In preparation for the upcoming Black Friday and Cyber Monday events, DarkOwl analysts wanted to identify how this was being addressed on the dark web and if there were any emerging scams in relation to the years biggest sales. Analysts used DarkOwl Vision to determine mentions of either Black Friday or Cyber Monday on authenticated forums like XSS, Exploit, carding forums, carding stores, marketplaces, and Telegram channels.
Black Friday and Cyber Monday advertisements on the dark web are expected in the weeks leading up to the holiday, however, DarkOwl analysts also predict an increase in various types of e-commerce fraud during the same time period due to the high volume of consumers taking advantage of November’s deals. In this blog, we first take a quick look at some of the “Black Friday” dark web deals followed by an overview of various types of fraud typically perpetrated against e-commerce companies like Amazon, Ebay, and Shopify.
At this time of year most of us expect a rise in the commercials we see advertising the latest technologies, gifts and household goods with deals associated with them culminating in Black Friday deals. The dark web is no different with vendors and marketplaces using Black Friday discounts to entice consumers to buy their goods.
On the well-known Russian language credit card fraud forum WWH Club, dark web vendors are advertising discounts for hacked accounts associated with a wide range of companies from fintech, crypto exchanges, rental property platforms and more. They claim that everyone has discounts for Black Friday and that they will give big discounts although they don’t stipulate what the discounts are. These type of Black Friday discounts are common across other credit card fraud forums and marketplaces like: Carding Store, Ascarding, Shadowcarder, and others.
The carding forum, Shadowcarders, also have Black Friday deals, providing up to a 50% discount for credit card databases in several jurisdictions. The vendor shares the data has a 96% validity rate and includes the following PII (personal identifiable information): names (first/last), addresses, and phone numbers.
DarkOwl analysts identified another Black Friday “deal” on a darknet marketplace called Kingdom Marketplace. The product listing provides some more details than the previously mentioned advertisements. The post states that the vendor is selling verified PayPal accounts, but also offers methodologies and tutorials to teach a prospective threat actor how to engage in this sort of fraud. These types of offers are commonly observed across various darknet and deep web marketplaces.
The dark web economy is known to be reliant on reputation and reviews, as this is one of the only recourses that consumers have against the rampant scams and exits. Although it is clear that threat actors also seek to entice potential customers with discounts and deals just as the mainstream stores do.
More and more these days, consumers will conduct their shopping online rather than venturing into busy stores. In recent years this has led to the advent of Cyber Monday for customers to take advantage of online deals. But as more of us move to online shopping, online fraud also continues to rise.
E-Commerce fraud comes in various different forms. Some of the most common methodologies DarkOwl have observed on the dark web are the selling of refunding tutorials/methodologies, hacked accounts, stealer logs, credit card information with fullz, as well as gift card fraud, and the sale of verified seller stores from sites like Shopify and Ebay.
Refund fraud is one of the most prevalent types of fraud as it does not take a high degree of technical sophistication to successfully defraud the target. Refund fraud is “the act of abusing a return or refund process for monetary gain. There are many types of return fraud, but most commonly, it consists of obtaining an item from a store (through purchase or theft), and then defrauding the store by returning it for a refund.” This is also a common money laundering tactic.
Refunding services and refunding methodologies are very common on various Telegram channels as well as marketplaces and forums like Kingdom Marketplace, Abacus Market, XSS, Exploit, Cracked, and Nulled.
DarkOwl analysts discovered a Telegram user known as Bam or Amazon God that both sells refunding services as well as methodologies and mentorship for a consulting fee.
In the below image, this user advertises Amazon refunding for various domain locations, including amazon.com/.ca/.co.uk/.nl/.de/.pl/.be (United States, Canada, United Kingdom, Netherlands, Denmark, Poland, Belgium).
The user also provides evidence of the methodologies that they use as well as success rates and the period of time that it will take for the refund to be returned.
DarkOwl analysts discovered a user advertising hacked Amazon Prime accounts that are allegedly valid for one year and include a warranty. These sorts of advertisements are commonly seen across Telegram fraud channels. Amazon Prime accounts offer a large number of services which can be used by actors to conduct ongoing fraud, as the account is not associated with their personal information. This can include purchasing goods as well as streaming services.
eBay is another e-commerce vendor that is commonly targeted by fraudsters on Telegram as well as darknet and deep web forums and marketplaces.
The following screenshot is from a Telegram fraud channel showing eBay gift cards being sold at significantly discounted rates, 89 USD for a 200 USD gift card.
In another post mentioning eBay on a Telegram fraud group chat, DarkOwl analysts discovered a user advertising hacked accounts with logs and additional PII like SSN and bank accounts, for eBay, PayPal, and Skype.
A user is looking to sell counterfeit gold through a verified eBay seller posted across multiple darknet forums seeking a partner to sell his counterfeit goods as he had had issues setting his own accounts as they had been shut down by eBay. DarkOwl analysts discovered the below post on the well-known hacking forum, Breach Forums.
One of the more unique fraud offerings was discovered on the famous Russian hacking forum, Exploit. A user posted on the site in both Russian and English, advertising claiming to offer a Shopify vendor investigative service. The poster indicated that they would be able to provide details of the store including their customer information and revenue. It is likely that this information is provide so threat actors can target the most profitable store. The poster is charging $5k for this service.
Furthermore, DarkOwl analysts identified a user claiming to sell well reviewed Shopify stores with sales over 100K Euros for 3,000 USD on the well-known Russian hacking forum, XSS:
Dark web vendors see the value of discounting their products for Black Friday in much the same way that legitimate stores do, multiple advertisements have been identified across our monitored marketplaces which would indicate that these deals are popular and successful. We expect to see an increase in these advertisements in the lead up and proceeding the Thanksgiving holiday.
As consumers also endeavour to take advantage of Black Friday and Cyber Monday deals from legitimate stores they should be vigilant to the ever increasing e-commerce fraud which can take a variety of forms.