The Weekly Geek

I'm the Geek so you don't have to be!

Delivering Fraud-as-a-Service (FaaS)

June 14th, 2010

It was bound to happen: on-demand, web-based fraud that mirrors the efficiency, sophistication, and universality of Software-as-a-Service (SaaS).

In his recent white paper, entitled “Fraud Trends in 2010,” Rick Van Luvender, Director of First Data’s InfoSec Incident Response Center, has forever characterized this thriving underground economy as Fraud-as-a-Service, or FaaS.

Here, RRN.Com excerpts an overview of the threat from Van Luvender’s presentation, which may be downloaded in its entirety by clicking here.

“At the center of FaaS are the online fraud forums, where individuals, groups, and organizations active in the trade of fraudulent goods and services gather to collaborate, offer their skills, and buy and sell stolen goods,” Van Luvender writes. “A popular means of trading stolen information, web-based forums post advertisements that are visible to anyone visiting and often only require registration with a user name. In order to attract visitors, many forums even offer tutorials, how-to guides, or even specialized venues for goods from specific countries or regions.”

“In the FaaS model, the forums provide the opportunity for access to specialists who can help design methods for harvesting (or stealing) data such as malware, skimmers, and botnets,” Van Luvender continues. “Because no fraudulent act is finished until there is a cash-out on the stolen data, to help complete the transaction, ‘cashiers’ and ‘money mules’ are available for hire to act as intermediaries in converting information into true currency. These contractors will transfer funds from stolen accounts into legitimate currency for a commission on the amount transferred, or will help validate CVV2 numbers against their corresponding credit card number and expiration dates for nominal fees. Criminals can even request cashiers for specific locations, nationalities, or gender to match the identity of the victim in order to minimize suspicion when withdrawing funds.”

Tags: Internet · Security