Written by Dima Khrustalov
One of the most common types of fraud using stolen payment cards (whether directly using compromised payment cards, or indirectly taking over e-commerce accounts with linked payment cards) is “reshipping fraud”. Reshipping fraud is quite straightforward - a fraudster steals a victim’s payment card and uses it to purchase an expensive product online. The product is shipped not to the victim’s address, rather to the address of a reshipper or mule, an individual who then ships the product to an address specified by the fraudster. The US Postal Service defines reshipping fraud as follows1: “Criminals operating primarily from Eastern European countries and Nigeria have been conducting widespread, international schemes involving bogus job offers, fraudulent credit card orders, and the reshipping of illegally obtained products. The scam begins when criminals buy high-dollar merchandise — such as computers, cameras, and other electronics — via the Internet using stolen credit cards. They have the merchandise shipped to addresses in the United States of paid “reshippers” (who may be unaware they are handling stolen goods). The reshippers repackage the merchandise and mail it to locations2 in Russia, Ukraine, Estonia, Lithuania, Romania, and Germany. Victimized businesses include such well-known companies as Amazon, eBay, and other Internet auction sites.”
Payment card enrollment, i.e., registering a payment card on an online account management service offered by the issuing bank, is an important step in facilitating successful reshipping fraud. Numerous threat actors on underground Russian-speaking cybercriminal and fraud forums are either offering such cards for sale or looking to buy them. We have seen regular, active discussions about payment card enrollment in these underground communities. What is the reason for the high popularity of enrolled payment cards among fraudsters and cybercriminals?
The enrollment of a payment card in an online account management service allows the accountholder to view online statements and balance, review transactions, pay bills online, and more. But that is not what fraudsters and cybercriminals are interested in.
They are interested in executing the following:
In most cases, online enrollment for payment cards is done using the PAN (Primary Account Number) and some of the accountholder’s PII (Personally Identifiable Information), including SSN (Social Security Number), DoB (Date of Birth), MMN (Mother’s Middle Name), billing address, etc. It is worth noting that many underground carding markets today sell compromised cards together with the cardholders’ PII. However, even if a card is sold without the cardholder PII, fraudsters and cybercriminals can easily obtain it using various services, both underground and legitimate. After the fraudster manages to enroll the payment card online, it can take five to seven days until the changes are applied to the account, and then the card can be used for reshipping or other fraud.
Cybercriminals prefer payment cards that have not been previously enrolled by the accountholder. In that case, the cybercriminal can enroll the card and have the sole access to online account management. But even if the accountholder has already enrolled the card, cybercriminals can attempt to take over the online account. Of course, such enrollment is considered less “safe”, since the cardholder may try to login, discover that he no longer has access to the account, and contact the bank to report the issue.
Not all issuers offer online card account management services, and even those that do may only offer the service for certain card types. Furthermore, some online card account platforms do a good job of detecting and blocking unauthorized registrations. As such, fraudsters and cybercriminals are constantly seeking financial institutions and specific card BINs that are easier to enroll. Information regarding what BINs of which banks can be enrolled online and tricks and tactics for successful enrollment is highly valuable and guarded among cybercriminals and fraudsters. This information is rarely publicly discussed on underground forums and communities, and many fraudsters are willing to pay a pretty penny for it. Through our deep coverage of underground forums and communities, we have discovered what financial institutions are being targeted due to the perceived higher likelihood of payment card enrollment. We recommend the following:
About the AuthorDima Khrustalov is a senior analyst at Q6 Cyber’s Tel Aviv office, covering global cybercriminal activities on the Dark Web and Deep Web. Prior to Q6 Cyber, Dima was an Anti-Money-Laundering and Due Diligence analyst. Dima holds a BA in Communications and Business Administration from the Hebrew University of Jerusalem.