The crooks specialize now, from malware coders to mules
Published Jan. 26, 2015 for CreditCards.com
By Karen Haywood Queen
You open your credit card bill and see a bogus charge. Yep, you were hacked. You’re not alone – but most likely, neither was the criminal who used your card.
Card fraud is a staggeringly big business: A Federal Reserve payments study released in July 2014 found more than 28 million unauthorized transactions on credit, debit and prepaid cards, totaling $4 billion in fraudulent charges. Behind those numbers are multiple layers of criminals.
“A lot of people assume that the hacker is the person who steals the credit card number and uses it — a single person,” says Jeff Foresman, information security compliance lead with Rook Security in Indianapolis. “But the concept of some guy sitting in his basement doing all this is not valid anymore.”
Until 2003, most online crimes were isolated vandalism — “anti-social self-expression using high-tech means,” according to a 2013 report from Kaspersky Lab. By contrast, today’s cybercrime is a sophisticated, widespread business meant to make money illegally, the report says.
While a few rogues still steal information and use it themselves, most credit card fraudsters are part of a large underworld industry.
Organized crime, much of it based in Eastern Europe and Russia, helps bankroll the criminals involved, says Loc Nguyen, chief marketing officer at data security company Feedzai Inc., in San Mateo, California. An IT specialist working for organized crime gangs in Eastern Europe can make 10 times what he’d make in a legitimate job — or more.
“These are not high school kids — these are highly organized, well-funded organizations,” says Nguyen. “The business of hacking has gone from a mischievous activity conducted by hobbyist developers to an occupation of paid professionals working closely with organized criminals. Just like any company, they have specialists, people who write the code, people who run the equivalent of e-commerce sites and people who buy the card numbers. They have upper management and an endless supply of workers.”
There are multiple ways to get your credit card information and there are different types of criminals who specialize in each. Once they have your info, numerous players stand ready to use it for their profit. The whole industry includes malware writers, several types of thieves who use card skimmers, operators of websites selling card data, credit card counterfeiters and end users: people who buy and shop with stolen credit cards. (To get a taste of life on the lower rungs of this criminal enterprise, check out “A day in the life of a common credit card crook.”)
Sound complicated? This guide breaks down the eight professions and their job descriptions.
- Malware writers
Malware authors write the software code that remotely hacks into major databanks to get stored credit card numbers, Nguyen says. Many are young men who are either from Eastern Europe and Russia, or who have connections to people in those areas, he says. Some malware writers are part of organized crime rings, others are freelancers selling code with no idea of who uses it, says Jay Jacobs, managing principal and co-author of the 2014 Verizon Data Breach Investigations Report.
“Someone will create the malware, then they sell it for hackers to use to steal credit card data,” Rook Security’s Foresman says.
The code writers evolve quickly to stay ahead of the good guys. After the 2008 arrest of master hacker Albert Gonzalez for, among other things, stealing credit card information from clothing retailer TJ Maxx, malware writers changed their focus from major companies to smaller businesses, Jacobs says. They began using devices or small programs known as keystroke loggers to capture information typed into the systems of small businesses whose point-of-sale terminals are often open directly to the Internet via third-party servers, Jacobs says.
Now the focus is back on major retailers and businesses using programs called RAM scrapers that take payment card information from the merchant’s point-of-sale system while it’s still being processed inside the terminal, Jacobs says.
Because the terminals at large businesses are not directly connected to the Internet, the criminals must work their way through the company’s system to find a part that is connected to the Internet so they can get the stolen data out. That can take time, but the payoff is potentially huge. “Rather than focusing on 10 victims and getting a little data from each, there’s a shift back to multiple weeks targeting a lot of data from one large victim,” Jacobs says.
- Phishers and spoofers
Some malware coders specialize in creating phishing emails designed to get you to give up your personal information. Others perform these duties in addition to writing other kinds of code, Nguyen says.
These phishing fraudsters may work with or separately from spoofers — criminals who create websites that are designed to look like the real thing but are instead run by criminals seeking your personal information, Nguyen says.
“They may have hacked into a database to get your email address,” he says. That’s why you should be concerned about email hacks such as the one discovered at Home Depot.
Besides targeting consumers, phishers also often target nontechnical employees of banks or retailers that handle a lot of consumer data. The “From” address is spoofed to make it look like it has come from a trusted insider.
- Shady clerks and wait staff
The same guy that’s serving your food may be dishing out your credit card number to an organized crime ring. Gangsters sometimes score credit card information by putting employees of legitimate businesses on their payroll, Jacobs says. “They’ll approach an employee — at a restaurant, hotel, retail chain or anywhere that handles credit cards — and bribe them” to skim customers’ credit card numbers when they swipe the credit cards, he says. “The employee is paid by the number of cards they’re able to skim.”
These employees use small portable skimmers that fit in the palm of the hand and steal your credit card number as they process your payment for the legitimate business, he says.
Working the skimmer scam in person is easier at restaurants where the server takes your card away than at retailers or hotel chains where the employee has to use the skimmer under the counter right in front of you, Jacobs says.
Although many of these workers answer to organized criminals, some work alone, skimming your credit card information for themselves, Jacobs says.
- Skimmer installers
Another brand of criminals mounts hidden skimming equipment anywhere credit cards are swiped. Good targets are unmonitored payment locations, such as gas pumps, vending machines and train ticket kiosks, Jacobs says.
These skimmer installers vary widely in skill and sophistication. Like the shady employee with a skimmer, some operate as part of organized crime gangs and others operate alone.
They may leave a skimmer in one location for a few days, gather a few hundred credit card numbers and then stop collecting data before they get caught. “The longer the skimmers are on there, the more likely they are to get noticed,” Foresman says.
Yesterday’s old-style skimmer installers were often caught when they came back to retrieve the equipment and stolen data. New technology creates wider buffers. Today’s more sophisticated installers use skimmers connected via Bluetooth so they can download stolen data from the safety of the parking lot, the Verizon report says.
Tech savvy fraudsters can also buy skimmers with built-in SIM cards enabling remote configuration, remote data uploading and even tamper alerts that, if triggered, will cache the data and send it out immediately.
Sometimes these skimmers also are paired with cameras or keystroke loggers to capture additional information including your PIN, ZIP code and the card validation code (also called CVV2 or CVC2) that is written but not embossed on your credit card, Foresman says.
- Fake technicians
This con artist looks and acts like a company technician. But beneath the designed-to-fool persona you’ll find a fraudster out to tamper with a legitimate company’s credit card processing machines.
The scenario plays out with someone walking into a store with an authentic-looking work order to replace the old credit card terminal, Foresman says. But this tech guy has no connection to the real processing provider. The new terminal installation comes with an extra feature: a computer chip that copies credit card numbers and sends them out to another online server.
These setups allow fraudsters to get all the magnetic stripe information and PIN numbers from swiped cards, Foresman says. “If I can capture the entire track that’s on the magnetic strip on the back, I can make a new card or overwrite an existing card,” he says.
- Counterfeit credit card manufacturers
These modern day counterfeiters don’t make $20 bills. Instead, they buy stolen credit card numbers and make fake credit cards. All that’s needed are imprint machines, a magnetic card writer and, sometimes, credit card stock — all of which are for sale legally, Nguyen says.
“With less than $1,000 invested, you can have your credit card maker,” he says. “The equipment itself isn’t illegal.”
Sometimes, criminals don’t even need new card stock. Instead, they can take the magnetic stripe data from the stolen cards and overwrite it onto existing credit cards or even onto hotel key cards, Nguyen says.
That’s one reason merchants may ask to see your credit card for a transaction. They want to compare the last four numbers embossed or printed on the front of the card with the last four digits of the account number that the magnetic stripe sends to their system to make sure it matches, he says.
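The last-four comparison described above, sketched as an added example (not from the original article or any merchant's system): it parses constructed Track 2 data in the ISO/IEC 7813 layout and flags a stripe whose account number does not match the card face. The function names and sample swipes are assumptions; the card numbers are public test values.

```python
import re

# Track 2 layout (ISO/IEC 7813):
#   ;  PAN (up to 19 digits)  =  YYMM expiry  3-digit service code  discretionary data  ?
TRACK2 = re.compile(r"^;(?P<pan>\d{12,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d*)\?$")


def luhn_ok(pan: str) -> bool:
    """Luhn checksum: catches mistyped or corrupted account numbers."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def check_swipe(track2: str, front_last4: str) -> dict:
    """Compare the account number read from the stripe with the last four
    digits the clerk reads off the front of the card (hypothetical helper)."""
    if not re.fullmatch(r"\d{4}", front_last4):
        return {"ok": False, "reason": "front digits must be four digits"}
    m = TRACK2.match(track2.strip())
    if not m:
        return {"ok": False, "reason": "unreadable track 2"}
    pan = m.group("pan")
    masked = "*" * (len(pan) - 4) + pan[-4:]   # never log the full number
    if not luhn_ok(pan):
        return {"ok": False, "reason": "PAN fails Luhn check", "pan": masked}
    if pan[-4:] != front_last4:
        # Stripe carries a different account than the plastic shows:
        # the pattern produced by overwriting an existing card.
        return {"ok": False, "reason": "stripe does not match card face", "pan": masked}
    return {"ok": True, "reason": "match", "pan": masked}


# Constructed sample swipes using public test card numbers.
GENUINE_SWIPE = ";4111111111111111=30121010000000000?"
REENCODED_SWIPE = ";5555555555554444=30121010000000000?"  # card face still ends 1111

if __name__ == "__main__":
    print(check_swipe(GENUINE_SWIPE, "1111"))
    print(check_swipe(REENCODED_SWIPE, "1111"))
```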
- Data sales websites
The credit card numbers that don’t end up on fake cards often end up on websites offering credit card numbers for sale. Operators of these sites offer thousands of credit card numbers and associated information for sale.
“You can go online and buy 1,000 Visa platinum cards,” Foresman says.
Also for sale are card expiration dates, card validation codes, ZIP codes and PINs, Foresman says. The prices vary from $2 for a single unchecked credit card number to more than $100 for a complete data set called fullz.
“It’s just like eBay,” Nguyen says. “You go on, put in your search criteria, where you want the card. Do you want MasterCard or Visa? Do you want the PIN and the address? The more valuable the information, the more the fraudsters are willing to pay for it.”
Unattended gas stations and vending machines are more than great places to obtain credit card numbers — they’re also good places to test hot cards and card numbers, he says. If a small purchase goes through, the card is verified.
- Shoppers, mules
At the end of the chain are crooks who buy the fake credit cards or fraudulently obtained card numbers and shop with them, typically for items that then can be resold. They buy big-ticket items at electronics stores such as Apple or major retailers such as Home Depot, Nguyen says.
Grocery stores — because they sell gift cards that can easily be resold — are another big target. “They want to use cards and get cash out of the system,” he says. “They buy $500 or $1,000 worth of gift cards and go and resell them.”
Spending habits differ by the mode of purchase. Thieves who use the cards in face-to-face transactions tend to spend about $450 in the course of a week, often at supermarkets and home-supply warehouses, according to data compiled by Feedzai.
Those shopping online tend to spend about $900 over five days. They target electronics sellers and discounters, according to Feedzai data. To avoid detection, they have the items shipped somewhere other than their home address, Nguyen says.
Though the latter would seem to be more efficient, it’s all a matter of taste if you’re a criminal. In-person crooks prefer not to have to deal with e-commerce hassles such as fake shipping addresses or proxy servers. “To each their own,” says Nguyen. “The opportunity, or ‘market,’ for fraud is so big that there’s room for all kinds of talents, just like honest professions.”
Sometimes, “mules” are hired to do the shopping — often unaware that they’re part of a scam. These end-of-the-line criminals are the ones who tend to get caught, Nguyen says. “They get arrested, make the news, and then are replaced with other people,” he says.