‘To The Point’ Bonus Episode: Insights into the Criminal Fraud Ecosystem

Criminal Fraud Ecosystem

In this bonus episode recorded at the Point Predictive 2023 Auto Lending Fraud Roundtable, Dr. David Maimon, professor at Georgia State University, examines the intricate supply chain of producers, distributors, and diverse customers engaging in various fraudulent activities.

Dr. Maimon advocates for incorporating these insights into the criminal ecosystem in order to develop effective prevention strategies.

Click below to listen to the full episode or read the full transcript.

This is To the Point a podcast from Point Predictive.

Bill Hall:
I do want to bring up, Dr. David Maimon, to talk about identity theft and the underground fraud ecosystem, David?

Dr. David Maimon:
Good morning, everyone. Hopefully everybody’s doing okay. thank you so much for the opportunity to be here and talk about the work we do. Let me just, start by saying that, that, I’ll be talking about, the identity theft, ecosystem, the online fraud ecosystem. And, the first few slides, I’ll talk a little bit about how I know what I know. Because in these kind of conferences and roundtables, you get all kind of people, saying that they’re experts in all kinds of things. And as an academic, to me, it’s very suspicious. So I like to set the ground, just telling you how I know what I know, and then I’ll show you some really cool stuff, that we collect with my groups, both in, Georgia State University and GeoComply from the ecosystem, try to understand, the identity, theft supply chain that, we have out there.

So, as an academic, and a scholar, what I’m trying to do, my main goal in life is really to understand what work and what doesn’t in the context of crime, prevention, online crime prevention. We do a lot of work in the context of cybersecurity, but even more work in the context of online fraud. the gist of it is really try to understand how many of the products, how many of the policies that we are all use in the context of our organization really work and achieve their goals. We like to test the effectiveness of those policies and tools in the field, with the actual actors who make this online fraud, ecosystem.

So, four major actors, offenders, guardians, CISOs, and all those companies who, are responsible for helping us protect our organization from fraud or cybersecurity, incidents, targets, and victims, of course. And then enablers, enablers are those individuals who support the fraudsters, support the offenders in their operations. The enablers are folks who, at the end of the day, write the malicious software, put together the platform which allow the offenders to, post, whatever kind of commodity they would like to sell or purchase, promote, the offender’s operation. These are the enablers. And so the groups I direct, are heavily embedded in the field, both in the darknet and the clear net, collecting information in a systematic manner on a daily basis, and simply try to answer, this question I presented in, the previous slide.

There’s a lot going on on the junctions you’re seeing right now on the slides, in terms of projects, but I think the most relevant junction for our conversation today is the top junction. that is, the junction that, the offenders and enablers form, on online environments. the junctions in which folks are offering for sale all kind of illegal commodities, and offer it to different types of actors in the ecosystem.

So we spent a lot of time in this junction in the past. it was the Darknet nowadays is more on encrypted communication platforms and you can think of us as folks who simply collect all the information, sort it and analyze it in a systematic manner. We do that with the hope to really understand what works and what doesn’t, as well as ways we could potentially disrupt the ecosystem. I just showed you because there’s a lot of fraud in our society and ah, we want to make sure that we at least mitigate or prevent some of it. So in the past we spent a lot of time on the Darknet. we still have a fairly large operation there as well. The darknet, for those who are not familiar with, is essentially similar internet to the one we’re familiar with. All you need to have in order to access the Darknet is a different browser, Tor browser. Once you download it to your computers freely, and you have the correct URLs, which look different than the URLs that you’re familiar with, you can go and browse any type of website, on the clearnet.

Many of the websites that are hosted on the Darknet are very similar to Amazon, and Ebay, with the only difference that they sell elicited commodities, they support the sales and purchases of elicited commodities. This is one example of one of the markets we used to monitor in the past, empire Market. As you guys can see from the layout, very similar to any online retailer that you’re familiar with. the guy in the vendor in this market offer for sale, stolen credit card, CVVs. you see the price there and then you see a slew of reviews, which at the end of the day, tell the customers, and tell potential customer of the vendor how the vendor essentially did how the product was, how fast was the delivery. Some really important information that will guide consumers decision making with respect to whether they want to place a purchase with this vendor or not.

