Sept. 23, 2022 — A massive operation that has reportedly siphoned millions of USD from credit cards since its launch in 2019 has been exposed and is considered responsible for losses for tens of thousands of victims.
The site operators, thought to originate from Russia, operate an extensive network of bogus dating and customer support websites and use them to charge credit cards bought on the dark web.
This way, the charges appear legitimate, and the websites are not readily approving fund returns on the grounds of fraudulent transactions, resulting in the enrichment of the crime syndicate behind the operation.
The discovery and report about the global operation come from researchers at ReasonLabs, who shared their findings with BleepingComputer before publication.
Massive website network
The operation uses two kinds of domains that serve as the basis of the operation, namely, dating sites and customer support portals.
When visiting the websites for the companies of some of these alleged dating sites, we found that the corporate sites did not exist or had non-existent email addresses, such as ‘[email protected].’
Although functional, these sites don’t receive noticeable traffic and are ranked very low in Google Search results, as the purpose of their existence isn’t to draw victims but allegedly to serve as money laundering channels.
ReasonLabs says the sites have the same HTML structure and content, so they appear to have been created by automated tools. According to ReasonLabs, the customer support portals either use a fake entity’s name or design their sites to resemble real brands like McAfee, ReasonLabs, and other firms.
“In addition, many of the support sites are designed with colors and logos to impersonate the brand. A big part of the operation is getting as many gray charges as possible before a consumer contacts support or their CC company,” Andrew Newman, CTO and Co-Founder of ReasonLabs, told BleepingComputer.
The operators also appear to have made a greater effort to hide the 75 support portals from search engine indexing, using anti-crawler instructions in Robots.txt (“disallow all”).
Payment processing and charging
The biggest obstacle of the operation is registering these sites as payment acquirers with processors, who typically classify them as “high risk” even when they’re legitimate due to the category having high charge-back percentages.
To avoid being blacklisted, the researchers say that each website applied individually to avoid losing them all at once in case fraud is revealed in any of them.
As for producing proof of legitimacy, all of the sites feature a 24/7 support chat and a working telephone line, outsourced to a genuine support center provider. Furthermore, all sites list a toll-free number for “subscribers” if they want to cancel a payment, which is typically not found in fraudulent sites.
Once the payment processors approve them, ReasonLabs believes the operators tap on the pool of millions of stolen payment cards on the dark web (CC dumps), and charge them on the sites. ReasonLabs noticed that most of the cards used in operation belong to people in the United States, but they also bought cards from French-speaking countries.
The charging takes place either by using an API or manually, while the site operators are very careful not to trigger anti-fraud alarms and also to extend the time before the victim realizes the charges.
They charge small amounts, use generic names that might blend with the victim’s spending habits, use recurring payments with the same amount, and avoid performing test transactions.
Finally, the operators use the incorporated “cancel subscription” system to charge the customers back in some cases, thus artificially reducing the charge-back rate and making their operation appear authentic.
All these combined tactics have enabled this operation to last for so long without being discovered, making tens of millions in USD by charging small amounts from many people.
Unfortunately, BleepingComputer has randomly tested several of the 275 fake websites listed in the ReasonLabs report, and they are all online at the time of writing. However, this may change soon, as ReasonLabs says they have reported the sites to payment processors and law enforcement.
“We have reported the entire scam to over 1 dozen parties that were one way or another touched by it. This includes payment providers Visa and Mastercard, in addition to numerous other services such as AWS, GoDaddy, all the various registrars,” explained Newman.
“We are also reporting the scam to Fraud.org, a project of the National Consumers League (NCL), a nonprofit advocacy organization based in Washington which shares consumer complaints with a network of more than 200 law enforcement partners.”
A full list of the sites can be found in ReasonLabs’ report.
Courtesy of Bill Toulas, BleepingComputer.com
(Oct. 1, 2021) Credit unions may begin submitting data on credit card agreements with their members, and applying data submission requirements, to the CFPB’s website for collecting credit card information, NCUA said this week.
