When fraud-prevention backfires

Pictured below is one of the oldest and most exclusive illicit marketplaces on the internet (new users must pay a $300 fee and be vouched for by two existing users). It offers the following: RDPs (Windows machines whose remote access protocol, RDP for short, has been compromised), "Check MiniFraud" (the focus of this post), and Social Security Number lookups (by the first five digits alone, by date-of-birth year plus name, and by state plus name). The "Check MiniFraud" service recently caught my attention, and I thought it was noteworthy enough to write up.

As seen above, the "Checker" allows a criminal to pre-determine the likelihood that a fraudulent transaction will be approved without submitting any of the card information (which could alert the cardholder or the bank). Notice the logo at the top? If you work in cybersecurity, you already know all about MaxMind; if you don't, they provide an enterprise-grade API aimed at eliminating online fraud by examining IP addresses (along with the rest of the information shown above) to determine the risk associated with processing a transaction.

This functionality is not unique to this marketplace; in fact, it is more or less the "gold standard" for checking anything fraud-related, such as RDPs, SOCKS5 proxies, etc. Don't believe me? Check out another extremely popular online marketplace (one that was recently hacked, but that's for another article...) where SOCKS5 proxies (an IP address and port an attacker uses to match the geolocation of the cardholder, down to the ZIP code) are sold to carders, who use the proxies to aid in attempting fraudulent transactions.

Anyone see the issue?

The reality of the matter is that any (moderately intelligent) criminal attempting a fraudulent transaction is using an IP address whose RiskScore and ProxyScore (both proprietary measures of risk that MaxMind claims accurately reflect the likelihood that a particular transaction is fraudulent) are 0.00 and 0.00, respectively. The same marketplaces, like the one shown above, where such data is bought and sold offer the ability to check the proxy, RDP, etc. against MaxMind's API, effectively rendering it useless.

MaxMind's risk/rating scores have become such an integral part of the cybercriminal economy that they deserve extra attention, as they illustrate the manner in which MINDWISE distinguishes itself from existing fraud-prevention solutions. It's also worth noting that the criminals operating these sites are conceivably paying MaxMind for the API access, which, aside from being extremely ironic, is seriously concerning and illustrates a dangerous trend in cybersecurity in general, where criminals and legitimate institutions seem to be mutually profiting at consumers' expense.

This is not to suggest that MaxMind's RiskScores and ProxyScores are not valuable; they are, but they can only go so far. MINDWISE seeks to fill in the gaps.

Our API, like all of our solutions, is designed and implemented in a preventative capacity. At the time an online transaction is attempted, our documented and production-ready API provides a convenient programmatic means of checking the associated IP address against any IPs the platform has identified. In doing so, gateways can reject transactions, even those with a 0.00 RiskScore and ProxyScore from MaxMind, with complete confidence: any IP address that the platform has identified is, with 100% certainty, being utilized in a fraudulent capacity.
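The layering described above, as an added illustration that is not the MINDWISE API or any vendor's code: a gateway-side decision function that consults an internally curated IP denylist before it ever looks at a reputation score, so a "clean" 0.00/0.00 result from a third-party service cannot by itself approve a transaction from a flagged address. The denylist contents, the threshold values, and the function names are all constructed for this example (the addresses are RFC 5737 documentation ranges, not real indicators), and the score thresholds are not MaxMind's documented scales.

```python
import ipaddress
from typing import Tuple

# Constructed sample denylist standing in for addresses a platform has identified
# as used in fraud. These are RFC 5737 documentation ranges, NOT real indicators.
FLAGGED_NETWORKS = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.17/32"),
]


def ip_is_flagged(ip_text: str, flagged=FLAGGED_NETWORKS) -> bool:
    """Return True if ip_text lies inside any flagged network.

    Unparsable input is treated as flagged so that a malformed or
    deliberately mangled address can never bypass the check.
    """
    try:
        ip = ipaddress.ip_address(ip_text.strip())
    except ValueError:
        return True
    # Membership across address families (IPv4 in an IPv6 net) is simply False.
    return any(ip in net for net in flagged)


def decide_transaction(
    ip_text: str,
    risk_score: float,
    proxy_score: float,
    *,
    risk_review: float = 20.0,   # assumed thresholds for this example only
    risk_reject: float = 75.0,
    proxy_reject: float = 1.0,
) -> Tuple[str, str]:
    """Return (decision, reason) for a transaction attempt.

    Order matters: the internal denylist is consulted first, so a 0.00/0.00
    reputation score cannot override a denylist hit. Only when the address is
    not flagged do the third-party scores decide between accept/review/reject.
    """
    if ip_is_flagged(ip_text):
        return "reject", "ip flagged by internal platform"
    if proxy_score >= proxy_reject or risk_score >= risk_reject:
        return "reject", "reputation score above reject threshold"
    if risk_score >= risk_review:
        return "review", "reputation score above review threshold"
    return "accept", "no fraud signal"


if __name__ == "__main__":
    # Constructed transaction attempts: (ip, risk_score, proxy_score)
    attempts = [
        ("203.0.113.5", 0.0, 0.0),    # "clean" scores, but on the denylist
        ("192.0.2.10", 0.0, 0.0),     # clean scores, not flagged
        ("192.0.2.10", 50.0, 0.0),    # elevated risk, not flagged
        ("not-an-ip", 0.0, 0.0),      # malformed input
    ]
    for ip, risk, proxy in attempts:
        decision, reason = decide_transaction(ip, risk, proxy)
        print(f"{ip:>14}  risk={risk:5.2f} proxy={proxy:4.2f}  -> {decision:6} ({reason})")
```

The point of the ordering is the one the post makes: a reputation score that a criminal has already pre-checked against the vendor's own API tells the gateway nothing, so the denylist lookup has to be a hard gate in front of the score, not a tiebreaker behind it.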

All MaxMind logos, brand-names, etc. are copyright property of their respective owners (please don’t sue me!).

February 7th, 2018 | offensive-security