A new e-commerce fraud group believed to be operating out of Southeast Asia has been running a sophisticated operation combining data science, fraud detection, online payments, and e-commerce expertise, which allowed the threat actor to steal an estimated $660 million in laptops, cell phones, computer chips, and gaming devices in November alone.
The operation was discovered by researchers at cybersecurity firm Signifyd more than a year ago.
“Like a burglar casing a home, the Southeast Asian fraudsters lurked online and launched small attacks to test the vulnerabilities of various merchants and to better understand the protections put in place by retailers and by a number of third-party fraud protection providers,” the company noted in a report.
The researchers say that the early attacks were quickly extinguished and led to relatively small losses, suggesting that the attackers were testing the waters before launching a large-scale campaign, which hit with full force in November.
The fraudsters use stolen credentials and account takeover to place orders from unsuspecting consumers' accounts, often paying with the payment methods stored in those accounts. The goods are then re-shipped to Asia for repackaging and resale at a premium.
It seems to be a patient, confident, and well-organized retail fraud operation, established to fool online retailers. Signifyd estimates the fraud attacks placed $3.3 billion in US e-commerce goods at risk during November, generally the busiest shopping month of the year.
“An operation with this fraud ring’s level of reach requires a highly sophisticated group dedicated to analyzing fraud defense systems, a steady pipeline of stolen log-on credentials and identities, teams that organize the shipping and reshipping of the products it obtains illegally and a field operation that can resell the goods,” the company said.
Interestingly, the threat actor appears little concerned about being recognized, not bothering to hide clues in the illegitimate orders that point back to the fraud ring. For instance, the group regularly uses distinctive, repeated names in online checkout forms.
“They kind of leave their signature,” the researchers say. “They are not really trying to hide. It’s like, ‘Catch me if you can.’”
Although Signifyd has been able to shut down the operation for now, the company believes that “its leaders are out there recalibrating, regrouping and reviewing their options for their next wave of attacks.”