Fraud-as-a-Service (FaaS) is rapidly transforming the landscape of cybercrime, offering tools and services that make fraudulent online activities easier for criminals. In a blogpost, Thomas Wilson, a research analyst at Juniper Research, “FaaS schemes are almost indistinguishable from legitimate businesses, constantly optimising their return on investment through scalable tactics.”
Key elements of FaaS include:
- Commodification of Cybercrime: FaaS turns traditional hacking methods into purchasable services, akin to legitimate Software-as-a-Service (SaaS) offerings. This model provides cybercriminals with an array of tactics and personal information necessary for committing fraud.
- Accessibility: By offering user-friendly interfaces and support, FaaS lowers the entry barriers for cybercrime, enabling individuals with minimal skills to engage in fraudulent activities through prepackaged scams.
- Diversity of Services: FaaS facilitates various types of fraudulent attacks, including credit card fraud, identity theft, and DDoS (Distributed Denial of Service) attacks. High-end FaaS providers often offer custom tools tailored to specific criminal needs, focusing on high-value targets.
While executing a single act of eCommerce fraud may be relatively straightforward, establishing a large-scale operation requires significant resources and expertise. FaaS providers typically operate in the dark web, where they can use illicit forums to advertise their services. “These schemes function much like legitimate businesses, complete with customer support and user reviews,” notes Wilson.
Tools of the FaaS trade
- App Cloners: These allow multiple instances of an app on one device, bypassing security features that detect multiple accounts.
- Image Injection: This technique inserts doctored images to spoof verification processes, aiding in fraudulent transactions.
- Emulators: Used to simulate legitimate device activity, helping fraudsters avoid detection.
- Application Tampering: Techniques that alter collected information, such as location spoofing, to evade services reliant on accurate location data.
- Botnets: Networks of infected computers that can execute DDoS attacks or generate fraudulent ad clicks.
FaaS has made committing fraud more accessible than ever, democratizing online financial crime for individuals lacking technical expertise. The model’s similarity to SaaS means that fraud tools are readily available on the dark web, increasing the risk to businesses.
The financial repercussions of FaaS-supported attacks can be severe, not only causing direct losses but also damaging consumer trust. To combat these threats, businesses must adopt proactive fraud prevention strategies, including velocity checks and geolocation monitoring. “It's imperative that the fraud prevention strategies employed by merchants evolve continually to keep pace with the emerging threats that FaaS enables,” concludes Wilson.