Threat Actors Discuss Circumvention Techniques Against “Bank Drop” Detection

The ubiquity of cybercrime has given rise to the widespread implementation of robust security measures across all sectors. While cybercriminals are often known for their ability to adapt and carry out their malicious campaigns despite increased security, they have also recognized that collaborating and sharing information pertaining to tactics, techniques, and procedures (TTPs) are integral to supporting these efforts. Indeed, one cybercriminal’s recent attempt to bypass stringent security measures as part of a scheme involving a “bank drop” serves as a case in point.

In March 2017, Flashpoint analysts observed threat actors on dark web forum AlphaBay discussing methods for circumventing financial institutions’ newly-employed security measures aimed to detect and prevent bank drops. Otherwise known as fraudulent bank accounts created using stolen credentials, bank drops have long played a role in supporting “cash-outs” and other fraud schemes. They are also relatively common, which is likely why new security measures targeting bank drops were quickly noted and addressed among members of Alphabay.

Indeed, one user posted to AlphaBay’s general forum requesting help from fellow members after recognizing that a bank had been closing his bank drops shortly after he had created them. He explained that while financial institutions rarely detect bank drops created using a “clean” RDP [Remote Desktop Protocol]” that are linked to individuals with good credit profiles, this instance was unusual.

Shortly thereafter, various other members of AlphaBay replied to the thread and discussed ways in which financial institutions detect this type of fraud, whether there were other methods by which the actor could keep his accounts viable for longer, and if it was possible to reactivate the accounts that had already been flagged.

Another user on the forum provided particularly useful insights and advice regarding indicators allegedly used by some financial institutions to detect fraudulent accounts, including:

• Banks often flag accounts that do not request a debit card and/or a PIN

•Many banks consider verbal verification via telephone to be a reliable measure for restoring bank accounts that had been flagged or closed previously

•As such, phone calls to reactivate bank drops may be the best way for cybercriminals to restore their accounts

Indeed, the original poster responded to the thread by stating his intention to continue using bank drops with “super clean everything, high credit level fullz [full packages of personally identifiable information], and request debit card to a drop.” He then stated his plans to reactivate the account verbally by telephone in the event that the bank flagged it.

Assessment

These actors’ discussions on AlphaBay reinforce a notion that many cybercriminals have long recognized: that collaboration and information-sharing can make their illicit schemes more effective. And especially when security measures threaten to compromise integral components of these schemes, other cybercriminals will always be willing to help.

As financial institutions and other organizations continue to implement and adjust security measures as a means of preventing bank drops and other fraudulent schemes, cybercriminals will not only be aware, they will be actively working with one another to determine how to bypass and undermine these security measures. It is also crucial to recognize that some cybercriminals’ efforts to gain an advantage may be helped by former bank employees or current insiders with direct knowledge of institutional fraud prevention techniques and procedures. Indeed, one of the actors we examined in this blog indicated that his knowledge of fraud detection came from “someone who worked at a bank once.”

Flashpoint assesses with high confidence that bank drops will remain both a popular method for supporting cash-out schemes and an area of active interest in the Deep & Dark Web. It is also likely that AlphaBay will continue to serve as a large cybercrime nexus in which actors share anecdotes and tactics, techniques, and procedures (TTPs) in order to advance their overall capabilities. After all, the advice offered by actors such as these is of immense value to other cybercriminals – both novice and experienced – who are seeking to enhance their operational tradecraft and circumvent the latest security measures.