In fraud we trust – Say goodbye to the eBay for cybercriminals

An international cybercrime ring that has stolen $530 million has been dismantled, arresting 36 people. Is this all good news?

  Let’s start with the good news: today, after you buy an online gift for your Valentine, you can be less worried about finding a nasty surprise in your bill sponsored by Infraud. The U.S. Department of Justice announced the arrest of 36 people for their relation to the Infraud organization, short for In Fraud We Trust.   The global organization offered a one-stop bazaar that pointed its members to websites to buy stolen personal information.

“Today’s indictment and arrests mark one of the largest cyberfraud enterprise prosecutions ever undertaken by the Department of Justice,” said John P. Cronan, Acting Assistant Attorney General of the Justice Department’s Criminal Division. “As alleged in the indictment, Infraud operated like a business to facilitate cyberfraud on a global scale.” – If you have some time to kill, you can find a copy of the indictment here.

Cronan also said the group stole $530 million globally and that they had intended to defraud a total of $2.2 billion.

The arrests took place in the U.K., U.S., Australia, France, Italy, Kosovo, and Serbia. The government says the founder and top member of Infraud was Svyatoslav Bondarenko, a hacker from Ukraine who used the nicknames “Rector” and “Helkern.” Although Krebs on Security has raised some doubts about whether or not Rector and Helkern are indeed the same person or if someone else is still at large.

The long-running website worked as a bazaar for stolen information where members were pointed at pools of people selling stolen information such as credit card numbers, Social Security numbers, and other data. Infraud was also the place to be for malware, hardware, and other fraud-enabling devices. The online fraud group had nearly 11,000 registered members as of last March.

Infraud is a textbook example of how highly organized these fraud rings are – in case someone still had any doubt. Infraud had a well-defined hierarchy. They also had a set of punishments for members who didn’t follow the rules or who were also members of competitor sites – yes, trafficking with your personal information is a competitive business.

They had administrators at the top controlling the sellers. This is how they kept their reputation of delivering high-quality goods. The next level down were the moderators who provided expert advice and insights to specific topics or regions – like your average sales department of any global company.

Now the bad news: We have to remember that this is one drop in the ocean. As long as a pest has food, a pest continuous to multiply. And as long as our personal information is out there to feed the bad actors, more eBay-like sites like will continue to appear. Javelin Strategy and Research just released a report showing that fraud has hit an all-time high since 2003, and based on the Breach Level Index, over nine billion records have been stolen since 2005.

Same as with pests, targeting organizations and individuals will only do minor harm to an inevitably growing industry. However, if we make this business unprofitable, we will generate an inevitable drop in illicit activities. This shift can be done by authenticating customers using different information that can’t be found from a data breach, in social profiles or by other means. This way fraudsters will find that the personal information they spent so much time and money researching and buying is useless.

Technologies that help companies identify their users based on their behavior, such as passive biometrics, protect customers from fraud and provide a whole new insight into a company’s clients and their habits.

Yes, the Social Security number may be the same, the password, address, and credit card presented may be the correct ones but the inherent behavior of a user – the way they type, move the mouse or navigate on the site, for instance – tells a different story. Passive behavioral biometrics identifies that ‘different story’ and leaves those bad actors posing as genuine users out of the environment before they can commit fraud.

These technologies are the most effective fraud disruptors: Instead of chasing the 11,000 members off a dark website, just let them buy useless data, and they will naturally fade away.

Related to this post: What’s Account Takeover and Why Should I Care?   Authenticating on today’s breached world? Watch our webinar featuring Forrester analyst firm.

Want to read more posts like this? See our full blog here.