Scammers are using human farms to steal money online
Scamming humans take over for scam robots who took over for scamming humans.
Lisa Baergen really wants to catch the guy who stole thousands of dollars-worth of stuff the day after Christmas—and used her money to pay for it.
It was “Boxing Day” in Canada, a big shopping day with a reputation for big bargains, like Black Friday in the U.S.
She checked her bank account, and saw someone had used her card to buy expensive laptops, pay for online advertising, and more.
“I couldn’t shop because they maxed my credit. There’s great deals on Boxing Day. Somebody owes me big time,” Baergen told Archer News. “Every part of me wanted to catch the person that did this to me.”
Was it a person, or a computer program?
Cyber criminals have used bots and malware for years. They earned early on that using such tools can do far more damage and rake in far more money than one human at a keyboard.
But Baergen and her colleagues at cybersecurity company NuData say there is a new trend in the works—human farms working on a massive campaign to make fake accounts and steal money from banks and stores.
In other words, scamming humans are taking over for scamming bots that once took over for scamming humans.
“What’s old is new again,” said Robert Capps, vice president of business development at NuData, in an interview at RSA 2017 in San Francisco.
It’s like a call center, with dozens of workers positioned at computer screens.
But instead of taking your calls about customer service, these humans are busy opening fake accounts online.
It could be Target, The Gap, any retail store, or your favorite bank.
“They’re taking some stolen consumer data—might be your name, your e-mail address, your address, your phone number. They’re entering that into a registration page,” Capps said.
They will play with that account and others they’ve created.
“They’re going to come back to it and interact with it occasionally, just to show there’s some activity,” Capps explained. “Do some comparison shopping, throw something into your cart.”
Example of retail account page. Human farm workers create fake accounts at retail stores & occasionally interact with them to make them seem real.
After a few months, the account is ready for the big attack.
During a heavy shopping period, scammers—human or bot—will swoop in and use the fake accounts to buy up stuff with stolen card numbers.
“Creating accounts, aging them out, then using them en masse during high-volume seasons when the fraud teams don’t have the capability to review everything,” Capps said.
Why humans, why now?
Why are online crooks using humans when bots can do the same job? After all, malware and automation don’t need lunch breaks or days off to take care of sick kids.
The answer—cybersecurity companies are getting better at telling the difference between a human signing up for an account, and a bot that’s signing up automatically, Capps said.
“There are telltale signs if you know what to look for,” he said.
For example, if the transaction goes very quickly, faster than a human can type, it’s probably not human.
Example of a retail account page. Bots or computer programs may enter information into an account signup page much more quickly than humans, giving them away.
“We can actually observe when somebody’s actually at a keyboard typing in versus data just being pasted into a form through some sort of automation or manipulation of an end user device,” Capps said.
So, crooks then wrote programs to click through slowly, in the same way a human would.
“We caught onto it because it was still a repeatable pattern,” Capps said. “There’s a subtle difference in the way they do it.”
That’s where the human farms come in. The bad guys are hiring real people to act like real people at the keyboard.
“It’s a really good way to mimic a human because it is a human,” Baergen said.
Humans for hire
Crooks found plenty of willing workers, ready to click for money.
“They figured out they could basically hire these call centers in emerging economies around the world who have Internet access,” Capps said. “They speak English, they read English, they interact just fine. They’ll follow directions and you pay them a wage and they’re happy to do whatever you ask them to do.”
Human farms have been pressed into shady cyber services before.
In 2009, a website called Blackhat SEO described how you can run your own farm to defeat “captchas,” the code at the bottom of some web pages designed to ferret out humans from fakes.
“Finding workers to solve captchas should be fairly easy,” the site said. “There is a more than adequate supply of people that will solve captchas for $0.001 each.”
“You should assign your workers shifts that cover the whole 24 hours, that way you can spread your captcha fetching throughout the day,” the site added. “I think workers would be more comfortable and efficient with two or four-hour shifts.”
Commenters asked for work on the post describing how to set up and/or use captcha evasion teams.
Dozens of people commented on the post asking to do the captcha farming job or to find customers for their own captcha farming teams.
“Hi, there,” one comment reads. ”i would be really grateful to you if u can suggest me some good captcha server where i can work and earn good income.”
Fake ad viewers
Human workers are also earning money by interacting with ads, The Wall Street Journal reported in 2014.
The farms pay people to spend the day watching video ads or clicking, the WSJ said.
Buyers will pay a lot more money if they think real people are viewing the ads, according to the WSJ, and the scheme can be hard to detect.
The fake account farming activity has intensified in the last half of 2016, Capps said.
But the farmers leave a trail that can be detected.
“For us, it’s understanding that same user, that same device, that same IP, that same access pattern across multiple accounts,” Capps said.
“If we had a bank that was having human farm activity, we would see that there’s a bunch of humans that are accessing this page, but the way they’re accessing is very formulaic,” he added. “And so that’s how we’re able to detect those sorts of things.”
Some stores and banks may need to change their approach to ward off the farm attacks. And some are.
But what about customers?
“As a consumer, you may never know that your identity has been used in all or in part at a retail site to create an account,” Capps said.
What can you do?
Protect yourself by keeping an eye on your bank account and your credit report, Capps and Baergen recommended.
Baergen did not have to pay the thief’s charges on Boxing Day. But she believes the crook maxing out her card impacted her credit.
“Get your credit account frozen if you can,” Capps suggested. “Getting your account frozen is actually different that putting a fraud flag on it. I actually had to do this last year. Someone tried to open a visa account in my name.”
“In the U.S., you have the right to freeze your credit if you’re the victim of identity theft—for free,” he added.
Change your passwords so that you have a different password at each website, Baergen advised.
“I had the same password across all my sites. I never checked them. Now I check all my accounts all the time,” she said. “I feel way better.”