It’s been just over two years since the liability shift around EMV pushed retailers and financial institutions towards adopting chip-enabled cards and terminals, and the fraud landscape for cybercriminals has shifted along with that adoption.
In June, Visa reported that it had issued nearly 450 million chip cards and that 50% of U.S. storefronts now accept the more secure payment cards. Visa also said that merchants who have upgraded their systems saw their counterfeit fraud dollars drop substantially from the previous year.
However, fraud is not disappearing, it’s just shifting, said Monica Eaton-Cardone, the co-founder and COO of Chargebacks911, on SurfWatch Labs recent Cyber Chat podcast.
“We have enough adoption — enough people, enough merchants are making that transition — that it’s already scared a lot of the criminals who were preying on these card-present ways of stealing cards, and they’ve already started leaving that market,” Eaton-Cardone said. “Unfortunately, what has happened is that all of that criminal activity has just migrated to the online environment.”
Squeeze one area of fraud, and malicious actors will simply rush to exploit other areas — a “fraud balloon,” as SurfWatch Labs Adam Meyer describes it. For example, in recent months SurfWatch Labs has observed an increase in both cryptocurrency attacks and attacks against consumer accounts tied to payment card information, and gift card fraud is expected to surge in the coming months as well.
Although the fraud landscape is shifting, ample opportunity still remains for fraudsters to exploit the old payment cards. The EMV liability shift for gas station pumps, which holds merchants using outdated technology responsible for fraudulent transactions on EMV cards, was originally set to go into affect last month — but that has since been pushed back until October 2020. Visa said the delay was due, in part, to gas stations needing more time to upgrade because of issues with a sufficient supply of regulatory-compliant EMV hardware and software.
Merchants have traditionally been focused on removing friction from purchases and making the process as fast as possible, Eaton-Cardone said. As a case in point, Chipotle announced a point-of-sale breach earlier this year after reportedly stating prior to the 2015 EMV deadline that it did not plan on upgrading its point-of-sale systems due to concerns such as increased transaction times.
“When you’re focused on speed, you’re probably not as focused on security, so maintaining that balance really can be a lifesaving item when it comes to protecting your business from liability,” Eaton-Cardone said.
That security should start with the basics, she said, such as:
continually keeping software up to date in order to avoid known exploits,
having a layered approach to fraud that includes both technology and human review so there is more than one line of defense,
and putting a key focus on protecting data by following the Payment Card Industry Data Security Standard (PCI-DSS) and other well-established best practices.
Fraud is a dynamic issue, not a static one, and organizations need to adapt as the landscape changes — and that shift is increasingly towards the theft of data, Eaton-Cardone said.
“The world is transforming into a digital environment. It’s no longer cash is king. It’s really data is king.”
Listen to the podcast for more from Monica Eaton-Cardone on EMV technology, how organizations can defend against fraud, and what the fraud landscape will look like in the future.
The holiday shopping season is right around the corner, and gift cards are expected to remain as the most requested holiday gift for the tenth year in a row. It should come as no surprise then that gift card fraud has become a booming business for cybercriminals as they attempt to grab a slice of that $140 billion pie.
In fact, gift cards are one of the most frequently listed items on dark web marketplaces, and SurfWatch Labs expects the number of compromised gift cards for sale to rise in the coming months. As we noted last week in “How Cybercriminals Perpetuate Gift Card Fraud,” fraudsters employ a variety of simple tricks to find active gift card numbers and codes to steal — and millions of gift cards will soon be loaded with active balances across the country.
SurfWatch Labs’ threat intelligence data has already shown a significant increase in fraud in the third quarter, and those fraud concerns will remain elevated throughout the holiday season.
Stolen Gift Cards on Marketplaces
Compromised gift cards are often sold on cybercriminal markets; however, legitimate gift card marketplaces have grown rapidly over the past few years and criminals have begun leveraging them to sell stolen gift cards or to aid in laundering money.
Marketplaces like Raise often provide customers links to help check gift card balances before listing. However, researchers have shown that balance-checking websites can be exploited by cybercriminals to determine active cards if the websites do not implement proper security measures.
