March 13, 2018
Cybercrime: Exploiting Security Weaknesses in Online Merchant Platforms
Posted November 16, 2017
Cybercrime has evolved from individual lone wolves committing fraud purely for personal profit into a sophisticated and networked criminal industry.
As this criminal industry has grown, so has the scope of its many illicit activities – including raising and laundering money for terrorists.
Indeed, the Internet is vast and anonymous, and offers a large number of ways for cybercriminals to abscond with someone else’s money. Some of the most common channels previously exploited by cybercriminals include cryptocurrency services, crowdfunding platforms, charity websites and social media channels.
Always on the lookout for their next target, these sophisticated cybercriminals are now exploiting the security weaknesses in various online marketplaces to raise and launder money.
Who are we fighting?
You can only fight your enemy once you know who it is. Cybercriminals communicate, collaborate, and work in highly organized, networked groups, launching cyberattacks that are increasingly sophisticated, have severe consequences and often serve political purposes.
And the motivations for these cybercriminals are as varied as the attacks themselves. Be it for the monetary gain of an individual or larger criminal organization, or strictly for manipulation, the ultimate goal obviously dictates the appropriate attack strategy.
For example, sabotage of any kind – political or otherwise – would require immaterial assets, such as knowledge and media distribution. For this purpose, cybercriminals often target media services, favoring social engineering attacks to steal credentials, collect data and create fake accounts on media platforms, similar to the bot attack on the FCC earlier this year.
Conversely, making a profit would require the stealing of material assets, such as identity credentials or credit card information. To achieve this objective, cybercriminals would most likely target eCommerce and financial services organizations with, for example, advanced account takeover tactics.
Fake accounts on merchant platforms
Financial services organizations, including lending, crowdfunding, and e-currency platforms, are obvious hack targets because they present a clear opportunity for monetary gain. This means cybercriminals must develop particularly sophisticated attacks to bypass established defenses.
These primary targets often have robust and effective defenses in place, prompting cybercriminals to turn their attention to easier targets, including fundraising platforms, charities and some e-marketplaces. In August, the Wall Street Journal revealed that U.S. investigators discovered how a cybercriminal was funding ISIS by “selling” non-existent computers and printers through a famous online marketplace.
Unfortunately, this type of attack happens every day. Fraudsters create fake merchant accounts and pretend to sell non-existent goods, enabling them to raise a significant amount of money. According to the Financial Times, this strategy has raised $200 billion a year for fraudsters in the U.S. alone, from around 335,000 unregistered merchants.
How to stop it?
In theory, stopping this type of fraud seems simple: organizations need to know with certainty who is on the other end of a transaction. But how can eCommerce organizations monitor the massive number of transactions they receive each day? Even if they can achieve this goal, how can they distinguish good customers from fraudsters when both interact anonymously on the web?
Fortunately, fraudsters leave many signals behind that make them identifiable. New technologies have the capabilities to collect, compare and analyze these signals on a real-time or near-real-time basis. To prevent fraud, eCommerce and payment services providers can leverage a multitude of information about each and every transaction – what device is used, where the user is located, what the user’s linked accounts are, how many devices this consumer commonly uses and whether any of their apps are corrupted.
With all of this data, businesses can get a more accurate picture of the person on the other end of a transaction, be it a legitimate user or some type of cybercriminal.
Will this be enough to stop terrorist funding? Of course not. But, as more avenues close, terrorists will be left with fewer options. And, that’s a good start.