The number of illegal transactions with OZON wallets has jumped dramatically

Tomcat

After the license of Qiwi Bank, which is notorious for high-risk transactions involving settlements between citizens and shadow businesses, was revoked in February, attackers began to look for an alternative to Qiwi wallets. One of the options for them is the analogous wallets from Ozon: according to Angara Security, the number of messages about buying and selling verified Ozon e-wallets for p2p transfers has tripled since February. Analysts also record an increase in ads about their use for illegal operations, including illegal withdrawals and withdrawals for a percentage.

Looking for an alternative

According to Angara Security data reviewed by Forbes, the number of reports about the purchase and sale of verified Ozon e-wallets for p2p transfers tripled in 2024. At the time of the study (end of April), analysts recorded a significant increase in messages, Angara Security explains, without specifying their number. Forbes also verified that such ads are present online.

This increase coincides in time with the Central Bank's decision to deprive Qiwi Bank, known in particular as the operator of Qiwi electronic wallets, of the right to engage in banking activities. Among the main complaints made by the Central Bank against the bank were high-risk transactions involving settlements between citizens and shadow businesses. These are money transfers to crypto exchanges, illegal online casinos and bookmakers, as well as transfers of stolen funds to so-called droppers: individuals who accept illegally withdrawn funds to their own or other people's accounts and cards and withdraw them in the interests of criminals for a percentage. The Central Bank mentioned numerous precedents of e-wallets being opened using the personal data of individuals without their knowledge, and of operations being conducted on these wallets without the consent of customers.

Having lost the popular tool, the attackers turned their attention to similar products. In addition to ads about the purchase and sale of Ozon wallets, Angara Security analysts also record the sale of Ozon Bank personal accounts with maximum verification statuses, as well as offers of services for direct transfer of funds from "stolen personal accounts to other cards for further cashing out".

At the same time, Telegram has recently become one of the main platforms for distributing such messages, the company points out. "Of course, some of the data is published on the darknet, but the main body of information in this case is collected using OSINT (open-source intelligence) tools, which allow you to monitor and analyze messages in groups and chats, as well as so-called malvertising: promotion of content from intruders using the advertising tools of the platform," Angara Security explains. Forbes sent a request to Telegram.

Scammers offer three main ways to purchase e-wallets, Angara Security notes. The first is the purchase of a database with data from legitimate users, which, according to experts, "creates risks for existing customers of Ozon services." The second is that attackers use the capabilities of the service itself, which allows digital cards to be linked to an anonymous account that requires only a mobile operator's SIM card to register. The third is offers to buy e-wallets on Telegram and the darknet. For example, an Ozon Bank e-wallet can be purchased for 2599 rubles.

"Financial services of the largest Russian marketplaces, originally developed for the purpose of a 'seamless' customer experience, are becoming the objects of attention of participants in the gray payment market. Settlements using electronic wallets provide more opportunities for transactions, involving more participants in illegal schemes, from cashing out funds to financing undesirable organizations," Angara Security experts warn.

"Excellent replacement"

Monitoring of activity on the dark web shows that in February 2024, the number of ads for the sale of Ozon Bank accounts doubled compared to January, a source in a large cybersecurity company said. "In March and April, there is a slight 10-15% decrease in the number of ads. But in some cases, sellers position Ozon Bank wallets as an excellent replacement for Qiwi wallets. Most often, such accounts have a low cost, which attracts buyers," he continues.

In the middle of 2023, the cost of access to an Ozon Bank personal account on the darknet was 700-2500 rubles, but now it varies in the range of 500-10,000 rubles and depends on several factors, the Forbes source says, sharing his observations. "These are the status of the wallet (anonymous, basic, advanced), the verification method (via Public Services, using a passport photo, or via a mobile operator), the probability of blocking the account (depending on the time since registration and whether there were any transactions at that time), as well as the data received by the buyer (minimum set: phone number for Ozon Bank, login and password from the SMS receiving service; maximum set: phone number, code word, secret code, passport data, proxy for Ozon Bank, login and password from the SMS receiving service)," he lists.

However, according to another source in a large information security company, verified wallets of all payment services are sold on the darknet, and their number "directly depends on the popularity among the population."

Transfer to a fake person

Ozon told Forbes that to detect fraudulent activity, the bank has built a multi-level fraud analysis process that uses special detection algorithms, machine learning, and a number of other technologies. "If the system detects any suspicious activity, the fraud monitoring team promptly blocks the movement of funds and checks such cases, which may include additional identification, as well as in some cases confirmation of the source of funds," says a company representative. "At the same time, the fight against fraud is a continuous process. Fraudsters are constantly inventing new schemes, so we are constantly working to improve our own rules and tools to combat fraud." Ozon also actively interacts with regulators and other market participants, which also makes it possible to successfully combat systemic fraudulent activity, the company concludes.

At the beginning of the year, during the revocation of the license from the "popular e-wallet service", the number of transfers to bank cards of front persons (droppers) increased by about 50% relative to the average daily number, the Fraud Protection department of F.A.C.C.T. states: "And the cost of ordering bank cards issued to droppers increased by about the same amount in ads on shadow resources."

"The fight against drops is a serious challenge for the entire banking community, and absolutely all players face it. On the darknet, you can find an offer to buy cards or compiled databases from publicly available information of any major bank. After the license of the 'popular e-wallet service' was revoked, leading Russian banks and payment systems have strengthened the protection of their systems in order to prevent an explosive increase in the number of drops used. As far as we know, Ozon Bank has also strengthened fraud monitoring measures in this area," F.A.C.C.T. concludes.
 