
Yeah, so today we're going to go over cyber fraud, the cyber fraud guys game, and like you mentioned, my name is Christopher Del Roa. Uh, yeah, so if you hear my son throughout this presentation, he's sitting right there, so super excited that I'm up here talking. Um, it's the second time I've been here at BSides; this is the first time, I think, where he's been able to see me in my environment and what I do as well. He's up there on the better Sal bench Albuquerque, from Albuquerque.

Um, so yeah, so let me tell you about myself. So I'm a cyber threat intelligence analyst at Target, specialized in fraud intelligence. My role revolves around working with asset protection, our cyber fraud team and insider risk teams to identify online threats to the organization, such as reward code fraud, um, credit card fraud, brand protection and insider risk, and any types of fraud-related activities that threaten the organization. I also collaborate with our social media teams, marketing and our legal teams. This includes conducting threat assessments and managing brand protection violations such as copyright and intellectual property issues. I'm an active contributor in the Retail and Hospitality Information Sharing and Analysis Center; I help with special interest groups. Uh, we also conduct some top threat investigations. I've also assisted the National Cyber-Forensics and Training Alliance, uh, by creating intelligence packages and providing OSINT training for the FBI, Secret Service and local law enforcement. And before joining Target, I spent eight years in managed services at Texas A&M University, Ernst & Young and B
So here's what we're going to dive into today: the top cyber fraud threats in the retail world. We're going to cover refund as a service, a threat actor profile, impersonating websites and reward code fraud. You can kind of think of this as fraud's greatest hits. So today we're going to talk about some of those frauds that impact the retail world, and some of them have been around for a while. It's not necessarily anything that's new, uh, but the execution has definitely changed. We'll talk about refund as a service, impersonating domains and reward code fraud. And again, this isn't in any particular order, but I think refund as a service is a really big deal. As a member of the Retail and Hospitality ISAC, I've seen a lot of companies get caught off guard by this threat, and even the companies that are aware of this, they still struggle to deal with it, because it's something that's ongoing every day. You wouldn't think that refund as a service is something that happens, because typically when you think of RaaS you think of ransomware as a service, but in my world of fraud intelligence you think of refund as a service.

Okay, so the first thing I want to talk about is refund as a service.
It's a real headache for retail companies, and here's the gist: it works because these fraudsters typically have insiders working with them, and it's usually customer service reps who help process these fake refunds. One tactic they use is LinkedIn to find these reps. Sometimes customer service reps will stumble on these posts of these job opportunities on Telegram, Reddit, social media. You know, once it kind of gets out there, then everyone starts advertising, like, "Hey, on Telegram we have these job openings; if you're interested and you're looking to make some money, reach out to us." Now once the fraudsters have these insiders on board, that's when they can start doing these refund services.

Um, with the insiders helping them out, these operations, they run like legitimate businesses. They've got customer service teams, Telegram channels where customers can leave reviews or vouches. These fraudsters also keep a list of companies with insiders, so if you want to use their service, you check to see if that company's listed on their website, and then you make the purchase, and then you fill out the form on the fraudster's website, and they use this information to dox you. So if you don't pay a portion of the refund that they get for you, they'll dox you. I've seen different threat actors, they'll post your information all over Telegram; they sort of put you on, like, a do-not-fly list when it comes to dealing with other fraudsters that offer this service. The insiders, they process the refund, and once it's done you pay the fraudsters or threat actors a portion of the cut, and usually it's somewhere between 10 to 20%. It's a pretty slick operation that retail companies need to be aware of and guard against.

Okay, so today I want to put a spotlight on Arrow refund. Um, they're a notorious refund-as-a-service group, and you don't have to worry about anything we're going over right now; they've been active for a while, so putting a
spotlight on them isn't going to disrupt any ongoing investigations that there might be. So Arrow was all over the place, using platforms like Nulled and Cracked, criminal forums, and even Telegram. They offered their services and even had users leave glowing reviews. Now here's the wild part that we found with this particular threat actor: they sold a $500 guide on how to commit refund fraud yourself. It's like a fraudster's DIY guide for how to commit crimes. The guide included everything from putting out fake police reports for high-ticket items like iPads, MacBooks, PS5s, Xboxes, you name it, they had something for that. And I got our hands on this guide, and what we learned is that, with these guides, they had it built out for every specific retailer that was out there, whether it was, you know, a retail company, a grocery store company, even hotels. They had scripts that you could use when you would talk to customer service. So one thing that was really interesting to me is, if it was like your anniversary, you would call customer service and be like, "Hey, it's my wife's anniversary, we bought her this new gift but it got destroyed, or it didn't get here on time. I'm really upset. Like, what can you do to help me? You ruined my anniversary." And so customer service reps, they always want to make things better; they want to make the customer, you know, feel good, and there's always that saying in retail that the customer is king and queen. And so that is something that the retailers struggle with, because there's just so many clever ways that you can get away with this.

