연간 결제 사기 인텔리전스 보고서: 2022년

편집자 주: 이 내용은 보고서 전문에서 발췌한 것입니다. 각주가 포함된 전체 분석 내용을 읽으려면 여기를 클릭하여 보고서를 PDF로 다운로드하세요.

이 보고서는 2022년 결제 카드 사기 환경에 대한 트렌드와 지표를 제공하며, 가장 자주 유출되거나 악용되는 테스터 판매자를 식별합니다. 이 보고서의 대상은 금융 기관 및 판매자 서비스 회사의 사기 및 사이버 위협 인텔리전스(CTI) 팀입니다.

Executive Summary

2022 was a year of system shocks, and the payment card fraud market did not survive unscathed. Russia’s cybercrime crackdown — followed promptly by its full-scale invasion of Ukraine in February 2022 — spawned lower carding volumes for the remainder of the year. In total, 2022 saw 45.6 million card-not-present (CNP) and 13.8 million card-present (CP) payment card records posted for sale to carding shops on the dark web. These figures were considerably lower than the 60 million CNP and 36 million CP records posted for sale in 2021. Taken together, this decreased supply, demand, and turnover defined the payment card fraud market and threat landscape throughout 2022.

In spite of this, the card fraud market and the threat actors who populate it demonstrated remarkable resilience. Magecart actors launched campaigns that employed fake payment card forms, exploited legitimate merchant web infrastructure to deploy e-skimmers, and used HTTP referer headers to impede remediation by security analysts. One of these campaigns led to the compromise of 2 online ordering platforms, a trending tactic that exposes merchants who use the platforms to the risk of being compromised. Meanwhile, high-profile merchants were increasingly exploited by individual threat actors and checker services on the dark web in order to verify the validity of stolen cards. And finally, as war in Ukraine hampered cybercriminals’ ability to engage in card fraud, one top-tier carding shop exploited the lull in supply by flooding the market with recycled payment card records. Although frustrated by these records’ low quality, resourceful threat actors may nevertheless use them as cheap sources of personally identifiable information (PII) that they can weaponize to carry out targeted account takeover (ATO) attacks against their victims.

By employing proactive anti-fraud strategies that integrate intelligence from throughout the payment fraud life cycle, financial institutions and card issuers can reduce card fraud losses in 2023. The overall level of card fraud activity in 2023 will be highly dependent on whether or not Russia’s war in Ukraine continues; if it does, threat actors’ ability to engage in card fraud will likely remain degraded. But should the war end, a renewal or increase in payment card fraud may follow.

주요 연구 결과

• 45.6 million CNP payment card records were posted across dark web carding shops in 2022, down 24% from 2021. It is highly likely that this year’s relatively low CNP volumes are the result of Russia’s early-2022 cybercrime crackdown and its subsequent full-scale invasion of Ukraine. In 2022, the highest-impact CNP breaches affected online ordering platforms.
• 13.8 million CP payment card records were posted across dark web carding shops in 2022, down 62% from 2021. While it is possible the year’s events contributed to this drop-off, year-by-year CP volumes have also steadily declined due to the rising global adoption of more secure in-person payment methods. In 2022, CP breaches overwhelmingly affected small restaurants and bars.
• The Recorded Future® Magecart Overwatch program discovered 1,520 unique malicious domains involved in the infections of 9,290 unique e-commerce domains at any point in 2022.
• 최소 2,050만 개의 유출된 결제 카드의 전체 기본 계정 번호(PAN)가 다크웹 포럼, 페이스트빈, 소셜 미디어 등 다양한 리소스에 일반 텍스트 또는 이미지로 게시되었습니다.
• 레코디드 퓨처가 모니터링한 21개의 카드 수표 서비스는 660개의 고유 판매자 식별 번호(MID)와 연결된 2,953개의 고유 판매자를 불법 카드 수표에 악용했습니다.
• 위협 행위자들은 3D 보안(3DS) 프로토콜이 제공하는 보호 기능을 회피하거나 우회하는 데 집중했으며, 공격을 용이하게 하는 수단으로 고객 서비스 콜센터를 악용하는 사례가 점점 더 많아지고 있습니다. 또한, 2022년 한 해 동안 게시된 값싸고 재게시된 결제 카드 기록이 급증하면서 ATO 공격의 공격 표면이 증가했습니다.
• 결제 사기 라이프사이클은 공급망, 구매자와 판매자 간의 조율된 교환, 체커와 같은 서비스 제공으로 뒷받침되는 실제 시장과 매우 유사합니다. 이렇게 높은 수준의 조직은 카드 사기의 기회와 영향을 증가시키지만, 동시에 데이터가 풍부한 환경을 조성하기도 합니다. 따라서 카드 발급사, 매입자, 가맹점 서비스 제공업체는 결제 사기 수명 주기 전반의 인텔리전스를 통합하고 통합하여 사기에 선제적으로 대응해야 합니다.

배경

Payment card fraud exists as part of a sophisticated underground economy. Production networks, supply chains, and dark web carding shops provide threat actors with the means to market criminal services and wares to their peers or to purvey stolen data to end users who engage in card fraud. Within this shadow economy, payment card fraud conforms to a certain “life cycle”, as seen in Figure 1 below.

그림 1: 결제 카드 사기는 일반적인 라이프 사이클을 따릅니다(출처: Recorded Future).

At the beginning of the life cycle, physical compromises facilitate the theft of payment card data from merchants’ card-present (CP) transactions. Meanwhile, cybercriminals enact digital compromises — often with Magecart e-skimmer infections — to steal card data from online card-not-present (CNP) transactions. These stolen card records are posted for sale to the dark web, where partial payment card data is put on display so criminal buyers can go “window shopping”. Occasionally, carding shops release full stolen payment card data for promotional purposes, which provides one of the many opportunities for criminals to snatch up full primary account numbers (PANs). Before making a sale, carding shops use aptly named checkers to appraise stolen card sets; individual criminals use the same checkers to verify their records’ validity before or after purchase. Once “end user” fraudulent actors acquire their desired payment card data, they monetize it, usually through fraudulent transactions. If actors can acquire enough of a victim’s personally identifiable information (PII), they can even attempt account takeover (ATO) attacks to cash out their victim’s bank account.

레코디드 퓨처는 2022년 내내 이러한 그림자 경제를 모니터링하여 고객이 결제 카드 사기 라이프사이클의 모든 단계에서 사기를 차단할 수 있도록 지원했습니다. 모니터링 과정에서 2021년에 이어진 트렌드와 2022년 이벤트에서 유기적으로 성장한 새로운 트렌드를 모두 관찰할 수 있었습니다.

편집자 주: 이 내용은 보고서 전문에서 발췌한 것입니다. 각주가 포함된 전체 분석 내용을 읽으려면 여기를 클릭하여 보고서를 PDF로 다운로드하세요.