How Do Cybercriminals Learn the Tricks of the Trade? They Go to School
If you saw an ad that promised you "a new profession, a new source of income, a completely different quality of life," you might take notice. If it then promised to "show you how to earn money in an interesting, intellectual and amicable way, and find progressive friends and community," that might be the icing on the cake to get you to sign up.
But what if that advertisement was for a legitimate $945 online course to teach you the very not legitimate profession of carding: stealing credit card information and using it to commit credit card fraud?
This is big business, to the tune of a projected $24 billion in 2018, predicts Digital Shadows, a digital risk management firm.
Carding is the act of committing payment card fraud, either through physical card fraud or Card Not Present (CNP) fraud. In the former, carders steal physical card information, put it onto cloned cards and use those cards to buy things. CNP fraud occurs when a customer makes a purchase but the merchant doesn't actually see the card, such as in an online or over-the-phone purchase. Criminals steal that card information and use it to purchase items, which they then resell at lower prices for clean money.
Thanks to the introduction of EMV technology, physical card fraud has gone down, but CNP fraud is booming. The Identity Theft Resource Center and CyberScout have reported that in the U.S., data breaches have hit a record high of 791 for the first six months of the year and are on track to reach 1,500, a 37 percent increase over 2016. The rise of online shopping also contributes to more opportunity to commit crime.
But how does one even get into the carding racket? Increasingly, wannabe cybercriminals go to school.
Online guides and courses are becoming prevalent in criminal online forums and teach people how to become part of the broader chain of card payment fraud. These courses and guides teach the latest techniques and tools for cyberfraud, from finding good targets to problems within the trade.
They range from a cheap online guide to the one that Digital Shadows studied: a Russian-based six-week class involving lectures, webinars, Q&A sessions, notes and course materials. Cheap guides are buyer-beware: they can have bad or outdated information. The Russian course, Digital Shadows found, has retraining options to keep up on new practices.
After finishing a course, a student is prepared to take on one or more of the different roles within the chain of cyberfraud. These jobs have unique characteristics, but they all rely on each other, and so card payment fraud can become a highly networked system.
Card fraud starts with card data harvesters who do the work of actually stealing credit card numbers. This information goes to a distributor who packages, repackages and sells card information. Then fraudsters purchase that card information and use it to buy goods fraudulently. Those purchases are then monetized for cash. Monetization often involves social engineering to convince people to receive or reship stolen goods in a way that looks legitimate. Social engineering also comes into play in hotel and airline fraud, when criminals dupe agents to change the name on a reservation so they can take advantage of it.
"The card companies have developed sophisticated anti-fraud measures and high-quality training like this can be seen as a reaction to this," said Rick Holland, VP Strategy at Digital Shadows, in a statement. "Unfortunately, it's a sign that criminals continually seek to lower barriers to entry, which then put more criminals into the ecosystem and cost card brands, retailers and consumers. However, the benefit is that the criminals are increasingly exposing their methods, which means that credit card companies, merchants and customers can learn from them and adjust their defenses accordingly."