The recent Annual Payment Fraud Intelligence Report: 2022 released by Recorded Futures and Insikt Group has illustrated some interesting facts and figures about the levels of cardholder data fraud during 2022.
Whilst it is always advisable to treat research numbers from the Dark Web with caution (as not everything can be seen without access to every source of data which is hard, if not impossible, in the dynamic changing world of the Dark Web) the findings are a useful indicator of trends.
Some of the headline figures include:
– During 2022 the researchers found 45.6m CNP (Card-Not-Present) and 13.8m CP (Card Present) records available for purchase on the dark web.
– These figures represent a 62% drop in terms of the data available for purchase in 2021.
– The Recorded Future Magecart Overwatch program found 1,520 unique malicious domains involved in infections of 9,290 unique e-commerce domains during the period.
– Over 20.5m full PAN (Primary Account Numbers) were posted in plaintext or as images in a wide variety of paste bins, forums and social media.
– Over 1,000 unique merchants suffered from breaches that exposed customer payment card data in 2022.
– The highest-impact compromises targeted outsourced online ordering solutions for restaurants and ticketing solutions for entertainment and transportation companies.
There is some speculation that the reduction of activity is driven in part by global events – especially related to the War between Russia and Ukraine – as well as the overall switch from card payments to other means of payment.
Despite the reduction in activity, the report detailed how the card fraud market and the threat actors who populate it demonstrated remarkable resilience.
Magecart
Magecart attacks remained popular among dark web cybercriminal communities. Magecart is a blanket term for the illegal digital card skimming scripts that can be maliciously injected into checkout pages on e-commerce servers running the Magento Content Management System. The objective of the attack is to steal payment card information. The initial malware scraped the users’ details from the checkout page and posted them to an external website. Early unpatched versions of the Magento platform were/are particularly susceptible to this.
Magecart actors continued to exploit Google Tag Manager (GTM), a marketing tool used to collect website usage metrics and track customer behaviour. 891 eCommerce domains were found to be infected by these Magecart variants.
Last year, a new Magecart threat surfaced, where a malware server used the HTTP referrer header in requests to limit downloading of malicious scripts. Links to the malicious Javascript files were injected into eCommerce shops, but the malicious scripts would only be activated when particular conditions were met. The HTTP referrer headers had to be present, and these values had to be present in the infected websites. It seems that this step was introduced to hamper the analysis of the problem.
So, what can we expect to see in 2023?
With the political issues mentioned still unresolved, we may likely see a lower rate of payment fraud than in previous years, but it still poses a significant risk to organisations.
Threat actors continue to develop and deploy more sophisticated attacks with no signs of slowing down, and they continue to adapt their techniques to keep up with the evolving payment environment.
As more countries adopt cardless payment solutions, we can expect to see a decrease in CP and an increase in CNP volumes. With the continued shift towards online payments, e-commerce sites will likely remain a target for cybercriminals. After the success of Magecart 2022, we can expect to see an increase in these attacks for 2023.
Industry predictions
“With the cost of living crisis biting even more as we start 2023, expect the fraudsters to be on the lookout for opportunities to take advantage of this. As customer authentication on e-commerce transactions is becoming more prevalent, the opportunity for Ecom related fraud is dwindling so more ingenious methods need to be deployed. Fake emails, texts and phone calls all purporting to assist with managing bills and saving money have risen significantly. Leaked credentials and personal information that can be gleaned from social media is making this easier than ever, so be vigilant and don’t share anything that could give away key pieces of information, specifically those used for ID checks (DOB/Address/Maiden Name/First School etc).”
– Paul Brennecker, Head of Information Security Services at 3B Data Security
Looking at predictions from others in the industry, it’s expected that more merchants will look to adopt the latest open banking APIs. These support variable recurring payments, as well as one-off payments. This could lead to a decline in direct debits, as they gradually lose market share as a payment method.
Buy Now, Pay Later (BNPL) products are also expected to be in high demand. Usage is set to increase in the short-medium term because of strong benefits for the consumers and merchants. However, credit losses are likely to increase significantly, and the sector is expected to lose its unregulated status in many markets.
Fraud reduction is still seen as the major use of data for most industries. The use of payment data for marketing and cross-selling purposes has become more difficult due to regulatory restrictions on the use of personal data. This has left the field clear for a small number of global big techs who have better technology and a different business model than conventional payment providers.
Protect the payment card data you process
At 3B Data Security, we have a wealth of experience in the payment card industry, having helped customers in multiple sectors in the UK and internationally. Our expert team specialise in PCI DSS compliance and PCI Forensic Investigations, with over 20 years of experience in payment security. Find out how our team can help protect your payment card data.
