By Brittany Allen, Trust and Safety Architect at Sift
The dark web: it’s a mystery to many, and a near-mythical place that’s often (inaccurately) painted as a search engine for hitmen and human trafficking. And while it may not truly host storefronts for assassins, it is an environment ripe with exploitation—somewhere fraudsters can test strategies, technologies, and tools in order to build criminal business models that are both scalable and extremely effective.
This leaves e-commerce merchants with an important, if sometimes obscure, responsibility to defend customers’ information from being traded, bought, and sold on the internet’s underbelly—ultimately keeping their businesses safe from fraudsters on the hunt for confidential data that’s worth its weight in bitcoin.
What Fraudsters Want (and How They Get It)
With infinite, unique bits of information being proffered on the dark web, and just as many ways to take advantage of it, this online flea market for fraudsters is basically an illicit mirror image of digital e-commerce. Valuable data is often available at bargain prices. Vendors request feedback and offer customer service. Competition is healthy; if one shop gets taken down or goes out of business, another will quickly take its place. And, it operates just as strategically and efficiently as any legitimate business network. That’s what makes it so incredibly dangerous.
Anyone looking to peruse the dark web can access it via the The Onion Router (Tor), an anonymous browser platform that hides users behind multiple layers of connections. Once inside, a would-be fraudster has the opportunity to purchase everything they need to attack a vulnerable business and mine its users’ accounts and servers for resellable data, with some sellers even offering malicious, organized attacks as a service. If they’re the DIY type, a fraudster can buy templates for fake online storefronts that include built-in malware to capture personally identifiable information (PII data), or grab some free, easy-to-download commodity malware that they can then customize depending on where they want to strike.
For many seasoned dark web patrons, the purchase of proprietary data is an investment. Access to a set of legitimate credentials could potentially allow them to buy thousands of dollars worth of goods to use, trade, or sell as they please. More sophisticated attacks, of course, often result in financial and identity theft, enabling large-scale, repeat fraud across the accounts and websites associated with those credentials. Layer on the use of cryptocurrencies—untraceable, digital-only currencies that are not owned, traded, or controlled by a centralized government or bank—and the well-equipped fraudster can perform multiple, highly-profitable online heists before anyone is the wiser.
A Roaring Digital Trade
When it comes to an online merchant’s trust and safety strategy, it’s practical to have a passing knowledge of how cryptocurrencies work and how they enable fraudsters to cover their tracks. Although they’re perfectly legal, the Bitcoins and Ethereums of the world aren’t burdened by the traceability or red tape of regular money; instead, records of exchange are stored in a digital ledger or database using strong cryptography, making them incredibly tough to follow, and an ideal form of payment on the dark web. Because these funds are designed to leave no trail, a fraudster could convert stolen funds (or profits resulting from the sale of hijacked data) to cash, and ultimately move them to a bank account—leaving virtually nothing behind to connect them to their crimes. That’s not the end of it, either; cryptocurrencies are a popular target for skilled hackers, who collectively filched $4.2 billion from crypto-related crimes in 2019.
For fraudsters, the real gems of the internet underground are valuable collections of personal details that are linked across merchants and accounts, creating a passable disguise that can then be used to steal from a single person in multiple ways. With a handful of identifiers bought for cheap (e.g., a specific individual’s name, email address, phone number, and the last four digits of a credit card), digital criminals are armed with enough information to masquerade as a legitimate user and successfully bypass verification steps. Account takeover, credential stuffing, promo abuse, stolen rewards points, phishing campaigns, gift card fraud—the list of resulting threats goes on. But every merchant’s worst nightmare is that any one of those smaller attacks could open the door to a system-wide data breach, exposing enough company and customer information to render a business and its community defenseless against continuing and worsening fraud. Scarier still is the likelihood of bad password hygiene, where even the most secure of credentials gets reused by someone for multiple accounts—leaving all of them vulnerable if even one of them is hacked.
E-commerce vendors should always prioritize the security of the data they’re responsible for. And to proactively keep the wide spectrum of online fraud from destroying hard-earned growth and credibility, a thoughtful trust and safety strategy is crucial. But finding a solution that delivers pinpoint accuracy and real-time fraud prevention is the key to getting that strategy to work.
Defending Business and Customer Data
With the world currently locked in a pandemic-driven state of inertia, e-commerce businesses are experiencing dramatic fluctuations in traffic, transactions, and overall fraud. Without long-tail, historical data to help navigate dips and swells in volume or predict where fraudsters might focus, trust and safety teams can’t depend on patterns and predictability to help them make decisions—and the brands they’re defending are more vulnerable than they’ve ever been.
According to the new E-Commerce Fraud Tracker from Sift, the leader in Digital Trust & Safety, there are two verticals that fraudsters are now targeting because of massive upswings in user and order volume, and two more that are simply getting kicked while they’re down. The first are digital e-commerce and online education; as a result of global quarantine orders, both have ballooned with new users, and fraudsters are using this influx as cover to sneak past overwhelmed systems and security teams. At this time, online education shows the highest fraud rate across the entire Sift network.
But the bigger threat is being posed to those merchants whose numbers have been decimated by the public’s response to sheltering in place: travel and events. With thousands of accounts and their corresponding rewards points, payment information, and other private data more or less abandoned, fraudsters are quick to attempt account takeovers, promo and rewards abuse, and payment fraud—driving already-climbing fraud rates through the proverbial roof. That’s exactly what happened to hotel giant The Marriott just a few weeks ago, when—for the second time in two years—hackers managed to breach a third-party services system. They initially compromised only two employee accounts, but were subsequently able to expose the personal details of over 5.2 million guests.
Virus or no virus, organized attacks by experienced fraudsters have the potential to bring digital criminals immediate and sustained wealth via the dark web. And, as the aforementioned hotel giant found out, it only takes a very small percentage of jeopardized data to do considerable damage to a brand and its business. With that in mind, e-commerce merchants should make vigilant fraud prevention a core focus across every level of customer or user interaction.
To gauge the health of your company’s fraud-fighting strategy and get tailored recommendations from fraud prevention experts, request a free Digital Trust & Safety Assessment from Sift.
Brittany Allen has more than a decade of experience combating e-commerce marketplace fraud at companies such as Etsy, Airbnb, 1stdibs, and letgo. Her expertise in fraud mitigation, policy leadership, and dispute management has led her to speak at industry numerous conferences and join Sift as their newest Trust & Safety Architect, a role focusing on trust and safety education, developing industry best practices and strategies, and being the voice of Sift.