Hackers steal and launder money through food delivery and hotel reservation services.




My job requires me to dig through underground forums in search of the latest information on vulnerabilities, password leaks and other interesting things. Sometimes we advise law enforcement representatives on new vulnerabilities, attacks and attack schemes, and sometimes the security forces share their own “new finds” with us. I think many will agree that once a “scheme” or “vulnerability” has reached a forum, someone has usually long since skimmed all the “cream” off it, and that forums outside the .onion zone should not be taken seriously. But this time a scheme turned up that was surprising in its relative simplicity and novelty. So today's story is about how hackers steal and launder money through food delivery services.



Background: how a significant part of carding was killed off



People who are familiar with anti-fraud systems and the security of bank payments have long known that most services accepting online card payments have connected an additional system that verifies payments by phone (via SMS, call or application). Visa's system is called 3-D Secure (3DS for short) and works within Verified by Visa (VbV); Mastercard has an analogue called Mastercard SecureCode (MCC). The bottom line is simple: if you have entered your credit card data somewhere, then for the payment to succeed you also need to enter the code received by SMS, call or application, confirming that it is you making the purchase and not hackers robbing you.



With the introduction of these systems, a significant portion of payments made with other people's (stolen) credit cards disappeared.



Giants value revenue and turnover more than safety



However, large, high-traffic services such as Booking.com, Airbnb, Amazon.com and Facebook.com have disabled or limited the use of this additional verification, since it (most likely) had a big impact on sales and conversion. Of course, they replaced it with additional verification inside the account and neural networks with the coolest antifraud solutions, but this did not help much. The problem is not new and is widely discussed (proof). The US Federal Trade Commission also stated that between 2012 and 2016 it received 13 million complaints, 3 million of them in 2016 alone, 13% of which concern identity theft and credit cards. And this data is only for the United States. The reality is that it is better to keep a staff of lawyers handling chargebacks from other people's cards than to reduce the flow of funds. As a result, whole forums appeared with offers to book a hotel for 25%-50% of the cost (proof). Business risks, nothing more.



This is how a fairly popular scheme for laundering money from stolen credit cards through housing rental services appeared (an example of a victim of carders' actions). In simplified form, it looks like this:



  1. Rent an apartment with the right to sublease.
  2. Register the apartment on booking.com and/or Airbnb.
  3. Buy stolen credit card details.
  4. Supposedly book the apartment from themselves, using the stolen card data.
  5. Receive clean money from Booking or Airbnb.


Naturally, there may be a million variations of the above scheme, from registering non-existent apartments on Booking or Airbnb (this really happens) to registering an account under your own details without the knowledge of the owner of the apartment or hotel. People are actively seeking out and recruiting dishonest hotel owners (proof) or offering their own services (proof).



Why is money laundered specifically through apartment rental services? As I wrote above, VbV and 3DS are absent there (or used only to a limited extent), so cards are easier to “drive in”. Hotel owners are also often guilty of laundering money through pre-authorization and completion on POS terminals that support manual card entry (proof), but that is a completely different story, which I will tell next time. Let's go back to our food delivery providers.



Food delivery services also do not care whose card it is



GLOVO, UBER, Yandex Food and other cheap delivery services quickly burst into our lives along with hotel reservation services. And you know what? They don't really care whether the name of the account holder matches the name on the credit card. They don't care where the goods are picked up or where they are delivered. As with the hotel booking giants, VbV and 3DS matter less to them than turnover and revenue.



So, while working on another antifraud testing engagement at HackControl and collecting new fraud schemes, I came across a “novelty”. Carders and scammers have come up with a scheme that, to a first approximation, looks like this.



  1. They register a store / hot dog stand / restaurant / stall in the food delivery system, or simply tell the courier exactly where to buy the order.
  2. They buy a stolen credit card and attach it to the account.
  3. Using the stolen credit card and the food delivery application, with an unsuspecting courier, they buy from their own store and wait for delivery.
  4. The food is brought back, and the cycle repeats.


Naturally, I have described the scheme only to a first approximation: scammers change restaurants, shops and delivery addresses, but the essence does not change.
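A detection-side example for the circular pattern described above, added here and not taken from the article or from any delivery service: it flags (account, merchant) pairs using the checks the text says these services skip. The order fields, thresholds and sample rows are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample orders; every field name here is an assumption for illustration.
FIELDS = ("account", "account_name", "card_name", "card", "merchant", "pickup", "dropoff")
ROWS = [
    ("acc-17", "Ivan Petrov", "JOHN SMITH", "fp-a1", "m-hotdog", "12 Elm St", "12 elm st."),
    ("acc-17", "Ivan Petrov", "MARY JONES", "fp-b2", "m-hotdog", "12 Elm St", "12 Elm St"),
    ("acc-17", "Ivan Petrov", "LI WEI", "fp-c3", "m-hotdog", "12 Elm St", "40 Oak Ave"),
    ("acc-20", "Anna Lee", "ANNA LEE", "fp-d4", "m-pizza", "5 Main St", "9 Pine Rd"),
    ("acc-21", "Omar Aziz", "SARA AZIZ", "fp-e5", "m-pizza", "5 Main St", "3 Lake Dr"),
    ("acc-22", "Tom Berg", "TOM BERG", "fp-f6", "m-hotdog", "12 Elm St", "77 Hill Rd"),
]
ORDERS = [dict(zip(FIELDS, row)) for row in ROWS]

def norm(text):
    """Lowercase and drop punctuation/spaces so trivial variations compare equal."""
    return "".join(ch for ch in text.lower() if ch.isalnum())

def order_signals(order):
    """Per-order checks the article says delivery services skip."""
    signals = set()
    if norm(order["account_name"]) != norm(order["card_name"]):
        signals.add("name_mismatch")   # account holder is not the cardholder
    if norm(order["pickup"]) == norm(order["dropoff"]):
        signals.add("round_trip")      # goods are delivered back to the seller
    return signals

def flag_pairs(orders, min_cards=2, min_reasons=2):
    """Flag (account, merchant) pairs showing at least `min_reasons` distinct signals."""
    cards, reasons = defaultdict(set), defaultdict(set)
    for o in orders:
        key = (o["account"], o["merchant"])
        cards[key].add(o["card"])
        reasons[key] |= order_signals(o)
    for key, used in cards.items():
        if len(used) >= min_cards:
            reasons[key].add("many_cards")  # one account cycling several cards
    return {k: sorted(r) for k, r in reasons.items() if len(r) >= min_reasons}

def merchant_exposure(orders):
    """Share of each merchant's orders that come from flagged pairs."""
    flagged = flag_pairs(orders)
    total, hits = defaultdict(int), defaultdict(int)
    for o in orders:
        total[o["merchant"]] += 1
        hits[o["merchant"]] += (o["account"], o["merchant"]) in flagged
    return {m: hits[m] / total[m] for m in total}

if __name__ == "__main__":
    print(flag_pairs(ORDERS))
    print(merchant_exposure(ORDERS))
```

Requiring two independent signals keeps a single name mismatch (a card borrowed from a family member, as in the constructed `acc-21` row) from being flagged on its own, and the merchant-level share still surfaces a seller when delivery addresses are rotated.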



Disclaimer and conclusions



This publication is not intended to expose vulnerabilities in any particular food delivery or housing reservation service. It does not claim to be a comprehensive guide to protecting against and preventing fraudulent activity. It cannot be interpreted as a call or a guide to action. Credit card fraud and the use of someone else's data when booking hotels or ordering food delivery are completely illegal and constitute a criminal offense.



The overall conclusion is that the creators of antifraud systems, the directors responsible for risk, and architects sometimes need to go down into the “dungeon” to see how else the services they have built can be used. Now, alongside social engineering testing, we and other companies offer customers testing of their services for business-logic fraud as well. Today, even penetration testing that does not check business logic is becoming incomplete. Businesses do not buy template services; sales more often go through business analysts who help improve a particular process and prevent risks. When creating a delivery service, you need to consider not only the main risks, such as “will they deliver drugs through us?”, but also the other risks of the service being used in illegal activities.


