How the Grinch Carded Your Customers
This year, credit card fraud is down even though millennials are scoring more deals online.
Here’s what that means for your organization.

How the Grinch Carded Your Customers
December 18, 2018 Nate Pruitt
How the Grinch Carded your Customers

December has come once again and cyber security teams across large retailers know what that means: more online fraud. Online retail sales this year increased drastically with Cyber Monday bringing in an unprecedented $7.9 billion. But as retailers rejoice, cybercriminals are readying their exploits, performing reconnaissance, and fine-tuning their methods. The threat level had already been increasing steadily ahead of the 2017 holiday, which saw a 57.5 percent increase in attempted cyber attacks on retailers. That’s an additional increase on top of the 21.5 percent increase observed after 2016.

The threat level for cyber attacks during the 2018 holiday shopping season is–once again–set at an all-time high. Mass migrations of the retail market from in-store shopping experiences to the convenience of online shopping from are only encouraging innovations in fraudster tradecraft. An influx of young consumers has entered the marketplace. Just as retailers have taken notice and offered more online deals, the retail fraud community has adjusted its game plan accordingly. Here’s how retailers can reposition themselves to defend against fraud losses this year–and avoid holiday bargains of the unintended kind.

New Victims, New Tradecraft

The way we shop is changing. In 2018, approximately 31% of consumers were projected to shop on Cyber Monday, which represents a 4% increase from last year. Black Friday turnout, however, remained constant at last year’s projected 44% turnout rate. In-store shopping was projected to decrease from last year, with eleven percent of Millennials planning to shop exclusively online compared to just 7% of non-Millennials.The in-store “doorbuster” style Black Friday affairs have given way to Cyber Monday deals and mass closures of the brick-and-mortar retailers of yesteryear have been closing rapidly. Cybercriminals have adjusted their tactics, techniques and procedures (TTP’s) accordingly.

One may guess that this adjustment would, in turn, cause an increase in the card-not-present credit card fraud often found in online transactions. This type of credit card fraud utilizes “fullz” (information required to validate one’s identity enough to make a successful credit card purchase) along with a stolen credit card number and CVV code. But the opposite has actually shown to be the case. Last year, credit card fraud fell by 42% during last year’s holiday shopping weekend. That’s a 17% decrease from 2016’s holiday shopping season, which is significant considering that credit card fraud comprised 59% of all fraud. This may be due to the ubiquity of the EMV chip in credit cards, which make carrying out physical credit card fraud more difficult. But in making online credit card fraud more difficult, EMV chips have raised the value of fullz. The chip combats fraud because it contains a cryptographic key which verifies the legitimacy of the card via the generation of a one-time code. This one-time code, unlike a CVV, is ephemeral, and therefore can’t be used again and again across multiple transactions. SpyCloud recently published content on the evolution of fullz thanks to security measures like EMV in our blog post The New Identity Crisis.

As more shoppers move online so too have criminals. The exchange below shows a credit card fraud method on the dark web forum Dread in the “Fraud” SubDread. You can read more about Dread and other dark web communities in our blog The New Dark Markets.

How the Grinch Carded Your Customers -2

Online credit card fraud method posted to the Dread dark web forum.

This fraud method was posted just before Thanksgiving. It is designed specifically to target retailers. The method first advising using a clean socks5 proxy or SSH to hide the originating IP address and other identifying information while carding. The guide explains how fraudsters can social engineer passcodes for verification purchase verifications if the website displays “VBV” or “MCSC” on its website. VBV stands for “Verified by Visa” while MCSC stands for “Mastercard SecureCode.” Both are mechanisms designed to actually keep fraudsters from successfully carding online by allowing cardholders to use a one-time code to verify their purchases if anything seems off. A new device or location, for example, might tip off a possible fraud alert just like an in-store transaction in a far-away location would. The author of this guide advises that VBV and MCSC can be bypassed if the fraudster has the cardholder’s SSN and can use it to change the phone number that the secure codes are sent to. In this way, the fraudster receives the secure code meant to be received by the cardholder to ensure a successful transaction.