So what we are doing, and we were doing more intensively in the past, we’ve been doing this for the last five years or so, is downloading this information, downloading the ads, downloading the reviews, and simply try running analysis that will tell us something about the ecosystem. With the Darknet information we collected, there was the limit to what we could have done. So this is just one slide, describing the number of driver licenses and Social Security numbers we’re able to find on the ads that I just showed you in a short period of time. as you guys can see, there’s some fluctuation, but there was really a limit to what you can do with respect to data that you can fetch from those specific markets. as I mentioned, we’ve been doing this for five years and we grow with the criminal, so to speak, in.

And so three years ago or so, we realized, that folks are leaving the darknet, still have operation there, but they are more heavily focused nowadays in text message applications. they like to use those text message applications to sort of open shops and sell their commodities there. When we talk about text message applications, we talk about applications such as WhatsApp, signal, Jabar ICQ. ICQ is fairly old but it’s still very popular among criminals. And so when you think about those text message apps, they look like this. This is the layout of Telegram with the interface where you can interact with clients, you can interact with, anyone you would like to interact with, and a list of groups, ah, on your left, this is the screenshot of a legitimate conversation. Folks who are legitimate, not criminals. But when you think about the criminal markets, you can think about a slew of criminal groups on the left with a lot of really cool information that I will talk a little bit about in just a second that we are seeing on a daily basis. So what I do with my groups is essentially spend a lot of time on thousands of those shops, as I just showed you. those shops include counterfeit products. If someone is on the market for a Fendi bag, I mean, I’m more than happy to sort of facilitate an introduction.

There several really cool vendors out there. Guns, a lot of guns. All sizes from all over the place. Different prices. Many, many guns that we see out there being shipped, being sold, being purchased. a lot of drugs sky’s the limit with respect to the type of drugs you can get nowadays illegally. I’m m not even talking right about the traditional marijuana and crack and cocaine. And we’re talking about hardcore medication like testosterone and abortion pills and so on, that you can simply purchase on those markets, with no issue at all.

And of course markets which support the sales of fraudulent of frauduleated data in that sense, there are different types of information that we find on those markets. Compromised bank accounts, stolen, checks, fake driver licenses, stolen driver licenses, identities, information from scheming devices. All is available out for ah, sale over there. And what we do in a systematic manner, IDs man, is download the information from these channels, from those thousands of channels to our servers in order to really try and make sense out of this. So this is at the end of me setting the ground with respect to how I know what I know. Okay? So now hopefully you believe that I’m legit in this business, right? And that I’m not just talking out of books. Now, based on everything that I just showed you, and the three years of research that we’ve been conducting during, on the platforms, both the darknet as well as our encrypted communication, there’s one important conclusion that, we can come up with. And that is that at the moment and during the last five years or so, a very sophisticated and elaborated supply chain of stone identities have been developed. this is something that we are able to surmise from the list of data and the list of channels that, we collect. and what I would like to do today is essentially walk you through the evidence we have which pinpoint to the evidence of this supply chain, right? So the supply chain, I assume that everybody sitting in this room know what it is. you can think about it in the context of, the car industry, where a car start and the process it needs to go through till it gets to the customer. In a very similar manner, criminal, operations, criminal organizations have supply chain which allows them to sell all kind of illegal commodities. There are different types of illicit supply chain. I’m not going to get into the interesting differences between illicit and legal supply chain. But one important thing to understand is that the major difference is that illegal supply chain are way more resilient to changes, and adopt quickly to changes than legal supply chains.

So in the context of our discussion today, let me walk you through the evidence we have which pinpoint to the existence of a very sophisticated supply chain of stolen identity, on those markets I just told you about. So let’s start with suppliers. suppliers for those identities come from different sources, different places. the first is theft and burglaries. I don’t know how many of you watch, you better call Soul. But the last, season, I’m not going to ruin it to everyone, but there’s a scene where folks are actually infiltrating to someone’s, house in order to steal their identities and they simply take pictures. Once they find the driver’s licenses and other important information, they take images of the identities in order to start using the identities to open credit lines and open bank accounts and so on and so forth.

