Editor’s Note: The following post is an excerpt of a full report by Gemini Advisory. To read the entire analysis, click here to view the full report.

Key Findings

• The underground payment card economy in 2021 saw new tactics enable new attack vectors, raising certain fraud schemes to higher prominence, such as attacks leveraging Google Tag Manager (GTM) and WebSockets, the Skimmer-as-a-Service model, and card checker innovations.
• The levels of Card Present (CP) records offered for sale on the dark web have continued to decline, furthering the trend that COVID-19 accelerated away from CP cards and towards Card Not Present (CNP) records.
• Cybercriminals have demonstrated the efficiency of compromising multiple merchants with a single attack by targeting ordering platforms that service dozens of merchants.
• Gemini Advisory assesses with high confidence that the shift towards CNP is likely here to stay (albeit potentially less extreme in post-COVID conditions) and that Magecart attacks will likely remain dominant in the near future.

Background

The underground payment card economy in 2021 maintained the previous year’s trends as it continues to emerge from the COVID-19 pandemic conditions. However, new tactics have enabled new attack vectors, raising certain fraud schemes to higher prominence. Gemini Advisory’s dark web intelligence offers insight into the most notable trends in 2021’s fraud threat landscape.

The levels of Card Present (CP) records offered for sale on the dark web have continued to decline, furthering the trend that COVID-19 accelerated away from CP cards and towards Card Not Present (CNP) records. While there were over 70 million CP cards for sale in 2020, only 36 million appeared in 2021. Conversely, there were 40 million CNP records for sale in 2020 and 60 million in 2021, demonstrating relative consistency. The United States remained far and away the most common source of compromised payment card records.

Alongside the growing proportion of dark web CNP carding fraud has come a steady slew of Magecart attacks. These also primarily target the United States but have used increasingly sophisticated tactics, including Telegram bots, scripts that transmit payment card skimmer scripts and stolen data over WebSocket connections, and scripts that abuse Google Tag Manager (GTM) containers to conceal malicious scripts. Malicious actors particularly targeted small to medium-sized merchants that often lack the security resources of larger companies. Additionally, attacks on third-party payment processors offered actors a unique opportunity wherein a single compromise provides access to capture card data from the transactions of dozens of companies. Another emerging trend is the Skimmer-as-a-Service model, which lowers barriers-to-entry by providing the card skimming and data sales components allowing cybercriminals to focus on the identification and exploitation of vulnerable e-commerce sites.

Editor’s Note: This post was an excerpt of a full report by Gemini Advisory. To read the entire analysis, click here to view the full report.