Maritza Dominguez has seen some impressive attempts at payment fraud in her 18 months as trust and security lead at Patreon, a site that allows online artists and web content creators to get paid by running membership businesses for their fans. The scheme she uncovered this summer proved to be one of the most impressive to date, not only for its innovation but for its sheer complexity.
In a multi-account takeover scheme, fraudsters would take over a content creator’s account, then take over dozens of patrons’ accounts, which they would use to make fraudulent pledges using stolen credit card data. The fraudsters would then create a PayPal account, change the artist’s payment method to the account and then cash out. “It takes a lot of skill” to pull off a fraud like this one, Dominguez says.
She was tipped off when a patron noticed his account showed a pledge that he didn’t make. A day or two later, a creator notified Patreon that his account information had been changed. “We realized the patron had made a pledge to that creator’s account, and then noticed that all the IPs were the same between these two and a bunch of other accounts,” Dominguez says. “It took a lot of investigative work.”
Patreon has since moved to a machine learning platform that helps them root out malicious behavior, but the reality of today’s credit and payment card fraud is clear. It’s hard to stay ahead of the constant barrage of new and innovative fraud tactics being pumping out by bad actors worldwide, security experts say. While hacking tactics have evolved, such as last year’s Magecart, which injected JavaScript code into ecommerce sites running exploiting older, un-updated shopping cart software, the latest version of fraudster capitalizes on false identities and deception to commit elaborate money laundering schemes or establish online resale shops for stolen credit cards.
E-commerce fraud attack rates spiked more than 30 percent in 2016 over the prior year, according to Experian. The credit reporting agency attributes the rise in part to the switch to EMV (Europay, Mastercard and Visa) chips in credit cards, which reduced counterfeit card fraud at the point of sale, but has driven fraudsters online with account takeover and card-not-present schemes. Account takeovers similar to the one experienced at Patreon rose 31 percent in 2016, according to a report by Javelin Strategy & Research.
“Fraudsters never rest, and when one area is closed, they adapt and find new approaches,” said Al Pascual, senior VP, research director and head of fraud and security at Javelin, in a statement.
Fraud and security experts offer a sampling of today’s biggest credit and payment card fraud tactics and tips on how to prevent them.
Account takeovers
Online account takeovers, where hackers steal passwords instead of credit cards, and then log onto other more lucrative sites where even more money is at stake, cost consumers $2.3 billion in 2016, a 61 percent increase from 2015, according to Javelin.
[Related: Thousands of online shops compromised for credit card theft]
“They log in and instead of stealing one card they steal 10 cards in your eWallet,” says Andras Cser, VP and principal analyst in risk and compliance at research firm Forrester. Account takeovers tend to be complex, with vulnerabilities traced back to lax passwords and authentication, Cser says. Preventing account takeovers require solutions such as longer passwords, two-factor authentication or authentication that takes into consideration the device being used, the user’s country of origin and time of day. “If you’re logging in from your own desktop at your normal place of work on a Tuesday morning local business time, it’s a much lower risk event than someone logging in on a new device in the middle of the night from Eastern Europe and masquerading as a U.S. user,” Cser says.
Machine-learning tools have shown promise in detecting anomalies in user behavior that can help detect payment fraud. In addition to a rules-based approach to detection, “you should also be collecting data points in terms of user behavior… to go from a defensive position to an offensive position where you learn from behavior patterns of both good and bad users,” says Kevin Lee, trust and safety architect Sift Science, a fraud detection provider. Small and mid-size firms could benefit from third-party providers to handle this type of fraud detection for them, he adds.
Magecart Part 2
The fraudsters who created the Magecart shopping cart software exploit in 2016 are at it again. Digital threat management firm RiskIQ tracked activity in the first half of 2017 showing how the actors behind it are cashing in by reshipping items purchased with stolen cards via a physical reshipping company operating with mules in the U.S. that foreign entities hire through online job postings for “transport agents.”
