A new Web-based service for cybercriminals automates the creation of fake scanned documents that can help fraudsters bypass the identity verification processes used by some banks, e-commerce businesses and other online services providers, according to researchers from Russian cybercrime investigations firm Group-IB.
The service can generate scanned copies of passports, ID cards and driver's licenses from different countries for identities supplied by the service users, fake scanned utility bills from various companies, as well as fake scanned copies of banking statements and credit cards issued by a large number of banks, said Andrey Komarov, head of international projects at Group-IB, via email.
It is common practice for banks, payment and money transfer providers, online gambling sites and other types of businesses that engage in money transactions via the Internet to ask their customers for scanned copies of documents in order to prove their identities or verify their physical addresses, especially when their anti-fraud departments detect suspicious account activity.
Using image manipulation software to change the photo, name and other details on a scanned ID is obviously not a new practice, but services like the one identified by Group-IB that automate the whole process and produce high-quality results are new on the cybercriminal market, Komarov said.
According to Group-IB, the service is provided through a website hosted on a server in Germany. The domain name was registered in May, but the service was launched in mid-August, Komarov said.
Independent cybercrime researcher Dancho Danchev described a very similar service in a July blog post; however, Komarov could not confirm whether it is the same one because there was no reference to the service's domain name in Danchev's report.
The service found by Group-IB has templates for passports, ID cards and driver's licences for the U.S., Canada, Russia, the U.K., Germany, the Netherlands and other European Union countries. It also has templates for bank statements, credit cards -- front and back -- and utility bills from banks and utility companies operating in those countries.
The templates are for documents and cards that show signs of use and are scanned at different angles and different positions on the canvas. This makes the resulting image appear more authentic.
Using the service, a cybercriminal can get their desired counterfeit scanned document in JPG or PNG image format in around 40 seconds, Komarov said.
Scans of U.S. passports are the most expensive product and cost US$11 each. Other scanned documents are priced at $7.99 or $9.99 each.
Cybercriminals can pay using several online payment services and virtual currencies including WebMoney, Perfect Money, Bitcoin, Paymer and a new payment service called papogo.com that caters to the black market, Komarov said.
Some companies that use scanned documents for identity verification have specialized systems and tools that can detect image modifications, Kamarov said. When there is suspicion about the authenticity of a scan, the anti-fraud teams will request images with better quality to verify that they are really created by the user, he said.
However, sometimes companies don't have the resources to perform detailed checks of incoming scans and criminals are exploiting this, Komarov said.
Join the CIO New Zealand group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.