And some of the stuff I'm going over right now, I'll just say, I don't explicitly say this in my talk, but don't do this stuff. Tomorrow we're doing a workshop to go over this stuff and I'll say the same thing. I'll show you and go over the different, you know, TTPs and techniques that these threat actors use to commit fraud, but I'm just saying that, you know, you can learn the skill set here, but I would very much recommend not doing that. Uh, I'm speaking solely from Target: we're very good at our jobs catching fraud, so just don't do it. If you want to get practical about it, then, you know, maybe test it, but never actually go through with that stuff.

Yeah, so that's Arrow refund in a nutshell. And again, the play might be out there, but for the most part a lot of retailers are aware of what is going on, and we share this stuff across the different, you know, RH-ISAC members that we have, because we
want other members to be informed, because that's what it is at the end of the day: sharing this information to make sure that it gets out there, to where we slow down these threat actors.

So this document right here, this is pretty interesting. Uh, so this is a list of companies that Arrow has successfully scammed. It's got all that juicy information on there: which companies they target, how much you can spend to get a refund, how fast they can make it happen, where the company is located, and all the other information you need to process, uh, refund fraud. And for some retailers Arrow bragged that they could handle purchases up to $25,000 or 10 items, with refunds processed in just one to two days, and they even had the nerve to suggest signing for these deliveries with fake names to cover their tracks, which was pretty absurd. Whenever you're going through these orders, it's like, okay, I see an order from Taylor Swift, I see an order from Kendrick Lamar, Michael Jordan is placing a bunch of orders for Stanley mugs. Like, it's just all over the place; you can tell that they're using these fake names. It's like, okay, I guess maybe Taylor Swift does need 50 Stanley mugs, but Michael Jordan likely doesn't need this many Stanley mugs.

And so these are some of the posts that we were able to get from Arrow's Telegram channel. If you look at some of these posts, you know, you've got guides, lists of companies that they scam; they even had Amazon refund tricks. They're listed on the right. Uh, it's like a weird version of a customer testimonial. It's like, "Thanks, Arrow, uh, thank you for helping me scam Amazon." It's like, yeah, you know, thanks, I'm good, thank you though.

And so up next is impersonating websites. I'm sure everyone is pretty much familiar with this if you shop online, but pretty much, threat actors, they clone these websites and they register typo domains to lure unsuspecting customers. They offer crazy discounts on seasonal items, so sort of like imagine going to
buy a baseball bat on sale in the summer and buying bikes in the fall. And once, you know, customers try to go pick up their orders in store, uh, they realize that they've been tricked, and then they end up having to go to their bank, because now their credit card information has been stolen and their personal information has been stolen. So it's always just, like, a real pain for the customers. You always kind of feel bad, because sometimes people just really want views.

And so when you identify these patterns with these domains, you can set up Google Alerts and specific search queries to track them, and these DIY OSINT methods are great for monitoring and alerting. The one thing I will caveat, and again we're going to go over this tomorrow, it's a shameless plug for my workshop, but I will say you can do all this with OSINT. You don't have to be a large organization. You can't necessarily have the funding like Amazon or Target or Walmart or Nike or these other big retail companies, but you can get creative with what you have when it comes to OSINT. It's like, everyone has free access to Google Alerts and Gmail, so you can set these alerts up and it'll help you bring these threat actors down, or at least slow them down, because that's what we're trying to do at the end of the day: we're just trying to slow them down.