As Raise has grown in popularity, customers have reported multiple instances of gift cards having their balances completely or partially gone by the time buyers used them, as well as instances of tens of thousands of gift cards being used to launder stolen credit card money through the site. Those issues may have helped push the company to expand its money-back guarantee on gift cards last year from 100 days to 365 days in order to help assuage some of the concerns users had about buying potentially compromised cards.
Stolen Gift Cards on the Dark Web
The dark web is in a more fluid state heading into this holiday season than it was in 2016, and that’s largely due to the law enforcement takedown of two of the top three most popular markets, AlphaBay and Hansa Market, this past summer. However, finding gift cards for sale on various smaller marketplaces is still relatively easy.
Over the past few months, SurfWatch Labs has observed a variety of gift cards for sale for popular organizations on cybercriminal markets. SurfWatch Labs has not purchased the cards or verified the legitimacy of the postings, but they include:
gift cards for popular chains such as Whole Foods ($100 for $35), Hooters ($50 for $10), and Starbucks ($10-$20 for $3);
various gift cards that may be partially used, such as a $17 Applebee’s gift card for $6.80, and a $32 Five Guys gift card for $12.80;
and sellers claiming to have gift cards for dozens of other restaurants, specialty retailers, hospitality organizations, entertainment venues, and more at similarly discounted prices.
It’s unclear how the numerous gift cards for sale were stolen — or what percentage are actually legitimate — but a quick search of a dozen random companies listed found that nearly all had websites where users could check their balances. And of those, only a few required CAPTCHAs, which researchers have suggested be implemented to help slow down automated attacks.
Other common gift card fraud prevention tactics include making sure that unactivated gift cards are not easily accessible and that their numbers are hidden behind scratch-off coverings, that organizations don’t use sequential numbering or other easily recognizable patterns with their gift cards, and that consumers who have gift cards use them in a reasonable time so the window for potential attacks is shortened. In addition, some stores have implemented limits on the amount of gift cards that can be purchased at once, have begun requiring photo ID for high-dollar purchases, and are attempting to warn buyers of potential scams related to gift cards.
However, until those increased protections become more widespread, we will likely once again see a rise in gift cards being leveraged for fraud and other illicit purposes this holiday season.
Two months ago, Fan Xia, a 29-year-old research assistant from UW-Milwaukee’s engineering department, was arrested for laundering more than $300,000 via an international scheme involving gift cards. According to the criminal complaint, Xia would receive gift card information from scammers in India, use that information to buy iTunes and Google Play gift cards, and then scratch off the codes and forward the information to another set of individuals in China.
The case is hardly unusual — fraud leveraging gift cards has become more the norm than the exception — but it does highlight several ways in which criminals typically exploit gift cards:
Police were tipped off to the fraud ring after a Wisconsin man reported that a caller impersonating the IRS requested he pay via gift cards $4,987 in back taxes, which is the exact type of gift card scam the IRS has been warning about the past couple years.
The man fell for the scam and bought three Target gift cards, two worth the maximum $2,000 and one worth $987. Those cards were then used to launder the scammed money via numerous iTunes and Google Play gift cards allegedly purchased by Xia. Police said Xia had taken pictures of the scratched-off codes of approximately 6,100 such cards over an 11-month period, totalling $305,000.
The victim who was duped by the IRS impersonator grew suspicious and tried to cancel the cards after providing the scammers the information, but the active gift cards were quickly used by Xia, who was allegedly buying up to $3,000 worth gift cards a day with the data from India.
As the holiday season grows closer, there will likely be renewed warnings for both consumers and organizations about similar scams. The gift card market has grown to become a $140 billion dollar industry, and the average consumer will purchase at least two gift cards during the holidays. However, those gift cards remain relatively insecure compared to traditional payment cards, and cybercriminals will likely continue to exploit those weaknesses as consumer activity ramps up in the coming months.
