Written by Nicole Abramov
For the purposes of this post, we named the group the “BlackWidows Group”. The group consists of approximately twenty Russian-speaking cybercriminals who target financial institutions in the United States and Europe. In the United States alone, BlackWidows Group opens hundreds of new accounts per day.
The types of accounts opened can be split into three main categories: bank accounts, reloadable prepaid card accounts, and brokerage accounts.
The group is extremely efficient and has streamlined its process. All members follow the same techniques and procedures, operating as a well-oiled machine and filling daily quotas per country and per bank.
The process of registering new accounts begins by obtaining “fullz” – compromised PII (including full name, address, SSN, date of birth, and more) that is readily available for purchase in underground markets. The group compiles identities and related data to be used during the account registration.
Next, the operator sets up an “anti-detect” browser, a tool used to mask the cybercriminal’s own device and to bypass anti-fraud measures. The group uses the popular “Indigo Browser”, which offers browser fingerprint customization and integration with popular underground proxy providers.
Armed with a stolen identity, a BlackWidows Group member then configures a new “profile” in Indigo Browser, setting the time zone, language, and geolocation data to match those of the victim. Using an underground proxy provider, the member selects a proxy server whose exit IP geolocates to the victim’s physical address, so that the IP address seen by the bank is consistent with the rest of the profile.
With technical preparations out of the way, the group retrieves the last piece of necessary information: the victim’s phone number. Using legitimate background check services, it searches for previous phone numbers used by the victim. Such numbers are used during the account registration process because they are more likely to pass certain identity verification tools, presumably because a number that was once associated with the victim is still linked to that person in bureau and telecom records, whereas a freshly obtained number is not.
The last step is straightforward: creating a new email account that matches the victim’s PII, to be used in account applications. BlackWidows Group seems to prefer Outlook and mail.com.
At this point, the group can begin self-registering accounts for the stolen identities. The group often uses the same victim PII to register accounts at multiple financial institutions. As described above, all the data in the applications genuinely belongs to the victim, except for the contact information (email address and phone number), which is under the group’s control.
It is noteworthy that BlackWidows Group uses a number of services that provide free online SMS receipt, either for publicly available numbers or for a private number of choice. When an SMS verification code is required for account opening or subsequent activity, the group likely leverages these services to receive the verification messages.
Once the accounts are successfully created, the group sometimes allows them to “age”. The accounts sit with no suspicious activity and gain a history of seemingly legitimate user login sessions. Aged accounts are more valuable because they are less likely to trigger anti-fraud controls than newly registered accounts.
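The self-registration pattern described above leaves several signals that a bank’s application-screening logic can correlate: a contact phone that is an old number for the identity rather than the current one, a phone from an online SMS-receipt service, an application source in a proxy provider’s address space, many distinct identities arriving through the same provider in a short window, and the same stolen identity resubmitted with different contact details. The following is an added example of such scoring, not code from Q6 Cyber or from any fraud vendor; the bureau phone data, the SMS-receipt number prefixes, the proxy ASN, the thresholds and the sample applications are all constructed for illustration.

```python
"""Added example: scoring new-account applications for the self-registration
pattern described above. All records, phone-number prefixes, ASNs and thresholds
are constructed for illustration and are not data from any institution or vendor."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Application:
    app_id: str
    identity: str        # stable key for the applicant's PII, e.g. a hash of SSN + DOB
    email: str
    phone: str
    asn: int             # autonomous system of the source IP (residential ISP vs. proxy provider)
    submitted: datetime


# Hypothetical reference data an institution would already hold or license:
# identity -> (phone currently on file, phones previously associated with the person)
BUREAU_PHONES = {
    "id-A": ("+12025550101", {"+12025550199"}),
    "id-B": ("+13105550142", set()),
    "id-C": ("+14155550178", {"+14155550111"}),
}
SMS_RECEIPT_PREFIXES = {"+1206555", "+1305555"}   # invented prefixes of free online SMS-receipt numbers
PROXY_ASNS = {64512}                              # invented ASN of an underground proxy provider
VELOCITY_WINDOW = timedelta(hours=1)
VELOCITY_LIMIT = 3                                # distinct identities from one ASN per window


def per_application_signals(app):
    """Signals visible on a single application, independent of other traffic."""
    reasons = []
    current, historical = BUREAU_PHONES.get(app.identity, (None, set()))
    if app.phone in historical and app.phone != current:
        reasons.append("phone is a previous number for this identity, not the current one")
    if any(app.phone.startswith(p) for p in SMS_RECEIPT_PREFIXES):
        reasons.append("phone belongs to an online SMS-receipt service")
    if app.asn in PROXY_ASNS:
        reasons.append(f"source ASN {app.asn} is a known proxy provider")
    return reasons


def velocity_signals(apps):
    """Distinct identities applying from the same ASN inside VELOCITY_WINDOW.
    A crew filling a per-bank quota through one proxy provider clusters here even
    when every individual application looks clean."""
    by_asn = defaultdict(list)
    for a in sorted(apps, key=lambda x: x.submitted):
        by_asn[a.asn].append(a)
    peak = {}  # app_id -> largest identity count of any window containing it
    for group in by_asn.values():
        for i, first in enumerate(group):
            window = [b for b in group[i:] if b.submitted - first.submitted <= VELOCITY_WINDOW]
            n = len({b.identity for b in window})
            if n >= VELOCITY_LIMIT:
                for b in window:
                    peak[b.app_id] = max(peak.get(b.app_id, 0), n)
    asn_of = {a.app_id: a.asn for a in apps}
    minutes = int(VELOCITY_WINDOW.total_seconds() // 60)
    return {app_id: f"{n} distinct identities from ASN {asn_of[app_id]} within {minutes} min"
            for app_id, n in peak.items()}


def contact_reuse_signals(apps):
    """The same stolen identity submitted more than once with different contact
    details: the PII is the victim's, the email and phone are the fraudster's."""
    contacts = defaultdict(set)
    for a in apps:
        contacts[a.identity].add((a.email.lower(), a.phone))
    return {a.app_id: f"identity {a.identity} submitted with {len(contacts[a.identity])} different contact sets"
            for a in apps if len(contacts[a.identity]) > 1}


def score(apps):
    """Return {app_id: [reasons]} for every application with at least one signal."""
    findings = defaultdict(list)
    for a in apps:
        findings[a.app_id].extend(per_application_signals(a))
    for app_id, reason in velocity_signals(apps).items():
        findings[app_id].append(reason)
    for app_id, reason in contact_reuse_signals(apps).items():
        findings[app_id].append(reason)
    return {k: v for k, v in findings.items() if v}


T0 = datetime(2019, 6, 3, 9, 0)
SAMPLE_APPLICATIONS = [  # constructed: four applications via the proxy ASN, one residential control
    Application("app-1", "id-A", "a.smith.1981@outlook.com", "+12025550199", 64512, T0),
    Application("app-2", "id-B", "b.jones44@mail.com", "+12065550100", 64512, T0 + timedelta(minutes=10)),
    Application("app-3", "id-C", "c.lee.nyc@outlook.com", "+14155550178", 64512, T0 + timedelta(minutes=20)),
    Application("app-4", "id-D", "dana.k@example.org", "+17735550164", 7922, T0 + timedelta(hours=5)),
    Application("app-5", "id-A", "asmith1981@mail.com", "+12025550199", 64512, T0 + timedelta(hours=2)),
]

if __name__ == "__main__":
    for app_id, reasons in sorted(score(SAMPLE_APPLICATIONS).items()):
        print(app_id)
        for r in reasons:
            print("   -", r)
```

Run as a script it lists every flagged application with its reasons; app-4, the residential control with a phone that matches no watchlist, produces none. The velocity rule is the one worth keeping even when the per-application lists are incomplete: an anti-detect profile with a geolocation-matched proxy defeats time-zone and language consistency checks on each application individually, but a crew working through one proxy provider still concentrates many unrelated identities in that provider’s address space, and no single legitimate applicant has that shape.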
Cybercriminals and fraudsters engaged in new account fraud often source PII and synthetic identities via the Dark Web. They also buy and sell such accounts on various Dark Web marketplaces and communities. Finally, they share tools and techniques to carry out new account applications and subsequent fraud at scale. By leveraging intelligence collected from the Dark Web and the broader Digital Underground, organizations can learn of upcoming new account campaigns targeting them, discover recently opened fraudulent accounts, and spot signals of new account fraud.
Through our deep coverage of the Dark Web and the broader Digital Underground, we are monitoring:
Contact us to learn how you can leverage this intelligence to disrupt new account fraud.
About the Author
Nicole Abramov is a Threat Intelligence Analyst at Q6 Cyber. Prior to Q6, Nicole was a Cyber Threat Analyst in the Israel Defense Forces.