Cybercriminals have a new tool to make the most of stolen credit card details before payment processors detect the fraud, security researchers warn.
A Web-based application called the Voxis Platform is being advertised on underground forums as a tool for cashing out money from stolen credit cards by automating fraudulent purchases, according to security researchers from cybercrime intelligence firm IntelCrawler.
There are three main parties involved in every online transaction: the buyer, the seller and a payment processing provider that operates a payment gateway. In order to receive money from transactions, the seller needs to have a merchant account registered with the payment gateway.
Cybercriminals can steal merchant accounts or open rogue ones by setting up dummy e-commerce sites and using fake identity documents or money mules. Their main problem, however, is racking up a large number of fraudulent charges before they're detected and their merchant accounts get closed, the IntelCrawler researchers said in a blog post.
The Voxis Platform appears to have been designed specifically to overcome that problem. Its creators claim that it supports 32 different payment gateways and has the ability to emulate human interaction "to make it look like real humans are sending their credit card information to the payment gateways."
The platform started being advertised on underground forums in August and allows cybercriminals to charge predetermined amounts from credit cards loaded into the system at chosen time intervals, emulating real purchases. It even uses people search services like Pipl.com to automatically fill in missing card information.
The large payment card breaches at U.S. retailers like Target and Home Depot have generated demand on the underground market for ways to quickly monetize stolen credit card information. This has led cybercriminal groups to pool their resources in order to build tools like the Voxis Platform, the IntelCrawler researchers said. E-commerce companies and payment gateway operators should revise their merchant account verification practices and fraud-detection methods in light of such changes in cybercriminal toolsets, they said.