[Fraud Series: Topic 4] Fraudsters are no longer showing site loyalty

I’ve been analyzing the online behavior patterns of criminals for about 4 years now. When I first started, the criminals were clearly “specialists” targeting a particular vertical market with their organized crime operations, e.g., online gaming, Internet dating, eCommerce, or financial institutions. They would craft their schemes to specifically exploit a victim Web site until they got caught. Then, they would simply shift their focus over to the next Web site with similar vulnerabilities in that same vertical market.

However, more recently I’ve been noticing fraud rings crossing over vertical markets and perpetrating their crimes/scams simultaneously upon multiple Web sites. I’ve seen, for example, criminals who have been committing Internet dating scams now moving into other vertical markets like eCommerce. In one case, a fraudster was buying “items” at an online jewelry site using a stolen credit card. Simultaneously, he/she was creating accounts on an Internet dating site, paying for their subscription using a stolen credit card.

Conclusively, fraudsters are “diversifying” their operations and committing various forms of fraud across a spectrum of vertical markets in order to increase their return on investment. However, I do still see the “old school” fraudsters sticking it out within the same vertical and focusing their efforts to try and overcome deployed fraud prevention tools within that vertical market.

My advice is simply this: don’t limit yourself to fraud strategies specific to one vertical market. The most effective fraud strategies today are the ones that leverage fraud intelligence collected from across the Internet, not just a subset community.

[Fraud Series: Topic 3] Credit Card Phone Scam

This isn’t an online fraud, per se, but since both ANI/MIN/CLID spoofing and credit card frauds are current topics of discussion, I thought you’d find this interesting (if only for your own personal protection). The following is an example of both a credit card scams to collect from me all of my key credit card information so the criminal could use my card to purchase stuff online, via ANI/MIN/CLID spoofing (making the caller-ID be some other number) .

I just received a phone call on my cell phone (from a Voice Response Unit-VRU) with a caller-ID number of 321-504-7429. The recorded message said…

“This is your final notice to lower the interest rates on your credit card…blah blah blah…please select 1 to lower your rates now…blah blah blah”. I hung up, as should you!

Notes/Warning Signs:

1. There was no indication for which bank it was calling me (I actually have 3 credit cards from 3 different banks).
2. There was no authentication for who the credit card actually belongs to e.g. they might have said my name so I know it’s me their looking for.
3. They called my work cell phone, which was likely taken off my business card picked up from one of our show booth tables. I NEVER use my business cell phone for credit card accounts.
4. After I hung up I dialed the number back, and as expected it said, “The number you are trying to reach has been disconnected and is no longer in service.”

[Fraud Series: Topic 2] Stolen Credit Cards

There isn’t much I can add to the discussion on the topic of criminals using stolen credit cards to make purchases online. I could talk about various methods used to catch them. However, this week what I thought would be interesting is to comment on the relationship developing between “Easy Identity Theft” and the fraudulent usage of credit cards.

Like many Americans, I used to think that the only way a criminal could use someone’s credit was to steal the plastic card, or at minimum steal the numbers and CVV off of it, to make fraudulent purchases. But now, as I discussed last week, I know that this is not the only use case. In fact, more and more people are starting to fall prey to criminals acquiring their personal information and then applying for credit cards on their behalf. In this scenario, the victim may or may not receive the invoice for the credit card. If they do, they are left with protesting and deactivating this account, if not it could go completely undetected and have lasting consequences.

This is one of the most common uses of identity theft and potentially has the most adverse impact, because unlike a fraudulent charge to your credit card, which most often is credited back to your account, a fraudulent credit application may go undetected and can negatively impact your credit rating for years.

Next blog [Fraud Series: Topic 3] Advanced Fee Frauds

[Fraud Series: Topic 1] Easy Identity Theft

I used to think it was very difficult to steal "good" identity information. But after a little research, I have learned it's really very easy!

CASE 1: Criminals simply drive into any community that re-cycles and pick up the bags left at curbside. This is nice, clean, paper (no smelly garbage mixed in it). The criminals instantly get the "victims" address (it's on the envelopes) , and all they need to do now is search through the papers for names, telephone numbers, bank account #'s, social security #'s...you name it, it's in there!

CASE 2: Criminals go to any domain name registrar (like www.godaddy.com) and purchase a seemingly legitimate URL, something like "www.californiarefinance.org". And if they're not a programmer, then they'll simply go visit an existing bank's web-sites and copy their pages. Using a tool like Adobe's DreamWeaver they can quickly build a "fake" web-site for their fake business. Now they're ready to apply at a search engine, pay top dollar for the best home mortgage refinance search terms, such as:"refinance", "mortgages" etc. to link to their new domain name. Finally, real victims come willingly to visit their web-site. The victim enters page after page of personally identifiable information, which is then immediately stored in a database. The victim might be told they will receive an email notification regarding the status of their application (but they either never get the email, or the email simply says, "I'm sorry, your application has been declined."). Either way, the criminal now has the victims very good identity info.

In both of the above cases, the criminal can use your information and apply directly online for credit cards, on your behalf.

Next week's [Fraud Series: Topic 2] Stolen Credit Cards.