November 26, 2013

Many online businesses rely on automated fraud detection tools to weed out suspicious and unauthorized purchases. Oddly enough, the sorts of dodgy online businesses advertised by spam do the same thing, only they tend to use underground alternatives that are far cheaper and tuned to block not only fraudulent purchases, but also “test buys” from security researchers, law enforcement and other meddlers.

One anti-fraud measure commonly used in e-commerce is the address verification service (AVS), which seeks to verify the address of a person claiming to own a credit card. Some businesses employ additional “geo-IP” checks, which try to determine the geographical location of Website visitors based on their Internet addresses, and then match that with the billing address provided by the customer.

The trouble with these services is that they can get pricey in a hurry, and they’re often sold by the very companies that spammers are trying to outsmart. Enter services like fraudcheck[dot]cc: This service, run by an established spammer on a semi-private cybercrime forum, performs a multitude of checks on each transaction, apparently drawing on accounts from different, legitimate anti-fraud services. It accepts payment solely via WebMoney, a virtual currency that is popular in Russia and Eastern Europe.

fraudcheck[dot]cc resells bundles of anti-fraud services from legitimate providers like MaxMind.

This fraudster-friendly antifraud service does the following analysis:

  • Queries the geo-IP location from four distinct sources;
  • Calculates the billing ZIP code distance from the customer’s geo-IP coordinates;
  • Checks the customer’s Internet address against lists of known proxies that are used to mask an Internet user’s true location, and assigns a “risk score” of zero to 4.2 (the higher the number, the greater the certainty that the purchase was made via a proxy);
  • Generates a “fraud score” from 0-100 to rate the riskiness of the transaction (100 being the riskiest).

The bulk of the fraud checks appear to be conducted through [hijacked?] accounts at MaxMind.com, a Waltham, Mass. company that screens more than 45 million online transactions per month for 7,000 companies. MaxMind sells a suite of legitimate anti-fraud solutions, including two specifically called out in the screen shot above (minFraud and GeoIP).

As detailed in this white paper (PDF), MaxMind’s minFraud service checks for a number of potential risk factors, such as whether the customer is using a free Webmail account, or there is a mismatch in the shipping and billing address. It also looks to see whether the customer is paying with a card from a known bank. Failure to identify a “bank identification number” (BIN) — the first six digits of any card — may indicate the customer is paying with a prepaid card and thus trying to mask their identity or location.

Based on the combined results of these tests, MaxMind’s service will assign a “fraud score” from 0 to 100, indicating the service’s best guess about whether the transaction should be allowed or declined. In the example from the screenshot above, it’s not clear why the service assigned such a high fraud score (96.84) to the transaction in question — perhaps because the service could not identify the bank that issued the card used in the transaction and determined that it was a prepaid card.
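As an added illustration (not code from the page, fraudcheck[dot]cc or MaxMind), here is a toy merchant-side scorer that strings together the checks described above: a consensus geo-IP fix from several sources, haversine distance to the billing ZIP, a proxy-list score on the 0-4.2 scale, a BIN lookup, and the free-webmail and billing/shipping-mismatch flags, combined into a 0-100 score. All lookup tables, addresses and weights are constructed.

```python
"""Toy reconstruction of the checks the page attributes to fraudcheck[dot]cc and
minFraud: multi-source geo-IP, billing-ZIP distance, proxy lookup on a 0-4.2 scale,
BIN lookup, webmail and billing/shipping flags, combined into a 0-100 fraud score."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from math import asin, cos, radians, sin, sqrt

# Four independent geo-IP "sources" (constructed; RFC 5737 documentation ranges).
GEOIP_SOURCES = [
    {"203.0.113.0/24": (42.38, -71.24), "198.51.100.0/24": (33.97, -118.25)},
    {"203.0.113.0/24": (42.37, -71.23), "198.51.100.0/24": (34.05, -118.24)},
    {"203.0.113.0/24": (42.40, -71.25), "198.51.100.0/24": (33.90, -118.30)},
    {"203.0.113.0/24": (42.36, -71.22), "198.51.100.0/24": (34.10, -118.20)},
]
# Approximate ZIP centroids (constructed): Waltham, MA and downtown Boston.
ZIP_COORDS = {"02451": (42.38, -71.24), "02108": (42.36, -71.06)}
# Known proxy/anonymiser ranges with a risk score on the page's 0-4.2 scale (constructed).
PROXY_RANGES = {"198.51.100.0/24": 4.2, "192.0.2.0/24": 1.5}
# Issuer table keyed by BIN (first six digits); 411111 is the classic Visa test prefix.
KNOWN_BINS = {"411111": "Example Bank (credit)", "555555": "Example Bank (debit)"}
FREE_WEBMAIL = {"gmail.com", "yahoo.com", "hotmail.com", "mail.ru"}


@dataclass
class Transaction:
    ip: str
    card_number: str
    email: str
    billing_zip: str
    shipping_zip: str


def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) pairs given in degrees."""
    lat1, lon1 = map(radians, a)
    lat2, lon2 = map(radians, b)
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def _cidr_lookup(table, ip):
    addr = ip_address(ip)
    for cidr, value in table.items():
        if addr in ip_network(cidr):
            return value
    return None


def geoip_consensus(ip):
    """Query every source; return (centroid, widest disagreement in km) or (None, None)."""
    fixes = [f for f in (_cidr_lookup(src, ip) for src in GEOIP_SOURCES) if f]
    if not fixes:
        return None, None
    centroid = (sum(f[0] for f in fixes) / len(fixes), sum(f[1] for f in fixes) / len(fixes))
    return centroid, max(haversine_km(p, q) for p in fixes for q in fixes)


def proxy_score(ip):
    """0.0 when the address is on no proxy list, otherwise that list's 0-4.2 score."""
    return _cidr_lookup(PROXY_RANGES, ip) or 0.0


def score_transaction(tx):
    """Return (fraud score 0-100, reasons).  Weights are illustrative, not minFraud's."""
    score, reasons = 0, []
    centroid, spread = geoip_consensus(tx.ip)
    billing = ZIP_COORDS.get(tx.billing_zip)
    if centroid is None or billing is None:
        score += 10
        reasons.append("geo-IP location or billing ZIP could not be resolved")
    else:
        dist = haversine_km(centroid, billing)
        if dist > 500:
            score += 30
            reasons.append(f"geo-IP fix {dist:.0f} km from billing ZIP")
        if spread > 200:
            score += 10
            reasons.append("geo-IP sources disagree with each other")
    ps = proxy_score(tx.ip)
    if ps > 0:
        score += 25 if ps >= 4.0 else 10
        reasons.append(f"address on a proxy list (risk {ps})")
    if tx.card_number[:6] not in KNOWN_BINS:
        score += 20
        reasons.append("BIN not recognised (possible prepaid card)")
    if tx.email.rsplit("@", 1)[-1].lower() in FREE_WEBMAIL:
        score += 10
        reasons.append("free webmail address")
    if tx.billing_zip != tx.shipping_zip:
        score += 15
        reasons.append("billing and shipping ZIP differ")
    return min(score, 100), reasons
```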

Prepaid cards are a favorite investigative tool of academic researchers and fraud investigators working on behalf of brands whose trademarks are often abused in spam-advertised goods (think pirated software, designer goods and knockoff name-brand prescription drugs). As such, dodgy businesses that sell products advertised via spam tend to look askance at transactions made with prepaids.

Geo-location tools used by fraudcheck[dot]cc

At least, that was one conclusion of an outstanding academic paper, Priceless: The Role of Payments in Abuse-Advertised Goods (PDF), an exhaustive analysis of the payment processing systems deployed by spammers. According to that research, spammers place a huge emphasis on blocking “undercover buys” from researchers and investigators.

“In particular, if they can prevent an undercover buy from producing an authorization then there is no way to tie a Web site selling brand-infringing goods to the merchant account (and hence bank) normally used to process its payments,” the researchers noted.

The researchers, from George Mason University, the University of California, San Diego, and the International Computer Science Institute, found a number of shops that filtered out IP addresses used on previously unsuccessful orders, as well as spam-advertised shops that refuse to process payments on credit cards with particular BINs.

“Similarly, we have identified distressed programs that use IP geo-location to specialize payment options,” that is, to weed out purchases from certain countries, the researchers found. “All of these techniques raise the stakes for undercover purchasing since it again creates an increased ‘cover burden’ for IP diversity, geographic diversity, BIN diversity, name diversity, etc.”

Damon McCoy, an assistant professor of computer science at GMU and one of the authors of the study, said fraudcheck.cc is indicative of a trend in underground businesses.

“We have seen a growing trend from these underground shops indicating that they are likely investing in increasingly sophisticated fraud checking systems and also employing a second line of defense by hiring people to manually check suspicious orders,” McCoy said. “They are becoming more willing to turn away some real customers to limit their risk of accepting a test purchase that might result in large fines.”

Fraudcheck[dot]cc is yet another example of a fraudster-friendly service that appears to be built on the back of compromised accounts at legitimate information services. Other examples include reshipping schemes that take advantage of carded and hijacked accounts at postage vendors; mass domain name registration services; money mule scams that find new hires using hijacked employer accounts at major job search sites; and identity theft services that pull data directly from major consumer data aggregators.


39 thoughts on “An Anti-Fraud Service for Fraudsters”

  1. legit

    Nothing wrong with this service. It’s cheap, robust and user friendly. What more do you want? 🙂

  2. Francis, the talking mule

    “potential risk factors, such as whether the customer is using a free Webmail account … Prepaid cards are a favorite investigative tool of academic researchers and fraud investigators working on behalf of brands whose trademarks are often abused in spam-advertised goods”

    Wouldn’t free Webmail accounts and prepaid cards also be a favorite of fraudsters trying to stay anonymous?

    1. TheOreganoRouter.onion

      I read that three times, and that’s what I thought too, looks like we are on the same wavelength.

      I would think that most credit card companies use strict address and zip code verification and if that information is just slightly off or doesn’t Geo-Locate to an I.P. number in that vicinity then the charge gets declined.

      Another thought provoking article. Also downloaded “Priceless: The Role of Payments in Abuse-Advertised Goods” for offline reading. Thanks for even more information to read.

      1. Sharona

        I agree with the comments re: confusing sentence on prepaid debit cards and investigative tools (a little discombobulated) etc. Perhaps some part of that sentence was redacted for some reason or another. However, assumption correct re: fraudsters are hand-in-hand and your money in that hand & the other, literally because — yes this is true — little if no supervision of any financial institute in the prepaid debit card business. Also, not many if any, applicable laws or legislation in effect right now concerning supervision/oversight/enforcement issues on ppdc’s. No arrests, no investigations, no prosecution. Thousands left completely broke and thousands are completely broke, have no recourse and cannot obtain assistance from any governmental agency, unless they are lucky. An internet bank can run any type of scheme they want, esp. prepaid debit cards they control, and financially slaughter the masses, prepaid or credit card wise. It is happening, you will see. Eye opener.

    2. BrianKrebs Post author

      Possibly. But the fraudsters are concerned primarily with two things: chargebacks and test buys that might be an attempt to discover the merchant bank that is doing the fraudster’s processing.

  3. alexlee

    there is nothing wrong with such service

    they are no forcing u to use it

    and they are not stealing ur bank info

    so ? its up to u to use or no

    another cheap article from krebbs

    1. TheOreganoRouter.onion

      Bad spelling and grammar, what does that tell you?

      Are you from Eastern Europe?

      1. Stinker Jo

        Even if he is what are you going to do about it ?

        P.S. Yo mama is so fat and dumb that the only reason she opened her email was because she heard it contained spam. HA HA.

  4. bonehead

    The speculation by the author at this point is that the fraud checks appear to be conducted via hijacked accounts. That’s the key point that would make this bad…!

    I’ve read enough articles from this author where his instincts and hunches turn out to be very accurate. I trust with a great degree his speculation is based on findings that strongly support putting that in the publication…

    1. Peter

      100% agreed.

      Brian’s posts always seem to be spot on and a lot of research conducted to gather the information for the post.

      As usual though it appears that some of the people involved in such activities are the ones giving negative comments.

    2. Mike Sangrey

      To underscore Brian’s apparent intuition of ‘hijacked accounts’…

      If one is trying to undermine security researchers and also trying to prevent fines relative to fraudulent activity, then one would try very hard to NOT leave bread crumbs. I would assume that signing up for an honest account on a fraud prevention site would require one to give fraud-free information. Seems to me that is not a bread crumb, but a full loaf.

      Thus it makes sense to me that the fraudsters hide their tracks via hijacked accounts.

    1. Peter

      I did wonder when I saw what was on the page. Reckon they are up to shenanigans or someone hacked them believing they were doing the right thing?

  5. meh

    How long before this is being regularly performed on every transaction we do everywhere? Time to use cash for everything and shop locally 🙁

    Tin foil hat time :\ The legitimate uses of it are almost more invasive than the illegitimate… Combine that with some links to the data brokers and they can link up every thing you do in real time – probably already being done.

  6. Prairie Dog

    I have doubts about geolocation. I live on the east coast. The first time I went to L.A. I followed a web site’s advice and told both my credit card banks that I’d be on the other coast. Neither took any info or seemed to care. While I was in L.A. I had no trouble using either credit card, on line or in person.

    The second time I went to L.A. the banks did take info on the hotel I would stay at and how long I expected to be there. I assume that was so a human could override a geolocation warning if necessary, but I wonder.

    I had one other peculiar incident. Back in the late 1960s my wife went back to New Mexico to visit her family. While there she bought some furniture for her mother. The credit card company declined the charge. When she called the 800 number she was told that the card shouldn’t be in New Mexico since the billing address was back east. (So much for human geolocation.) When I called the bank to get the charge authorized the fellow I spoke to said that the geographic refusal was improper, because the card was for traveling, after all.

    So who do I trust to get it right, software or a human?

    1. Melf

      It’s sad that we live in a world where you have to call the bank to spend money if your location is different than some registered location in many databases.

      1. JCitizen

        It has been my experience that the card companies use multiple factors for triggering fraud stops. One of the many factors is habitual behavior; if you do a lot of traveling and buying in other locations, that flag may not block the purchase. I can’t remember the other flags that happen, but I know I once went on a trip to pick up some freight, I don’t actually travel much, and the purchase was big enough, and the item was unusual enough to set off the alert. I had to talk to the bank over the phone to get it approved. Luckily they recognize my voice and know me personally, or it would have been more time consuming. So purchase size, cost, location, habits, and type of product can all contribute to the trigger for the block alert. These aren’t the only metrics by any means though.

    2. arp

      I visit the US several times a year, but the first time I bothered to inform my bank I would be in the States (European card) it was blocked as soon as I got off the plane!

      I would’ve been better off not even telling them, and it left me without any cash to use the airport payphone

  7. JeFF

    well, yes, they certainly use some fraud scoring.

    But fraudcheck.cc domain name has been registered November 10th, 2013. Brand new, so to say. And so maybe not so relevant. Or planted, whatever.

  8. khax

    haha..whoever hacked that page has a certain sense of humour…

  9. AlphaCentauri

    Citibank watches locations very closely. Buying gas while driving through several states will get my card frozen every time if I don’t call in advance of a trip. They want to know exact dates of travel, and they can only associate a limited number of states with my account.

    1. stine

      Amex does this too, but you can drive from Atlanta to Texas before their systems will throw an alert… And this was after filling up 5 times on I-20. At the 6th stop, the pump said ‘see cashier’.

  10. BigMackke

    I always use a certain web based email account when ordering online, to prevent spamming of one of my ISP email accounts and more important web based accounts. I don’t trust them, even when they claim they don’t sell, etc. your given email address. Fraudsters should face very serious penalties for stealing people’s money. Take someone’s money and you’re negatively impacting every facet of their life. This even leads to family breakups and/or suicide in some cases. I truly despise these parasites. If I could get away with it, I’d be tempted to liquidate these scum.

  11. Cassandra

    “Based on the combined results of these tests, MaxMind’s service will assign a “fraud score” from 0 to 100, indicating the service’s best guess about whether the transaction should be allowed or declined. In the example from the screenshot above, it’s not clear why the service assigned such a high fraud score (96.84) to the transaction in question — perhaps because the service could not identify the bank that issued the card used in the transaction and determined that it was a prepaid card.

    Prepaid cards are a favorite investigative tool of academic researchers and fraud investigators working on behalf of brands whose trademarks are often abused in spam-advertised goods (think pirated software, designer goods and knockoff name-brand prescription drugs). As such, dodgy businesses that sell products advertised via spam tend to look askew at transactions made with prepaids.”

    This explains why fraudcheck.cc would want to block use of prepaid cards, but not why MaxMind would. Legitimate online vendors have no reason to care if a card is prepaid or not. If the card (number) was fraudulently obtained, it won’t trace back to the scammer whether it has a BIN or was prepaid — it will trace back to the rightful cardholder if it has a BIN. Also, the fraudster probably got whatever card number he could get his grubby mitts on.

    At the same time, this and other policies of MaxMind seem like they would inconvenience a ton of legitimate online purchasers.

    1. Lots of people use free webmail, even as their primary account, often so that their mail can be accessed from anywhere and any device, or simply because the price is right.

    2. Lots of people use free webmail throwaway accounts for each one-off interaction with a website, to reduce the risk of exposing their main email to spam! Irony here.

    3. Prepaid cards make it possible for people with poor credit scores/no reliable income, who are ineligible for actual credit, to make Internet purchases. Itinerant workers, the unemployed, and others in the “underclass” who comprise as much as 16% of the American population. Sure, these people don’t tend to have very much money, but when they do, it’s as green as anyone else’s.

    4. There’re also people who just don’t want debt, or consider usury immoral, and just want to buy something online on a debit-like up-front basis instead of on credit.

    5. Prepaid cards are, ironically, one of a consumer’s best tools for protecting against fraud. Loading a prepaid card with $10 to order a $9.96 widget ensures that the most they can conceivably lose is $10 if the merchant is a scammer or the card number leaks to blackhats. If they use a “real” credit card, they could be liable for up to $50 of fraudulent charges — five times their risk with the prepaid in this instance — and that’s if they can make a solid case that they were ripped off. Being out fifty bucks is close to the *best* case scenario. The *worst* case scenario is a giant debt they can’t convince the banks shouldn’t be theirs, and a wrecked credit score. Remember: once they have your money (or think you owe it), it’s an uphill battle to claw it back. Much better to lose $10 than to lose $40,000 and have to fight to get back $39,950 of it.

    6. Prepaid cards also protect a consumer’s exposure to shady practices that may not be bright-line fraud, such as evergreening charges, as well as fraudulent misuse of credit card numbers given for non-payment reasons, such as because some site demanded it as proof of identity or similarly (which they really shouldn’t, but it happens). A prepaid card with a buck and change left on it is perfect for one of these things, or for signing up for 90 days of free whatever without any danger that they’ll “forget” you told them to cancel and start billing you after the 90 days. (AOL, anyone? Back in the day, they were infamous for this.)

    But, of course, many of the reasons for using prepaid cards and *all* of the reasons for services like MaxMind stem from one really egregious mistake made by the whole e-commerce infrastructure: relying on knowledge of a shared secret, the “credit-card number”, to authenticate transactions. They should have developed a public-key based system instead, where to authenticate a transaction you prove you know the private key for some e-bank account (without disclosing that key to anyone, even a merchant).

    Ideally, we’d have an e-commerce system built around an “e-checkbook”. You’d get one with a checking account. It would consist of a USB dongle-like device with a small display screen, and would be a trusted hardware device, not reprogrammable once initialized and sealed by the bank — so, impossible for malware to infect, even if plugged into an infested home computer.

    Websites could ask the browser to perform a transaction; the browser could detect if the device was plugged in and prompt the user to attach it if it wasn’t.

    The website would query the device and get a bank URL and public key, then query the bank. The bank would issue a “check number”, encrypted with that key. The website would send this to the device. The device would light up with some information about the transaction (especially, the dollar amount and payee) and the user could accept or decline. Accepting would result in it writing an “e-check” in the same amount that it had displayed, payable to the payee, and signing it with its internal signing key. The check would have the bank’s issued “check number” as well, which the device internally decrypted and incorporated into the check. The check number prevents the merchant or an eavesdropper using a replay attack to ding the account for several copies of the same fee, as the bank will decline further transactions attempted using the same account and check number.

    The website then sends the e-check to the bank, which clears it quickly if the funds are available and tells the merchant site, which then considers the charge successful.

    The above scenario prevents several attacks.

    1. Eavesdroppers cannot discover the account’s private key. Of course, SSL now stops them discovering the account’s *secret* key (credit card number), so no change there.

    2. Merchants also cannot discover the account’s private key. (Contrast with the above.) So, they can’t abuse it or inadvertently leak it by getting hacked.

    3. Transactions cannot be replayed, due to the check number (uniquely issued by the bank per transaction+account).

    4. The merchant cannot deceive the user as to the amount being charged. The device is a sealed, trusted hardware unit that cannot, by the bank’s construction of it, show one amount while signing an e-check in a different, larger amount. Whereas a present-day website can say something is $9.99 but charge your card $999. Thus, the user can decline any larger-than-expected transaction and can be assured they’re risking no more than what it says on the LED readout on their dongle.

    5. If they regularly do business with site X, they can familiarize themselves with how that shows on the device’s readout as the “payee” of the e-check. A MITM attack aimed at intercepting a user’s transaction initiation and substituting their own, in the same amount, to a different payee will then be detectable by the user. Spoofing the payee field won’t help the attacker as it would result in the money going to the user’s intended payee instead of to the scammer! As this is the actual payee field of an actual (though electronic) check, and is what determines who the bank sends the money to.

    Such a device could ideally be used from any machine, securely — your home computer (even if infected by malware), a public computer (library, cybercafe), and even could replace the little card reader terminals in shops — they could provide a USB port you could plug into to do a debit-style purchase in-store, and be no more able to scam you than a website.

    The user has to trust far fewer parties in such a setup. Instead of the merchant, every merchant they’ve ever done business with, the merchant’s site’s hacker, everyone he sells the card numbers to, *and* the bank, she need only trust her bank. Encryption prevents anyone impersonating her transaction authorizations to her bank or vice versa. Credit, where desired, can be added by way of an e-account with overdraft or credit-card-account-like properties, instead of being the default.

    Recurring payments can be paid, but the user has to separately agree to each payment in turn; sites/services can provide a window in which to pay (or just a deadline, with any amount of prepayment in advance allowed) before service is cut off, and issue reminders, but they cannot “evergreen” or do other shady things to part users from their money, nor rely on people forgetting about a quietly-occurring recurring charge for something they’re no longer using to inflate profits at people’s expense.

    Such a system would obviate the need for merchants to use services like MaxMind, as the only way the transaction that goes through could be fraudulent is either through the merchant’s own deception of the user or through the user being actually under duress (e.g. at gunpoint); neither of these two threat models is addressed by services like MaxMind anyway.

    It would also remove the reasons for consumers to use prepaid cards, as by declining any transaction over $10, say, they can limit their exposure to $10 (like loading a prepaid card with $10), and by declining any unexpected transactions they can avoid being dinged by “evergreen” charges or similar shady behavior.

    The user is as assured of control over the transactions conducted in her name as is the user of a regular old paper checkbook, or more given how much harder a properly-implemented digital signature is to forge than a handwritten one. The merchant, in turn, is therefore assured of a much lower risk of chargebacks so long as they don’t scam a customer themselves.

    The system also allows for anonymity (more than paper checks do); the generic merchant has no need of any of the user’s true identity information. Certainly they don’t need it for fraud prevention; if they need it to provide service they can get it separately, via a (secure) web form or whatever, as part of the user interaction. It also doesn’t lend itself to misuse for non-payment purposes, whereas credit cards have become “complected” with several unrelated uses on the internet, and consequently uses that logically should not be reliant on “user has not had a bankruptcy within the past seven years”, for example, end up entangled with such irrelevant criteria, and some sites lose potential customers needlessly, costing them money.

    This site is a recurring litany of massive card number leaks, skimmers being used to get data to impersonate others in transactions, and all manner of other criminality ancillary to or funded by this scamming — money mules, violence of various sorts, malware foisting, etc.

    All of that could be avoided by the proper deployment of PKI using a trusted, private-key-containing device issued to bank account holders, while expanding the availability of e-commerce to at least some disadvantaged people who find that even if they have the money they can’t pay online merchants with it. With malware foisting and all those other ancillary activities rendered unprofitable, much of this crime would evaporate, and with it the collateral damage (malware cleanups, murders, whatever else).

    We, as a society, should begin transitioning to such a system right away. Of course, I said all of this ten or more years ago in various places on the then-fledgling internet, but nobody listened, and now look where we are. Skimmers, hundred-million-card-number leaks and hacks, malware infestations, and other predictable consequences of a shared-secret-reliant authentication infrastructure now abound, with collateral damage ranging from lost data and lost money all the way up to destroyed lives.

    Perhaps *now* people will start listening.
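The flow in the comment above, as an added simulation that is not the commenter’s own code: an Ed25519 dongle signs an e-check over the bank-issued check number, payee and amount, and the bank clears each check number exactly once, so a replayed, altered or unexpected check is refused. It assumes the `cryptography` package and simplifies one step: the bank binds the check number to the device key on its own side rather than encrypting it to the device.

```python
"""Simulation of the "e-checkbook" flow: the device gives the merchant its bank and
public key, the bank issues a one-time check number for that key, the device shows
payee and amount and signs an e-check carrying the check number, and the bank
honours each check number once.  Constructed example; requires `cryptography`."""
import json
import secrets
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PrivateKey, Ed25519PublicKey
from cryptography.hazmat.primitives.serialization import Encoding, PublicFormat


def _canonical(body):
    """Stable byte encoding of the check body so signer and verifier sign/verify the same bytes."""
    return json.dumps(body, sort_keys=True).encode()


class Device:
    """Sealed signing dongle: the private key is generated inside and never exported."""

    def __init__(self, bank_url, approve):
        self._key = Ed25519PrivateKey.generate()
        self.bank_url = bank_url  # what the merchant would contact; the Bank object stands in here
        self._approve = approve   # stands in for the user reading the display and pressing accept

    def public_key(self):
        return self._key.public_key().public_bytes(Encoding.Raw, PublicFormat.Raw)

    def sign_check(self, check_number, payee, amount_cents):
        """Show payee and amount; on accept, return an e-check signed over exactly those values."""
        if not self._approve(payee, amount_cents):
            return None
        body = {"check_number": check_number, "payee": payee,
                "amount_cents": amount_cents, "signer": self.public_key().hex()}
        return {"body": body, "sig": self._key.sign(_canonical(body)).hex()}


class Bank:
    def __init__(self):
        self.accounts = {}    # signer (hex public key) -> balance in cents
        self.issued = {}      # outstanding check number -> signer it was issued to
        self.cleared = set()  # check numbers already honoured; any reuse is a replay

    def open_account(self, pubkey, balance_cents):
        self.accounts[pubkey.hex()] = balance_cents

    def balance(self, pubkey):
        return self.accounts[pubkey.hex()]

    def issue_check_number(self, pubkey):
        number = secrets.token_hex(16)
        self.issued[number] = pubkey.hex()
        return number

    def clear(self, check):
        body = check["body"]
        number, signer = body["check_number"], body["signer"]
        if number in self.cleared or self.issued.get(number) != signer:
            return "declined: replayed or unknown check number"
        try:
            Ed25519PublicKey.from_public_bytes(bytes.fromhex(signer)).verify(
                bytes.fromhex(check["sig"]), _canonical(body))
        except InvalidSignature:
            return "declined: bad signature"  # payee or amount changed after the user approved
        if self.accounts.get(signer, 0) < body["amount_cents"]:
            return "declined: insufficient funds"
        self.accounts[signer] -= body["amount_cents"]
        self.cleared.add(number)
        del self.issued[number]
        return "cleared"


def checkout(payee, amount_cents, device, bank):
    """Merchant side: ask the device for its key, get a check number, collect the e-check, submit."""
    number = bank.issue_check_number(device.public_key())
    check = device.sign_check(number, payee, amount_cents)
    if check is None:
        return "user declined", None
    return bank.clear(check), check
```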

    1. JCitizen

      Wow! You thinking of starting a news service? That was a whole other article you wrote there! :O

    2. TaskForce717

      Cassandra, did not bother reading your article but, Yo Brian Charge by the letter you can retire and belly up to the bar and drink top shelf booze and still hire a private jet to fly ya home. YAP YAP YAP LOL 🙂

    3. Cassandra

      *sigh* It looks like I’m still under the same curse as my namesake. Two snarky responses and no serious ones, and still everyone is using an insecure-by-design method to authenticate online money payment.

      1. Harry Johnston

        With respect, you’re not proposing anything either particularly novel or controversial. (If there had been some gaping flaw in your proposal, you might have gotten a serious response, but there’s not much point in responding to the fairly obvious.)

        There aren’t, however, many obvious ways for any of us to encourage implementation of such a solution. A direct government mandate would be one, but that’s politically unlikely. I think the best we can do is to carry on trying to encourage laws ensuring that as much of the financial risks as possible lie with the banks rather than the customers or the legitimate merchants. The cost to the banks of the status quo needs to exceed the cost of developing a new system before anything is likely to happen.

      2. meh

        When complexity goes up, usability goes down… There may be less fraud potential in that setup but it seems like preventing people from using it at all would be much easier.

        1. Cassandra

          “Usability goes down”? The user experience with the system I proposed would be very similar to using a chip & pin card at a store’s swipe terminal … except you could have such a terminal at home and use it for online shopping. Securely.

          If you’re familiar with making debit/credit card purchases at the store, you’d have no learning curve using this.

      3. nowhereman

        Well, this system already exists. It’s called ‘SMS verification’ 🙂

        1. JCitizen

          SMS can be defeated – there is a new app at the Chrome store for folks that use Android, that creates a class 0 virtual firewall for such problems. At least that is how I understand it from this morning’s cursory reading.

  12. Avi Lambert

    E-Signing and Certifying SSL, and other services to manage data – these are areas where fraud develops, to be sure.

    The entire world of telephony is interesting, no?

    Cables and Wires basically, Servers, Reputations…

    The other comments have been entertaining otherwise.
