Chances are you’re familiar with scam strategies like account takeover or friendly fraud. But there are tools to address these issues.
The unique thing about Fraud as a Service (FaaS) is that it is not a specific tool or type of fraud. Rather, it is an online marketplace where fraudsters can purchase or subscribe to the tools or data needed to commit fraud.
While it is relatively easy to launch a single fraud attempt, building a fraud operation large enough to justify the risk requires time, money and technical expertise. Similar to how software-as-a-service (SaaS) providers deliver software on a subscription basis, FaaS services offer a wide range of tactics and personal information that can be used by their subscribers to commit fraud.
FaaS is not limited to a single tactic. For example, the service may conduct distributed denial of service (DDoS) attacks on behalf of its customers or rent botnets to criminals, who can then use the rented tools for their own botnet attacks.
FaaS providers may have access to stolen payment card data, health records, or social media accounts. They can use this data to create fake users (which are then sold or rented to subscribers), or they can simply sell the raw data and let fraudsters create their own fake accounts.
It’s even possible for scammers to buy complete, pre-populated social media accounts with a single click. Regardless of the type of fraud criminals want to commit and their technical skills, there are almost certainly turnkey solutions that facilitate their crimes.
All of these transactions take place on the dark web, which makes FaaS operations particularly difficult to track and disrupt. Even if you manage to intercept a single fraud attempt, the service provider is still out there offering the same tools and services to other fraudsters.
FaaS organizations operate much like any other organization: there are stooges, money couriers, researchers, contractors, dark web hackers, technical specialists, managers, and team leaders. Although undoubtedly not quite as lavish, the Deep Web of organized cybercrime could be thought of as the equivalent digital setting of a James Bond movie. Indeed, the Bond film SPECTRE depicted a global terrorist organization that may well have been a precursor to the criminal syndicates on the Dark Web.
More prosaically, FaaS is likely the criminal heir to cloud services, which have allowed fraudsters to insidiously exploit the same services people use every day in their personal lives and online businesses. Facebook, which was once used simply to share everyday life with friends and family, is now one of many popular hunting grounds for criminals hoping to capture victims and steal their personal information.
FaaS is not only about conducting attacks to defraud large companies. Instead, it has become a profitable product that is sold to other fraudsters. According to Hacker News, underground forums sell malicious code, hacking services and bulletproof hosting at low prices, and even rent out entire botnets. Zeus malware, which is freely available on the Internet, was improved and upgraded by developers who created a commercial demo website for potential buyers and, without blushing, published their own Facebook page for the latest version of the toolkit (the page has since been closed).
It is not just the raw code that is distributed by fraudsters. Eric Geier of eSecurity Planet explains, “There are also numerous other services required to execute a successful large-scale attack, such as malware quality assurance (QA) (yes, it’s true), distribution, and search engine optimization (SEO). All of these goods and services can come together to provide the originator of the attack with a customized process that simultaneously makes it nearly impossible to catch because of the many third-party vendors involved.”
Other services available to criminals include money laundering, money couriers, friendships with corrupt insiders in large corporations, paid infection and exploitation services, and virtual criminal markets.
If you wanted to start your own digital criminal enterprise, why do all the work (or any of it) yourself when you could take advantage of FaaS?
Ideally, such an operation would run via the Dark Web, but fellow criminals can also be found on the Surface Web via forums and word of mouth. However, this is dangerous and illegal, and white hats often pose as black hats on these sites.
How much will it cost you? Prices vary and you need to weigh the risk; criminals are not known for their ethics. In a Business Insider article describing the prices you’ll have to pay for hacking activities, there’s an interesting offer from a hacker to improve Yelp ratings – interesting because some online job boards on the Surface Web are known for advertising similar services and looking for freelancers to give their company a good rating. But using the Dark Web is undoubtedly more lucrative, anonymous and cost-effective, although much, much riskier.
Since FaaS uses the same methods, tools and tactics as ordinary fraud – although usually in a more efficient and organized way – there are no special tricks to combat it. What merchants need to do in the face of this new threat is to apply the same best fraud prevention practices that have always been recommended, complemented by anti-fraud tools that have been selected and calibrated for their business.
Below are some simple measures merchants can take to prevent fraud:
When it comes to protecting customer accounts, standard password requirements are inadequate. While many online businesses are becoming more specific about the types of characters that must be included, the most important factor in password security is length. Setting a minimum password length of 10 or 12 characters helps prevent password cracking and makes it more difficult to reuse passwords. In fact, it’s probably a good idea to tell customers directly when they set up an account that they should not reuse a password they use for another service, although many customers will ignore this warning.
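As an added illustration of the length-first policy described above (this is example code written for this page, not a tool from the original article), the following Python checks a new customer password for minimum length, for the customer's own username, and against a small breach list. The breach list is constructed for the example; a real deployment would query a breached-password corpus, and the `breached_range` helper only mimics the prefix-of-hash lookup such services offer.

```python
import hashlib
import unicodedata

# Length is the primary control; no character-class composition rules are imposed.
MIN_LENGTH = 12
MAX_LENGTH = 128  # permit long passphrases but bound hashing work per request

# Constructed sample: SHA-1 digests of passwords pretend-harvested from breach dumps.
# In production this set would come from a breach-corpus service, not a literal.
_BREACHED_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper()
    for p in ("password1234", "qwerty123456", "iloveyou2024")
}


def breached_range(prefix5: str) -> set:
    """Stand-in for a prefix range lookup: return hash suffixes whose
    first five hex characters match prefix5 (assumption: the service
    answers with suffixes only, so the full hash is never transmitted)."""
    return {h[5:] for h in _BREACHED_SHA1 if h.startswith(prefix5)}


def is_breached(password: str) -> bool:
    """True if the password's SHA-1 appears in the breach set."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    return suffix in breached_range(prefix)


def check_password(password: str, username: str = "") -> list:
    """Return a list of policy violation codes; an empty list means accepted."""
    # NFKC normalisation so visually identical Unicode input compares equal.
    pw = unicodedata.normalize("NFKC", password)
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append("too_short")
    if len(pw) > MAX_LENGTH:
        problems.append("too_long")
    if username and username.lower() in pw.lower():
        problems.append("contains_username")
    if is_breached(pw):
        problems.append("breached")
    return problems


if __name__ == "__main__":
    for candidate, user in (("Tr0ub4dor&3", ""),
                            ("password1234", ""),
                            ("alicealicealice", "alice"),
                            ("correct horse battery staple", "")):
        print(repr(candidate), "->", check_password(candidate, user) or "accepted")
```

The breach check is what turns the "please do not reuse a password" advice into something enforceable: a password already in a breach corpus is rejected regardless of how many character classes it contains.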
Two-factor authentication is another important way to protect customer accounts, and new authentication methods are coming to market all the time. Merchants can now offer customers the option to authenticate with a text message, the Google Authenticator app, or biometric data such as a fingerprint or selfie.
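The authenticator-app option mentioned above is the TOTP scheme of RFC 6238 (HOTP from RFC 4226 driven by a 30-second time counter), which is what Google Authenticator implements. The following is an added Python example written for this page, not code from the original article: it generates codes from a base32 secret and verifies a submitted code with a small clock-skew window and replay protection. The secret is the RFC test-vector key "12345678901234567890" in base32; the accepted-window size and the `last_used_counter` bookkeeping are design choices assumed here.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed sample secret: base32 of the RFC 4226/6238 test key "12345678901234567890".
SAMPLE_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
TIME_STEP = 30


def _decode_secret(secret_b32: str) -> bytes:
    # Tolerate unpadded secrets as typically shown in QR-code provisioning URIs.
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    return base64.b32decode(padded)


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    digest = hmac.new(_decode_secret(secret_b32), struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, for_time: float, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / 30)."""
    return hotp(secret_b32, int(for_time) // TIME_STEP, digits)


def verify_totp(secret_b32: str, submitted: str, now: float,
                window: int = 1, last_used_counter: int = None):
    """Return the time counter that matched, or None on failure.

    window=1 accepts the previous and next step to absorb clock skew.
    Counters at or below last_used_counter are refused so a captured
    code cannot be replayed inside the window (assumed server-side state).
    """
    current = int(now) // TIME_STEP
    for delta in range(-window, window + 1):
        counter = current + delta
        if last_used_counter is not None and counter <= last_used_counter:
            continue
        # Constant-time comparison to avoid leaking matching digits via timing.
        if hmac.compare_digest(hotp(secret_b32, counter), submitted):
            return counter
    return None


if __name__ == "__main__":
    now = time.time()
    code = totp(SAMPLE_SECRET_B32, now)
    print("current code:", code)
    matched = verify_totp(SAMPLE_SECRET_B32, code, now)
    print("first use accepted at counter:", matched)
    print("replay accepted:", verify_totp(SAMPLE_SECRET_B32, code, now, last_used_counter=matched))
```

On the server, `last_used_counter` must be persisted per account after each success; without it, a one-time code is valid for the whole window and a phished or intercepted code can be reused by the attacker within that window.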
When anti-fraud measures fail, which is inevitable from time to time, and a fraudulent transaction is made, the genuine cardholder is sure to issue a chargeback as soon as they realize what has happened. If there is genuine fraud, the merchant has no way to fight the chargeback and represent the transaction. The only way to avoid credit card chargebacks and prevent the chargeback rate from rising is to prevent fraud in the first place.
FaaS is yet another development in the ever-growing problem of e-commerce fraud. Each time merchants and cybersecurity firms learn how to patch a vulnerability or identify a new scam, fraudsters set to work figuring out how to circumvent the latest protections or outsmart consumers who have seen through the latest phishing scam.
Preventing fraud is one of the cornerstones of any effective chargeback defense strategy. While many chargebacks are themselves fraudulent in nature and can be combated with the right evidence, true fraudulent chargebacks have a legitimate basis and merchants must take a proactive stance to fend them off. Reputable chargeback management firms always work with merchants to assess their fraud risk profile and make recommendations for tools, prevention practices and other solutions that can help them avoid falling victim to common fraudsters, sophisticated FaaS syndicates and everything in between.