A subscription service scam has garnered millions of dollars in credit card charges by creating fake dating and porn sites, staffing them with live customer support, and using stolen credit card accounts to pay for "services."
Endpoint security firm ReasonLabs stated in a Sept. 23 advisory that a Russian-speaking cybercrime group has created hundreds of fraudulent websites since 2019, likely using third-party proxies, as well as dozens of business sites that serve both as the generic name appearing on credit card charges and as hubs for customer support calls. By using recurring charges that are small enough to escape many customers' notice, the fraudsters were able to keep chargeback requests low enough to avoid being shut down and continue profiting from the scam.
While the different components of the scheme are not original, the sum total managed to bypass credit card companies' fraud detection and garner millions of dollars in revenue, ReasonLabs' research team said in the advisory.
"Eventually, once — some of — these users find these charges, they will immediately approach the issuer for a dispute and replacement of the card number, which will cause chargebacks."
The three-year scam highlights the resurgence of credit-card fraud, especially for businesses that are dealing with a hybrid workforce. Two-thirds of companies have experienced fraud in the past year, according to a recent study from KPMG. Security experts have meanwhile warned that third-party scripts on websites — part of the software supply chain — could be at risk of being co-opted to steal credentials and credit-card information.
Designed to Seem Legitimate
In the latest credit card scam, the cybercriminals created the right mix of components to dodge anti-fraud defenses and to remain unnoticed by consumers who don't always check their credit card bills, researchers said. While unsurprising, the scope of the fraud is quite brazen, Timothy Morris, technology strategist for security management firm Tanium, said in a statement sent to Dark Reading.
"Real companies can run virtually, so it isn’t hard to imagine fake companies running virtually," he said. "Front-end user interfaces, back-end customer support, payment providers, [and other components] give this swindle all the ingredients of legitimacy."
The scheme was also given a veneer of credibility by the 200 fake sites — mainly adult- and dating-themed — that supposedly were the source of the charges. While adult sites are classified as high risk in the financial industry, the combination of live sites and active business hubs helped make the scheme seem legitimate.
The type of fake site that the fraudsters used also likely made the scheme more successful, Matt Mullins, senior security researcher at Cybrary, said in a statement sent to Dark Reading.
"Dating sites, adult sites, and other services have social stigmas associated with them that put the victim in a questionable light," he said. "This questionable light also makes it more likely that a victim will try to resolve it themselves versus calling up a customer service representative and trying to resolve it."
Finally, the criminal group mimics typical credit card spending patterns to make the transactions less suspicious. Rather than using test transactions followed by a large transaction, the criminal group uses recurring payments of small dollar amounts to escape notice.
Because most financial providers have strict agreements with high-risk businesses — such as adult sites — that limit the level of chargebacks, the cybercriminal group takes a variety of actions to avoid chargebacks. The fake businesses have fairly generic names, charge small dollar amounts, allow the user to cancel their "subscription," and have live customer support, ReasonLabs said.
"The fraudsters applied each individual customer service website for payment processing in order to distribute the chargebacks between many websites rather than just one," the company stated in its advisory. "This would ensure that their payment processing capabilities will not be revoked once one site reaches the agreed rate of chargebacks, or refunds, which is divided by the number of legit transactions."
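The two mechanics described above (small recurring charges per card, and chargebacks spread across many merchant accounts so that no single account trips the acquirer's monitoring rule) can be shown with a short defender-side script. The following is an added example written for this article; it is not code from ReasonLabs or from any card network. The monitoring thresholds, the `linked_id` attribute that ties shell merchants together (standing in for a shared proxy, payout account or support phone number), and all sample data are constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date

# Illustrative monitoring thresholds, constructed for this example and not quoted
# from the article: an account is escalated only when BOTH the monthly chargeback
# count and the chargeback-to-transaction ratio reach the limits.
MIN_CHARGEBACK_COUNT = 100
MAX_CHARGEBACK_RATIO = 0.01


@dataclass(frozen=True)
class MerchantMonth:
    descriptor: str    # name that appears on the cardholder's statement
    linked_id: str     # constructed attribute linking accounts (shared proxy, payout account, support line)
    transactions: int  # settled transactions in the month
    chargebacks: int   # chargebacks received in the month


def exceeds_program(chargebacks: int, transactions: int) -> bool:
    """The monitoring rule, applied per account below and again per linked group."""
    if transactions == 0:
        return False
    return chargebacks >= MIN_CHARGEBACK_COUNT and chargebacks / transactions >= MAX_CHARGEBACK_RATIO


def accounts_over_limit(months):
    """Per-account view: what an acquirer sees when each shell site is judged alone."""
    return sorted(m.descriptor for m in months if exceeds_program(m.chargebacks, m.transactions))


def groups_over_limit(months):
    """Linked view: sum counts across every account sharing linked_id, then apply the same rule."""
    tx, cb = defaultdict(int), defaultdict(int)
    for m in months:
        tx[m.linked_id] += m.transactions
        cb[m.linked_id] += m.chargebacks
    return sorted(k for k in tx if exceeds_program(cb[k], tx[k]))


# Constructed sample month: eight shell storefronts routed through one proxy/payout
# account, each at 2% chargebacks but only 40 of them, plus two ordinary merchants.
SAMPLE_MONTH = [
    MerchantMonth(f"GENERICSVC{i:02d}", "ring-A", 2000, 40) for i in range(1, 9)
] + [
    MerchantMonth("CORNER BAKERY", "bakery-llc", 5000, 3),
    MerchantMonth("BIG RETAILER", "retail-inc", 120000, 900),  # many chargebacks, but under the ratio
]


@dataclass(frozen=True)
class StatementLine:
    posted: date
    descriptor: str
    amount: float


def small_recurring_charges(lines, max_amount=20.0, min_occurrences=3,
                            min_gap_days=25, max_gap_days=35):
    """Cardholder/issuer side: descriptors billing the same small amount at roughly
    monthly intervals, the pattern the article describes. Returns review candidates;
    a legitimate subscription matches too, so this is a triage signal, not a verdict."""
    by_key = defaultdict(list)
    for ln in lines:
        if ln.amount <= max_amount:
            by_key[(ln.descriptor, round(ln.amount, 2))].append(ln.posted)
    hits = []
    for (desc, amt), dates in by_key.items():
        dates.sort()
        if len(dates) < min_occurrences:
            continue
        gaps = [(b - a).days for a, b in zip(dates, dates[1:])]
        if all(min_gap_days <= g <= max_gap_days for g in gaps):
            hits.append((desc, amt, len(dates)))
    return sorted(hits)


# Constructed statement: one generic descriptor billing 9.99 every 30 days,
# a coffee shop with irregular visits, and a streaming service seen only twice.
SAMPLE_STATEMENT = [
    StatementLine(date(2022, 6, 3), "GENERICSVC04", 9.99),
    StatementLine(date(2022, 7, 3), "GENERICSVC04", 9.99),
    StatementLine(date(2022, 8, 2), "GENERICSVC04", 9.99),
    StatementLine(date(2022, 9, 1), "GENERICSVC04", 9.99),
    StatementLine(date(2022, 6, 10), "COFFEE SHOP", 4.50),
    StatementLine(date(2022, 6, 14), "COFFEE SHOP", 4.50),
    StatementLine(date(2022, 7, 20), "COFFEE SHOP", 4.50),
    StatementLine(date(2022, 7, 1), "STREAMING CO", 14.99),
    StatementLine(date(2022, 8, 1), "STREAMING CO", 14.99),
]


if __name__ == "__main__":
    print("accounts over limit:", accounts_over_limit(SAMPLE_MONTH))   # []
    print("linked groups over limit:", groups_over_limit(SAMPLE_MONTH))  # ['ring-A']
    print("small recurring charges:", small_recurring_charges(SAMPLE_STATEMENT))
```

Judged one account at a time, none of the eight shell storefronts reaches the count floor, which is exactly the effect the advisory attributes to spreading charges over many sites; summing over whatever attribute links the accounts puts the ring at 320 chargebacks on 16,000 transactions and over both limits. The statement check is the issuer-side complement: a cheap, evenly spaced charge from a generic descriptor is the signature the article describes, and it is worth surfacing to cardholders even though legitimate subscriptions produce the same shape.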
The campaign is ongoing, but ReasonLabs has notified the companies affected by the fraud to help shut down the cybercriminal enterprise.