A massive operation that has reportedly siphoned millions of USD from credit cards since its launch in 2019 has been exposed and is considered responsible for losses for tens of thousands of victims.
The site operators, thought to originate from Russia, operate an extensive network of bogus dating and customer support websites and use them to charge credit cards bought on the dark web.
This way, the charges appear legitimate, and the websites are not readily approving fund returns on the grounds of fraudulent transactions, resulting in the enrichment of the crime syndicate behind the operation.
The discovery and report about the global operation come from researchers at ReasonLabs, who shared their findings with BleepingComputer before publication.
Massive website network
The operation uses two kinds of domains that serve as the basis of the operation, namely, dating sites and customer support portals.
When visiting the websites for the companies of some of these alleged dating sites, we found that the corporate sites did not exist or had non-existent email addresses, such as ‘email@example.com.’
Although functional, these sites don’t receive noticeable traffic and are ranked very low in Google Search results, as the purpose of their existence isn’t to draw victims but allegedly to serve as money laundering channels.
ReasonLabs says the sites have the same HTML structure and content, so they appear to have been created by automated tools.
According to ReasonLabs, the customer support portals either use a fake entity’s name or design their sites to resemble real brands like McAfee, ReasonLabs, and other firms.
“In addition, many of the support sites are designed with colors and logos to impersonate the brand. A big part of the operation is getting as many gray charges as possible before a consumer contacts support or their CC company,” Andrew Newman, CTO and Co-Founder of ReasonLabs, told BleepingComputer.
The operators also appear to have made a greater effort to hide the 75 support portals from search engine indexing, using anti-crawler instructions in Robots.txt (“disallow all”).
Payment processing and charging
The biggest obstacle of the operation is registering these sites as payment acquirers with processors, who typically classify them as “high risk” even when they’re legitimate due to the category having high charge-back percentages.
To avoid being blacklisted, the researchers say that each website applied individually to avoid losing them all at once in case fraud is revealed in any of them.
As for producing proof of legitimacy, all of the sites feature a 24/7 support chat and a working telephone line, outsourced to a genuine support center provider.
Furthermore, all sites list a toll-free number for “subscribers” if they want to cancel a payment, which is typically not found in fraudulent sites.
Once the payment processors approve them, ReasonLabs believes the operators tap on the pool of millions of stolen payment cards on the dark web (CC dumps), and charge them on the sites.
ReasonLabs noticed that most of the cards used in operation belong to people in the United States, but they also bought cards from French-speaking countries.
The charging takes place either by using an API or manually, while the site operators are very careful not to trigger anti-fraud alarms and also to extend the time before the victim realizes the charges.
They charge small amounts, use generic names that might blend with the victim’s spending habits, use recurring payments with the same amount, and avoid performing test transactions.
Finally, the operators use the incorporated “cancel subscription” system to charge the customers back in some cases, thus artificially reducing the charge-back rate and making their operation appear authentic.
All these combined tactics have enabled this operation to last for so long without being discovered, making tens of millions in USD by charging small amounts from many people.
Unfortunately, BleepingComputer has randomly tested several of the 275 fake websites listed in the ReasonLabs report, and they are all online at the time of writing.
However, this may change soon, as ReasonLabs says they have reported the sites to payment processors and law enforcement.
“We have reported the entire scam to over 1 dozen parties that were one way or another touched by it. This includes payment providers Visa and Mastercard, in addition to numerous other services such as AWS, GoDaddy, all the various registrars,” explained Newman.
“We are also reporting the scam to Fraud.org, a project of the National Consumers League (NCL), a nonprofit advocacy organization based in Washington which shares consumer complaints with a network of more than 200 law enforcement partners.”
A full list of the sites can be found in ReasonLabs’ report.