When large data breaches like the infamous ones at Target or Home Depot take place and millions of cardholders’ information has been stolen, it usually ends up on underground markets, where it’s sold in bulk. Many times, this information is purchased by criminals and used to create counterfeit cards to make purchases at brick-and-mortar stores. But with nearly 70% of credit cards currently EMV compliant (with chips) and debit cards slated to follow this year, making fraudulent purchases with counterfeit cards is becoming more difficult. As we’ve mentioned many times before, fraud is expected to shift to card not present channels, and the criminals have adapted with elaborate and sophisticated schemes to cash in on any weakness in the system they can find. Hewlett Packard Enterprise’s “Monetizing Stolen Credit Card Data” report gives us a window into the processes they’re employing to defraud U.S. cardholders and merchants of over $1 Billion each year.
Many of the large-scale criminal organizations that HPE investigated are based in Eastern Europe, a location many U.S. retailers will no longer authorize e-commerce shipments to, based on the high propensity for fraud. Because U.S. goods are so highly desirable, these criminals have built sophisticated reseller operations to purchase and ship these goods so that they can resell them for profit.
Organizational Structure
Reshipping operations seem to require relatively little setup, as many identified by HPE have only been in existence for a couple of months. While many were new, a handful of the sites have been open for several years. One single operation that HPE investigated processed $1.5 Million in merchandise in 2015, which turned a $1 Million profit.
The operations have four main roles:
- Bosses/Operators - these individuals are the keys to establishing the operation and organizing each respective party in the chain.
- Admins - the admins are responsible for the day-to-day maintenance of the website and the workflow of getting products purchased and to a drop for reshipment. They are also responsible for recruitment and engagement of stuffers and drops.
- Stuffers - the stuffers are the people responsible for purchasing the products online, and then selecting a drop to receive the goods.
- Drops - these folks are located in countries where e-commerce transactions are trusted and will be shipped to. The merchandise is paid for by someone called a “stuffer,” but shipped to a drop, who then turns around and reships the product to the desired end location - where the boss/operator is located.
How Drops Get Recruited
Much like card cracking operations, reshipping recruiters prey on low-income individuals, often financially desperate and therefore easily convinced to join the operation without ever realizing they’re engaging in criminal activity. HPE also found many drops tend to be transient people, with a history of changing addresses often.
The admins responsible for recruiting drops have created a well-oiled machine of a process. Many of the “job postings” provide no clear reference to illegal activity, and promise a pretty big payoff for what seems like a fairly simple and straightforward job. Their postings are often found in Facebook groups for people looking to make quick money at home, and often look and feel legitimate. HPE found some operations that received over 1000 applications. The employment process follows standard practice with onboarding emails and the applicant handing over personal details such as government IDs, but to a shadow company that doesn’t actually exist.
The reshipping operations offer lucrative pay options to attract drops - which largely fall into one of two buckets.
- Drops are promised a base pay (sometimes as high as $750/week), plus a commission for whatever is shipped
- Drops are paid a flat rate per package shipped (i.e. $26/pkg)
Unfortunately for the drops, they are rarely ever paid. They’re usually promised monthly payments, and after about 45 days of work and no payment, the drop usually then realizes they’ve been part of a scheme. They often have no recourse for their time (or personal information that’s been handed over), and no way to contact the fake company.
With the volume of applications coming in from people, the reshipping organizations have realized that the acquisition cost of getting new replacement drops every month is actually cheaper than paying and retaining the existing ones. This creates a very isolating experience for drops, since they’re never exposed to the internal workings of the business, and are churned through at a very fast clip.
How the Goods Get to Eastern Europe
Once the drops receive the goods, they then reship the merchandise directly to Eastern Europe or through a shipping aggregator with prepaid labels that are supplied to them by the admin.
This process is usually facilitated through completely legitimate shipping services such as FedEx, UPS or other companies that specialize in shipping goods between the U.S. and Eastern Europe.
The use of drops makes it difficult for retailers to know which transactions are in fact, fraudulent. Several months ago on the Rippleshot blog, we covered the uptick in e-commerce shipment address changes, with specific examples of how fraud is being committed using those tactics. Check it out below: