How carders steal and launder money through food delivery and hotel booking services

Mutt

This article is presented for informational purposes only and does not constitute a call to action. All information is aimed at protecting readers from illegal actions.

As a result of my work, I have to rummage through underground forums in search of fresh information about vulnerabilities, password leaks and other interesting things. Sometimes we consult representatives of law enforcement agencies on new vulnerabilities, attacks and attack patterns, and there are situations when law enforcement agencies share “new products”.

I think many will share my point of view that if a "scheme" or "vulnerability" got to the forum, then, as a rule, all the "cream" from it has long been taken by someone. And forums outside of the .onion zone should not be taken seriously. But this time a scheme was found that surprised me with its relative simplicity and novelty. Actually, today’s story will be about how hackers steal and launder money through food delivery services.

How a significant part of carding was killed: background
People who are versed in anti-fraud systems and the security of bank payments have long known that most services accepting credit card payments online connected a system for additional verification of payments by phone (via SMS, call or application) long ago.

At MasterCard, this system is called 3D Secure, abbreviated as 3DS; at VISA it is the similar Verified by Visa (VbV) system. The bottom line is simple: if you enter your credit card data somewhere, then for a successful payment you will also need to enter the code received by SMS, call or application to confirm that it is you making the purchase and not hackers robbing you.

With the introduction of these systems, a significant part of payments from someone else's (stolen) credit cards went into oblivion.

For the giants, revenue volume and turnover of funds matter more than security
However, large, highly loaded services such as Booking.com, Airbnb, Amazon.com, Facebook.com have disabled or are limiting their use of this additional checkout feature, as it (most likely) has a strong impact on sales and conversions. Of course, they replaced it with additional verification within the account and neural networks with the coolest anti-fraud solutions, but this did not help much. The problem is not new and is widely discussed.

Also, the US Federal Trade Commission said 13 million complaints were received from 2012 to 2016, 3 million in 2016 alone, 13% of which concerned identity and credit card theft. And this data is for the United States only. The reality is that it is better to keep a staff of lawyers dealing with the return of payments from other people's cards than to reduce the turnover of funds. As a result, whole forums appeared with offers to book a hotel for 25%-50% of the cost. It is a business risk, nothing more.

This is how a fairly popular scheme of money laundering from stolen credit cards through rental housing services appeared (an example of one that suffered from the actions of carders). In a simplified version, it looks like this:
  1. Rent an apartment with the right to sublease.
  2. Register the apartment on booking.com and / or Airbnb.
  3. Buy stolen credit card details.
  4. Supposedly book the apartment from themselves, using the data of stolen cards.
  5. Receive already clean money from Booking or Airbnb.

Naturally, there can be a million options for the above scheme, from registration on Booking, Airbnb of non-existing apartments (this is real), to registering an account with your data, without the knowledge of the owner of the apartment / hotel. People en masse search / buy up unscrupulous hotel owners or offer their services.

Why is money laundered precisely through apartment rental services? As I wrote above, VBV and 3DS are absent there (or used only to a limited extent), so cards are easier to "drive in" there. Also, hotel owners often sin by laundering money through pre-authorization and completion at POS terminals with support for manual card input, but this is a completely different story, which I will tell you next time. Let's return to our food delivery service.

Food delivery services also don't care whose card it is
GLOVO, UBER, Yandex Food and other cheap delivery services have rapidly burst into our lives along with hotel booking services. And you know what? They don't really care if the name of the account owner matches the name on the credit card. It does not matter to them where to deliver or where to pick up the goods. Like the hotel booking giants, they care less about VBV and 3DS than about turnover and revenue.

So, while working on another order for testing antifraud systems in HackControl, collecting new fraudulent schemes, I came across a "novelty". Carders and scammers have come up with a scheme that looks like this at first approximation.
  1. Register a store / hot dog / restaurant / shop in the food delivery system, or simply indicate to the delivery man where exactly he should buy the order.
  2. Buy a stolen credit card and link it to your account.
  3. Through a stolen credit card and food delivery app, with an unsuspecting courier, they buy from their own store and wait for delivery.
  4. They take food back and so on in a circle.
Naturally, I described the scheme as a first approximation, and scammers change restaurants, shops and delivery addresses, but the essence remains the same.

Disclaimer and conclusions
This publication is not intended to show vulnerabilities in a particular food delivery service or accommodation booking. It is not intended to be a comprehensive guide to protecting and preventing fraudulent activity. It cannot be interpreted as a call or a guide to action. Fraudulent credit card transactions, the use of someone else's data when booking hotels or delivering food are completely illegal and a criminal offense.

The overarching takeaway is that anti-fraud system creators, risk directors and architects sometimes need to go underground to see how else the services they have developed can be used. Now, alongside the usual social engineering, we and other companies offer clients testing of their services for fraudulent business logic.

Today, even penetration testing without checking business logic is no longer complete. Business does not buy template services; sales go rather through business analysts who help improve a particular process and prevent risks. When creating a delivery service, you need to think through not only the main risks, such as “will they not deliver drugs through us,” but also other risks of the service being used for illegal activity.
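A defender's view of the self-dealing loop described above, as an added example that is not part of the original post or any delivery service's code: it flags orders where the buyer appears linked to the store being paid. The field names, sample orders, signal names and the two-card threshold are all assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample data; every field name and value is an assumption for this example.
MERCHANTS = {
    "m1": {"device": "d7", "address": "12 Mill St"},
    "m2": {"device": "d3", "address": "88 Market Sq"},
}
ORDERS = [
    {"id": "o1", "customer": "c9", "merchant": "m1", "card": "fp-a",
     "card_name": "A. Reyes", "account_name": "Ivan K", "device": "d7", "drop": "12 mill st"},
    {"id": "o2", "customer": "c9", "merchant": "m1", "card": "fp-b",
     "card_name": "B. Osei", "account_name": "Ivan K", "device": "d7", "drop": "40 Quay Rd"},
    {"id": "o3", "customer": "c2", "merchant": "m2", "card": "fp-c",
     "card_name": "Dana Lee", "account_name": "Dana Lee", "device": "d1", "drop": "5 Elm Ave"},
    {"id": "o4", "customer": "c3", "merchant": "m2", "card": "fp-d",
     "card_name": "P. Novak", "account_name": "Mia Novak", "device": "d4", "drop": "7 Oak Ln"},
]
# Signals that tie the buyer to the merchant, as opposed to a plain name mismatch.
LINK_SIGNALS = {"shared_device", "delivered_to_merchant", "many_cards_same_pair"}

def norm(text):
    """Case- and punctuation-insensitive comparison key."""
    return " ".join(text.lower().replace(".", " ").split())

def flag_self_dealing(orders, merchants, card_limit=2):
    """Return {order_id: [signals]} for orders that look like a buyer paying their own store."""
    cards = defaultdict(set)  # distinct cards used per (customer, merchant) pair
    for o in orders:
        cards[(o["customer"], o["merchant"])].add(o["card"])
    flagged = {}
    for o in orders:
        m = merchants[o["merchant"]]
        signals = []
        if norm(o["card_name"]) != norm(o["account_name"]):
            signals.append("name_mismatch")
        if o["device"] == m["device"]:
            signals.append("shared_device")
        if norm(o["drop"]) == norm(m["address"]):
            signals.append("delivered_to_merchant")
        if len(cards[(o["customer"], o["merchant"])]) >= card_limit:
            signals.append("many_cards_same_pair")
        # A name mismatch alone is common (family cards), so require a
        # buyer-merchant link plus at least one more signal before flagging.
        if len(signals) >= 2 and LINK_SIGNALS.intersection(signals):
            flagged[o["id"]] = signals
    return flagged

if __name__ == "__main__":
    for order_id, signals in flag_self_dealing(ORDERS, MERCHANTS).items():
        print(order_id, signals)
```

Because the post notes that scammers rotate restaurants and delivery addresses, the device and card-reuse links carry more weight here than the address match.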
 