Ghost shopping and cyber extortion – the case of Pay2us.biz

One of the most well-known perpetrators in this area is the website pay2us.biz. For a long time its operators used affiliate transaction cleansing to covertly facilitate credit card payments for content that violated card scheme rules or was simply illegal. Now they have found an even more insidious way of making money, turning the card schemes’ test transactions against unsuspecting victims.

Ghost shopping gone bad

In 2011, VISA and MasterCard, together with the AntiCounterfeiting Coalition IACC, started to actively fight back against online shops selling illegal goods while offering credit card payments. They instructed investigators to look for relevant sites and place test purchases, which would eventually lead back to the merchant account of an acquiring bank. Acquirers who got caught would then be punished with hefty fines by the card schemes, terminating fraudulent merchant accounts in the process. This measure was termed mystery or ghost shopping.

Unfortunately, the cybercriminal underground is ingenious in adapting to new circumstances and ghost shopping was no exception. Pay2us.biz found a creative way to practically weaponise test transactions and use them for their own devious purposes.

How did they accomplish this? First, the fraudsters set up websites with unnecessarily long and complicated URLs, which are not indexed by any search engine and purport to sell illegal products, for example generic Viagra. In the next step, an anonymous tip is placed with the card schemes. Because of the arcane nature of the sites, the perpetrators can be sure that the only website visitors will be card scheme ghost shoppers. When a test purchase is conducted, the transaction does not go into interchange but all information is stored for further mischief: the fraudsters use the data to buy an item or service with the same or similar price point at another shop – and the card schemes are altered. For them, it now seems like the attacked entity sells generic Viagra and their seemingly innocuous website is just a front for their illegal operation. This can have disastrous consequences for the affected merchant, ranging from punishing fines to the termination of their account.

Cyber extortion as a business model

During a lengthy investigation, starting with the first incident in October 2012, Web Shield uncovered more than 5000 of similar bait sites, all with the sole purpose of capturing card scheme test transactions. Research in dark web forums revealed that the miscreants offered their “competitor takedown attacks” as a service, with prices ranging from EUR 100.000 to EUR 500.000, payable in Bitcoin. But this was not enough for the entrepreneurial fraudsters behind pay2us. In an effort to boost profit margins, they adapted a far more aggressive “marketing” strategy.

.

The first signs of their changing modus operandi were strange emerging fraud attack patterns. Some merchants were hit several times in a row in predictable intervals, while the attacks suddenly stopped for others. The reason was revealed when Web Shield investigators were contacted by affected merchants. Immediately after being hit with a transaction laundering attack they were contacted by pay2us with a special service proposition: If the merchant would rout all credit card transactions through their system and pay a small insurance sum of USD 1 per transaction, the attacks would stop. Merchants who declined their offer were attacked until they went bankrupt or lost their accounts. The cyber-extortionists even refused generous one-time bribes. The reason is simple: Every implementation of their “service” is at the same time a massive account data compromise. For pay2us it is killing two birds with one stone: making money with a digital protection racket while stealing credit card data for sale on the dark net.

What can be done?

On a technical level, these attacks are practically undetectable. Nonetheless it is important for acquiring banks to know that competitor takedown attacks exist. In a non-compliance case, they should not blindly punish merchants right away, but first investigate what exactly happened. The merchant on the other hand has to document any communication attempts by the perpetrators.

In addition to these short-term remedies, it seems inevitable that we have to amend the way test transactions are currently conducted to keep them out of the hands of fraudsters who would abuse them.

About Christian Chmiel

Christian Chmiel is the CEO of Web Shield. He is responsible for the development and implementation of new investigation techniques and research tools to identify fraudulent or brand damaging online merchants. Before he served as the Deputy Head of Compliance with Wirecard Bank in Germany, and specialized in online fraud investigations, credit card compliance and underwriting for acquiring banks. Christian is a Certified Fraud Examiner (ACFE) and a Certified High-Risk Underwriter (WSA). As a lecturer at the Web Shield Academy he has written and co-written a series of publications about various aspects of risk management, fraud detection and investigative methodology.

About Web Shield

Web Shield equips the payments industry with tools that protect your business from merchants involved in illegal or non-compliant activities. Our highly precise, software tools provide you with the information you need to make valuable decisions about prospective clients, and alert you when existing clients behave dubiously. Keeping your business out of risky situations – and saving you time and money.