Cyber crooks now have online courses
dubai — Organised credit card fraud gangs are becoming increasingly sophisticated and are even offering remote learning ‘schools’ in which they teach criminal gangs the skills necessary to operate successfully, according to research by Digital Shadows, a digital risk management company.
According to the research, the programme — available to Russian speakers only — is comprised of six-week courses with 20 lectures from five expert instructors. The courses include webinars, detailed notes and course material, all available for $745 (Dh2,736), plus $200 (Dh734) in fees.
The criminal distance learning programme places a strong emphasis on “social engineering”, such as on how to manipulate unwitting victims through in-depth knowledge of their local area. They develop a rapport with victims and trick them into handing over crucial information — such as PIN numbers — over the phone.”
“That’s why I always advise to watch the news because with
such incidents, it is possible to play beautifully,” one instructor is quoted as saying by Digital Shadows.
With the skills learned in the courses, would-be cyber crooks have the potential to earn incomes as $12,000 (Dh44,077), a month, based on a standard 40-hour working week. Given the average Russian monthly wage of less than $700 (Dh2,571), this means that cyber criminals can earn 17 times more than they would in many “legitimate” professions.
Notably, evidence from Russian-language card trading forums suggests that the criminal organisations appear to be enforcing a sort of criminal “code”, in which the details of Russian credit cards are not for sale.
Credit card fraud is a lucrative market. In just two of the most popular ‘carding’ forums, almost 1.2 million card hold details are up for grabs, each selling for an average of $6 (Dh22). Prices, however, vary according to the level of security associated with a particular card and cardholder. Among the trickiest are cards which require further authentication to ‘cash out’. To do so, some cyber criminals have created automated services which call cardholders in the Middle East and attempt to coax details from them using social engineering techniques.
“The card companies have developed sophisticated anti-fraud measures and high quality training like this can be seen as a reaction to this”, said Rick Holland, VP Strategy at Digital Shadows. “Unfortunately, it’s a sign that criminals continually seek to lower barriers to entry, which then put more criminals into the ecosystem and cost card brands, retailers and consumers. However, the benefit is that the criminals are increasingly exposing their methods, which means that credit card companies, merchants and customers can learn from them and adjust their defences accordingly.”
According to Digital Shadows, credit card criminals broadly fall into four main groups, with some overlapping between each of them.
The first group, payment card data harvesters, are tasked with intercepting the card holder’s information using a variety of techniques, including point of sale malware, skimming devices, phishing, breached databases, or through the use of botnets. A second group — the distributors — serve as middle men and make the most money. While some may use the card data themselves, some re-sell it to others who package, repackage and sell the information.
Another group, which Digital Shadows has dubbed the “fraudsters”, run the highest risk of getting caught by the authorities or being betrayed or conned by other criminals. Once these fraudsters have acquired card details from a distributor, frauds against victims can occur. This group tends to be less technically savvy, and attracts a lower calibre cyber criminal who often relies solely on online guides and courses to learn the latest techniques.
Lastly, a variety of cyber criminals are involved in the monetisation process, such as those who have been tricked into operating drop addresses and those involved in the re-sale of fraudulently acquired goods.
“This ecosystem is highly complex and international. At each stage, it creates victims — from the card industry that loses $24 billion a year to consumers who are frequently duped into revealing their card details,” Holland added. “One of the key themes that stood out for us is the level of ‘social engineering’ criminals are now using. Aggressive and manipulative phone calls to victims to reveal PIN numbers is just one example of this.”
Holland added that “the UAE, like all wealthy and developed countries are at risk of carding gang attacks of the kind this training is designed to encourage.”
“Cybercriminals are looking for the money, and they will go wherever that would take them,” he noted.
To avoid falling victim to card fraudsters, Digital Shadows recommends a number of steps be taken, such as being wary of jobpostings offering goods re-shipping positions that can be done from home, protecting one’s PIN numbers, ensuring to shop at online stories with 3D Secure. Additionally, the company is warning that some fraudsters use fraudulent “travel agents” to learn credit card details. Lastly, bank statements should be checked thoroughly for irregular purchases, even if they appear to be small amounts and in nearby areas.
Merchants, for their part, are being advised to be aware of the latest fraud techniques, implement appropriate security measures, train staff, and monitor for mentions among criminal chatter about “cardable” sites.