So in a similar manner, we see many criminals, engaged in theft, pickpocketing and burglaries, getting this information and simply uploading the information, as you guys can see on the screen, up for sale on the platforms we oversee. the information includes Social Security cards, driver licenses, health insurances, everything you need in order to start using the identity and apply, for a new credit line, so that’s one source, another source, where the identities are coming from, are data leaks.

We all are familiar with target breaches and other breaches. the breaches, unfortunately, data breaches in our society, still takes place. the example you’re seeing here on the screen is from a data breach which occurred in, Florida a couple of months ago. this is part of a ransomware attack that the medical center in Florida experienced. What the criminal did was, they, encrypted all the information from the hospital, and then once the ransom was not paid, they simply leaked all the information on the platforms we oversee. Okay, so this is just an example, for the data we get.

There you see the image of the individual, you see the date of birth, the name, Social Security number, everything you need in order to start working with, the identity checks. stolen checks are another very important source for identities. We’re experiencing a pandemic right now in our society where USPS simply cannot protect our mail. So, we see a lot of, individual checks, business checks, ah, being uploaded for sale on those platforms. The identities from those checks are being used to, engage in all kind of frauds. Right? We’re seeing that, and we’ll talk about that in just a second. And the last source, are schemers ATM skimmers. Folks, simply use them in order to fetch information about the credit cards, stolen credit cards, but also about individuals, as you guys can see in the screen here, taken directly from a skimmer software. The identities are there, so, the criminals can start using them, to engage in all kind of fraud.

Now, one important thing to understand is that in some cases, like in the cases of checks, like in the cases of skimmers, you don’t have the complete image, of the identity you’re trying to work with. Fear not, because these guys offer for sale services that will allow you to complete the picture. Right? This, information usually comes from insiders. what you’re seeing on the screen right now is a, ah, screenshot taken by an insider in one of the financial institutions we work with. The insider fetch the information, and the insider also offer, a lookup service, for anyone interested on the platform. Right? So, $100, you can get all the information you need on a potential victim. Right? what’s interesting is that on the platforms, there’s actually a menu with respect to what you’re going to get for different types of searches, right? So you can get someone driver, license information for $30. You can get someone full credit report. I don’t know if I have it here. For $80 you get background check, Social Security number and date of birth for $35.

And these guys deliver unfortunately all this information is available. Folks will be able to fetch the information for you and send it to you, simply because they have access to all the tools you guys are using when you’re trying to validate someone information. and they brag about this, right?

 So what you guys are seeing on the video right now is a criminal bragging about their access to the TLO tool. you will see that after the guy typed in the password and username his in and he can fetch all the information you need on a specific identity you would like to work with. One important thing that is very relevant to your operation. We find a lot of insiders working in dealership and car shops.

Unfortunately I can’t show that evidence, but we are seeing a lot of checks being sent to specific agencies and insiders on those agencies taking images and uploading those on the markets as well. So imagine how much information they can share in addition to the check, with respect to identities, if they have access to this tool. so we talked about supplier that is the first important actor in the supply chain.

Let’s move on to talk about producers in terms of production, the criminals are very sophisticated nowadays. so they have access to software and hardware that allows them to work with the identities they have. First of all, databases. They need to be able to maintain databases because they have access to large number of identities. so of course they have the relevant software actually brag about those software and their access to the software in the markets we oversee as well of course to manufacture some of the fake driver licenses. they also work with different type of software like Photoshop that allows them to doctrine the documents. So as you guys can see an example here for ah, criminal using Photoshop to manufacture a Georgia driver license and Social Security card. And ah, of course those software allows them to manufacture all those documents that we need in order to establish identities like utility bills and bank account statements and all those important documents that allows you to then go to the DMV office and establish a new driver license.

