Laundering the spoils from cybercrime can be a dicey affair, fraught with unreliable middlemen and dodgy, high-priced services that take a huge cut of the action. But large-scale cybercrime operations can avoid these snares and become much more profitable when they’re able to disguise their operations as legitimate businesses operating in the United States, and increasingly they are doing just that.
Today’s post looks at one such evolution in a type of service marketed to cybercrooks that has traditionally been perhaps the most common way that thieves overseas “cash out” cybercrimes committed against American and European businesses, banks and consumers: The reshipping of goods purchased through stolen credit cards.
Cybercrooks very often rely on international reshipping services to help move electronics and other goods that are bought with stolen credit cards, shipped abroad, and then sold for cash. Many fraudsters use stolen credit cards to pay for U.S. Postal Service and FedEx shipping labels — a.k.a. “black labels” — but major shipping providers appear to be getting better at blocking or intercepting packages sent with stolen credit cards (at least according to anecdotal evidence from the cybercrime forums).
As a result, crooks increasingly are turning to a more reliable freight: So-called “white label” shipping services that are paid for with cybercrime-funded bank accounts via phony but seemingly legitimate companies in the United States.
In the case of a breach at an online merchant that exposes the card number, expiration and card verification value (CVV), the compromised card numbers typically are used to purchase high-priced electronics at online stores that are known to be “cardable” — that is, the stores will ship to an address that is different from the billing address.
In the case of “card present” breaches (such as at those that have hit Target, Neiman Marcus, P.F. Chang’s and others) — where attackers use malicious software to compromise cash register transactions and gather data that can be used to fabricate new cards — fraudsters employ teams of “runners” who use the card data to create counterfeit cards and buy high-priced merchandise at big box retailers.
In either card-present or card-not-present fraud, one of the most lucrative ways for fraudsters outside of the United States to cash out stolen credit cards is to have carded goods shipped overseas, where electronics and other luxury items typically sell for a much higher price than in the United States (think new iPads and iPhones, e.g.).
The hardest step in this whole process is successfully getting the goods out of the United States, because a large percentage of retailers simply refuse to ship to areas like Russia and Ukraine due to high rates of fraud associated with those regions.
Traditionally, fraudsters get around this restriction by turning to reshipping services that rely on “mules,” people in the United States who get recruited to reship packages after responding to work-at-home job scams. These reshipping mules are sent multiple packages containing electronics that have been purchased with stolen credit and debit cards. They’re also sent prepaid and pre-addressed shipping labels, and the mules are responsible for making sure the goods are reshipped quickly and accurately.
Over the past year, however, more and more users of reshipping services advertised in the cybercrime underground have reported problems with a greater share of their packages being intercepted or canceled. Apparently, the shipping companies are getting better at detecting shipping labels that are paid for with stolen credit cards and hijacked accounts.
Enter LabelCity, a “white label” service that advertises “corporate rates” for shipping Priority Mail International through the U.S. Postal Service (USPS) — rates that come in slightly below the rates that the USPS charges retail on its shipping calculator.
“Our service provides 100% guarantee on delivery of the goods. Return of funds to 30 days,” the proprietor of LabelCity promises in an online advertisement. “We started doing white labels (i.e., cash disbursed-for)! Our labels are made automatically through the admin panel, and automatic replenishment! Our corporate rates will surprise you, minus 15-20% of the price of USPS!”
Services like LabelCity explain why reshipping operations remain among the most popular methods of cashing out many different forms of cybercrime: Buying luxury goods that can be resold overseas at a significant markup amplifies the fraudster’s “profit.”
Take, for example, the scourge of IRS tax refund fraud, an increasing form of cybercrime that has been documented extensively on this blog. With refund fraud, the IRS is tricked into sending the fraudsters prepaid credit cards that can be used like cash. But rather than merely pulling the cash from those cards out of ATMs all around the world, it makes more sense for the crooks to take that cash and reinvest it into purchasing goods here in the United States that can often sell for twice the purchase price in countries like Russia and Ukraine.
LabelCity is a great reminder that cybercrime is seldom an isolated event or a single-victim crime: Much of it is connected in some way. In most cases, one fraud begets another, and thieves — particularly those perpetrating such crimes from across international borders — often string together multiple forms of fraud in a bid to extract maximum value from their activities.
Update: In case there was any confusion, the LabelCity mentioned in this story is not the same thing as the legitimate e-commerce site LabelCity.com.