Ballad about drops, or the evolution from money mule to drop herder (dropovod)

Father

The topic of combating fraud in online banking systems is not new for most readers. Representatives of specialized communities around the world regularly discuss its various aspects, describe in detail the schemes used against victims, exchange data on the amounts of real and potential losses, look for causes and try to minimize the risks and consequences of targeted attacks. Analysts at commercial organizations annually publish reports on the results of their investigations into unauthorized operations in remote banking systems (RBS). Some figures are really interesting, but the lion's share of these estimates, according to information security officers at a number of banks, is somewhat overstated.

But, as usual, behind the billions of dollars in losses and the complex, high-tech attack schemes and algorithms, simple but no less interesting nuances and details of fraud get lost. It is these details that this article discusses.

Carding, phishing, pharming, spoofing, hackers, coders, cryptors, spammers - every year Russian information security specialists adopt new specialized terms. One such word that came into Russian from the English vocabulary is the term "dropper", or, in short, "drop".

The verb "drop" in colloquial English literally means "to throw, to dump, to lower". It perfectly matches the nature of the actions and the role that droppers play in intricate fraudulent schemes.

At its core, a dropper is an intermediate link in a fraudulent chain that allows, at an acceptable level of risk, non-cash funds to be withdrawn from a bank, or goods from a store's warehouse, into an external zone available for further manipulation (cashing out, resale, splitting and further transfer to controlled accounts, etc.).

"Yes, this is plain laundering! Cash-out schemes, combating the financing of terrorism, and so on!" the colleagues from economic security will exclaim, and they will be right. Droppers can be used for cashing out too. The organizers of fraudulent schemes understood long ago that one cannot live on withdrawing criminal money from the accounts of robbed clients alone (RBS hacks do not occur as often as the participants of the scheme would like), so the rest of the time droppers are used, among other things, for cashing out non-cash funds whose origin, when they arrive on the dropper's account, can be most exotic.

From the attackers' point of view, a dropper is a controlled person (today it can be a legal entity or an individual entrepreneur, but this does not change the essence of the term) into whom non-cash funds are "dumped" from compromised bank accounts, or goods ordered from a store in the name of payment card holders, and who then hands them over in person, sends them by mail or transfers them to an accomplice. A distinction is made between duped and non-duped droppers, because the dropper often does not realize that what was received (dumped) on him was obtained in a not entirely honest way.

Duped droppers are those who have been fraudulently dragged into a criminal adventure. People who agree to participate in a fraudulent scheme knowing in advance and understanding the risks of their new profession are called non-duped droppers. Most often they agree to do this on a regular professional basis, forming small communities (dropper networks). It is they who later become drop herders (dropovods), but more on that later.

From the point of view of information security officers at financial organizations, a dropper is an individual or legal entity that is a client of the organization with a valid account (personal or settlement) and remote access to it (RBS, payment card), a resident of a certain area, and the owner of the credentials needed to carry out fraudulent transactions (mobile phone numbers, email addresses, electronic wallets, etc.), to whose details the attackers direct the target stream of unauthorized transfers of money, goods or services from victims' accounts, made using previously stolen (purchased) client details.
In either case, the organizers of the fraudulent schemes offer droppers to take on the risks associated with the transit and cashing out of funds or goods in exchange for a share of the profit.

Among criminals, droppers (individuals) are considered the lowest caste. They most often become: beginners who are just starting to delve into the essence of computer crime and want to quickly gain dubious experience; persons of low social status (alcoholics, drug addicts, homeless people) who are ready to sacrifice their own health and freedom for a one-time income from selling personal data or performing some not entirely legal operation; and students and young people aged 18 to 25 who need a constant flow of funds.

Droppers that are legal entities are enterprises and individual entrepreneurs in a difficult situation (bankrupts, owners of a "failed" business, etc.) who put their organizations up for sale in the hope of getting at least some money before the final closure of their business. There are now many sites on the Internet that offer legal assistance for little money and buy up the documents of troubled organizations on special terms.

A distinction is also made between trusted and untrusted droppers. Trusted droppers are those who have passed the organizers' checks, have repeatedly participated in the schemes and have earned criminal authority. In addition to cashing out, they can carry out other small tasks within their limited competence in the attackers' schemes: act as cover for a torpedo, become a liaison with other droppers, or act as couriers delivering props (payment cards issued to other persons, PIN envelopes, instructions, etc.). Untrusted droppers are all the others, who can always be sacrificed at the right moment to divert the attention of law enforcement agencies from other, more important participants in the scheme. Often the attackers' trusted droppers are people who do not fully understand what they are risking, and for what, when they agree to the drop herder's terms.

In 2007-2009 the term "dropper" meant people who, for a certain fee, gave cybercriminals their plastic bank card (officially obtained from the bank) and its PIN code. Most often this was needed for repeated withdrawals of non-cash funds transferred from outside, at the right ATM of the right bank at the right time.

Historically, in 2005-2007, when plastic bank cards with the ability to buy goods over the Internet in stores in the United States and Europe appeared on the electronic retail market, advanced cardholders began to order imported goods en masse to domestic addresses. Fearing an increase in fraud, the owners of the largest foreign online stores restricted, at the software level, the ability to order goods with a delivery address outside their own countries. Citizens of the Russian Federation then began en masse to establish contacts over the Internet with residents of the region the store belonged to (most often citizens of the United States) and to order goods through them as intermediaries, with the order then forwarded on. This scheme, invented "for good"

A similar scheme is still practised quite often by cybercriminals, but it is guaranteed to work only against banks whose processing centers could not or did not want to automate the processes of countering (filtering, identifying and blocking) the legalization (laundering) of proceeds of crime, in accordance with the basic requirements of Federal Law - by analogy with the owners of foreign online stores. The number of such banks is now rapidly decreasing, including thanks to the efforts of the supervisory departments of the Central Bank. Most banks have already learned how to identify suspicious transactions in an endless stream of transactions and to block or limit withdrawals on plastic bank cards at ATMs,

Mousetraps for potential droppers
The cybercriminals promptly responded to the appearance of blacklists and automatic systems for detecting suspicious transactions in a number of large banks (predecessors of modern complex solutions of the Antifraud class).

This annoying circumstance forced them to adjust the scheme for using droppers and abandon the repeated use of valuable props. Without thinking twice, the scammers decided to overwhelm the banks with numbers: the details not only of individuals but also of legal entities and individual entrepreneurs began to be used as droppers. The details of legal-entity droppers, obtained for a fee from black-market colleagues (semi-official buyers of bankrupt organizations), began to be used by cybercriminals (after first checking whether the bank had filtering systems) selectively and with great caution, mainly for guaranteed transfers, and much less often than the details of individual droppers.

At first, cybercriminals even developed their own stereotypes, for example that a dropper-fizik (an individual dropper) is cheap consumer goods. It is "good" in that it is not tied to a region: it can move around and open accounts on its still-clean passport in different banks in different regions. In this sense a dropper-yurik (a legal-entity dropper) is a comparatively "expensive product", and a clean, unexposed one is practically a one-off item.

With the help of social networks, thematic forums, announcements on poles and bus stops, the attackers have succeeded and are still able to constantly replenish their ranks and not depend on the degree of luck or personal qualities of one or another participant in a distributed network of droppers.
But then, in 2010-2011, the general approach to finding droppers and props on the black market fundamentally changed: algorithms for attracting and incentivizing droppers appeared. Those who had previously played the role of an ordinary dropper themselves, in the light of active police action, began to think more about their own safety and about building regional networks and pyramids (by analogy with network marketing). The term "dropovod" (drop herder) - the person responsible for developing a network of droppers in the desired country or in any foreign country - came into use among cybercriminals. The function of managing droppers, previously performed by young hackers inspired by their successes and the size of their unexpected profits, began to be performed by people who have nothing to do with computer security or programming but are quite experienced in the criminal business and want to earn the same money. Methods quite typical for this category of people went to work: manipulation, deception, blackmail, threats, etc.

The cybercriminals managed to find some droppers through old connections in the regions and use them openly. But most often (this carries less risk for the drop herder and the organizer of the criminal scheme), droppers were recruited without all the plans and nuances of the shadow business being disclosed, only in general terms, while at the same time being regularly incentivized under a well-developed commercial scheme.

On the Internet, including on social networks, tempting ads began to appear promising everyone quick money for seemingly simple and safe actions. The essence of one such announcement is as follows: a large "construction company" (the exact name is not given for obvious reasons) needs employees on a "contract" basis who have, or are able to obtain, plastic bank cards and are ready to hand them over for the regular payment of wages to foreign workers from the post-Soviet space who are illegally employed by the "construction organization". It was proposed to officially issue bank cards to employees of this very "construction company" (that is, in the terms of this article, to droppers). The dropper's responsibilities in this scheme are: to prepare in advance the documents needed to open an account (the number of documents depends on the requirements of the chosen bank), arrive at the right bank at the right time, open an account, apply for an ordinary debit card on that account and, where available, subscribe to SMS notifications to a mobile phone number belonging to the "construction company". After receiving the card, the dropper hands it and the PIN envelope over to a representative of the "construction company" in the manner prescribed by the "contract agreement" (by mail, in person, through an intermediary, etc.). For each visit to the required bank the dropper received a certain fee - from $10 to $100 - and the more visits (minimum two), the more profitable the cooperation with this "company" was for the dropper.

In other similar schemes the dropper performed all the same actions, except that he did not hand the plastic bank card over to the "representative of the construction company" but instead, regularly (no more than twice a month) or on a call from the drop herder's accountant, independently withdrew a specified amount from the nearest ATM. Here the next term appears - "torpedo" (in English-language literature, "mule"): a person who withdraws cash from an ATM using a plastic bank card (or cards), often issued to third parties, and sends 80-90% of the amount via the Western Union system to details additionally specified by the drop herder. The remaining 10-20% was the torpedo's bonus (in the context of this article, a subspecies of dropper) for a job well done.
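The article says above that most banks have learned to pick suspicious transactions out of the stream and limit ATM withdrawals, and the "torpedo" paragraph describes the pattern they are looking for: money lands on a card account and most of it leaves through ATMs almost immediately. The Python sketch below is an added illustration of such a heuristic, written for this page; it is not the article's or its author's code, and every account, transaction, date and threshold in it is constructed for the example.

```python
"""Heuristic detector for the 'mule / torpedo' cash-out pattern (constructed example)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Txn:
    account: str
    ts: datetime
    kind: str        # "credit_in" (incoming transfer), "atm_out", "card_pos", "transfer_out"
    amount: float


@dataclass
class Alert:
    account: str
    inbound: float
    cash_out: float
    reasons: list


def find_mule_pattern(txns, opened, window=timedelta(hours=48),
                      cashout_ratio=0.8, min_inbound=10_000.0, young_days=30):
    """Flag accounts where an incoming transfer is followed, within `window`,
    by ATM withdrawals totalling at least `cashout_ratio` of that transfer.
    `opened` maps account id -> date the account was opened; a credit landing
    on a freshly opened account adds a second reason. All thresholds are
    illustrative assumptions, not figures taken from the article."""
    by_acct = defaultdict(list)
    for t in txns:
        by_acct[t.account].append(t)

    alerts = []
    for acct, items in by_acct.items():
        items.sort(key=lambda t: t.ts)
        for credit in (t for t in items if t.kind == "credit_in"):
            if credit.amount < min_inbound:
                continue
            # Cash leaving through ATMs in the window after this credit arrived.
            cash = sum(t.amount for t in items
                       if t.kind == "atm_out" and credit.ts <= t.ts <= credit.ts + window)
            if cash < cashout_ratio * credit.amount:
                continue
            reasons = [f"{cash / credit.amount:.0%} of inbound {credit.amount:.0f} "
                       f"withdrawn at ATMs within {window}"]
            age_days = (credit.ts - opened[acct]).days
            if age_days <= young_days:
                reasons.append(f"account opened only {age_days} days before the credit")
            alerts.append(Alert(acct, credit.amount, cash, reasons))
            break   # one alert per account is enough for the analyst queue
    return alerts


# Constructed sample data: one account behaving like a torpedo, one ordinary
# salary account that receives the same amount but spends it normally.
OPENED = {"ACC-NEW": datetime(2024, 3, 1), "ACC-SALARY": datetime(2019, 6, 15)}
SAMPLE_TXNS = [
    Txn("ACC-NEW", datetime(2024, 3, 10, 12, 0), "credit_in", 50_000),
    Txn("ACC-NEW", datetime(2024, 3, 10, 20, 0), "atm_out", 15_000),
    Txn("ACC-NEW", datetime(2024, 3, 11, 9, 0), "atm_out", 15_000),
    Txn("ACC-NEW", datetime(2024, 3, 11, 12, 0), "atm_out", 14_000),
    Txn("ACC-SALARY", datetime(2024, 3, 10, 12, 0), "credit_in", 50_000),
    Txn("ACC-SALARY", datetime(2024, 3, 11, 18, 0), "card_pos", 3_000),
    Txn("ACC-SALARY", datetime(2024, 3, 12, 10, 0), "atm_out", 10_000),
]

if __name__ == "__main__":
    for alert in find_mule_pattern(SAMPLE_TXNS, OPENED):
        print(alert.account, alert.reasons)
```

Run as a script it prints one alert, for ACC-NEW, with both reasons; the salary account, which cashes out only a fifth of its credit, stays quiet. A real processing-centre rule set would add the signals the article mentions elsewhere (cards issued in bulk to one employer's "staff", SMS numbers shared between unrelated holders), but the shape of the check is the same: ratio of cash leaving to money arriving, measured over a short window, weighted by how new the account is.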

Since the organizers of such schemes risk not their own money but funds stolen from fraud victims, they can afford to be quite calm about constant rotation within the dropper network. They are shielded from law enforcement agencies, since none of the droppers knows the organizer of the scheme, and communication with a dropper most often takes place only via the Internet (Jabber, Telegram). If any of the current droppers decides to leave the shadow scheme and take with them all the money transferred to him under the cash-out plan,

Another example of the creation of dropper networks is the appearance of microfinance organizations whose names change every 2-3 months. Through advertisements on the Internet these organizations attract and fictitiously employ young and ambitious "financial directors" and "managers" whose only task is transit: opening personal and current accounts at the required banks and transferring the funds that arrive on these accounts on to Russian and foreign banks. After such a microfinance organization comes to the attention of law enforcement agencies, it mysteriously disappears (goes bankrupt, is resold, liquidated, etc.), and another appears in its place with updated details but the same employees and the same scheme of work.

Thus, at present, cash withdrawal schemes have been organized and debugged, in which droppers thirsty for quick money are used by attackers almost blindly, without a clear idea of the possible consequences.

What's the catch?
Advertisements for work as a dropper, posted en masse on the Internet, are aimed primarily at people in difficult life circumstances. Attackers, in fact, do not care about a given person's situation, age or religion; all that matters is the extent to which the candidate meets the basic requirements for a dropper in a given network. The typical dropper profile in the Russian Federation and in other countries is approximately the same. A warning sign for a potential candidate (an individual) for such "jobs" should be the evasive answers of the employer-drop herder to the simplest questions.

When preparing the materials for this article, I came across an instruction carefully prepared by a drop herder for potential droppers and tailored to one of the Siberian banks. According to the organizers of the fraudulent schemes, this instruction was supposed to guarantee the successful implementation of the plan.

Below I give an example of a dialogue (see table) between a newly minted dropper candidate and an experienced dropper, a representative of one of the cash-out networks, taken from Internet correspondence, with additional comments that reveal its essence.

Table. Example of dialogue between a candidate and an experienced dropper

| No. | Candidate question | Response of the scammer-dropper | Comment |
| --- | --- | --- | --- |
| 1 | What is this vacancy? How can I get to work? | This is not a vacancy, but additional earnings for the most promising, for an indefinite period. | Manipulation. Play on words. No specifics. |
| 2 | What's the catch? | There is no catch: you do your job well, we appreciate it and pay you money for it. I would like to note right away that we are not interested in having difficulties with the tax authorities; the company is well-known and large, and we do not need tax claims. | Manipulation. Emphasis on the imaginary reliability of a virtual large company. |
| 3 | And yet, why do you need such bank cards? | Example: there is a construction site where unofficial workers work without permits; accordingly, it is impossible to pay them officially, but it is very necessary, and the money must be handed out. For this, in most cases, such salary cards are needed. This is normal practice. | Manipulation. Emphasis on the normality of the situation. But there is nothing normal in the example: it is a clear violation of current law, which a large company would not commit. |
| 4 | How does it all happen? | A representative of our company meets with you, and if you suit him at the first meeting, you go straight to the bank. We give money for all registration costs. You get | Another manipulation, counting on a quick passage through the procedure and quick receipt of money. |
| 5 | How do you pay? | Payment is made at the rate of X money per bank, after the cards are received (the bank issues cards within 5-10 days), and Y for each visit to the bank after receiving the card; on average we will ask you to drop by two or three times a month. | |
| 6 | When can I close my cards? | Any day, at your request, after notifying us. | Creates in the dropper an imaginary sense of security and control of the situation. The fraudsters do not mention that in the event of illegal actions using a plastic bank card, legal responsibility rests entirely with the holder. |
| 7 | Am I breaking any applicable laws? | No, neither you nor we break the law. Only separate clauses of the agreement between you and the bank, prohibiting the transfer of a plastic bank card to a third party, are violated. Taxes on the salary transferred to the cards are paid; this is beneficial to the construction company itself. | |
| 8 | What are the conditions for this earnings? | The requirements are standard, like everyone else's: no criminal record, decent appearance, permanent registration; if you already have debit cards (more than 5), tell us about them in advance. Age 18 and over. Commitment and interest in the work are welcome. | Manipulation. Emphasis on the normality of the situation. |
| 9 | Can I bring a friend and make money? | Yes, you can! In this case we give the money to you personally, and you settle up with your friend yourself. | The classic network marketing scheme in action. |
| 10 | I agree, what should I do? | Please provide your name, age and contact phone number. If you have a lot of cards (more than 5), please let us know so that there are no difficulties registering our salary cards. You will be called shortly. At the moment only 10 people are required, no more. | Minimum requirements to get started. Artificially introduced restrictions leave no time to think. Appearance of previously unstated conditions. |
The example dialogue with the attacker shows that the drop herder's main purpose is to artificially create in the dropper a sense of calm and normality about handing a plastic bank card over to a third party after it has been issued by the bank.

The text of the instructions for preparing the dropper:
BEFORE SUBMITTING AN APPLICATION TO THE BANK, REMEMBER
You are an employee of the construction company "S **** ia" (LLC "S **** ia").
This company was established in March 2009 and is engaged in the construction of residential and non-residential buildings.
Buildings up to three floors, garages, warehouses, office premises.
Previously, the company was called "**** construction studio".
You are officially employed. The work book is not in your hands, but at work - in the personnel department of the enterprise. You receive your salary in cash at the accounting department.
TIN of your company 2 **** 1940; the company is serviced by the bank "****" and OJSC **** bank.
Legal and actual address of LLC "S **** Iya" (limited liability company): **** 061, city ****, st. ****, 53A. The warehouse is located in the same place.
Opening hours of S **** Iya LLC: 10: 00-18: 00 (Monday-Friday).
The staff of LLC "S **** Iya" employs about 60 people.
E-mail of the company: ****@****.ru. Website: ****.ru
Founder of the company (owner): X **** s Nikolay Alekseevich.
Specialist OK (HR department): K **** lion Anatoly Sergeevich.
The bank will ask you for the contact numbers of the director (or HR department) and the company's accountant, so you must learn their names in advance and save the numbers in your cell phone:
8 (****) 205-25 - ** - write this number as "Director S **** kov Dmitry Anatolyevich";
8 (****) 205-25 - ** - write this number as "Accountant S **** ova Valentina Nikolaevna".
We enclose a map of the location of our office.
Please contact only one bank - the one that we have chosen with you, otherwise there will be no confirmation!
Indeed, from the point of view of the legislation there is nothing criminal here; in any case, no liability is provided for a holder who hands his plastic bank card over to a third party of his own free will (even if motivated). At the moment the card and PIN envelope are handed over, the owner (potential dropper) violates only clauses of his agreement with the bank: the information security requirements on keeping the details confidential and safeguarding the means of access to the account. But this is not a violation of the law; nobody is fined or imprisoned for it.

Nobody informs the dropper that he may be brought to civil, property and, in some cases, criminal liability: after the organizers of the scheme make unauthorized transfers from the victim's account and credit the funds to the plastic card account of this dropper at the "right" bank; during the cashing out of funds (the torpedo stage) at an ATM using the plastic card; when the cash withdrawn from the ATM is sent through the Western Union system to the drop herder; and at any time after the fraud victim files a complaint with law enforcement agencies in the prescribed form, specifying the exact details of the dropper obtained from the bank.

How to identify a dropper and what punishment awaits him, we will tell in part 2 of this article, which will be published in the journal "Information Security №3"
(c) Alexey Pleshkov. Independent Information Security Expert.
 