How to “warm-up”/prepare a stolen account to commit gift card fraud

Fraudsters require patience to "warm-up" (prepare) stolen accounts to commit gift card fraud. Learn how it's done - and how to prevent fraud attempts.

Michał Barbaś, Intelligence Specialist, Vector Group

5 May 2022

19 min read

In this post, we will show you how one of the more novel ways of committing fraud works in practice. There are many types of fraud, and even more methods of committing each of them. The problem for people fighting fraud is that they often don't fully understand how fraudsters work: specifically, what they do, what tools they use, how they think and what they search for. On the dark web you can find the answers to these questions, and with this post we will bring the motives to light, hopefully helping merchants who fight fraudsters. Here you can find out how criminals combine card-not-present fraud with account takeover and how they warm up an account to impersonate a typical customer. We have based our text on a tutorial on how to defraud electronic gift cards in one of the biggest e-commerce shops on the Internet.

Getting started with fraud: the warm-up

There are many types of fraud that pose a threat to e-commerce companies. One example is carding, where fraudsters use stolen credit cards to pay for merchandise. As a result, the merchant loses the products and has to pay chargeback fees to the rightful cardholder whose card was stolen. Another big problem is account takeover (ATO), where a fraudster uses a stolen account for fraudulent purposes. Such an account can be hacked by the fraudster or its details purchased on the dark web. Stolen accounts can be used in many ways; for example, when an account has a pinned payment method (credit card, PayPal, gift card, air miles, refund balance, etc.), fraudsters can profit from it. For several years the most successful carders have combined these two types of fraud, using both a stolen credit card and a stolen account that belong to the same victim. How do they obtain these?

In fraudster slang, there is something called logs. These are usually harvested by botnets from computers infected with malware. This way attackers obtain useful data from compromised computers; a log usually consists of:

  • Logins: usernames and passwords to accounts;
  • Credit card data (number, CVV, expiration date);
  • Personal data such as ID scans;
  • Cookies;
  • Information about the compromised device (IP address, location, operating system; this data is handy for fraudsters when they want to imitate the victim);
  • Screenshots from the compromised device.

Logs are sold in dedicated shops on the dark web. Because of the extensive information they contain, logs provide the highest success rate in carding and ATO. They are used by mid-level and highly experienced fraudsters who know how to use them effectively. Gathering resources is usually the first phase for criminals who want to commit fraud. Obtaining good-quality materials is always an important part of being a successful craftsman, and it is no different for those involved in carding fraud.

Logs are very handy for fraudsters because they contain a lot of information that helps them commit fraud. Login details to various accounts are valuable in themselves; usually these are the credentials for every account used on the device. They may include e-commerce accounts, which are easy to defraud when they have a pinned payment method. Even an account with no pinned payment method is very convenient for fraudsters, because it is easier to defraud an old account that already has a positive purchase history. This is why carders look for stolen e-shop accounts.

Email accounts are another lucrative target that fraudsters can gain access to from logs. Email accounts are at the core of our digital lives: we use them for registering for other accounts, for resetting passwords, for receiving invoices, for communicating with banks and friends, and much more. They are one of the biggest sources of information about ourselves. Taking over an email account opens many avenues for fraud: taking out a loan in the victim's name, hijacking every account registered to that email address by resetting passwords, sending phishing attacks to the friends in the contact list, and so on. Information from hijacked email accounts combined with information from stolen social media accounts can also help a fraudster imitate the victim during a scam attempt, for example when pretending to be the victim on a call to the bank. Sometimes fraudsters find scans of the victim's documents saved in emails; these can be used for authentication or, worse, sold on the dark web. Each stolen account is worth its weight in gold to a fraudster.

[Image: details of a stolen cryptocurrency exchange account offered for sale]

Logs are not the only source of technical data about stolen accounts. On dark web markets, fraudsters can buy stolen cryptocurrency exchange accounts bundled with enough data to imitate the account owner. This imitation isn't perfect, and some details can be detected by profiling systems.

From logs, a fraudster can obtain details of the compromised user's device that are useful when imitating it. Device data such as the operating system, Internet browser, screen resolution, timezone and language can easily be spoofed (imitated). Fraudsters spoof them because it increases the chance of a successful account takeover (ATO). If an e-commerce website checks only basic data about users who log in, a fraudster who knows the victim's device data and spoofs it successfully will most likely succeed with an account takeover.

Among the data a fraudster wants to spoof, the IP address is a special case. It is almost impossible to present exactly the same IP address, so a fraudster will get an IP from the victim's general area. This is one of the most important resources to buy. Fraudsters do it not only to look like the victim, but also for their own security, to cover their tracks: if the police or the merchant later search for the fraudster, they will see the substituted IP address instead of the fraudster's real one. They can get such an IP using one of several technologies, the most popular being a VPN, proxies and RDP. The first two can be obtained legally and on the dark web, while the third is available only on the dark web.

[Image: the Uas-service shop listing hacked computers for sale as RDP access]

Uas-service was one of the best-known shops specializing in selling access to hacked computers over RDP. A fraudster could buy access to a hacked computer and then use it as a proxy when attempting crimes. The shop was seized by Russian law enforcement in February 2022. Fraudsters could choose the country, city, operating system and Internet capacity, and, importantly, they could even find hacked computers in small towns, whereas a VPN usually only gives an IP address from a big city.

The next important material from logs is cookies. These tiny files are generated by websites when a user visits them, and they are a great complement to stolen credentials and information about the victim's computer. Cookies can be inserted into a browser using special fraud tools or dedicated extensions available for some browsers. When a fraudster uses the stolen credentials and stolen cookies and changes their settings (browser, operating system, screen resolution, timezone, language) to match the real account owner's, most websites will recognize them as the real account owner. They must also change their IP address to one from the victim's area. Now the fraudster is almost ready to succeed with an account takeover.
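The point about profiling systems can be made concrete with a small check run at login. This added example (written for this post, not code from the original article or from any vendor) compares the reported device settings with the account's history, checks that they agree with what the exit IP implies, and notices a session cookie presented by a device other than the one that created it. The IP-intelligence table, the country-to-timezone table and every sample value are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed stand-in for an IP-intelligence feed (assumption, not a real lookup).
IP_INTEL = {
    "203.0.113.": {"country": "DE", "kind": "residential"},
    "198.51.100.": {"country": "DE", "kind": "hosting"},  # typical VPN / proxy / RDP exit
    "192.0.2.": {"country": "US", "kind": "residential"},
}
# Timezones a browser located in that country would plausibly report (constructed, partial).
COUNTRY_TZ = {"DE": {"Europe/Berlin"}, "US": {"America/New_York", "America/Chicago",
                                              "America/Denver", "America/Los_Angeles"}}

@dataclass(frozen=True)
class Device:            # the settings the post lists as spoofable
    os: str
    browser: str
    screen: str
    timezone: str
    language: str

@dataclass
class Session:
    device: Device
    ip: str
    cookie_id: Optional[str] = None   # session cookie presented at login, if any

@dataclass
class AccountProfile:
    known_devices: List[Device]
    cookie_devices: Dict[str, Device] = field(default_factory=dict)  # cookie -> device that minted it

def ip_intel(ip: str) -> dict:
    for prefix, info in IP_INTEL.items():
        if ip.startswith(prefix):
            return info
    return {"country": "??", "kind": "unknown"}

def score_login(profile: AccountProfile, session: Session) -> Tuple[int, List[str]]:
    """Return (score, findings); a higher score means the login is less consistent with the account's past."""
    findings, score = [], 0
    d, intel = session.device, ip_intel(session.ip)
    # 1. Has this exact device been seen on the account before?
    if d not in profile.known_devices:
        diffs = [f for f in ("os", "browser", "screen", "timezone", "language")
                 if all(getattr(d, f) != getattr(k, f) for k in profile.known_devices)]
        findings.append("new device, differs in: " + (", ".join(diffs) or "combination of known values"))
        score += 20 + 5 * len(diffs)
    # 2. Is the session internally consistent? Copied settings often disagree with the real exit IP.
    if d.timezone not in COUNTRY_TZ.get(intel["country"], {d.timezone}):
        findings.append(f"timezone {d.timezone} implausible for IP country {intel['country']}")
        score += 30
    if intel["kind"] != "residential":
        findings.append(f"IP is a {intel['kind']} address (VPN/proxy/RDP exit)")
        score += 25
    # 3. A valid session cookie presented by a device other than the one that created it.
    if session.cookie_id in profile.cookie_devices and profile.cookie_devices[session.cookie_id] != d:
        findings.append("session cookie replayed from a different device")
        score += 40
    return score, findings
```

A login that copies the victim's settings exactly and arrives from a residential IP in the victim's area scores 0 here, which is exactly the case the post describes; that is why the behavioural checks during the session matter as much as the device profile.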

Not all stolen accounts bought on the dark web have a pinned payment method, so fraudsters often have to buy stolen credit cards on the dark web as well. They can buy them in several places, although the most popular are dedicated shops selling stolen credit cards. Less popular are darknet markets (which are like eBay with illicit merchandise), dark web forums, or buying directly from stolen card vendors over messaging apps, an option usually used when both parties to a transaction know each other well. Buying good-quality credit cards is one of the keys to success. On the dark web, business reputation is everything, so fraudsters usually go to the most reputable places, such as the Joker's Stash shop (which closed in March 2021). If a fraudster buys a stolen credit card from an uncertain source, they risk all their effort, time and money going to waste.

When a fraudster has all these resources at their disposal, they have more opportunities to commit successful fraud attacks. There is a wide variety of browser-like fraud tools dedicated to committing scams. Some can be obtained for free, while others are paid for in cryptocurrencies. One interesting example is a tool that can be downloaded for free from a website that sells proxy servers from all over the world. Its main task is to run and organize a collection of proxy servers, which is more convenient than changing the proxy in the browser settings. It also has other useful features: it can spoof various browsers, operating systems, screen resolutions, time zones and DNS servers. The groups who make such tools usually care for their customers and provide documentation, often with video tutorials on how to use them.

[Image: antidetect carding tools listed on a darknet market]

Examples of carding tools that could be bought on one darknet market. A fun fact is that these tools have been available for free for many years, but here somebody is trying to sell them for $5.

Now, when all the resources are collected, the fraudster has to configure and set everything up. Everything should be configured to imitate the computer of the victim whose logs the fraudster bought on the dark web. When a fraud tool spoofs the victim's settings and routes traffic through the new IP address, fraudsters usually double-check that everything is working using a third-party website. One of the most popular among fraudsters is www.whoer.net, where anyone can check their IP address and computer settings such as the current operating system, browser, time zone, language and some other basic settings.

Once everything is ready, a fraudster can start their attack, which will be a combination of account takeover and carding. We could say that around 50% of their success depends on the previous steps: access to resources, tools, their quality and their configuration are among the deciding factors in the success or failure of a fraud attack. What else can a fraudster do to increase their odds? They can pretend to be a typical customer visiting an e-commerce website. Any unusual behavior can be fateful for fraudsters, so they try to look as normal as possible. Fraudsters prepare the merchant site for fraud in a process they call the warm-up. They do not avoid interaction with the merchant and its staff; quite the opposite, they engage as much as possible to appear to behave naturally. They spend a lot of time on the website, checking products, their ratings and details, customer reviews and recommended products, everything to imitate a regular customer. Below is a specific description of the warm-up process from one fraud tutorial.

[Image: step by step, how to warm up a stolen account]

The warm-up begins!

Step 1: Carefully choose your way of entering the targeted site.

Advanced fraudsters carefully choose a way of entering a target site. In this case, they enter an e-shop site directly, not through any link. They have to use a shop domain that matches the country of origin of the stolen data.

Example: If you have stolen an account/credit card/logs from Germany, you must enter the domain eshop.de instead of eshop.com. Fraudsters know that entering a shop in a different location than the user's can trigger alerts on some anti-fraud systems.

Step 2: Log in to the shop account.

Enter the login and password.

  • During account takeover fraud this is a critical moment because, if the shop has an anti-fraud system, it could detect a login attempt from a new device. Even if a new device is detected, the fraudster can still proceed with the account takeover using the account owner's email. But it is more efficient for fraudsters to imitate the victim's device using the resources mentioned above; this can be very effective if the shop doesn't use sophisticated profiling of its website users. In this case, we assume that the fraudster has imitated the victim's device successfully.

Step 3: Open a new tab with the shop’s menu.

Duplicate the shop in the browser, open a second tab with the shop menu. Go to account details and don't close this tab until the end of the process.

  • This tab has to stay open "in case of an emergency". During the next steps, the shop may ask for some cardholder information (such as the credit card expiration date, cardholder name, zip code, address, etc.). Fraudsters want constant access to everything the account owner would be expected to know.

Step 4: Evaluate shopping history on the stolen account

Before any purchase, the fraudster should evaluate the account owner’s purchase history. A fraudster should know details about the account owner's previous orders to avoid a huge disparity between old purchases and desired items. It’s important to remember:

  • the type of purchased products,
  • their average value,
  • shipment destination,
  • payment method.

Knowing this, a fraudster will be able to copy the account owner's style of shopping.

Step 5: Act like the owner of the account.

Now it is time for one of the main parts of 'warming up the account'. A fraudster has to check what has already been bought on this account, go through recommended products, check reviews and details, and then add products to the basket. If it is not a stolen account but a newly registered one, a fraudster has to browse various similar products. In this step, a fraudster imitates the behaviour of a customer who browses the shop while weighing up what to buy.

  • Look at any product from the order history and click on its recommendation list. If there is no recommendation feature in a given shop, just browse the same type of product. Check its details, reviews and questions from other clients, and add items to the basket. Repeat this process a few times, viewing each product at random intervals. Add around 10 products to the basket and behave as if you are contemplating buying them. Discard half of them and give the remaining items further views, each in an additional tab, spending 10-15 seconds on each product and looking again at its specifications etc. Discard products until only 1-2 remain in the basket. At any moment during this step, a fraudster can leave the account to rest for some time.

Step 6: Buy 1 product from the cart.

A fraudster will buy 1 physical product from the basket (it has to be a physical product that will be sent to the account owner's physical address). Although this is a fraudulent payment that uses a stolen credit card, the balance on the stolen account or another pinned payment method, it is done to warm up the account. In this step, a fraudster is still acting to increase their credibility for the fraud that has yet to be carried out.

  • If a merchant website detects a new device, a new IP, too many changes on the account (including the most crucial ones, such as updates to the address and contact data) and purchases shipped to a new address all within a short time, anti-fraud systems or a merchant employee could recognise that something is wrong. It is far less suspicious if a package is sent to the account holder's existing address, the one that has been used every time. It would seem that a fraudster has no interest in shipping a fraudulent package to the account owner's home address, because it would be of no gain to them, so the logical conclusion would be that it was not a fraudulent payment but a legitimate transaction made by the account owner. This is the legitimization a fraudster is looking for, and it will be useful for the next step.

Step 7: If the payment was successful, check the tracking status.

  • Even if a payment was successful, the package could be stopped at a later step. A fraudster has to ensure that everything goes as planned and the package is on its way to the account owner's address. If everything runs smoothly they can go to the next step.

Step 8: Repeat points 1-7 but finish with purchasing a gift card.

Repeat all previous warm-up steps, but this time a fraudster’s goal will be to buy their main target - a gift card.

  • This step consists of all the previous warm-up steps, starting with looking at old purchases. In this case, a fraudster wants to buy a digital gift card and, if possible, they should start with a product that looks similar to a gift card. If there is no similar product, a fraudster should browse various digital products such as game keys, coupons, tickets, or typical gift products. Using these as a way of steering towards gift cards, they then browse the various types of this product. There are numerous types of gift cards from different brands, so the choice depends on the shop's assortment and the fraudster's specific goal.

In this step a fraudster goes through various products, only to end up browsing gift cards or other digital merchandise. While looking at each of these products they view its details, reviews and photos, and look at similar products. Again they add around 10 of them to the basket, among them the gift card that is their final goal. Each product should be viewed in a different tab. After they have gathered 10 products in the basket, they view each of them again for 10-15 seconds and discard them one by one until only the gift card is left.

Step 9: Achieve the goal: purchase the gift card and commit fraud.

A fraudulent payment for a gift card.

  • This is the final phase (described below), in which the fraudster commits the main part of the fraud.

Step 10 (only if Step 9 failed): Repeat the warm-up activities.

If the gift card order is not accepted, repeat the warm-up (the previous step) after 5-10 minutes. Even though the previous step already belongs to the final stage of the fraud, the fraudster can return to warming up if a payment was not successful.

  • Giving an account a rest, in this example for 5-10 minutes, is one of the most popular warm-up techniques. Lack of patience is one of the fraudster's main enemies, because too many changes and actions on an account can raise a lot of suspicion. That is why, instead of making an immediate second attempt, the fraudster should wait for some time; waiting more than 10 minutes would not be a mistake. After a period of rest, warming up the account for a gift card should be repeated, but more carefully. In practice, this means spending more time than before looking at all the products, reviews and comments.
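Steps 6 to 10 above describe a sequence a defender can look for. As an added example (not part of the original tutorial or of this post), the following scorer checks a gift-card order against the account's order history and the current session: a physical order to the known address shortly before, a first digital product that breaks with the account's history, a payment instrument never seen on the account, and a retry a few minutes after a decline. The event fields, point values, thresholds and the constructed timeline are assumptions.

```python
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

def parse(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%d %H:%M")

# Constructed sample data (assumption): two ordinary physical orders in the account's history...
HISTORY = [
    {"time": "2021-11-03 18:12", "value": 25.0, "digital": False, "payment": "card_1111",
     "ship_to_known_address": True, "approved": True},
    {"time": "2022-01-20 20:40", "value": 40.0, "digital": False, "payment": "card_1111",
     "ship_to_known_address": True, "approved": True},
]
# ...and the current session, which follows the tutorial's Steps 6-10.
SESSION = [
    {"type": "login", "time": "2022-05-05 10:00", "new_device": False},  # device imitated successfully
    {"type": "order", "time": "2022-05-05 10:25", "value": 22.0, "digital": False,
     "payment": "card_2222", "ship_to_known_address": True, "approved": True},   # Step 6 warm-up order
    {"type": "order", "time": "2022-05-05 11:05", "value": 100.0, "digital": True,
     "payment": "card_2222", "ship_to_known_address": False, "approved": False},  # Step 9, declined
]
GIFT_CARD_RETRY = {"type": "order", "time": "2022-05-05 11:13", "value": 100.0, "digital": True,
                   "payment": "card_2222", "ship_to_known_address": False}       # Step 10 retry

def assess_gift_card_order(history: List[Dict], recent: List[Dict], order: Dict) -> Tuple[int, List[str]]:
    """Score a digital gift-card order against the account's history and the current session's events.
    Returns (score, reasons); every reason is one signal of the warm-up pattern described above."""
    hits = []  # (reason, points)
    values = [o["value"] for o in history]
    if history and not any(o["digital"] for o in history):
        hits.append(("first digital product on an account with only physical orders", 30))
    if values and order["value"] > 2 * max(values):
        hits.append((f"value {order['value']:.0f} exceeds twice the historical maximum {max(values):.0f}", 20))
    if order["payment"] not in {o["payment"] for o in history}:
        hits.append(("payment instrument never used on this account before", 25))
    t = parse(order["time"])
    for ev in recent:
        age = t - parse(ev["time"])
        if age < timedelta(0):
            continue  # ignore events that happened after the order under review
        if ev["type"] == "login" and ev.get("new_device") and age < timedelta(hours=24):
            hits.append(("login from a new device within the last 24 hours", 20))
        if (ev["type"] == "order" and not ev["digital"] and ev["ship_to_known_address"]
                and ev["approved"] and age < timedelta(hours=6)):
            hits.append(("physical order to the known address shortly before (warm-up purchase)", 25))
        if (ev["type"] == "order" and ev["digital"] and not ev["approved"]
                and timedelta(minutes=3) <= age <= timedelta(minutes=15)):
            hits.append(("retry of a declined gift-card order after a few minutes' rest", 25))
    return sum(p for _, p in hits), [r for r, _ in hits]

def decide(score: int) -> str:
    """Map the score to an action: allow, queue for manual review, or require step-up verification."""
    return "step_up" if score >= 90 else "review" if score >= 50 else "allow"

if __name__ == "__main__":
    score, reasons = assess_gift_card_order(HISTORY, SESSION, GIFT_CARD_RETRY)
    print(decide(score), score, *reasons, sep="\n  ")
```

The same account owner buying a modest gift card with their usual card and no warm-up activity in the session scores only the "first digital product" signal and is allowed, so the rules key on the sequence rather than on gift cards as such.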

The final phase of the fraud activity: buying gift cards

The next phase after warming up is the actual fraudulent act: the moment when a fraudster makes a fraudulent payment. They can do it using a stolen credit card or a payment method pinned to the stolen account. As mentioned previously, the success of this action relies on the previous phases: gathering proper resources, configuration and the warm-up. If this final step doesn't work, a fraudster can return to the previous phase, for example by making another, more extensive and much longer warm-up attempt.

If a fraudster is successful, they receive the gift card at an email account registered only for that purpose. There are two main ways of using this gift card: to sell it or to use it. Fraudsters can take a risk and sell it on legal platforms, or else sell it on the dark web. Here we must mention that selling non-working gift cards is one of the most popular scams on the dark web. Yes, fraudsters scam each other very often. It is easier to scam other dishonest dark web users than to defraud an online shop, so many fraudsters choose this way of making money. Most dark web citizens know that, so it is hard for somebody without a good reputation as a seller to sell stolen gift cards. For this reason, on the dark web you can find wholesale buyers who purchase stolen gift cards from other fraudsters and then resell or use them.

The other option is to use gift cards to obtain other more expensive goods. There are various types of gift cards, some can be used for a variety of products, others only for computer games. It is always easier for fraudsters to work with digital goods because in this case, they don’t have to organize a safe home address to receive fraudulent packages. Furthermore, there is always a risk that fraudulent purchases of gift cards can be discovered and the gift card subsequently deactivated, therefore, fraudsters have to hurry to use or sell them.

And the final question is: what to do with the account that was used for the fraudulent activity? Fraudsters can wait several days to see if anything happens, for example whether the password has been changed. If not, there is a chance that the account owner remains unaware that anything suspicious has occurred, and the fraudster can attempt another fraud using the same account. If a fraudster commits one fraudulent act using an account, what is to stop them from trying again?

[Image: a Netflix gift card offered on a dark web market]

Defrauded digital gift cards can also be sold on dark web markets. Here is a Netflix gift card on a [now defunct] darknet market. It could be bought using various cryptocurrencies: Bitcoin, Monero, Litecoin or Bitcoin Cash.

Ready to detect fraud just like Azul?

Start measuring fraud attacks today and find out if there are bots attacking your site. Arrange a call to discuss a tailored solution or explore our platform for free.
