May 8, 2010

Visa is warning financial institutions that it has received reliable intelligence that an organized criminal group plans to attempt to move large amounts of fraudulent payments through a merchant account in Eastern Europe, possibly as soon as this weekend.

In an alert sent to banks, card issuers and processors this week, Visa said it “has received intelligence from a third-party entity indicating that a criminal group has plans to execute a large batch settlement fraud scheme.”

From the alert:

The criminals claimed to have access to account numbers and the ability to submit a large batch settlement upload to occur over a weekend. Visa does not have any information as to when the fraudulent settlement activity may occur. The criminals claim to have access to a merchant account placed with a bank in Eastern Europe.

Upon receipt of this notification from the third-party, Visa immediately implemented monitoring of large settlement activity for banks located in Eastern Europe. To date, Visa has not seen abnormal or large settlement activity. Visa is continuing to monitor and will alert any affected Visa clients of abnormal activity, if necessary.

Although the source of the information is reliable, the information that Visa has received coming forward so far is limited. Visa suspects that this scheme may be linked to a consortium of online merchants that have been trying to secure processing arrangements after being shut down at several acquirers across many geographies.

Visa said institutions should start monitoring for large or unusual settlement activity, conduct monitoring daily, especially over weekends and long holidays, and review settlement and chargeback activity for high risk merchants and agents.

It’s unclear why banks wouldn’t already be looking for unusual settlement activity and conducting daily monitoring, but there it is. At any rate, “high-risk” merchants generally handle the dicey and vicey types of online commerce, such as Internet gaming, adult Web sites, rogue anti-virus software sales and online pharmacies. Might be a good idea to keep an extra close eye out for these types of unauthorized charges over the next few days.
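The monitoring Visa asks for above (daily review of large or unusual settlement batches, with extra attention on weekends and on high-risk merchants and their chargeback activity) is easy to sketch in code. The following Python is an added example, not text from the alert and not any bank's or Visa's production code: it compares each weekend batch against a merchant's trailing median, applies an absolute ceiling, a first-batch check for merchants with no settlement history, and a chargeback-ratio check, then escalates anything that settled on a weekend or under a high-risk merchant category. The settlement records are constructed in memory; the field names, the dollar and ratio thresholds, and the short MCC list are all assumptions for illustration, not Visa's official values.

```python
"""Weekend batch-settlement monitor.

Added example, not Visa's alert text or any bank's production code.  The
settlement records below are constructed in-memory samples; a real deployment
would read acquirer settlement and chargeback feeds.  Field names, thresholds
and the high-risk MCC list are assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import List, Optional

# Assumed high-risk merchant category codes (illustrative subset, not an
# official Visa list): gambling, pharmacies, adult/direct-marketing content.
HIGH_RISK_MCCS = {"7995": "gambling", "5912": "pharmacy", "5967": "adult/direct marketing"}

# Illustrative thresholds; tune to the portfolio being monitored.
SPIKE_MULTIPLIER = 5.0       # batch larger than 5x the merchant's trailing median
ABSOLUTE_USD = 250_000.0     # any single batch at or above this amount
NEW_MERCHANT_USD = 10_000.0  # a first-ever batch at or above this amount
CHARGEBACK_RATIO = 0.01      # chargebacks / sales, by count, over the window


@dataclass(frozen=True)
class Batch:
    merchant_id: str
    mcc: str
    settled: date
    amount_usd: float
    sales_count: int
    chargeback_count: int


@dataclass(frozen=True)
class Alert:
    merchant_id: str
    severity: str
    reasons: List[str]


def trailing_baseline(history: List[Batch], merchant_id: str, before: date) -> float:
    """Median daily settlement amount for the merchant before the given date."""
    amounts = [b.amount_usd for b in history
               if b.merchant_id == merchant_id and b.settled < before]
    return median(amounts) if amounts else 0.0


def chargeback_ratio(batch: Batch, history: List[Batch]) -> float:
    """Chargebacks per sale, by count, over the history plus the current batch."""
    own = [b for b in history if b.merchant_id == batch.merchant_id] + [batch]
    sales = sum(b.sales_count for b in own)
    chargebacks = sum(b.chargeback_count for b in own)
    return chargebacks / sales if sales else 0.0


def evaluate_batch(batch: Batch, history: List[Batch]) -> Optional[Alert]:
    """Return an Alert if the batch looks like large or unusual settlement activity."""
    reasons = []
    base = trailing_baseline(history, batch.merchant_id, batch.settled)
    if batch.amount_usd >= ABSOLUTE_USD:
        reasons.append(f"absolute: ${batch.amount_usd:,.0f} >= ${ABSOLUTE_USD:,.0f}")
    if base == 0.0:
        if batch.amount_usd >= NEW_MERCHANT_USD:
            reasons.append("no prior settlement history for merchant")
    elif batch.amount_usd > SPIKE_MULTIPLIER * base:
        reasons.append(f"spike: {batch.amount_usd / base:.1f}x trailing median ${base:,.0f}")
    ratio = chargeback_ratio(batch, history)
    if ratio > CHARGEBACK_RATIO:
        reasons.append(f"chargeback ratio {ratio:.2%} > {CHARGEBACK_RATIO:.0%}")
    if not reasons:
        return None
    # Escalators: the alert singles out weekends/holidays and high-risk merchants.
    escalators = []
    if batch.settled.weekday() >= 5:
        escalators.append("weekend settlement")
    if batch.mcc in HIGH_RISK_MCCS:
        escalators.append(f"high-risk MCC {batch.mcc} ({HIGH_RISK_MCCS[batch.mcc]})")
    severity = "high" if escalators else "medium"
    return Alert(batch.merchant_id, severity, reasons + escalators)


def review_batches(batches: List[Batch], history: List[Batch]) -> List[Alert]:
    """Run every incoming batch through evaluate_batch and keep the hits."""
    return [a for a in (evaluate_batch(b, history) for b in batches) if a is not None]


# Constructed sample data: ten weekday settlements before the May 8-9, 2010 weekend.
WEEKDAYS = [date(2010, 4, d) for d in (26, 27, 28, 29, 30)] + \
           [date(2010, 5, d) for d in (3, 4, 5, 6, 7)]
HISTORY = [
    Batch("M-1001", "5411", day, amt, 400, 1)   # grocer, steady ~$10K/day
    for day, amt in zip(WEEKDAYS, [9800, 10200, 9900, 10100, 10000,
                                   9700, 10300, 10050, 9950, 10000])
] + [
    Batch("M-2002", "7995", day, amt, 100, 8)   # gambling site, ~$4K/day, 8% chargebacks
    for day, amt in zip(WEEKDAYS[5:], [4000, 4200, 3900, 4100, 4000])
]
WEEKEND_BATCHES = [
    Batch("M-1001", "5411", date(2010, 5, 8), 11_000, 420, 0),    # normal Saturday
    Batch("M-2002", "7995", date(2010, 5, 8), 300_000, 3000, 0),  # 75x spike on Saturday
    Batch("M-3003", "5912", date(2010, 5, 9), 90_000, 900, 0),    # brand-new pharmacy, Sunday
]

if __name__ == "__main__":
    for alert in review_batches(WEEKEND_BATCHES, HISTORY):
        print(alert.merchant_id, alert.severity, "; ".join(alert.reasons))
```

Run as a script it reports M-2002 and M-3003 as high-severity and stays quiet on the grocer. The median baseline is deliberately robust to a single outlier day, which a mean would not be; the absolute and new-merchant checks exist because a merchant account opened only for the scheme has no baseline to spike against, which is exactly the case the alert describes.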

Visa urged institutions and processors that in the event that they detect this type of fraudulent activity, “immediate action must be taken to investigate, limit the exposure of cardholder data, notify Visa, report investigation findings, and inform your local FBI office or local law enforcement.”


17 thoughts on “Visa Warns of Fraud Attack from Criminal Group”

  1. Gannon

    “It’s unclear why banks wouldn’t already be looking for unusual settlement activity and conducting daily monitoring, but there it is.”

    Um, yeah. I trust your implied question is rhetorical, BK. You see it’s these evil Icebergs … they sneak up on ships in the dead of night and attack. Look what happened to the Titanic!

  2. Jane B

    I gather from the last paragraph that this applies to North America (FBI), too.

    I guess what I don’t understand is how this would work. Would it apply to using Visa anywhere, or just on the internet?

    And is this a warning to look at our credit card statements for that type of ‘risky’ purchase, or does it warn people who make those purchases?

    1. MGD

      “I gather from the last paragraph that this applies to North America (FBI), too.”

      Primarily to North America, though it is applicable to western Europe also.

      .. “I guess what I don’t understand is how this would work. ..

      It works by criminals processing fraud charges against large volumes of stolen/hijacked card data which they have hacked/acquired. Merchant accounts are then set up and used to process the fraud charges and receive the illicit funds.

      Existing nefarious entities such as those mentioned by Brian, can also be used to filter in stolen card data for bogus purchases, and sharing the proceeds. A more common tactic is to use those systems to process stolen card data and the thieves earn the affiliate referral fee as the proceeds.

      ..Would it apply to using Visa anywhere, or just on the internet..

      Though the alert is issued by Visa it applies to all cards processed through the VISA /MC network, Amex is a separate and proprietary network.

      It doesn’t apply to using the card, it is a “Heads Up” alert to processors and card issuers to be on the lookout for large amounts of card fraud processing.

      It is primarily a cyber crime operation as the fraud charges are processed as CNP (Card Not Present) transactions, usually for intangible items coming from internet based merchant accounts.

      .. “And is this a warning to look at our credit card statements for that type of ‘risky’ purchase, or does it warn people who make those purchases….

      You should always check your statements for fraud charges, which is what the alert is about. Though the risk is higher if you use the card online, you are not immune to them on cards used only at B&M locations.

      MGD

  3. MGD

    …”Visa is warning financial institutions that it has received reliable intelligence that an organized criminal group plans to attempt to move large amounts of fraudulent payments through a merchant account in Eastern Europe, possibly as soon as this weekend.”

    Translation:

    For organized cybercrime this weekend will be no different than usual, other than a slight uptick in fraud processing and money laundering due to mandatory overtime. The result of their failure to meet the required monthly KPIs for April.

    Clearly the informer does not have the privilege of listening in on the intelligentsia of organized cyber crime. Moving “large amounts of fraudulent payments” through a single merchant account has been passé for some time. Current SOP is that “large amounts of fraudulent payments” are distributed over a network of bogus merchant accounts, and are rarely detected at any level within the system. A tried and true long term successful solution, and there is an “App” for doing that. Routinely done and hardly raises an eyelid within the system.

    The fact that the system is still inherently reactive rather than proactive is another indicator that the processing system is still in version 1.0 mode, a spectator sport, versus global organized crime’s version 3.0.

    To this day there is no way to globally block at the merchant level the mass injection of fraud processing from cyber crime. It is up to each individual bank to block or flag a merchant charge at the inbound gateway on the receiving end, even if it is known to be an absolute fraud operation. The acquiring bank has to be located and contacted in order to cut off the merchant account.

    The lack of ability to globally block accounts within the system is a serious impediment in tackling organized cyber crime.

    Since early 2009 word on the street out of Europe has been that organized cyber criminals have been investing large amounts of the fraud proceeds of crime into bank ownership. The last weak link in the chain for these criminals has been the ability to be cut off and blocked by the acquirer banks. Owning a bank solves the problem, you can then play fake whack-a-mole with your own acquirer accounts every 90 days or so.

    The reliance on charge back threshold flags as a primary vector in detecting a merchant fraud operation is last decade’s technology. As an organized cyber crime entity, how much of an operational disturbance is it to only be able to run $200K+ 100% fraud through each account before hitting the chargeback flag threshold?

    The widely reported $40 million a month generated from the fake anti virus fraud is another example of the impotence within the system. The fake AV processing accounts qualify as shoot on sight, yet the massive fraud operation has been running for how many years now, virtually undisturbed. Every account that is set up to process fake AV payments contains multiple fraud criteria indicators that should pro-actively flag it before it ever gets off the ground.

    MGD

    1. Emily

      High fraud losses are used by banks to justify gouging all cardholders, so the banks profit from the fraud.
      In 1983, insurance companies started overpaying all claims in order to justify massive rate raises, which created greedy hospitals and doctors who got used to the overpayments. The situation escalated to the crisis of the past two decades in which everyone loses.

  4. JCitizen

    Thanks Brian! I’ll keep on eye on my accounts over the weekend!

  5. PJ

    I purchased a T-Mobile ‘to go’ phone refill card last week on-line, and had to call them back and go through a ‘public records verification quiz’ just to get the darn minutes on my phone.
    Is it misplaced effort to force a 10 minute phone interrogation just to spend $100 with T-Mobile, while the syndicates move million$?

    1. Sallaia

      PJ, as a financial industry employee I can answer why that transaction got flagged. Criminals with stolen card data love purchasing prepaid phones and minutes. They also frequent iTunes and even Walmart (a good source of gift cards). Our debit card monitoring has to constantly flag these seemingly innocent merchants (usually depending on amount and/or time compared to usual activity) due to the criminals trying to make their transactions look as normal as possible.

  6. Steve

    $40 million a month generated from the fake anti virus fraud

    A month?

    P.T. Barnum apparently nailed it.

    1. Patrick

      Too harsh.

      Professional antivirus hasn’t kept up with the morphing threatscape, nor have the benevolent mass producers of security holey software, operating systems and browsers/readers included.

      1. JCitizen

        Patrick;

        I disagree; the code changes in some of the best security software has been more dramatic in just the past 6 months than I’ve seen in the past two years!

        Some cloud based companies have gone to what is apparently a mode to fight fire with fire. They install like – and act like a root-kit so they can deal with the malware on the same level as some of the nastiest crack-ware on the web.

        Everything from using virtualization to complete kernel changes on their heuristic engines has completely changed the landscape on the good guy’s side of the equation.

        I’ve seen the most dramatic changes in four of these companies; Comodo, MBAM, Alwil, and Lavasoft.

        Malwarebytes Anti-Malware has had several kernel changes in just the last three months!!

        So far – as long as I keep all applications updated; my various defenses are winning in the honeypot war; and my RAM usage has dropped half a gigabyte!

        1. Patrick

          I cannot argue that the companies you mention have made great strides, what I am against with the too harsh phrase is the blame the user attitude when many users have tried to keep abreast with current AV solutions and other product updates too.

          The enterprise I work for has had fake AV pop up, right past all of the high tech unmentionables that we thought were keeping us safe. They were ineffective against the morphing threatscape.

          Glad to hear the good changes talk, but it remains propaganda imo.

          1. JCitizen

            All I know, is that in my honey pot, they work. I’m not being paid for this, and they are all freely available, so I have no ax to grind.

            My only gripe is with Comodo not being compatible with MPAA ruled DRM. Hollywood must be allowed to spy on me if I want to enjoy their entertainment. If you block it, the blu-ray, or media center shuts down.

  7. Lucas

    The intended audience would be credit card issuers worldwide and merchant acquiring banks and processors in Europe.

    It doesn’t say where the card data was stolen from, but it was probably purchased on the black market. Could have come from anywhere. That’s why card issuers need to be on alert for suspicious transactions.

    Because the merchant account is supposedly setup in Europe, banks and processors in Europe need to be on the lookout for suspicious batch settlements. I wonder though if that info was a decoy? But then why bother when everyone was already at a baseline level of alertness?

    The criminals have basically shot themselves in the foot if it isn’t false info. Having access to a merchant business account to perform settlement doesn’t mean they instantly have money in pocket or a tangible item purchased that can be sold. They still need to get the money received and launder it. The Visa alert should make it a non-event since all the charges can be reversed before the criminals get their hands on the money.

  8. Rob

    Ooh, this is neat. Visa sent this out as a confidential notice, so it looks like Krebs has a few informants in the industry… That I like.

    The financial world is a weird one, it’s nice to see some sunlight and transparency on these issues: most people don’t know they exist.

  9. Johnny Lunchbucket

    You’re on to something very ugly. Credit card bustout schemes cost banks in the hundreds of millions each year; the funds being stolen are going to organized Pakistani gangs (aka terrorists), Armenian gangs, and now Eastern European gangs (aka Nation States). Credit card acquirers pass on the expenses in the form of high interchange fees that are eventually absorbed by businesses and consumers. Stolen cards and ID theft are used to ring up the fraudulent sales at fly-by-night businesses. The money is moved out before the charge-backs and charge-offs are discovered. A much bigger problem exists here. There is a bill in Congress now that may help.