How the Grinch Carded Your Customers - 3

Stripe’s fraud rules

The guide’s author also advises that some retail websites–like those selling clothes and watches–don’t check risk scores and blacklists, making it easier for criminals hiding behind often contaminated proxy IP’s to make purchases successfully. This also goes for “drop” addresses which have been used once before. The author even suggests going to websites like authorize.net and stripe.com–online payment processors for online business–to check that their rules can be circumvented by the carder. The author advises that shop’s which don’t use Radar’s “all” rule–are “easier to card.”

The method instructs fraudsters that harder-to-targets websites like Amazon.com are best carded with ATO’d accounts with solid order histories ahead of a busy shopping season (such as Cyber Monday). “If the website [sees that the buyer] has order history with them they pass the order without any hesitation.” For these types of purchases, the guide also suggests fraudsters operate from a country-specific IP address and use a private e-mail account instead of a free webmail service. The author even brags that he’s ordered something off of Microsoft.com using someone else’s credit card. “If you can’t manage to get [a private e-mail account]”, he writes, “use some [less-known] domains as I’ve carded Microsoft.com with mail.ru email xD.” The guide goes on to offer additional tips on OPSEC, social engineering banks in order to push transactions, and using fullz to make invoices to card later using legitimate emails. “Card anything you want to card”, he writes, “there is a market for everything from digital activation codes to selling phones or electronics.”

The fraud guide elicited several positive responses, especially from those looking to score Black Friday and Cyber Monday fraud deals.

The question below, posed by a member looking to get his feet wet “especially since [Black Friday and Cyber Monday are coming up]”, asked if it’s easier to card orders during busy shopping periods such as the holidays given the large influx of orders. He also asks if he can just use a burner phone to browse located near the address of the genuine cardholder. The purpose of this is to build up cookies in the browser, making it appear that the fraudster is operating from the genuine cardholder’s device, thus lowering their risk score.

How the Grinch Carded Your Customers - 1

Conversation between the credit card fraud guide’s author and another Dread user.

“Yes”, answers the author. “Use the victims hacked wifi = higher changes else use hacked aged accounts.”

The best offense is a strong defense

Last year we mentioned that twice as many fraud attempts were observed between Thanksgiving Day and December 31, 2016 as were during those same dates in 2015. Specifically, fraud attempts were observed in greatest concentration on Christmas Eve and on Shipment Cut-Off days. This may suggest that criminals were going after last-minute shoppers making purchases. Any organization’s defense against holiday fraud is affected just as much by their countermeasures as it is by their posturing.

As the holidays approach, retailers are laser-focused on revenue. Many organizations enter into a holiday lockdown period–a time when they do not allow changes to their infrastructure to minimize the impact on payment processing systems. While this can ensure stability for incoming revenue, it can also spell trouble during a security incident by limiting the ability to react quickly. Organized cybercrime groups will await the opportunity afforded to them by short-staffed security teams over the holidays. Paired with employee travel and remote work means, this environment makes employees more vulnerable to phishing schemes designed to resemble travel bookings or email confirmations of gift orders. Security teams concerned with physical carding and PoS malware, which criminals may be using more now thanks to the EMV chips, are particularly vulnerable. Short-staffed security teams also make it easier for attackers to breach networks directly and take over both corporate and customer accounts.

Given the high levels sophistication shown by some fraudsters, it’s impossible to thwart every criminal. Preventing and discouraging password re-use among both customers and employees is essential, as is doing research on cyber criminal adaptations in order to out-innovate their methods. Knowing your exposure is also essential. Searching for re-used passwords and previously breached credentials and accounts using a service such as SpyCloud can help you gain awareness of what can be leveraged against you. The fraud method described in this article, for example, could be prevented by adjusting fraud rules (the actor wrote that Radar’s “all” feature makes websites “easy to card”), introducing new security measures and requiring additional verifications. It’s also imperative, however, that countermeasures do not interfere with usability. Just as threat actors develop exploits and discover holes, blue teams and security staff can develop countermeasures that strike a balance between what is secure and what is realistic. Not all fraud can be prevented, but companies should strive to prevent enough online fraud such that it doesn’t interfere with the ease of customer purchases. The right balance will ensure a happier holiday for everyone–except those criminals not on the bleeding edge of threat actor tradecraft.

In fact, markets already exist for the sale of various types of accounts that can be obtained fairly easily through credential stuffing.