Thursday, May 19, 2022
  • Webinar on Demand: See RiskLens Enterprise Top Risk Reporting in Action
  • Steganography in Cybersecurity: A Growing Attack Vector
  • Adversarial Perturbation to Defeat Automated Captcha Solvers
  • Security BSides Sofia 2022 – Sergey Kostov’s ‘How To Collect Linux Malware’
  • Analyzing a WooCommerce Credit Card Skimmer

Security Boulevard Logo

Security Boulevard

The Home of the Security Bloggers Network

Community Chats Webinars Library
  • Home
    • Cybersecurity News
    • Features
    • Industry Spotlight
    • News Releases
  • Security Bloggers Network
    • Latest Posts
    • Contributors
    • Syndicate Your Blog
    • Write for Security Boulevard
  • Events
    • Upcoming Events
    • Upcoming Webinars
    • On-Demand Events
    • On-Demand Webinars
  • Chat
    • Security Boulevard Chat
    • Marketing InSecurity Podcast
  • Library
  • Related Sites
    • Techstrong Group
    • Container Journal
    • DevOps.com
    • Security Boulevard
    • Techstrong Research
    • Techstrong TV
    • Devops Chat
    • DevOps Dozen
    • DevOps TV
    • Digital Anarchist
  • Media Kit
  • About Us

  • Analytics
  • AppSec
  • CISO
  • Cloud
  • DevOps
  • GRC
  • Identity
  • Incident Response
  • IoT / ICS
  • Threats / Breaches
  • More
    • Blockchain / Digital Currencies
    • Careers
    • Cyberlaw
    • Mobile
    • Social Engineering
  • Humor
Security Bloggers Network 

Home » Security Bloggers Network » How Cybercriminals Monetize E-Commerce Fraud

SBN

How Cybercriminals Monetize E-Commerce Fraud

by Shape Security on June 11, 2018

E-commerce fraud has grown to the point where it’s a now a bigger drain on retail profits than shoplifting or inventory shrinkage. Based on the information we’ve gathered defending many of the largest retailers, banks and airlines in the world against cyber crime, there are three attack modes that carry particularly high risks for retailers:

  • Account takeover (credential stuffing)
  • Fake account creation
  • Gift card cracking

Ecommerce chargeback costs for retailers, the biggest financial hit associated with account takeovers, have now reached $40 billion per year. Fake account creation and gift card cracking, while less well documented, also result in substantial losses.

Cybersecurity Live - Boston

All three of these attack modes rely on compromised authentication credentials and their rapid monetization. Credential theft carried out on the scale that’s common today requires considerable time and effort, not to mention technical skill. Why do cyber crime organizations persist? One of our customers, Starbucks Director of InfoSec Mike Hughes, has a simple answer. “The risk is so low, and the reward is so high.”

He’s right. The take for a successful bank robbery runs between $5,000 and $7,000 at best. In 2016 there were eight deaths associated with bank robberies. Seven of them were the perpetrator. The same amount of money could be obtained by cracking between 100 and 150 gift cards (at an average value of about $45 per card), and the risk of being caught, much less killed, is almost zero.

Here’s a closer look at how cyber crime organizations monetize the results of their three favorite attacks.

Account Takeover

The bad actors who engage in credential stuffing to gain control of credit card accounts don’t always monetize those compromised accounts directly. In one common theft chain model, they sell the card information to brokers, who add value by sorting them geographically, determining credit limits and even purchase histories in some cases.

These brokers in turn sell the cards to so-called “carders,” typically in lots of one hundred or one thousand.  The carders may use the compromised cards to make high value purchases, most often electronics such as flat screen TVs or smart phones. In this case, the  goods are usually shipped to a new address where “mules” aggregate the illegitimate purchases and ship them overseas to be sold at perhaps 50 percent of their market value.

In a variant of this scheme, carders create fake physical cards which they supply to mules who actually make in-store purchases, although this method obviously carries more risk than CNP transactions. Carders may also engage in refund fraud.

Fake Account Creation

Creating fake accounts, also known as synthetic fraud, is a growing problem now that chip-bearing EMV credit cards are gaining traction. Creating fake accounts at scale requires automation or low-wage workers often referred to as “mechanical Turks,” but the rewards can be high. One monetization scheme cashes in on new-account promotions, whose value can be substantial, particularly when a cyber crime organization is dealing with hundreds of fake cards at any given time.

Another scheme is a long game, where fake cards are used to make small purchases and paid off every month until their credit limits grow. Fraudsters can then max out the fake card on high-value items, running up a bill they will never pay.

Gift Card Cracking

There are several monetization options for compromised gift cards. Cards can simply be sold for cash via legitimate card exchange sites that may offer rates as high as 60 percent of a card’s value. Other sites enable cyber crime organizations to auction off cards to the highest bidder.

The worst case scenario is when a gift card is connected to another account, such as a credit card account. In this case, fraudsters can use the gift card to drain the connected account.

Beyond monetization, gift cards have two other functions. It’s not uncommon for fraudsters to transfer money from a stolen credit card to a gift card before spending it, because this makes the transaction harder to tracer.  Gift cards are also a very convenient vehicle for money laundering.

The Bottom Line Is the Bottom Line

Cyber criminal organizations, like legitimate businesses, have a strong focus on the bottom line. They engage in account takeover, fake account creation and gift card cracking because these activities are extremely lucrative. As long as they can continue to reap huge profits, they will pose a continuing threat.

To learn more about the mechanics of these attacks, and how they can be stopped in their tracks before any loss occurs, watch our newest webinar, The 3 Most Expensive Types of eCommerce Fraud.

