After a three-year investigation by the FBI and the UK’s Serious Organized Crime Agency (SOCA), British authorities announced they have arrested the sophisticated network of cyber criminals behind DarkMarket, one of the world’s top criminal websites. The site, which operated out of an unassuming London Internet café, was an international cyber supermarket for stolen credit card and bank account information that officials say has cost the banking industry tens of millions of dollars.

According to a recent article, “Welcome to DarkMarket: a global shop for cybercrime and banking fraud,” the DarkMarket site was an online superstore of personal data, viruses, tutorials, and a whole host of other resources for fraudsters. In order to gain access to the site, which was by invitation only, those wanting to become members had to offer up details of 100 compromised credit cards – 50 each to two separate members who would then test the cards in the market to see if the information was valid. If the information was usable, the applicant would gain entrance to the site. If not, access would be denied.

Once in, members could trade everything from credit card details to bank account PIN numbers obtained through hacking, phishing scams, and ATM skimming devices. The site even had a crime “menu,” where for very reasonable prices, members could purchase, among other things:

• Information needed for online transactions ($3-$10 depending on quality)
• Credit card images ($30 each)
• Bank logins (2% of available balance)
• Billing details needed for opening or taking over accounts ($150 for accounts of $10k balances, $300 for accounts with balances of $20k)

Of the estimated 2,000 members who had access to the site, so far the bust has led to the arrest of more than 60 members who are scattered throughout the globe, in countries including the UK, United States, Canada, Germany, France Turkey, Israel and Russia.

The scope and reach of the DarkMarket website underscores the magnitude of such an operation, as well as the growing problem of organized fraud. With more personal information accessible over the Internet, cyber criminals have built thriving illegal networks to buy, sell and trade financial data and share information on how to defraud all types of online businesses. Certainly businesses are dealing with an increasingly sophisticated threat and must continually evolve and be vigilant to defend their businesses from attack.

I commend the National Fraud Reporting Centre (NFRC) for getting the hotline going. The helpline will allow individuals and small businesses to report cyber crime to a central agency, simplifying what would otherwise be a confusing process involving potentially several different government ag encies. A similar effort in the U.S., the Internet Crime Complain Center (IC3), currently allows individuals to file complaints of internet fraud through its website.

In both cases, setting up centralized agencies to manage reports of internet crime allows for greater cooperation among different law enforcement agencies—from local police to state and federal bureaus—so that large-scale operations of identity theft and phishing attacks, for example, can be more easily identified and addressed at the appropriate level. Also, by offering individuals one clear method of reporting internet fraud, as opposed to several, the hope is that more victims and informed third-parties will be inclined to report what they know.

As we’ve mentioned in previous posts, because most cyber crimes are committed across national borders, local law enforcement is severely limited in its ability to catch and prosecute individuals who commit such crimes. While continuing efforts are being made to stop these criminals, engaging the public about online fraud trends is a worthwhile step in helping raise awareness and hopefully prevent more people and businesses from becoming victims of Internet crimes.

Establishing programs such as the Action Fraud hotline and the IC3, can also build alliances and partnerships between individuals, groups and businesses that could benefit from sharing fraud information and intelligence. Collaborating with your peers to fight fraud is the basic concept behind iovation’s fraud management system, which provides a shared environment that allows online businesses to benefit from the thousands of additional resources, tools and experiences to better protect themselves from online fraud and abuse.

Device reputation is an important component of best practice fraud management – 2009 was a difficult year for business, but one trend that emerged was an increased visibility into how valuable device fingerprinting and reputation solutions can be as part of any sophisticated fraud prevention architecture. Some of our articles on this topic:

• The First Five Benefits You Will See From Device Reputation
• Not All IP Addresses are Created Equally
• Device Fingerprinting Techniques – Several Choices

Online retailers are under attack – Online retailers continue to find themselves under attack and we touched on this topic a number of times this year. Here are some of the highlights:

• Online Merchants Are the Real Victims of Identity Theft
• Interview with Merchant Risk Council Executive Director, Tom Donlea
• Fighting Friendly Fraud With Device Reputation

Online games continue to attract attackers – Massively Multiplayer Online (MMO) games continue to be a favorite target of hackers. Financial fraud coupled with theft of accounts, virtual assets and exploitation of in-game economies through gold farming all pose serious threats to the online gaming industry. Some of the highlights:

• iovation Interviewed at Casual Connect on Protecting MMOs from Fraud
• Virtual Money is the Most Popular Digital Good
• Fighting MMO Fraud and Abuse isn’t Child’s Play

Online dating scams threaten virtual communities – Online romance scams are a prevalent and serious threat to online dating sites. Stopping scams and preserving the customer experience are necessary in order to ensure a healthy future for online dating industry as a whole. Some of our articles on this topic:

• Online dating scams, the biggest threat to a growing industry
• Social networks and malware, a potent combination
• Online Dating – Blocking the Bad Guys

Fraudsters and scammers continue to organize – Fraudsters are working together more than ever to defraud online businesses. We have touched on this topic a number of times throughout the year:

• Exposing Online Fraud Rings – Untangling the Web
• Botnets – Propagating Threats, DoS, and Identity Theft
• Conficker Starts Up Botnet to Enable Online Fraud

We hope you have found some (or all) of these posts interesting and valuable. We look forward to exploring many new topics relevant to the fight against fraud in 2010.

