In 2023, a host of indications suggested that the payment fraud underground has recovered from the system shocks that occurred in 2022 following Russian law enforcement’s crackdown against domestic cybercriminals and the full-scale Russian invasion of Ukraine that followed. The volume of cards posted for sale on dark web carding shops has recovered; cybercriminals have refined their techniques for stealing funds and data; despite a major disruption, dark web card-testing services continue to flourish. Moreover, fraudsters’ reliance on social engineering and increasingly sophisticated cyber-based tools and tactics throughout 2023 suggests that they are up to the challenge of bypassing rules-based fraud detection and prevention programs to enact their criminal schemes.
The 2023 events and fraud trends analyzed in this report offer a glimpse into the payment fraud threat landscape for 2024. The data discussed in this report represents an obvious risk of financial fraud for financial institutions (FIs), payment processors, merchant services providers, and other stakeholders. Less obvious is the reputational risk for FIs: trust, like any other currency, is transactional, and potential FI failures to prevent payment fraud ultimately chip away at customer trust and willingness to do business with those FIs. To reduce these risks, stakeholders should leverage comprehensive reanalysis of merchants that have likely been breached and card accounts that have experienced fraud to identify indicators of compromise, then extrapolate these indicators across a wider population to proactively identify potential threats. This approach would increase the value derived from fraud prevention efforts in return for increased operating costs, particularly as they relate to implementing an effective “analytical loop”. Nevertheless, for many stakeholders, the financial and reputational benefit of reduced payment fraud would likely outweigh increases in operating costs.
Looking ahead, the events and trends of 2023 indicate that 2024 will likely witness continuing growth in hybrid cyber-fraud threats as well as a persevering — if not flourishing — card fraud underground. The risk implication is that stakeholders should view payment fraud as a hybrid cyber-fraud threat and allocate business resources accordingly, which they can achieve through increased resource-sharing between cyber threat intelligence (CTI) teams and fraud teams and the concerted development of specific use cases for coordination, such as the analytical loop recommended above. Most stakeholders would likely garner net financial benefits from a cyber-fraud fusion approach to fraud prevention as a result of improved business outcomes and operational efficiencies.
Payment fraud occurs in a life cycle (Figure 1). By analyzing the data trends and events related to each stage of this life cycle, stakeholders in the payments ecosystem — including FIs, payment processors, merchant services providers, and others — can gain key insights to mitigate the risk of fraud.
Figure 1: Payment card data is often stolen, sold, and monetized within a greater fraud life cycle (Source: Recorded Future)
As covered in our previous annual report, 2022 was a year of system shocks. Russia’s 2022 cybercrime crackdown and subsequent full-scale invasion of Ukraine early in the year reverberated throughout the card fraud underground. As a result, the volume of payment cards posted for sale on dark web carding shops in 2022 contracted by 38%, shrinking from over 90 million cards in 2021 to under 60 million.
Despite these system shocks, fraudsters demonstrated remarkable adaptability and resilience in the face of adversity throughout 2022:
This report is based on an analysis of data from dark web and clearnet sources, including dark web carding shops, dark web marketplaces, dark web forums, dark web card-testing services, Telegram Messenger channels, and open-source reporting, including previous reporting from Recorded Future. This report also includes data from Recorded Future’s proprietary Magecart e-skimmer scanner, Magecart Overwatch. Transaction analysis used to identify sources of breached data and enriched merchant information for this report was achieved in collaboration with partner FIs. The data we analyzed in this report was collected from January 1, 2023, to November 30, 2023.
In 2022, we predicted that the future of the payment fraud market in 2023 would remain highly dependent on the outcome of Russia’s war in Ukraine. In reality, however, the payment fraud threat landscape of 2023 has demonstrated that threat actors were far more resilient than we anticipated.
This report covers major 2023 fraud trends, updates, and what those findings mean for the payment fraud threat landscape in 2024. We organize this report by the stages of the payment fraud life cycle, beginning with card compromise and ending with an analysis of the fraud schemes threat actors used to monetize stolen data in 2023.
Throughout 2023, threat actors developed their tools and tactics, techniques, and procedures (TTPs) to combine old methods and new tricks, refining techniques in a manner that will likely continue in 2024.
Throughout 2023, Magecart e-skimmer infections remained arguably the premier example of how threat actors enable fraud through cyber tactics, techniques, and procedures (TTPs), a trend that is unlikely to change in 2024. Magecart e-skimmers collect customer information and payment card data during the e-commerce checkout process, and many e-skimmers replace legitimate payment card data collection forms with a facsimile to bypass payment gateway configurations.
The attack chain for a Magecart e-skimmer infection typically looks as follows:
Magecart merchant infection data offers insight into whether a card is likely to have been compromised before that card is posted for sale on dark web carding shops.
Infection Status | All Infected E-commerce Hosts | Currently Infected E-commerce Websites |
Active during 2023, regardless of when the infection occurred | 5,700 | 1,900 |
First detected during 2023 | 3,500 | 1,000 |
Table 1: Of all e-commerce hosts that were infected throughout 2023 (regardless of when they were infected), more than half actually sustained their infections in 2023, and around 1 in 3 remain infected as of this writing (Source: Recorded Future)
Ultimately, we identified multiple Magecart campaigns throughout 2023, each with their own specialized TTPs. Notable 2023 campaigns included Megaebun, Kritec, Grelos GTM, flex-query, and gopay. Throughout the year, the primary TTPs used in Magecart infections (for example, payment form replacement, injection of e-skimmer code, obfuscation of e-skimmer code, and more) remained fairly consistent. We also continued to see Magecart actors using platforms such as Google Tag Manager (GTM), Telegram Messenger, and attack-carrier domains — that is, legitimate websites abused by threat actors to host e-skimmer files or receive stolen data — as attack infrastructure. These TTPs are likely to remain widespread in 2024.
Meanwhile, we observed several key advancements that demonstrate Magecart actors continue to refine their TTPs for evading detection, including:
In 2023, the overwhelming majority of infections targeted e-commerce businesses frequented by US customers, part of a historical trend that is likely to continue in 2024. Nevertheless, merchants in other countries with developed e-commerce sectors also faced the risk of e-skimmer infection (Figure 2).
Figure 2: This map displays the concentrations of e-skimmer infections targeting online e-commerce customers in various countries, with logarithmic values used to enhance contrast. For infections where e-commerce website traffic data used to determine the infection’s targets was unavailable, we supplemented the chart with the merchant’s domain hosting and business headquarters geodata. (Source: Recorded Future, Similarweb)
Throughout 2023, we worked with partner FIs to identify potential common points of purchase (CPPs), or merchants where multiple compromised cards within a single set have transacted. Often, CPPs are likely to be sources of compromise. Our analysis of CPPs in 2023 demonstrated few novel developments, underlining the perennial nature of the threat that card compromise poses to merchants, FIs, and their customers.
Table 2: In 2023, we collaborated with partner FIs to attribute for-sale records on dark web carding shops to 2 out of every 3 CPPs identified through transaction analysis (Source: Recorded Future, partner FIs)
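The CPP idea described above can be expressed as a small ranking routine. This is an added example, not code from the report or from Recorded Future; the function name, thresholds, and the constructed sample data are assumptions. It scores each merchant by how much more often the compromised set transacted there than the general card population did, so that a merchant everyone uses does not rank as a source of compromise.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class CppCandidate:
    merchant: str
    hits: int        # compromised cards that transacted at this merchant
    coverage: float  # hits / size of the compromised set
    baseline: float  # share of ALL cards that transacted at this merchant
    lift: float      # coverage / baseline; about 1.0 means "just a popular merchant"


def cpp_candidates(transactions, compromised, min_hits=3, min_lift=1.5):
    """Rank merchants as possible common points of purchase for one card set.

    transactions: iterable of (card_id, merchant_id) from a look-back window.
    compromised:  card_ids belonging to a single compromised set.
    Thresholds are illustrative assumptions, not values from the report.
    """
    cards_by_merchant = defaultdict(set)
    all_cards = set()
    for card, merchant in transactions:
        cards_by_merchant[merchant].add(card)
        all_cards.add(card)

    # Only compromised cards that appear in the history can contribute.
    known = set(compromised) & all_cards
    if not known:
        return []

    candidates = []
    for merchant, cards in cards_by_merchant.items():
        hits = len(cards & known)
        if hits < min_hits:
            continue  # too few cards in common to call it a *common* point
        coverage = hits / len(known)
        baseline = len(cards) / len(all_cards)
        lift = coverage / baseline
        if lift >= min_lift:
            candidates.append(
                CppCandidate(merchant, hits, coverage, baseline, lift)
            )

    # Highest lift first; ties broken by hit count, then name for stability.
    candidates.sort(key=lambda c: (-c.lift, -c.hits, c.merchant))
    return candidates


# Constructed sample data (not real cards or merchants).
CARDS = [f"card-{i:02d}" for i in range(1, 11)]
COMPROMISED = {"card-01", "card-02", "card-03", "card-04"}
TRANSACTIONS = (
    # A grocer every cardholder uses: high coverage but no lift.
    [(c, "GROCER-1") for c in CARDS]
    # A cafe used by 3 of the 4 compromised cards and 1 clean card.
    + [(c, "CAFE-7") for c in ("card-01", "card-02", "card-03", "card-06")]
    # A fuel station with only one compromised card among its customers.
    + [(c, "FUEL-2") for c in ("card-02", "card-05", "card-07", "card-08", "card-09")]
    + [("card-04", "BOOKS-3"), ("card-10", "BOOKS-3")]
)

if __name__ == "__main__":
    for c in cpp_candidates(TRANSACTIONS, COMPROMISED):
        print(f"{c.merchant}: hits={c.hits} coverage={c.coverage:.2f} "
              f"baseline={c.baseline:.2f} lift={c.lift:.2f}")
```

A merchant that survives this filter is only a candidate; the report describes confirming breach sources separately, for example through manual Magecart analysis.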
As is typical, the bulk of CPPs we identified in 2023 were US-based merchants, which will likely remain prominent targets for fraudsters in 2024. The map chart below shows the locations of CPPs we identified. Blue pins represent CPPs that were linked to CNP data breaches, whereas orange pins represent CPPs linked to CP data breaches.
Figure 3: Orange pins represent the physical location of merchants affected by CP breaches, whereas blue pins represent the headquarters for companies affected by CNP breaches (Source: Recorded Future)
Figure 4: In 2023, the overwhelming majority of compromised cards posted for sale on dark web carding shops and attributed to CPPs belonged to US cardholders in major metropolitan areas (Source: Recorded Future, partner FIs)
Throughout the year, transaction analysis and merchant data enrichment surfaced various patterns in the merchant category codes (MCCs) most frequently associated with CPPs. Of the top 5 most common MCCs among CPPs this year, 5812 (“Eating Places and Restaurants”) was far and away the most common MCC. This corresponds to the high frequency of small restaurants and bars among sources of card data in 2023 and previous years, a trend that will likely remain steady going into 2024.
Restaurants and bars in the United States remain vulnerable to CP breaches due to their frequent use of centralized point-of-sale (POS) systems. Servers often obtain cards from customers for payment to bring them to the POS and out of the customer’s view. This presents unscrupulous staff members with an opportunity to steal the data contained on a card’s magstripe using a pocket skimmer.
Top 5 CPP MCCs for 2023 | Description |
5812 | Eating Places and Restaurants |
5533 | Automotive Parts and Accessories Stores |
5691 | Men’s and Women’s Clothing Stores |
5999 | Miscellaneous and Specialty Retail Stores |
5941 | Sporting Goods Stores |
Table 3: In 2023, most CPPs we surfaced were associated with the above MCCs (Source: Recorded Future)
Figure 5: In 2023, nearly a fifth of the CPPs we surfaced used 1 MCC, and nearly 40% of all CPPs used 5 MCCs (Source: Recorded Future)
As restaurants and bars continued to comprise most CP data breaches in 2023, platform breaches once again allowed threat actors to punch above their weight. By compromising a single online platform, threat actors can potentially compromise transactions with all merchants that make use of the platform. We use manual Magecart analysis to confirm that merchants indicated as CPPs through transaction analysis were breach sources, and we consider a platform breach likely if Magecart or transaction analysis points to a substantial number of CPPs using that platform.
Among this year’s likely platform breaches, the highest-impact compromises targeted a variety of industry verticals:
Finally, in 2023, we observed a marked increase in the quantity of suspected scam pages among CNP CPPs identified through transaction analysis, suggesting that online scam website campaigns will present a growing threat throughout 2024. Unlike traditionally compromised e-commerce merchants, scam websites are purpose-built to steal card data through online payments or phishing tactics. Often, victims receive bogus or low-quality goods or nothing at all after submitting their payment data.
In 2023, several high-impact scam website campaigns, including those listed below, suggest that 2024 will bear witness to an increased threat of card compromise and financial theft via scam and phishing pages:
In 2023, for-sale card records presented a higher fraud threat than card records posted for free. In 2023, cards issued by at least 10,000 FIs across the globe were offered for sale in the carding shops we analyzed. The quality of card records posted for sale tends to vary by carding shop, but this card data universally belongs to higher threat segments than free card data posted online.
In 2023, threat actors posted higher volumes of stolen credit cards for sale on dark web carding shops compared to 2022, indicating that the dark web fraud ecosystem has rebounded from the initial system shocks caused by Russia’s 2022 law enforcement crackdown and subsequent full-scale invasion of Ukraine. Barring any additional unforeseen system shocks, this recovery will likely continue in 2024. Ultimately, the ongoing recovery in stolen card data volumes demonstrates that fraudsters tend to remain adaptive and resilient in the face of adversity.
Figure 6: In 2023, volumes of stolen cards posted for sale on dark web carding shops recovered from their 2022 low (Source: Recorded Future)
In 2023, we began analyzing stolen card records posted for sale from 10 new dark web carding shops. Many of these sources were created to fill market vacuums spawned during Russia’s 2022 law enforcement crackdown in the lead-up to Russia’s full-scale invasion of Ukraine, and their establishment also points to a recovering card fraud underground.
Carding Shop Tier (Cards Posted for Sale Each Year) | Count of New Carding Shops Analyzed in 2023 |
Low tier (500,000 or fewer) | 6 |
Mid tier (500,000 to 2 million) | 3 |
Top tier (2 million cards or more) | 1 |
Table 4: In 2023, we began analyzing CNP and CP records posted for sale on 10 new carding shops, many of which were created throughout 2022 and 2023 to fill market vacuums as part of an ongoing recovery (Source: Recorded Future)
Despite the multitude of 2023 carding shop openings, in July 2023, a single mid-tier CNP carding shop announced its closure for the second time. Previously, this carding shop opened in April 2022, closed in late September 2022, and reopened in April 2023. Our analysis indicates this carding shop’s operators likely earned $300,000 in revenue following its reopening. The closure of this relatively minor marketplace with low card volumes had no substantial impact on the stolen card data market at large.
The supply of both CNP and CP records posted for sale on carding shops in 2023 increased to 71.4 million records, up from 60 million in 2022 — for fraudsters, likely a positive sign going into 2024. The median price of CP records remained stable as the median CNP record price increased from $8.55 to $12.00 per record, demonstrating growing perceived value for those records in aggregate. In keeping with historical trends, CNP records posted for sale in 2023 vastly outnumbered CP records.
Altogether, our analysis indicates that cards issued by at least 10,000 banks across the world were compromised in 2023.
Figure 7: In 2023, the volume and median price of CNP records posted for sale on carding shops exceeded those of CP records, indicating that threat actors continue to prefer CNP records for fraud (Source: Recorded Future)
In 2023, CNP card records posted for sale on carding shops generally belonged to higher threat level segments than CP card data, indicating that CNP card records likely face a higher fraud threat than CP records. This dynamic is a mirror reflection of fraudsters’ preference for CNP data over CP data over the past 5 years. This is the result of a range of factors, including improving physical card security measures (exemplified in EMV chip cards and near-field communication [NFC] payment methods) and the surging popularity of e-commerce transactions, which was accelerated by the COVID-19 pandemic.
We developed threat segmentation for card data on the dark web and other sources based on certain criteria that influence whether a given card is more or less likely to see a fraud event. We identified these criteria based on internal analytics and proprietary fraud data. High threat-level card segments are more likely to see fraud events, whereas low threat level card segments are less likely to see fraud events.
Figures 8 and 9: In 2023, CNP card records for sale on carding shops generally belonged to higher threat segments than CP records (Source: Recorded Future Intelligence Cloud)
In 2023, the quantity of cardholder PII available for purchase with for-sale card records on dark web carding shops predictably increased across the board. Similarly, in 2024, the availability of PII with stolen card records will likely be a function of the total card records available for sale. Fraudsters often use accompanying cardholder PII to support various fraud schemes.
Figure 10: In 2023, the amount of PII data available with for-sale card records predictably increased across the board (Source: Recorded Future)
The supply of stolen payment cards in different regions of the world is always subject to variation, and this was no less true in 2023 than it will be in 2024. This discrepancy can exist across multiple geographies within a single card issuer’s portfolio, and it is a result of a range of factors that either facilitate or complicate payment fraud with cards issued by FIs in certain countries, including:
Ultimately, regional differences mean that fraudsters likely perceive records in certain regions as having more or less value for fraud than those issued in other regions.
In 2023, while the supply of North American (NA) CNP and CP records exceeded European supply, the median price of European records was higher, suggesting a higher perceived potential return from fraud for European card records.
Figures 11 and 12: The supply of NA CNP and CP card records outstripped that of European cards in 2023, but the higher prices of European cards suggest fraudsters perceive they offer higher returns from fraud (Source: Recorded Future)
Among other regions, the Asia–Pacific (APAC) region led in both the volume and median price of CNP records posted for sale on carding shops in 2023. CP trends were less revealing. In 2023, the sheer volume of Latin American and Caribbean (LATAM+C) CP records posted for sale was largely accounted for by a glut of 400,000 Brazilian CP records posted for sale throughout 2023.
Figures 13 and 14: Outside of NA and Europe, APAC led in both card supply and median price on carding shops, and a glut of 400,000 Brazilian CP records in July 2023 accounted for a surge in the supply of LATAM+C CP records (Source: Recorded Future)
Each year, North America (NA) — and in particular, the US — leads the world in total volumes of stolen cards posted for sale on carding shops. In 2023, the supply of US-issued records and Canada-issued records substantially increased. Among CP records, the US witnessed an increase in volumes posted, while Canada saw a minor decrease.
Figure 15: 2022 and 2023 volumes of both CNP and CP records posted to dark web carding shops for Canada and U.S. FIs (Source: Recorded Future)
Precise comparisons between US- and Canada-issued records’ prices are nearly impossible due to the disparity in volumes between 2022 and 2023. Nevertheless, we observed an increase in high- and medium-priced Canadian CNP records in 2023 as the share of low-priced Canadian CNP records dropped. For Canadian CP records, the share of both low- and medium-priced records fell as the share of high-priced CP records surged by 50 percentage points compared to 2022.
Figures 16 and 17: As total supply of NA CNP and CP records increased in 2023, the share of higher-priced records generally increased (Source: Recorded Future)
Europe
In 2023, the UK, France, Spain, Türkiye, and Italy were the top 5 European countries by sheer volume of records posted for sale on dark web carding shops. The volume of Türkiye-issued records surged between 2022 and 2023, and growth in card volumes for the UK, France, and Spain occurred alongside parallel growth in Magecart e-skimmer infections targeting users from those countries. For these countries, only the volume of Italian card records decreased from 2022 to 2023.
Figure 18: As Türkiye-issued records nearly doubled between 2022 and 2023, increasing volumes for the UK, France, Spain, and Italy were accompanied by increasing Magecart infections targeting those countries’ users (Source: Recorded Future)
Latin America and the Caribbean (LATAM+C)
The top 5 LATAM+C countries defined by posted volume did not change from 2022 to 2023, though both Brazil and Mexico had lower record volumes in 2023. Volumes of cards issued by FIs in Peru, Argentina, and Colombia on carding shops increased in 2023, with Peru showing the highest percentage increase.
Figure 19: Among the top 5 LATAM+C countries by sheer volume of cards posted for sale, Brazil’s and Mexico’s card volumes decreased year-on-year but remained the top 2 (Source: Recorded Future)
Middle East and Africa (MEA)
Among the top 5 Middle Eastern and African (MEA) countries by sheer volume of records posted for sale in 2023, 3 countries had similar volumes compared to 2022. For the 2 outliers — South Africa and Egypt — the volume of cards issued from FIs in these countries respectively decreased and increased substantially compared to 2022.
Figure 20: In 2023, the volume of all cards posted for sale for 3 of the top 5 MEA countries by sheer volume was similar to 2022, with South Africa’s and Egypt’s card volumes substantially decreasing and increasing, respectively (Source: Recorded Future)
Asia–Pacific (APAC)
Among the top 5 APAC countries in sheer volume of card records posted for sale in 2023, the volume of Japanese records increased most, likely as a result of records posted for sale on carding shops that predominantly offer Japanese records. This increase was also accompanied by a surge in Magecart e-skimmer infections targeting Japanese users. At the same time, the volume of India-issued records posted for sale witnessed a net decrease. The supply of Indonesia-issued records experienced the highest percentage increase for the period.
Figure 21: Among the top 5 APAC countries by sheer volume of cards posted for sale, Australia-issued card volumes remained stable as Japan- and Indonesia-issued card volumes surged and India-issued volumes decreased (Source: Recorded Future)
In 2023, cybercrime-focused sources on Telegram were a rich source of full card data posted on the internet, demonstrating their growing importance. Despite vast increases in the volume of free card data on the dark web and other sources, free card data likely provided less value in potential fraud returns compared to for-sale data on carding shops. Altogether, threat actors posted 48 million free card records on various sources this year, up from 20.5 million in 2022. The vast majority of these records (41.3 million) were posted on Telegram sources, up nearly eightfold from 5.5 million in 2022. Fraudsters often use these Telegram sources to validate and/or generate payment card data.
The remaining free card data we analyzed in 2023 originated from carding shops (where free card data is often released to promote the source), pastebins, dark web forums, and other sources. Figure 22 below breaks down the most common sources for our free card data and includes roughly 94% of all free card data we analyzed from dark web and clearnet sources in 2023.
Figure 22: In 2023, the vast majority of full card records originated from Telegram sources, indicating the growing relevance of Telegram sources for threat actors (Source: Recorded Future)
Most free card records analyzed in 2023 belonged to low or medium threat segments, as is typical for free card records — a paradigm that is unlikely to change in 2024. High threat-level card segments are more likely to see fraud events; low threat level card segments are less likely to see fraud events.
Figures 23 and 24: In 2023, most free card records analyzed from the dark web and other sources belonged to low or medium threat segments, indicating they were less likely to see a fraud event (Source: Recorded Future Intelligence Cloud)
As total volumes of free card data surged from 2022 to 2023, the proportion of free card numbers accompanied by card verification values (CVV, also known as card security codes, or CSC) and expiration dates also increased, most of which originated from Telegram sources. While this increase is likely an incidental result of our increased analysis of Telegram sources in 2023, it does demonstrate the growing value that Telegram sources offer fraudsters for card validation and generation, particularly for account enumeration attacks.
Other cardholder data — including billing address, contact information, and highly sensitive PII, such as Social Security number (SSN), date of birth (DOB), or mother’s maiden name (MMN) — also frequently accompanied free card records in 2023. Cybercriminals can use information accompanying low-validity, expired, or otherwise low-value payment card records to conduct spearphishing attacks and steal account login credentials before pivoting to targeted account takeover (ATO) attacks against victims’ bank accounts.
Figure 25: A higher proportion of free card data records we analyzed in 2023 were accompanied by CVV and expiration date, demonstrating the value Telegram sources offer fraudsters for card validation and generation (Source: Recorded Future)
Looking forward to 2024, card-testing activity is unlikely to go anywhere. Fraudsters conduct card-testing activity through low-value transactions and zero-dollar authorizations that frequently precede primary “cash-out” fraud events. Fraudsters likely access this card-testing functionality by various means, including:
In 2023, a joint law enforcement operation dismantled Try2Check, a major checker service that abused a major US-based payment processor’s services for its card-testing functionality. However, while Try2Check’s disruption may have diminished access for fraudsters accustomed to using its card-testing services, our analysis indicates that the quantity of tester accounts used by fraudsters slightly increased throughout 2023. This indicates that although Try2Check may have played a major role relative to other dark web checkers, it was ultimately part of an ecosystem, and fraudsters moved quickly to fill its vacuum.
In 2023, our analysis of 1,700 tester merchants surfaced various patterns in the MCCs and merchant acquirers most frequently associated with the checkers’ tester merchants. Of the top 5 most common MCCs among tester merchants this year, only 8398 (“Organizations, Charitable and Social Service”) was dethroned from the Top 5 list of 2022. These MCCs and acquirers will likely remain common for tester merchants in 2024.
Top 5 Tester Merchant MCCs in 2023 | Description |
8011 | Doctors-not elsewhere classified |
5812 | Eating Places and Restaurants |
5999 | Miscellaneous and Specialty Retail Stores |
7299 | Other Services-Not Elsewhere Classified |
8099 | Health Practitioners, Medical Services-Not Elsewhere Classified |
Table 5: In 2023, most tester merchants we surfaced were associated with the above MCCs (Source: Recorded Future)
Figure 26: In 2023, over a quarter of the tester merchant MIDs we surfaced used 1 of 5 MCCs (Source: Recorded Future)
Figure 27: In 2023, 60% of the tester merchant MIDs we surfaced used 1 of 5 acquirers (Source: Recorded Future)
Part of the reason we observe these patterns each year is because fraudsters can likely more readily access merchant accounts from certain acquirers or MCCs to exploit as tester merchants. The tester merchant accounts used by fraudsters generally fall into 1 of 2 categories:
In 2023, open-source research allowed us to determine that 40% of the tester merchants we identified were likely to be fraudulent merchant accounts, whereas the remaining 60% were likely to be legitimate merchant accounts. Looking forward to 2024, fraudsters will likely continue to employ a mix of legitimate and fraudulent merchant accounts for their card-testing activity.
The make-or-break moment of any fraud scheme occurs with the final theft of a victim’s money or data. In 2023, we observed 2 key themes in fraudsters’ efforts to effect cash-out and data theft attempts, both of which are likely to continue playing out in 2024:
Sophisticated Technical Solutions Combined with Increasingly Nuanced Workflows
Our analysis in 2023 surfaced various advanced fraud schemes that depended on sophisticated technical solutions, tailored services, or nuanced workflows to bypass fraud detection programs.
Figure 28: In 2023, the frequency of references to 3DS bypass on various sources increased by nearly 20% compared to 2022 (Source: Recorded Future Intelligence Cloud)
Figure 29: In 2023, there were nearly 25 times more references to an online advertising platform on various sources compared to 2022; many of these references were related to a fraud-based malvertising ecosystem (Source: Recorded Future Intelligence Cloud)
Telegram Source Type | Count of Channels |
All sources | 398 |
Sources with free card validation capabilities | 304 |
Sources with free card generation capabilities | 172 |
Table 6: Of the Telegram sources we analyze, most offer fraudsters free card validation and/or generation services (Source: Recorded Future)
Social Engineering Tactics
As cybercriminals applied sophisticated technical solutions to bypass fraud detection rules, they also demonstrated increased reliance on social engineering tactics that manipulate victims into facilitating the theft, exploiting the unwitting assistance of victims to bypass the fraud detection mechanisms entirely. This trend was almost certainly facilitated by the 2023 advent of generative artificial intelligence (AI) and will likely continue into 2024.
Fraudsters’ social-engineering efforts were most apparent in their scam and phishing website campaigns, a trending threat in 2023. These scam and phishing campaigns combined cookie-cutter designs and open-source tools with sophisticated technical means to disseminate their scams, cash out victims’ payment cards and crypto wallets, and steal victim data. Scam operators typically demonstrate a superb understanding of consumer psychology to maximize the impact of their social engineering tactics and scam campaigns, and third-party dark web services allow threat actors to outsource the creation or operation of their scam and phishing campaigns. Examples of these services include:
Increase coordination between CTI and fraud teams as part of a fraud fusion effort to reduce the threat posed by the convergence of cyber and fraud threats. Fraudsters’ increasing sophistication and reliance on social engineering are likely part of a 2-pronged, cyber-based assault against the rigorous fraud detection rules employed by FIs, and the potency of this combination is grounded in the fact that most FIs establish distinct business units with separate practices to mitigate cyber and fraud risk. In particular, increasing resource-sharing between CTI and fraud teams will likely improve business outcomes while reducing operating costs through shared resources, and the concerted development of specific use cases for coordination between CTI and fraud units will provide a foundation for more effective future cooperation.
Possible use cases for CTI and fraud teams include the following:
New Account Fraud (NAF) and ATO Attacks
Take Preemptive Action on Dark Web Intelligence Reporting
Conduct Analysis of Suspected CPPs and Tester Merchants
Keeping in mind our observations from 2023, 2 trends will likely influence the payment fraud threat landscape in 2024.
First, fraudsters participating in the dark web payment fraud underground will almost certainly continue to persevere, refining their methods as they continue to find ways around the barriers FIs put up to protect their customers. FIs can reduce the threat posed by this trend through tactical measures, including by operationalizing Recorded Future’s card and merchant datasets. While we cannot predict with certainty the specifics of how stolen card supply on carding shops will look, they will likely continue to serve as a major source of stolen card data regardless of what the year throws at them. Similarly, although specific Magecart e-skimmer deployment or data exfiltration techniques may evolve, the attack vector itself will likely remain viable looking at 2024 and beyond. Checkers will continue to offer card-testing services to fraudsters and other dark web entities through tester merchants, and Telegram sources will continue to serve as viable tools for fraudsters seeking to generate or validate free card data. While we cannot accurately predict a full recovery or resurgence to pre-2022 levels, fraudsters’ adaptability and resilience in the face of 2022’s system shocks and the 2023 aftermath demonstrate that payment fraud is not going anywhere.
Second, fraudsters’ growing reliance on cyber-based fraud schemes and social engineering will continue to empower them to bypass rules-based fraud detection systems. Because this combination of strategies exploits the limitations of rules-based systems more generally, FIs can reduce the threat posed by this trend by increasing coordination efforts between their CTI and fraud business units. Note that this convergence of cyber and fraud risk domains was not a novel development in 2023 but rather part of a continuing trend that is likely to become even more prominent in 2024. In this respect, the early 2023 advent of viable generative AI tools is unlikely to significantly alter the balance between fraudsters and the organizations that seek to stop them, even as it changes the surface of the threat landscape. In 2024, AI will likely become yet another front in the arms race between fraudsters seeking methods to effectively bypass fraud controls and the organizations that erect those fraud controls to stop them.
Gemini Advisory, a Recorded Future company, provides actionable fraud intelligence to the largest financial organizations in an effort to mitigate ever-growing cyber risks. Our proprietary software utilizes asymmetrical solutions in order to help identify and isolate assets targeted by fraudsters and online criminals in real-time.