Russian hackers are offering sophisticated training on how to steal up to £10,000 a month through credit-card scams, researchers have found.
Operating through encrypted forums on the dark web, the online marketplace for illegal goods, the gangs give lectures and comprehensive guides to evading detection, often with the strict rule that course participants do not target Russian credit cards.
Undercover monitoring of the dark web by Digital Shadows, an online risk management company, found student reviews bragging of purchases made using stolen card details with images of cameras, games consoles and beach holidays.
The company’s analysts investigated hundreds of criminal forums and found card details for 37,000 UK bank account holders on just two of the more popular dark web sites. The report warned that payment card fraud was expected to be worth as much as £18.5 billion globally by the end of 2018.
Digital Shadows said that there was a growing trend for the six-week online fraud courses, which are offered in the Russian language.
Advertisement
In exchange for 45,000 rubles (£575) plus about £150 course fees, aspiring cybercriminals were told they would make £9,200 a month, working a 40-hour week using stolen card details. The average wage in Russia is about £530.
Where PINs were necessary to steal from a victim, the courses offered “automated services which call cardholders in the UK in an attempt to scam their details using social engineering techniques”, the report found.
Scammers were also offered detailed coaching on social engineering and confidence fraud techniques for targeting victims over the telephone. One instructor advised the class to use conversation about the news and current events because they “play beautifully”.
The research identified a hierarchy of linked individuals forming organised crime networks online.
Payment card data harvesters did the “dirty work” of intercepting the card data, whether by physically running a “skimmer” over them or using computer viruses to steal them.
Advertisement
The details were then passed to distributors — who earned the lion’s share of the wealth — to repackage and sell on to fraudsters who used the stolen or cloned cards to buy goods. A fourth layer is made up of the criminals who are tasked with re-selling items and services bought with the stolen data.
Students were also given a guide and tools for hacking other people’s Paypal accounts.
The company withheld the names of many of the dark web sites used by the hackers for fear of advertising new strategies to would-be fraudsters, but among them was Alphabay, which has had various iterations over the years and was recently taken offline.
Another site, Fraud.cat, was used to test the strength of an IP address (the unique identifying code of a computer’s internet connection) against detection techniques.
Rick Holland, vice-president for strategy at Digital Shadows, said: “The card companies have developed sophisticated anti-fraud measures and high-quality training like this can be seen as a reaction to this. Unfortunately, it’s a sign that criminals continually seek to lower barriers to entry, which then put more criminals into the ecosystem.
Advertisement
“However, the benefit is that the criminals are increasingly exposing their methods, which means that credit card companies, merchants and customers can learn from them and adjust their defences accordingly.”