How Cybercriminals Monetize E-Commerce Fraud

E-commerce fraud has grown to the point where it’s a now a bigger drain on retail profits than shoplifting or inventory shrinkage. Based on the information we’ve gathered defending many of the largest retailers, banks and airlines in the world against cyber crime, there are three attack modes that carry particularly high risks for retailers:

• Account takeover (credential stuffing)
• Fake account creation
• Gift card cracking

Ecommerce chargeback costs for retailers, the biggest financial hit associated with account takeovers, have now reached $40 billion per year. Fake account creation and gift card cracking, while less well documented, also result in substantial losses.

All three of these attack modes rely on compromised authentication credentials and their rapid monetization. Credential theft carried out on the scale that’s common today requires considerable time and effort, not to mention technical skill. Why do cyber crime organizations persist? One of our customers, Starbucks Director of InfoSec Mike Hughes, has a simple answer. “The risk is so low, and the reward is so high.”

He’s right. The take for a successful bank robbery runs between $5,000 and $7,000 at best. In 2016 there were eight deaths associated with bank robberies. Seven of them were the perpetrator. The same amount of money could be obtained by cracking between 100 and 150 gift cards (at an average value of about $45 per card), and the risk of being caught, much less killed, is almost zero.

Here’s a closer look at how cyber crime organizations monetize the results of their three favorite attacks.

Account Takeover

The bad actors who engage in credential stuffing to gain control of credit card accounts don’t always monetize those compromised accounts directly. In one common theft chain model, they sell the card information to brokers, who add value by sorting them geographically, determining credit limits and even purchase histories in some cases.

These brokers in turn sell the cards to so-called “carders,” typically in lots of one hundred or one thousand. The carders may use the compromised cards to make high value purchases, most often electronics such as flat screen TVs or smart phones. In this case, the goods are usually shipped to a new address where “mules” aggregate the illegitimate purchases and ship them overseas to be sold at perhaps 50 percent of their market value.

In a variant of this scheme, carders create fake physical cards which they supply to mules who actually make in-store purchases, although this method obviously carries more risk than CNP transactions. Carders may also engage in refund fraud.

Fake Account Creation

Creating fake accounts, also known as synthetic fraud, is a growing problem now that chip-bearing EMV credit cards are gaining traction. Creating fake accounts at scale requires automation or low-wage workers often referred to as “mechanical Turks,” but the rewards can be high. One monetization scheme cashes in on new-account promotions, whose value can be substantial, particularly when a cyber crime organization is dealing with hundreds of fake cards at any given time.

Another scheme is a long game, where fake cards are used to make small purchases and paid off every month until their credit limits grow. Fraudsters can then max out the fake card on high-value items, running up a bill they will never pay.

Gift Card Cracking

There are several monetization options for compromised gift cards. Cards can simply be sold for cash via legitimate card exchange sites that may offer rates as high as 60 percent of a card’s value. Other sites enable cyber crime organizations to auction off cards to the highest bidder.

The worst case scenario is when a gift card is connected to another account, such as a credit card account. In this case, fraudsters can use the gift card to drain the connected account.

Beyond monetization, gift cards have two other functions. It’s not uncommon for fraudsters to transfer money from a stolen credit card to a gift card before spending it, because this makes the transaction harder to tracer. Gift cards are also a very convenient vehicle for money laundering.

The Bottom Line Is the Bottom Line

Cyber criminal organizations, like legitimate businesses, have a strong focus on the bottom line. They engage in account takeover, fake account creation and gift card cracking because these activities are extremely lucrative. As long as they can continue to reap huge profits, they will pose a continuing threat.

To learn more about the mechanics of these attacks, and how they can be stopped in their tracks before any loss occurs, watch our newest webinar, The 3 Most Expensive Types of eCommerce Fraud.

Originally published at blog.shapesecurity.com on June 12, 2018.