Multi-million-dollar Credit Card Scam Uncovered – Expert Comments

ReasonLabs researchers detail the activities of one of the largest fraudulent online credit card schemes active today. The sophisticated scam has reportedly siphoned tens of millions of USD from credit cards since its launch in 2019. Excerpts:

The fraudster’s strategy includes operating a massive fake network of dating and adult websites with functional customer support capabilities. Once the sites are live, the scammers coerce payment providers to gain the ability to accept credit card payments. At this point, the fraudsters search the darknet and acquire thousands of stolen credit cards and charge them to their fake website’s services.

We estimate it has amassed tens of millions of dollars in fraud from tens of thousands of families and individuals. We estimate it is operated by a crime syndicate and found evidence that it originated in Russia. The infrastructure is built on top of Amazon Web Services and uses GoDaddy to circulate hundreds of domains.

2 Expert Comments
Timothy.morris, Technology Strategist
InfoSec Expert
September 26, 2022 2:10 pm

First, this scam isn’t surprising; however, the sophistication is brazen. Real companies can run virtually so it isn’t hard to imagine fake companies running virtually. Front-end user interfaces, backend customer support, payment providers, etc. give this swindle all the ingredients of legitimacy.

Secondly, there is the more “human” element, as in there were most likely legit people giving crooks their credit card information seeking hookups.

The type of domains used to lure susceptible victims preys on human emotion. This emotional extortion or blackmail of victims works both ways: first the lure having something the victim desires, then the guilt, shame, or embarrassment that prevents them from reporting the fraud. This may be why the con artists have been able to operate for so long without being caught.

This has an impact at several levels. The monetary theft from the victims, the credit card companies that pay for the charges that are challenged and won, plus, the time and money both parties expend disputing the fraudulent charges.

Lastly, I can imagine the emotional toll on victims and their families. As mentioned, the person that made the charge has been embarrassed and is trying to hide the charge. Or, in the case of using a stolen card, the distrust created by a spouse or partner questioning why a charge like that is on their statement.

Consumers should always monitor their credit reports and set up notifications with the credit card companies to be notified via text anytime a charge is made to their card.

Matt.mullins, Senior Security Researcher
InfoSec Expert
September 26, 2022 2:09 pm

Credit card scams have been around forever in a number of iterations, with this newer iteration having been a simple variation on old tricks. Typically, criminals will improve just enough to continue to acquire massive profit on minimal effort (thus a great ROI). This network of scamming websites appears to have the watermark of some modicum of sophistication though, with even a potential degree of automation due to the re-use of multiple assets with throwaway domain names.

An interesting aspect of this is of course the social engineering vector of being “caught” doing something wrong or illicit. Dating sites, adult sites, and other services have social stigmas associated with them that puts the victim in a questionable light. This questionable light also makes it more likely that a victim will try to resolve it themselves versus calling up a customer service representative and trying to resolve it.

In the past, scams like this existed for subscription services for things like SMS / Text messages, YouTube channels, and other vectors which allowed criminals to rake in steady streams of cash that flew under the radar. For example, individuals would use YouTube voting on viral videos to encourage users to “vote” which would enroll them in an SMS service that would charge an enrollment fee monthly. The hope being that the user wouldn’t notice because their credit card was on auto draft from the provider. With the duration working in favor of the attacker because the claim would look illegitimate due to “using the service” for longer periods of time, thus providers not wanting to eat the cost. As outlined in the article, there are some things the scammers are doing to appear legitimate, even if the scoring (using a system like Vantiv) has flagged it as suspect.

Review of one’s finances and credit card statements is always advised as a stalwart approach against these sorts of scams. Some companies (like Capital One) are excellent about notifying customers if there are anomalies or deltas in their standard bills. Lastly, using ephemeral card services (or virtual card in some circles) can prevent these sorts of attacks as well since the card is not static like a traditional credit card.
