Fraudsters who target online stores need to get items shipped somewhere. But how do they evade security?
Welcome to the 22nd episode of SEON’s Cat & Mouse Show, where today we spoke with a fraudster who specialises in targeting eCommerce companies.
For the sake of anonymity, we called them Anonymous D and here are some key takeaways from the short conversation we had with them.
There Are Two Kinds of Drops
The first thing to understand is that Anonymous D differentiates between two kinds of drops. The bank drops and physical drops. Here’s how they explain it:
“The cash-out process means actually turning something into money such as a crypto payment or other types of digital goods that we can use. During this process, we need a drop which can be either a physical address or a bank drop or any intermediate service or layer that helps us to cover our tracks and stay undetected.”
How to Access a Post Box Anonymously
The physical address part is probably the most challenging, but fraudsters know exactly how to solve that problem…
“We utilize multiple ways to set up these drops, for example, it can be a re-shipping service. There are many services out there where you can rent a virtual post box and then you can use this address to send goods from this place to another.”
Sometimes it also helps to have accomplices, even if they aren’t aware that they take part in a criminal organisation.
“You can also do social engineering and post advertisements to lure people in to work for you, they provide their own addresses to have them as a drop and then do some more social engineering to make them send the goods to your end address or your actual buyers.”
Other times, fraudsters have to take a more hands-on approach.
“You could simply go to a vacant house, you can stay in your car nearby and wait for the delivery men to arrive and leave the package on the porch. You can even convince receptionists to accept packages and provide some cash in exchange. There are many ways to be able to receive goods.”
Keeping the Addresses Alive For As Long As Possible
One challenge fraudsters face is that addresses are in short supply. So they have to be creative to keep them alive for as long as possible:
“Many fraudsters tend to reuse a drop for as long as we can. Basically what we do is perform minor changes in the address, for example when we put a space, we put another character or perhaps leave some typos.”
Key Takeaway – Monitoring the Checkout Data
According to Anonymous D, the weakest point in the online store’s security measures is definitely the checkout process. Fraudsters have creative ways of reusing the same addresses in order to receive illegally acquired goods.
Tools like string analysis or feeding data through Machine Learning can help create better risk rules, which could prevent your online store from shipping goods to bad agents in the future.
See a live demo of our product
Jimmy is the CCO of SEON and brings his in-depth experience of fraud-fighting to assist fraud teams everywhere.