A money-laundering fraud ring is targeting donation sites, taking advantage of the outpouring of charity sparked by the global pandemic.
Dubbed Cart Crasher by the Sift security firm, the fraud ring leverages guest checkout options on donation sites to steal money and launder stolen payment cards.
The scheme is straightforward: First, fraudsters set up recipient accounts on various donation sites. Then, they create and post fake causes for which to receive donations.
From there, the crooks use automated scripts, stolen credit cards, and fake usernames and emails to “donate” thousands of dollars to their own fabricated causes. The donations are made in denominations of $5 or less. Checking out as a guest, which skips the need to create accounts, makes the activity much harder to trace.
“Using stolen credit cards, fake accounts, and automated scripts to do the dirty work, this fraud ring repeatedly funneled small amounts of money to themselves by setting up fake causes on various giving sites in order to request donations,” according to Sift’s annual report on evolving fraud tactics, released Wednesday.
According to Sift, Cart Crasher achieves a dual purpose with its strategy: The fraudsters can test stolen payment information to see if it’s valid, and they can also steal and then clean funds from the stolen accounts.
The time is right for such an approach, given that charitable giving is surging.
“In 2020, the pandemic drove online giving up by 21 percent, providing cover to fraudsters who hide behind traffic and transaction surges, knowing that many merchants won’t be equipped to handle scaling demand and rising fraud simultaneously,” according to the report. “With automation to execute these illicit transactions at inhuman speed, it’s a scheme with the potential to cheat merchants and consumers out of thousands of dollars—and allow fraudsters to use those ill-gotten gains to buy more stolen data on the Dark Web.”
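The pattern described above (many guest-checkout donations of $5 or less, from different cards, landing on one cause in a short time) can be expressed as a simple velocity rule on the merchant side. The following is an added example, not code from Sift or from the article; the record fields, the `card_fp` card fingerprint, the 10-minute window and the count thresholds are all assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed thresholds for illustration only; tune against real traffic.
MAX_AMOUNT = 5.00               # the article: donations of $5 or less
WINDOW = timedelta(minutes=10)  # assumed burst window
MIN_DONATIONS = 5               # assumed: small guest donations per window
MIN_DISTINCT_CARDS = 4          # assumed: many different cards hitting one cause

def flag_campaigns(donations):
    """Return {campaign: (donations, distinct_cards)} for the largest
    qualifying burst of small guest-checkout donations per campaign."""
    by_campaign = defaultdict(list)
    for d in donations:
        if d["guest"] and d["amount"] <= MAX_AMOUNT:
            by_campaign[d["campaign"]].append((d["ts"], d["card_fp"]))
    flagged = {}
    for campaign, events in by_campaign.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it spans <= WINDOW.
            while events[end][0] - events[start][0] > WINDOW:
                start += 1
            window = events[start:end + 1]
            cards = {fp for _, fp in window}
            if len(window) >= MIN_DONATIONS and len(cards) >= MIN_DISTINCT_CARDS:
                flagged[campaign] = max(flagged.get(campaign, (0, 0)),
                                        (len(window), len(cards)))
    return flagged

# Constructed sample records (not real data). card_fp is a hypothetical
# per-card fingerprint such as a payment processor token.
T0 = datetime(2021, 4, 1, 12, 0)
SAMPLE = [
    {"campaign": "c-fake", "guest": True, "amount": 1 + i % 5,
     "card_fp": f"fp-{i}", "ts": T0 + timedelta(seconds=30 * i)}
    for i in range(6)
] + [
    {"campaign": "c-real", "guest": True, "amount": 5,
     "card_fp": f"fp-r{i}", "ts": T0 + timedelta(hours=i)}
    for i in range(3)
] + [
    {"campaign": "c-real", "guest": False, "amount": 50,
     "card_fp": f"fp-m{i}", "ts": T0 + timedelta(minutes=i)}
    for i in range(4)
]

if __name__ == "__main__":
    print(flag_campaigns(SAMPLE))
```

Requiring several distinct cards keeps a single donor who gives repeatedly from tripping the rule, at the cost of missing a script that reuses one card.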
Evolving Fraud Tactics
Sift also found that cybercriminals in general have evolved their payment-fraud tactics over the course of the last year. Based on data from more than 34,000 apps and websites, researchers found a 69 percent increase in average attempted fraud value since last year, across multiple verticals. The firm said that this is a clear sign of automation at work: Bots, scripts and malware are taking advantage of easier-to-use checkout experiences and password reuse to do more damage in less time.
“The combination of tech and new tactics is causing the most concern…fraudsters are weaving them together to supercharge new, sophisticated patterns of attack,” according to Sift. “Fraudsters are as knowledgeable about the mechanics of digital commerce as the legitimate merchants they target. They can accurately identify security vulnerabilities, and know how to use a merchant’s success against them. As internet traffic surged last year by between 50 to 70 percent, the amount of money spent by online shoppers nearly doubled. Fraudsters seized on climbing transaction volumes and unanticipated consumer behaviors like stockpiling.”