When the global economy gets a cold, the criminal underground is not immune.
Illicit markets dealing in stolen credit card information have had to make significant changes to the way they do business in the wake of the COVID-19 pandemic. Yes, the world of underground financial fraud has stayed active, but things have changed.
At the same time, unusual law enforcement activity in the first half of the year has made an even bigger impact on the sale of stolen credit cards.
Two times per year, analysts at Sixgill compile statistics about the state of credit card fraud. For the first half of 2020, we found that the number of stolen credit cards on the dark web dropped significantly - from 76.2 million to 45.1 million.
We attribute this decline to at least two major factors. Law enforcement activity in Russia resulted in the closure of several dark web marketplaces. Additionally, with fewer people shopping in stores because of lockdowns, criminals found it harder to obtain new data from skimmers and card readers surreptitiously attached to point-of-sale systems.
On the dark web, stolen credit card data is usually sold in two different formats.
The first format includes the CVV codes - these are the three-digit numbers on the back of a card. Fraudsters need CVVs to buy things online. Card data with CVVs tend to come from infected payment pages on websites, where criminals can copy the data as a customer enters their credit card info.
The second format is referred to as a “dump.” This data is obtained from skimmers attached to ATMs and other point-of-sale devices. With this information, fraudsters can “clone” credit cards and then use them for in-store and in-person purchases.
Prior to coronavirus, dumps tended to make up about 40 percent of the cards sold online. Our research showed that this percentage ticked downward - slightly - to 38 percent. And it makes sense that CVVs - which are obtained online - would grow as a share of stolen cards. More people are shopping online amid the lockdowns, ordering groceries and just about everything else as stores have closed or people want to stay inside.
Additionally, we found that several fraudsters were cut off from their ability to obtain dump data.
Figure 1.1 Threat actor advising others on how to be safe during the pandemic while carding.
In other posts, we found that related services were also cut off - the people that sold skimmers and the people that cloned cards as a service to others were unable to ship their wares amid the pandemic.
Figure 1.2 A threat actor posting announcements about credit card dumps.
Figure 1.3 A threat actor posting an announcement regarding pauses in services.
The Russia Connection
The vast majority of stolen credit cards originate from U.S. consumers, followed by India, Brazil and the United Kingdom. Credit cards issued in Russia make up just one out of every 500,000 stolen cards of the stolen cards sold on the dark web.
For years, most fraud experts have speculated that Russian law enforcement is content to allow cybercrime to flourish, so long as it is directed outward. And there’s a lot of evidence that a large amount of fraud schemes originate in Russia, where technical skills are high, but entrepreneurship and economic conditions deprive many well-educated people with opportunities.
But our research shows that Russian law enforcement was a major contributor to the overall decline in the number of stolen cards online. In March 2020, Russian investigators arrested 25 people and shut down dozens of dark web marketplaces. In 2019, these markets accounted for 54 of the world’s stolen credit card trade. In the process, several new dark web marketplaces rose to prominence.
So, what accounts for the sudden shakeup in Russian cybercrime? It’s clear from our data that the crackdown did not affect all of the dark web marketplaces operated in Russia. It’s likely that many of the accused criminals had drawn the ire of authorities by violating domestic criminal laws. In arresting the suspects, police found illicit narcotics, firearms, fraudulent Russian passports, and Russian law enforcement identification. In other words, these select criminals seemed to have violated the first rule of cybercrime: don’t hack where you eat.
Protecting Credit Cards in a Shifting Landscape
Activity on dark web marketplaces shows that the coronavirus lockdowns have changed the fraud landscape. As in-person shopping declined, so did the types of credit card fraud that depended on it.
This sequence of events points to a shifting strategy for cybersecurity professionals, and consumers as well. Merchants need to make sure they have tools in place to prevent e-skimming attacks like Magecart. And, as in-person shopping continues to tick upward, retailers should only use chip-enabled point-of-sale systems.
For consumers, it’s a good idea to change passwords regularly, avoid reusing passwords, and to keep an eye on bank statements for signs of unapproved activity. When consumers receive an order/shipping confirmation email, navigate to the site directly instead of clicking on links. This will minimize the chance of being redirected to malicious sites.