
How Drop Networks Keep Cybercrime Groups in the Money

When cybercriminals steal a batch of credit card numbers, it’s the beginning of a race against time for them as they try to run up as many purchases as they can before the breach is discovered and the cards are canceled. That spending spree, though, is just the first link in a global supply chain that involves people and organizations spread out around the world working to ensure the ill-gotten goods get to their wrongful owners.

For cybercrime gangs, getting the credit card numbers or bank information often is the easy part. That data is available in a variety of places to those willing to take it. What’s more complicated is finding a way to monetize that stolen information, whether by packaging it up and reselling it to other criminals or by making fraudulent purchases. Criminals who choose the latter path face a thorny problem: how to take delivery of their merchandise without leaving a trail for law enforcement to follow to their front door.

That’s where the global network of reshippers, money mules, and insiders comes in. Combined, these people, some of whom likely don’t know they’re working for a criminal enterprise, make up a large, distributed support infrastructure for cybercrime gangs. One of the challenges the gangs have to confront is shipping their goods through legitimate delivery companies. This requires legitimate shipping labels, a not-insignificant problem given the automation that’s involved.

“Some drop networks also prepare shipping labels as part of their service, an indicator that the threat actors also have access to accounts belonging to major commercial and public-sector shipping services,” Luke Rodeheffer and Mike Mimoso of Flashpoint wrote in a blog post detailing research the company has done into these networks.

“Using the access afforded by those accounts and the shipping services’ APIs, criminals are able to produce thousands of labels for customers; one recent review on an underground site raved that 99.9 percent of the labels were processed properly, ensuring that stolen goods reached the buyer or the drop network. Cybercriminals often use drop networks to obfuscate the destination and/or origin of stolen funds, or fraudulently purchased goods.”


Disguising both the beginning and the end of the shipping process for stolen goods is vital for cybercrime groups. Having thousands of dollars in fraudulently purchased luxury goods delivered to your home address is a career-limiting move, so many groups will use multiple levels of drops, reshippers, and mules who don’t know one another and have no real-world connections. This separation of duties and compartmentalization is vital to keeping the criminals behind these schemes protected.

“The fraudulent labels are a key part of this process. One underground service allows customers to create labels and distributes them as PDFs to customers, who then send the labels to mules in the drop network. The mules will use these labels to ship carded goods to buyers or other drops on the network for resale in online marketplaces, including Amazon and eBay. The labels play an important role in the shipping of fraudulently purchased items, a method by which many cybercriminals monetize compromised accounts,” Rodeheffer and Mimoso said.

These criminal networks don’t operate in a vacuum, either. They’re often tied in with malware gangs, spammers, and other organized groups that make up the cybercrime underground.

“Some drop networks operating on the Eastern European cybercriminal underground have been linked to spam campaigns actively recruiting mules in the United States and Europe. Some drop networks observed by Flashpoint analysts include sites registered to companies in U.S. states,” Rodeheffer and Mimoso said.