Protecting your organisation from fraud has grown increasingly difficult as cybercriminals have adopted new tactics.

Dark web marketplaces are used by a wide assortment of people for many reasons. Some look to buy small amounts of illegal drugs; others represent large-scale cybercriminal operations that distribute and provide customer support for various malware, hacking tools, and other illicit services. However, dark web and other cybercriminal markets are perhaps most associated with one thing: fraud.

According to an analysis of SurfWatch Labs’ dark web threat intelligence data, dark web markets and cybercriminal forums have continued to evolve and offer innovative new services each year, but throughout it all, fraud has remained as the backbone that props up a significant portion of cybercrime.

National headlines regarding massive payment card breaches have skewed public perception of the dark web. When payment card data is stolen, it often makes its way to cybercriminal markets where it can be freely bought, sold, and traded among malicious actors with relative anonymity. That type of payment card fraud is a significant concern for many organizations, but it is only one slice of a much larger pie that makes up all fraudulent activity.

In this article, we will look at the different types of fraud that commonly occur on the dark web and other cybercriminal markets, how the fraud landscape has shifted as digital services have grown and new protections have been incorporated, and lastly, what businesses can do to help reduce your impact against these malicious actors and keep yourself and your customers safe.

Fraud’s Many Flavors

As the digital footprints of organizations’ expand with new customer-friendly features and new paid online services, the fraud footprint for malicious actors to exploit has also expanded - dramatically. Rather than targeting payment card information directly, malicious actors are frequently taking advantage of the growing number of online accounts that can be exploited to generate a profit.

SurfWatch Labs’ data shows that the “account fraud” tag is associated with more than one-quarter (25.2%) of all the fraud-related activity observed on the dark web so far this year. That includes a wide variety of different accounts that can be accessed with stolen customer credentials, including:

• Online accounts for banking and financial services
• Online store accounts, as both buyers and sellers
• Accounts tied to monthly subscriptions or other recurring services
• Accounts related to the growing number of digital cryptocurrencies

Malicious actors are taking advantage of the growing number of these accounts, many of which are protected by relatively weak credentials. More traditional tried-and-true types of fraud also continues to thrive including, identity theft, wire fraud, point-of-sale supply chains, and more. For example:

• Counterfeit-related fraud, such as counterfeit currency and counterfeit documents that can aid in identity theft (e.g. driver’s licenses and passports), accounted for 24.9% of the observed dark web fraud activity.
• Credit card fraud and wire transfer fraud accounted for 16.7% and 11.7% of the activity.
• Fraud involving both physical gift cards and electronic gift cards accounted for 12.8% of the activity.

The shift in fraudulent activity includes several trends including the danger of the growing number of weak or already compromised credentials, the expanding number of consumer accounts that can potentially be monetized by malicious actors, and the continued evolution of point-of-sale fraud as new protections are put in place.

Indirect Fraud on the Rise

The increasing number of digital services and methods of payment tied to customers’ accounts has also provided new ways for malicious actors to commit fraudulent activity – without having to directly access payment card or bank account information. For example, malicious actors can commit fraudulent activity by:

Directly selling compromised credentials for services at a fraction of the cost, including streaming services such as Netflix and HBO Now, subscriptions to adult sites, and other compromised accounts tied to paid services.

Hijacking consumer accounts tied to payment information, including ride-sharing services such as Uber or retailers that have reloadable cards or apps, which may allow malicious actors to either receive services using other customers’ information or use that information to purchase goods that can later be resold.

Hijacking trustworthy seller accounts, including users of platforms such as Amazon and eBay in order to redirect payments for legitimate sales or to list items below market value to generate sales without ever intending to ship those items to the buyers.

Cashing in reward points for hotels, airlines, and other loyalty programs to receive free or discounted goods and services, some of which may be later resold.

Cracking gift cards with tools that brute force check possible variations or by taking advantage of weaknesses in the gift card process such as sequential numbering.

