to online payments. Key updates include requiring MFA for all accounts that have access to cardholder information, comparing prospective passwords to the list of known bad passwords, and reviewing access privileges at least once every six months.
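A side-by-side check of the password requirements as summarized above: the previous 7-character floor next to v4.0’s 12+ characters, alphabetic plus numeric, and a known-bad-list comparison. This is an added example, not PCI’s or SpyCloud’s code; the tiny known-bad list and the case-insensitive comparison against it are assumptions for the demo.

```python
from typing import Dict, List, Set

# Constructed stand-in for a breach-derived known-bad list. A real deployment would load
# a large list; "password" and "123456" are named elsewhere on this page as perennial favourites.
KNOWN_BAD_PASSWORDS: Set[str] = {"password", "123456", "password123", "welcome12345"}

# Minimum lengths as summarized above: 7 under the previous version, 12 under v4.0.
V3_MIN_LENGTH = 7
V4_MIN_LENGTH = 12


def v4_password_failures(candidate: str, known_bad: Set[str] = KNOWN_BAD_PASSWORDS) -> List[str]:
    """Return every v4.0 password requirement (as summarized on this page) the candidate fails.

    An empty list means the candidate is acceptable. Spaces are allowed so passphrases
    can be used; length is counted in characters.
    """
    failures: List[str] = []
    if len(candidate) < V4_MIN_LENGTH:
        failures.append(f"fewer than {V4_MIN_LENGTH} characters")
    if not any(ch.isalpha() for ch in candidate):
        failures.append("no alphabetic character")
    if not any(ch.isdigit() for ch in candidate):
        failures.append("no numeric character")
    # Compared case-insensitively so "Password123" cannot slip past a lowercase list
    # (an assumption about how the list is normalised, not a PCI rule).
    if candidate.lower() in {bad.lower() for bad in known_bad}:
        failures.append("found on known-bad password list")
    return failures


def passes_v3_length(candidate: str) -> bool:
    """The previous version's 7-character floor, kept only for the comparison."""
    return len(candidate) >= V3_MIN_LENGTH


def compare_policies(candidates: List[str]) -> Dict[str, Dict[str, object]]:
    """For each candidate, whether it cleared the old floor and what v4.0 rejects."""
    return {
        c: {"v3_length_ok": passes_v3_length(c), "v4_failures": v4_password_failures(c)}
        for c in candidates
    }


if __name__ == "__main__":
    # Constructed candidates: all four clear the old 7-character floor, only one clears v4.0.
    for pw, result in compare_policies(
        ["Sunny7Day", "correct horse battery", "Password123", "river 42 lantern sky"]
    ).items():
        print(f"{pw!r}: v3 length ok={result['v3_length_ok']}, v4 failures={result['v4_failures']}")
```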

Also of note with the updated requirements is the repeated reference to malware and malicious actors. PCI specifically states the updates were made “to address emerging threats and technologies and enable innovative methods to combat new threats.” The updated standards require the use of anti-malware solutions on all systems that are at risk from it; a critical step in protecting cardholder data from hard-to-detect threats.

PCI says it best: “Criminals never sleep. Ongoing security is crucial to protect payment data.” Learn how to better protect your customers from ATO and fraud with SpyCloud: request a demo today.

Enhance Payment Security with SpyCloud

At SpyCloud, we understand the importance of password security when it comes to online accounts and transactions. Our 2022 Annual Identity Exposure Report, in which we analyze the more than 15 billion credentials and PII assets recaptured from the criminal underground in 2021, uncovered a 64% password reuse rate for users with more than one password exposed in the last year.

When your consumers reuse passwords, they become easy targets for cybercriminals. Since reused passwords have been the leading vector in cyberattacks in the last few years, the updated PCI DSS guidelines, with their more stringent requirements around password length and security, are something we can get behind.

Account takeover (ATO) is a common form of fraud in which criminals use stolen credentials to gain illegitimate access to a victim’s accounts, often using credentials that have been exposed in previous data breaches. When consumers use weak or compromised passwords, criminals jump at the chance to take over their accounts and steal funds, drain loyalty accounts, and make fraudulent purchases. These activities can not only damage your brand and your bottom line, but also put you at risk for noncompliance with PCI DSS v4.0.

With Consumer ATO Prevention, you can match your consumer logins against SpyCloud’s robust database of stolen credentials and reset passwords before criminals can profit from your consumers’ accounts.

We also appreciate PCI DSS v4.0’s focus on malware, as we are seeing an increase in malware logs in our recaptured data. Information pilfered by malware-infected devices is shared in small criminal circles, private chat groups, and also posted on underground web forums. SpyCloud is able to recover this data and deliver malware intelligence to enterprises – automated feeds of infected victims’ usernames, URLs, passwords, and session cookies. This helps consumers and organizations protect themselves before criminals can leverage their stolen data for ATO, identity theft, and online fraud.

The increase in online transactions over the last few years lent itself to an explosion in online fraud, resulting in a 140% increase in the volume of fraud attacks last year compared to pre-pandemic levels. To combat this, the evolution of compliance standards to take into account the impacts of exposed passwords and other information can help protect enterprises and consumers alike. 

Proper password hygiene is paramount to a successful individual and organizational security program. To learn more about how it plays into ATO and what you can do to combat it, check out Account Takeover 101.

What To Do If My Password Was Found in a Data Breach

What should you do if your password is stolen? At SpyCloud, that’s something we think about a lot.

SpyCloud maintains the largest and most up-to-date collection of recaptured data from breaches, malware-infected devices, and other underground sources. A portion of these credentials are found in the same combo lists that criminals are using today in successful credential stuffing attacks. Others are from sources that only SpyCloud has obtained access to that help thwart account takeover (ATO) and prevent fraud before the assets are available as commodities on the criminal underground. Should your credentials ever appear in our datasets, we recommend you take immediate action to protect yourself.

But how do you know if your data has been exposed? Check your exposure here – simply enter your email address and we can tell you how many times your credentials have been found in third-party data breaches recaptured by SpyCloud on the criminal underground, as well as how recently your data was exposed.

Four Steps to Take After Your Password is Stolen

In terms of remediation, your first order of business is to change your exposed password. But that’s not all you need to do in order to contain the damage. Failure to act quickly may result in the compromise of additional accounts, especially if you reuse passwords. Even if you don’t reuse passwords, your compromised information may be enough for criminals to pivot off of to then target other accounts. We suggest following this checklist to protect yourself from potential future attacks.

Here is what to do when your password is stolen:

  1. Change the compromised password immediately. We highly recommend the use of a long, complex password containing random letters, numbers and special characters.
  2. Change all variations of the compromised password on any of your accounts and never use it again. It’s not enough to monitor other accounts using the same or a similar password for suspicious activity. 
  3. Enable multi-factor authentication (MFA) for all of your accounts where MFA is an option.
  4. Implement a password manager so all of your passwords are unique and easily managed. It’s common for people to have more than 100 online accounts, each requiring their own unique password. Most password managers auto-generate complex passwords. Any password that is easy to remember is also easy to guess – this is why the strongest passwords are generated automatically using a password manager.

Top Tips for Stronger Passwords

Password hygiene seems like a simple concept, but SpyCloud research shows a 64% password reuse rate for users with more than one password exposed in the last year. To avoid your password being compromised, follow our recommendations for stronger passwords and stronger account protection overall:

    • Choose a complex, 16+ character password or passphrase – Our testing revealed that passwords with 16+ random letters, numbers and characters, regardless of hashing algorithm used, would require centuries to crack.
    • Make passwords unique across accounts – Use a different, complex password for every online account.
    • Don’t mix business logins with personal accounts – Mixing business with pleasure means that a breach of a work site can jeopardize your personal life and vice versa.
    • Use multi-factor authentication (MFA) whenever prompted – Though MFA is not unhackable, providing something you know (a password) plus something you are (biometrics) or something you have (smartphone token) will deter most criminals.

The SpyCloud Difference

SpyCloud solutions are backed by the world’s most current and comprehensive repository of recaptured data from breaches, malware infections, and other underground sources – with billions of exposed credentials and PII. It’s the same data that fraudsters use, but we make it actionable to prevent account takeover, ransomware attacks, and online fraud.

See SpyCloud in action – request a demo today.

Connecting the Dots: Fight Organized Retail Crime (ORC) With Recaptured Data

As criminal tactics evolve, we continue to be amazed at the lengths to which bad actors will go in order to perpetuate fraud. The criminal underground is a busy place (we tracked over 3M illicit products including credentials, gift cards, and other forms of access for sale during the holiday season alone), but now we’ve got our eyes on the collision of the digital and physical worlds in the form of organized retail crime (ORC).

The ecommerce industry continues to be a prime target for fraud, and ORC is becoming more of a headache for retailers. According to surveys from National Retail Federation (NRF), the pandemic has been a contributing factor in the rise of ORC, which costs retailers an average of $700,000 per $1 billion in sales.

Let’s dig into this tactic, how it works, and how you (and your business) can defend against this fraudulent activity.

What is Organized Retail Crime (ORC)? 

Oftentimes, a news story will emerge about what is considered a “smash and grab,” where the perception might be that it’s just a few criminals trying to get some free stolen items. But what some may not realize is that these activities are often executed by a professional crew that has planned the whole process from start to finish, including staking out the store, traveling to the location, executing the crime and the getaway, and ultimately making money off the stolen goods. Law enforcement recognizes these professionals as criminal enterprises.

However, organized retail crime is not limited to seemingly elaborate robberies. As the pandemic brought about more online transactions and opportunities for fraud, criminals are also taking advantage of omni-channel approaches. Other forms of fraud related to ORC include buy online, pick up in store (BOPIS) using card-not-present transactions – where the criminal makes a fraudulent purchase online, then picks up the items in store or at curbside, which can then be resold for profit (perhaps even used as part of triangulation fraud schemes). In 2020, fraudulent BOPIS attempts grew 4x by December compared to January of that year.

It’s also necessary to broaden the term “retail” beyond what consumers might consider typical brick and mortar stores. Think of the transit of goods from distribution center to store – trucks full of pallets can also be stolen and then used in fraudulent schemes as well. Such theft of goods is known in the retail industry and to law enforcement as cargo theft.

Ultimately, a criminal’s main goal is to make money, and organized retail theft is one method of earning for a criminal enterprise. In criminal organizations, everyone involved has the potential to make a profit off the stolen property. Criminals continue to exploit vulnerabilities both in person and online.

Barriers and Challenges to Resolving ORC Cases 

When property is stolen, retail employees often start by obtaining a picture of a license plate and a description of the vehicle to share with law enforcement or their internal loss prevention or investigation teams, in hopes of catching the criminals. Large retailers typically have teams that investigate these types of crimes to develop additional evidence, but a license plate provides little information for an investigations team or law enforcement to pursue.

Not having enough or the right information can lead to frustrating dead ends when investigating ORC. Additionally, local law enforcement may be overwhelmed or not have the resources to investigate cases that have a low potential to solve.

Connecting the Dots with Physical and Digital Elements

Despite the challenges that come with resolving ORC cases, there is hope. As with any crime, criminals often leave “breadcrumbs” or clues that investigators can delve into as they seek to unmask the bad actors or tie them to other crimes. Given the right tools, these crumbs can be the key to unlocking ORC cases.

Consider that there’s a digital footprint for everyone. What if retailers could tie together both physical evidence and digital evidence to build a more solid case around ORC events? What if recaptured data from the criminal underground was used to put the pieces together? For example, while a license plate may not seem like a lot of information to kick off a legitimate case, it could open doors to additional information such as a name associated with an email address, or a social handle that could give more insights and blow the case wide open.

Putting all these pieces together, investigators can gather enough information to help law enforcement drive the case to a successful resolution.

Transform ORC Investigations with SpyCloud

Finding some potential identifying details on the criminals engaging in ORC is the only way to get these cases off the ground and make significant inroads in thwarting these criminals. To do this, retailers need a tool to combat ORC in a more robust way. 

This is where SpyCloud can help. Our recaptured data can yield a lot of artifacts that aid retailers in building profiles on bad actors engaging in ORC. SpyCloud Investigations draws on billions of records recovered from third-party breaches, enabling investigators to piece together digital breadcrumbs to identify those engaging in fraud. This kind of information can aid loss prevention and ORC investigations teams to present a more solid case to law enforcement and ultimately bring criminals to justice. Additionally, this information could identify the vulnerabilities used by the criminals to commit fraud so they can be remediated.

While the ecommerce industry remains a prime target for criminals, protecting against physical and digital acts of fraud is becoming a focus for multiple teams across the organization. From local stores to LP teams to even financial and legal teams, it’s necessary to proactively prevent ORC and other forms of fraud to protect the company’s bottom line and ensure quality consumer experiences.

Contact us for a demo of SpyCloud Investigations to see how your team can effectively combat the criminals perpetrating ORC.

Lessons Learned From the Front Lines in the Fight Against Fraud

Note: The opinion(s) expressed in this panel and blog are those of the individual panelist and not of any organization.

At the Merchant Risk Council (MRC) Vegas 2022 conference, fraud and payment professionals gathered to share best practices and lessons learned through keynote presentations and panel discussions.  

I had the opportunity to moderate the panel Working Smarter: Lessons From the Front Lines in the Fight Against Fraud, which featured the following fraud experts:

    • Dajana Gajic-Fisic, Head of eCommerce Fraud and Risk Management, JD Sports – Finish Line
    • Jordan Harris, Senior Director of Fraud Prevention, iHerb
    • Keith Thompson, Senior Manager, Fraud and Investigations, Leading Outdoor Retailer

SpyCloud’s Pete Barker (far left) leads a panel discussion with fraud prevention leaders Keith Thompson, Jordan Harris, and Dajana Gajic-Fisic at the Merchant Risk Council (MRC) Vegas 2022 conference.

We had an engaging conversation about their first-hand experiences combating fraud and the shifts in trends they’ve seen in the fraud space over the last few years. Here are some of the highlights:

Increase in Online Transactions Led to More Fraud and Abuse

As leaders in the fraud space, the panelists provided key insights on trends and experiences they’ve seen recently as a result of the pandemic. While it was no surprise that fraud has increased in tandem with the spike in online traffic and transactions, the level of abuse also increased.

“During the pandemic, we saw a switch from ‘fraud fraud’ to ‘abusive fraud,’” Jordan explained. “Criminals were constantly trying to find exploits, and while ATO is still very popular, refund abuse by far emerged as the number one criminal tactic during the pandemic. It has been quite a journey to figure out how to manage that.”

Dajana also observed an increase in abuse – not only from refund fraud, but also from bot activity, which required a shift in mindset in how to combat that fraud. Keith shared that many organizations experienced an influx of first-time customers during the pandemic, which made it difficult for companies using profiling tools to weed out fraudsters they had never seen before.

How Much Customer Friction is Too Much?

The panel observed how fraud departments are leading the way in working with other departments to ensure a seamless customer experience. Dajana noted that while her team is in charge of fraud and risk management, collaborating with customer-facing teams in the organization has been critical because while everyone has their own responsibilities and focus, at the end of the day everyone is working toward the same goal of doing what’s best for customers.

“It’s hard when you’re trying to put mitigation strategies in place; we do get pushback sometimes from other internal teams,” she said. “My team is always working on preventing fraud, but we needed to shift to a mindset that we’re here to help other teams increase revenues at minimal risk. Once we got that mindset, minimizing customer friction naturally became more important to us. Whatever process we put in place, it’s up to us to make sure we bring that revenue and do everything we can to create as little friction as possible.”

Keith starts with zero friction and works backwards, adding checks at key points in the transaction to flag abnormalities, such as checking card balances or adding credit cards to an eWallet. For example, a customer checking the balance of 15 gift cards isn’t normal, so that may be where introducing some friction becomes necessary to address the abnormal behavior from a fraud prevention perspective.

The Importance of Fraud Prevention Across the Entire Organization

Similar to the previous highlight about working together to minimize friction, collaboration is key in Dajana’s organization, where she instituted monthly digital risk meetings in which merchandising, cybersecurity, IT ops and fraud teams align on key priorities. This practice has helped with promotional launches where fraud screening is a critical component to the success of these events.

Keith echoed the value of collaboration, saying that educating the security team on how fraud happens has been important to getting alignment on how to combat criminals.

“Every team has their own focus areas, and security cares first and foremost about not getting breached. I’ve started educating my cybersecurity counterparts on what fraud is and what it looks like. Showing them step by step how fraud occurs and how we can mitigate it makes it more real to them,” Keith shared.

There’s No Silver Bullet When it Comes to Fraud Prevention

Jordan’s experience has led him to see that when it comes to fraud solutions, rigid rules that may seem cut and dried aren’t necessarily working. Ecommerce organizations need dynamic solutions that help prevent fraud earlier in the transaction process so they can protect against criminals across the entire lifecycle.

“Organizations need to have a robust identity solution that provides a complete picture of your customer the second they come to your site to detect fraudulent activity,” he said. “Having the ability to detect fraud earlier in the process versus just at checkout is crucial – so much can happen in the middle.” 

Dajana agreed, saying early fraud detection can be achieved by taking a holistic approach to monitoring the lifecycle of a transaction, which can only happen with collaboration across teams at different points in the buyer’s digital journey. 

Something that’s not being talked about much in the fraud space? Protecting customers from themselves, Keith said.

“Time and time again, I’ve seen our customers reusing passwords on our site, which leaves them vulnerable to ATO,” he said. “We’re in charge of fraud prevention, but we can also protect our customers unbeknownst to them with the fraud tools we have in place.”

This panel – and MRC 2022 as a whole – proved that fraud prevention teams are:

  1. Revenue enablers, seeking balance between what will reduce fraud and abuse while increasing revenue, and
  2. Key in fostering collaboration across the business to get ahead of fraud earlier, respond to trends faster, and ensure other teams are educated on the choices they make which affect fraud teams.
Get more insights on how ecommerce companies can proactively fight against fraud in the SpyCloud whitepaper, Reducing Identity Fraud in Ecommerce.

Dusting for Fingerprints: How New Anti-Detect Browsers Spoof Real Users with Stolen Digital Fingerprints

Modern bot-detection and anti-fraud systems rely on ‘browser fingerprinting’ to detect suspicious or potentially fraudulent traffic. Browser fingerprints are typically generated based on a user’s browser version, operating system, timezone, language settings, screen size, and many other variables. These fingerprints are fairly unique for each user and can be used to identify suspicious behavior, such as when a user’s fingerprint changes suddenly from their last login, which may trigger a security question challenge, captcha, or multi-factor authentication (MFA) prompt. 

However, we’ve observed an emerging criminal tradecraft which targets these fingerprinting anti-fraud technologies and is making use of so-called anti-detection or “anti-detect” browsers combined with stolen digital fingerprints. By spoofing a user’s specific device and cookies, a service will think that the login is coming from the genuine user. In effect, the true user won’t even receive a notification of suspicious activity or that someone else has logged into their account.

The SpyCloud Research team has been studying some of these browsers and how they can be leveraged alongside stolen credentials and cookies to bypass MFA and easily log into targeted accounts. 

Bot Marketplaces at a Glance

Before using an anti-detect browser, more and more criminals are first shopping for stolen digital identities on bot marketplaces. “Bots” – packages of stolen logins, cookies, browser fingerprints, and other metadata that can be used to reproduce a victim’s browser fingerprint – are the by-product of infostealer malware such as RedLine, Raccoon, and Vidar. This type of malware is designed to steal cookies, saved browser passwords, credit card numbers, crypto wallets, and system information from a victim’s machine.

Some of the most popular bot marketplaces in the underground include Genesis, 2easy, and Russian Market. As of February 2022, there were more than 430,000 stolen identities for sale on Genesis Marketplace.

Each fingerprint for sale on most underground markets provides all of the login, IP, cookie, and system details necessary to plug into an anti-detect browser and mimic that victim on various websites with minimal effort.

Figure 1: Screenshot of Genesis Market

Case in point: Genesis Market was allegedly used by criminals in June 2021 to breach Electronic Arts via a purchase made for $10 on the underground site. The purchase of the previously compromised login and cookie allowed the criminal to impersonate the EA employee via their Slack login and trick IT support through social engineering.  

Why Are Criminals So Interested in Cookies?

Device or session cookies are often used by online sites to remember a legitimate user’s device or browser. Especially on financial and ecommerce sites that require MFA every time the account is accessed from a new device, there’s an option to “remember this device” so that the user isn’t hassled with an MFA prompt each time.


Figure 2: MFA prompt example

Criminals know the value of these cookies, and if they’re stolen from an infected user, they can be used to impersonate that user’s trusted device and bypass MFA altogether. In some cases, if the session cookies are still active, a criminal might not even be prompted to log in at all, keeping it invisible to the user that their device is infected.

What Exactly Are Anti-Detect Browsers?

Anti-detect browsers are browsers that make use of code from well-known open-source browsers like Chrome and Firefox and obscure the true digital fingerprint of the criminal’s device. Additionally, they can present false data mimicking a victim, down to the user agent, operating system, screen resolution, fonts, and other information.

Users can configure what metadata is or is not advertised externally, such as IP address, user agent strings, headers, screen size, operating system, device name, WebRTC and other signatures. More advanced fingerprint signatures include JavaScript version, plugins, fonts, MIME types and others.

Popular Anti-Detect Browsers

Let’s take a closer look at some of the more prevalent anti-detect browsers being used by cybercriminals.

Genesis Security and Genesium Browser

Figure 3: Genesis Security and Genesium Browser screenshot

The anti-detect browser provided by Genesis Market, called Genesium Browser, is a Chromium-based browser stripped of any code that would normally be used for advertising purposes. Additionally, there is a Chrome plugin available which provides the same functionality, called Genesis Security Plugin. On the Genesis Market alone, users can find configuration packages for popular services such as Twitter and Spotify. The suite of features offered by the Genesis browser can allow criminals to access victims’ accounts virtually unnoticed. 

Figure 4: Genesium Browser example

Figure 5: Genesis Security example

Linken Sphere

Another popular Chromium-based anti-detect browser, Linken Sphere, utilizes “intelligent timing” to mimic real user behavior. Linken Sphere’s developer, Tenebris, attests that it was created for legitimate purposes such as penetration testing, social media market research, deal-hunters, and privacy-minded users. However, a verified member of the Tenebris team reportedly announced the release of the tool on well-known cybercriminal communities, such as Exploit, Verified, Korovka, and Maza. In fact, Linken Sphere’s current official webpage includes affiliate links to online fraud communities WWH Club and Exploit[.]in for the purpose of advertising positive reviews of the tool. Linken Sphere boasts many next-generation features oriented towards users who seek a solution that is stealthy, usable and secure. 

Figure 6: Linken Sphere screenshot

Linken Sphere operates by default in “off-the-record” (OTR) mode and features automatic updates and AES-256 encryption. The browser also does not utilize any Google hidden services and connects to the internet using a suite of various protocols, including HTTP, SOCKS, SSH, Tor, Tor + SSH, and dynamic SOCKS. Each Linken Sphere session creates its own configuration automatically, eliminating the need for users to operate various virtual machines. Linken Sphere also saves browser fingerprints and cookie files after each session ends, which allows the user to resume a saved session without the need to switch back and forth between virtual machines.

Linken Sphere contains a built-in geolocation database via a license integration with GeoIP2 MaxMind, which allows users to configure custom time zones and locations. The tool’s WebEmulator feature collects needed cookies automatically between sites in the background. 

Linken Sphere also has an associated webpage called “Fake Vision” which privacy-conscious users can use to check their OPSEC. The website displays the signatures that are detected while using Linken Sphere, allowing users to assess their real-life exposure and fix any privacy issues before using the browser.

ANTbrowser and Fraudfox

Other anti-detection browsers such as ANTbrowser leverage Firefox, while browsers like Fraudfox are based upon multiple browsers for enhanced operability. 

Figure 7: Screenshot of ANTDetect’s profile editor interface, in which each profile represents a unique device, allowing users to have an unlimited number of “computers” in one window.

Fraudfox, another next-generation browser, offers users a Windows 7 Enterprise-based virtual machine, which it touts is compatible with VMware Workstation, VMware Fusion and VirtualBox.


Figure 8: FraudFox interface for switching between spoofed browser profiles

According to the FraudFox website, users can “easily move/copy it from one location to another, store it online or on your top secret USB.”

“Our unique engine uses 3 different browsers for achieving the best results. This means that when starting a Chrome based profile, a Chrome browser will be used, while launching one with IE selected, Internet Explorer will launch. This little change gives you a huge difference in your anonymity.”

Figure 9: Screenshot of FraudFox’s user interface

SpyCloud has analyzed additional anti-detect browsers such as Indigo Browser, Multilogin, Ghost Browser, Accovod, Kamaleo and Sw Spy Browse. We have observed hacked residential proxies and botnets being used by these browsers to mimic actual user IP locations.

How Can SpyCloud Help?

As cybercriminals become more savvy with exploiting stolen session cookie data from malware-infected devices, enterprises need more protection than just differentiating a bot from a human – they need comprehensive visibility into infected users so they can mitigate the risk of hijacked sessions.

That’s why we developed SpyCloud Session Identity Protection, which provides early warning of malware-infected consumers to stop session hijacking and fraud from trusted devices. By checking your users against our continuously updated feed of compromised session cookies, you can proactively protect them before criminals are able to leverage stolen browser fingerprints to access their accounts.

Each month, SpyCloud’s security teams recapture thousands of botnet logs and parse out the compromised cookies. From this data, we provide the compromised cookies relevant to your consumer-facing domains via API so you can:

    • Invalidate any active sessions identified by a compromised cookie
    • Identify consumers infected by infostealers (sometimes well before their credentials on your site are even stolen)
    • Protect high-value accounts from attackers leveraging stolen cookies to mimic trusted devices
    • Flag user accounts with known compromised devices for increased scrutiny of future logins/transactions (regardless of cookie expiration time)
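As an added example (not SpyCloud’s code, and not assuming the format of its API), the following session store combines the fingerprint-drift check described under “Dusting for Fingerprints” with a compromised-cookie feed like the one listed above: a cookie that appears in the feed invalidates its session and flags the account, while a fingerprint change alone triggers an MFA step-up. The feed contents and all cookie values are constructed for the example.

```python
import hashlib
import json
from dataclasses import dataclass, field

FINGERPRINT_FIELDS = ("user_agent", "os", "timezone", "language", "screen")


def _sha256(value: str) -> str:
    return hashlib.sha256(value.encode()).hexdigest()


def fingerprint(attrs: dict) -> str:
    """Reduce the browser attributes the post lists to one stable hash."""
    canonical = json.dumps({k: attrs.get(k, "") for k in FINGERPRINT_FIELDS}, sort_keys=True)
    return _sha256(canonical)


# Constructed stand-in for a compromised-cookie feed: SHA-256 hashes of
# "remember this device" cookie values siphoned by infostealer malware.
# Only the hash is stored so the feed itself never holds usable cookies.
COMPROMISED_COOKIE_HASHES = {
    _sha256("sess-8f3a-victim-laptop"),   # constructed value
    _sha256("sess-c21e-victim-phone"),    # constructed value
}


@dataclass
class Session:
    user: str
    cookie: str
    fp: str            # fingerprint recorded when the device was remembered
    active: bool = True


@dataclass
class SessionGuard:
    compromised: set
    sessions: dict = field(default_factory=dict)      # cookie value -> Session
    flagged_users: set = field(default_factory=set)   # accounts seen with a stolen cookie

    def remember_device(self, user: str, cookie: str, attrs: dict) -> None:
        self.sessions[cookie] = Session(user, cookie, fingerprint(attrs))

    def _revoke(self, s: Session) -> None:
        s.active = False
        self.flagged_users.add(s.user)

    def sweep_compromised(self) -> list:
        """Batch pass over the store: invalidate every active session whose
        cookie is in the feed and flag its user. Returns the affected users."""
        hit = []
        for s in self.sessions.values():
            if s.active and _sha256(s.cookie) in self.compromised:
                self._revoke(s)
                hit.append(s.user)
        return hit

    def evaluate(self, cookie: str, attrs: dict) -> str:
        """Decision for one request carrying a remembered-device cookie."""
        s = self.sessions.get(cookie)
        if s is None or not s.active:
            return "login_required"
        # A stolen cookie replayed from an anti-detect browser carries the
        # victim's exact fingerprint, so the drift check below would pass;
        # the feed lookup is what catches it.
        if _sha256(cookie) in self.compromised:
            self._revoke(s)
            return "login_required"
        if fingerprint(attrs) != s.fp:
            return "step_up_mfa"          # device changed since it was remembered
        if s.user in self.flagged_users:
            return "step_up_mfa"          # known-infected account: extra scrutiny
        return "allow"


if __name__ == "__main__":
    victim = {"user_agent": "Mozilla/5.0 (Windows NT 10.0)", "os": "Windows 10",
              "timezone": "America/Chicago", "language": "en-US", "screen": "1920x1080"}
    guard = SessionGuard(compromised=COMPROMISED_COOKIE_HASHES)
    guard.remember_device("alice", "sess-8f3a-victim-laptop", victim)
    print(guard.evaluate("sess-8f3a-victim-laptop", victim))   # login_required
    print(sorted(guard.flagged_users))                          # ['alice']
```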

Existing anti-fraud solutions offer a fragmented overview of user activity, often designed to determine if a user is a bot or a human. Session Identity Protection is the only solution to expand on standard fraud and browser checks to identify consumers whose session or trusted device cookies have been compromised or collected by malware. 

Learn how you can prevent fraud from compromised web sessions using Session Identity Protection, powered by SpyCloud’s industry-leading malware intelligence.

Top 5 Takeaways from SpyCloud’s Annual Identity Exposure Report

SpyCloud’s 2022 Annual Identity Exposure Report dropped and is chock full of thought-provoking insights.

This year’s report expanded on previous years’ reports in which SpyCloud focused mainly on credential exposures. But as we’re seeing exposed personally identifiable information (PII) put more users at risk of identity fraud, our report sheds light on the kinds of data frequently leaked in breaches and siphoned from malware-infected devices that enable the creation of synthetic identities and other forms of fraud: social security numbers, credit card information, location data, marital status, and income level. So while credentials are a critical component of our recapture efforts, this year we also spotlighted the dangers of exposed PII.

The 2021 findings from our researchers prove that every year, digital identity exposure risk grows by leaps and bounds. The 1.7 billion exposed credentials, the 64% password reuse rate, the 13.8 billion recaptured PII records – all these data points and others show an increase from previous years.

Let’s take a closer look at the key takeaways from the 2022 SpyCloud Annual Identity Exposure Report:

Personally Identifiable Information (PII) – Just What the Fraudster Ordered

We continue to be amazed at the growing amount of PII that is available in the criminal underground. In 2021, SpyCloud recaptured 13.8 billion PII assets, a 200% increase from 4.6 billion the year before. This brings the total in our database to 44.7 billion pieces of PII. From names and social security numbers to birth dates and social media handles, fraudsters have a plethora of information at their fingertips to wreak havoc on enterprises and consumers.

PII recaptured in 2021

PII exposures make it all too easy for cybercriminals to piece together synthetic identities, which in turn are used to perpetuate other fraudulent activities. These activities are on the rise, especially in the financial services and ecommerce industries, with financial institutions alone enduring $20 billion in losses due to synthetic identity fraud in 2020. As losses related to fraud can be crippling, organizations are in dire need of fraud solutions that help identify a legitimate customer versus a criminal.

Eye-Opening Top Password Trends 

Credential pairs (email addresses or user names + passwords) continue to be the most highly sought after and lucrative asset in the criminal underground. And last year alone, we recaptured more than 1.7 billion of them. This year’s report includes password insights that would make any security professional cringe.

Are people still reusing the same password across multiple accounts? Unfortunately, yes – one of the most intriguing insights we gleaned from our analysis was this year’s password reuse rate: we observed a 64% password reuse rate among users exposed in 2+ data breaches last year, a 4-point jump from the prior year.

And are people still really using “password” as their password? Also yes. Despite efforts to encourage widespread education on cyber hygiene, “password” is one of the top three reused passwords of 2021. Make sure none of your passwords are on this list:

top 100 reused passwords of 2021

Are pop culture references still prevalent in passwords? You bet. It was no surprise when our recaptured data revealed millions of passwords incorporating popular topics. A huge pop culture influence on passwords in 2021 came from the Marvel franchise, with Loki, Falcon, and Wanda appearing frequently as keywords in exposed passwords. Political terms, pandemic themes, and sports team names also made appearances.

Popular passwords in the year 2021; keywords include Jeopardy, Mask, Marvel, Virus, Astros, Pandemic, and more.

Malware Data is on the Rise in the Criminal Underground

Not only is malware responsible for the fraud that’s hardest to proactively detect, it also poses the highest exposure severity for both consumers and enterprises. Once devices are infected, keystrokes and system information are siphoned, exposing details ranging from login credentials and browser history to geolocation, installed software, autofill info, and even web session cookies. This information can be used for account takeover (ATO), impersonating users with browser or device fingerprints, or bypassing fraud controls (including MFA) completely using stolen cookies.

Malware-siphoned data is becoming quite the hot commodity on the criminal underground. In 2021, we noticed a surge in infostealer (information-stealing malware) logs being distributed and shared on various forums and chat groups. In particular, RedLine Stealer accounted for more than 50% of all infections that we analyzed, followed closely by Raccoon, Vidar, and a handful of other malware families.

To help combat the effects of malware, we have sorted and parsed hundreds of thousands of post-infection bot logs resulting in hundreds of millions of stolen credential records over the last 12 months. This information helps our customers devalue the data faster and contain the potential damage.

Notable Breaches of 2021 Span Industries

From telecom to tech to entertainment, seemingly no industry was immune from breaches last year. In 2021 alone, SpyCloud recaptured data from 755 breaches with an average breach size of 6.7M records.

Breach collection count 2021, showing that SpyCloud collected 755 breaches with an average size of 6.7 million records each

This year’s report includes highlights from some of the year’s most notable breaches, spanning industries and geographies. While not all breaches make the headlines or get blasted in the media, they nonetheless have significant impacts on enterprises and consumers.

And not all breaches are equal in size: the largest breach included in our report consists of more than 501 million scraped Facebook user profiles from more than 100 countries that were posted on a hacking forum. At the opposite end of the spectrum, we also note a leak of 137,386 records stolen from a UK weapons marketplace and sold on the criminal underground. While this marketplace breach pales in comparison to the Facebook scraped profiles breach, the bottom line is that sensitive data is constantly being leaked, affecting hundreds of millions of people around the world and revealing extremely sensitive information. The results can be even scarier than the breach size might imply.

How the “New Normal” Correlates With the Surge in Fraud and Ransomware

As the pandemic drove consumers and employees online and thrust enterprises and consumers into a “new normal” way of life, the threat landscape expanded exponentially with increased digital transactions and the need to work from home. More digital identities breed more opportunities for cybercriminals.

Hit hard during these times were financial institutions and ecommerce organizations. The costs of fighting fraud rose accordingly, and for every $1 of fraud, U.S. financial services spent $4 in 2021, compared to $3.64 in 2020 (and $3.25 in 2019). Fighting fraud also got more expensive for ecommerce merchants, rising from $3.36 in 2020 to $3.60 for every $1 of fraud.

But fraud isn’t the only challenge that resulted from this “new normal” – ransomware also continues to run rampant. In a SpyCloud survey of IT security professionals, 72% reported that their organization was affected by ransomware in the previous 12 months. Nearly one-fifth said they experienced 6 or more ransomware incidents during that time. Just one exposed password is enough to bring a business to its knees with data loss, financial impacts, and hits to brand reputation.

The findings from our researchers prove that the risk from digital identity exposure increases every year. The intertwining of personal and work lives, along with the expanding digital footprint, will continue to accelerate the rates of online fraud. 

We’ve found that the most effective way of protecting your enterprise from ATO, ransomware, and online fraud is to combine human intelligence, technology, and a breadth of recaptured data from the criminal underground to proactively stop fraud before it occurs. Individuals can help fight cyber threats by ensuring their passwords are strong and unique and by implementing MFA where possible.

Download the full 2022 Annual Identity Exposure Report for additional insights from the analysis of our recaptured data, including a closer look at government risk, a deeper dive on RedLine Stealer, and more year-over-year trends.

Fraud Prevention

Three’s a Crowd: Breaking Down Triangulation Fraud

We’ve seen cybercriminals get more savvy in their techniques to defraud people and businesses. From ATO to malware, their tactics are not only getting more sophisticated and sneaky, they’re also causing significant financial impact, with losses due to ecommerce fraud reaching an estimated $6.4 billion last year.

Lately, we’ve seen an increase in a different approach fraudsters are taking: triangulation fraud. While triangulation fraud isn’t new, it is something both retailers and consumers should be aware of as online shopping continues to boom. Let’s dig into this tactic, how it works, and how you (and your business) can avoid getting caught up in this activity.

Identifying the Main Players

There are three key players in the triangulation fraud scenario:
  1. The criminal who posts merchandise well below market value on a secondary marketplace such as an auction site.
  2. A customer who purchases the merchandise.
  3. The retailer who receives an order from the criminal, paid for with a stolen credit card.

How Triangulation Fraud Works

Let’s explore a common example of triangulation fraud.

A legitimate customer wants to buy a product – let’s say an insulated tumbler. They go online and find the item they want for sale on the typical retail site they use, but they decide to look for the product on other sites to see if there is a better price. The customer finds the tumbler on a trusted marketplace site for a cheaper price with free shipping – what a deal! They click ‘buy now’ and place the order, paying via PayPal.

Unbeknownst to the customer, they have actually purchased the product from a cybercriminal running a fake storefront. The fraudster receives their order through the marketplace, then goes to the legitimate retail site and places the order using the customer’s name and shipping address, along with stolen credit card information to pay for the item. The retailer fulfills the order, sending the tumbler to the customer.

In the end, the customer gets their tumbler and the fraudster banks the marketplace payment, but this is far from a win-win situation.

Who Are the Victims?

When it comes to triangulation fraud, there are several victims. First, the customer may look like an innocent bystander, but they were unknowingly drawn into fraudulent activity: their name and shipping address now sit on a retail order paid for with a stolen card. They are not to blame, but they were still taken advantage of.

But there is another victim in this scenario: the cardholder whose card details were compromised. Their information is used without their knowledge or consent and is likely circulating on the criminal underground. When they dispute the fraudulent charge on their account, the retailer is left responsible for the chargeback.

That said, retailers take on most of the loss. While the cybercriminal pockets the marketplace payment, the retailer is left “holding the bag,” so to speak: the chargeback on the stolen card plus the cost of the merchandise that has already been shipped.

Tips to Mitigate Triangulation Fraud

If you are a consumer, consider the age-old saying, “If it’s too good to be true, it probably is!” If you come across an item for sale online that you think is a “steal,” it more than likely is. Be wary of goods that could potentially be counterfeit or stolen.

Also, when perusing marketplace sites, be sure to take into account the seller information before making a purchase – is this a seasoned seller with stellar reviews, or is this a new seller with little to no ratings? If it’s the latter, there’s a possibility you could be buying from a fraudster rather than a legitimate seller.

Merchants’ fraud monitoring can flag potential triangulation fraud by looking for:

    • A bill-to address that differs from the ship-to address
    • Device IDs and IP addresses with poor reputation
    • A high velocity of orders from a single bill-to address to many different shipping addresses
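As an added illustration, and not code from the original post or from any SpyCloud product, the following Python sketch applies the three indicators above to a set of constructed orders. It also adds one generalisation beyond the text: the same sliding-window fan-out check keyed on the device ID rather than the bill-to address, which catches a fraudster who rotates stolen cards (and therefore bill-to addresses) from a single device. All order records, addresses, card numbers, device IDs, IP addresses, reputation lists and thresholds are made up for the example.

```python
"""Scoring ecommerce orders for triangulation-fraud indicators (constructed example)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Order:
    order_id: str
    placed_at: datetime
    bill_to: str      # billing address, assumed already normalised
    ship_to: str      # shipping address, assumed already normalised
    card_last4: str
    device_id: str
    ip: str


# Hypothetical reputation lists; a real deployment would consult a reputation feed.
BAD_IPS = {"203.0.113.7"}
BAD_DEVICES = {"dev-ffff"}

WINDOW = timedelta(hours=24)
MAX_SHIP_TO = 3  # flag when one bill-to address or one device fans out to MORE than this many ship-to addresses in WINDOW


def address_mismatch(order: Order) -> bool:
    return order.bill_to != order.ship_to


def bad_reputation(order: Order) -> bool:
    return order.ip in BAD_IPS or order.device_id in BAD_DEVICES


def fan_out(orders, key):
    """Sliding-window fan-out check.

    Groups orders by key(order); within each group, walks orders in time order and
    keeps a trailing window of length WINDOW. Whenever the window holds more than
    MAX_SHIP_TO distinct ship-to addresses, every order in the window is flagged.
    Returns the set of flagged order_ids.
    """
    groups = defaultdict(list)
    for o in sorted(orders, key=lambda o: o.placed_at):
        groups[key(o)].append(o)
    flagged = set()
    for group in groups.values():
        start = 0
        for end, o in enumerate(group):
            while o.placed_at - group[start].placed_at > WINDOW:
                start += 1
            window = group[start:end + 1]
            if len({p.ship_to for p in window}) > MAX_SHIP_TO:
                flagged.update(p.order_id for p in window)
    return flagged


def score_orders(orders):
    """Return {order_id: [reason, ...]} for every order with at least one indicator."""
    bill_to_velocity = fan_out(orders, lambda o: o.bill_to)
    device_fan_out = fan_out(orders, lambda o: o.device_id)
    reasons = defaultdict(list)
    for o in orders:
        if address_mismatch(o):
            reasons[o.order_id].append("bill-to/ship-to mismatch")
        if bad_reputation(o):
            reasons[o.order_id].append("low-reputation IP or device")
        if o.order_id in bill_to_velocity:
            reasons[o.order_id].append("one bill-to address shipping to many addresses")
        if o.order_id in device_fan_out:
            reasons[o.order_id].append("one device shipping to many addresses")
    return dict(reasons)


# Constructed sample orders. CARDHOLDER_1/2 are the billing addresses of two stolen cards;
# the fraudster (device dev-9999) enters them as bill-to and ships to marketplace buyers.
T0 = datetime(2022, 6, 1, 9, 0)
CUSTOMER = "4 Pine Rd, Boise ID 83702"
CARDHOLDER_1 = "12 Oak St, Austin TX 78701"
CARDHOLDER_2 = "9 Elm Ave, Denver CO 80202"
SAMPLE_ORDERS = [
    Order("o1", T0, CUSTOMER, CUSTOMER, "0001", "dev-0001", "192.0.2.10"),                     # ordinary order
    Order("o2", T0 + timedelta(hours=1), CUSTOMER, "77 Lake Dr, Tampa FL 33602", "0001", "dev-0001", "192.0.2.10"),  # gift
    Order("o3", T0 + timedelta(hours=2), CARDHOLDER_1, "1 A St, Reno NV 89501", "4242", "dev-9999", "198.51.100.5"),
    Order("o4", T0 + timedelta(hours=3), CARDHOLDER_1, "2 B St, Tulsa OK 74103", "4242", "dev-9999", "198.51.100.5"),
    Order("o5", T0 + timedelta(hours=4), CARDHOLDER_1, "3 C St, Erie PA 16501", "4242", "dev-9999", "198.51.100.5"),
    Order("o6", T0 + timedelta(hours=5), CARDHOLDER_1, "4 D St, Waco TX 76701", "4242", "dev-9999", "198.51.100.5"),
    Order("o7", T0 + timedelta(hours=6), CARDHOLDER_2, "5 E St, Ogden UT 84401", "1881", "dev-9999", "198.51.100.5"),  # second stolen card
    Order("o8", T0 + timedelta(hours=7), "6 F St, Gary IN 46402", "6 F St, Gary IN 46402", "7777", "dev-0003", "203.0.113.7"),
]

if __name__ == "__main__":
    for order_id, why in sorted(score_orders(SAMPLE_ORDERS).items()):
        print(order_id, "->", "; ".join(why))
```

Note that a bill-to/ship-to mismatch on its own (o2, a gift) is a weak signal, and per-bill-to velocity misses o7 because the fraudster switched to a second stolen card; it is the combination of indicators, and correlation on the device, that separates the triangulation orders (o3 to o7) from ordinary customers.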

The truth is that not all anti-fraud solutions help mitigate triangulation fraud. The ability to distinguish legitimate customers from cybercriminals is the #1 need I hear when talking to my colleagues in ecommerce.

That’s why we developed SpyCloud Identity Risk Engine. SpyCloud now provides ecommerce companies what no other anti-fraud and identity verification solutions can: actionable, predictive fraud risk assessments based on breach data and malware-stolen credentials, recaptured from the criminal underground – getting us closer to a true 360° view of consumers’ risk.

The ecommerce industry has seen a 140% increase in the volume of fraud attacks last year compared to pre-pandemic levels, and needs a new framework to get ahead of schemes such as triangulation fraud. With the ability to make fast, accurate fraud decisions with a higher degree of confidence using Identity Risk Engine, merchants can better discern legitimate customers from fraudsters, which reduces chargebacks, improves accuracy, and decreases manual reviews.

For more insights on how ecommerce companies can proactively address fraud, download Reducing Identity Fraud in Ecommerce.