Credit-card fraud gangs, which are cashing in on $24 billion a year, are now offering online e-learning courses for would-be criminals looking to get in on the action.
Digital Shadows has found several Russian-language online training courses, pointing to the increasing sophistication of the professional ecosystem as fraudsters seek to up-skill themselves and would-be cybercriminals.
These remote learning “schools”, available to Russian speakers only, offer six-week courses comprising 20 lectures with five expert instructors. The curriculum includes webinars, detailed notes and other course materials. In exchange for RUB 45,000 ($745) (plus $200 for course fees), aspiring cybercriminals have the potential to make $12,000 a month, based on a standard 40-hour working week. Given that the average Russian wage is less than $700 a month, cybercriminals could make nearly 17 times more than they would in a legitimate job.
“The criminals are going after a potentially lucrative market,” Digital Shadows noted in its research. “In just two of the most popular ‘carding’ forums, nearly 1.2 million cardholder details are on sale for an average of $6 each. However, prices do vary dependent on the level of security associated with the card and cardholder. The least expensive cards are those requiring further authentication to ‘cash out’. The main obstacle to this is the PIN of the cardholder, which can be tricky and time-consuming to find out. Therefore, there exist automated services which call cardholders in the Middle East in an attempt to scam their details using social engineering techniques.”
It’s no surprise then that social engineering is given a heavy emphasis in the courses. Advice is given on how to manipulate people through knowledge of their local area in order to build rapport with the target and trick them into exposing information (such as PIN numbers), usually over the phone. As the instructor puts it: “that’s why I always advise to watch the news because with such incidents, it is possible to play beautifully.”
Interestingly, a criminal ‘code’ appears to exist on many of the Russian-origin carding forums, whereby no Russian card details are permitted for sale.
“The card companies have developed sophisticated anti-fraud measures and high-quality training like this can be seen as a reaction to this,” said Rick Holland, vice president of strategy at Digital Shadows. “Unfortunately, it’s a sign that criminals continually seek to lower barriers to entry, which then put more criminals into the ecosystem and cost card brands, retailers and consumers. However, the benefit is that the criminals are increasingly exposing their methods, which means that credit card companies, merchants and customers can learn from them and adjust their defenses accordingly.”
The research found that credit card criminals fall into four main groups (with some overlap between them):
Payment Card Data Harvesters – These do the dirty work of harvesting the payment card information. This is done by intercepting cardholders’ information through point-of-sale malware, skimming devices, phishing, breached databases or the use of botnets.
Distributors – These are the middlemen who typically make the most money. While the criminals who harvest may use the card data themselves, they also sell it on to others who will package, repackage and sell the card information.
Fraudsters – This group runs the most risk in terms of getting caught by law enforcement or being conned by fellow criminals. Once fraudsters have acquired payment card information from their distributor, the fraud can happen. This group tends to be less technical and attracts a lower caliber of cybercriminal, often relying on online guides and courses to learn the latest techniques.
Monetization – There are many different roles within this stage, including those who have been duped into operating drop addresses and those involved in the reselling of fraudulently acquired goods.
“This ecosystem is highly complex and international,” Holland said. “At each stage, it creates victims – from the card industry that loses $24 billion a year to consumers who are frequently duped into revealing their card details. One of the key themes that stood out for us is the level of social engineering criminals are now using. Aggressive and manipulative phone calls to victims to reveal PIN numbers is just one example of this.”