On November 23, 2016, someone using the name Joseph Tanner tried to buy a series of digital gift cards to be delivered to someone with the name Kasper Gleason (not their real names). In reality, Kasper Gleason was a fraudster using Tanner’s name, credit card number, and billing address to illegally buy the gift cards. These stolen credentials had been making the rounds of the Dark Web since 2014, and were actually offered to fraudsters as free samples to prove their validity. Since then, fraudsters have used this same information to try to purchase items from dozens of different merchants. In 2019 alone, these credentials were discovered 44 times across the Dark Web.

A study released Wednesday by cybersecurity providers IntSights and Riskified looks at how these fraudulent attempts with one credit card could be thwarted. The information and advice in this study can be useful to merchants seeking to combat e-commerce fraud.

The way the gift card orders were placed using this stolen credit card raised several red flags with Riskified’s fraud prevention software. The scammer placed four orders: the first at 1:49 a.m., the second just one minute later, the third six minutes after that, and the final one a minute later. All the details remained the same across the four orders. This quick succession of orders with the same details was one sign of possible fraud to Riskified, which deduced that Gleason checked out multiple times hoping that one of the orders would go through.

The time the orders were placed was another sign of possible fraud. Fraudsters often schedule orders at off hours in an attempt to sneak past merchants with manual reviewers, according to the study.


The orders were the first ones placed with the online gift card vendor with this account, which had been created just a day earlier. That was another warning sign. Orders by new accounts and by new customers often catch the attention of fraud managers, IntSights said.

The delivery email address for the account was kgs337373@gmx.com. This was yet another sign. Random email addresses such as this one are considered riskier than are addresses such as Kasper.Gleason@gmail.com or kgleason@gmail.com. This is because fraudsters need a lot of email addresses, and create them quickly and haphazardly by trying to find ones that aren’t already in use.

Riskified also cross-checked the card number, physical address, and email address, and discovered that no legitimate orders had been placed by the original card holder with that card number, nor had this person ever shopped from IP addresses outside of New York State. Using the company’s solution and armed with all of this information, the online card merchant correctly declined all of the orders.
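The warning signs described above (rapid repeat orders, off-hours timing, a day-old account, a random-looking delivery address) can be expressed as order-level signals. The following is an added example, not Riskified's software or code from the study; the thresholds, field names, card placeholders and sample orders are assumptions constructed from the article's timeline.

```python
import re
from datetime import datetime, timedelta

# Thresholds are assumptions for illustration, not values from the study.
BURST_WINDOW = timedelta(minutes=10)
BURST_COUNT = 3
NEW_ACCOUNT_AGE = timedelta(days=7)
OFF_HOURS = range(0, 6)  # 00:00-05:59 local time

def email_looks_random(email, name):
    """True if the local part has a long digit run and no part of the name."""
    local = email.split("@", 1)[0].lower()
    has_name = any(p in local for p in name.lower().split() if len(p) > 2)
    return bool(re.search(r"\d{4,}", local)) and not has_name

def signals(order, all_orders):
    """Return the names of the article's warning signs that this order trips."""
    hits = []
    same = [o for o in all_orders
            if o["card"] == order["card"] and o["email"] == order["email"]
            and abs(o["placed"] - order["placed"]) <= BURST_WINDOW]
    if len(same) >= BURST_COUNT:
        hits.append("rapid_repeat_orders")
    if order["placed"].hour in OFF_HOURS:
        hits.append("off_hours")
    if order["placed"] - order["account_created"] < NEW_ACCOUNT_AGE:
        hits.append("new_account")
    if email_looks_random(order["email"], order["recipient"]):
        hits.append("random_email")
    return hits

def make_order(placed, created, email, card, recipient="Kasper Gleason"):
    return {"placed": placed, "account_created": created,
            "email": email, "card": card, "recipient": recipient}

# Constructed sample data: four orders at 1:49, 1:50, 1:56 and 1:57 a.m. from an
# account created the previous day, plus one unrelated daytime order.
CREATED = datetime(2016, 11, 22, 14, 0)
BURST = [make_order(datetime(2016, 11, 23, 1, m), CREATED,
                    "kgs337373@gmx.com", "CARD-PLACEHOLDER-1")
         for m in (49, 50, 56, 57)]
NORMAL = make_order(datetime(2016, 11, 23, 15, 30), datetime(2015, 3, 1),
                    "kgleason@gmail.com", "CARD-PLACEHOLDER-2")
ALL_ORDERS = BURST + [NORMAL]

if __name__ == "__main__":
    for o in ALL_ORDERS:
        print(o["placed"], o["email"], signals(o, ALL_ORDERS))
```

In line with the study's advice against relying on static rules alone, signals like these are better treated as inputs to a scoring model than as standalone decline rules.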

Fraudsters also use more sophisticated and automated tools to commit fraud against online retailers, according to the study. One such tool is an account checker, which injects stolen usernames and passwords into the appropriate fields on an online order form to see which credentials work. Such tools can even counteract some of the defense mechanisms used by online merchants.

Fraudsters also employ auto-buying bots to try to buy items using stolen credit card credentials. These are similar to the bots used to win auctions on sites like eBay. The criminals simply reconfigure them for their own illegal purposes.

Beyond learning from the examples in the study, what can online merchants do to better mitigate fraud on their own sites? IntSights offers the following tips organized by offense and defense:

A good offense requires a smart balance between fraud reduction and customer retention.

  1. Remove static or rules-based filters and blacklists. Instead, consider neural networks and machine learning to better detect fraud.
  2. Don’t rely solely on matches when evaluating orders.
  3. Be careful of adding friction and turning legitimate shoppers away.
  4. Look for a fraud solution that scales with your growth.
  5. Adjust your fraud approach to fit how your customers shop.

A good defense requires you to keep your finger on the pulse of an ever-changing landscape.

  1. Monitor social media for fake accounts, unauthorized product ads, and phishing scams.
  2. Regularly update customers on authorized contact channels for support.
  3. Monitor the Dark Web for new hacker tools.
  4. Watch your retail website carefully, especially pages that require credit/personal details.
  5. Control and limit access to company databases using multi-factor authentication.