How Cybercriminals Exploit Gift Cards
To use money on a gift card, fraudsters need the card code or number and, in some instances, the associated PIN. In the case involving Xia, he is alleged to have bought and scratched off the iTunes and Google Play codes himself to help launder money originally stolen from phone scam victims. However, there are several methods in which fraudsters can gain access to gift card codes without paying for them.
The most straightforward method for fraudsters to get codes off of physical gift cards is by simply grabbing a stack of inactive cards, which tend to be easily accessible at most stores. If the cards use magnetic strips, the card data may be stolen and cloned with a magnetic stripe reader/writer. If the cards use redeemable codes, fraudsters can scratch off the codes, copy them, and then replace the scratch-off label. Some companies don’t even bother hiding gift card numbers behind a scratch-off since they’re not usable until purchased, which makes it even easier for fraudsters to steal the data.
The fraudsters then return the cards for legitimate consumers to purchase — without knowing that the card numbers or codes they are buying are already in the possession of malicious actors.
That method, though simple, is pretty difficult to scale. Larger fraud operations tend to leverage technology, along with weaknesses in gift card security, in order to automate the compromise of gift cards.
Professional pen-tester Will Caput recently gave a presentation on how he was able to exploit the patterns of various organizations’ gift cards in order to brute force his way to discovering active card numbers. For example, Caput noticed that the gift card numbers one Mexican restaurant used were identical except for one incrementing number and the randomized last four digits. He told Wired that he could target the website used to check gift card balances with the bruteforcing software Burp Intruder to cycle through all 10,000 possible values for the last four random digits in about 10 minutes. Rinse and repeat that process via the incrementing number and a fraudster can easily generate a large number of active cards to use or to sell via cybercriminal markets.
In fact, cybercriminals used a similar approach earlier this year with GiftGhostBot, which was detected performing automated attacks against nearly 1,000 customer websites in order to check millions of gift card numbers for active cards.
Attacks like GiftGhostBot have led some companies to disable their gift card balance-check websites — or to implement CAPTCHAs and other measures to combat automated attacks. Unfortunately, many gift cards remain vulnerable to simple attacks, and cybercriminals continue to shift their attention towards gift cards as traditional payment cards become more secure due to the adoption of EMV and other fraud-prevention tactics.
Many of those compromised gift cards are then bought, sold, and traded on dark web markets and other websites, a practice we’ll examine in the second part of this blog series.
The financials sector saw an increase in incident volume in the third quarter of 2017, and much of that increase revolved around cyber-attacks targeting various cryptocurrency platforms, as well as payment card breaches in the consumer goods sector that led to increased fraud activity on cybercriminal markets.
Key takeaways from SurfWatch Labs’ threat intelligence findings for the period include:
Banks remained as the top trending group associated with cybercrime in the financials sector, accounting for nearly one quarter (24.4%) of the negative cyber events collected by SurfWatch Labs; however, that percentage was down from 38.1% in the first half 2017 and 35.8% across all of 2016.
That drop was largely attributed to increased activity in the specialty financials group, which saw its percentage of threat intelligence jump from 7.4% in the first half of 2017 to 19.4% in Q3 as malicious actors increasingly targeted cryptocurrency platforms.
Payment cards were the dark web target category to see the most significant increase, accounting for 14.6% of the financials sector’s dark web threat intelligence – a rise from 7.1% in the first half of 2017.
Cybercrime incidents related to the banking group remained the most widespread in SurfWatch Labs’ Q3 threat intelligence data. However, when excluding our dark web data, many of the most noteable cyber-attacks – including all five of the top trending incidents for the period – occurred at cryptocurrency organizations in the specialty financials group.
Several of the top trending cyber-attacks in Q3 revolved around the hijacking of Ethereum Initial Coin Offerings (ICO) in order to steal cryptocurrency. Notable attacks include:
In July, Coindash said that an actor gained access to its website during the company’s ICO and changed the text on the site to a fraudulent Ether wallet address – resulting in $10 million worth of Ether being stolen from investors.
