Cyber criminals who have acquired stolen payment card information and wish to make the most of them can now simply buy professional-looking software that will automate the sending of stolen card charges to muliple gateway processors.
What’s more, the tool will also emulate human behavior and buying patterns, upping the probability that the charges will be authorised.
It’s called Voxis Platform, and it was developed by an organized crime group called Voxis Team (click on the screenshot to enlarge it):
Ads for the tool have been spotted on underground carder forums.
“The black market has money mules and stolen identities which allows bad actors the necessary resources to open merchant accounts. They can easily build fake web sites and turn in stolen documents to get approved merchant accounts,” Intercrawler researchers pointed out, and noted that “the issue for them has always been hammering the merchant accounts with stolen cards before the account gets cut off.”
The Voxis Platform does that for them and can target 32 different payment gateways, including Coinbase and PayPal.
Card information is loaded into the tool, which is also apparently capable of filling in missing information about the credit card holder by pulling it from the Pipl people search engine by using its API.
Users can select several payment gateways at a time, and opt to emulate human behaviour by using predefined templates. There are also templates for automating the amounts charged per credit card at a given time or in a given period.
“Past breaches of retailers like Target and Home Depot have created a demand in the underground to quickly try and monetize the stolen cards. Groups of cyber criminals actually pool their programming resources to build tools like the Voxis Platform,” the researchers noted.
Of course, we don’t yet know whether the tool works as advertized. But even if it doesn’t, it’s only a matter of time before a similar one is put on the underground market.
So what can online-processors, payment gateways and e-commerce companies do to prevent this type of fraud? IntelCrawler recommends strengthening know-your-customer due dilligence procedures when it comes to newly issued merchants accounts and transaction scrubbing thresholds.