The Big Business of Cybercrime During Holiday Shopping Season

By Angel Grant, Director, RSA Identity and RSA Fraud & Risk Intelligence

During the holiday shopping season, you aren’t the only one running around with an agenda. For cybercriminals, this is their peak season too. Criminals will deploy more attacks as they try to increase their inventory of stolen credentials, and many will try executing fraudulent transactions with the information they’ve acquired over the past 12 months.

Today, hacking is more than just cybercrime – it is big business.

While the tactics being deployed by cybercriminals vary, many have certainly become common: phishing, ransomware and malware. With stronger security practices and education, many business leaders and consumers alike understand how these schemes work to fool you into clicking an errant link or attachment. But what’s not seen at the surface is the deep interworking of a cybercrime market.

Whether on the Dark Web or even in criminal marketplaces hosted by Facebook, Instagram, Reddit and other popular social media platforms, there are a variety of groups that are being run as functioning companies. Each organization has a “boss” along with technical and operational employees. Let’s look at what role each plays in this ecosystem:

  • “The Boss”: These are the gang leaders. They may have an association with a criminal network and, because they are typically not technical individuals, they hire experts who can help them carry out fraud.
  • Technical: You can think of these individuals as the ones often (stereotypically) depicted in a black hooded sweater. They’re responsible for creating the malware, designing tools for carding and phishing kits, and developing the infrastructure that will carry out the attacks.
  • Operational: This role can take many forms, but is an integral piece in the cybercriminal operation:
    • Fraudster/Marketing: They create and deploy social engineering schemes – phishing, scam ploys – for all purposes, with the intent of getting someone to click and open the malicious software on their device.
    • Trader/Sales: They are buying, trading and selling stolen account credentials, financial information and personally identifiable information (PII) on underground marketplaces, or even on social media, with other cybercrime organizations.
    • Forgers: They develop fake documentation, false licenses and/or passports, and even fabricate payment cards for the purpose of payment card cloning.
    • Servicemen (mules): As the name indicates, these are the laborers who are doing a majority of the “dirty work” like attempting fraudulent transactions or in-store pickups.
    • Mule-herders/HR: These folks are the Sales and HR arm of the organization. They recruit mules, organize item drops, and offer transfer and exchange options.

With an organization this established, it would seem that the business of cybercrime would be better understood. However, a majority of this criminal activity is taking place in domains that aren’t utilized by the Average Jane or Joe. They’re communicating and transacting on the Dark Web, which is the fringe of the Internet that most don’t encounter every day. Activities are hosted on the TOR network or similarly encrypted networks where you need to know someone before being invited to join – somewhat like an organization’s VPN or shared network.

However, the RSA Anti-Fraud Command Center is seeing growing use of an emerging “Grey Web,” which leverages a wide range of social media platforms. Many of the marketplaces on the Dark Web have become too competitive, leading criminal organizations to turn to other avenues of merchandising their goods and services to a larger audience. Underlying this is the fact that social media is innately mobile and can be used across an array of devices, making it more convenient for fraudsters to communicate with one another and conduct business. The platforms being exploited most for this nefarious activity include Snapchat, WhatsApp, Telegram, Instagram and Facebook.

While it may seem that the odds are stacked against us, there are steps you can encourage your customers and your employees to take to protect their digital presence, including:

  • Monitor your accounts: Activate fraud alerts like new payee, money withdrawal, high value credit card transaction, insurance claim submitted, use of hospitality loyalty points, etc.
  • Take advantage of multi-factor authentication (MFA): Whether selfie pay, biometrics, or one-time password, utilize a platform’s native MFA capabilities as they’re harder to hack.
  • Take inventory of all connected devices: We now live in a connected world and need to adapt to it. When receiving a new device, start by changing the default user name and passwords, installing security updates and turning off the device when not in use.
  • Resist the click: This evergreen advice never gets old. Whether a text, email or social media promotion, avoid clicking on something from a sender you don’t know.
  • Back it up: Many phishing attempts are now linked to ransomware. That is why it is especially important to back up data offline.
  • Beware of work-at-home scams: Around the holiday season, many criminal networks will scam innocent victims by having them reship packages or receive funds in their bank account. If it sounds too good to be true, then it probably is.

To get a full view of all the cybercrime trends observed by RSA, see the Q3 2018 Quarterly Fraud Report.