Criminals have created sophisticated networks to monetize stolen credit card data, in part by buying valuable goods — from laptops to sports nutrition products — that are then resold for cash, according to security researchers at Hewlett-Packard Enterprise.

The network includes “administrators,” who create demand and reshipping websites for “stuffers,” who purchase products requested in the U.S. using the stolen card data. They in turn ship product to “drops” — usually in the U.S. — and who then reship the goods to Russia or Eastern Europe.

From there the group’s operators sell the products in grey markets for fat profits. The money they make in part pays the admins, who recruit stuffers and who are paid a percentage (sometimes in Bitcoin) from each product type they buy.

Drops often make nothing at all.

The schemes were outlined in an HPE report issued this month, which looked at how criminals are able to get around retailers who no longer ship products bought online to certain countries — mainly in Eastern Europe, where many of the gangs are — because so many purchases from there are fraudulent.

According to some estimates, the reshipping operations could account for 1.6 billion credit and debit cards being abused for more than US$1.8 billion a year.

HPE research done over a six month period starting last August shows most drops are in the U.S., because that’s where the most targeted retailers and stolen credit card data is.

“As an example of the scale and potential profitability,” says the report, “a single investigated site processed US$1.5 million of merchandise in 2015, representing $1 million in profit to the operator.”

The real suckers in this arrangement are the drops, who in the study were often found in low income areas. That’s probably because they are promised what appears to be easy cash — sometimes as high as US$750 a week, plus commission on each item reshipped by working from home. Or, they may be promised a flat rate per package. “Which model is offered makes no difference,” says the report, “because drops are almost never paid.”

This has been going on for some time. Security reporter Brian Krebs wrote on the indictment in 2011 of 100 people suspected of being part of one of these rings.The Canadian Anti-Fraud Centre’s web site warns residents about so-called mystery shopper and reshipping scams.

Goods in demand include gift cards, laptops, cameras, blenders, iRobot vacuums, rifle scopes and clothes. Victims include WallMart, Amazon, Best Buy, Staples, U.S. carriers such as AT&T and Verizon, and upscale retailers like Saks Fifth Avenue.

The report admits retailers have a problem: Spotting these fraudulent transactions is difficult if they don’t know a credit card being used online has been stolen. HPE advises CISOs to monitor for this activity and to keep up to date on how scam operations work to tune their defences.

As for individuals, to avoid being suckered into becoming a drop they are urged to be wary of online job listings with spelling mistakes, and jobs whose tasks include wiring funds, package forwarding and being an “import/export specialist.”

Related Download
Cybersecurity Conversations with your Board Sponsor: CanadianCIO
Cybersecurity Conversations with your Board – A Survival Guide
Download Now