Veritaseum also reported in July that it had $8.4 million worth of tokens stolen during its ICO as a result of a “very sophisticated” attack, which may have involved at least one corporate partner dropping the ball, according to the company’s founder.
In August, Enigma Catalyst said that investors were scammed out of approximately $500,000 of Ether when malicious actors hijacked the company’s website, mailing lists, and Slack accounts and subsequently offered a fake pre-sale to investors ahead of the company’s upcoming ICO.
In addition, there were a variety of other cryptocurrency-related attacks during the period. For example, a bug was found in the multi-signature wallet code used as part of Parity Wallet software, which led to wallets being exploited and reports of approximately $34 million worth of Ether being stolen before white hat hackers intervened to prevent an additional $85 million in theft. In addition, a malicious actor was also able to trick the hosting provider of the open source Classic Ether Wallet into hijacking the Classic Ether Wallet domain, resulting in potential theft as transactions were made on the site.
As cryptocurrencies continue to gain legitimacy and value, it is likely that malicious actors will continue to shift towards targeting them in both the near and long term. For example, one group is tracking over 150 active Ethereum scams heading into the fourth quarter of the year. Exploiting the popularity of cryptocurrencies has proven to be highly profitable for both cybercriminals and state actors, such as North Korea.
Fraud Activity Increases on the Dark Web
SurfWatch Labs also observed an increase in the amount of fraud-related activity in Q3, with fraud accounting for 43.6% of financials dark web threat intelligence – a significant jump from previous periods. In the first half of 2017, fraud accounted for 24.4% of collected dark web intelligence, and during 2016 it accounted for 24%.
Digging deeper into the data, it is clear that point-of-sale (POS) and other payment card breaches helped to drive a significant portion of fraud activity in Q3. In the first half of 2017, the target tag of “payment cards” appeared in only 8.3% of the dark web threat intelligence collected by SurfWatch Labs. In Q3 that number rose to 14.5%.
Some of the notable payment card breaches announced during Q3 include:
The fast food chain Sonic has been tied to at least a portion of five million fresh payment cards being sold on a cybercriminal market.
Whole Foods announced a POS breach involving its taprooms and restaurants.
Avanti announced a POS breach affecting an undisclosed number of the company’s self-serve snack kiosks.
Equifax’s massive breach included more than 200,000 payment cards.
B&B Theaters announced it was investigating a payment card breach that may date all the way back to 2015.
Sabre announced a breach affecting its SynXis Central Reservations system back in May, and affected hotels continued to issue breach notification letters throughout Q3.
Third-party vendor Aptos continues to be tied to payment card breaches at online retailers.
Other payment card breach notifications and investigations have continued to be announced in the days since Q3 ended, including a POS breach at Hyatt Hotels and Irish retailer Musgrave warning SuperValu, Centra, and Mace customers to be on the lookout for fraud. In addition, Flexshopper announced it exposed payment card information, and Tommie Cooper and Cricut announced they discovered malware on their website checkout pages.
Numerous organizations also warned of payment cards phishing scams during the period – including Netflix, Uber, E-ZPass, Newcastle University, and more. A number of other data breaches and leaks involved partial payment card information.
The financials sector continues to be the target of a wide range of attacks due to the nature of the data organizations hold and the services they provide. As we noted in our Fraud and the Dark Web whitepaper, the number of avenues through which malicious actors can carry out fraud has increased along with the number of digital accounts tied to financial information. However, Q3 saw an increase in more traditional payment card fraud activity on the dark web – likely resulting from several large one-off POS breaches, as well as issues at vendors that have spread through the supply chain to affect both in-person and online purchases.
On the flip side, the number of cryptocurrency related breaches, particularly those tied to Ethereum, have highlighted a shift that may have legs – particularly since there is less regulation and, in some cases, less security to circumvent in order to pull off multi-million dollar heists. For example, it was reported that at least one Slack account with administrative privileges at Enigma used a previously leaked password and didn’t require two-factor authentication. Likewise, the incident involving Classic Ether Wallet began by simply socially engineering a third party over the phone by impersonating the site’s owner. Malicious actors are quick to copy the successful techniques of their peers, and we will likely see similar attempts against cryptocurrency organizations in the future.
