Laundering the spoils from cybercrime can be a dicey affair, fraught with unreliable middlemen and dodgy, high-priced services that take a huge cut of the action. But large-scale cybercrime operations can avoid these snares and become much more profitable when they’re able to disguise their operations as legitimate businesses operating in the United States, and increasingly they are doing just that.
Today’s post looks at one such evolution in a type of service marketed to cybercrooks that has traditionally been perhaps the most common way that thieves overseas “cash out” cybercrimes committed against American and European businesses, banks and consumers: The reshipping of goods purchased through stolen credit cards.
Cybercrooks very often rely on international reshipping services to help move electronics and other goods that are bought with stolen credit cards, shipped abroad, and then sold for cash. Many fraudsters use stolen credit cards to pay for U.S. Postal Service and FedEx shipping labels — a.k.a. “black labels” — but major shipping providers appear to be getting better at blocking or intercepting packages sent with stolen credit cards (at least according to anecdotal evidence from the cybercrime forums).
As a result, crooks increasingly are turning to a more reliable freight: So-called “white label” shipping services that are paid for with cybercrime-funded bank accounts via phony but seemingly legitimate companies in the United States.
CASHING OUT
In the case of a breach at an online merchant that exposes the card number, expiration and card verification value (CVV), the compromised card numbers typically are used to purchase high-priced electronics at online stores that are known to be “cardable” — that is, the stores will ship to an address that is different from the billing address.
In the case of “card present” breaches (such as those that have hit Target, Neiman Marcus, P.F. Chang’s and others) — where attackers use malicious software to compromise cash register transactions and gather data that can be used to fabricate new cards — fraudsters employ teams of “runners” who use the card data to create counterfeit cards and buy high-priced merchandise at big box retailers.
In either card-present or card-not-present fraud, one of the most lucrative ways for fraudsters outside of the United States to cash out stolen credit cards is to have carded goods shipped overseas, where electronics and other luxury items typically sell for a much higher price than in the United States (think new iPads and iPhones).
The hardest step in this whole process is successfully getting the goods out of the United States, because a large percentage of retailers simply refuse to ship to areas like Russia and Ukraine due to high rates of fraud associated with those regions.
Traditionally, fraudsters get around this restriction by turning to reshipping services that rely on “mules,” people in the United States who get recruited to reship packages after responding to work-at-home job scams. These reshipping mules are sent multiple packages containing electronics that have been purchased with stolen credit and debit cards. They’re also sent prepaid and pre-addressed shipping labels, and the mules are responsible for making sure the goods are reshipped quickly and accurately.
Over the past year, however, more and more users of reshipping services advertised in the cybercrime underground have reported problems with a greater share of their packages being intercepted or canceled. Apparently, the shipping companies are getting better at detecting shipping labels that are paid for with stolen credit cards and hijacked accounts.
LABEL CITY
Enter LabelCity, a “white label” service that advertises “corporate rates” for shipping Priority Mail International through the U.S. Postal Service (USPS) — rates that come in slightly below the rates that the USPS charges retail on its shipping calculator.
“Our service provides 100% guarantee on delivery of the goods. Return of funds to 30 days,” the proprietor of LabelCity promises in an online advertisement. “We started doing white labels (i.e., cash disbursed-for)! Our labels are made automatically through the admin panel, and automatic replenishment! Our corporate rates will surprise you, minus 15-20% of the price of USPS!”
Services like LabelCity explain why reshipping operations remain among the most popular methods of cashing out many different forms of cybercrime: Buying luxury goods that can be resold overseas at a significant markup amplifies the fraudster’s “profit.”
Take, for example, the scourge of IRS tax refund fraud, an increasing form of cybercrime that has been documented extensively on this blog. With refund fraud, the IRS is tricked into sending the fraudsters prepaid credit cards that can be used like cash. But rather than merely pulling the cash from those cards out of ATMs all around the world, it makes more sense for the crooks to take that cash and reinvest it into purchasing goods here in the United States that can often sell for twice the purchase price in countries like Russia and Ukraine.
