Advanced transaction laundering - Competitor takedown attacks

Transaction laundering, also known as transaction cleansing, has existed in the payments industry for years. It involves processing the card sales of one merchant through the merchant account of another. In the e-commerce arena, this is difficult to spot for acquirers and payment service providers (PSPs) because the transactions are generated by seemingly legitimate front websites.

Transaction laundering today is not a singular issue. The fact is: Criminals have innovated around it. It’s almost a case study for business-savvy product development. To use modern management-speak, they have been agile and pivoted their propositions. They have iterated their business models to encompass one-off and per-transaction fees for regular income. Transaction laundering now includes merchant affiliate network scams, ‘crime as a service’, cyber extortion and competitor takedown attacks.

Vintage transaction laundering

In the old, pre-internet days, Merchant A may have processed sales through Merchant B’s card terminal if he did not have his own terminal. Or if he took card payments so infrequently it was not worth committing to a monthly contract, terminal rental fees and a dedicated comms line. Alternatively, Merchant A may have had an acquiring contract and diversified his business activities without informing his acquirer.

Acquirers didn’t like it. It was against their terms and conditions as well as card scheme rules. But it happened on a fairly small scale. However, the e-commerce channel created new use cases, made the practice scalable and lowered the risks of being caught. Merchants would deliberately aggregate sales from undeclared websites and/or for illegal, restricted or scheme-prohibited products and services.

Let’s throw affiliate marketing into the mix

In e-commerce, affiliates play an important role by referring potential customers to merchant websites in exchange for an incentive. They usually do not capture or store card details, maintain a direct relationship with cardholders or dispatch goods/services to them.

Illegitimate or unscrupulous affiliates do all of these things. They also maintain side-relationships with merchants to process card payments without having direct access to the payments system. They do so by visiting the merchant’s website, placing an order for an item or service with a similar price to the one they sold their customer, and enter the card details received. The merchant processes the payment and pays the affiliate’s incentive.

If this is a collusive relationship between the affiliate and the merchant, it ends there. However, if the affiliate is duping the merchant into processing transactions, then he may take the precaution of entering stolen or made-up customer details. This ensures that no direct relationship exists between merchant and end customer.

‍

‍

Variations on a theme

Unscrupulous affiliates may exploit their customers as well as merchants. They may change the order or payment details (e.g. amount or billing frequency). They may deploy deceptive sales and marketing techniques, for example setting up recurring card payments without the customer’s explicit permission or selling via negative option. Because the affiliate is often selling unsavoury – if not downright illegal – goods or services, he does not have to fear serious pushback from his customers.

The affiliate network scam can also be deployed as a variant of the traditional bust-out merchant. After a period of normal trading, the affiliate deposits a large number of fraudulent transactions or enters card details obtained from a data breach, claims their incentive payments and disappears.

This type of fraud is difficult, although not impossible, to detect. Merchants can look out for batches of transactions or concentrations from IP addresses. Orders from certain affiliates may have suspiciously low cancellation, refund or chargeback rates. Customer login details provided may never be used, even though they were paid for.

Test transactions gone bad

Criminals did not stop there. They extended the principle of collecting and storing card details before manually entering them into a second website. When the major card schemes set up their brand protection programmes at the beginning of the decade, they conducted test transactions at websites under investigation.

Criminals harvested these test card numbers by designing dummy websites claiming to sell illegal products/services. As these had complicated URLs, they were unlikely to be found via search engines. Finally, the criminals anonymously tipped off the card schemes and waited for them to conduct test buys on the site. They harvested the card details and began to monetise them.

Firstly, they offered ‘crime as a service’ competitor takedown services for up to €500,000 on darknet forums. They would be commissioned to manually enter these test card numbers on competitor sites to trigger acquirer and card scheme investigations, fines and so on.

Secondly, they developed an online protection racket where they would contact merchants and threaten a competitor takedown attack if they didn’t pay a certain amount of money. They also turned these extortion attempts into a service offering to run the merchant’s transactions against their blacklist of test card numbers, charging them a $1 fee per transaction and giving them steady, regular income.

‍

Web Shield’s intelligence

At Web Shield, we have been monitoring these on these kinds of scams from the beginning. One such case was pay2us.biz, an affiliate transaction laundering case that evolved into a competitor takedown vendor in 2012 and then into a cyber extortion racket. If you want to know more about this specific case, check out our 2016 article in the Paypers.

These kinds of attacks are still going strong in 2019. Just recently, we observed how the card details of a test purchase on an obviously non-compliant website were entered into a merchant’s system, but without an affiliate link or extortion attempt. In this sense and as no clear financial gain for the perpetrator was involved, it seems to have been a competitor takedown attack in the purest sense of the word.

The conclusion for us: test transactions can still be weaponised, and it is important to conduct any non-compliance investigation in an unbiased manor, as the potential fraudulent merchant could well be the victim of a competitor takedown attack.

In summary

Transaction laundering has been around for years. Acquirers and PSPs are advised to keep abreast of the changing threatscape, as they are at risk. For their part, the card schemes need to review how test transactions are conducted. The problem: there are no silver bullets to the problem. As we have seen, cybercriminals are agile and always try to find a way to circumvent controls and illicit access to payment systems. Engaging a specialized service provider for online investigations like Web Shield improves your non-compliance response process and ensures that the true perpetrator is identified.