COMMENT
A
study from Digital Shadows into credit card fraud
points to increased sophistication of a professional
ecosystem as fraudsters seek to upskill themselves
and novice would-be cybercriminals.
By analysing hundreds of criminal forums, Digital Shadows
discovered a new trend in the form of remote learning
‘schools’. Available to Russian speakers only, these six-week
courses comprise 20 lectures with five expert instructors.
The course includes webinars, detailed notes and course
material. In exchange for RUB 45,000 ($745) (plus $200
for course fees), aspiring cybercriminals have the potential
to make $12k a month, based on a standard 40-hour
working week. Given the average Russian monthly wage
is less than $700 a month, it means cybercriminals could
make nearly 17x more than a ‘legitimate’ job.
Interestingly, a criminal ‘code’ appears to exist on many of
the Russian-origin carding forums, whereby no Russian card
details are permitted for sale. The criminals are going after a
potentially lucrative market. In just two of the most popular
‘carding’ forums, nearly 1.2 million card holder details are
on sale for an average of $6 each. However, prices do vary
depending on the level of security associated with the
card and cardholder. The least expensive cards are those
requiring further authentication to ‘cash out’. The main
obstacle to this is the PIN of the cardholder, which can be
tricky and time-consuming to find out.
Social engineering is given a heavy emphasis in the
courses. Advice is given on how to manipulate people
through knowledge of their local area in order to build
rapport with the target and trick them into exposing
information (such as PIN numbers) usually over the phone.
As the instructor puts it: “that’s why I always advise
watching the news.”
Rick Holland, VP Strategy at Digital Shadows, says: “The
card companies have developed sophisticated anti-fraud
measures and high quality training like this can be seen
as a reaction to this.
“Unfortunately, it’s a sign that criminals continually seek
to lower barriers to entry, which then put more criminals
into the ecosystem and cost card brands, retailers and
consumers. However, the benefit is that the criminals are
increasingly exposing their methods, which means that
credit card companies, merchants and customers can learn
from them and adjust their defences accordingly.”
The research found that credit card criminals fall into four
main groups (with some overlapping between each):
• Payment card data harvesters – do the ‘dirty work’ in
terms of harvesting the payment card information. This
is done through intercepting card holder’s information,
www.intelligentcio.com
INTELLIGENTCIO
23