Using fictitious and fraudulent document hardware is also very important in this sense. We showed you the software, there’s a lot of really cool technology folks are using nowadays. This is just three examples of three types of printers they’re using to manufacture the fake driver licenses. those printers could be purchased in AliExpress, Amazon, all over the place. So the printers are available also ah, the papers, the cards on which the criminals are printing the important information. We see birth certificates, utility bills or security cards and of course a lot of vehicle titles as well. We have folks manufacturing vehicle titles. The examples you see here are from New York, Alabama and Louisiana. But we see the titles being manufactured for all states in very, very high quality, ah, as I’ll show in just a second.

So I assume we all remember those times where we needed a fake driver license to get into a bar, right and get some drinks with our friends. And we remember the quality of those driver licenses. I wanted to forget about those driver licenses, because the driver licenses folks are manufacturing now are very high. as you guys can see, the driver licenses could pass UV rays, check out the stack of driver licenses the guy is able to manufacture. those driver licenses could be scanned and fetch all the information they need to present to a police officer or whoever is taking your driver license. So, very high quality documents which could definitely bypass a lot of the security controls that we have which at the end of the day, we want to think will allow us to detect fraud.

So we talked about suppliers, producers. Let’s move on to talk about distributors. This is how things look like on the markets we oversee. So you see, information is being offered for sale, on individual, along with their images, with their driver licenses, Social Security numbers, everything you need. I had to redact some of the information. in some cases, we can also see routing and bank account number. This information come from checks. we got lucky. And this person lives in Texas. So you see that it’s relevant to where we at right now as well. the distributors are there they post the ads and we see many customers reaching out to them in order to purchase this information.

One important aspect that I would like to sort of emphasize, we’re not going to sort of talk a whole lot about are the credit privacy numbers folks are using in order to fix their bad credit scores. Those are essentially stolen Social Security numbers that you have the distributors selling out there to potential customers. We see a lot of those being offered by the distributors as well with very good credit scores. some of the scores are aged. Meaning the criminals opened the CPN five, years ago. So very very complicated and difficult to detect this kind of fraud in terms of customers. The last actor in this long supply chain chain.

We see people coming from all aspects of life. We see male, we see female. So people actually sending their images on the platforms we oversee in order to ask the vendors to print the, fake driver licenses for them. We see young, folks and I’m not going to play this video, maybe God pulls a card drop. The young boy here is essentially looking for someone to loop him in the fraud world. He wants to do fraud. We see a lot of people like that, right? I mean, a lot of young kids, 13 to 18 years old, simply want in. It’s easy money, and it’s very difficult to prevent this, right? and folks are essentially very proud, of what they do. I don’t have, too much time, so I’m not going to play the video on the top. But the guy is essentially rapping about how good it is to be a scammer and how proud he is about being a scammer. So folks come from all aspects of life.

So, the one important point, I would like for you guys to take from this talk is that we are definitely talking about a very sophisticated supply chain with different actors across different junctions, helping facilitate identity m theft. In our society, at this point, we have the suppliers, we have the producers, we have the distributors, we have the customers, all working together in order to push fraud, in our society. And we know that, they’re very successful. We see them brag, we see them being very successful, accomplishing all kind of fraud.

Let me just mention few that we see. as I mentioned earlier, check theft is huge in our society right now. So we see many of those criminals manufacturing the fake driver licenses with the identities to simply cash the checks. as you guys can see in the picture, the name on the driver license matches, the name, on the check. This is a criminal, right? trying to cash the check. we see them use the identity to connect phone line. so this is a video of a criminal getting into TNT, T Mobile, I’m sorry and purchasing, three SIM cards under his identity. We see them take the information I just showed you, go to the local DMV office, and simply create a real driver license, which will definitely bypass any type of security control that you can imagine. this guy is bragging about this, in Chicago, Illinois. we see them, of course, opening credit lines. and as you guys can see here, you see a good credit score. You see how old the credit score is, and you see, the criminal providing, the actual screenshot from the credit card statement, on your left we see them using those identities to lease apartments, this is an apartment which was leased here in Dallas, Texas a couple of months ago using fictitious identity, using those CPN, those CPN numbers I talked about.

