Christmas card

Was Cyber Monday Christmas for Criminals?

Just as families plan, schedule and research year round for the winter festivities, so do criminals. Even though it’s just one or two days of the year, they have to make sure their fraud is perfect. Banks and e-commerce vendors are more susceptible to attacks at busy seasonal times: Christmas and the long weekend running Black Friday to Cyber Monday are the busiest online shopping days of the year.

Thanksgiving Fraud: Success in the Preparation

The windows of opportunity to buy goods with stolen credit cards, evade fraud checks, receive delivery and then re-sell them is so small – just one weekend – that year long preparations are required for the most profitable scam.

The news reports elevated levels of credit card skimming and phishing attacks during the peak holiday times, but at some point those stolen credit cards need to be used for the fraudsters to turn a profit. This is where Cyber Monday comes in and the real effects hit the businesses.

How Much Do I Need?

Fraud departments know risks are higher for goods shipped away from the card-holders address, high-value shopping carts and first time transactions. The problem is that during gift giving season we see a lot of legitimate activity that might otherwise look like fraud.

To make best use of credit cards, scammers work for months and years to create hundreds and thousands of blank user accounts for e-commerce sites, leaving the accounts dormant for months – let them slip under the radar. By planning over a year, their automated account creation doesn’t have to operate over a few seconds– another red-flag for security departments.

Last Minute Panic

As the weekend shopping deals are announced, scammers can choose their deals. Highly fenceable goods, easy to re-sell on eBay immediately. The smartest scammers will already have place “Make money from home” adverts and hired unwitting accomplices to take delivery of, and re-send goods on their behalf. Now all that is left is to enter the credit card details.

Not having enough stolen credit card details would be the fraud equivalent of forgetting how many chairs or ‘good plates’ you actually own. Lucky for them, stolen credit card details are easier than ever to buy online, as reported by Brian Krebs here, here and here.

Timing is everything

Now all that’s left is for the criminals is to launch their order-placing applications.

Whether using a botnet-for-hire or activating malware on infected user’s computers, automated orders are placed and shipped to the unwitting stooges. Not so many identical orders that it might draw attention to them, so the orders will be a variety of saleable goods.

By the end of the weekend, scammers abscond with their wallets festively plump, leaving the washing up to someone else. Identity theft claims, chargebacks and disputes become a post-holiday nightmare for merchants, banks and e-commerce sites.