Stolen credit card numbers sometimes spill onto the dark web for the most mundane reason: People carelessly give them up.
According to researchers with Gemini Advisory, a China-based e-commerce scam appears to be harvesting payment information not through direct hacks on companies or using pernicious malware to skim data, but with a simpler approach. The fraudsters set up hundreds of websites that appear to sell legitimate goods, but instead capture card numbers for sale on the dark web, Gemini says.
It ends up being a double-dip for the crooks: In addition to vending the card data and other information about shoppers in cybercriminal forums, they also collect money for items that are “faulty, counterfeit, or nonexistent,” Gemini says in a report published Thursday. The dark web sales have led to profits upwards of $500,000 over the past six months, but the total take is “likely significantly larger,” considering all the money the scammers probably collected for the bogus goods.
Tens of thousands of payment records from the U.S. and elsewhere have been exposed, Gemini says. The report comes as the coronavirus pandemic has upended retail experiences for much of the world, and U.S. and European consumers are entering into a holiday shopping season that will more online than ever. It’s also a reminder that while Magecart malware and other payment information skimmers get a lot of attention from cybersecurity researchers, there’s more than one way to pilfer a credit card number.
An operation like this takes some infrastructure, of course. To appear as legitimate merchants while hiding their connections to the larger scam, each of the sites needs a unique merchant name and merchant identification number (MID). Getting an MID “requires either a direct partnership with an acquiring bank or a relationship with a third-party merchant company that works with a dedicated acquiring bank,” Gemini notes, adding that “nearly 200 of the scam sites from the identified group were linked to the Chinese acquiring bank Jilin Jiutai Rural Commercial Bank Co., Ltd.”
Gemini doesn’t link the bank directly to the scam — it’s possible the relationship was managed through third-party companies.
Gemini says there are about 600 associated web addresses, and most of them are registered through China’s ename.net. The fake stores generally use the e-commerce platform OpenCart, because it’s open source — as opposed to a platform like Shopify, which has fraud monitoring and mitigation policies in place. The group also relies on web infrastructure from Cloudflare “to hide its IP addresses for all of its sites,” the report says.
“This cookie-cutter approach was likely taken to facilitate the rapid deployment of a large number of scam sites,” Gemini says.
The fraudsters also have other techniques to lure people in and appear legitimate.
“For the average customer, there is no visible link between the different sites within the network as each appears to be a distinct, legitimate shop,” Gemini says. “The sites use Google Ads and social media advertisement campaigns to attract customers with offers for products at a discount below market deals. The sites’ advertisements almost always indicate that the deals are part of a limited-time sale to pressure potential customers into making a purchase.”