New wave of credit card fraudsters opt for in-store pickup option
Pilfered card data, Zip codes used by fraudsters to pick stores close to victims.
Credit card breaches are the gift that keeps on giving—to Eastern European cybercriminals, at least. Taking advantage of the loosened security that comes with the holiday gift-buying rush, recent traffic on underground card fraud websites indicates that payment card fraud rings are using data from major retail system breaches in a campaign of fraudulent online purchases. But instead of directing the shipments to drop points that might draw the attention of fraud detection algorithms and law enforcement, they’re taking advantage of the latest “gotta have it now” approach to online shopping—the “in-store pickup” option.
According to data collected by Security Scorecard from traffic to “carder” forums—sites operating on the public Internet but requiring an invitation from established members to join—some of the new fraud campaigns this year are targeting major retailers with in-store pickup options. “What’s interesting now is that they’re getting brazen,” said Alex Heid, Security Scorecard’s chief research officer, in an interview with Ars. “They’re walking right to the store.”
The shift comes as stores have begun to frequently block shipments to addresses other than a credit card’s billing address, and the practice of using a controlled delivery point to collect fraudulent purchases has become increasingly risky for fraud rings. At the same time, credit card data breaches have been happening with less frequency—but when they do happen, they’re huge, as in the case of Home Depot, and they can pay off for months before banks cancel cards.
The fraud rings, which are mostly operated from within Eastern Europe (and in some cases may be tolerated by law enforcement in those countries because they’re conducting a form of economic warfare against the US), aim to use stolen credit card numbers to purchase items that can quickly be resold for near retail value. In at least one case, that means Apple products, as an open advertisement for would-be accomplices notes:
We are in search of workers who are serious and ready to make money with Store pickup deals which is more profitable from buying and using of dumps the site we work with are as follows : bestbuy.com, walmart.com and sears.com
Items to be picked up are mainly – Apple Products such as Ipads & Ipad Mini, Imac, Macbook Book Pro, Iphone and all other products available for pickup in your state!
The Requirement for Work:
- Should Have an Emboser, so you can make creditcard and present it to store which will enable to you pickup stuffs
- Should be Able to Work All day Round, since the orders are placed and processed in some mins-hours!
- Should be able to proof you can do what you claim to do!
- Respect Us and We Will Respect You!
The Percentage Deal is 50% (me)-50% (you)
The fraudster posting this advertisement even provided an ICQ address and Yahoo e-mail address for prospective partners to contact him.
This sort of fraud has been aided and abetted by recent credit card breaches that have leaked not just card data but the billing address ZIP code associated with them. Using the ZIP code data, fraudsters can target retail locations close to the billing address of a stolen card number—reducing the likelihood that fraud prevention systems will block the transaction. (Credit card companies frequently decline online transactions for in-store pickup at locations far from a billing address—something I’ve experienced personally when someone tried to buy a birthday gift for me during a visit from out of town.)
The shift to in-store pickup is partially because the old ways of doing credit card fraud have gotten increasingly risky. While some aspects of the business remain the same—using mostly services such as Western Union and MoneyGram to move cash around, with some movement to Bitcoin and Perfect Money as a replacement for the seized Liberty Reserve, according to Heid—retailers and law enforcement are hip to the older methods: fraudulent online purchases sent to a drop point, and counterfeit cards used to buy rafts of untraceable gift cards. “We’ve been seeing lower-level actors getting popped with more frequency,” Heid said.
By recruiting someone in the same area as a victim’s billing address and providing them with the data required to create a fraudulent credit card, the criminal organizations dodge computer-based fraud detection algorithms and put the risk of detection largely on the shoulders of the person trying to pick up the item in the store. Much of the year, that might be a coin-toss for success. But as Heid put it, “The fall isn’t just the shopping season for the holidays—it’s the shopping season for fraudsters” because seasonal retail employees often aren’t trained to spot fake credit cards and retailers are more concerned with dealing with volume than clamping down on potentially bad transactions.
“Retailers are not exactly training seasonal employees on the sophisticated techniques of Eastern European cyber-criminals,” Heid said.