How crooks use your doppelgangers to pay with your card

April 9, 2019

You probably know that weird phenomenon: Airplane crashes get significantly more media attention than traffic accidents, despite the number of casualties per year being significantly smaller in the former. The same phenomenon applies to other aspects of life, including cybersecurity and cybercrime reporting.

When back in 2014 we discovered Carbanak, the cybergang that had stolen more than a billion USD, that was a big deal for the press. But we should not forget that the more common credit card fraud that happens every day results in significantly bigger financial losses. For example, The Nilson Report estimates that in 2018 card fraud caused about $24 billion in losses and is set to grow significantly this year. Carding — that’s what cybercriminals and security specialists call card fraud — is not dead. On the contrary, it’s growing.

How criminals use data harvested from users' devices to fool antifraud systems and siphon money from victims' accounts

That may seem surprising, with more and more banks implementing strict security systems and clever fraud-prevention solutions based on machine learning, and otherwise protecting funds on cards from being stolen. Theoretically, that should’ve stopped at least the newbie crooks from stealing money from cards, but the statistics say otherwise. And on darknet forums, if someone asks a question like “What is the first step in a cybercriminal career?” the answer is “carding.”

Fortunately, carding has indeed become harder because of the security measures implemented by banks and payment platforms. Unfortunately, antifraud systems don’t work that flawlessly in reality — and special services, tools, and marketplaces for those services and tools are available for those who want to give stealing money from others’ credit cards a try.

Digital fingerprinting: Borrowing an identity to steal from its card

Kaspersky Lab researcher Sergey Lozhkin has discovered a market on the darknet, called Genesis, that is used to sell users’ digital masks. He delivered a keynote on his discovery at the Security Analyst Summit 2019. A digital mask consists of a user’s digital fingerprint — Web history, OS and browser information, installed plugins, and so on — and information about the user’s behavior: what they do online and how they do it.

Why would crooks sell masks, and how is that related to carding? Digital masks are used by antifraud systems to verify users. If the digital mask that an antifraud system sees matches the one it has previously seen for the same user, it will mark the transaction legitimate. For quite a lot of banks, that means they won’t even require a 3D Secure code sent by SMS or push notification to the user to confirm the transaction.

So, if a criminal somehow manages to steal your digital mask and your online banking credentials, the antifraud system will think it’s you and won’t raise any flags. That way the criminal can siphon all the money from your account without being noticed.

That is why some malefactors scrape the data from users’ devices and put it on Genesis for sale. Others buy that information, which costs $5 to $200 depending on the amounts of data and credentials included, and use it to pretend to be the owner of that digital mask.

To do that they use a free browser plugin. Developed by the people behind Genesis and called Genesis Security, the plugin lets them use the digital mask to recreate the legitimate user’s virtual identity and thus fool antifraud systems. Basically, it modifies the parameters the antifraud system sees so that they match the parameters of the victim’s device and recreates their behavior.

Collecting the fingerprints

So, where do the cybercriminals behind Genesis get the data they sell? The answer is simple, but rather vague: from various malware species.

Not every piece of malware tries to encrypt your data for ransom or steal your money right after it gets on your device. Some species sit quietly, gathering all the data they can reach and creating those digital masks that are later sold on Genesis.

Other ways to bypass fraud prevention

The first way to bypass fraud prevention systems is to look familiar. The other is to look completely new. And, since criminals know about the other way, there’s a service on the Internet to do that as well.

Completely new means next to no matching parameters between the digital mask used and any other digital masks the service is aware of. It means the fraudster won’t be allowed to log in to a service with a fraud prevention system, even if they install a new browser on their PC, if some of the parameters — such as computer hardware, screen resolution, and many more — will be the same as in the digital mask they used earlier.

But a service called Sphere allows the crooks to create a new digital identity and customize all of those parameters so that the fraud prevention system sees them as someone completely new. And it has no reason not to trust that new person.

Saying no to doppelgangsters

The problem is that no matter how advanced the fraud prevention system is, these techniques still work, because the fraud prevention system’s algorithms that determine if the person is allowed to access the funds rely on exactly the same data the malefactors harvest.

So, is it possible to protect from this advanced card fraud?

For banks, protection requires introducing mandatory two-factor authentication, maybe even using some biometrics such as fingerprint reading (real, not digital), iris scanning, or face recognition as the second factor. Banks also need to be aware of the various kinds of fraud that emerge; otherwise, they won’t implement measures to fight that fraud.

From the user’s perspective, the only way to protect yourself from this type of card fraud is to make sure no one can harvest your digital mask. And to do that, you need to install a robust security solution that will eliminate every single piece of malware trying to tamper with your data.