*** This is a Security Bloggers Network syndicated blog from Shape Security Blog authored by Shape Security. Read the original post at: https://blog.shapesecurity.com/2018/06/12/how-cybercriminals-monetize-e-commerce-fraud/

June 11, 2018June 11, 2018 Shape Security account takeover, automated attacks, botnets, Bots, credential stuffing, Security Trends
  • ← Monday, June 11: Dtex, Insider Threat in the News — DOJ Makes $21M BEC Bust, Insider Error Caused 3 of 7 Breaches Reported in California Last Week
  • Women in Information Security: Avi →

TechStrong TV – Live

Click full-screen to enable volume control
Watch latest episodes and shows

Subscribe to our Newsletters

Get breaking news, free eBooks and upcoming events delivered to your inbox.
  • View Security Boulevard Privacy Policy
  • This field is for validation purposes and should be left unchanged.

Most Read on the Boulevard

How Encryption Helps Restore Cloud Security Integrity
Do You Want Secure Supply Chains? SHOW ME THE MONEY
CISA, Int’l Cybersecurity Bodies Issue Advisory to MSPs
Privacy As Enabling Technology
5 Ways K8s Apps Are Vulnerable to Supply Chain Attacks
X-Cart Skimmer with DOM-based Obfuscation
Four ways to combat the cybersecurity skills gap
LogicHub Security Roundup: May 2022
What is Test Automation Pyramid? How To Use It in Agile Software Development?
Three new API exploits causes GitLab data privacy and availability issues

Upcoming Webinars

Mon 23

Defending Against Emerging Ransomware Threats

May 23 @ 1:00 pm - 2:00 pm
Thu 26

Challenges and Opportunities for Improving Secure Coding Practices

May 26 @ 3:00 pm - 4:00 pm
Tue 31

Leveraging a Cloud Data Platform to Respond to Cybersecurity Events

May 31 @ 11:00 am - 12:00 pm
Jun 01

The 2022 Guide to API Security

June 1 @ 11:00 am - 12:00 pm
Jun 01

Security From Code to Cloud and Back to Code

June 1 @ 1:00 pm - 2:00 pm
Jun 08

Beyond Unification: How CNAP Should Reduce Cloud Security Risk

June 8 @ 11:00 am - 12:00 pm
Jun 08

When Less Is More: Full Life Cycle Serverless Security

June 8 @ 1:00 pm - 2:00 pm
Jun 15

Top 5 Reasons Why Effective SDLC Security Controls Are So Difficult

June 15 @ 1:00 pm - 2:00 pm

More Webinars

Download Free eBook

The Dangers of Open Source Software and Best Practices for Securing Code

Industry Spotlight

Establishing a Root of Trust in Embedded Linux and IoT
Cybersecurity Endpoint Industry Spotlight IoT & ICS Security Security Boulevard (Original) Vulnerabilities 

Establishing a Root of Trust in Embedded Linux and IoT

April 18, 2022 Anita Buehrle | Apr 18 Comments Off on Establishing a Root of Trust in Embedded Linux and IoT
Attorney-Client Privilege and Email Privacy
Cybersecurity Data Security Identity & Access Industry Spotlight Network Security Security Boulevard (Original) 

Attorney-Client Privilege and Email Privacy

April 7, 2022 Mark Rasch | Apr 07 Comments Off on Attorney-Client Privilege and Email Privacy
How MSPs can Fill the Cybersecurity Skills Gap
Cybersecurity Endpoint Industry Spotlight Network Security Security Awareness Security Boulevard (Original) 

How MSPs can Fill the Cybersecurity Skills Gap

February 17, 2022 Mike Adler | Feb 17 Comments Off on How MSPs can Fill the Cybersecurity Skills Gap

Top Stories

‘Incompetent’ Tesla Lets Hackers Steal Cars — via Bluetooth
Analytics & Intelligence Application Security Cybersecurity DevOps Endpoint Featured Governance, Risk & Compliance Identity & Access Incident Response IoT & ICS Security Mobile Security Most Read This Week Network Security News Popular Post Security Awareness Security Boulevard (Original) Social Engineering Spotlight Threat Intelligence Threats & Breaches Vulnerabilities 

‘Incompetent’ Tesla Lets Hackers Steal Cars — via Bluetooth

May 19, 2022 Richi Jennings | 6 hours ago 0
Conti Ransomware Gang Threatens Costa Rica’s Government
Cybersecurity Data Security Featured Governance, Risk & Compliance Malware News Security Boulevard (Original) Spotlight Threat Intelligence Vulnerabilities 

Conti Ransomware Gang Threatens Costa Rica’s Government

May 19, 2022 Nathan Eddy | 11 hours ago 0
Strata Identity Proposes Standard to Simplify Identity Management
Cybersecurity Featured Identity & Access News Security Boulevard (Original) Spotlight 

Strata Identity Proposes Standard to Simplify Identity Management

May 18, 2022 Michael Vizard | Yesterday 0

Security Humor

XKCD 'Health Data'

XKCD ‘Health Data’

Security Boulevard Logo White

DMCA

Join the Community

  • Add your blog to Security Bloggers Network
  • Write for Security Boulevard
  • Bloggers Meetup and Awards
  • Ask a Question
  • Email: [email protected]

Useful Links

  • About
  • Media Kit
  • Sponsors Info
  • Copyright
  • TOS
  • DMCA Compliance Statement
  • Privacy Policy

Related Sites

  • Techstrong Group
  • Container Journal
  • DevOps.com
  • Techstrong Research
  • Techstrong TV
  • DevOps Chat
  • DevOps Dozen
  • DevOps TV
  • Digital Anarchist
Powered by Techstrong Group
Copyright © 2022 Techstrong Group Inc. All rights reserved.