If there’s one thing you can expect from online criminals, it’s new twists on old schemes. A new report documents an evolution in credit card fraud, demonstrating how organized rings can simply obtain accounts with payment processors to make direct charges to stolen card numbers.
Security firm ReasonLabs documents an organized Russia-based threat actor that has been doing this since 2019. The group creates fake dating websites, supports these websites with customer service pages handled by a legitimate contractor, and uses this veneer of legitimacy to convince payment processors to give them an account. The group then buys stolen credit card numbers from the dark web, and uses this account to make charges directly to these cards.
Complex credit card fraud scheme rooted in a simple concept
The credit card fraud scheme has earned these criminals tens of millions of dollars over the past three years. It’s a very simple idea, but requires some up-front investment and a fairly complex build-out of legitimate-looking businesses using legitimate web services. The gang registers website names with GoDaddy, obtains web hosting from Amazon AWS, and brings in a legitimate contractor to handle customer support requests that come from these fake dating sites.
The gang is also very cautious in how it handles victim credit card numbers. The ultimate goal is to subscribe these victims to one of the fake dating sites, with a recurring monthly fee that is kept fairly small (and with a generic billing ID) in the hopes that the victim simply doesn’t notice the charge for some time. This is one of the oldest credit card fraud schemes, but this approach employs a new mix of elements to improve its outcomes.
Fraudulent dating sites supported by legitimate customer service
The fake dating sites are built from a template, but look professional enough to be legitimate. The group assuages payment processor concerns about the number of different sites they operate by theming each one in a different way, catering to particular niches. Dating sites are also known for having unusually high rates of chargebacks, something that can help mask the attackers’ pattern of credit card fraud activity.
Anyone who actually registers an account with one of these sites will quickly find that it is very sparsely populated with dating profiles. The attackers count on payment processors not going that far in their inspection. They also count on payment processors not examining their web traffic, which is very limited and includes almost no visitors coming in from search engines.
The payment processors, at least the ones that this group manages to take in, are looking for a professional-seeming website and (most crucially) a functioning customer service component. Testing the customer service contacts for a response is one of the crucial tests (perhaps the only real test) for processor approval. To this end, the attackers support the fake dating sites with a set of equally fake billing and customer support sites that the dating sites link to. They go so far as to contract with a legitimate third-party service that fields customer requests generated by these sites.
Of course, the attackers have no interest in drawing legitimate traffic to these sites. They just want to get approved by a payment processor to facilitate the real credit card fraud scheme, which involves buying stolen card numbers (mostly leaked in data breaches) from the dark web. Stolen card numbers are first tested with a set of small transactions, then subscribed to one of the dating sites.
But the attackers want to avoid chargebacks, as each dating site can only field a set number each month before it is cut off (and the payment processor starts asking questions). So they make it easy for credit card fraud victims who notice the charges to “unsubscribe” from the service with a simple web link. They also provide a toll-free phone number through which the victim can cancel the subscription. If the victim walks away without filing a chargeback with their credit card company, the attackers are in the clear.