SLIDE 1

Drops for Stuff

An Analysis of Reshipping Mule Scams

Shuang Hao (1), Kevin Borgolte (1), Nick Nikiforakis (2), Gianluca Stringhini (3), Manuel Egele (4), Michael Eubanks (5), Brian Krebs (6), Giovanni Vigna (1,7)

(1) UC Santa Barbara
(2) Stony Brook University
(3) University College London
(4) Boston University
(5) Federal Bureau of Investigation
(6) KrebsOnSecurity.com
(7) Lastline Inc.

SLIDE 2

Overview

Prevalence of Data Breaches and Theft

  • Home Depot breach (2014): 56 million cards
  • Phishing (2013): 37 million users
  • Target breach (2013): 40 million cards, 70 million user info
  • Torpig botnet (2008): 0.5 million cards
  • Zeus Gameover (2014): 1 million PCs

SLIDE 3

Overview

How to Monetize?

  • Limitation of previous monetization methods
    – Direct withdrawal
      • Risk of identity/location exposure
    – Money laundering (money mule)
      • Difficult to wire from credit cards to bank accounts
    – Direct purchase of high-value products for reselling
      • Usually no direct shipping to foreign countries

SLIDE 4

Overview

Reshipping Scam

  • Recruit mules to receive and reship packages to cybercriminals overseas
  • A major monetization scheme
    – Bypass embargo policies, and hide traces
  • Goal: Characterize key aspects of the underground economy behind reshipping scams

SLIDE 5

Overview

Our Work

  • Analysis of log data from reshipping scams
  • Characterization and measurement
    – Operation: business model, targeted products, label purchase
    – Negative effect: scam victims, financial loss
    – Mule: life cycle, geographical locations
  • Intervention against reshipping scam services

SLIDE 6

Scam

Roles in Reshipping Scam Ecosystem

  • Crime organization
    – Site operator: Manage reshipping scam website
    – Stuffer: Purchase products with stolen cards, and rent mules for reshipping (“Drops for stuff”)
  • Abused parties
    – Drop: Reshipping mule
    – Cardholder: Owner of the stolen card
    – Merchant: Online retail company

SLIDE 7

Scam

Reshipping Scam Operation

[Diagram] Actors: Drop, Cardholder, Reshipping Scam Site, Stuffer, Merchant

Steps: 1. Apply, 2. Data Breach, 3. Subscribe, 4. Purchase, 5. Ship, 6. Manage, 7. Reship

Merchant checkout form: Name: Cardholder; Address: Drop’s; Order summary: …

Flow labels: User information, Reshipping instruction, Package

SLIDE 8

Data

Data Summary

Site   | Time Period      | Reshipping Logs | Prepaid Labels | Drop Records
Site-A | 11 months (2015) | 1,960           | 846            | 88
Site-B | 9 months (2014)  | 1,493           | -              | 43
Site-C | 9 months (2015)  | 5,996           | -              | 106
Site-D | 4 months (2014)  | -               | 613            | -
Site-E | 12 months (2011) | -               | 835            | -
Site-F | 2 months (2011)  | 991             | -
Site-G | 1 month (2013)   | -               | 54

  • Dataset of 7 reshipping scam sites (site A-G) (Shared by concerned citizens anonymously)
    – Reshipping logs, prepaid labels, drop records, messages, rules and disclaimers
  • Address information (city-level) of drops in U.S. (Shared by the law enforcement)

SLIDE 9

Operation

Operation Policies

  • How to split the illicit profit?
  • What are the main targeted products?
  • How to acquire prepaid shipping labels?

SLIDE 10

Operation

Agreement and Profit Split

  • Reshipping as a service
    – Percentage cut: up to 50% value (high-value products)
    – Flat rate: $50-$70 per package (lower-priced products)
  • “Customer service” and compensation
    – Drop status (“active” or “problematic”)
    – 15% compensation for lost packages, or free shipping

SLIDE 11

Operation

Products

  • Category prices and proportions

Product Category    | Median Price (Site-C)
Apple Products      | $750
Camera Related      | $500
Computer related    | $1,030
Other Electronics   | $550
Fashion and Apparel | $1,000
Nutrition           | $1,050
Miscellaneous       | $689

[Charts: category proportions for Site-C and Site-B; labelled segment: Electronics]

Above 70% of the products are electronics and luxury clothing

SLIDE 12

Operation

Label Purchase

  • Move from fraudulent labels towards “white labels”
    – Paid with cybercrime-funded bank accounts

The “white labels” have relatively cheap prices, less than $100 per package

SLIDE 13

Victims & Loss

Negative Effect

  • Who are negatively affected?
  • How much is the financial loss?

SLIDE 14

Victims & Loss

Victims

  • Main victims
    – Merchant: Liability to reimburse cardholders, loss of products, chargeback (up to $100)
    – Drop: Fake job with no payment, identity fraud
  • Other victims
    – Cardholder
    – Card issuer
    – Destination country

SLIDE 15

Victims & Loss

Revenue Estimate

  • From packages to revenue
  • Estimated package number per year
    – Site-C: 9,009
    – Site-F: 6,673
    – Site-B: 3,541
    – Site-A: 1,911
  • Revenue = # packages × average product price

Site-specific revenue is up to $7.3 million per year

SLIDE 16

Victims & Loss

Overall Revenue Estimate

  • Capture-recapture to infer the number of total cardholders

[Diagram labels: Site-A, Site-C, Entire population of cardholders in reshipping scams]

  • Population estimate: |A| × |C| / |A ∩ C| ≈ 1.6 million victim cardholders per year

Overall estimated revenue is $1.8 billion per year
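
An added example, not from the slides or the authors' code: the capture-recapture population estimate computed in Python over constructed logs for two sites, including the case where unnormalized records hide the overlap. The HMAC join key, the Chapman correction with its standard error, and all names and sample records are assumptions introduced here for illustration.

```python
import hashlib
import hmac
import math

LINK_KEY = b"constructed-demo-key"  # assumption: secret held by the analyst

def cardholder_key(name, zip_code):
    """Pseudonymous join key: normalize case/whitespace, then HMAC-SHA256."""
    canonical = " ".join(name.lower().split()) + "|" + zip_code.strip()
    return hmac.new(LINK_KEY, canonical.encode(), hashlib.sha256).hexdigest()

def lincoln_petersen(sample_a, sample_c):
    """N ~ |A| * |C| / |A ∩ C| for two independent samples of one population."""
    a, c = set(sample_a), set(sample_c)
    overlap = len(a & c)
    if overlap == 0:
        raise ValueError("no cardholder appears in both samples")
    return len(a) * len(c) / overlap

def chapman(sample_a, sample_c):
    """Chapman's small-overlap correction; returns (estimate, standard error)."""
    a, c = set(sample_a), set(sample_c)
    n1, n2, m = len(a), len(c), len(a & c)
    estimate = (n1 + 1) * (n2 + 1) / (m + 1) - 1
    variance = (n1 + 1) * (n2 + 1) * (n1 - m) * (n2 - m) / ((m + 1) ** 2 * (m + 2))
    return estimate, math.sqrt(variance)

def constructed_logs(population=10_000):
    """Constructed data: site A logs every 5th holder, site C every 4th."""
    site_a = [(f"HOLDER  {i:05d} ", "30301") for i in range(0, population, 5)]
    site_c = [(f"Holder {i:05d}", " 30301") for i in range(0, population, 4)]
    return site_a, site_c

def estimate_population():
    """Link both logs on the normalized key, then estimate the population."""
    site_a, site_c = constructed_logs()
    keys_a = [cardholder_key(n, z) for n, z in site_a]
    keys_c = [cardholder_key(n, z) for n, z in site_c]
    return lincoln_petersen(keys_a, keys_c), chapman(keys_a, keys_c)

if __name__ == "__main__":
    point, (corrected, stderr) = estimate_population()
    print(f"Lincoln-Petersen: {point:.0f}")
    print(f"Chapman: {corrected:.0f} +/- {1.96 * stderr:.0f} (95%)")
```

Passing the raw, differently formatted records to lincoln_petersen instead of the normalized keys finds no overlap and raises ValueError, which is why record linkage has to happen before the estimate.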

SLIDE 17

Drop

Drop Recruitment

  • How long do drops remain active?
  • Where are the drops?

SLIDE 18

Drop

Life Cycle of Drops

Drops are abandoned without getting paid after about 30 days

I know the pay is only once a month so when will I receive my first check!? What time will I be paid!? When will my check be deposited!?

[Timeline labels: 33 days; 33 days; Package assignment; Idle period before first assignment]

SLIDE 19

Drop

Locations of Drops

  • Drop likelihood = # drops in state ⁄ population of state

Scammers target unemployed or underemployed groups to recruit drops

Rank | State          | Drop likelihood | Diff to US (2014 US Annual Unemployment Rate)
1    | Georgia        | 0.01099%        | +1.0%
2    | Nevada         | 0.01011%        | +1.6%
3    | Delaware       | 0.00951%        | –0.5%
4    | Florida        | 0.00919%        | +0.1%
5    | Maryland       | 0.00868%        | –0.4%
6    | North Carolina | 0.00710%        | –0.1%
7    | Mississippi    | 0.00674%        | +1.6%
8    | Arizona        | 0.00667%        | +0.7%
9    | Illinois       | 0.00608%        | +0.9%
10   | Virginia       | 0.00599%        | –1.0%

SLIDE 20

Intervention

Intervention Approaches

  • Vantage points at shipping service companies
    – Patterns in package tracking
    – Accounts of label purchases
    – Shipping destinations

SLIDE 21

Intervention

Reshipping Destinations

  • Top destination cities from reshipping scam sites

Site   | Destination          | Label Percentage
Site-A | Moscow area, Russia* | 85.89%
Site-A | Claymont, DE, US     | 6.08%
Site-A | Dover, DE, US        | 2.43%
Site-D | Moscow area, Russia* | 89.07%
Site-D | Kiev, Ukraine        | 10.11%
Site-D | Nikolaev, Ukraine    | 0.49%
Site-E | Moscow, Russia       | 91.14%
Site-E | Krasnodar, Russia    | 4.36%
Site-E | Stavropol, Russia    | 1.45%

* Including Moscow, Balashiha, and Zheleznodorozhnyj

At least 85% of packages are shipped to Moscow and its suburbs

SLIDE 22

Conclusion

  • Reshipping scam is prolific: Yearly revenue up to $7.3 million of a single site, and overall estimated $1.8 billion
  • We provided detailed analysis on operation policies, targeted products, “white labels”, and drop recruitment
  • We proposed approaches to intercept reshipping packages

http://www.cs.ucsb.edu/~shuanghao