Visa, one of the world’s largest payment processors, has released a report on payment fraud disruption in the past six months. The report revealed that threat actors have been using novel technologies and techniques to conduct fraudulent schemes, particularly in the area of transaction authentication.
The report also highlights the vulnerability of token bridges to theft, which has become a major concern for the cryptocurrency community.
One of the top threats in the consumer space is the use of social engineering to obtain card data or to take over an account. In many cases, threat actors claim to be an employee from the cardholder’s bank and ask for sensitive information.
These schemes often result in the compromise of one-time passwords (OTPs), tokenized or single-use PANs, or sensitive account data such as bank login credentials (username and password).
Threat actors also use custom phishing kits that facilitate bypassing multi-factor authentication (MFA). These kits use reverse proxies, allowing the fraudster to act as a man-in-the-middle (MiTM) between the legitimate consumer and the legitimate website.
This approach presents the legitimate website to the consumer while operating as an invisible intermediary, which lowers the consumer's suspicion.
The actor can then harvest any information that is entered into the website by the consumer, including OTPs, usernames, passwords, and session cookies.
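The reverse-proxy kit works because an OTP is only a shared secret: the issuer cannot tell whether the code was typed on its own page or on a look-alike page that relays it. The following is an added example, not code from the article or from Visa's report, that contrasts that OTP check with an origin-bound credential check in the style of WebAuthn, where the authenticator signs the origin the browser is actually connected to. The `Issuer` class, the two origins, the user name and the use of HMAC as a stand-in for the authenticator's public-key signature are all constructed assumptions for illustration.

```python
"""
Added example: why a relayed OTP passes but an origin-bound credential fails
when the user is on a reverse-proxy phishing page. All names are constructed.
"""
import hashlib
import hmac
import json
import secrets

LEGIT_ORIGIN = "https://bank.example"      # constructed: the genuine site
PROXY_ORIGIN = "https://bank-example.top"  # constructed: the kit's reverse proxy


class Issuer:
    """Minimal relying party with two authentication methods."""

    def __init__(self):
        self.otps = {}
        self.keys = {}
        self.challenges = {}

    def send_otp(self, user):
        code = f"{secrets.randbelow(10**6):06d}"
        self.otps[user] = code
        return code  # delivered out of band in reality (SMS, app push)

    def verify_otp(self, user, code):
        # Nothing in an OTP binds it to the page the user typed it into.
        return hmac.compare_digest(self.otps.get(user, ""), code)

    def register_key(self, user, key):
        self.keys[user] = key

    def new_challenge(self, user):
        self.challenges[user] = secrets.token_hex(16)
        return self.challenges[user]

    def verify_origin_bound(self, user, client_data_json, signature):
        # WebAuthn-style check: the signed clientData carries the origin the
        # browser really connected to; a mismatch is rejected before the
        # signature is even considered. HMAC stands in for the real signature.
        client_data = json.loads(client_data_json)
        if client_data.get("origin") != LEGIT_ORIGIN:
            return False
        if client_data.get("challenge") != self.challenges.get(user):
            return False
        expected = hmac.new(self.keys[user], client_data_json.encode(),
                            hashlib.sha256).digest()
        return hmac.compare_digest(expected, signature)


def authenticator_sign(key, origin, challenge):
    """Simulated authenticator: signs the origin supplied by the browser."""
    client_data_json = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": origin},
        sort_keys=True)
    sig = hmac.new(key, client_data_json.encode(), hashlib.sha256).digest()
    return client_data_json, sig


def otp_relayed_through_proxy():
    """Victim types the OTP on the proxy page; the proxy forwards it verbatim."""
    issuer = Issuer()
    code = issuer.send_otp("alice")
    forwarded_by_proxy = code              # relayed unchanged to the real site
    return issuer.verify_otp("alice", forwarded_by_proxy)   # accepted


def origin_bound_through_proxy():
    """Browser is really at PROXY_ORIGIN, so that is what gets signed."""
    issuer = Issuer()
    key = secrets.token_bytes(32)
    issuer.register_key("alice", key)
    challenge = issuer.new_challenge("alice")
    cdj, sig = authenticator_sign(key, PROXY_ORIGIN, challenge)
    return issuer.verify_origin_bound("alice", cdj, sig)    # rejected


def origin_bound_direct():
    """Same flow with the browser genuinely at the bank's origin."""
    issuer = Issuer()
    key = secrets.token_bytes(32)
    issuer.register_key("alice", key)
    challenge = issuer.new_challenge("alice")
    cdj, sig = authenticator_sign(key, LEGIT_ORIGIN, challenge)
    return issuer.verify_origin_bound("alice", cdj, sig)    # accepted


if __name__ == "__main__":
    print("OTP via proxy accepted:", otp_relayed_through_proxy())
    print("Origin-bound via proxy accepted:", origin_bound_through_proxy())
    print("Origin-bound direct accepted:", origin_bound_direct())
```

The point the example makes is that the issuer's OTP check has no way to see the intermediary, whereas the origin check fails closed as soon as the signed origin is not the bank's own domain; the proxy cannot rewrite it without invalidating the signature.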
Threat actors exploit token bridges to steal millions
Visa’s report shows that token bridges have become a favored target for thieves in 2022. The report identifies techniques including social engineering, advertising fraud, bots and phishing kits used to obtain OTPs from cardholders; issuer-targeted malware used to access and change customer contact details; and social engineering used to conduct token fraud.
The report also highlights an incident in late March 2022, in which an organization was attacked by threat actors who used an unidentified malware variant to infect user endpoints.
The actors eventually moved laterally in the victim’s environment and compromised the credentials for an administrative user of a mobile banking application portal.
This access was then used to edit the contact information of specific customers and to increase the limits on those customer accounts. The changed information included mobile device numbers, which let the threat actors bypass OTP authentication because the OTPs were now sent to the new devices.
The actors used the increased account limits and changed customer information to monetize their illicit access through fraudulent funds transfers in a short amount of time.
Similar tactics, techniques, and procedures (TTPs) are often used by actors to conduct ATM cashout attacks: deploying malware on a victim issuer's network, accessing the cardholder data environment, and increasing limits on a select number of payment accounts.
These accounts are then used by mule networks to withdraw significant amounts of cash from ATMs. Additionally, threat actors use similar methods to take over a customer account and change contact information, which enables the threat actors to bypass OTP authentication during a transaction.
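The incident pattern above, a contact-detail change on an account, a limit increase shortly afterwards, and then an OTP-authenticated transfer, is something an issuer can correlate in its own account-servicing audit trail. The following is an added example, not code from the article or from Visa's report, that runs such a correlation over a handful of constructed audit events; the event schema, account IDs, admin user names, amounts and the 24-hour window are all assumptions chosen for illustration.

```python
"""
Added example: flag account-takeover chains in account-servicing audit events.
A chain is a CONTACT_CHANGE followed within a window by a LIMIT_CHANGE that
raises the limit and then an OTP-authenticated TRANSFER. All data is constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit events (not real data). ISO-8601 timestamps sort lexically.
EVENTS = [
    {"ts": "2022-03-28T09:00:12Z", "actor": "admin_07", "account": "ACC-1001",
     "type": "CONTACT_CHANGE", "field": "mobile"},
    {"ts": "2022-03-28T09:01:40Z", "actor": "admin_07", "account": "ACC-1001",
     "type": "LIMIT_CHANGE", "old": 2000, "new": 50000},
    {"ts": "2022-03-28T09:15:03Z", "actor": "customer", "account": "ACC-1001",
     "type": "TRANSFER", "amount": 48000, "auth": "OTP"},
    {"ts": "2022-03-28T10:30:00Z", "actor": "admin_02", "account": "ACC-2002",
     "type": "CONTACT_CHANGE", "field": "email"},
    {"ts": "2022-03-30T11:00:00Z", "actor": "customer", "account": "ACC-2002",
     "type": "TRANSFER", "amount": 150, "auth": "OTP"},
    {"ts": "2022-03-28T09:05:00Z", "actor": "admin_07", "account": "ACC-3003",
     "type": "CONTACT_CHANGE", "field": "mobile"},
    {"ts": "2022-03-28T09:06:10Z", "actor": "admin_07", "account": "ACC-3003",
     "type": "LIMIT_CHANGE", "old": 1000, "new": 30000},
    {"ts": "2022-03-28T09:20:00Z", "actor": "customer", "account": "ACC-3003",
     "type": "TRANSFER", "amount": 29500, "auth": "OTP"},
]

WINDOW = timedelta(hours=24)  # assumed correlation window


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def find_takeover_chains(events, window=WINDOW):
    """Return one record per account where a contact change is followed, within
    `window`, by a limit increase and then an OTP-authenticated transfer."""
    by_account = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_account[e["account"]].append(e)

    hits = []
    for acct, evs in by_account.items():
        for i, e in enumerate(evs):
            if e["type"] != "CONTACT_CHANGE":
                continue
            t0 = parse_ts(e["ts"])
            limit_raised = False
            for f in evs[i + 1:]:
                if parse_ts(f["ts"]) - t0 > window:
                    break  # later events are outside the window
                if f["type"] == "LIMIT_CHANGE" and f["new"] > f["old"]:
                    limit_raised = True
                elif (f["type"] == "TRANSFER" and f.get("auth") == "OTP"
                      and limit_raised):
                    hits.append({"account": acct, "admin": e["actor"],
                                 "field": e["field"],
                                 "contact_change": e["ts"],
                                 "amount": f["amount"]})
                    break  # one hit per contact change is enough
    return hits


def admins_with_multiple_hits(hits, threshold=2):
    """Admin users whose edits precede several flagged chains: the signal that
    the administrative portal credentials themselves may be compromised."""
    counts = defaultdict(int)
    for h in hits:
        counts[h["admin"]] += 1
    return sorted(a for a, c in counts.items() if c >= threshold)


if __name__ == "__main__":
    found = find_takeover_chains(EVENTS)
    for h in found:
        print(f"{h['account']}: {h['field']} changed by {h['admin']} at "
              f"{h['contact_change']}, OTP transfer of {h['amount']} followed")
    print("admins to review:", admins_with_multiple_hits(found))
```

In the constructed data ACC-1001 and ACC-3003 are flagged while ACC-2002 is not: its email change was never followed by a limit increase, and the small transfer fell outside the window. Both flagged chains trace back to the same administrative user, which is the detail that distinguishes a compromised portal account from an isolated customer-side takeover.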
Threat actors are using increasingly sophisticated methods to conduct fraudulent schemes, and the vulnerability of token bridges has become a major concern for the cryptocurrency community.