Russian Credit Card Fraud Gangs Offering Courses to Would-Be Crooks
Risk management company Digital Shadows has recently uncovered remote learning “schools” offered by cybercriminal gangs. The six-week courses, which are only available to Russian speakers, include webinars, detailed notes, and course materials.
The courses, which cost $745 plus $200 for course fees, are taught over 20 lectures by 5 instructors. Advertisements promise the potential of making $12,000 per month based on a 40-hour work week. Since the average Russian monthly wage is less than $700 per month, this income would be attractive to many.
Digital Shadows also found that there appears to be a “code” among Russian cybercriminals, as many of these groups say that “students” cannot sell Russian credit card details. However, selling non-Russian card details is a lucrative endeavor. On two of the most popular “carding” forums on the Dark Web, Digital Shadows found 1.2 million card holder details.
The average price for credit card information is $6, but prices vary based on the level of security associated with the credit card. The least expensive are those that require additional authentication to “cash out.” Generally, these require a PIN, which can be difficult and time-consuming to discover. To get this information, criminals will call cardholders using social engineering techniques, which these courses teach their students. Instructors tell their students how to manipulate victims by gaining knowledge of the victim’s local area or building rapport. One instructor wrote, “that’s why I always advise to watch the news because with such incidents, it is possible to play beautifully.”
Digital Shadows also found that credit card criminals fall into four main groups:
- Payment Card Data Harvesters steal credit card information through point-of-sale malware, skimming devices, phishing, database breaches, or operating botnets.
- Distributors are middle men who generally make the most money. Unlike harvesters, who generally use the stolen credit card details themselves, distributors will package, repackage, and sell the card information.
- Fraudsters are generally less technical than harvesters and are more likely to be caught by law enforcement. They generally acquire payment card information for a distributor and rely on online courses to learn the latest techniques.
- Monetization actually encompasses many different roles. These individuals are generally tricked into operating drop addresses and are involved in reselling fraudulently acquired goods.
Rick Holland, VP Strategy at Digital Shadows said, “This ecosystem is highly complex and international. At each stage, it creates victims – from the card industry that loses $24 billion a year to consumers who are frequently duped into revealing their card details. One of the key themes that stood out for us is the level of ‘social engineering’ criminals are now using. Aggressive and manipulative phone calls to victims to reveal PIN numbers is just one example of this.”