The black hat hackers who exploit network security flaws to steal credit card data turn around and sell that data on underground electronic black markets. Criminals, often referred to as bad actors, buy the card data and monetize it with fake ecommerce transactions.
Standing in the way are the fraud detection systems, which prevent the bad actors from simply spraying large amounts of card data at the credit card gateways. These fraud detection systems are designed to look for transactions that resemble human behavior, and to block those that appear to come from automated systems created to monetize large amounts of stolen credit card data.
For cybercriminals, a new platform called Voxis works around the detection systems. Andrew Komarov, CEO of IntelCrawler, who reported the Voxis platform on the company’s blog, explained:
"The Voxis platform relieves these bad actors from laboriously entering credit card data into fake ecommerce websites. The actors upload a batch of stolen credit card data into Voxis that then submits fraudulent card transactions with the characteristics of a human sending a payment from a mobile device or PC."
The Voxis Group, as they call themselves, offers its platform for sale, as shown in the screenshot below of an offer Komarov discovered on a website that black hats and bad actors use to conduct their illegal business.
With Voxis, the bad actors need a fake ecommerce site and at least one merchant account with a payment processor. No ecommerce software development skills are needed because black hats will also build a fake ecommerce site on spec, like the one in this screenshot, also discovered by Komarov.
All the bad actors need is intent, an internet connection, and a little knowledge about payment gateways. Buy a domain, use a stolen identity to open an account with a merchant payment processor, and buy stolen credit card data – the bad actor is in business.
Komarov explained how these bad actors put these pieces together:
"Taking advantage of fraudulently obtained merchant accounts, bad actors can use speed to automate and load cards to be charged for predetermined amounts at predetermined times, all with the goal of sliding under fraud detection systems. The emulation of human behavior and buying patterns increases their probabilities of having charges authorized."
The Voxis Group claims its platform will auto-fill CVV numbers, the 3- or 4-digit code on the front or back of credit cards. The platform supports 32 different credit card payment processors, allowing a bad actor to move from one processor to the next when fraud is detected and service is shut down.
If the data breach has not been detected and the credit card numbers canceled, Komarov said that the stolen cards could be used for as many as 15 to 20 days.
As the credit card transactions accumulate, the bad actors recruit money mules to transfer the cash into offshore and grey accounts beyond the reach of law enforcement. Money mules are typically hapless individuals recruited online into what they believe are legitimate jobs as local agents responsible for accepting the money from the payment processor fraud and transferring it per the bad actors’ direction, taking a small percentage as compensation in the process.
Apple Pay, CurrentC, and point-of-sale equipment can’t stop this. Only tighter data center security or early warning of a breach can stop it. The problem is that breaches often go undetected for days, weeks, and sometimes longer, which the bad actors count on to earn their returns on the credit card data in which they invested.