In this post, we get insights from Beth O’Brien, Principal Product Marketing Manager, RSA, The Security Division of EMC. She will present “The Dark Web: Coming to a Retailer Near You” at the North America Community Meeting in Las Vegas.
Can you talk a little bit about the current credit card fraud market? How has it changed in recent years?
Beth O'Brien: Today there is a surplus of inventory available for sale in the underground. Massive data breaches at large retailers have resulted in stolen credit cards flooding the market. In fact, our FraudAction Intelligence team recovers an average of over 500,000 compromised cards per month. That number can spiral to 1.5 million in a single month if there has been a big data breach. Just as in the legitimate economy, supply and demand is a force – the plethora of cards in the underground is driving down prices, and a credit card number along with CVV code and expiration date can be had for as little as $3.
The easy availability of stolen card data is one of the factors driving the industrialization of fraud – fraudsters are using tactics deployed by legitimate businesses in an effort to stand out from the competition and gain new customers. Money back guarantees, “try before you buy,” volume discounts and even free customer service are now commonplace in the underground economy. There are even tutorials available to teach “newbies” how to card.
Another thing we are seeing here in the US is more fraud moving into the online channel as a result of EMV with the introduction of chip and signature cards. Chip cards make card cloning, or putting card details onto the magnetic stripe of a blank card, significantly more difficult (although not impossible, as RSA’s FraudAction Intelligence team found EMV counterfeiting software for sale in the underground late last year). Fraudsters are therefore shifting their focus online.
What are some emerging ways criminals are getting their hands on credit card data?
Beth O'Brien: Fraudsters continue to leverage phishing, which is fairly easy, can target massive numbers of email addresses and still works.
SMiShing, or phishing using mobile text messages, is another tactic, along with rogue mobile apps. Rogue apps mimic the look and feel of actual apps and are used to steal credit card data as well as credentials.
They also deploy Point of Sale (POS) malware to capture credit card data from the terminal itself. POS malware was the source of many of the major data breaches at retail outlets.
Surprisingly, we found fraudsters openly marketing their offerings on social media. RSA discussed this rapidly emerging trend in a recent research report. We studied over 500 fraud-dedicated groups active on social media with more than 220,000 members worldwide. In just a short time, we identified over 15,000 active credit cards being traded in the open and found 53% of all activities and posts were related to credit card theft, cash-out methods or other carding services.
Why do hackers continue to use basic attacks like phishing? How are these attacks evolving?
Beth O'Brien: Hackers continue to use basic phishing for one reason: it still works—humans will forever be an easy target. In Q2 2016, RSA identified over 515,000 unique phishing attacks globally, which accounts for more volume than all of 2015. Q2 phishing attacks saw a 115% rise over the previous quarter and a whopping 308% rise over the same time period last year.
I wouldn’t say phishing has evolved much. Rather, attackers have a plethora of resources available to gather better information on their targets, which has resulted in more effective attacks. They also use generally available tools to monitor the effectiveness of their attacks. For example, many phishing-as-a-service offerings in the Dark Web use well-known URL shortening services to display attack success results to their fraudster “customers.”
Why is social media a popular avenue for fraudsters?
Beth O'Brien: Fraudsters leverage social media to connect with other like-minded individuals for the same reason legitimate businesses do – it is familiar and user friendly, they reach a broader audience of like-minded people (targeted marketing if you will) and it is a turnkey solution that offers support, development, hosting and, ironically, security.
Of course, there are other reasons that legitimate businesses wouldn’t consider, including no identity verification, lax enforcement of the terms of service and the ability to create an isolated community.
In your presentation you will go over some steps merchants can take to limit fraud – can you provide a couple of examples?
Beth O'Brien: Merchants should look beyond transaction details when deciding whether to accept a payment. Fraudsters are clever and have gotten increasingly better at making fraudulent transactions look legitimate. The more information you have at hand (such as what the cardholder/fraudster was doing over the rest of the session) the more informed your decision becomes.
They should also leverage threat intelligence. This goes back to making the most informed decision. So, for example, you may want to manually review an order being sent to the address of a suspected shipping mule, or know if the IP address related to placing an order has been marked as having generated a confirmed fraudulent order.
Finally, risk-based multifactor authentication is imperative in today’s online environment where account takeover is on the rise. The exchange of account credentials is accelerating in the Dark Web. Over a recent three-month period, the RSA FraudAction and Cyber Intelligence team detected over 93,000 compromised accounts in the underground. Using risk-based authentication to protect your customers’ data without impacting their online experience is just a smart business decision.
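The three controls in the answer above (looking beyond the transaction details to the rest of the session, consulting threat intelligence about the IP address and shipping address, and stepping up to multifactor authentication when risk warrants it) can be combined into a single order-screening routine. The following is an added example, not code from the original post or from RSA: the IP, address and account lists are constructed placeholders standing in for a real intelligence feed, and the risk weights and thresholds are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed threat-intelligence feeds (hypothetical placeholders, not RSA data).
# In production these would be populated from a feed such as the one the post describes.
CONFIRMED_FRAUD_IPS = {"203.0.113.45"}                              # IPs tied to a confirmed fraudulent order
SUSPECTED_MULE_ADDRESSES = {"742 evergreen terrace springfield"}    # normalized shipping addresses
COMPROMISED_ACCOUNTS = {"alice@example.com"}                        # accounts seen traded in the underground

# Risk weights and thresholds below are assumptions chosen for illustration.
REVIEW_THRESHOLD = 60     # at or above: send the order to manual review
STEP_UP_THRESHOLD = 30    # at or above: require risk-based multifactor authentication


@dataclass
class Order:
    account: str
    amount: float
    ip: str
    shipping_address: str
    # Signals gathered from the rest of the session, beyond the transaction itself
    session: Dict[str, object] = field(default_factory=dict)


def normalize_address(address: str) -> str:
    """Lower-case, drop punctuation and collapse whitespace so list lookups are stable."""
    cleaned = "".join(ch if ch.isalnum() or ch.isspace() else " " for ch in address)
    return " ".join(cleaned.lower().split())


def score_order(order: Order) -> Tuple[int, List[str]]:
    """Return an additive risk score and the reasons that contributed to it."""
    score = 0
    reasons: List[str] = []

    # Threat intelligence: external knowledge about the IP, address and account
    if order.ip in CONFIRMED_FRAUD_IPS:
        score += 60
        reasons.append("ip_confirmed_fraud")
    if normalize_address(order.shipping_address) in SUSPECTED_MULE_ADDRESSES:
        score += 40
        reasons.append("shipping_to_suspected_mule")
    if order.account in COMPROMISED_ACCOUNTS:
        score += 30
        reasons.append("account_seen_compromised")

    # Session behaviour: what the cardholder (or fraudster) did during the session
    s = order.session
    if s.get("new_device", False):
        score += 10
        reasons.append("new_device")
    if s.get("shipping_address_changed", False):
        score += 15
        reasons.append("shipping_address_changed_this_session")
    if "seconds_on_site" in s and int(s["seconds_on_site"]) < 30:
        score += 15
        reasons.append("went_straight_to_checkout")

    # The transaction detail on its own is a weak signal, so it carries a low weight
    if order.amount >= 500:
        score += 10
        reasons.append("high_value_order")

    return score, reasons


def decide(order: Order) -> Tuple[str, int, List[str]]:
    """Map the score to one of: accept, step_up_auth (risk-based MFA), manual_review."""
    score, reasons = score_order(order)
    if score >= REVIEW_THRESHOLD:
        return "manual_review", score, reasons
    if score >= STEP_UP_THRESHOLD:
        return "step_up_auth", score, reasons
    return "accept", score, reasons


# Constructed sample orders covering the three outcomes
SAMPLE_ORDERS = {
    "clean": Order("bob@example.com", 80.0, "198.51.100.7", "12 Oak Lane, Dayton",
                   {"new_device": False, "seconds_on_site": 240}),
    "compromised_account": Order("alice@example.com", 120.0, "198.51.100.9", "12 Oak Lane, Dayton",
                                 {"new_device": True, "seconds_on_site": 180}),
    "mule_shipment": Order("carol@example.com", 650.0, "203.0.113.45",
                           "742 Evergreen Terrace, Springfield", {"seconds_on_site": 25}),
}


def screen_samples() -> Dict[str, str]:
    """Decision per sample order, keyed by sample name."""
    return {name: decide(order)[0] for name, order in SAMPLE_ORDERS.items()}


if __name__ == "__main__":
    for name, order in SAMPLE_ORDERS.items():
        print(name, decide(order))
```

Keeping the weights additive and returning the reasons alongside the decision lets a review analyst see why an order was flagged, and lets the merchant tune thresholds from outcome data rather than from intuition; the step-up tier is what keeps low-risk customers' checkout experience unchanged while still challenging sessions that look like account takeover.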
Want to learn more about phishing? Check out this resource guide: