Fraudsters exploit any site that offers opening a vendor account
Fraudsters are continually coming up with new and interesting ways to steal money from innocent victims, which doesn’t really come as much of a surprise, does it? There’s already a wide range of methods in place that are tried and proven. For example, a fraudster might use a social engineering scam to trick a victim’s family and friends into wiring cash to a bank account supposedly on the victim’s behalf, not knowing that cash is going straight into the hacker’s pocket. Or, a hacker might use a phishing attack to gain access to a victim’s bank account and make fraudulent money transfers on their behalf. But stealing money through a vendor account is one newer method that appears to offer quicker and more direct “cashout” opportunities than others.
What’s a vendor account?
By vendor account, I’m referring to an account on any website or service where someone can receive money. Here are a few examples:
- A crowd funding site like rally.org
- A site like eventbrite.com that allows users to set up events and sell tickets for them
- A site such as teespring.com where users can design and sell t-shirts
It doesn’t matter what you can sell on these sites—any site that allows you to set up an account and sell something is interesting to fraudsters. Actual merchant accounts, which allow users to process credit cards online for items they’re selling, are also a hugely sought-after commodity in the underground.
Why are these sites are such a target to cybercriminals?
The reason sites that support vendor accounts are so popular to fraudsters is that they give fraudsters a more direct route to obtaining cash from stolen credit card credentials. If we look at a more traditional method for using stolen credit cards to get cash, the benefit here becomes instantly visible.
One of the most popular items traded in the underground is the compromised credit card. At any given time, millions upon millions of compromised cards from all over the world are being traded and sold in the underground, often through automatic sites that basically act as ATMs of stolen credentials. The way to cash out credit cards, or turn stolen credit card credentials into real cash, is by carding—using a compromised credit card to fraudulently purchase something like a cool new tablet or a fancy new smart-watch. This item gets shipped to an address where the fraudster can accept the package, and is then sold for cash (or used by the fraudster, saving him the money he would’ve spent purchasing it legitimately).
With vendor accounts, fraudsters can cash out credit cards much quicker. Here’s how it works:
- The fraudster opens an account at a site that supports vendor accounts. For this example, we’ll use a site where a person can design and sell t-shirts.
- Next, he links a bank account to the vendor account he just created. This is the bank account that will receive the money “earned” by “selling” the t-shirts.
- Now, the fraudster creates some t-shirt designs and “puts them up for sale.”
- This step is crucial! The fraudster will now change his IP address using a proxy server in order to appear as though he’s someone else. This allows him to select one of his own t-shirt designs and start purchasing shirts using compromised credit cards he purchased in the underground.
- The site charges these compromised cards and credits the fraudster’s vendor account.
- If everything goes smoothly and the fraud isn’t detected, the site sends the money “earned” from the sold t-shirts to the bank account from step #2.
Pretty easy, right? Using a vendor account to cash out stolen credit cards purchased in the underground offers fraudsters a simple way to get cash in-hand, quick.
If you’re wondering whether vendor sites don’t look out for these types of schemes, the answer is that they do, of course. But there are plenty of tutorials and guides available in the underground that show fraudsters exactly how they need operate on each site to ensure that they don’t get caught.
Keep an eye on your credit cards!
The ease with which a fraudster can use stolen credit card credentials to obtain cash makes it all the more important to keep an eye on your financials. If you see an unfamiliar transaction on any site that supports vendor accounts, there’s a good chance your credit card information has been stolen. We’d even bet this is more often the case than a mere mistake on the site’s part.