Since the beginning of the pandemic, Group-IB experts have recorded a sharp increase in fraud using card-to-card transfers: from April to June 2020, the number of such transactions grew more than sixfold.
Fraudsters lure users to phishing sites, where victims enter their payment details on fake payment pages believing they are making a purchase. The attackers use this data to access banks' public P2P transfer services and move money to their own accounts. The average amount of a single transfer is more than 7,000 rubles.
Several large Russian banks, representative offices of international banks and payment services have all received complaints about fraudsters stealing funds from customers' bank cards using fake payment pages on online store sites. According to Group-IB, a single bank currently records on average 400-600 attempts at this type of fraud per month.
Researchers identified a fraudulent scheme in which attackers circumvent an existing protection measure for online payments: the additional authentication step in the form of a code from an SMS message sent to the phone number linked to the card (3D Secure, the 3DS authorization procedure).
A typical 3D Secure flow is as follows: the user enters their payment card details on the online store's payment page. From this page, a request is made to the service of the acquiring bank that serves the store (the Merchant Plug-In, MPI). In response, the page receives encoded data about the payment and its recipient (PaReq). It contains information about the merchant, which is later displayed on the 3DS page, and the address of the 3DS page of the issuing bank that issued the user's card. The response also contains the URL of the page to which the user will be returned after confirming the payment with a one-time code from an SMS.
The problem is that 3DS version 1.0, which is still used almost everywhere today, protects payments against an "external" fraudster and blocks attempts to use stolen card data, but offers no protection against fraud committed by the online store itself.
The incidents studied by the researchers show that attackers set up phishing resources such as online stores with fake payment acceptance pages. Scammers were especially fond of goods in demand during the pandemic, such as masks, gloves and sanitizers; in search of these "scarce" items, the victims walked straight into the criminals' hands.
In this scheme, the data entered by the buyer on the fake payment page was used in real time to access banks' public P2P services. Thus, by entering the confirmation code on the 3DS page, the user was confirming not a purchase in the online store but a transfer to the attacker's account. To hide the use of a third-party P2P service from the user, the criminals changed the authorization result return URL and the merchant data (the payee) in PaReq, so that the 3DS page for entering the SMS code displayed information that would not arouse the victim's suspicion, for example "Oplata" (Russian for "Payment").
To prevent such attacks, Group-IB recommended that banks switch to 3DS 2.0, where this vulnerability is fixed. The problem can also be addressed with an additional authentication step in the form of a captcha, or with behavioral-analysis technologies that control the integrity of the page by collecting additional information about it: the domain it is hosted on, its content, forms and elements.
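The following Python script is an added illustration and is not code from Group-IB, from any bank, or from a 3DS implementation. It shows the two points made above: what the PaReq the MPI hands to the browser looks like in 3DS 1.0 (a deflated, base64-encoded XML message whose Merchant block carries the name and URL later shown on the 3DS page), and why the scheme works: nothing in that message is authenticated, so the merchant name and the return URL (TermUrl) can be altered before they reach the issuer. The script then applies a defender-side consistency check on the issuer's side, assuming that the ACS (or a monitoring layer in front of it) keeps a registry of merchants keyed by acquirer BIN and merchant ID, which is an assumption of this example rather than a requirement of the protocol. The registry, the merchant names, the hostnames and the PaReq contents are all constructed sample values.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed registry of merchants, keyed by (acquirer BIN, merchant ID).
# Assumption: the issuer's ACS (or a monitoring layer in front of it) holds
# such a registry; 3DS 1.0 itself does not require one.
MERCHANT_REGISTRY = {
    ("400000", "P2P-0001"): {
        "name": "Example Bank P2P Transfer",
        "url": "https://p2p.example-bank.test/",
    },
}

# Constructed PaReq skeleton following the 3DS 1.0.2 message layout.
PAREQ_TEMPLATE = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<ThreeDSecure><Message id="{xid}"><PAReq><version>1.0.2</version>'
    "<Merchant><acqBIN>{acq_bin}</acqBIN><merID>{mer_id}</merID>"
    "<name>{name}</name><country>643</country><url>{url}</url></Merchant>"
    "<Purchase><xid>{xid}</xid><date>20200615 12:00:00</date>"
    "<amount>7000.00</amount><purchAmount>700000</purchAmount>"
    "<currency>643</currency><exponent>2</exponent></Purchase>"
    "<CH><acctID>CONSTRUCTED-ACCT-ID</acctID><expiry>2312</expiry></CH>"
    "</PAReq></Message></ThreeDSecure>"
)


def encode_pareq(xml_text: str) -> str:
    """Deflate + base64, the way the MPI packs PaReq for the browser form."""
    return base64.b64encode(zlib.compress(xml_text.encode("utf-8"))).decode("ascii")


def build_pareq(**fields) -> str:
    """Fill the constructed template and encode it."""
    return encode_pareq(PAREQ_TEMPLATE.format(**fields))


def decode_pareq(pareq_b64: str) -> dict:
    """Unpack a PaReq and return its Merchant block as a dict."""
    xml_bytes = zlib.decompress(base64.b64decode(pareq_b64))
    merchant = ET.fromstring(xml_bytes).find("./Message/PAReq/Merchant")
    return {tag: merchant.findtext(tag) for tag in ("acqBIN", "merID", "name", "url")}


def host_of(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def check_pareq(pareq_b64: str, term_url: str, registry=MERCHANT_REGISTRY) -> list:
    """Compare the browser-supplied PaReq and TermUrl against the registry.

    Returns a list of findings; an empty list means the form is consistent.
    """
    merchant = decode_pareq(pareq_b64)
    key = (merchant["acqBIN"], merchant["merID"])
    registered = registry.get(key)
    if registered is None:
        return [f"unknown merchant {key}"]
    findings = []
    if merchant["name"] != registered["name"]:
        findings.append(
            f"merchant name mismatch: PaReq shows {merchant['name']!r}, "
            f"registered {registered['name']!r}"
        )
    if merchant["url"] != registered["url"]:
        findings.append(
            f"merchant url mismatch: PaReq shows {merchant['url']!r}, "
            f"registered {registered['url']!r}"
        )
    reg_host, term_host = host_of(registered["url"]), host_of(term_url)
    if term_host != reg_host and not term_host.endswith("." + reg_host):
        findings.append(
            f"TermUrl host {term_host!r} does not belong to registered host {reg_host!r}"
        )
    return findings


# Constructed sample inputs: the legitimate P2P form, and one whose merchant
# name, merchant URL and return URL were changed the way the article describes.
LEGIT_FIELDS = dict(
    xid="CONSTRUCTED-XID-0001",
    acq_bin="400000",
    mer_id="P2P-0001",
    name="Example Bank P2P Transfer",
    url="https://p2p.example-bank.test/",
)
LEGIT_TERM_URL = "https://p2p.example-bank.test/3ds/return"

TAMPERED_FIELDS = dict(LEGIT_FIELDS, name="Oplata", url="https://shop.example-store.test/")
TAMPERED_TERM_URL = "https://shop.example-store.test/3ds/return"

if __name__ == "__main__":
    for label, fields, term_url in (
        ("legitimate", LEGIT_FIELDS, LEGIT_TERM_URL),
        ("tampered", TAMPERED_FIELDS, TAMPERED_TERM_URL),
    ):
        findings = check_pareq(build_pareq(**fields), term_url)
        print(f"{label}: {'OK' if not findings else 'ALERT'}")
        for finding in findings:
            print("  -", finding)
```

Two caveats for anyone adapting this. First, the check only catches cases where the fields shown to the cardholder disagree with what the issuer already knows about the real payee; it is a detection aid for the 1.0 flow, not a substitute for moving to 3DS 2.0, where the merchant data reaches the ACS over the server-to-server path through the directory server instead of travelling through the cardholder's browser. Second, the registry lookup is keyed on acquirer BIN and merchant ID, so an attacker who is themselves a properly registered merchant is not flagged by it; that case is what the page-integrity and behavioral controls mentioned above are meant to cover.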
“P2P payment fraud has been reinvigorated during the global pandemic. The widespread use of 3DS protocol version 1.0 indicates that this type of fraud is most likely to receive further distribution,” said Pavel Krylov, head of product development for Secure Bank and Secure Portal.