
How Adversaries Conduct Reconnaissance for Fraud Operations

Sep 29, 2022

Continuing our series on the adversarial mindset: fraudsters identify a target based on the ease and speed with which they can monetize their fraudulent activities.

Many of the reconnaissance steps involve a threat actor learning how a company conducts its business, and fraudsters often end up understanding the business almost as well as the company and its employees do.

Generally speaking, the fraud centers on five categories:

  1. Account takeover
  2. Payment fraud
  3. Identity fraud
  4. Phishing scams with business email compromise
  5. Spam

When conducting reconnaissance against a specific target, threat actors and fraudsters will typically undertake the following steps:

  1. Identify a potential target’s product line and business procedures:
    1. Review the target’s accounts or services for consumers or for other businesses.
    2. Determine how payment is normally conducted on these products and accounts.
      1. For example, is payment online, invoiced, or rendered after a service is conducted?
    3. Identify Know-Your-Customer or product and account application procedures.
    4. Determine ease of account creation or account takeover.
      1. In other words, if the fraudster wants to be a consumer of the company’s service, can they immediately create an online account or do they have to submit an application that will involve a consumer credit check?
  2. Identify and test “gaps” within the institution’s products and/or procedures, such as whether the company uses weak identification methods or an “invoicing” model of payment (which makes bust-outs¹ on accounts possible while the actor remains undetected or anonymized).
    1. Example questions an adversary will attempt to answer include:
      1. How do they conduct their customer authentication?
      2. How can one bypass these measures with minimal detection of anomalies?
  3. Determine how to compromise the institution’s consumer or client business accounts. Based on the sophistication of the actor, this could be through:
    1. Building or purchasing “brute-forcing” or “checking” tools specifically developed for a target’s website.
    2. Use of heavy-duty software to avoid browser IDs. The software enables fraudsters to create multiple instances of virtual machines in browser windows.
    3. Ability to spoof location. When a fraudster buys a batch of compromised card details, they can quickly find out where the card they are using is registered, and then spoof their location so that they appear to be there.
    4. Calling services and phone number spoofing. Fraudsters can buy real customer phone numbers online with card details – but they won’t have access to the actual phone. To get around this they can contact the customer’s phone company to request all calls be diverted to their own number so that they can verify purchases if needed. The dark web also advertises ‘calling services’ where someone can call a victim’s bank and credit card provider to change their registered phone number.
    5. Collecting breach datasets to conduct credential validation attacks against a target’s website.
    6. Creating or purchasing malware that could be deployed against a target’s website and/or clients to collect their online credentials.
    7. Simply purchasing accounts that are already compromised. As well as payment card details and personal information, fraudsters buy and sell device IDs and driving licenses. Fraudsters can use this to appear more convincing, or they can mix different customer details up and create new accounts under these synthetic (fake) IDs.
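
From the defender's side, the credential validation and “checking” activity listed above leaves a recognizable shape in login logs: one source trying many distinct accounts, mostly failing, often with a fresh browser ID on every attempt. The following is an added example, not part of the original post; the log fields, thresholds, and sample events are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (time, source IP, browser ID, username, succeeded)
def sample_events():
    base = datetime(2022, 9, 29, 12, 0, 0)
    events = []
    # Checker-style source: 12 usernames in 2 minutes, new browser ID each time.
    for i in range(12):
        events.append((base + timedelta(seconds=10 * i), "203.0.113.7",
                       f"fp-{i:03d}", f"user{i}@example.com", i == 8))
    # Shared office egress IP: many users, nearly all succeed (must not alert).
    for i in range(12):
        events.append((base + timedelta(seconds=15 * i), "198.51.100.20",
                       f"office-{i % 4}", f"staff{i}@example.com", i != 3))
    # One customer mistyping a password, then succeeding (must not alert).
    for i in range(4):
        events.append((base + timedelta(seconds=20 * i), "192.0.2.55",
                       "fp-home", "alice@example.com", i == 3))
    return sorted(events)

def find_credential_validation(events, window=timedelta(minutes=5),
                               min_users=10, min_fail_ratio=0.8):
    """Flag IPs that try many distinct accounts, mostly failing, in a sliding window."""
    by_ip = defaultdict(list)
    for ev in sorted(events):
        by_ip[ev[1]].append(ev)
    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1  # drop events older than the window
            win = evs[start:end + 1]
            users = {e[3] for e in win}
            fails = sum(1 for e in win if not e[4])
            if len(users) >= min_users and fails / len(win) >= min_fail_ratio:
                flagged[ip] = {
                    "distinct_users": len(users),
                    "distinct_browser_ids": len({e[2] for e in win}),
                    "fail_ratio": round(fails / len(win), 2),
                    # Logins that succeeded here are likely validated credentials.
                    "accounts_to_review": sorted(e[3] for e in win if e[4]),
                }
    return flagged

if __name__ == "__main__":
    for ip, stats in find_credential_validation(sample_events()).items():
        print(ip, stats)
```

Keying on the failure ratio rather than raw volume keeps the shared office IP out of the results, and the accounts that did authenticate from a flagged source are the ones to reset or step up first.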

Cyber-enabled fraud is now commercialized in underground forums such that fraud actors are providing compromised accounts and other selectors or services for purchase across a wide variety of deep web, dark web, and social media platforms.

Now, even unsophisticated actors can conduct account takeovers, payment fraud, identity fraud, and phishing scams by purchasing “ready-made” compromised accounts, without having to go through the trouble of conducting the compromises themselves.

This fraud-as-a-service ecosystem has widespread implications for retail, technology, social media, and financial institutions because the cyber-enabled nature of account and payment fraud allows unsophisticated actors in one area of the globe to purchase services from anonymous, sophisticated actors in other regions.

 

¹A bust-out is a type of credit card fraud where an individual applies for a credit card, establishes a normal usage pattern and solid repayment history, then racks up numerous charges and maxes out the card with no intention of paying the bill.