Threat actors and fraudsters have a long history of finding opportunity in crisis. Financial fraud increased drastically after the attacks on 9/11, and after the 2008 downturn.
New research from Sixgill shows just how quickly criminal schemes can react to changes in the economy.
Between March 2020 and May 2020, the earliest days of the pandemic, payment platforms such as Cash App and PayPal saw a 10.7 percent increase in usage. This spike was largely the result of increased online shopping and a big jump in people sending money to cash-strapped friends and family, according to Apptopia.
Fraudsters were paying attention. We counted the number of times the 14 largest payment platforms were mentioned on deep and dark web forums and messaging platforms frequented by hackers and criminals. The rise was staggering: from February until the peak in May, the total number of mentions rose 262%.
Posts mentioning PayPal and Cash App logs rose significantly.
This increase dovetails with other signs of increasing fraud amid the chaos of the pandemic. During the COVID-19 lockdowns, there was a 400% increase in cybercrime reported to the FBI, and the UN reported a 350% increase in phishing sites. With PayPal routinely cited as one of the most-targeted brands in phishing attacks, if not the most targeted, we would expect it to have been very heavily targeted during this time, resulting in an increase of logs for sale.
Indeed, PayPal led the pack among mentions. From December 2019 through June 2020, there were 6.29 million mentions of these payment apps on the dark web, 37% of which referenced PayPal. There was a very clear concentration at the top. PayPal and Cash App account for nearly two-thirds of mentions, while mentions of the other payment platforms did not even pass the 1% threshold. However, keep in mind that 0.2% represents over 10,000 mentions.
Payment platforms can be exploited in several ways. The first is fairly obvious.
Thieves use stolen login credentials to clear out an account. On the dark web, these credentials are referred to as “logs.” Clearing out an account is risky: law enforcement can fairly easily track the bank account that the stolen money was sent to. Sophisticated criminals, seeking to limit their exposure, will sell the stolen credentials in bulk, sometimes 10 at a time, but also in larger groupings of hundreds or thousands.
These actors claim to have hundreds to low thousands of PayPal logs.
Most stolen credentials come from phishing attacks. Therefore, the increase of logs for sale on the deep and dark web indicates that many people fell for phishing scams in the chaotic early days of the pandemic.
Another way that payment platforms are exploited is by using them to launder and obscure the source of stolen funds. These are known as “transfers.” Think of it this way: a thief clears out a PayPal account with stolen credentials. Where does the money go? By sending it to their own bank account, they provide law enforcement with a roadmap to finding the perpetrator. To avoid this, they seek a transfer. In exchange for a fee, a middleman will accept and route the stolen funds. However, the middleman doesn’t use his or her own account. That would expose them to criminal liability. Rather, they disperse the funds through a network of other compromised accounts, sometimes in numerous jurisdictions to make it harder for law enforcement to track.
Because operators of transfer services need to have intimate familiarity with antifraud mechanisms and the technical capabilities needed to avoid them, these services are offered at a premium. The fees can be as much as one-third of the amount transferred. And, like any service offered on the dark web, there’s no real guarantee that the middleman is “legitimate.” They may just abscond with the money.
Due to the economic situation caused by the pandemic, this actor is turning to fraud and requires PayPal transfers.
Consumers have turned to payment platforms because they are easy. PayPal facilitated commerce on the internet by providing a simple way for people to pay for things. Venmo and Cash App make it easy for people to send money to friends and family. And some businesses also rely on these services because they don’t require credit card-reading devices.
But the ease with which consumers have adopted them is mirrored by the ease with which criminals have exploited and targeted them. Payment platforms will need to become more agile in their anti-fraud responses. It’s the only way to stay ahead of hackers that can change their business models at a moment’s notice.
Download the full report, Corona Cash: Payment Platforms on the Dark Web During Covid-19, for more trends and examples of how payment apps provide critical infrastructure in dark web financial crime.