August 24, 2020

Fraudsters Making the Most of COVID-19

by Lior Katz, SecuredTouch

Fraud is, at its core, an opportunistic endeavor; scammers are always shifting their activities in response to consumer demand and online traffic trends. And just like legal businesses, different underground activities are being affected by the pandemic in different ways.

Some are thriving, while others are starting to feel the pinch as coronavirus lockdown restrictions affect operations. For example, fraud focused on credit card skimming of eCommerce websites is thriving as the volume of online purchases skyrockets, while schemes centered around illegally obtaining travel visas are tanking as a result of travel restrictions.

We went fishing in the Dark Web for the latest fraud schemes on the market. Below, we share a few examples of what we found and our insights.

Fraudsters are moving in step with online sales

While precise figures are not easily obtainable, it is certain that eCommerce is experiencing a boom. According to the COVID-19 Commerce Insight dashboard, there has been a 110% year-over-year increase in pure eCommerce orders in the U.S. alone. Digital Commerce is reporting a 52% increase in online sales, and even an 8.8% increase in online shoppers since the coronavirus began.


That's all well and good, but it makes eCommerce one of the fastest-growing opportunities for cybercriminals to defraud digital businesses, resulting in millions of dollars in losses. Tried and tested fraud schemes such as credential stuffing, account takeover, and streaming potluck continue to be popular ways to defraud eCommerce sites and online retailers today.

What's new in fraud these days?

What we discovered is that fraudsters have not changed their online tactics much during the COVID pandemic. Rather, they are trying to squeeze even more out of their existing strategies. Specifically, we are seeing a pivot towards fraud schemes targeting last-minute delivery and food delivery services, as well as a spike in fraudulent refunds. Criminals have also found ways to beat the system offline -- lurking around residential neighborhoods searching for delivered packages sitting out on porches. Let's have a look at a few real-life examples from the underworld.

Straight from the oven: taking advantage of the increased demand for food delivery services

Online food and takeaway markets are booming. Services like Just Eat, Foodpanda, Delivery Hero, and Grubhub are having a field day during the lockdown. This spike in legitimate traffic has also made these services the hardest hit: they are seeing more account takeover (ATO), new account fraud (NAF), credit card (CC) fraud, coupon fraud, and phishing schemes that use more sophisticated methods to steal personal data.


What makes these services an even juicier target is all the promotional campaigns they are running -- and fraudsters can scam either the companies themselves or their consumers. Using bots and various other device manipulation tactics, fraudsters can quickly scale attacks that hack promo codes or use stolen credit cards before the merchant is even aware of the action. The nature of these businesses is to be fast; customers must receive their goods within a short period of time. And of course, fraudsters can also run refund fraud schemes: more on this below.

Fraudsters can also pose as legitimate services to execute phishing attacks using various social engineering methods. According to a recent announcement, Domino's Pizza customers in the U.K. were targeted by scammers. A website link circulated on WhatsApp offering free pizza during the lockdown. The message, which claimed to be from Domino's Pizza, turned out to be a phishing scam tricking customers into entering personal details. Those login/password combinations were then harvested by the criminals behind the site.

Ramping up refunds

Fraudsters are sticking to tested methods that work and stepping up their exploitation of refunds.

Screenshot from the dark web: fraudsters continue their refund scams during COVID19

When it comes to refund fraud, account takeover is still king

One of the easiest ways to commit refund fraud is through an already established customer account with a high reputation. With eCommerce accounts seeing increased usage due to COVID-19, fraudsters are jumping at the opportunity to exploit legitimate user accounts.

Of course, fraudsters can make purchases with saved payment details -- a standard account takeover strategy -- but they can squeeze even more out of it by requesting refunds on already dispatched items, often ordered by a legitimate account owner.

Thanks to the demand for a smooth customer journey and the high value of loyal customers to any business, these accounts are subject to fewer security hurdles and therefore refund requests are likely to be approved automatically or with very little oversight. Once the refund request is approved, the money credited to the account can now be used by the fraudster.


Fraudulent accounts abound

Merchants strive to smoothly onboard as many new customers as possible. With this in mind, merchants are lowering certain security hurdles in order to make the account creation and payment processes as smooth as possible for their customers.

This trend towards a seamless customer journey makes the possible ROI of this type of attack higher than normal for a fraudster. Now fraudsters can easily create new accounts for the sole purpose of getting goods for free, taking advantage of relaxed security checks and less scrutiny of new customer accounts.

Refund fraud-as-a-service targeting Grubhub or UberEats

Screenshot from the dark web: Krushshop selling their services

Newbie fraudsters are paying more experienced peers to commit refund fraud on their behalf. In the screenshot, you can see Krushshop promoting their service, taking advantage of the COVID-boosted traffic to food delivery services.

The need to deliver a speedy service is made more challenging by the sheer volume of orders, making this environment extremely attractive to anyone trying to make a quick buck. There is no room for delays in payment approvals, as the time between an order being placed and delivered is critical and the key to a good customer experience. This adds another layer of opportunity: merchants do not want to upset customers -- especially when they have so many new ones -- who claim an order was not delivered and demand a refund. There is no time to check with the delivery team or question the customer to determine the validity of the complaint.

In addition to their more advanced and sophisticated skills, Krushshop knows the best way to pass the security hurdles -- they have done their homework (we like to call this the reconnaissance phase of an attack). In this case, among other things, they know that keeping the order under $75 will keep it from being flagged as a suspicious activity or session. All their customers have to do is pay up-front in bitcoin and complete 4 easy steps; the customers get their food almost free, and Krushshop gets the commission.


No-touch deliveries provide the cherry-on-top

No-contact delivery and rapidly growing volumes of online orders together create the perfect storm for the rapid growth of old, tried-and-tested fraud schemes. Delivery services are experiencing an unprecedented boom. Global delivery leader DHL saw an increase of 36% in domestic volume and 28% in cross-border volume compared to the daily averages seen in February.

As these delivery services take steps to protect their employees, "no signature" and "no show deliveries" are often used as a solution. However, these methods are easily abused by fraudsters. To maintain social distancing, customers no longer have to sign for deliveries, which lowers yet more security hurdles for fraudsters. This has a domino effect: the merchant has no evidence of whether the package arrived or not, so when the legitimate cardholder makes a refund or chargeback request, there is no signature available to confirm (as far as that is possible) the identity of the recipient on the other side.

Screenshot from the dark web: fraudsters take advantage of no-contact deliveries during COVID19

Stepping up offline activities

Remember the video Glitter Bomb vs. Package Thief? Criminals have ramped up their offline activities, lurking around neighborhoods looking for packages sitting out on porches. It is a whole new approach to "social [distancing] engineering."

Video: Pranking Package Thieves by Mark Rober on YouTube

While this might not fall directly into the "fraud" category, as it involves the theft of physical goods from a customer's home, this trend demonstrates how online fraud shifts in step with changes in the real world. As customers order more online, fraudsters find new ways to take advantage, both online and in the real world.


Adapting to the new reality

Fraudsters are continuously adapting, testing new ways to take advantage of the system, and looking for vulnerabilities. They are constantly trying to create advantages for themselves. The examples above are just a couple of the ways fraudsters are adapting to the coronavirus realities. One thing is certain -- as fraudsters adapt their tactics, businesses need to find new ways to protect themselves.

The key to beating fraudsters is to have visibility into the entire customer journey. Take a deep dive into how behavioral biometrics picks up on non-human behaviors and behavioral anomalies throughout the fraudster's journey, ensuring early detection -- before the damage is done.
