Cybersecurity researchers have uncovered a massive, multimillion-dollar credit card scheme that has flown under the radar since 2019. The scam involves charging illegally obtained credit cards a fairly small amount of money each month that appears as a charge from a generic-sounding service. If you aren’t paying close attention to your bank statements, you might miss them, and those monthly charges could add up to thousands of dollars over a few years.

ReasonLabs, the security firm that uncovered the scam, researched hundreds of suspicious websites linked to the scam and studied how they were set up, and how the sites were approved to take payments from major credit providers such as Mastercard and Visa. ReasonLabs estimated that the group behind the scam has been making between $10 million to $50 million each year from their scheme.

They believe this particular scheme is operated by a crime syndicate and found evidence that it originated in Russia. “The scam seems to abuse several security brands, such as McAfee and ReasonLabs, to execute fraudulent credit card charges,” the ReasonLabs research team said in a blog post. “The infrastructure is built on top of Amazon Web Services and uses GoDaddy to circulate hundreds of domains.”

Before we delve into how the criminals have gone undetected for so long, schedule some time to do a thorough check of your credit card activity over the past several months. If you do see a charge that is unfamiliar or suspicious, report it to your bank or credit card company right away.

The scammers started by creating a network of more than 200 dating and adult websites with little content and no significant website traffic. The sites ranked very low on Google, making them hard to find. Each site looked similar and used the same simple structure, which indicates that the cost to build these websites was minimal.

Next, they set up 75 customer support websites with different names from the dating sites. They touted this as a privacy benefit — the innocuous-sounding names would be used for billing statements. This was designed to fool someone into thinking the websites were legitimate if they happened to stumble on one. But the real purpose was to avoid detection by the victims who had never visited these sites or signed up for a monthly subscription. And just in case that didn’t work, the fraudsters also used names that were close to recognizable brands to better fool victims once the charge showed up on their monthly statements.

So where did they get the credit card numbers? RansomLabs concluded the card numbers most likely came from the dark web, a bustling marketplace for stolen financial credentials of many types. Earlier this month, Privacy Affairs published its report “2022 Dark Web prices for cybercriminals services” revealing that a hacked U.S. credit card number with expiration date and CVV can be bought for $17; bulk discounts were available. Because the monthly charges for this scam ranged from $29.95 to $49.95, even if only half the fraudulent charges were successful just one time, they’re making money.

How did they set up payment with legitimate payment providers? That’s where the customer service sites played a role. One common requirement for online businesses to be approved to take payments is by providing a customer service site to handle account issues. ReasonLabs explained: The fraudsters applied each individual customer service website for payment processing in order to distribute the chargebacks between many websites rather than just one. This would ensure that their payment processing capabilities would not be revoked once one site reaches the agreed rate of chargebacks, or refunds, which is divided by the number of legitimate transactions.

They also avoided test transactions, a common practice among cyberthieves. If a small charge goes through, they’ll proceed to larger ones, which can be a red flag to payment processors as well as consumers. Avoiding test transactions, keeping the monthly charges relatively low and setting them up as recurring charges helped the criminals avoid detection.

If a victim noticed a charge and then went to the website, they were given a toll-free number to cancel the subscription and could talk with a real person, often a legitimate third party service that had no idea they were part of a scam. When you put all of the pieces of this scam together, it’s complex and effective: a fraudulent foundation covered with legitimate and unwitting partners.

Review your statements carefully, investigate any charges that don’t ring a bell and if you think it’s fraud, report it and let your bank take it from there.

Leslie Meredith has been writing about technology for more than a decade. As a mom of four, value, usefulness, and online safety take priority. Have a question? Email Leslie at asklesliemeredith@gmail.com.

Newsletter