HPE researchers have uncovered a complex web of shipment scams which rely on US operators and stolen credit card information to provide goods fradulently to customers in Russia.
Credit card fraud is big business. Data breaches at high-profile companies are becoming commonplace, and as data collection -- and theft -- surges, the sale of stolen information has become established as a business in its own right.
Unfortunately for victims that often bear no responsibility for such theft, this can lead to pillaged bank accounts and identity theft as goods are purchased using their funds for other purposes.
Large-scale criminal operations often rely on fraud to keep going. According to Hewlett-Packard Enterprise (HPE)'s security research analyst report, stolen credit card data is being used in "reseller" operations in areas where many US companies will no longer ship due to high levels of fraud -- such as Eastern Europe.
Items in high demand are purchased in the US using stolen information and then resold for cash through international scams made possible through the Internet.
Bypassing these corporate restrictions is important, and so cybercriminals will often find an intermediary able to receive the goods before they are sold on in other countries.
This intermediary part of the supply chain is of particular interest to HPE's researchers. In a study taking place between August 2015 and February 2016, the team found that reshipping websites are commonly used to maintain contact with "stuffers" -- those who use stolen credit card data in the United States to purchase items fraudulently -- and "drops," who often unwittingly will accept these products for reshipment across restricted areas, such as Russia and Ukraine.
Drops are most often recruited in the United States through email, where they later visit reshipment websites to be assigned their tasks.
"Bosses make their profits by selling high-demand goods in grey markets, realising high margins due to low acquisition costs," said the report, released on Tuesday.
"Admins make a cut of these profits by creating the website, recruiting drops, providing fraudulent shipping labels and selling the goods. Stuffers make their cut of the goods purchased typically as a percentage assigned to each product type."
Most drops are located in the US, however, Germany is also impacted by such schemes. Everything from consumer electronics to clothes and toys are purchased online by stuffers.
While a number of the reshipping websites have only been in operation for a few months, business is booming. HPE found that despite this short time frame, hundreds of drops have taken place, leading to thousands of products already being purchased using stolen information before shipment.
People seeking a "work from home" setup are most often recruited. They may be promised a base monthly pay or as cash-per-package. Often, however, the stuffers are scammed and no payment is ever made, bumping up the profit margins of the cybercriminal operator -- who makes every effort to appear legitimate to recruit staff.
In short, not only are the victims of credit card fraud left potentially out of pocket, but the mules which support the underlying structure of the scam through their efforts under the belief the work is a legitimate enterprise receive nothing, either.
"Spotting these fraudulent transactions can be difficult as they often occur soon after a card is breached and before the issuer is able to shut down the card number," HPE says. "HPE Security Research advises retailers to monitor for this activity and stay aware of scam operations such as these, as the operations in turn evolve their tactics to avoid detection and maximise profit."