And so when I looked into some of these domains with a VM, I found that they were fully functional websites. You can add items to your cart, you can even pay with PayPal, and I managed to get the threat actor's PayPal ID for one specific website, and I contacted PayPal directly and I was like, "Hey, PayPal, can you please get this shut down?" And while this won't stop the threat actors entirely, it can at least slow them down and cause some headaches for them, because that's all we're doing at the end of the day: we're really just trying to slow them down, to make things a little bit more challenging and difficult for them. Because, at least for me, you know, I have, like, older parents, and so that's one thing that I always worry about, is my family members going to fall for this stuff. And you see there isn't much difference between the legitimate website and the fake website, and if you're someone who likes a really good deal, like my brother Pablo, who's super cheap, he will go towards the shirt that's $20 as opposed to the $99 one. Um, and a lot of times people are tempted by these low-priced items in these
fake websites, so it's always best to use caution when you're on a website offering deals that are too good to be true.

All right, so the next thing I want to dive into is the wild world of reward code fraud. It's a retailer's real nightmare. Companies are stuck trying to fix this mess without making life harder for the loyal customers. It's a double whammy, because stores get hit, and honest customers who earn these awesome rewards, like coupons or discounts, they end up losing out on that. Me personally, if I lose my Target reward card, or my wife would lose, uh, that sweet discount, we would be incredibly upset and disappointed, you know. So retailers, they're often hesitant to hit that big reset button, because when customers find out that their passwords have been breached and they've got to reset, you know, their passwords, all of a sudden there's just, like, this mass panic, and they think there's just a big breach that's happened, and panic typically ensues. So with the use of social media, everyone can get online and start sharing, like, "Hey, I think my account got breached," and then it sort of starts spreading. But most of the time these breaches, they start with classic phishing. It's promising discounts too good to resist; you know, you click on that and then bam, you know, malware sneaks in, stealing login information, personal information. It's a really messy situation. It ends up dragging in teams from digital fraud, cyber security and customer service to clean up all this chaos. If you don't get better at stopping reward code abuse, you know, scammers are going to keep lining their pockets at the expense of retailers, the cyber teams will just end up pulling their hair out, and customers will miss out on those great rewards. And let's be honest, no one wants to miss out on their hard-earned reward codes. So for the moral of the story: you know, stay vigilant, don't fall for those shady emails promising the deal of the century, and your rewards and your sanity will thank
you.

So some recaps and takeaways. You know, thank you so much for sticking with me today. I know we're at the end of the day, and, you know, I kind of want to go over this pretty quick, but quickly we'll go over what we covered: so major cyber security threats, you know, refund as a service, impersonating websites and reward code fraud; the sophisticated operations that have been run by cyber criminals like Arrow refund, and tomorrow we can maybe go over a different one. Um, but there are ways that companies have been getting together. So, for example, there's Rex refund, and for those not familiar, they were causing millions of dollars of loss to Amazon, so Amazon invested $1.2 billion to fight fraud. Not everyone has access to that much money, but what we're going to go over tomorrow, again, shameless plug, is going to be ways that you can use free OSINT and techniques to find this stuff, do some reverse lookups and see if you can identify who those threat actors really are. And again, the importance of staying proactive with OSINT techniques and industry collaborations.

And some final thoughts. So in a nutshell, staying alert is very important. Cyber threats are always changing, so staying informed and being proactive is the best defense. Getting involved with industry groups, coming to conferences like BSides and sharing intelligence can really boost our efforts.

All right, so now we'll go on to questions. So I would love to hear from y'all: have any questions or thoughts on what we covered today? Uh, feel free to ask anything, share experience, uh, and tips, so we can tackle these cyber security threats together. The young lady in front who's
my... Yeah, so for this one right here, so it's kind of a run. I've actually reached out and talked to the how Brothers, uh, team, and what ends up happening is they'll post these on social media, like on Instagram. So the example that I saw, so on the bottom, that was the impersonating website, and then this snapshot is what they had on there. And so what they did is they posted this on social media, on, like, a story, and if you see how there's, like, a countdown right there, it's like, okay, you have, like, 8 hours before you miss this. And so they're starting to use, you know, even phishing emails, 'cause what they'll do is they'll potentially breach the company and get that mailing list, then send out these emails. 'Cause I remember this was a couple of years ago at Dick's Sporting Goods; y'all have all probably got those Yeti, uh, emails offering, if you do this survey, then you get free, um, you get a discounted Yeti email. And again, it's seasonal, so sometimes we were seeing, you know, baseball bats in the spring and then golf clubs, and so it really just depends on the season, and that's what they're doing.

