As happens with ransomware and other forms of cyber crime, the credit card fraud landscape tends to evolve and follow “industry trends” over time. A new report from threat intelligence firm ReasonLabs finds that since 2019, at least one major gang in this space has switched focus to building out fake dating and customer support websites and using these to trick legitimate payment processors into granting them access to their services.
Once the scammers have the ability to charge credit cards, they purchase stolen cards from the dark web and run charges against them.
Fake dating, customer support sites aimed at tricking legitimate payment processors
Merchants generally need to show some evidence of a legitimate business, such as a functioning online store, to set up an account with payment processing platforms. Dating sites might seem like a counterintuitive choice for credit card fraud at first, as payment processors generally classify them as “adult sites” and a “high risk” category due to unusual amounts of chargebacks and fraudulent payment attempts. However, the fact that these businesses are known to have high rates of chargebacks also works in the attacker’s favor by providing an explanation for what would otherwise be seen as unusual business activity. The attacker is also likely targeting more fringe payment processors that have a lower bar of acceptance for “high risk” businesses.
Dating sites with implications of pornography or prostitution seem to be the attacker’s primary focus. ReasonLabs finds that there are about 200 of these domains involved in credit card fraud, often focusing on things like specific fetishes or marital affairs. These sites use a fairly stock but legitimate-looking design, and sometimes incorporate elements such as affiliate links and ads for other adult sites to look more natural. However, if one registers an account and digs into the sites, one quickly finds there are very few dating profiles available; the attackers apparently count on payment processors not going that far. Another tell is that these sites are hard to find with search engines, have very little traffic, and have traffic that disproportionately comes from a single source.
The customer support sites, of which there are about 75, are meant as a secondary element that helps to add legitimacy to the scam and obfuscate the credit card fraud. These generally have vaguely legitimate-sounding names such as “westfee” or “idatabill,” some attempting to directly copy existing services of this type by changing or omitting a letter or two. The attackers include a “virtual chat” feature that is continually staffed, because this is a standard element that payment processors check when assessing legitimacy. The group that this report investigates actually contracts with a legitimate outsourced customer support service to monitor all of these sites.
Once the attacker has convinced the payment processor that the websites and customer service portals are legitimate businesses, the path to rampant credit card fraud is opened. An account with the payment processor equals the ability to charge credit card numbers that the business has access to, which the hackers obtain from the dark web. The research finds that at any given time there are millions of card numbers available for purchase in this way, and that the scammers are mostly targeting cards from the United States and France.
With working credit card numbers in hand (usually filtered out with a series of small test transactions), the attackers subscribe the victims to a made-up subscription service for one of their fake dating sites that bills them on a recurring monthly basis. To fly below the radar, the attackers keep the charge amounts relatively small and bill under a generic name in the hopes the victim will not notice the charge on their statements. If the victim does notice, they are provided with a link to easily unsubscribe from the “service”; this is to the overall benefit of the scammer, as each of their websites is only allotted so many chargebacks with the card issuer per month before they get into trouble with the payment processor. They may also offer a toll-free number for canceling the subscription.
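A statement-review check for the billing pattern described above, as an added example that is not from the ReasonLabs report: it flags a card where a very small charge is followed within days by a small, fixed-amount charge that then repeats monthly under the same descriptor. The ledger rows, descriptor names and every threshold are constructed assumptions.

```python
from collections import defaultdict
from datetime import date

# Constructed ledger rows: (card id, date, statement descriptor, amount in USD).
SAMPLE = [
    ("card-A", date(2022, 1, 3), "GENERIC*BILLING", 1.00),   # test charge
    ("card-A", date(2022, 1, 5), "GENERIC*BILLING", 29.95),
    ("card-A", date(2022, 2, 5), "GENERIC*BILLING", 29.95),
    ("card-A", date(2022, 3, 7), "GENERIC*BILLING", 29.95),
    ("card-B", date(2022, 1, 10), "GROCER 114", 54.20),      # ordinary spending
    ("card-B", date(2022, 2, 11), "GROCER 114", 61.75),
    ("card-C", date(2022, 1, 2), "STREAMCO", 12.99),         # subscription, no test charge
    ("card-C", date(2022, 2, 2), "STREAMCO", 12.99),
    ("card-C", date(2022, 3, 2), "STREAMCO", 12.99),
    ("card-D", date(2022, 1, 4), "GENERIC*BILLING", 0.50),   # test charge only
]

# Default thresholds are illustrative assumptions, not values from the report.
def find_test_then_subscribe(txns, test_max=2.00, small_max=50.00,
                             test_window_days=7, period=(25, 35), min_repeats=2):
    """Return (card, descriptor, amount, charge_count) for each suspicious pair."""
    by_pair = defaultdict(list)
    for card, day, descriptor, amount in txns:
        by_pair[(card, descriptor)].append((day, amount))

    hits = []
    for (card, descriptor), rows in sorted(by_pair.items()):
        rows.sort()
        tests = [day for day, amount in rows if amount <= test_max]
        if not tests:
            continue  # no micro-charge, so not the pattern described
        first_test = tests[0]
        # Group the later small charges by identical amount.
        by_amount = defaultdict(list)
        for day, amount in rows:
            if test_max < amount <= small_max and day >= first_test:
                by_amount[amount].append(day)
        for amount, days in sorted(by_amount.items()):
            if (days[0] - first_test).days > test_window_days:
                continue  # billing did not start right after the test
            gaps = [(b - a).days for a, b in zip(days, days[1:])]
            monthly = sum(period[0] <= g <= period[1] for g in gaps)
            if monthly >= min_repeats:
                hits.append((card, descriptor, amount, len(days)))
    return hits

if __name__ == "__main__":
    for hit in find_test_then_subscribe(SAMPLE):
        print("review:", hit)
```

An ordinary subscription (card-C) and a lone test charge (card-D) are deliberately not flagged; only the combination of the two signals is.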
Credit card fraud schemes evolve to use multiple layers, psychological elements
This layered credit card fraud scheme is thought to have netted tens of millions of dollars over the past three years. The particular group that ReasonLabs studied is thought to be based in Russia, to register its domain names with GoDaddy and to build its infrastructure with Amazon AWS.
The key reason for the group’s ability to grow to this size and operate for so long without detection is not just its cautious approach in dealing with payment processors and billing victims, but also its psychological manipulation of victims. Targets do not want to be linked to an “adult” site even if it was not a transaction that they initiated, and the anonymized nature of the billing does not look out of place for these sorts of services.
Matt Mullins, Senior Security Researcher for Cybrary, notes that this is just a new iteration of an old scam that has been seen on various social media sites: “In the past, scams like this existed for subscription services for things like SMS / Text messages, YouTube channels, and other vectors which allowed criminals to rake in steady streams of cash that flew under the radar. For example, individuals would use YouTube voting on viral videos to encourage users to ‘vote’ which would enroll them in an SMS service that would charge an enrollment fee monthly. The hope being that the user wouldn’t notice because their credit card was on auto draft from the provider. With the duration working in favor of the attacker because the claim would look illegitimate due to ‘using the service’ for longer periods of time, thus providers not wanting to eat the cost. As outlined in the article, there are some things the scammers are doing to appear legitimate, even if the scoring (using a system like Vantiv) has flagged it as suspect,”
“Review of one’s finances and credit card statements is always advised as a stalwart approach against these sorts of scams. Some companies (like Capital One) are excellent about notifying customers if there are anomalies or deltas in their standard bills. Lastly, using ephemeral card services (or virtual card in some circles) can prevent these sorts of attacks as well since the card is not static like a traditional credit card,” recommended Mullins.