One of the more popular and profitable crimes involved one of Silicon Valley’s darlings, Stripe.com. Scores
of cyber crooks were relentlessly robbing Stripe of thousands of dollars per week. Stripe’s vulnerability was
so popular that a cottage industry had sprung up around supplying criminals with the means to maximize
profits when targeting the company. Sellers provided tutorials in both live and written formats. They provided
bank accounts and prepaid debit cards to use with Stripe, ready-to-operate websites, initial funding
services, no-IP panels so the location of charges couldn’t be determined, specific credit card BINs that
worked well with the payment processor, cash-out services, and whatever else a burgeoning criminal might
need in order to bring home close to $20k per week in stolen funds.

Payment processor fraud was popular up until the day the Feds closed AlphaBay down, July 5th, 2017. No
payment processor was more popular among cybercriminals than Stripe. Stripe was the easiest to set up,
the easiest to rip off, and it provided the most profit. Though AlphaBay may be gone and its owner dead, a
victim of suicide in a Thailand jail, Stripe processor fraud is still alive and well. Speaking to a few of the
popular stolen credit card information sellers previously vending on AlphaBay (GGMcCloud1,
CashoutMoney, Gaia88, and Ston3d), they all confirmed that Stripe fraud is alive and well
and reported continuing strong sales of “Stripe Friendly BINs”.

I’ve been asked by a couple of firms to send details on how criminals were ripping off Stripe. What follows
is the meat of that report along with suggestions on how to curtail the fraud.

THE WALKTHROUGH: First, the thief must acquire an identity. The identity should be of a living person
with a high credit score, but not someone who employs credit monitoring services. The identity will be used
to set up a fraudulent bank account and also a Stripe Account. For Stripe to work properly it is important
that the bank account details match the Stripe details across the board. The criminal will need a complete
“Fullz”: Name, Address, SSN, DOB, DL#, Credit Report, and Background Check. On various Dark Markets,
“Fullz” sell for $30-$100 and allow for the buyer to request gender, age, credit score range, and location.

At the time of AlphaBay’s closure, the banks where a criminal could most easily open an account included Suntrust,
B of A, Regions, and Capital One. Typically, the thief would apply for an account online, using all of the
victim’s real information, including the address. The thief would choose paperless billing and usually not
request a debit card. Accounts such as these are used as a dump. Stripe sends the stolen funds to this
account and then the thief transfers the funds elsewhere to cash out. If the crook does intend to use this
bank account to cash out as well, then it works a bit differently. The “Fullz” the thief uses should be local to
the criminal. The criminal WILL order a debit card and will either steal it directly from the victim’s mailbox,
will have the mail redirected, or will add a “Drop” address to the victim’s credit report and set the bank
account up using the Drop Address once it is reflected on the credit report.

The next step in this fraud involves setting up an ecommerce store selling a low-risk item. A paid domain is
a necessity, and it is better if it has some age to it. The crook will buy the domain under the victim’s name,
using a prepaid debit card. He will also buy the most expensive WordPress package, and any additional
bells and whistles. Setting up a webstore is an important part of this crime. If the fraudster isn’t comfortable
building his own webstore, there are a variety of vendors on Dark Markets offering such services. Prices
range from a couple of hundred dollars to well over $1000 if the buyer needs to have his Stripe account
“Charged”.

The crook likes to set up Stripe using third-party systems, such as Shopify. Or they spoof the victim’s phone
number and call in to register. Why? Going this route defeats any security measure Stripe has in place
when registering directly.

Which brings us to the next step in defrauding Stripe, “Charging”. When someone opens a Stripe account,
Stripe pays out all credit card charges to the account owner in 7 days. Once the account has a legitimate
charge run through it, Stripe pays out in 2 business days. “Charging” is the criminal running one or more
legitimate charges through Stripe in order to get the payout down to two business days. At one point, this
was possible using prepaid debit cards. It still is to some extent, but is hit and miss. So the fraudster needs
a way to run a charge through that won’t result in a chargeback. That can be difficult. After all, the fraudster
doesn’t want to use his own credit card or that of his friends to charge the account. That story only ends
with cuffs and jailtime. Our fraudster may try to run through stolen credit card information and hope that a
chargeback is delayed long enough for him to start running through dozens of stolen cards. That is the
whole basis of “Stripe Friendly BINs”, BINs which typically take a long time to initiate chargebacks. The
fraudster might actually sell some items to collect legit payments. Or he might be too scared that such an
action might later be linked to him. To address the problem of “Charging”, several Dark Market vendors
offer “Charging” Services. At a cost of $500, a vendor named “Vusion” will fund your Stripe account with
$300 in chargeback free funds.

Once the account is charged and aged a bit, usually a bit more than 30 days, then the crook can start
running stolen credit card data through. How long the fraudster can run stolen cards through the account
depends on the age of the Stripe account and how much legitimate-looking traffic has gone through it.
A newly opened account will only support two fraud tickets before it is closed. An older
account with more traffic will support more tickets and live longer. Amounts run through the Stripe system
don’t really matter. To Stripe, $50 or $500 are treated exactly the same. As such, criminals try to run each
stolen card for as much as possible.

The fraudster runs the cards through. The funds are deposited to the bank account set up earlier.
Depending on how the bank account was set up, the fraudster may then cash out through that account,
send funds to another account, or use a variety of other methods to obtain the cash Stripe sent out.

There are a variety of tools available which might aid in defrauding Stripe:

No IP Panel. The ability to run credit card data through the Stripe system without associated IP addresses.
This is accomplished either by using a third-party payment app in conjunction with Stripe or by purchasing
such a panel developed by hackers specifically for that purpose. Price to purchase? $1200

Antidetect 7.1 or similar. A software tool which prevents device fingerprinting. Prices vary.

Socks5 Proxy. Provides a clean residential IP within 25 miles of the actual account holder. Price $.30

RDP. Remote Desktop. Provides a clean residential computer and IP address within 25 miles of the actual
account holder. Remote controlled by the criminal. Price: $5-$30

Phone Spoofing. The ability to mimic the actual account owner’s phone number when phoning in to banks,
Stripe, etc. Price: Roughly $.15 per minute

Using the above process, countless members such as lewisdool, JohnDoett, CashoutMoney, m0zz,
FraudGod, SxurceForge, and others were and are continuing to defraud Stripe for more than $20,000 USD
per week.
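
The warning signs this walkthrough describes (third-party onboarding, a quiet aging period followed by a burst, charges with no IP, volume concentrated in a few BINs, maxed-out ticket sizes) can be screened for on the processor side. The following is an added example, not part of the original report and not Stripe's actual controls; the field names, thresholds, and sample data are all constructed assumptions.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

@dataclass
class Charge:
    day: date
    amount: float              # USD
    bin6: str                  # first six digits of the card number
    client_ip: Optional[str]   # None when no IP accompanied the charge

@dataclass
class Merchant:
    opened: date
    via_third_party: bool      # onboarded through a platform, not directly
    charges: List[Charge]

def risk_flags(m: Merchant, today: date, window: int = 7) -> List[str]:
    """Return which of the walkthrough's warning signs the account shows."""
    recent = [c for c in m.charges if (today - c.day).days < window]
    older = [c for c in m.charges if (today - c.day).days >= window]
    flags = ["third_party_onboarding"] if m.via_third_party else []
    # "Charging" then aging: a few early charges, then a sudden burst.
    if len(older) <= 3 and len(recent) >= 10:
        flags.append("burst_after_quiet_aging")
    # "No IP panel": most recent charges arrive without a client IP.
    if recent and sum(c.client_ip is None for c in recent) > len(recent) / 2:
        flags.append("missing_client_ip")
    # "Friendly BINs": recent volume concentrated in one BIN.
    if len(recent) >= 10:
        top = Counter(c.bin6 for c in recent).most_common(1)[0][1]
        if top >= 0.6 * len(recent):
            flags.append("bin_concentration")
    # Cards run for as much as possible: ticket size jumps versus history.
    if older and recent:
        avg = lambda cs: sum(c.amount for c in cs) / len(cs)
        if avg(recent) >= 3 * avg(older):
            flags.append("ticket_size_jump")
    return flags

# Constructed sample data: placeholder BINs, documentation-range IPs.
TODAY = date(2017, 7, 1)
def d(n): return TODAY - timedelta(days=n)
SUSPECT = Merchant(d(40), True, [Charge(d(38), 300.0, "000000", "192.0.2.10")]
    + [Charge(d(i % 3), 950.0, "111111" if i < 9 else "222222", None) for i in range(12)])
STEADY = Merchant(d(400), False,
    [Charge(d(i), 40.0 + i % 5, f"{i % 7:06d}", "198.51.100.7") for i in range(60)])
print(risk_flags(SUSPECT, TODAY), risk_flags(STEADY, TODAY))
```

Unlike the behaviour the report attributes to Stripe, this check treats charge amount as a signal; no single flag is conclusive, so the list is meant to feed a manual review or payout hold.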
