Oh no, you're thinking, yet another cookie pop-up. Well, sorry, it's the law. We measure how many people read us, and ensure you see relevant ads, by storing cookies on your device. If you're cool with that, hit “Accept all Cookies”. For more info and to customize your settings, hit “Customize Settings”.

Review and manage your consent

Here's an overview of our use of cookies, similar technologies and how to manage them. You can also change your choices at any time, by hitting the “Your Consent Options” link on the site's footer.

Manage Cookie Preferences
  • These cookies are strictly necessary so that you can navigate the site as normal and use all features. Without these cookies we cannot provide you with the service that you expect.

  • These cookies are used to make advertising messages more relevant to you. They perform functions like preventing the same ad from continuously reappearing, ensuring that ads are properly displayed for advertisers, and in some cases selecting advertisements that are based on your interests.

  • These cookies collect information in aggregate form to help us understand how our websites are being used. They allow us to count visits and traffic sources so that we can measure and improve the performance of our sites. If people say no to these cookies, we do not know how many people have visited and we cannot monitor performance.

See also our Cookie policy and Privacy policy.

This article is more than 1 year old

School of card knocks: Russophone criminals offered online courses in credit card fraud

Обратите внимание на спину!

Cyber crime lords have come up with a new money-spinner – Russian-language e-learning courses geared towards teaching the skills necessary to rip off consumers and card companies.

Risk management firm Digital Shadows flagged up the course as part of a wider report into trends in underground carding forums. The study, published on Wednesday, reports how remote-learning "schools" offer six-week courses comprising 20 lectures with five expert instructors to would-be carders.

"The course includes webinars, detailed notes and course material," Digital Shadows reports. "In exchange for RUB 45,000 (£575, plus £150 for course fees), aspiring cyber criminals have the potential to make £9,200 a month, based on a standard 40-hour working week. Given the average Russian monthly wage is less than $700 a month it means cyber criminals could make nearly 17x more than a 'legitimate' job."

A criminal "code" appears to exist on many of the Russia-based carding forums, whereby no Russian card details are permitted for sale. This is likely to be for pragmatic as well as "patriotic" reasons – miscreants targeting Russian victims are more likely to be targeted in Russian law enforcement investigations.

A snapshot of just two of the most popular criminal forums uncovered 37,000 UK card holder details on sale for an average of £9.20 each. Many of these cards come without the PIN codes necessary to easily "cash out" compromised accounts. "Automated services" touted on the digital underground offer a means for fraudsters to contract out the task of social engineering marks in order to get these codes, whether over the phone, through email phishing or other trickery geared at fooling victims into handing over sensitive information.

"The card companies have developed sophisticated anti-fraud measures and high-quality training like this can be seen as a reaction to this," said Rick Holland, VP strategy at Digital Shadows. "Unfortunately, it's a sign that criminals continually seek to lower barriers to entry, which then put more criminals into the ecosystem and cost card brands, retailers and consumers. However, the benefit is that the criminals are increasingly exposing their methods, which means that credit card companies, merchants and customers can learn from them and adjust their defences accordingly."

Digital Shadows' report was based on an analysis of hundreds of criminal forums by a team of multi-lingual analysts.

The research found that credit card criminals fall into four main groups (with some overlap):

  • Payment card data harvesters: These guys do the "dirty work" of harvesting the payment card information. This is done through intercepting card holders' information whether through point-of-sale malware, skimming devices, phishing, breached databases, or malware.
  • Distributors: "Middle men" who typically make the most money. While the harvesters may use the card data themselves, they also sell it on to others who will package, repackage, and sell on card information.
  • Fraudsters: Run the most risk in terms of getting caught by law enforcement or being conned by fellow criminals. Once fraudsters have acquired payment card information from their distributor, the fraud can occur. These individuals tend to be less technically sophisticated, attracting wannabe cybercrooks who rely on online guides and courses.
  • Monetisation: There are many different roles within the stage, including those who have been duped into operating drop addresses and those involved in the reselling of fraudulently acquired goods, acting as "fences" for stolen goods or (at the dumber end of the scale) mules.

Digital Shadows' Holland adds: "This ecosystem is highly complex and international. At each stage, it creates victims – from the card industry that loses $24bn a year to consumers who are frequently duped into revealing their card details. One of the key themes that stood out for us is the level of 'social engineering' criminals are now using. Aggressive and manipulative phone calls to victims to reveal PIN numbers is just one example of this."

More on Digital Shadows' research, which provides further details on the latest tricks of carding fraudsters, as well as advice to consumers and card providers, can be found here. ®

 

Similar topics

Similar topics

Similar topics

TIP US OFF

Send us news


Other stories you might like