Holiday Season 2022: Attack of the Master Manipulators
A complex, multi-layered fraud attack has been unfolding since mid-September 2022. It started small, attacking one contained cluster of merchants (often in related industries) before moving on to another. As this played out over weeks, two things became clear:
- This is a highly organized fraud ring.
- The small-scale attacks were a trial, to test their methods and retailers’ systems. This group was just getting started.
As the 2022 holiday season kicked into gear, experienced fraud prevention leaders started to realize that they were up against more than they’d expected to face even during the famously challenging holiday period. A group of them reached out to one another and to Karisse Hendrick, who has been facilitating collaborative discussions for expert merchant fraud fighters for years.
This was not a problem best tackled alone. Working together through discussion after discussion, the fraud strike force began piecing the puzzle together to unravel the stages, tactics and context of this methodical, determined and aggressive fraud ring. The picture that emerged was not pretty, even by the standards of online fraud.
This is what they found.
What’s Going On?
A large-scale attack across merchants and industries in the USA, particularly based in triangulation attacks but also using a combination of other techniques including mules, account takeover and address manipulation.
The attackers appear to have a coordinated process with a number of stages. If the first stage of the attack fails, they move on to the next, and so on.
There was an initial phase of the attack:
- Focusing on small groups of merchants in clusters loosely grouped by industry or, possibly, the fraud prevention providers they use.
- This made the fraud ring seem smaller than it was, and concealed the need for collaboration between fraud fighters during the beginning stages.
- This initial phase appears to have been in the nature of a scouting mission, checking out various processes and protections and testing the attackers’ own flow to ensure all was in place for the large attack.
- Merchants and solution providers who took action after the first small wave had a head start on identifying some of the methods used in the attack, such as address manipulation (see below) and sending orders to re-shipping mules, since some of these were already used in the initial phase.
We’ve fallen into the habit of referring to these attacks as the Manipulators, or the Master Manipulators, because they not only play around with data points like address, email and so on as a part of their attacks, but they also manipulate customer service agents into helping them, and adapt their attack to overcome the defenses raised against them. Additionally, if the MSHT (Modern Slavery & Human Trafficking) connections that have appeared can be confirmed, this fraud ring also manipulates people to coerce them to become part of the attack.
Who’s Being Attacked?
So far, physical goods retailers, mostly in the USA. Physical goods retailers based outside the US are affected, but mostly through their US sites. The specific nature of the target is required by the method, which relies on shipping via a carrier and seems to be based on US norms.
After the initial testing phase, the attack seems to have been carried out against well over 60 merchants during the same short period.
What are They Stealing?
The majority of orders, especially those placed since the holiday season kicked off, are popular gifting/wish list items, often name brands. This makes sense given the triangulation context in which this operation is largely occurring.
Typically baskets fall within the $50-$300 sweet spot: valuable, especially at scale (which this is), but not so high in value that extra friction or investigation is likely to be required.
In a few cases, especially for retailers with higher price point items such as high-value electronics and luxury goods, the basket size is larger.
How Does it Work?
The majority of attempts are based in triangulation, and the fraud ring is taking advantage of the self-perpetuating nature of this attack type (see the final bullet point in the list below). The fraud ring is stealing to order:
- The fraudsters take orders from consumers who believe they are making a legitimate purchase of a new product at an exceptionally low price, most often from a third party marketplace seller
- The fraudsters then place the order on a real merchant’s site using Account Takeover and/or using non-stored stolen payment information
- They have the item shipped directly to the consumer
- The consumer, who has received both a great deal (the prices are cheap, since the fraudsters are not paying for anything) and great service (benefiting from the fulfillment capabilities of the merchant), may leave positive feedback for the seller, enhancing their seller reputation
In parallel, packages are also being sent to reshippers associated with Southeast Asia, or to specific addresses, often near such reshippers, which are sometimes connected to small businesses, some of which are of the type frequently associated with MSHT concerns (see the “Who Are the Attackers” section below for the relevance of this point). The use of address manipulation (see below) makes repeated use of these specific addresses much harder to identify automatically.
With that context, here’s how the attack often plays out:
1. Attempt standard guest checkout using stolen details. Try to use address manipulation to confuse systems, often tricking or bypassing link analysis with past fraudulent orders on the address, while looking comprehensible and legitimate to the human eye for delivery purposes, e.g.:
   - Putting the first line of the address in the name field
   - Adding additional letters before or after the street
   - Inserting fictional units
   - Using non-ASCII characters that closely resemble English characters
2. ATO, using exposed credentials and credential stuffing. Will try to change details like address, email and phone number within the account. Will first attempt to use a stored payment method, if there is one.
3. If the address change within the ATO’d account was challenged, call customer service as soon as the order has been placed to request that the package be routed to the customer’s “new address”.
4. If using the payment method stored in the account was prevented by the merchant’s fraud protections, the fraud ring will attempt to add a new stolen payment method to the account.
There are additional stages beyond this, but these vary far more depending on the fraud prevention mechanisms in place. By contrast, the stages listed above are quite consistent.
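As an added illustration (not part of the original article or any vendor’s code) of why the address manipulations listed above defeat naive link analysis, and of one defensive normalisation step that restores the link: the orders, field names and the confusable-letter table are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: A1-A5 are one destination written five ways (the
# manipulations listed above); B1 is a genuinely different address.
ORDERS = [
    {"id": "A1", "name": "Jane Doe",    "addr1": "123 Main St",     "addr2": ""},
    {"id": "A2", "name": "123 Main St", "addr1": "Jane Doe",        "addr2": ""},         # street in name field
    {"id": "A3", "name": "Jane Doe",    "addr1": "xx123 Main Stzz", "addr2": ""},         # padding letters
    {"id": "A4", "name": "Jane Doe",    "addr1": "123 Main St",     "addr2": "Unit 7B"},  # fictional unit
    {"id": "A5", "name": "Jane Doe",    "addr1": "123 M\u0430in St", "addr2": ""},        # Cyrillic 'a'
    {"id": "B1", "name": "John Roe",    "addr1": "456 Oak Ave",     "addr2": ""},
]

# Partial map of Cyrillic letters that look like Latin ones (assumed subset;
# a production system would use the full Unicode confusables data).
CONFUSABLES = str.maketrans({
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0456": "i", "\u0410": "A", "\u0415": "E", "\u041c": "M",
    "\u041e": "O", "\u0420": "P", "\u0421": "C", "\u0422": "T",
})

# House number plus the first word of the street name. Suffixes (St/Ave),
# unit designators and letters glued around the number are deliberately
# left out of the key, so the variants above collapse to one value.
STREET_RE = re.compile(r"(\d{1,6})\s+([A-Za-z]+)")

def fold(text):
    # Replace look-alike letters, then drop punctuation.
    return re.sub(r"[^A-Za-z0-9 ]+", " ", text.translate(CONFUSABLES))

def address_key(order):
    # Canonical "<number> <STREET>"; the name field is checked too,
    # because the street line is sometimes moved there.
    for field in ("addr1", "name"):
        m = STREET_RE.search(fold(order[field]))
        if m:
            return f"{m.group(1)} {m.group(2).upper()}"
    return None

def signals(order):
    # Per-order indicators worth surfacing to a human reviewer.
    found = []
    if STREET_RE.search(fold(order["name"])):
        found.append("street_in_name_field")
    raw = order["name"] + order["addr1"] + order["addr2"]
    if raw.translate(CONFUSABLES) != raw:
        found.append("non_ascii_lookalike")
    return found

def link_by_address(orders):
    # Group order ids by canonical key: the link-analysis step the manipulations aim to defeat.
    clusters = defaultdict(list)
    for o in orders:
        key = address_key(o)
        if key:
            clusters[key].append(o["id"])
    return dict(clusters)
```

Letters inserted inside the street name itself (rather than around the number or after the suffix) are not collapsed by this key and would need fuzzy matching on top.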
Adaptive Flow - on the Fraud Side
This is not an appropriate forum to share details about device intelligence, behavioral analytics, IP addresses, and so forth. It is worth noting, however, that the attackers were learning as they went along. Their actions were textbook minimalist, based on their observations and tests; they would aim to use only as much effort and complexity as was necessary in each case.
Retailers with less robust protections in place saw a flood of the simplest levels of the attacks. Retailers who adapted to the attack as it unfolded saw the attackers evolve in turn, trying another way around the obstacles in their path. And so on.
There are some early reports that the attackers might be adding more technical aspects to their attack as well (the kind we’d more readily associate with hackers/cybercrime than with fraud), but it is too early to confirm or detail this.
Who Are the Attackers?
All the signs suggest that this fraud ring is based in Southeast Asia, and that they are both well-funded and extremely organized.
The level of preparation, from gathered data sources to scouting out merchants’ vulnerabilities and systems to the tiered stages of the attack, suggests that they have been planning this attack for quite some time.
Some merchants have noted that when they dive into their own data from the last year with the perspective and knowledge from the recent attacks, they can see signs that the same group had been testing out various methods and feeling out merchant processes for some time, in slow, small and subtle ways.
The scale and speed at which they have worked during the holidays is reminiscent of a medium-sized business. Between this and certain other factors, it seems likely that the operation is made possible in part by MSHT (Modern Slavery & Human Trafficking). For more information on this distressing element, this article from ProPublica, this article from Vice and this podcast episode from the UKFIU give insightful context.
Why Now?
Holidays. The holidays are always popular with fraudsters, because the increase in good traffic and transactions, combined with the slightly altered consumer behavior (e.g. buying gifts from stores they don’t usually visit, shipping gifts to addresses different than their own billing address) makes it easier for fraudsters to hide.
Pressure on fraud teams. Additionally, fraud prevention teams are under extra pressure to provide a good customer experience that could drive loyalty, and to provide decisions quickly so that they don’t impact fulfillment times.
Triangulation fraud is particularly apposite during this year’s holiday season because, with economic uncertainty in the air, consumers are looking for deals even more than usual, so that they can get the perfect gift at a discounted price.
All of this makes it an excellent time for a serious coordinated attack.
Carry-over from Covid?
- The scale in terms of human participation has likely been enabled by the shift in direction in the MSHT world. During the pandemic, human trafficking for sex became a poor investment. The criminals engaged in this practice looked for alternative ways to use and abuse the human beings who were being trafficked, and appear to have found some lucrative ones. It was already becoming known that people were being coerced into creating and maintaining “pig butchering” scams. The work of an online fraudster, as part of a fraud ring like the Manipulators, is a natural extension of that.
- Purely speculatively, it is also possible that the well-funded appearance of this group has been made possible by money stolen from Covid relief programs - what NBC News referred to as the “biggest fraud in a generation.” Effectively, fraud rings such as this one could be using the money stolen then as seed capital to build larger and more complex operations such as the one behind the Master Manipulator attack.
What it Means
It’s too early to be talking about the attack being in the past, because it isn’t, but that doesn’t mean that we shouldn’t start thinking about what it might mean for the future.
It’s possible that this is a fraud ring of intelligent and focused bad actors who want to make a fortune and retire. In that case this is a one-off and, taking the long-term view, the holidays of 2022 will simply provide memorable war stories for the fraud fighters who experienced this attack.
- Watch this space. What may be more probable, unfortunately, is that the success of their debut on the fraud scene will incentivize this fraud ring to continue to invest in their operations. In that case they will presumably plan for the holidays of 2023 with the same eye for detail, preparation and scale. Copycat groups, or spin-off groups, are also possibilities.
- Outgrowth. This fraud ring may well also aim to take advantage of other busy times of the year - particularly those affecting sites which have been less impacted by the current attack. Perhaps they will start to explore other types of goods, and other geographies.
- Plan for scale. If the MSHT connection is indeed a reality, then the scale and organization of this attack may well be a harbinger for attacks of the future. When fraud fighters start to review the holiday period of 2022 and the lessons learned from it, and begin to plan for 2023 and beyond, this possibility is one that should be taken into account.
- Collaborate. If large, coordinated attacks like this are going to become a factor in the world of fraud prevention, then one thing is clear. Fraud fighters need to make collaboration and knowledge sharing part of their jobs.
Identifying and combating an attack like this is best done not only cross-merchant but cross-industry. Fraud prevention leaders and analysts who have strong, trusting relationships with their industry peers will be able to draw on those relationships when necessary to work out what’s going on, and what to do about it.
- Innovate. Lastly, if this kind of attack and evolution is more than a one-off, innovation in fraud prevention will become need-to-have, not nice-to-have - and that’s something that’s true for both merchants and solution providers. To combat a group like this you need to invest in staying agile, exploring new ideas, and incorporating new technologies that keep your system up-to-date and multi-layered. The attackers already are.
More Information
The article you’ve just read was written to spread awareness of this fraud ring and its implications without disclosing sensitive information.
If you work for a retailer, and are interested in the merchant collaboration group led by Karisse Hendrick’s consultancy, Chargelytics Consulting, you can email info@chargelyticsconsulting.com and request to be included in retailer education on this fraud ring.
At the request of the retail members of this collaboration group, and to avoid revealing any specific information on how these bad actors are being identified and linked to each other, access to more detailed information is reserved for the target companies themselves.
If you’re interested in more discussion of this fraud ring, its attack and what it means, you can listen to the Fraudology podcast episodes from November 28th and December 1st, in which Shoshana and Karisse talk more in depth about this group, their general attack methods, and why it’s different from the e-commerce fraud we’ve seen before.
Financial Crime | Fraud| AML| Risk| Quality Control | Quality Assurance
Thank you both Shoshana & Karisse for this write up and for the Fraudology episodes focusing on these issues! Can’t wait to listen to them. To piggyback a bit off what Shawn suggested on the “new” aspect of new device, IP, location, etc., are you able to elaborate on what type of fraud review/prevention systems these targeted merchants are utilizing? (Forter, Riskified, SEON, Signifyd, etc.) I’d be interested to hear the perspective from the fraud prevention companies and if/how this ring is able to get around their AI. Or is the fraud taking place after orders have already been placed due to the swapping of info? Also interested to hear if merchants have fraudsters working on the inside for the assist? Thank you both for your work during this time. It is incredibly helpful!
Award-Winning Cyberfraud Expert; Ecommerce Fraud Prevention Consultant; Chargeback Geek; Host of the Fraudology Podcast; Startup Advisor; Keynote Speaker; Consultant to Fortune 500 merchants
Thank you SO much for doing such a great job on this write up, as well as for being my "partner in anti-crime" as we put the pieces together in this widespread attack, despite really not wanting some of the "pictures" that were revealed to be true. It's my hope that this article, along with our 2 part conversation on the Fraudology podcast this week will help a lot of fraud-fighters better understand the stakes, how much the game is evolving, and realize that this is no longer "just" about saving money from criminals... in some cases, prevention can be about saving lives too. ❤️
Product Marketing | Fractional Consulting | GTM Strategy | Fintech & Payment Solutions | Product Management | User Acquisition
Excellent report Shoshana. Curious, is this fraud ring also attacking gift cards?
Freelance - Content Marketing | Writing | Product Marketing | Content Strategy | Marketing Consulting
Ray Blake and Graham Barrow I won't say I think you'll like this (you'll hate it) but I think you'll be intrigued.
Senior Fraud Strategy Manager, Spec | The Fraudelist | Fraud Consultant | CPFPP Certified | Founding Member, The House of Fraud
Triangulation fraud. Some call it reseller fraud. It has been around for a long time, but not to the extent that merchants are now seeing. The originating transactions happen off-platform, so you cannot stop them at the source. You have to fight the fraud you can see. For those not using ATOs, key indicators are device details, location, IP addresses, language, account age, address characters, session data, transaction and card velocities/details. You'll notice customer-inputted patterns within emails, names, addresses, etc. Those using ATOs fall into your ATO defenses. Remember NEW. New device, new IP, new location, new account changes. Watch those velocities on IP, device, JA3, locations, etc. Look across networks of connected accounts sharing details to take down clusters at a time. They share more details than you might be able to see on the surface or typically use. Additionally, watch for abnormalities of accounts meeting some of these indications and ordering the same items or from the same suppliers. They do not often offer everything that you do and their clients are often looking for a lot of the same "discounted" higher-demand items. You can make a HUGE difference. I have.