E-commerce continues to take a bigger bite out of holiday shopping sales, and this year is no exception. In fact, according to a study by Deloitte, 59% of holiday shopping will be done online with expected sales in the range of $144 to $149 billion. Fraudsters are well aware of this and have been preparing all year in a number of ways.
Starting well in advance of the Black Friday sale day that kicks off the holiday shopping season for so many consumers, it is common practice among fraudsters to start advertising their own Black Friday sales and offers in the black market. These ads come in a variety of forms. In some cases, they are looking for mules to assist in performing money transfers or the reshipment of goods. Other ads offer compromised card details for sale. It is not uncommon to see card data sold in bulk as fraudsters look to offload excess inventory. Card details are sold across regions and come in the form of both CVVs (captured online payment card details that are mostly obtained through phishing and malware) and dumps (magnetic stripe/track details that are obtained via ATM or PoS skimming and used for cloning physical cards).
Below is an example of just one of many ads posted by a fraudster in an ICQ fraud group. The price per compromised card depends on the region where the stolen card originates.
ICQ chat rooms are not the only places that fraudsters are advertising their illicit wares. They continue to expand their advertising across social media as well. A comprehensive study of this phenomenon by RSA® showed that more than 50% of fraudulent activity occurring on social media was attributed directly to carding and the sale of compromised cards.
Since the start of 2019, RSA has uncovered more than 26 million unique compromised payment cards and card previews from reliable online fraud stores and other sources. This is a 23% increase from 2018. Other large caches of stolen payment cards have also recently been reported, including the infamous BriansClub, which was itself hacked and had its database of stolen card information leaked to cybersecurity blogger Brian Krebs.
Based on the compromised payment cards recovered by RSA from online credit card stores during the first half of 2019, an in-depth analysis of the data shows that 92% of all compromised payment cards for sale in the black market can be attributed to just 15 countries. Among those countries, 88% of all compromised cards can be attributed to only six countries. The breakdown of compromised payment cards among the top 15 countries follows.
Overall, card demand per country stems from a variety of factors. An obvious one, for example, is the number of people within a specific region who are falling for phishing or malware attacks, which fuel the card economy. A more practical one is the number of options available to the fraudster for cashing out the card, such as the ability to link the card to various payment services or commit e-commerce fraud. In other words, how easy is it to monetize the card?
During this year's holiday shopping season, it is important for consumers to be extra vigilant. Consumers should be wary of phishing emails or text messages purporting to be from their bank or card issuer. A recent warning from the Cybersecurity and Infrastructure Security Agency (CISA) noted that because consumers are likely to be spending more on high ticket items, they might expect to receive an alert asking to confirm a suspicious transaction. Criminals know this and will take advantage of consumers having their guard down, sending messages that attempt to redirect them to a phishing site or get them to download malware.
Consumers would also do well to monitor their credit card and bank statements more frequently for fraudulent activity at this time of year, looking specifically for purchases they did not make. E-commerce fraud is particularly prevalent now, as fraudsters know that merchants and card issuers might relax their standard security protocols during the holiday shopping frenzy in order to increase transaction volume and avoid interruptions to the customer experience.
Black Friday was originally a phrase used to describe the disorder and traffic congestion in shopping areas the day after Thanksgiving. Retailers did not like the negative connotation and tried to spin it into a positive by using the name as an indicator of profitability due to the increased shopping traffic during the holidays. As retailers go into the black (profit) and consumers go into the red (debt), let's make sure it is at our own behest and not the result of a fraudster.
# # #
Machine learning is more than just a buzzword when it comes to fraud detection. It is used widely by card issuers and merchants to detect up to 95 percent of fraud without disrupting users. Learn more about how machine learning is being used to detect payment fraud in the e-book, "RSA Risk Engine: More Fraud Detection, Less Intervention."