Traditional Payment Card Theft Continues As EMV Becomes More Widespread

Although other types of fraud have gained popularity in recent years, stolen payment card data continues to be a significant problem for financial organizations. There are significantly fewer breaches involving the direct theft of payment cards when compared to other types of fraud, but the breaches that do occur tend to be far more wide-reaching due to the nature of targeting widely-used payment devices themselves rather than individual consumers.
For example, in May 2017 Sabre Hospitality Solutions confirmed a breach of its SynXis hotel-reservations system, a third-party service that facilitates the booking of hotel reservations. As a result of that one incident, guests of dozens of hotels across numerous brands were impacted. SurfWatch Labs has collected data on hundreds of organizations tied to similar payment card breaches over the past few years, including:

• Retailers such as Home Depot, Kmart, Staples, and Gamestop
• Restaurants such as Wendy’s, Chipotle, Dairy Queen, and Jimmy Johns
• Hotel chains such as InterContinental, Hyatt, Hard Rock, and Starwood
• High-traffic locations such as gift shops, parking lot operators, and car washes
• Third-party payment card processors that service a variety of customers

A 2016 survey from Aite found that 47% of U.S. cardholders reported that they had experienced payment card fraud within the last five years. In addition, the use of physical skimming devices to steal payment card information has continued to rise over the past few years. FICO, which monitors hundreds of thousands of ATMs and other payment card readers in the U.S., reported a 30 percent rise in the number of compromises at ATMs and merchant devices last year – the highest ever observed by the company.

The different types of skimming devices and the techniques used to steal consumers payment card information also continues to evolve. Malicious actors can easily buy different types of skimmers and guides for how to use them on cybercriminal markets. There are a variety of ways that malicious actors can install skimmers and later retrieve the stolen information – ranging from physically removing the device after collecting data to wirelessly transmitting the data via bluetooth or other means.


EMV Adoption May Shift Fraud Patterns

U.S. payment card fraud is made up of 54% in-person fraud, and 46% remote fraud, according to the Federal Reserve Payments Study 2016. In addition, 44% of payment card fraud in the U.S. was tied to counterfeit cards. Countries with more widely adopted EMV chip cards such as Australia, Canada, and the UK, saw at most 8% of their fraud tied to counterfeit cards.

“Reports from leading chip-adopting countries have cited declining counterfeit fraud accompanying rising chip adoption, and a similar effect may be observed in the United States in coming years,” the report stated. “In light of the growing adoption and use of chip cards, efforts to secure remote payments will likely also grow in importance.”

How to Defend Against Fraudulent Activity

While fraud risks are unique to each organization, there are some general best practices that all businesses should keep in mind when it comes to combatting fraud, such as:

Continuous monitoring of malicious actors: Dark web markets, paste sites, social media, and other communication channels are often used to leak stolen data and discuss cyber threats. Organizations should have a way to monitor any leaks or threats that may directly affect their customers, employees, or supply chain. In addition, organizations should stay abreast of any changes in the cybercriminal tactics, techniques, and procedures being used by malicious actors so that they can adapt their cyber defenses.

Discourage the use of weak or already compromised passwords: Consumers have a growing number of accounts that are either tied to financial information or able to be easily monetized by cybercriminals, and consumers’ poor password habits are frequently exploited by malicious actors.

Encourage two-factor authentication: With so much fraud centered on compromised accounts, having an additional layer of authentication can greatly reduce the chances of those accounts being compromised. Organizations may be reluctant to create additional steps in the login process, but there is an expanding number of secondary authentication options available with varying levels of security and usability.

Prioritize and take action against the most impactful threats: In 2014, FICO reported that the average duration of a physically compromised ATM or POS device was 36 days. In 2016, that dropped to just 11 days – and the average number of payment cards affected by a single compromise was cut in half. Implementing training and systems to consistently address the most common and impactful threats facing your organization can have a significant impact in reducing fraud.

The fraud landscape will likely continue to shift in the near future as protections such as EMV and two-factor authentication of sensitive accounts becomes more commonplace. Completely eliminating fraud may be impossible for most organizations, but a combination of cyber threat intelligence and the effective use of resources to address the most relevant aspects of fraud can go a long way towards making fraudulent activity much more difficult to carry out against your customers, employees, and ultimately, your organization.