In our last blog post, we showed you the marketplace for stolen credentials. Now let’s look at the practicalities of committing fraud, and why hijacked user accounts have taken over from stolen credit cards as the most popular fraud tool.
It used to be that the first thing to do with a stolen credit card was to go on a shopping spree, but times have changed. Both brick-and-mortar stores and online retailers are getting increasingly savvy to fraud attempts. How far you can take a stolen credit card depends on whether you have just the number and expiration date, or whether you have more information that is sometimes not exposed in a data breach, like the CVV number. Fraudsters have a few options:
Buy Digital Goods Online
A safer investment is using stolen cards for online transactions or for digital goods, anything that doesn’t involve a physical shipping address. Often, they are used to purchase pseudo-currencies such as credits for Facebook, Xbox Live Points, digital concert tickets, etc. And because the dollar value of these purchases is typically low, the transaction often bypasses tougher fraud checks. And of course, those digital goods are resold for real cash.
Buy Physical Goods from an eRetailer or In Store
Some stolen credit cards get stamped onto real cards and, combined with fake IDs, are used to make large purchases in-store. However, with the advent of EMV, this is becoming increasingly difficult to perpetrate.
Merchants are wise to out-of-state and out-of-country shipping, so fraudsters now evade detection using a re-shipping mule. These mules are often unwitting accomplices who think they can “triple their income working from home”, as detailed by a Craigslist ad, or unwitting buyers in a fake eBay auction that ships goods directly to their legitimate address.
The catch to making scams like this work is that the fraudster needs to know the card owner’s legitimate shipping state in order to avoid being flagged, information that’s not always bundled with the purchased credit card data.
For all your Fraud Needs — the Fullz
The Fullz seems to have it all. Everything from your mother’s maiden name to your Social Security Number, residential histories to your first elementary school. Vital if someone wanted to pose as you or steal your identity.
Fullz have the potential for far greater damage: from fraudulently opening a new bank account complete with credit card and loan, to socially engineering a customer support rep into resetting an online password, Fullz have a lot of potential and are long-lasting. Worse, once it’s out there, a Fullz can’t just be reset like a password or reissued like a new card.
So, why are they priced so low? The potential for profit is high, but it requires time and effort, and the repercussions are large. It’s not hard to understand why usernames and passwords are 100x more expensive.
Working Usernames and Passwords
VP and Distinguished Analyst at Gartner, Avivah Litan, said it best:
“Password compromise is the most common way bad guys get into our accounts – whether they are Twitter, bank, credit card, frequent flyer, gaming or other ecommerce accounts. Unlike the situation with banks, there is no legal recourse or money/service back guarantee from other non-regulated providers.”
Hijacking a user’s e-commerce account gives fraudsters everything they need: indirect access to a credit card, shipping details, and all the information they need to execute a simple but devastating fraud under the name of a legitimate customer.
Often, the hacked customer will have to prove themselves innocent of first-party fraud, while the fraudster, using an anonymity tool such as the Tor network, has disappeared back into the dark web. With the stolen item already listed for sale on eBay, it is left to the unwitting shipping mule (chosen because of their proximity to the victim) to handle the admin in return for a nominal fee, while implicating themselves in the crime of handling stolen goods.
As we’ve touched on in our previous article on passwords, one username and password combo acts as a key to unlock other online accounts – the simplest and most devastating fraud. It isn’t hard to see why working usernames and passwords are worth $27 compared to $0.25 for a Fullz.
The problem that keeps fraud managers awake at night – “How do I know this is the real user?” – is something we’re going to cover in our next post.