LabelCity is a great reminder that cybercrime is seldom an isolated event or a single-victim crime: Much of it is connected in some way. In most cases, one fraud begets another, and thieves — particularly those perpetrating such crimes from across international borders — often string together multiple forms of fraud in a bid to extract maximum value from their activities.
Update: In case there was any confusion, the LabelCity mentioned in this story is not the same thing as the legitimate e-commerce site LabelCity.com.
How can they possibly be 15% to 20% cheaper than money-hemorrhaging USPS?? If that’s correct, they should just start up as a legitimate company! Perhaps this is robbers swindling thieves?
FedEx and UPS both give business/bulk discounts.
The only reason they are losing so much money is because Congress forced them to: http://business.time.com/2013/02/07/how-healthcare-expenses-cost-us-saturday-postal-delivery/
And don’t forget UPS and FedEx would very much like that Saturday delivery advantage and cheaper rates of the USPS to go away…
I sometimes send packages to a friend in eastern Europe. I use a reshipper in NYC who charges, at most, half the rate of USPS and UPS. He runs a legitimate business and my friend even gets whacked with import duties paid directly to the local customs service. I’m not sure how he does it – I think he’s aggregating packages to the same area, and shipping them to the same receiver, who then runs everything through customs and a local delivery company. However they do it, it’s substantially cheaper than the regular shipping companies, while only taking a few days longer.
The starting discount for a commercial account is around 50% – if he does substantial volume he could easily be at 70%+.
I simply stopped using credit cards for anything other than online purchases, long ago. And even for online stuff, I will use “virtual/one-time-use” cards that are promptly invalidated after the order.
Restaurants, supermarkets? Cash. Gas stations? Cash. The occasional pricey item at a big-box store? Cash. It *is* possible to largely stop these frauds. Skimmers are rendered useless, hacked data dumps are useless, etc.
Too many other people don’t think the same way, unfortunately.
This seems like sound practice to me and one that I also recently decided to do myself.
Interestingly you are quite likely not spending the same amount of money when you choose to pay by cash also. When a purchase is made using a card the customer is disconnected from the sensation of losing money that is caused by physically removing cash from their wallet or purse. It has been scientifically quantified that this causes people to spend more as they lose the sensation of losing something. The effect in many cases is not small either in terms of the additional money people will spend once they are disconnected from the “real” money.
This might seem irrational and indeed it is but the mistake is assuming people are rational actors to start with – however we experience ourselves as rational so most people believe they will not behave this way unless you accept that we are indeed irrational creatures.
So now you know why retailers love people to pay by credit or electronically.
I don’t understand this point of view. With a credit card, the consumer has essentially zero liability for fraud, which is mandated by law. If a consumer loses the physical card, they have a certain number of days to report it before they’ll owe some money to the bank if fraud is committed. If however, the card number is stolen without the consumer losing the physical card, they have a significantly longer period where you have no liability. Checking monthly statements and / or setting up alerts mitigates most of the risk in the latter case. For all intents and purposes, the banks carry the liability, not the consumer. There’s a small inconvenience for the consumer during the time it takes to have the card replaced.
If a consumer gets mugged with a lot of cash in their pocket, they’re out that money unless of course, they catch the thief and even then, it’s not too likely.
To me, it seems that people who adopt the “I won’t use a credit card” seem to be protecting banks more than they’re protecting themselves.
My card number has been compromised 3 times in as many years. Financial impact to me… nothing.
That’s my question too. Forget about being mugged, what about simple loss? (Much more common than being robbed for most people.) Losing a credit card means a few days when you can’t use the CC. Losing cash? Sorry, out of luck.
I can see being leery of debit cards. But credit cards offer significant fraud and loss protections to consumers. They are much better than cash. And cash customers have to pay the same price as credit, so they’re essentially subsidizing those protections for cc customers.
Forget even about loss of cash. How does one get the cash? Well, ATM!?
Ah yes, talking about a risk to get skimmed… !!! And then the thief has full access to your checking and saving.
