Stolen credit card numbers sometimes spill onto the dark web for the most mundane of reasons: people carelessly hand them over.
According to investigators at Gemini Advisory, a China-based e-commerce scam appears to be collecting card data not through direct intrusions into companies or card-skimming malware, but with a far simpler strategy. The fraudsters set up hundreds of e-commerce sites that appear to sell legitimate products but exist to capture card numbers, which then turn up for sale on the dark web, Gemini says.
It amounts to a double dip for the crooks: Along with selling the card data and other shopper details on cybercriminal forums, they also collect payment for goods that are “faulty, counterfeit, or nonexistent,” Gemini says in a report published Thursday. The dark web sales alone brought in upward of $500,000 over the last six months, and the total take is “likely considerably larger” once the money collected for the counterfeit goods is counted.
Tens of thousands of payment records from the U.S. and elsewhere have been exposed, Gemini says. The report arrives as the coronavirus pandemic has upended retail for much of the planet, and U.S. and European consumers head into a holiday shopping season that will be conducted online more than ever before. It is also a reminder that while Magecart malware and other card skimmers draw much of the attention from security researchers, there is more than one way to steal a credit card number.
An operation like this requires some infrastructure. To pass as legitimate retailers while hiding their connection to the larger scam, each site needs its own merchant name and merchant identification number (MID). Obtaining a MID “requires either a direct partnership with an acquiring bank or a connection with a third-party merchant company that operates with a dedicated acquiring bank,” Gemini notes, adding that “almost 200 of the scam websites from the identified group were connected to the acquiring Chinese bank Jilin Jiutai Rural Commercial Bank Co., Ltd.”
Gemini does not link the bank directly to the scam; it is possible that the relationship was handled through third-party businesses.
Gemini says there are roughly 600 connected web addresses, the majority of them registered through China’s ename.net. The fake stores generally run on the e-commerce platform OpenCart, chosen because it is open source, rather than on a hosted platform such as Shopify, which has fraud monitoring and mitigation policies in place. The group also relies on Cloudflare “to conceal its IP addresses for each of its websites,” the report says.
“This cookie-cutter strategy was likely adopted to facilitate the rapid deployment of a large number of scam websites,” Gemini says.
The fraudsters also use other tactics to lure people in and appear legitimate.
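The shared registrar, platform, CDN and acquirer that Gemini describes are exactly the attributes an analyst would pivot on to tie hundreds of apparently unrelated storefronts to one operator. The following is an added illustration of that infrastructure clustering, not code from Gemini Advisory or the report: the domains and enrichment records are constructed, the acquirer field assumes a test purchase whose merchant descriptor identified the acquiring bank, and the OpenCart fingerprint relies on two commonly seen OpenCart URL and asset patterns that are an assumption here, not Gemini’s method.

```python
"""Infrastructure pivoting over a constructed set of storefront records.

Added example, not Gemini Advisory's code. Domains, registrars, acquirer
names and the HTML sample are all made up; the OpenCart markers are an
assumed heuristic (default router links and theme asset paths).
"""
from collections import defaultdict
import re

# Constructed sample: what an analyst might hold after enriching each suspect
# storefront with its WHOIS registrar, the CDN fronting it, a platform
# fingerprint from the HTML, and the acquirer inferred from a test purchase.
RECORDS = [
    {"domain": "cheap-sneakers-1.example", "registrar": "ename.net",
     "cdn": "cloudflare", "platform": "opencart", "acquirer": "acquirer-A"},
    {"domain": "deal-gadgets-2.example", "registrar": "ename.net",
     "cdn": "cloudflare", "platform": "opencart", "acquirer": "acquirer-A"},
    {"domain": "outlet-bags-3.example", "registrar": "ename.net",
     "cdn": "cloudflare", "platform": "opencart", "acquirer": "acquirer-A"},
    {"domain": "flash-sale-4.example", "registrar": "ename.net",
     "cdn": "cloudflare", "platform": "opencart", "acquirer": "acquirer-A"},
    {"domain": "legit-shop.example", "registrar": "other-registrar",
     "cdn": "none", "platform": "shopify", "acquirer": "acquirer-B"},
    {"domain": "another-shop.example", "registrar": "ename.net",
     "cdn": "cloudflare", "platform": "woocommerce", "acquirer": "acquirer-C"},
]

# Assumed OpenCart markers: its default router exposes "index.php?route=..."
# links and serves theme assets under "catalog/view/theme/". Heuristic only;
# a customised store can hide both.
OPENCART_MARKERS = (
    re.compile(r"index\.php\?route=[a-z]+/[a-z_]+"),
    re.compile(r"catalog/view/theme/"),
)

# Constructed HTML fragment standing in for a fetched storefront page.
SAMPLE_HTML = (
    '<a href="index.php?route=product/product&product_id=42">Sneakers</a>'
    '<link href="catalog/view/theme/default/stylesheet/stylesheet.css">'
)


def fingerprint_platform(html: str) -> str:
    """Return 'opencart' when both assumed markers are present, else 'unknown'."""
    if all(marker.search(html) for marker in OPENCART_MARKERS):
        return "opencart"
    return "unknown"


def cluster_by_infrastructure(records, keys=("registrar", "cdn", "platform", "acquirer")):
    """Group domains that share the same tuple of infrastructure attributes."""
    groups = defaultdict(list)
    for rec in records:
        groups[tuple(rec[k] for k in keys)].append(rec["domain"])
    return dict(groups)


def flag_networks(records, min_size=3):
    """Keep only clusters large enough to suggest a single operator.

    A lone store on ename.net behind Cloudflare proves nothing; many stores
    with different names but identical registrar, CDN, platform and acquirer
    are the pattern worth escalating.
    """
    return {
        fp: domains
        for fp, domains in cluster_by_infrastructure(records).items()
        if len(domains) >= min_size
    }


if __name__ == "__main__":
    print("sample page platform:", fingerprint_platform(SAMPLE_HTML))
    for fp, domains in flag_networks(RECORDS).items():
        labelled = dict(zip(("registrar", "cdn", "platform", "acquirer"), fp))
        print(labelled, "->", domains)
```

The clustering is deliberately conservative: any single attribute (a popular registrar, a CDN used by millions of sites, an open-source cart) is weak evidence on its own, so the code only flags domains that agree on the whole tuple and only when several of them do.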
“For the average customer, there is no visible link between different sites within the network, as each appears to be a separate, legitimate store,” Gemini says. “The websites use Google Ads and social media advertising campaigns to entice customers with offers for goods at discounts below market prices. The websites’ advertisements almost always state that the deals are part of a limited-time sale to pressure potential customers into purchasing.”