Indiana University’s Chatbot Sheds Novel Intel Regarding Dark Web's E-Commerce Fraud Supply Chain
Read the original text here: https://www.ndss-symposium.org/wp-content/uploads/2020/02/23071-paper.pdf
How many times have you wondered, why that particular SKU? Why those peculiar patterns? Why place these fraudulent orders at all, and who is gaining from it? Is the risk worth the gains? Researchers at Indiana University Bloomington created a chatbot named Aubrey based off of her acronym, “AUtonomous chatBot foR intelligencE discoverY” (Wang, Liao, Qin & Wang, 2020 p.1) and deployed it into the depths of the Chinese dark web posing as a job-hunting fraudster. While their paper focuses on China-based e-commerce fraud, it’s hard to imagine the system being much different domestically. What they discovered is completely enlightening and unprecedented.
First of all, we know the dark web is involved in these fake orders we see, but perhaps we don’t all know to what extent. We know this much - that’s where the stolen payment credentials, names, phone numbers, and addresses come from, right? This is true, but it is just the tip of the iceberg. These details are exchanged over dark web forums and instant messaging, along with a lot more.
Researchers Peng Wang, Xiaojing Liao, Yue Qin, and XiaoFeng Wang start this stunning paper off by describing the differences between what they term the upstream and downstream jobs of the dark web e-commerce fraud supply chain (fasten your seatbelts, because this is going to get wild).
According to their paper, upstream markets “provide attack assets (e.g., fraud accounts)” (Wang, Liao, Qin & Wang, 2020 p. 2) via SIM farms, which provide phone numbers for setting up fake accounts (rather than stealing real, leaked phone numbers), and fraud account merchants, who bypass CAPTCHAs to create and sell these accounts in bulk. These account merchants are closely tied to both upstream and downstream activities, needing contact with the SIM farmers to create the accounts, and contact with the fraud order operators (downstream workers) to sell the tasks for hire.
Downstream markets “supply illicit affiliate networks (e.g., order scalping platforms)” (Wang, Liao, Qin & Wang, 2020 p. 2). Here’s where we enter the picture. Order scalping artificially inflates the sales of a product by hiring workers to place fraudulent orders, which raises the question: who is the driving force behind this plot? When an advert for a product announces, “Over 1 million copies sold!” how many of those were artificially inflated? Are the developers/authors aware that this is happening? Are they in on it?! (I wasn’t kidding you when I said this was going to be a wild ride.) These questions still beg to be answered.
While the logistics of Aubrey’s chatting skills are worth geeking out on (for the sake of brevity I will allow you the pleasure of exploring that in the original paper), her results are spellbinding: she/it/they discovered 323K fraud phone numbers, 38 fraud account marketplaces and 65 fraud order affiliate networks (Wang, Liao, Qin & Wang, 2020 p. 9).
Essentially, to my understanding (and some extrapolation), the underground supply chain goes as follows:
SIMs are farmed (and I believe leaked data would belong here as well) --> account merchants create fake accounts (or, I would surmise, collect placeholder data for guest checkouts) --> fraud order affiliate networks distribute tasks (more info on p. 3) --> fraud order operators execute tasks --> a fraud analyst either blocks the fraudulent order thanks to efficient rules or a keen eye, OR we discover it in the form of a chargeback (the least preferable outcome). Who knew so many parties were involved?
This is the solution the authors propose based on their findings:
“We found that account trading lies at the center of the fraud ecosystem, with both SIM farmers and fraud order operators extensively working with the account merchants. Hence, to mitigate and further stop the threats in e-commerce fraud, intervening at account trading can be an effective way to break the criminal value chain. One possible approach is to use multi-factor authentication and human-robot recognition to raise the bar for account registration.” (Wang, Liao, Qin & Wang, 2020 p. 13)
But wait, there’s more! Bonus hunters, fake reviews, Amazon and eBay account trading after fraudulently establishing a positive reputation, and their income from such activities (if they hustle, yes, they can quit their day job). See the details in the original work, cited below.
Questions, comments, concerns? Let’s bring it to the forum!
Wang, P., Liao, X., Qin, Y., & Wang, X. F. (2020, February). Into the Deep Web: Understanding E-commerce Fraud from Autonomous Chat with Cybercriminals. https://www.ndss-symposium.org/wp-content/uploads/2020/02/23071-paper.pdf