EPS going down for fraudsters

In the current fraud eco system, being a harvesting fraudster is easier than ever – but the EPS - earning per scam - has gone down dramatically.

This is particularly true for fraudsters focused on online banking fraud.

In the early days of Phishing, the pricing model for stolen online banking credentials was not really established. You couldn't use the same pricing model used for stolen credit cards; it made little sense.

In the credit card world, stolen cards were already a commodity. A credit card with just the basic information would have been sold for $1 if you buy it in the thousands. Those that came with CVV2 (the last three digits on the back of the card), would sell for $2 or so. Fullz, which in the underground carding lingo means full information on the cardholder, not just the card – things like address, balance, credit limit and social security number – would sell for $5 to $10, depending on volume. These prices have eroded over time, but the pricing model itself did not change in the last decade.

But there's a big difference between compromised credit cards and online banking accounts. First, the scale: there are millions of "fresh" stolen credit cards sold every week in the fraud underground.

Then there was the issue of cards being a universal means of payment; you could use just about any card from any scheme – Visa, MasterCard, American Express, Discover or JCB – in just about any online, phone or brick & mortar merchant. That's why you can sell a "dump" of stolen credit cards from various card companies, and the only question you'll be asked is whether these are "fresh", recently compromised accounts with good balances.

Which isn't the case for online banking fraud.

Here the credentials can only grant you access to a specific portfolio within a specific bank. If you can only cash-out ABC Bank Business Accounts, you need the specific credentials required by ABC Bank Business portfolio. You cannot sell a "dump" of online banking credentials from many various banks, because your average cash-out fraudster will only be interested in a small, specific sub-set of your credentials.

So pricing was tricky. Fraudsters that took to Phishing didn't really know how much they could charge.

Instead, the prevalent pricing scheme was a revenue share. You'd negotiate your share with the cash-out fraudster, and hope you got a good enough deal. You'd ask for 60% of the proceeds, the cash-out provider will say you're crazy and that he'll be cutting his own throat for anything more than 40%, he's got expenses and all, and you'll probably settle on something in the middle.

These business relationships were very much in line with the fact Phishing was a custom crime. You had to phish specific targets so that you cash-out partner will be able to empty the accounts. A revenue share was a sound basis for a long-term cooperation.

By 2006, the gold standard for revenue share was 50% of the final proceeds, after expenses. These followed the money trail: the cash-out fraudster first entered the victim's account and emptied it by sending money to the mule. The mule took 5%-10% commission, and wired the funds to a "drop" outside the country. The drop took 10%-15% commission as well as paid the money wire fees. Whatever was left was evenly split between the harvester and the cash-out fraudster.

This arrangement held up for a few years. On one hand cash-out carries more risk, and requires a carefully planned operation. Phishing became a mainstream line of crime, so supply of stolen credentials was steadily increasing. This would have caused prices to drop.

But on the other hand, banks were not really playing along. They would change their websites to include warnings about Phishing, use various counter-measures or just change the login process. As a result, Phishing became a more demanding line of work.

In the last couple of years, though, Phishing kits became so universal, automated and idiot proof that, at the end of the day, everyone could do Phishing. Some cash-out fraudsters started to think of launching Phishing attacks themselves. Eventually the weight shifted towards their side of the underworld, and today you'll see harvesters getting as little as 20% of the proceeds from the fraud.

To offset the deteriorating value of Phished credentials, harvesters managed to scale up their Phishing attacks. They attacked more brands, used bigger botnets to spread their spam, and used more convincing social engineering to increase the yield of victims per attack.

Trojans, by the way, are a different story. I'm planning to write a blog about the pricing models of Trojan collected data, so stay tuned.