The Voxis web service platform addresses cybercriminals’ unmet need with business savvy matching that of the best Silicon Valley internet companies. Voxis automates the monetization of stolen credit card data, flying under the radar of fraud detection systems. In an interview after Voxis was first reported yesterday, Andrew Komarov, CEO of security research firm IntelCrawler, explained:
"The supply of credit card data from the many reported, unreported, and undetected data breaches doesn’t constrain cybercriminals. Reducing the time-consuming process of monetizing the card data and increasing the number of cards monetized is the constraining criminal need that Voxis meets. It increases the selling price of the stolen cards and increases the take of fraudulent transactions before the card numbers’ shelf life expires, going bad like old fruit on a grocer’s shelf."
A stolen batch of credit card data can be discovered in many ways, each of which rapidly devalues the cybercriminals’ spoils. The breach could be detected and the cards cancelled, or payment processors could be tipped off by a high rate of chargebacks when cybercriminals make fraudulent transactions or make mistakes on fake ecommerce sites.
Komarov shed some light on the criminal economics of credit card fraud:
"The wholesale value of a credit card is $1 or $2 right after the breach, and with time loses value. But compare the wholesale price to the value created with one or two charges of $40 to $80. Charges submitted carefully using the automated services of Voxis will go undetected by the payment processing service and be credited to the cybercriminal’s account. Capable cybercriminals don’t want to be detected, so moving quickly from the time of breach they put through one or two modest charges on each card, not thousands of dollars, and in 10 or 15 days, transfer all the money from the merchant account held by the payment processor to a money mule or specially prepared company with a corporate account linked to the fake ecommerce site and cash out. Depending on the amount of money, professional fraudsters cooperate with organized crime groups specializing in money laundering."
The cybercriminals using Voxis put up a fake ecommerce website, usually outsourced to a criminal contractor. Then an account with a merchant payment processor is opened using false or stolen corporate and individual identities. There are many payment processing companies that act as middlemen between the merchants and the credit card companies. Payment processors are sales and service businesses: they market to and contract with merchants to accept charge transactions online, forward them for reconciliation and payment by the credit card companies, and credit the merchants’ accounts when funds are received.
The Voxis platform mimics human buying behavior. It randomizes amounts and intervals of charges to make them appear normal. Credit card data is imported into Voxis and ecommerce items and prices are added. Automated processing rules are designed to keep the transactions’ frequencies and amounts from appearing suspicious to the credit card companies. Voxis automates the execution of the transactions, filling the merchant account with cash.
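Because each card's activity is made to look ordinary, a processor-side reviewer has more to work with at the merchant level, where the whole book of business is visible. The triage heuristic below is an added example, not code from IntelCrawler or any payment processor; the record layout, merchant ids and the `MIN_CARDS` and `MIN_SHARE` thresholds are assumptions, and the other limits are taken from the figures Komarov quotes above.

```python
from collections import defaultdict
from datetime import date, timedelta
import random

# Limits from the figures quoted in the article; MIN_* values are assumptions.
BAND = (40.0, 80.0)   # "one or two charges of $40 to $80"
MAX_PER_CARD = 2      # "one or two modest charges on each card"
WINDOW_DAYS = 15      # money is moved out "in 10 or 15 days"
MIN_CARDS = 30        # hypothetical minimum sample before scoring a merchant
MIN_SHARE = 0.9       # hypothetical share of traffic that must fit the pattern

def merchant_profile(txns):
    """txns: iterable of (merchant_id, card_token, amount, day). Per-merchant stats."""
    by_merchant = defaultdict(list)
    for merchant, card, amount, day in txns:
        by_merchant[merchant].append((card, amount, day))
    profiles = {}
    for merchant, rows in by_merchant.items():
        per_card = defaultdict(int)
        for card, _, _ in rows:
            per_card[card] += 1
        days = [d for _, _, d in rows]
        profiles[merchant] = {
            "cards": len(per_card),
            "low_repeat_share": sum(n <= MAX_PER_CARD for n in per_card.values()) / len(per_card),
            "band_share": sum(BAND[0] <= a <= BAND[1] for _, a, _ in rows) / len(rows),
            "active_days": (max(days) - min(days)).days + 1,
        }
    return profiles

def flag_merchants(txns):
    """Merchant ids whose entire traffic matches the quoted pattern; for manual review."""
    return sorted(
        m for m, p in merchant_profile(txns).items()
        if p["cards"] >= MIN_CARDS and p["low_repeat_share"] >= MIN_SHARE
        and p["band_share"] >= MIN_SHARE and p["active_days"] <= WINDOW_DAYS)

def constructed_sample(seed=7):
    """Constructed data: M-NEW fits the pattern, M-OLD is an established shop."""
    rng, start, txns = random.Random(seed), date(2024, 1, 1), []
    for i in range(60):   # 60 cards, 1-2 charges each, $40-$80, within 12 days
        for _ in range(rng.choice((1, 2))):
            txns.append(("M-NEW", f"c{i}", round(rng.uniform(40, 80), 2),
                         start + timedelta(days=rng.randrange(12))))
    for i in range(60):   # repeat customers, wide price range, spread over 90 days
        for _ in range(rng.randint(1, 6)):
            txns.append(("M-OLD", f"k{i}", round(rng.uniform(5, 400), 2),
                         start + timedelta(days=rng.randrange(90))))
    return txns

if __name__ == "__main__":
    print(flag_merchants(constructed_sample()))
```

A hit is a reason to hold settlement and re-check the merchant's onboarding documents, not proof of fraud, since a legitimate new shop with one-time buyers can produce a similar profile.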
Sometimes the cybercriminals at the Voxis Group will process the credit cards they’ve stolen themselves. They also share the Voxis platform with partners in some sort of criminal licensing arrangement, like any legitimate internet company would. Automated credit card fraud processes more cards, reduces detection and increases the criminals’ take.
Compared to selling the credit card data on the wholesale market, merchandising the card data requires payment skills to fool the processors, plus business and legal skills to control the companies through which the fraud is committed.
For the time being, with so many breaches, these cybercriminals’ main problem is they have more cards than they can use.