The recent Equifax breach once again has the whole nation talking about cybercrime — and the widespread fraud and identity theft likely to follow in the wake of 143 million compromised consumers. Identity theft is a major concern for individuals, but as SurfWatch Labs chief security strategist Adam Meyer noted, malicious actors spring boarding off of breached information to authenticate as legitimate users is perhaps a more significant concern when it comes to organizations.
Meyer’s thoughts echo the findings of SurfWatch Labs’ recent whitepaper, which found that malicious actors tend to be focused on authentication when it comes to fraud on dark web markets and cybercriminal forums.
The most observed type of dark web fraud in 2017 is account fraud, which has accounted for more than a quarter (25.2%) of all the fraud-related activity observed on the dark web this year. That includes a wide variety of different accounts that can be accessed with stolen customer credentials, including:
online accounts for banking and financial services;
online store accounts, as both buyers and sellers;
accounts tied to monthly subscriptions or other recurring services;
accounts related to the growing number of digital cryptocurrencies;
By comparison, credit card fraud, which is what many consumers may associate with the dark web, has only accounted for 16.7% of the activity so far this year.
The focus on this more indirect fraud — the buying, selling, and trading of access to accounts connected to payment information or services — is driven by both the huge growth in the number of online accounts and the weak authentication that so often accompanies those accounts.
The Equifax breach has simply exacerbated those authentication concerns to the point where outlets like Wired and The Verge are writing that we may need a “fundamental reassessment in how, and why, we identify ourselves” and that it may be “time to burn it all down and start over.” SurfWatch Labs analysts, along with many other researchers, have been warning for years that the pool of forever-compromised information is continuing to grow deeper and cause more issues for business unprepared to deal with that reality.
What can organizations do to protect themselves? Unfortunately, that is not a one-size-fits-all answer.
“Collectively, organizations lose billions of dollars to fraud-related cybercrime every year,” the whitepaper noted. “Individually, how each organization should address the problem of fraud can vary greatly depending their unique risk footprints.”
However, there are some general best practices that all businesses should keep in mind when it comes to combating fraud, such as:
Continuous monitoring of malicious actors: Dark web markets, paste sites, social media, and other communication channels are often used to leak stolen data and discuss cyber threats. Organizations should have a way to monitor any leaks or threats that may directly affect their customers, employees, or supply chain. In addition, organizations should stay abreast of any changes in the cybercriminal tactics, techniques, and procedures being used by malicious actors so that they can adapt their cyber defenses.
Discourage the the use of weak or already compromised passwords: Consumers have a growing number of accounts that are either tied to financial information or able to be easily monetized by cybercriminals, and consumers’ poor password habits are frequently exploited by malicious actors. NIST recommends advising users against passwords that have been previously breached, and in August 2017 security researcher Troy Hunt provided a list of 320 million compromised passwords that organizations can implement to encourage the use of more secure passwords as they see fit.
Encourage two-factor authentication: With so much fraud centered on compromised accounts, having an additional layer of authentication can greatly reduce the chances of those accounts being compromised. Organizations may be reluctant to create additional steps in the login process, but there is an expanding number of secondary authentication options available with varying levels of security and usability.
Prioritize and take action against the most impactful threats: In 2014, FICO reported that the average duration of a physically compromised ATM or POS device was 36 days. In 2016, that dropped to just 11 days – and the average number of payment cards affected by a single compromise was cut in half. Implementing training and systems to consistently address the most common and impactful threats facing your organization can have a significant impact in reducing fraud.
The webinar will feature a discussion around cyber fraud, including an in-depth examination of the “Anatomy of Fraud,” what intel can be gathered from Dark Web markets and forums, and recommended courses of action to proactively mitigate the risk of fraud as well as how to effectively respond if fraud occurs.
