Thieves Utilize Triangulation Fraud on Auction Sites

by Tim Sloane 0

This article from the Krebs on Security web site identifies how stolen cards can convert an auction site into an ATM:

“How do fraudsters “cash out” stolen credit card data? Increasingly, they are selling in-demand but underpriced products on eBay that they don’t yet own. Once the auction is over, the auction fraudster uses stolen credit card data to buy the merchandise from an e-commerce store and have it shipped to the auction winner. Because the auction winners actually get what they bid on and unwittingly pay the fraudster, very often the only party left to dispute the charge is the legitimate cardholder.

So-called “triangulation fraud” — scammers using stolen cards to buy merchandise won at auction by other eBay members — is not a new scam. But it’s a crime that’s getting more sophisticated and automated, at least according to a victim retailer who reached out to KrebsOnSecurity recently after he was walloped in one such fraud scheme.”

The scheme is conducted as follows:

“The scheme works like this: An auction fraudster sets up one (or multiple) eBay accounts and sells legitimate products. A customer buys the item from the seller (fraudster) on eBay and the money gets deposited in the fraudster’s PayPal account.

The fraudster then takes the eBay order information to another online retailer which sells the same item, buys the item using stolen credit card data, and has the item shipped to the address of the eBay customer that is expecting the item. The fraudster then walks away with the money.

One reason this scheme is so sneaky is that the eBay customers are happy because they got their product, so they never complain or question the company that sent them the product. For the retailer, the order looks normal: The customer contact info in the order form is partially accurate: It has the customer’s correct shipping address and name, but may list a phone number that goes somewhere else — perhaps to a voicemail owned and controlled by the fraudster.”

While sophisticated analytic tools can be applied to this type of fraud, one company discovered a low tech mechanism that effectively blocked a bot that was conducting triangulation fraud on its web site:

“Bill said he believes the orders may have been placed by automated “bot” programs running on instances of Amazon’s EC2 platform (instances that were also likely paid for with stolen card data).

“The fraud kept going until we put in some things that blocked his bots at Amazon EC2 from transacting with our site,” Bill said.

Bill allowed that he can’t prove it wasn’t just a human manually transacting from all those EC2 systems. However, another security measure that Bill’s company established to fight triangulation fraud lends credence to the theory that some sort of automated EC2-based bots may indeed be involved in placing the unauthorized product orders. Bill’s firm put new data fields in the part of the checkout process where customers type in their name and address. This trick uses data fields that are hidden from regular Web site visitors but that are still visible on the site to computers and Web crawlers.

The idea is to separate orders made by humans from those entered by automated bots. Although the latter may dutifully supply some phony requested data in the new data fields, legitimate, human customers would never input data into those extra fields because they can’t see the information being requested in the first place.

‘Blocking EC2 purchases and the data fields have worked really well blocking this fraudster’s bots from spamming our email forms,’ Bill said.”

Overview by Tim Sloane, VP, Payments Innovation at Mercator Advisory Group

Read the full story here