Fraud is one of the most prevalent activities on the darknet. Threat actors buy and sell fraudulent goods and provide tips and tricks on how to conduct fraudulent activities. There are many different types of fraud, conducted against many industries and events, although financial gain is the overriding incentive, with actors often being opportunistic in who they target and when.
Here we will explore some of the types of fraud DarkOwl analysts have observed on the darknet.
The targeting of e-commerce businesses such as Amazon, PayPal and Shopify is widespread on the darknet. Criminals will use a range of techniques such as refund fraud, hacked accounts and gift card fraud in order to obtain funds.
The dark web adjacent platform Telegram is used extensively to advertise fraud and scam markets. Users are able to search for channels which provide them with ways to conduct fraud, and for groups that will provide fraud services for them or sell them fraudulent goods.
Refunding fraud is when a user obtains a cash refund for goods that they have not purchased, or for goods for which the buyer had already received a legitimate refund. Refund fraud can have significant financial implications for businesses, leading to monetary losses and potential damage to their reputation.
A user known as Bam or Amazon God offers refunding services for Amazon goods in a range of jurisdictions. They provide the refund service as well as offering methodologies and mentorship as a consultant.
Hacked accounts often come from stolen credentials, or through credential stuffing attacks allowing criminals to access legitimate accounts to purchase goods. This is also known as Account Takeover (ATO). These accounts are often sold on the dark web and dark web adjacent sites.
Many organizations are targets of these types of account takeovers, with threat actors becoming more successful at obtaining credentials which can be used on multiple accounts. However, we do see many accounts being made available for streaming services such as Netflix or Hulu, usually for very low prices.
This is why it is very important for individuals to practice good password hygiene, not only in their professional life but also in their personal life. Password reuse can lead to several of your accounts being stolen. DarkOwl recommends the use of a password manager and routine changing of passwords.
Although not a fraudulent activity in its own right, DarkOwl analysts note that threat actors are increasingly selling tutorials and guidance on how to conduct different types of fraudulent activity on the darknet. This means that actors do not necessarily have to have skills or sophistication in order to be successful: they are able to purchase this knowledge and carry out the fraudulent actions themselves. Because of this sharing of knowledge, the number of individuals committing fraud can grow at a pace it might not otherwise have reached. Cracking tutorials on the darknet cover all manner of illegal “cracking”, including passwords, Wi-Fi routers, commercial accounts, and software. For obvious reasons, we’ll not detail any of the cracking tutorial methods that we’ve spotted across popular hacking forums and Telegram channels.
Although the majority of fraud is committed for the purposes of financial gain, it does not always target the financial sector directly. However, there are multiple types of fraud that do. This continues to be a trend DarkOwl has observed on the dark web and we do not expect it to decrease.
Gift card fraud refers to the unauthorized acquisition, use, or manipulation of gift cards for financial gain. Gift cards are prepaid cards issued by retailers, restaurants, or other businesses, and they are commonly used as presents or convenient forms of payment. However, criminals have developed various schemes to exploit vulnerabilities in the gift card system.
Gift cards are often used as a way to launder money, allowing users to purchase goods with funds which have been illicitly obtained. Gift cards can be purchased with cash and can therefore also be used to obfuscate the purchase of illicit goods.
Fullz is a dark web term which refers to a complete set of personal information that cyber criminals often seek to steal and sell on the dark web for fraudulent purposes. This information typically includes a person’s full name, social security number, birthdate, address, phone number, email address, financial account details (such as credit card numbers, bank account information, and associated security codes), and other sensitive data.
This information can be used to steal a person’s identity, conduct social engineering attacks, and conduct account takeovers. Most commonly we see fullz being sold on the dark web for the purposes of conducting financial fraud, with actors using the details to open fraudulent bank accounts to be used for other scams.
Credit card fraud is common on the dark web, with many marketplaces and vendor stores exclusively selling stolen and/or cloned credit cards. WWH Club is an example of a marketplace which is set up exclusively to cater to the carding community.
Credit cards are sold with varying balances or credit limits on them; the more cash available, the more expensive they will be. Threat actors have been able to clone cards, which they create en masse and sell on the dark web.
Users will purchase these cards to cash out the funds or purchase illicit goods and obfuscate their identity.
Another item that is very popular on the dark web is the sale of counterfeit goods. While these can vary in type, from designer goods to sportswear, the majority of items we have seen advertised on the dark web are counterfeit documents. Passports from a variety of countries, driving licenses, birth certificates and immigration documents are available for purchase on the dark web.
Again, there are marketplaces and vendor stores that are dedicated to the sale of these goods, and the goods are also made available on the majority of high-profile marketplaces within their own area.
DarkOwl has not verified the quality of any of these goods, and it is unclear whether the sale of these is a scam in and of itself. However, it is possible that some threat actors do have access to the materials to create these. The price of the document is usually a good indication of the quality. Some of the documents sold also appear to be legitimate, likely stolen from the original owner for the purpose of selling on the dark web.
Healthcare fraud became increasingly mainstream as a result of the 2020 pandemic, with actors selling vaccination cards and PPE (personal protective equipment). However, this has continued as the pandemic has subsided. Although vaccination cards are still available, we have seen a move towards Medicare fraud in the US as well as the sale of medical information in leaks and breaches. Mentions on the dark web related to 1095A Forms, healthcare agent credentials, and Medicare / Medicaid. We assess that this information is being made available on the dark web so that criminals can use it to conduct healthcare fraud and claim benefits which they are not entitled to. DarkOwl will continue to monitor this trend into 2024.
Threat actors use the dark web to conduct, learn about and sell activities relating to many different types of fraud. The primary reason for this activity is financial gain and we do not expect this to change; however, new trends and types of fraud continue to emerge. DarkOwl will continue to monitor these trends into 2024.