Scammers Play Robin Hood to Test Stolen Credit Cards

The Symantec security blog today talks about a trend its authors are seeing more of: Scammers using stolen credit cards to make small donations to online charities.

The prevailing theory is not that the criminals are being altruistic. Rather, security researchers believe the donations are being made to test whether a stolen card is still active, much in the same way that thieves test stolen physical cards at gas pumps, where there is little chance of anyone spotting them if the card comes up canceled.

According to Symantec, "bank behavior monitors may be less likely to pick up on donations to charities. Legitimate charitable donations are not daily transactions for anyone with a credit card, and so it would be difficult to determine if they are out of the norm."

This is hardly a new trend. Two years ago, in the wake of Hurricane Katrina, Security Fix spotted scam artists using stolen credit cards to donate to the Katrina relief efforts. Last year, in a story I wrote about hacked online merchants, I found additional evidence that criminals were using online charities to test stolen credit card accounts.

At the ShmooCon hacker conference in Washington, D.C., earlier this year, I had dinner with a guy who worked as an administrator for one of the major 2004 presidential campaign Web sites. Turns out, at one of the busiest periods of the online fundraising period, tens of thousands of small, five-cent donations came into the campaign over the course of several days from a group of computers located in Eastern Europe, with payments being made via thousands of different credit card numbers.

In that case, the crooks had automated their process for testing stolen card numbers. The campaign the source worked for was forced to deny all $60,000 that came in.
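The pattern in that account (very small donations, many different card numbers, a small group of source computers) is one a donation page can check for before the payments reach the processor. The following is an added example, not code from the campaign or from Symantec; the record layout, the thresholds and the function names are assumptions chosen for illustration, and the sample data is constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
import ipaddress

MICRO_CENTS = 100          # assumed: donations at or below $1.00 count as "micro"
MAX_DISTINCT_CARDS = 3     # assumed: distinct cards tolerated per network per window
WINDOW = timedelta(hours=1)

def network_of(ip, prefix=24):
    """Collapse an IPv4 address to its /24 so a group of nearby hosts counts as one source."""
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))

def find_card_testing(donations):
    """Return {network: peak distinct-card count} for networks exceeding the threshold.

    donations: iterable of (iso_timestamp, source_ip, card_token, amount_cents),
    sorted by time. card_token is a processor token or hash, never a raw card number.
    """
    recent = defaultdict(deque)   # network -> (time, card_token) pairs inside WINDOW
    flagged = {}
    for ts, ip, card, cents in donations:
        if cents > MICRO_CENTS:
            continue              # ordinary-sized gifts are not the testing pattern
        when = datetime.fromisoformat(ts)
        queue = recent[network_of(ip)]
        queue.append((when, card))
        while queue and when - queue[0][0] > WINDOW:
            queue.popleft()       # drop attempts that fell out of the window
        distinct = len({c for _, c in queue})
        if distinct > MAX_DISTINCT_CARDS:
            net = network_of(ip)
            flagged[net] = max(flagged.get(net, 0), distinct)
    return flagged

# Constructed sample data (documentation-range IPs, made-up tokens).
SAMPLE = [
    ("2007-07-06T10:00:00", "198.51.100.7", "tok_a1", 2500),  # normal donor
    ("2007-07-06T10:01:00", "203.0.113.10", "tok_b1", 5),
    ("2007-07-06T10:01:20", "203.0.113.11", "tok_b2", 5),
    ("2007-07-06T10:01:40", "203.0.113.12", "tok_b3", 5),
    ("2007-07-06T10:02:00", "203.0.113.10", "tok_b4", 5),
    ("2007-07-06T10:02:30", "203.0.113.13", "tok_b5", 5),
    ("2007-07-06T10:05:00", "192.0.2.44", "tok_c1", 100),     # one small gift, one card
    ("2007-07-06T12:30:00", "192.0.2.44", "tok_c1", 100),     # same card again later
]

if __name__ == "__main__":
    for net, cards in find_card_testing(SAMPLE).items():
        print(f"{net}: {cards} distinct cards on micro-donations within {WINDOW}")
```

A flagged network is a candidate for step-up checks or a hold before authorization, which also avoids paying per-transaction fees on attempts that will later be refused.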

I would look for this to happen, possibly on a much larger scale, in the upcoming 2008 presidential election.

By Brian Krebs  |  July 6, 2007; 1:15 PM ET
Categories:  Fraud  

Comments

USB key with credit card to record transactions for income tax and prevent unauthorized use...this is a convenience.
Fidelity Investments, my account, can easily be wiped out with a wiretap the government can't find. They can't find anything:)
I think Verizon employees have found a second income....really.

Posted by: charlesandrew@gmail.com | July 7, 2007 9:07 AM | Report abuse

You don't have to be a 'hacker' on the 'outside' to do anything. Simple enterprise network administration skills are all it takes.

For example, if I decide to SPAN, sniff my finance system, export SQL to a db dump and take it home on my laptop I get 100,000 credit cards.

Any amateur in any organization can do it. WAKE UP PEOPLE. The simple fact of the matter is that the companies you trust are hiring people that are incompetent and don't know a thing about what people can do on the inside. 'IT Managers', CIO's and Directors are the problem. Try some accountability in your companies. Try TESTING the CIO, Directors and IT Managers as they test their line staff. You'd be surprised how much they 1: don't know. 2: don't care. and 3: have put at risk and continue to put at risk for corporate gain - at your expense.

So, how long would it really take for me to get 100,000 credit cards? Hmm.. 5 minutes. Maybe... 3.

Depends on if I would decide to write a virus and cover my tracks by blowing up the entire LAN and WAN while taking a chainsaw to the 110 blocks and knocking out all the phone lines. Try figuring that out while I'm walking out the front door with a smile on my face and your money in my laptop.

Posted by: bfft.. you're all at risk Sheeple | July 8, 2007 12:26 PM | Report abuse

^^LOL

Posted by: Anonymous | July 9, 2007 3:47 AM | Report abuse

What the article doesn't state is that not only would they have to refuse $60,000 in 5-cent donations (that would be 300,000 transactions) is that most processors charge about 25-cents per transaction, meaning that they would have also gotten stuck with potentially $75,000 in fees for that $60,000 in fraudulent donations. And that is not even including transaction fees to reverse the transactions and the cost of voiding or crediting transactions back, nor the $35 chargeback fees if they missed any of them.

Posted by: Brian | July 9, 2007 1:18 PM | Report abuse

Oops - must have hit the wrong key on the calculator. It's actually much worse:

Corrected:

What the article doesn't state is that not only would they have to refuse $60,000 in 5-cent donations (that would be 1,200,000 transactions) is that most processors charge about 25-cents per transaction, meaning that they would have also gotten stuck with potentially $300,000 in fees for that $60,000 in fraudulent donations. And that is not even including transaction fees to reverse the transactions and the cost of voiding or crediting transactions back, nor the $35 chargeback fees if they missed any of them.

Posted by: Brian | July 9, 2007 1:32 PM | Report abuse

To help combat Identity Theft, Citi Visa Card now provides I.D. Protection to all of its card members. The Discover Card also shows a strong initiative by offering a $0 payout for any fraudulent purchases.
http://financialdirectoryservices.com

Posted by: Ted Garrett | August 2, 2007 1:01 PM | Report abuse

The comments to this entry are closed.

 
 
© 2010 The Washington Post Company