In a “regulatory alert,” the agency said credit unions may begin submitting data to the bureau’s “Collect” website using submission deadline dates of:
- Feb. 14, 2022, for terms of credit card plans (TCCP) survey data;
- Jan. 31, 2022, for quarterly credit card agreement submissions;
- March 31, 2022, for annual reports related to college credit card marketing agreements and data.
On Aug. 20, the consumer bureau issued new technical specifications for complying with credit card agreement and data submission requirements under the Truth in Lending Act (TILA) and the Credit Card Accountability Responsibility and Disclosure (CARD) Act of 2009. In the specifications, the bureau said all submissions would be made via the agency’s Collect website beginning in January.
The Collect website has been available since July 2018 for those participating in the semiannual TCCP Survey. According to the bureau, 83% of survey submissions early this year were made via Collect.
NCUA, in the letter, reminded that credit unions selected to participate in the TCCP Survey or are required to submit an annual report of college student credit card agreements can register now. Any credit union with 10,000 or more credit card accounts as of any quarter-end is required to make quarterly credit card submissions to the CFPB, the credit union regulator said, and must register for Collect by Nov. 1, 2021.
“Once a credit union receives its login credentials, it will be able to review its current submissions and make the required submissions for the fourth quarter of calendar year 2021 starting on Dec. 1, 2021,” NCUA said.
LINKS:
(Aug. 13, 2021) Just a reminder that state credit union examiners from around the country can participate in Monday’s (Aug. 16) Kentucky Examiner School, developed to help examiners build skill sets and enhance their knowledge around a core area of topics. The program starts 9 a.m. and runs until 4 p.m., ET; cost is $200 for NASCUS member examiners. See link below for registration information … Credit card account limits declined overall during the COVID pandemic – the largest declines being for high-credit-score borrowers – though a spike in account closures early in the pandemic began a decline after May 2020 that continued through at least May 2021, the CFPB said this week. According to the bureau, credit limits for prime and near prime borrowers broke with their previous upward trend and largely flattened out beginning in March 2020; they began to grow more quickly beginning in February 2021. At the other end of the credit spectrum, the bureau reported, credit card limits for subprime and deep subprime borrowers changed little during the pandemic.
LINKS:
Agenda, registration, KY Examiner School Virtual Event
Credit card limits are rising for most groups after stagnating during the pandemic
(April 2, 2021) Seven policy statements issued in 2020 from late March to early June that provided temporary flexibilities to financial institutions in the areas of consumer mortgages, credit reporting, credit cards, and prepaid cards are rescinded as of April 1 (Thursday), the Consumer Financial Protection Bureau (CFPB) announced this week.
The bureau also said it was rescinding its 2018 bulletin on supervisory communications and replacing it with a revised one describing its use of matters requiring attention (MRAs) “to effectively convey supervisory expectations.” That new bulletin, 2021-01, states that “effective immediately,” the bureau will no longer use “supervisory recommendations” in these communications.
“We are now over a year into the disruptive and deadly COVID-19 crisis. The virus has affected industry as well as consumers, but individuals and families have been hardest-hit by the pandemic’s health and economic impacts,” said CFPB Acting Director Dave Uejio. “Providing regulatory flexibility to companies should not come at the expense of consumers. Because many financial institutions have developed more robust remote capabilities and demonstrated improved operations, it is no longer prudent to maintain these flexibilities. The CFPB’s first priority, today and always, is protecting consumers from harm.”
The rescinded policy statements were issued between March 26 through June 3, 2020, and temporarily provided financial institutions with flexibilities regarding certain regulatory filings or compliance with consumer financial laws and regulations. The bureau said the rescissions “reflect the Bureau’s commitment to consumer protection, and the fact that financial institutions have had a year to adapt their operations to the difficulties posed by the pandemic.”
The bureau, in its release, included links to each policy statement rescission notice and the new MRA bulletin.
Rescission of Statement on Bureau Supervisory and Enforcement Response to COVID-19 Pandemic (March 26, 2020)
Rescission of Statement on Supervisory and Enforcement Practices Regarding Quarterly Reporting Under the Home Mortgage Disclosure Act (March 26, 2020