According to a new report from ID Analytics' ID:A Labs, there are more than 10,000 identity fraud rings in the US alone.
Ring members may be either stealing victims' identities or improperly sharing and manipulating personal identifying information such as dates-of-birth (DOB) and Social Security numbers (SSNs) on applications for credit and services, according to the study. Wireless carriers are a top target, for instance, with many rings offering false credentials for people to sign up for mobile service.
“Selling of identities is one of the many services provide by organized cybercrime. Names and credit card numbers being one of the more common forms that can easily be purchased,” explained Richard Henderson, security strategist at FortiGuard Labs, in an email to Infosecurity about the research. He noted that cyber criminals can make upwards of $140,000 a month in the crimeware business – not exactly chump change.
And it’s not just hardened perps at issue. The study found that while many of these fraud rings are made up of two or more career criminals, surprisingly, others are family affairs or groups of friends. Researchers examined some fraud rings in detail, showing the conspirators' locations, ages and relationships. And they found that many groups were bonding over identity manipulation.
“A large number of families are working together in fraud rings, even using each other's SSNs and DOBs,” reads the study. “For example, ID:A Labs identified a family of five in Florida involved in a fraud ring for more than three years. The family, with ages ranging from 24 to 37, had filed at least 130 fraudulent applications, using more than eight SSNs and 11 DOBs during that time period.”
However, rings made up of friends are more common, with the majority made up of members with different last names.
"In this latest research, we have taken a broader approach, looking at connections among bad people rather than studying individual activity," said Stephen Coggeshall, CTO of ID Analytics, in a statement. "This information enables us to build new variables into our fraud models."
The ID Analytics study examined more than a billion applications for bankcards, wireless services and retail credit cards and found identity fraud rings attacking all three industries, with wireless carriers suffering from the most fraudulent activity. Georgia and South Carolina were two noted hotbeds of fraudulent activities across all three industries. Two bankcard fraud rings in Gainesville and Orlando, Florida each filed 200 applications.
Researchers also discovered that many fraud rings are found in rural areas of the country – demonstrating the geo-agnostic nature of online fraud. Henderson pointed out that bigger and better crimeware means that criminals are less often resorting to digging through trash cans or stealing mail in order to capture sensitive data.
“There are many examples of malware (such as ZeuS and SpyEye) that are specifically designed to capture data to facilitate theft of financial data,” he said. “The global nature of online fraud makes it much easier for crime rings to expend resources on gathering reams of data electronically.”
Research from McAfee makes clear that crimeware syndicates aren’t going away anytime soon. Online financial fraud attacks have spread worldwide in Q3, and they're getting more sophisticated, aiming at large targets like banks instead of just individuals. For instance, Operation High Roller, a financial fraud ring identified earlier this year by McAfee Labs and Guardian Analytics, has now spread outside Europe, including to the US and Colombia, the vendor said. Cybercriminals set up an automated transfer system (ATS) that was used to attack European financial institutions, and set out to target a major US multinational financial institution.
“In short, it’s way too profitable – crimeware equals high returns and almost zero risk for its creators,” said Derek Manky, senior security strategist at FortiGuard Labs. “And up until now, approaches to mitigate or prevent crimeware on a grand scale have been insufficient at best.”
He points out that there is no “silver bullet’ or “one-stop shop” approach to defending against identity theft. As with most things in the cyber-security realm, a layered approach is the most effective, with a comprehensive strategy that includes intrusion prevention, application control, web filtering, antispam and anti-virus, at a minimum.