An old data breach came back to life this week as Ashley Madison users who had their data compromised back in July 2015 are once again being blackmailed — this time by an extortion group threatening to launch a public website and contact people in victims’ social media networks. The website will allegedly be launched on Monday, at which point it will be clear if the threat is just a ploy to extort victims who are low-hanging fruit or if the group will actually carry out their attempt at public shaming.
“On May 1 2017 we are launching our new site — Cheaters Gallery – exposing those who cheat and destroy families,” a group using a Ukrainian top level domain recently wrote in an email to some Ashley Madison users. “We will launch the site with a big email to all the friends and family of cheaters taken from Facebook, LinkedIn and other social sites. This will include you if do not pay to opting out.”
Robin Harris wrote on ZDNet that the email he received quoted his personal Ashley Madison profile and that the blackmail price for “opting out” of the Cheaters Gallery website was around $500. Of course, paying that blackmail won’t accomplish much unless the victims are willing to keep paying ransoms in an endless game of extortion whack-a-mole. The breached Ashley Madison data has been circulating for 20 months now — ever since the account details of around 32 million users were published on the dark web — and numerous other actors have attempted to extort the victims in the past via extortion emails and letters sent to victims and their spouses. The repeated blackmail campaigns indicate that either victims are paying up and the campaigns are profitable or that the actors behind them at least believed they would be worth the investment.
Seeing another round of Ashley Madison blackmail threats nearly two years after the breach is a reminder that once data is exposed, it remains exposed forever. As SurfWatch Labs noted in a report last year, the pool of compromised data never empties; it only grows. That means that malicious actors can use, reuse, build upon, and find new ways to monetize that expanding pool of data now and in the future.
Other trending cybercrime events from the week include:
More payment card breaches: Chain restaurant Chipotle said that it is investigating a possible point-of-sale breach after detecting “unauthorized activity on the network that supports payment processing for purchases made in our restaurants.” The investigation is focusing transactions that occurred at locations from March 24, 2017 through April 18, 2017. Trading card dealer Blowout Cards announced a data breach due to “an exploit in the form of a modified payment .php file” that allowed the intruders to skim payment card information as customers checked out via its website. As a result, those who used credit and debit cards to check out via the site’s shopping cart between January 2017 and April 20, 2017, had their information compromised.
Espionage groups behind South Korea, Israel attacks: Iran’s OilRig hacking group is behind a series of targeted attacks against 250 individuals in government agencies, high-tech companies, medical organizations, and educational institutions such as the renowned Ben-Gurion University. The attacks took place between April 19 and 24 and employed the just-patched Microsoft CVE-2017-0199 remote code execution vulnerability in the Windows Object Linking and Embedding (OLE) application programming interface. Two cyber-espionage groups linked to China have been observed launching a variety of attacks against South Korea’s government, military, defense companies, and a big conglomerate involved in deploying Terminal High-Altitude Area Defense, or Thaad, a U.S. missile-defense system designed to protect South Korea from a North Korean missile threat.
FIN7 campaign uses social engineering: The FIN7 group (also known as Carbanak) is targeting large restaurant chains, hospitality, and financial service organizations with spear phishing messages centered around complaints, catering orders, or resumes. The group has also been observed calling stores at targeted organizations to ensure they received the email and attempting to walk them through the infection process, as it has done in previous campaigns.
Phishing leads to fraud, data breaches: Fraudsters were able to convince more than 500 University of California students to hand over their health information, and that information was used to steal almost $12 million from the university by writing fake medical prescriptions in the students’ names. The Iowa Veterans Home is notifying 2,969 people that their medical and financial information may have been compromised after three IVH employees fell for phishing emails that compromised their email account credentials.
Other notable cybercrime events: A vulnerability in a popular third-party library used by HipChat.com led to a data breach. The email addresses and unique IMEI numbers from Ciphr phone users have been dumped online, and Ciphr claims that the leak was carried out by a rival secure phone company. A hacker claims to have compromised the forums of R2 games. Concordia University said that approximately 9,000 students may have been affected by unauthorized access to its online course systems. The information of 8,000 Home Depot customers who had lodged complaints with its MyInstall program was found exposed online. Ransomware infected some City of Newark computers. WikiLeaks has published the user guide for the “Weeping Angel” tool allegedly developed by the CIA.
SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.
Cyber Risk Trends From the Past Week
Facebook and Google confirmed this week that they were the victims of the $100 million phishing scheme announced by the Department of Justice of last month.
The scheme was carried out by Evaldas Rimasauskas, a Lithuanian man who allegedly impersonated the large Taiwan-based manufacturer Quanta Computer in order to dupe the companies into making a series of fraudulent payments. According to the indictment, Rimasauskas, registered and incorporated a company in Latvia with the same name as Quanta Computer and then forged email addresses, invoices, and corporate stamps in order to convince the accounting departments at the two tech companies to make transfers worth tens of millions of dollars over a two year span, stealing $100 million in total.
Facebook and Google both told Fortune that they have since recovered the bulk of the funds.
Acting U.S. Attorney Joon H. Kim said in a DOJ press release that “this case should serve as a wake-up call to all companies – even the most sophisticated – that they too can be victims of phishing attacks by cyber criminals.”
That same concern was echoed in a report from the Association for Financial Professionals published in early April. According to the report, 74 percent of finance professionals reported that their organizations were victims of business email compromise (BEC) scams in 2016, a 10-percentage point increase from the previous year.
Likewise, in December 2016 the FBI warned of a dramatic increase in BEC scams, which attempt to assume the identity of a person of authority within the company or — in the case of the Facebook and Google thefts — a trusted vendor before asking to initiate a fraudulent wire transfer.
On Friday, 32-year-old Russian hacker Roman Seleznev was sentenced to 27 years in prison for running a cybercriminal operation that stole millions of payment cards, resulting in at least $169 million in damages to small business and financial institutions. It’s the longest sentence ever issued in the U.S. for cybercrime, and the court documents and testimony that led to the sentence revealed the inner workings of a decade-long operation that helped to grow and evolve payment card fraud into what it is today.
Earlier this month, in documents urging the judge to issue a lengthy sentence, the prosecution said Seleznev may have harmed more victims and caused more financial losses than any other defendant that ever appeared before the court:
“Seleznev is the highest profile long-term cybercriminal ever convicted by an American jury. His criminal conduct spanned over a decade and he became one of the most revered point-of-sale hackers in the criminal underworld. … Unlike smaller players in the carding community, Seleznev was a pioneer in the industry. He was not simply a market participant – he was a market maker whose automated vending sites and tutorials helped grow the market for stolen card data.”
In total, the government was able to identify 2,950,468 unique credit card numbers that Seleznev stole, possessed, or sold related to more than 500 U.S. business, subsequently affecting 3,700 financial institutions around the world. And — as the government pointed out — that is just the known losses.
Driving Small Businesses to Bankruptcy
As we wrote when Seleznev was convicted on 38 of the 40 counts he faced last year, many of the organizations he targeted were small businesses, and the testimony of seven of those businesses were heard in the court case.
Seattle’s Broadway Grill has perhaps been the most publicized of the point-of-sale breaches. Owner CJ Saretto testified that bad publicity from the breach instantly reduced the restaurant’s revenue by 40 percent and eventually forced him to “walk away from the business, shutter the doors, [and file] personal bankruptcy.” Other owners testified that the effect on business was “horrendous,” that the breach forced them into heavy debt, and that business “has never been the same” since the incident.
It’s no coincidence those that testified in the case against Seleznev were small business owners. Seleznev tended to target small businesses in the restaurant and hospitality industry, particularly if they had poor password security around their point-of-sale devices.
Seleznev “developed and used automated techniques, such as port scanning, to identify retail point of sale computer systems … that were connected to the Internet, that were dedicated to or involved with credit card processing, and that would be vulnerable to criminal hacks,” the indictment stated.
