Many online businesses rely on automated fraud detection tools to weed out suspicious and unauthorized purchases. Oddly enough, the sorts of dodgy online businesses advertised by spam do the same thing, only they tend to use underground alternatives that are far cheaper and tuned to block not only fraudulent purchases, but also “test buys” from security researchers, law enforcement and other meddlers.
One anti-fraud measure commonly used in e-commerce is the address verification service (AVS), which seeks to verify the address of a person claiming to own a credit card. Some business employ additional “geo-IP” checks, which try to determine the geographical location of Website visitors based on their Internet addresses, and then match that with the billing address provided by the customer.
The trouble with these services is that they can get pricey in a hurry, and they’re often sold by the very companies that spammers are trying to outsmart. Enter services like fraudcheck[dot]cc: This service, run by an established spammer on a semi-private cybercrime forum, performs a multitude of checks on each transaction, apparently drawing on accounts from different, legitimate anti-fraud services. It accepts payment solely via WebMoney, a virtual currency that is popular in Russia and Eastern Europe.
This fraudster-friendly antifraud service does the following analysis:
- Queries the geo-IP location from four distinct sources;
- Calculates the billing ZIP code distance from the customer’s geo-IP coordinates;
- Checks the customer’s Internet address against lists of known proxies that are used to mask an Internet user’s true location, and assigns a “risk score” of zero to 4.2 (the higher the number, the greater the certainty that the purchase was made via a proxy).
- Generates a “fraud score” from 0-100 to rate the riskiness of the transaction (100 being the riskiest)
The bulk of the fraud checks appear to be conducted through [hijacked?] accounts at MaxMind.com, a Waltham, Mass. company that screens more than 45 million online transactions per month for 7,000 companies. MaxMind sells a suite of legitimate anti-fraud solutions, including two specifically called out in the screen shot above (minFraud and GeoIP).
As detailed in this white paper (PDF), MaxMind’s minFraud service checks for a number of potential risk factors, such as whether the customer is using a free Webmail account, or there is a mismatch in the shipping and billing address. It also looks to see whether the customer is paying with a card from a known bank. Failure to identify a “bank identification number” (BIN) — the first six digits of any card — may indicate the customer is paying with a prepaid card and thus trying to mask their identity or location.
Based on the combined results of these tests, MaxMind’s service will assign a “fraud score” from 0 to 100, indicating the service’s best guess about whether the transaction should be allowed or declined. In the example from the screenshot above, it’s not clear why the service assigned such a high fraud score (96.84) to the transaction in question — perhaps because the service could not identify the bank that issued the card used in the transaction and determined that it was a prepaid card.
Prepaid cards are a favorite investigative tool of academic researchers and fraud investigators working on behalf of brands whose trademarks are often abused in spam-advertised goods (think pirated software, designer goods and knockoff name-brand prescription drugs). As such, dodgy businesses that sell products advertised via spam tend to look askew at transactions made with prepaids.
At least, that was one conclusion of an outstanding academic paper, Priceless: The Role of Payments in Abuse-Advertised Goods (PDF), an exhaustive analysis of the payment processing systems deployed by spammers. According to that research, spammers place a huge emphasis on blocking “undercover buys” from researchers and investigators.
“In particular, if they can prevent an undercover buy from producing an authorization then there is no way to tie a Web site selling brand-infringing goods to the merchant account (and hence bank) normally used to process its payments,” the researchers noted.
The researchers, from George Mason University, the University of California, San Diego, and the International Computer Science Institute, found a number of shops that filtered out IP addresses used on previously unsuccessful orders, as well as spam-advertised shops that refuse to process payments on credit cards with particular BINs.
“Similarly, we have identified distressed programs that use IP geo-location to specialize payment options,” to weed out purchase from certain countries, the researchers found. “All of these techniques raise the stakes for undercover purchasing since it again creates an increased “cover burden” for IP diversity, geographic diversity, BIN diversity, name diversity, etc.”
Damon McCoy, an assistant professor of computer science at GMU and one of the authors of the study, said fraudcheck.cc is indicative of a trend in underground businesses.
“We have seen a growing trend from these underground shops indicating that they are likely investing in increasingly sophisticated fraud checking systems and also employing a second line of defense by hiring people to manually check suspicious orders,” McCoy said. “They are becoming more willing to turn away some real customers to limit their risk of accepting a test purchase that might result in large fines.”
Fraudcheck[dot]cc is yet another example of a fraudster-friendly service that appears to be built on the back of compromised accounts at legitimate information services. Other examples include reshipping schemes that take advantage of carded and hijacked accounts at postage vendors; mass domain name registration services; money mule scams that find new hires using hijacked employer accounts at major job search sites; and identity theft services that pull data directly from major consumer data aggregators.