Fraudsters are getting so advanced it doesn't make sense

December 20, 2023 - Security, Culture, Best Practices

I hate fraud. So much.

Twice in the past year we’ve seen fraud so advanced it didn’t make sense. I want to share these experiences because I find them fascinating, and in the hope it prevents more victims.

I also hope this discussion helps normalize talking about fraud. It’s a massive industry causing long-lasting financial and emotional pain to its victims, but we as a society won’t be able to effectively educate people and prevent it if its true scope and impact aren’t better appreciated.

“Too good to be true,” but it’s true?

Last holiday season, while visiting my parents, I experienced a very weird attempted fraud. While three generations enjoyed the time, my dad was on an extended phone call that just would not end.

We could tell it was something about their DirecTV service, and eventually started asking, “Dad’s getting scammed, isn’t he?”

We made sure he wasn’t giving any payment or banking info, and waited for the call to end. Thirty minutes later…

“So that was a scam call, right?”

“No! It’s actually a really good deal.” He explained how Google and DirecTV are doing a promo, and he got a free month of service and a free pay-channel just for taking the call.

That’s what the fraudster led with.

The actual “deal” was a reduced monthly rate (sounded reasonable). He just needs to go to Home Depot to get some gift cards, then call the special number to read them the codes, and they’d do the free promo thing!

Now, my dad’s not stupid, but he didn’t know gift cards = scam. There’s lots of stuff to know, and nobody can know it all. But still, something must have felt phishy, right? Right?!

No, because…

They paid his bill?

“No, look! They already gave us a free month and turned on a pay channel!”

He shows us the TV with the newly unlocked pay channel, and the email from DirecTV showing a ~$150 credit to the account.

The email was legit: SPF, DKIM, and DMARC all passed, so it really had come from DirecTV, and it said that a payment had indeed been made to their account. Their online account also showed the payment.

Oddly, the last 4 digits of the card used didn’t match any of my parents’ cards. The fraudster, while on the phone with my dad, paid my parents’ bill using a stolen credit card.
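As an added example (not code from the original post), here is the check that made that email suspicious despite being genuine: parse the Authentication-Results header to confirm SPF, DKIM and DMARC passed with the From domain aligned, then compare the card the email reports against the cards you actually own. The message, mail-server name, domains and card digits are constructed stand-ins, not the real DirecTV notification.

```python
import email
import re
from email.utils import parseaddr

# Constructed sample, an assumption standing in for the real DirecTV
# notification: headers, domains and card digits are illustrative only.
SAMPLE_EMAIL = """\
Authentication-Results: mx.example.net;
 spf=pass smtp.mailfrom=directv.com;
 dkim=pass header.d=directv.com header.i=@directv.com;
 dmarc=pass (p=reject) header.from=directv.com
From: DIRECTV <noreply@directv.com>
To: customer@example.org
Subject: Payment received

Thank you. We received a payment of $150.00 from the card ending in 4821.
"""

# Last four digits of the cards the household actually owns (constructed).
KNOWN_LAST4 = {"1188", "3309"}


def parse_auth_results(value):
    """Parse an Authentication-Results header (RFC 8601) into
    {method: {"result": ..., "<property>": ...}}.  Folded lines are
    joined and parenthesised comments such as "(p=reject)" are dropped."""
    value = re.sub(r"\([^)]*\)", "", " ".join(value.split()))
    clauses = [c.strip() for c in value.split(";")]
    results = {}
    for clause in clauses[1:]:            # clauses[0] is the authserv-id
        tokens = clause.split()
        if not tokens or "=" not in tokens[0]:
            continue
        method, result = tokens[0].split("=", 1)
        entry = {"result": result.lower()}
        for prop in tokens[1:]:
            if "=" in prop:
                key, val = prop.split("=", 1)
                entry[key.lower()] = val.lower()
        results[method.lower()] = entry
    return results


def sender_authenticated(msg, expected_domain):
    """True only if SPF, DKIM and DMARC all passed and both the DMARC
    header.from and the visible From address are the expected domain.
    This proves the message left that domain's mail system; it proves
    nothing about who made the payment the message describes."""
    ar = parse_auth_results(msg.get("Authentication-Results", ""))
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    return (
        ar.get("spf", {}).get("result") == "pass"
        and ar.get("dkim", {}).get("result") == "pass"
        and ar.get("dmarc", {}).get("result") == "pass"
        and ar.get("dmarc", {}).get("header.from") == expected_domain
        and from_domain == expected_domain
    )


def payment_card_last4(body):
    """Pull the 'card ending in NNNN' digits out of the notification body."""
    match = re.search(r"card ending in (\d{4})", body)
    return match.group(1) if match else None


def assess_payment_email(raw, expected_domain, known_last4):
    """Combine the two checks: is the sender genuine, and is the paying
    card one of ours?  A genuine notification for a card we do not own is
    the signal that someone else (here, a fraudster) paid the bill."""
    msg = email.message_from_string(raw)
    authentic = sender_authenticated(msg, expected_domain)
    last4 = payment_card_last4(msg.get_payload())
    recognized = last4 in known_last4
    if not authentic:
        verdict = "sender not authenticated: treat as phishing"
    elif recognized:
        verdict = "genuine notification for a payment from your own card"
    else:
        verdict = ("genuine notification, but paid from a card you do not own: "
                   "fraud indicator, not a confirmation of any 'promo'")
    return {"sender_authenticated": authentic, "card_last4": last4,
            "card_recognized": recognized, "verdict": verdict}


if __name__ == "__main__":
    print(assess_payment_email(SAMPLE_EMAIL, "directv.com", KNOWN_LAST4))
```

Passing SPF, DKIM and DMARC results only tell you that the notification really came from the provider's mail system. In the situation above that is exactly why the unknown card, not the email itself, is the thing to act on.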

That’s… weird.

Time to call DirecTV.

We called DirecTV about this obviously-a-scam situation, and the conversation ended something like this:

“Yeah, you just made that payment to the account. You don’t owe any money! You’re all good! Also, my system won’t give me any information on why/who/how the free premium channel is on the account.”

Not helpful. Oh well. We tried.

The rabbit hole goes deeper.

While we saved my dad from becoming a victim and feeling that particular shame, I still had no idea what happened.

We pieced together a few things:

  • The fraudster knew my dad’s DirecTV account info. Knew that he was a DirecTV customer. We don’t know for certain if my dad provided the account number at the beginning of the call, but he doesn’t think he did. But it was a targeted call, regardless.

  • The fraudster wasn’t working alone. We’re not sure exactly how it happened, but fraudster #2 was likely on the phone with DirecTV modifying the account, perhaps just relaying my dad’s security answers to DirecTV, or perhaps something more problematic.

  • The fraudster has stolen credit cards they use to pay bills, to gain trust with victims.

  • This was a finely-tuned machine. They had the opening salvo ready to go, with great incentives just to listen to the “offer”. For those who haven’t seen Mark Rober or Jim Browning’s work on YouTube, a lot of these operations have dozens or hundreds of employees. It’s big business.

In digging into this, I found other victims discussing this on the DirecTV forums going back years. I cannot speak to others’ experiences, but it seems likely that DirecTV customer data is/was leaked, allowing direct targeting.

At the time, I had a family party to get back to, but I continued thinking about it for months afterwards, until…

Airline fraud, kinda-sorta?

A friend and partner of ours, David at Merchant-Accounts.ca (highly recommended if you want a more personal but still highly competitive payment processing service), emailed asking for our thoughts on some weird fraud he was seeing related to an airline. Here’s what happens:

  1. Someone searches for a flight and finds a site selling tickets for a good price.

  2. The customer pays for the ticket(s), enters all their info, and receives their ticket(s). All good so far.

  3. The customer shows up at the airport, gets on the flight and flies with no issue… or they’re told the tickets were fraudulently purchased, charged back, and/or canceled due to fraud.

  4. Either way, whether they flew or not, the customer thinks they have legitimately purchased airfare. They have no idea that they were involved in a scam. Some of them even got to fly as expected. How could it be fraud?

Makes no sense, right? How is a fraudster coming out ahead here?

Eventually, one of the airline’s employees showed up at the gate for a flight with a different airline and the same thing happened to them. Tickets were canceled because they were fraudulently paid for.

For a period of time it was quite confusing, but eventually the scam started to become more clear.

How the fraud works (we think):

The entry to the fraud is in step #1 above. When the victims are searching for flights, they somehow end up on the fraudster’s website. It looks legit enough to fool people. Maybe it’s a typo-squatted domain. Maybe it’s just a nicely done up site that looks reasonable, and scrapes Expedia/Orbitz/whatever.

To make the fraud more effective, the fraudster takes 10% off the actual cost of the ticket. The victim completes the purchase by entering their credit card info. Behind the scenes a real ticket is bought for this customer, paid for by the fraudster using a stolen credit card.

Even if the customer had concerns about the legitimacy of the website, they end up getting a real ticket at a good price, so no need to bother looking twice.

If the purchaser travels soon enough, it’s unlikely that the owner of the stolen credit card will realize the fraud. In this case the passenger would fly, get what they expected and be none the wiser. But sometimes the airline ends up getting a chargeback and canceling the tickets before the travel date, which is how the airline started to become aware of the scam.

Where is the benefit to the fraudster?

Fraudsters aren’t usually so kind as to legitimately provide real things to the people they are defrauding. However, the fraudster still had something of value: the victim’s money. So let’s think about the transaction flow.

Our suspicion is that the fraudsters have set up a new merchant account to use in their fraud. It’s not getting chargebacks (for the most part) because people are getting actual tickets. Even though the fraudster is selling the ticket at a discount, they have managed to bring their cost to zero, since they’re buying their inventory with stolen credit cards. The fraudster’s unlikely to get chargebacks, at least for a while, because the victim got the service and is blissfully unaware.

It’s only if the first victim (whose stolen card was used to buy the second victim’s – the traveler’s – tickets) notices the purchase and catches it in time that the tickets are canceled, and the fraud becomes apparent. By that time, though, the fraudsters have made off with the funds. David had this to say, which is at least one possibility:

> The merchant account is probably opened fraudulently, but run in good standing, at least for a period of time. The payment processor is funding out all the money that’s been processed to what they think is a legitimate and well run travel agency. The worst fraudsters are the organized, patient ones. We once had a merchant run their merchant account clean for a year. Then said they were going to do a huge weekend so we bumped up their allowed trading volumes. They did a huge pile of volume, we funded them out (after “knowing” them for a year) – and then boom, they’re gone and chargebacks pour in.

This airline fraud got me thinking about the DirecTV fraud I’d experienced firsthand. In both cases, the question remained:

But still: Why bother stealing money from card #2 if they already have stolen card #1?

The fraudster clearly already has a stolen card that works. They can buy airline tickets or pay a DirecTV bill. Why not just use that to buy what they want in the first place?

What we currently believe (though this is just our opinion) is that the answer is money laundering:

Gift cards are like cryptocurrency: easy to lose, and fantastic for criminals.

Credit cards can be charged back. Bank transfers can be traced. Wire transfers are a pain in the ass. Crypto’s an even bigger pain in the ass (especially for new users; also, crypto feels more scammy).

But gift cards? Easily and immediately accessible at just about any grocery or big box store. A fraudster can even spin a story about how Google and DirecTV are partnering, so get Google gift cards!

The fraudster already has stolen credit cards, but they can’t really use a stolen card for a lot of things. Can’t use it to pay rent. Can’t use it to pay for anything that’ll trace back to you (or your criminal organization).

What the fraudster wants is untraceable, easy money.

Gift cards, unlike credit cards, can be used effectively anonymously, and they can be sold (for a little under face value) on eBay. (I’d like to believe the degree to which eBay knowingly profits off this is limited, but I’d be very keen to see any additional research on this topic.)

By using a stolen card to gain trust and buy time with the victim (either by actually purchasing airline tickets or by paying a DirecTV bill), they can launder a stolen card into gift cards.

Takeaways?

Data leaks facilitate fraud.

Does it matter that fraudsters know you have an account at DirecTV? You might not think so, but in this case it was used to more effectively target victims.

Unfortunately, data leaks will continue. If you haven’t already, try putting your email into haveibeenpwned.com. If your email returns nothing, congrats. I’m in there 7 times for my personal and 10 times for my work emails, and that’s almost certainly not the extent of it.

Take a defensive posture when it comes to what information you assume a fraudster might know about you. Speaking of which…

Never provide personal info on an inbound call.

Did your bank call you? No they didn’t. Even if they did, they didn’t.

Ask for a callback number that you can verify on their public website, then call them back. No reputable company should have a problem with it. And if they do, they’re wrong.

This’ll nip most things in the bud. Little extra hassle, and you might need to wait on hold when you call in, but it’s better than risking it. (Caller ID is easily faked.)

Don’t judge fraud victims.

Everybody’s been taken for a ride in one way or another. Everybody’s clueless about something “obvious” to somebody else. With data leaks (and AI being able to impersonate voices), highly targeted fraud is becoming more commonplace.

Tell your family.

The AARP has a good explanation of what to never do with gift cards. Let your family know: “gift cards are for gifts, NOT for payments.”

We should talk more about fraud.

I don’t think we, as a society, talk about fraud and betrayal enough. Yes, we hear about big frauds on the news. Coffeezilla’s exploration of the Sam Bankman-Fried / FTX fraud is incredible, and I highly recommend watching it.

But that’s HUGE fraud. What about small fraud? Not $15B but $1.5k? There’s a lot of shame associated with being the victim of a fraud, but I’d wager most people have been defrauded at least once by the time they hit their 40s. Or taken advantage of by an abusive or manipulative person. Different, but (I think) similar in the shame it can leave behind.

Businesses, also, are loath to talk about being victimized. I get it. There are myriad reasons to keep quiet and few incentives to be open. But it’s the thieves who benefit from our culture of silence. Nobody wants to admit to being taken advantage of, but humans often are pretty helpless as individuals. It’s only by sharing our knowledge and experiences that we can make the meaningful, lasting changes necessary to reduce fraud.

We work hard at Foxy to maintain the most secure environment and company culture we can. We are a PCI DSS Level 1 Service Provider (the highest level), listed on Visa’s and MasterCard’s global registries, and we’re externally audited annually to ensure we’re doing the best we can.

We don’t take the trust our users place in us lightly. Please reach out if you have any questions about our security, or anything else we can help you with.