eCommerce Payment Fraud: how fraudsters “warm up the shop”

While initiating eCommerce payment fraud, fraudsters seek to “warm up the shop”. Discover what set of actions they undertake to mask their true identities.

Michał Barbaś, Intelligence Specialist

22 July 2021

The process of carding, or of using a stolen e-commerce account for fraud, can be divided into several key phases. In the first phase, the fraudster gathers the resources needed for fraud: stolen shop, email, bank or payment-service accounts, stolen credit cards, resources for IP anonymisation (such as a proxy, VPN or RDP) and specialist fraud tools. The second phase involves preparing and configuring all of these resources and software. In the third phase, the fraud attack is initiated on the targeted website. The later phases are the main attack (such as placing orders with fraudulent payment methods) and “cleaning up” after the fraud. This blog post is specifically about the third phase, which is rarely described in the blogosphere. While initiating a fraud attack on an e-commerce website, many fraudsters seek to “warm up the shop”: a set of tricks and actions that aim to make the fraud easier and to deceive the merchant by behaving like a normal customer.

First step: acquire a stolen account

The ultimate goal of fraudsters working on e-commerce websites is simply to get what they want using fraudulent resources. This can be achieved by using a stolen account that can be bought on the Darkweb for several US ve the impression of being an ordinary customer. Red flags are raised when an expensive product is bought on a newly created account, or on an old account from a new device (the fraudster logs in from their own device because they cannot always imitate the account owner’s machine). To avoid this, a fraudster can try to imitate normal customer activity on the website, give the account time to mature, and even contact the merchant’s customer services.

How fraudsters trick anti-fraud systems (act like a real customer)

There are many actions a fraudster can take to ‘act like a customer’.

1. The first thing a fraudster does on a stolen e-commerce account is evaluate the shopping history.

The fraudster aims to learn the details of the account owner's previous orders, to avoid a huge disparity between the earlier legitimate purchases and the new fraudulent ones. Importance is placed on the type of products bought, their average value, the shipping destination and the payment method. Knowing this, the fraudster can mimic the account owner's shopping behaviour; in other words, they can choose products of similar price and type.

2. The next warm-up step is to browse shops.

They look at various products, add some of them to the shopping basket, read recommendations and check products similar to those they have already viewed. All of this should take some time. Finally, right before making a purchase, the fraudster can remove the unwanted merchandise from the basket and buy only what they need.

3. Fraudsters who use stolen accounts sometimes choose to buy something and send it to the account owner’s address.

In such a case this purchase is also treated as a warm-up exercise. In some anti-fraud systems, sending the first package to an old, known address can legitimise the device used by the fraudster to log in to the stolen account.

And here fraudsters have two ways of dealing with a package sent to the account owner's home.

  • The first is to treat it as a ‘cost of doing business’. If a fraudster considers it an investment that ensures the fraud will succeed, they will probably send some cheap product to the account owner. All in all, the fraudster's goal is to make money, and they have already spent money on the stolen account and on resources to hide their IP (VPN, proxy or RDP). A further drawback, beyond the cost, is that the account owner may quickly notice that something fishy is going on with their account and immediately contact the shop or bank to block the fraud attempt.

  • The second method is to cancel the purchase before it reaches the account owner, but only after the fraudster has made all the planned fraudulent purchases on the account. Without an unwanted package arriving, a fraudulent purchase is harder for the account owner to spot. They can still find out from the order confirmation sent to their email account, which is why a fraudster with the necessary skills may attempt to take over that email account as well. The cancel-order method can also give fraudsters additional funds to spend: in some online shops the money is returned as a refund balance, and committing fraud through such a balance can sometimes be easier than through other payment methods. In some cases, fraudsters aim to commit the fraud precisely through this refund balance.

Patience is a fraudster’s virtue…

Successful fraudsters don’t do things in a rush. Quite the opposite: all activities on a hijacked account, or on a freshly created one in the stolen credit card owner's name, have to be done leisurely. All the aforementioned steps, like browsing through the shop or looking at recommendations, should take some time, just as they would for a normal customer. A great many fraud tutorials advise waiting after account registration to let the account age. Such ‘rest’ periods are taken not only after registration or first login; a patient fraudster also pauses after warming up the shop account and before placing an order. For example, they could add the products they intend to purchase fraudulently to the basket and then leave it for several days before taking action.

If a fraudster lacks the patience to do all of this, they can use a dedicated fraud tool that automates a large part of the warming-up process. It browses through a chosen shop so that the fraudster does not have to spend time on this tedious activity. Such tools are available on many Darkweb forums.

Setting up a bond between a fraudster and a merchant

One piece of brazen fraudster behaviour that most people don’t expect is contacting the merchant to get additional information about the order. During this contact, the criminal commits no visible fraud; at this point they are merely claiming to be the account owner or the holder of the stolen credit card. Impersonating another person is a core feature of many crimes, but at this stage nothing is done to extort anything from the merchant’s customer services. It is a warm-up method that uses social engineering to build a bond between the fraudster and a merchant employee, who will take it for a routine engagement with a customer. Passing a verification process later becomes easier when merchant employees already know the fraudster as a client who has contacted them before.

During an apparently regular customer enquiry, a fraudster can ask many questions about the products they intend to order: product details, shipment safety precautions, delivery times, payment details and so on. The idea is to imitate a real customer who wants to buy from the targeted shop.

Fraudsters can, for example, pretend to be using the e-commerce website for the first time, so that any mistakes they make during the ordering process look natural. Passing verification during future transactions is easier because the merchant’s employees already know the fraudster-client who has contacted them and read them as a friendly customer who simply wants to receive their package.

Fraudsters can make contact either by phone or by email. The first requires more preparation, because spoofing a phone conversation is more troublesome than spoofing an email exchange. The criminal has to possess tools to spoof the victim's phone number and a convincing way of altering their voice, which is harder still if they have to imitate the opposite gender or a different age or accent. Fraudsters also have to speak their victim’s language (remember that fraud is an international crime; the criminal is often located in a different country from the victim). The preferred and simpler method is to spoof the victim's email, mainly because the fraudster does not have to communicate by voice: in writing, anyone can imitate any gender, age and other personal traits. Furthermore, by email fraudsters can send scans of forged documents to further legitimise their attempt, and customer service usually has no way of checking whether such scans have been doctored.

The trial and error approach

The ‘warm up’ method is made up of several techniques for initialising a fraud attack on an e-commerce website. The main steps are to behave like a customer, initiate contact with the merchant’s customer services, and give the account time to mature. Although all these steps can be reinforced by technical tools, the core element is non-technical: a combination of social engineering, patience and imitating customer behaviour during browsing sessions. Social engineering (for example, contacting merchant customer services while impersonating the cardholder) can be countered with adequate customer service training. Fraudsters’ behaviour on websites can be detected by anti-fraud systems, and machine learning models can pick up a pattern in fraudster behaviour when, for instance, they try to warm up a tenth account in a row on the same day. Even if they try their best to behave like a normal customer, their recurring activities across different accounts can be detected.

It has to be mentioned that fraudsters usually try to defraud one specific website numerous times. They know that the first few attempts may fail, so they use various methods in a trial-and-error approach. Once they succeed, they will attack again and again, because they have found an effective way to do so. Their recurring behaviour on the website is one of the ways to catch them. As mentioned above, there are also fraud tools for warming up the shop; these use automated bots to browse the shop in place of the fraudster, and their artificial way of behaving can be spotted by anti-fraud systems. If fraudsters today are using new computer technologies to defraud shops, wouldn't it be good for those trying to beat them to use the same approach to defend against them?
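As an added example (not Nethone's code or a description of its product), the Python sketch below shows the kind of recurring-behaviour check the two paragraphs above describe: it flags a device fingerprint that runs the browse, basket, purchase sequence across several distinct accounts on the same day. The session records, device and account names and the threshold are constructed for illustration.

```python
from collections import defaultdict

# Constructed session records (not real data): day, device fingerprint,
# account, and the ordered actions observed in that session.
SAMPLE_SESSIONS = """\
2021-07-01 dev-A acc-1 login,view_product,view_product,add_to_cart,purchase
2021-07-01 dev-A acc-2 login,view_product,add_to_cart,remove_from_cart,add_to_cart,purchase
2021-07-01 dev-A acc-3 login,view_product,add_to_cart,purchase
2021-07-01 dev-A acc-4 login,view_product
2021-07-01 dev-B acc-9 login,view_product,add_to_cart,purchase
2021-07-02 dev-A acc-5 login,view_product,add_to_cart,purchase
"""

# The browse -> basket -> buy pattern the post describes, in order.
WARMUP_STEPS = ("login", "view_product", "add_to_cart", "purchase")

def parse_sessions(text):
    """Yield (day, device, account, [actions]) from the record format above."""
    for line in text.splitlines():
        day, device, account, actions = line.split()
        yield day, device, account, actions.split(",")

def follows_warmup(actions, steps=WARMUP_STEPS):
    """True if `steps` occur in `actions` in order; other actions may be interleaved."""
    remaining = iter(actions)  # shared iterator: each step is searched after the last
    return all(any(a == step for a in remaining) for step in steps)

def warmed_accounts(sessions):
    """Map (device, day) -> set of accounts whose session ran the full warm-up."""
    seen = defaultdict(set)
    for day, device, account, actions in sessions:
        if follows_warmup(actions):
            seen[(device, day)].add(account)
    return seen

def flag_devices(text, threshold=3):
    """Return {device: [accounts]} for devices that warmed up at least `threshold`
    distinct accounts on one day; a genuine shopper rarely does this."""
    flagged = {}
    for (device, day), accounts in warmed_accounts(parse_sessions(text)).items():
        if len(accounts) >= threshold:
            flagged[device] = sorted(accounts)
    return flagged

if __name__ == "__main__":
    print(flag_devices(SAMPLE_SESSIONS))  # {'dev-A': ['acc-1', 'acc-2', 'acc-3']}
```

In production the same idea is usually run over a sliding window with a device fingerprint rather than a plain identifier, but the threshold logic is the same.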


If you liked this article and would like to prevent similar fraudulent activities from occurring in your business, Nethone's anti-fraud solution is perfect for you.
