How Crooks are Making $20,000 Weekly Defrauding Stripe
AlphaBay is gone, shuttered by the Feds, but the crimes perpetrated continue to thrive.
One of the more popular and profitable crimes involved one of Silicon Valley’s darlings, Stripe.com. Scores of cybercrooks were relentlessly robbing Stripe of thousands of dollars per week. Stripe’s vulnerability was so popular that a cottage industry had sprung up around supplying criminals with the means to maximize profits when targeting the company. Sellers provided tutorials in both live and written formats. They provided bank accounts and prepaid debit cards to use with Stripe, ready-to-operate websites, initial funding services, “no IP” panels so the location of charges couldn’t be determined, specific credit card BINs that worked well with the payment processor, cash-out services, and whatever else a burgeoning criminal might need in order to bring home close to $20k per week in stolen funds.
Payment processor fraud was popular up until the day the Feds closed AlphaBay down, July 5th, 2017. No payment processor was more popular among cybercriminals than Stripe. Stripe was the easiest to set up, the easiest to rip off, and it provided the most profit. Though AlphaBay may be gone and its owner dead, a suicide in a jail in Thailand, Stripe processor fraud is still alive and well. Speaking to a few of the popular stolen credit card information sellers previously vending on AlphaBay, GGMcCloud1, Gaia88, and Ston3d, they all confirmed that Stripe fraud is alive and well and reported continuing strong sales of “Stripe Friendly BINs”.
I’ve been asked by a couple of firms to send details on how criminals were ripping off Stripe. What follows is the meat of that report along with suggestions on how to curtail the fraud.
First, the thief must acquire an identity. The identity should be of a living person with a high credit score, but not someone who employs credit monitoring services. The identity will be used to set up a fraudulent bank account and also a Stripe account. For Stripe to work properly it is important that the bank account details match the Stripe details across the board. The criminal will need a complete “Fullz”: Name, Address, SSN, DOB, DL#, Credit Report, and Background Check. On various Dark Markets, “Fullz” sell for $30-$100 and allow the buyer to request gender, age, credit score range, and location.
At the time of AlphaBay’s closure, the banks where it was easiest for a criminal to open an account included SunTrust, B of A, Regions, and Capital One. Typically, the thief would apply for an account online, using all of the victim’s real information, including the address. The thief would choose paperless billing and usually not request a debit card. Accounts such as these are used as a dump: Stripe sends the stolen funds to this account and then the thief transfers the funds elsewhere to cash out. If the crook does intend to use this bank account to cash out as well, then it works a bit differently. The “Fullz” the thief uses should be local to the criminal. The criminal WILL order a debit card and will either steal it directly from the victim’s mailbox, have the mail redirected, or add a “Drop” address to the victim’s credit report and set the bank account up using the Drop address once it is reflected on the credit report.
The next step in this fraud involves setting up an ecommerce store selling a low-risk item. A paid domain is a necessity, and it is better if it has some age to it. The crook will buy the domain under the victim’s name, using a prepaid debit card. He will also buy the most expensive WordPress package, and any additional bells and whistles. Setting up a webstore is an important part of this crime. If the fraudster isn’t comfortable building his own webstore, there are a variety of vendors on Dark Markets offering such services. Prices range from a couple of hundred dollars to well over $1000 if the buyer needs to have his Stripe account “Charged”.
The crook likes to set up Stripe using third-party systems, such as Shopify. Or they spoof the victim’s phone number and call in to register. Why? Going this route defeats any security measure Stripe has in place when registering directly.
Which brings us to the next step in defrauding Stripe, “Charging”. When someone opens a Stripe account, Stripe pays out all credit card charges to the account owner in 7 days. Once the account has had a legitimate charge run through it, Stripe pays out in 2 business days. “Charging” is the criminal running one or more legitimate charges through Stripe in order to get the payout down to two business days. At one point, this was possible using prepaid debit cards. It still is to some extent, but it is hit and miss. So the fraudster needs a way to run a charge through that won’t result in a chargeback. That can be difficult. After all, the fraudster doesn’t want to use his own credit card or that of his friends to charge the account. That story only ends with cuffs and jail time. Our fraudster may try to run through stolen credit card information and hope that a chargeback is delayed long enough for him to start running through dozens of stolen cards. That is the whole basis of “Stripe Friendly BINs”: BINs which typically take a long time to initiate chargebacks. The fraudster might actually sell some items to collect legitimate payments. Or he might be too scared that such an action might later be linked to him. To address the problem of “Charging”, several Dark Market vendors offer “Charging” services. At a cost of $500, a vendor named “Vusion” will fund your Stripe account with $300 in chargeback-free funds.
Once the account is charged and aged a bit, usually a bit more than 30 days, the crook can start running stolen credit card data through it. The age of the Stripe account and how much legitimate-looking traffic has gone through it determine how long the fraudster can run stolen cards through the account. A newly opened account will only support two fraud tickets before it is closed. An older account with more traffic will support more tickets and live longer. Amounts run through the Stripe system don’t really matter. To Stripe, $50 or $500 are treated exactly the same. As such, criminals try to run each stolen card for as much as possible.
The fraudster runs the cards through. The funds are deposited to the bank account set up earlier. Depending on how the bank account was set up, the fraudster may then cash out through that account, send funds to another account, or use a variety of other methods to obtain the cash Stripe sent out.
There are a variety of tools available which might aid in defrauding Stripe:
1. No IP Panel. The ability to run credit card data through the Stripe system without associated IP addresses. This is accomplished either by using a third-party payment app in conjunction with Stripe or by purchasing such a panel developed by hackers for specifically that purpose. Price to purchase? $1200
2. Antidetect 7.1 or similar. A software tool which prevents device fingerprinting. Prices vary.
3. Socks5 Proxy. Provides a clean residential IP within 25 miles of the actual account holder. Price $.30
4. RDP. Remote Desktop. Provides a residential, clean, computer and IP address within 25 miles of the actual account holder. Remote controlled by the criminal. Price: $5-$30
5. Phone Spoofing. The ability to mimic the actual account owner’s phone number when phoning in to banks, Stripe, etc. Price: Roughly $.15 per minute
Using the above process, countless members such as lewisdool, JohnDoett, m0zz, FraudGod, SxurceForge, and others were and are continuing to defraud Stripe for more than $20,000 USD per week.
So goes the process in a nutshell. There are tweaks implemented by various individuals which raise success levels, but the process remains mostly as described.
So how does Stripe stop it? Well, first you have to wonder how committed Stripe is to stopping it. Not saying it is true, but a cynical person might think all that fraud going through Stripe helps pad the books to make them look more profitable. Not saying I believe that, but a cynical person. Good thing I’m not cynical.
Me? I’m sure Stripe is committed to stopping this type of fraud. Good thing it isn’t all that difficult. Strange, though. Companies like Square have gotten considerably harder to commit fraud on. Stripe remains fairly easy. Gotta wonder why.
The above is a basic blueprint used by most criminals. It should be easy enough for the Stripe team to look for those indicators.
Here are a few ideas. There are tons more. Literally, I can spend a couple of hours going through ideas on how to counter this stuff.
A massive increase in income should automatically move the account back to at least a 7-day payout. That is, small amounts which look like they are simply there to make the account look legit, followed by rapidly increased sales after a given period, should get the account shut down.
Use of prepaid cards should always result in at least a 7-day payout.
Stripe could verify phone numbers through a variety of means. Prepaid numbers, VOIP, new numbers: all should be flagged. Return calls or SMS messages should be sent to the phone number on file.
Companies like Emailage offer services to determine the age of an email address. A new email address should always mean at least a 7-day payout.
Thieves rely heavily on aging these accounts so that they will survive a couple of fraud notices before Stripe closes them down. Why wait? The first indicator should flag the account, and action should be taken then.
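As an added example that is not part of the original post or Stripe’s own logic, the following Python turns the countermeasures above into rules run over constructed account data: prepaid cards, risky phone types, new email addresses and a sudden sales spike all push the payout back to 7 days, and the first dispute holds the account. The spike ratio, 7-day window and 30-day email cutoff are assumed thresholds.

```python
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass
class Charge:
    day: date
    amount: float
    prepaid_card: bool = False

@dataclass
class Account:
    charges: list
    disputes: int = 0
    phone_type: str = "mobile"   # "prepaid", "voip" or "new" get flagged, as suggested above
    email_age_days: int = 365

FAST_PAYOUT, SLOW_PAYOUT = 2, 7  # business days: the two payout schedules the article describes

def velocity_spike(charges, window_days=7, ratio=5.0):
    """True when the last window's daily volume is >= ratio x the earlier daily rate
    (window and ratio are assumed thresholds, not Stripe's)."""
    if not charges:
        return False
    last = max(c.day for c in charges)
    recent = [c for c in charges if (last - c.day).days < window_days]
    older = [c for c in charges if (last - c.day).days >= window_days]
    if not older:
        return False  # no baseline period to compare against
    older_days = (last - min(c.day for c in older)).days - window_days + 1
    older_rate = sum(c.amount for c in older) / max(older_days, 1)
    return sum(c.amount for c in recent) / window_days >= ratio * older_rate

def review(acct, new_email_days=30):
    """Return (payout_days, flags, hold); new_email_days=30 is an assumed cutoff."""
    flags, payout = [], FAST_PAYOUT
    if any(c.prepaid_card for c in acct.charges):
        flags.append("prepaid_card"); payout = SLOW_PAYOUT
    if acct.phone_type in ("prepaid", "voip", "new"):
        flags.append("phone_" + acct.phone_type); payout = SLOW_PAYOUT
    if acct.email_age_days < new_email_days:
        flags.append("new_email"); payout = SLOW_PAYOUT
    if velocity_spike(acct.charges):
        flags.append("velocity_spike"); payout = SLOW_PAYOUT
    hold = acct.disputes >= 1  # act on the first fraud indicator rather than waiting for a second
    return payout, flags, hold

# Constructed sample data: a few small "charging" sales, then a burst of large charges.
D = date(2017, 8, 1)
BURST = Account([Charge(D + timedelta(days=d), 25.0) for d in (0, 7, 14, 21, 28)]
                + [Charge(D + timedelta(days=d), 500.0) for d in (36, 38, 40, 41)],
                email_age_days=10)
STEADY = Account([Charge(D + timedelta(days=d), 100.0) for d in range(30)])
```

`review(BURST)` returns a 7-day payout with the new-email and velocity flags, while `review(STEADY)` keeps the 2-day payout with no flags.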