“He quickly learned that many of these businesses’ point of sale systems were remotely maintained by vendors with poor password security,” the government said in its sentencing memorandum. “Because most of his victims were small businesses, they were unlikely to have in-house IT or security personnel. As a result, these companies made extremely attractive targets for someone with Seleznev’s skills as a hacker.”
Track2, Bulba, 2Pac, and POS Dumps
However, Seleznev went far beyond merely stealing payment card information, he also helped to develop and operate websites to market the stolen data and promote more individuals to get into payment card fraud. Seleznev was 18 years old when he began participating in the Russian underground “carding” community under the alias “nCuX,” and seven years later, in 2009 when the U.S. Secret Service tried and failed to coordinate his arrest, he had become a major provider of stolen credit card data, according to court documents.
Just three months after being tipped off to the potential arrest by contacts inside the FSB and retiring his “nCuX” alias, Seleznev was back in the game under the name “Track2.” He soon unveiled two new automated vending websites, “Track2” and “Bulba,” which allowed buyers to to automatically search and purchase his stolen credit card data by using filters such as a particular financial institution or card brand.
Those features have become commonplace now, but as the prosecution noted, it was “a major innovation” at the time and the “Track2 and Bulba websites achieved instant success.”
“[The sites] made it possible for criminals to efficiently search for and purchase stolen credit card data through a process as easy as buying a book on Amazon,” the prosecution wrote. “Automated vending sites increased the efficiency [of] credit card data trafficking, and remain the gold standard for credit card trafficking to this day.”
In April 2011, Seleznev was injured in a terrorist bombing in Marrakesh, Morocco, and hospitalized for several months. His co-conspirators ran the Track2 and Bulba websites in his absence until they closed up shop in January 2012 citing no new dumps to sell.
Once again, Seleznev choose to return to cybercrime by innovating his operations. Switching monikers to “2Pac,” he launched a new automated vending site that would not only sell his stolen data but would offer stolen cards from “the best sellers in one place.” Seleznev would take a portion of the proceeds for each sale, and he used this model to resell credit data stolen in popular breaches such as Target, Michaels, and Nieman Marcus on the 2Pac site.
In addition, Seleznev needed a continuous stream of dumps and customers to fuel his 2Pac site, so he began teaching others the basics of payment card fraud via a sister site, called “POS Dumps.”
The POS Dumps website contained four categories to teach amateurs how to successfully commit payment card fraud:
Choosing and buying equipment
Choosing and buying dumps
How to generate Track1 and why it is needed
Writing the dumps onto cards
The website even had links to eBay to purchase the necessary equipment (an MSR206 manual swipe magnetic card reader/writer) and custom malware to help write the stolen payment card data onto other cards.
The prosecution wrote that the POS Dumps website “trained thousands of new criminals in the basics of how to use the data to commit fraud.” Similar types of tutorials related to fraud and cybercrime remain among the most commonly listed items on dark web markets today, according to SurfWatch Labs’ data.
A Record 27-Year Prison Sentence
Court documents from the defense called the long prison sentence “draconian.” However, Seleznev clearly knew his actions could have serious consequences. He monitored the U.S. court’s PACER system for any criminal indictments against him, and when agents arrested him in the Maldives as he attempted to board a plane in 2014, he immediately asked if the U.S. had an extradition treaty. The U.S. did not have a formal treaty with the Maldives, but an agreement was obtained in the days prior to take custody of Seleznev.
The prosecution described Seleznev’s sentencing guideline calculation as “literally off the charts.” A score of 43 recommends a life sentence, and Seleznev scored 16 points above that — a 59.
The judge agreed with the prosecution and sentenced Seleznev to 27 years in prison last Friday.
“The notion that the Internet is a Wild West where anything goes is a thing of the past,” said U.S. Attorney Annette L. Hayes. “As Mr. Seleznev has now learned, and others should take note – we are working closely with our law enforcement partners around the world to find, apprehend, and bring to justice those who use the internet to steal and destroy our peace of mind. Whether the victims are multi-national banks or small pizza joints, we are all victims when our day-to-day transactions result in millions of dollars ending up in the wrong hands.”