I’ll rather stick to the safe credit card. ☺
On the other side of that argument – I distinctly dislike the idea that my credit card can be entangled into supporting this large crime underground (as shown by Brian, here) – to the point that cash for nearly everything works just fine for me.
The fact that the merchants I use get an additional ~5% (as opposed to the banks) with cash is a bonus. To each his/her own…
Or, you could get that cash by walking into your bank and talking to a real person. There are no skimmers in that process.
This. The consumer is not liable for credit card fraud (well, I think it’s the first $50 or so). On the other hand, if someone jacks your debit card (/information), you’re liable for 100% of the charges.
However, now that the US is moving to chip-and-pin, it’s my understanding that the liability issue is also changing.
The US is moving to EMV, not full-fledged Chip and PIN. Many of the larger commercial banks are sending cards out now and Walmart and Sams Club are accepting them, as they won’t let me use my magnetic strip anymore. Chip and PIN won’t apply to credit cards, as US Banks would classify those as Cash Advances. So ‘mericans would have to use Debit cards to really do Chip and Pin. However, the Banks engineered us as consumers not to input our PIN, because they made more from Visa/MC Interchange than PIN debit, so they billed us $0.25 to $1.00 for PIN transactions. The chip should initially reduce card present fraud, as they have been unable to decrypt the chip, but in time they will. As for the liability shift, if a cardholder has a Chip and the Merchant cannot accept it in a card present situation, the liability goes to the Merchant in October 2015. Any chip based fraud would still reside with the issuing Bank.
JBu92 – consumer liability on debit card transactions in the US is limited to $50 (up to $500 if you notify your bank of fraudulent transactions within 2 – 60 days of becoming aware card was lost or stolen). This is covered under Regulation E. Both MC and Visa offer zero liability for debit transactions that used signature but MC recently extended to PIN debit as well.
Put yourself in the shoes of the merchant. Online order arrives. Cardholder wants shipment to someone across the country. Merchant (happy for the business) complies. 30 days later, a dispute is filed for ‘Unauthorized use’. Merchant tells bank “But the billing address matched”. Bank denies claim, because bank never authorized the shipping address. Merchant is out the shipping cost, the wholesale merchandise cost, and possibly a chargeback fee. Cardholder gets charge wiped off card. Cardholder is happy with bank, but the merchant suffers.
I agree with you, this is a downside of using cash to make payments. There are pros and cons to making payments using either method.
Interesting ways of moving Physical goods – but what about other fraudulent purchases? I recently had over $500 in charges from Expedia and another travel service appear on my CC (immediately canceled). How would these be used for money laundering? Is it reasonable from the crooks’ point of view, to get refunds on masses of unused tickets and/or hotel rooms?
Could be related to – http://krebsonsecurity.com/2012/01/flying-the-fraudster-skies
And still several nations want to blame Bitcoin as “being at the center of organized money laundering”, while apparently cash is totally clean! God-damned bankers and their greed and fear is so obvious it’s laughable.
Another good informative article
Nice work Brian. Lots to follow-up on here for those paying attention.
Where does “LabelCity” advertise? I can understand that you don’t want to provide links (Why provide free advertising for them? Or help out the miscreants who want to use their services?) But how open are they? Are they on underground forums, or do they work more openly than that?
Why would criminals need to go to “white label” services when the major US banks will gladly launder their criminal proceeds for them?
http://www.huffingtonpost.com/avinash-tharoor/banks-cartel-money-laundering_b_4619464.html
Brian wrote “fraudsters get around this restriction by turning to reshipping services that rely on ‘mules'”
Since “money mule” is your term for locals who empty U.S. bank accounts and send the loot to the mother ship in Russia, just use the term “pack mule” in this context.
You’re welcome.
The problem with “not using credit cards online” is twofold: 1) The bad guys often compromise the bank/debit/and credit card hosting service companies themselves, or involved middlemen (e.g. Experian), and 2) Many of the recent biggest compromises are done at the physical merchant. So if you use creditcards/bankcards/debit cards at all, you’re vulnerable.
But hasn’t using cash (with its associated pros and cons) eliminated the risk of the latter scenario occurring?
