Security Researchers Uncover A Multimillion Dollar Credit Card Scam, Here's How It Works
Researchers at the cybersecurity firm ReasonLabs have discovered a credit card scam campaign estimated to have extracted tens of millions of dollars from tens of thousands of credit card holders. This scheme
utilizes fake dating websites, a dedicated payment processor, and customer support services all created and maintained for the purpose of charging recurring subscription fees to the credit cards of oblivious victims. The researchers identified over 200 websites they believe are operated by a Russian crime syndicate running this fraud
One of many fraudulent dating websites featured in this campaign
The fraud scheme uncovered by the researchers depends on multiple fake websites and services operating in tandem, beginning with a large number of bogus dating and hookup sites. While the various sites have different themes, the same basic structure and design is shared across many of them. Members of the public who stumble across these sites can freely register accounts on them, though there are very few accounts registered.
An analysis of their web traffic reveals that virtually all of it comes from visitors with US IP addresses who directly navigate to the sites by entering their domain names in the address bar, rather than visitors directed there by search results or other referrals. The websites also have low bounce rates and fairly high average visit duration times. These web traffic statistics form an irregular profile for websites that are publicly available on the open web. Even US-based websites with dedicated user-bases get a significant portion of their traffic from search results, referrals, and non-US users, and many of these visitors often don’t stay for long. It’s likely the case that these fake dating websites are visited solely by the threat actors operating this fraud campaign.
The fraudulent payment processor operated by the crime syndicate
Readers might find it odd that the threat actors wouldn’t be trying to lure unsuspecting victims to these fake dating websites in an attempt to procure their credit card information. However, the fake dating websites play a different role in this scheme. Rather than acquiring victims’ credit card information through phishing, the threat actors instead source this information from credit card dumps. Cybercriminals can acquire stolen credit card credentials from online databases for as low as 15 cents per card
, which is a small price to pay if you can extract much more from each card in fraudulent charges.
The threat actors behind this campaign go about charging victims’ credit cards by signing them up for subscriptions to the fake dating websites. These subscriptions are all processed by a payment processing service called RocketGate that seems to have been set up by the crime syndicate behind this fraud scheme. This means all funds collected from the subscription fees are directed to the crime syndicate.
One of the fraudulent transaction support websites
Rather than beginning with a test transaction, then racking up large charges—as many criminals do with stolen credit cards—the threat actors instead sign victims up for relatively inexpensive recurring subscription fees that slowly and more steadily accumulate into larger amounts over time. These smaller, recurring transactions are less likely to be detected by credit card companies and holders alike. The threat actors also disguise the transactions with generic-sounding billing information. The threat actors present this behavior as a measure intended to protect the privacy of their subscribers, as many of the hookup websites are salacious and unsavory.
In the case that card holders notice the charges, the threat actors have set up a litany of support websites that correspond in name to the billing information. Like the fake dating websites, many of these support websites re-use the same design and structure. Nonetheless, they all offer unique email addresses and toll-free numbers that victims can contact to reach an actual support service. If the victims decide to cancel their fraudulent subscriptions, the support service will actually cancel their subscriptions and issue refunds.
This level of customer support may seem surprising for a fraud scheme, but it helps keep the payment processor in the good graces of credit card companies, so the scheme can continue to charge other victims. This fraud campaign
serves as a good reminder to watch your credit card history for unexpected or suspicious transactions, so as to not become a recurring victim of fraud.