Besides providing statistics on what online purchases people were spending their hard-earned money on during Black Friday, ReD also noted that online criminals were out in force, busy spending other people’s money. “Whilst online retailers witnessed a huge upturn in sales this Black Friday, fraudsters are also ‘spending’ more, with an average value of $248 per transaction online, 23% more than the average genuine customer,” said ReD’s CEO, Carl Clump.

And in most cases, it seems that fraudsters were clamoring for the same hot commodities as everyone else. Based on ReD’s list, the three most popular items bought with stolen credit cards were gift cards, Nintendo Wiis and Xbox 360s. Of course, this doesn’t mean that fraudsters will soon be kicking back and playing their stolen video games. It’s important to remember that for criminals, online theft is a business, and the principles of supply and demand are still in effect. Fraudsters choose to steal items that are in high demand because it will be easy to turn those goods around for a quick profit.

The problem is, if online criminals are profiting—it means online merchants aren’t. And while a new camera or video game might be at the top of many of our wish lists this season, for online criminals, it always comes down to one thing: money.

This attack is even more relevant to me personally as I witnessed this attack on a friend of mine this past weekend. My friend received a voice message telling him that his debit card account had indications of fraud and to call the 800 number immediately to get details. Once he connected to this number he was directed to enter his card number to get details on the incident. It so happened that he didn’t have his card with him so he hung up intending to call back later. When he did call back, he called the number of his financial institution on his card instead of the number left on voice mail. It was a good thing he did. There they indicated that there was no fraud activity on his account and that he had been a victim of a vishing attack.

In this incident it turned out ok because he never entered his personal information, but it could have easily turned out differently. The lesson from this incident is that as with websites, you shouldn’t trust messages directing you to a phone number that requests personal or financial data. If you receive an indication of fraud or some other problem with a financial, or other account, you should dial the actual company number and have them direct you to the appropriate department. Do not trust phone numbers left to you in a voice mail that ask you for personal information.

When personal identities have such value to scammers, individuals must be increasingly vigilant about protecting this data and ensuring that they do not deliver it into the hands of the bad guys.

This is an interesting concept, but the execution of this with online businesses will make all the difference. The key here is the merchants and their adoption of this technology. If adoption is slow, then the card company may be forced to allow use of this card at sites without the pin. If this is the case, the improved authentication is rendered useless because a scammer could still steal the card information and use it online. If, on the other hand, the card issuer continues to require the use of the pin in order to complete an online transaction despite slow adoption by merchants, this could doom the use of the card by consumers as they won’t find enough places to use it.

Online merchants are the key to the success of this experiment and they have incentives to make this work. CNP fraud is a big problem and costs online companies billions of dollars per year. If they can band together to speed adoption of this technology, it will go a long way to changing how online fraud occurs.

While the trust between friends on sites like Facebook and MySpace certainly contributes to the problem, there are probably three other factors that should be mentioned:

1. Social networking sites are driven by links. Where e-mail is about easy and quick communication, social networking sites are driven by shared links to interesting news propagating on the web. In the case of Twitter, probably more than 90% of tweets contain links to articles on the web.
2. Browser exploits are THE method of propagation for malware. Worried about the latest self propagating worm exploiting a zero day vulnerability? The threat from a worm pales in comparison to the volume of attacks coming through your browser. TippingPoint’s Pwn2Own contest highlights browser vulnerabilities and the results from this year’s contest were scary. On the first day Safari, Firefox and Internet Explorer all hit the dust with new zero day exploits. This contest actually saw the first official exploit for IE8. Today, scammers take advantage of the weakness of the browser by linking users to infected sites through phishing and link postings. URL shortening complicates this because the user has no idea of what site they are really linking to.
3. Social posts are far less filtered than e-mail. The e-mail spam and virus filtering market has matured and most users have some rudimentary form of filtering for one or both of these items in e-mail. With social networks there is no such filter other than choosing who you befriend and follow. If you are following the latest #trend on Twitter, you will get the good, bad and ugly of links including links to phishing sites.

Link quality poses a serious threat to social networking sites. With numbers demonstrating that the effectiveness of malware attacks in social networks is 10 times as effective as e-mail you can be sure that scammers are taking notice. The inherent nature of social networks makes this a difficult problem to combat. The best advice for all users today? Think before you click and keep your anti-virus software up to date.  Social networks need to identify scammers, ban their accounts and prevent them from creating new ones in order to ensure the future of their sites. This, coupled with greater user awareness, should help reduce the problem.