I terminated my only CC in January. I no longer travel, so I don’t need the hassle. Debit card is used at my local bank ATM only. I’m seeing an extra $1,000.00 + in my bank account each month. Using cash/check I mostly purchase what I need, not what I want.
Card emancipation is a victory.
So how do they get away with the bulk rates and large volume without making a massive traceable target on their backs?
It costs virtually nothing to create a company, or to buy “shelf” companies that have been aged for a year or two. My guess is they have numerous front companies with bank accounts they can use to buy large quantities of labels. USPS is something like $20B in the red, so I’m not sure how much they are going to be looking into companies sending them tons of cash these days.
There’s also the matter of enforcement overload. I remember having a discussion with an acquaintance who works at one of the ISACs; we discussed the interfacing with law enforcement and attorney generals’ offices. Even in cases where investigation is obviously needed and all parties agree, there’s still a lot of inertia simply due to tasks already on everyone’s plates. It’s a sad but true fact that there’s a lot more malicious activity in existence than there is staff to address it.
Add in the fact that some people will purchase labels and put a ridiculously low weight on the package and ship something that weighs a lot more. These items may not fit in flat rate boxes, so they simply lie on the label. They carry it to the post office, wait until the busiest time of the day, and simply place the overweight package in the growing pile of pre-paid packages.
I ship through USPS A LOT. Their rates and shipping is the fastest – and lowest in the USA. Two to three days across the USA. Well worth it. Yes, I’d pay a bit more to get the same service…or Use Fedex…..
They are a LOT better than the
U People Suck in the crap brown truck….
Wouldn’t it create a common point though where you can trace all these fraudulent charges to a single shipper and then trace where the stuff is mailed to or picked up and get them way easier? Seems like this would just make it a lot easier to catch them, unless I’m missing something.
“Laundering the spoils from cybercrime can be a dicey affair, fraught with unreliable middlemen and dodgy, high-priced services that take a huge cut of the action. But large-scale cybercrime operations can avoid these snares and become much more profitable when they’re able to disguise their operations as legitimate businesses operating in the United States, and increasingly they are doing just that.”
I thought this was about Banks based on the opening paragraph.
Many of the reshippers have a legitimate core business and simply augment it by looking the other way with package mule schemes. This augmentation often loops the legitimate reshipper into money triangulation (essentially laundering). Label City will be open to civil or possibly criminal action if it knowingly/willingly abets illicit activities. Yes, there’s more work than can be addressed but law enforcement partnerships with retail organizations allows more to get done; few retailers help, while most won’t. Too many retailers hide behind Terms of Service (TOS) and insist upon being compelled to cooperate which gives bad actors ample time to abscond. If the payment method was a fraudulently obtained device, there should be no customer privacy issue and no TOS protection.
This problem appears to have started with a “hack.” At Target that was traced back to a spearphishing email. What was the hack here?
Brian,
In case you didn’t catch it, your work on paunch is reference 27 in the cisco midyear security report.
Good old shell companies.
So, it’d be really nice for us sys admin and dba type folks to get more information on how this happened so we can do some vulnerability checking… just saying, i understand the vagueness but it’d be really nice to know if our systems are vulnerable :-/
I’ve often wondered about all those reseller outfits you see on Ebay, Amazon, Walmart, etc selling expensive and popular goods. Are they actually reselling merchandise purchased with stolen credit cards? Also you’ll sometimes see something like a $5 item being offered for $1000. If their own syndicate bought the item for $1000 is that a way to launder money into a “legit” company? It just doesn’t make sense to me.
One of the most common and overlooked money laundering systems is often found in plain sight. Used Car lots. In particular the buy here/pay here type. Bad guy 1 goes to the hoopty auto auction, buys some barely running machine for around 1000 bucks cash. He takes it to his “lot”, says, 500 down, 100 bucks a week….in no time he recoups his money…..and to top it off, if he has to repo the vehicle, he can simply resell it! again and again…it’s usually an all cash exercise as most of the folks who have to buy at these lots, don’t have good credit, and don’t have bank accounts.