So right now some of this stuff that we're seeing with how Brothers is they're having deals for the old inventory, so customers are thinking, like, "Hey, I'm getting all these really great deals that are coming out right now," but they're trying to, like, slip in, uh, when it comes to this stuff. And one thing to keep an eye out for is these survey websites that are coming out. You'll get an email for, "Hey, do this email, you get, like, a $750 reward code or discount code," and you have to just fill out all this information. What they're trying to do is harvest your PII and harvest your PCI. So it's like, well, why would you need my credit card information if you're going to give me, um, a gift card? So hopefully that answers your question.
Right. Hey, so do you see a lot of crossover between the cyber criminals that do refund theft and those that do other types of cyber criminal activity, like bot farmers, denial of service, ransomware?

Yeah, so not so much the ransomware, just because a lot of times these aren't really sophisticated threat actors. I can tell you that, like, LockBit, again another shameless plug for tomorrow, we'll go over LockBit's Telegram channel, but a lot of these threat actors are not going to operate on the dark web; they're going to do it in Telegram, Discord, Facebook. I've seen people post on LinkedIn opportunities to work with these threat actors. So sometimes what we have seen is organized retail crime, so it's not necessarily the traditional cyber security criminals that you would think of, but it is some form of, like, organized retail crime that we have seen, and what we have seen is they're starting to use freight forwarders for these addresses, for these orders that they place. And it's like a really big organized crime organization, to where, you know, we have some of the cartels getting involved, uh, some of the mafias getting involved. So we've had some experience with looking at shipping manifests, where you can see where, uh, the logistics companies are shipping stuff all over the world. Um, so there is some overlap, but a lot of times there's not going to be, like... I think the most with the denial of service or bots is going to be whenever they had these high-ticket items. Like, I don't know if you remember, when the PS5, when the Xbox came out, people were using bots and were just constantly hitting the websites. Even with shoes, Jordans will come out, people were, you know, using bots to hit that. A lot of that has died down now because of the security measures that retail companies put in place, but for the most part, like, there's some overlap
not...

Can you talk a little bit about how, um, this specific, um, you know, TTP used by these types of organizations has changed the way you detect and respond to the activity, maybe some significant changes in your process, maybe, or something like that?

Yeah, so like what I mentioned before, so companies will actually, for the most part, try to block addresses that are associated with freight forwarding companies. There's, like, nothing good; like, I mean, if I order something and I ship it to a freight forwarding company, realistically, why would I do that? And so one thing that we have noticed is they'll add, like, just random items in the order just to make it kind of blend in, and some of the TTPs that we've seen is they'll order, like, an iPhone and they'll put nail polish in it, and then when you get the order, the nail polish will, you know, quote unquote break, and then you start noticing that. So what customer service does a really good job of is they start noticing a pattern when they're doing the chats, or what they'll do is they'll see, like, you know, the Stanley mugs for example; they'll start seeing, like, okay, somehow we're losing, like, hundreds of thousands of dollars for guest can keep with Stanley mugs, and then you start noticing that pattern. Or they'll start sending it to a specific address, but they're sort of obfuscating the address in the sense that it's like a typo address, so it's like, you know, it's 12345 Avenue, 12345 B Avenue, but it's still the same zip code, it's still the same general area.

And I think what we do is we try to notice patterns on the cyber fraud side. It's like, okay, one thing, to give an example, is like Nutella was a really big thing a couple of weeks ago, and even, like, Harry's razors. So you could buy these Harry's razors, and there's a certain threshold for, you know, guest can keep, and so what we were noticing is that they would buy all these razors in bulk and then they would use these freight forwarding companies to ship them outside of the United States. And just because the companies handle all the import fees and taxes and everything like that, that's how we could tell it was likely connected to, like, organized retail crime, and that's when we try to work with law enforcement to see if we can do anything to really at least stop them or slow it down. Hope that answers the question.
question cool yeah thanks and again tomorrow we're we're going to be I think we're going to have a a workshop going over this stuff I'll go over first domains ransomware or I'll go over some ransomware uh as a service you know channels that you can look into and yeah I think it'll be fun so thank you for this and enjoy the rest of the conference