“Reshipping is a form of money laundering that enables those actors to go to online stores and purchase high value items like electronics worth several hundred to a thousand dollars per transaction” and have it shipped back to them through the mules for resale, says Darren Spruell, threat researcher at RiskIQ. Spruell believes that the tangible money trail the fraudsters are creating will help financial services firms and law enforcement identify and stop the fraudsters.
Third-party vulnerabilities grow
Magecart appeared in unpatched versions of off-the-shelf shopping cart software from Magento, Powerfront, and OpenCart. By logging consumer keystrokes, Magecart captured large quantities of payment card information from unsuspecting shoppers. This should serve as a warning that other third-party providers to ecommerce sites, such as WordPress or Joomla content management software, are equally vulnerable and should also be scrutinized carefully, Spruell says.
“Any of these big drivers for web technology have become very widespread, so they make very good targets for compromise,” he says. An opportunistic attacker will booby trap the source code on a site, so that when a user types in a credit card number or other personal information, they steal that information. WordPress’s security weaknesses were exposed in February when hackers infiltrated and vandalized up to 1.5 million blog website pages supported by the open source website creation tool.
Identifying a booby trap is somewhat difficult, Spruell says. “There’s no readily accessible notification that it’s happening,” but site owners can monitor what scripts are running on the site. “If you’re on your ecommerce site and suddenly you find that your browser is also being told to connect to another site to access JavaScript, that’s a very good indicator that the site has probably been booby-trapped,” Spruell says. “Or if you find foreign scripts being included in your site, that’s a very good tip-off that this is happening,” he adds.
It’s also important to understand your digital footprint, Spruell says. When ecommerce sites are hosted by a third-party service, the business may not always be aware of who’s running them, where, or whether they’re being updated or maintained properly, he says. “Be conscientious about extending your digital footprint into that shared gray space where you start to lose visibility and control, and the ability to secure it.”
POS malware still a threat
Despite the move toward EMV chip cards, point-of-sale (POS) malware continues to vex merchants’ payment systems, most recently with the discovery of MajikPOS malware in North America, which TrendMicro reported on in March.
[Related: Credit card security has no silver bullet]
According to TrendMicro, MajikPOS operators use a combination of POS malware and remote access Trojans, or RATs, to attack their targets. The bad guys gained access to the victim’s end points through Virtual Network Computing and Remote Desktop Protocol, poorly secured by easy-to-guess username and password combinations. The RATs were installed in the endpoints somewhere between August and November 2016.
If the endpoint catches the bad guys’ interest, they use a combination of VNC, RDP, RAT access, command-line File Transfer Protocol to install MajikPOS by directly downloading the files. MajikPOS then contacts its command-and-control server to register the infected system. MajikPOS checks a range of popular credit cards, and after verifying the credit card’s track data, the information is sent to the C&C server, called the “Magic Panel,” which leads to online shops for the bulk sale of stolen credit cards.
“We’re seeing more of these all-encompassing turnkey services built around stolen credit card data and the malware to use them,” says Jim Walter, senior research scientist at Cylance. “It makes the management side of the data, as well as the packaging and sale of the data, a lot easier. Anyone can go and create their own Majik account in a Majik shop. You don’t need to be an expert on this from Russia anymore, you can just have an account with one of these services.”
The malware can be mitigated through chip-and-pin credit cards with end-to-end encryption, such as EMV cards, but today only half (52 percent) of merchants are enabled to accept chip payments, according to spring 2017 data from payment systems advisory service The Strawhecker Group.
Balance security with the user experience
The constant challenge to curtail payment fraud leaves many businesses struggling to balance security with the user experience. “Creating friction for the [bad guys] and stopping legitimate people from getting in is really difficult,” Dominguez says. “How much friction do you add to still keep you regular customers and keep out the fraudy people?” she asks.
“You shouldn’t secure yourself out of business,” Cser advises, “but continue to monitor things like enrollment rates, click-through rates, conversion rates and abandonment rates on cards. If you implement too many security measures, it’s not all good.”