We see them, of course, using those identities to finance new cars. This is again legit information of a real person financing or submitting an application to finance a car with Chevrolet, I think it was Chevrolet. it’s up there for us to grab and sort of work with. The identity is there. the application number is there. So that’s part of the things they’re doing, of course, targeting the government. They submit unemployment benefits, requests. This was an unemployment benefit request, which was submitted in Utah. starting 2020, we see a huge increase in the volume of fraudulent unemployment benefits request. There’s a drop in those.

But we are seeing still folks using those identities to submit those requests. Folks are using those identities to submit SBA loans requests. So we see those as well. and open, drop bank accounts, mule accounts. So we see a lot of those accounts, being open on a daily basis. In fact, we track several vendors and the volume of accounts they’re able to open on a monthly basis. And we’re talking about hundreds of accounts every month. They’re showing here in this image, a screenshot of the account they were able to open with one of the brands, as well as the plastic card they were able to get, eleven days after they opened the bank account. So a lot of that this is again another example of a fraudster bragging about the fact that they were able to use one image with two different identities to open several bank accounts with the same brand. Which is really interesting and really cool. they create businesses. And that is to me, one of the most important thing that we need to understand. They create fictitious businesses. They open bank accounts for those businesses. And once they open those bank accounts to those businesses, they start laundering money. this is a screenshot that one of the criminals we monitor, ah, uploaded. You see prospect, life, science inc. It doesn’t exist. You see the zero balance. That’s an indication that we’re talking about a mule account. Think about how much money and what the criminal can do with this type of money with this type of account.

One of the things we’re seeing them doing with these type of accounts is essentially registrating them with all kind of money transactions services like square up. So what you’re seeing on the screen right now are the names of fictitious companies which are signed up with Square, Ups. And what we are seeing the criminals do is essentially using the individual accounts to transfer money to the business account in order to make sure that the banks does not flag those accounts and believe that those accounts are legit. as you guys can see, the receipts, the, payment receipts in this, image, in these two images, two fictitious, identities sent money to these, two entities which really do not exist. the last point I want you guys to take from my talk is that those online fraud market I just discussed are way more active than the drug markets, the guns markets that I just showed you, right?

As I mentioned earlier, we monitor those markets on a systematic manner, on a weekly basis, we download information. And, so what you’re seeing here is essentially a diagram describing, the number of messages on 100 m, fraud markets we monitored over a period of, six weeks. Okay? So we see some fluctuations, but we see that the, number of messages could reach into, way over 10,000 messages a month.

Check out the comparison with respect to the level of activity, number of messages we, observe on drugs markets and weapons markets. It’s just mind boggling to me how active those markets are in comparison to other markets. this last, slide talks about or shows the number of images that the criminals feel comfortable to disclose with identities and with other type of commodities they offer to sale on the financial markets, the fraud markets, in comparison to the drugs and the weapons markets. So, to conclude, and hopefully I’m doing good on time, right?

Identity theft, has become another line of production from crime, ah, syndicates in our society. At this point, we’re not talking about lone actors. We’re talking about very sophisticated, very organized, crime groups. they know exactly what they’re doing. They are embedded heavily, in the ecosystem. We’re not talking about the Russian and the Chinese and North Korean, right? I mean, those are still active, but there’s a very active local domestic, groups, who are doing a lot of damage, able to, establish many identities, synthetic identities, stolen identities, and steal a lot of money. And so, I believe that in order to prevent and mitigate, effectively, solution any kind of solution, should incorporate information that comes directly from the ecosystem. Because everything I showed you come from the ecosystem. It’s all legit, it’s all real. and so this information should be used for prevention purposes. And with that in mind, hopefully, I’m, doing well on time, right? Yeah.

Bill Hall
Thank you, Dr. Maimon. Thank you.

Visit pointpredictive.com for the latest insights on lending fraud and much more from Point Predictive.