Jaden Urbi | CNBC Uber driver uses GPS navigation.
Cybercriminals are turning to new technologies to launder their ill-gotten gains, including recruiting fake Uber drivers, shady Airbnb hosts and crypto conversion specialists via the underground dark web, experts say.
Criminals are also ramping up older methods of money laundering, including buying gift cards and reselling them for a fraction of their price on the web, and relying on bank insiders to filter their funds through legitimate accounts and credit lines.
Ziv Mador, who leads cybersecurity firm Trustwave's SpiderLabs research team, said money laundering is essential to allowing cybercrime to proliferate. In fact, if you've ever had money stolen in a cyber scheme or from a hacked credit or debit card, this may be where it ended up.
"Cybercrime headlines tend to focus on new variants of malware or gross negligence resulting in large data breaches. It's a proverbial game of cat and mouse, with white hats fortifying defenses and black hats adjusting to bypass," he said. "However, missing from these stories and just as important for grasping how cybercriminals operate is what takes place post-breach or when funds are acquired illegally."
Fake Uber drivers and the 'acupuncture' scam
Techniques used by cybercriminals often differ from those used for laundering other types of dirty money. That's because techniques and methods for cybercrime are quickly shared and traded via dark web marketplaces, Mador explained. Cybercriminals are already operating fully on these marketplaces, and so it's a natural transition, he said.
For at least the past two years, cybercriminals have used increasingly creative methods centered on "gig economy" apps like Uber and Airbnb, according to Mador. The schemes work to filter dirty money through several automated systems, eventually making their way back to the criminal clean.
In one common scam, criminals recruit Uber drivers to pretend to take them on a ride. The criminal never shows up, but uses illicit money from a stolen credit card to pay for the trip. The driver then wires a portion of the payment for the trip back to the criminal.
Ads seeking help laundering assets by this method can be seen on the dark web, a network of websites outside the established internet only accessible through special applications, Mador said.
Trustwave A dark web ad, provided by security researchers at Trustwave's SpiderLabs, seeks "fake" Uber drivers to help launder illicit cybercrime proceeds.
Uber first learned about the money laundering because it was so prevalent in the Chinese market, according to a spokesperson, and has taken several steps to fight this type of fraud. Uber ramped up its fraud-detection techniques in 2016, around the time the company pulled out of China. It has fallen to "historical lows" since then, the spokesperson said, but acknowledged it remains a problem. To fight it, the company frequently works with U.S. law enforcement, including one case involving a fake-passenger scheme that led to 13 arrests in New York in 2017.
One common technique fraudsters use is known on underground forums as "acupuncture," the spokesperson said, because it involves a criminal overseas — typically in China or India — colluding with a U.S.-based driver by dropping location "pins" in the application along the driver's regular route. The driver collects the earnings, usually from a stolen credit card, then wires a portion of it back to the overseas criminals, who are known as "nurses" in this scheme.
"One reason it's enticing to the real driver is they think 'at least I'm getting paid for driving a route that I'm normally driving anyway.' What they don't realize is it's not just defrauding Uber or our platform, it's wire fraud, it's serious legal liability for the driver," the spokesperson said.
Criminals use a similar scheme with Airbnb hosts, Mador explained. Hosts answer ads, generally posted on the dark web. But instead of hosting an actual guest, with all the work and hassle that might involve, they take payment from a fake guest who never has any intention of showing up. Once the money is processed through Airbnb's system, the host refunds a portion of the nightly bill to the cybercriminal.
In one ad provided by Trustwave, posted on the dark web in May 2018 in Russian, a cybercriminal says he or she is seeking "managers of Airbnb hosts — I'm looking for people who have real hosts from this company," for a money laundering operation.
In a statement, Airbnb said, "Airbnb takes its responsibility as a participant in the financial ecosystem seriously and has developed sophisticated models, systems and processes to detect and prevent all forms of misuse and illegal activity. In addition to our own controls, Airbnb also works with other participants in the financial system including financial institutions, regulatory agencies and law enforcement to spot new trends in potential misuse and illegal activity and share information to combat illicit activity."
Cyber criminals also continue using more "traditional" laundering methods, especially in the form of "bank drops" and gift card purchases. Commodities like iPhones are also popular — criminals will buy them in bulk with dirty money and sell them at a steep discount, pocketing the clean money.
According to the FBI, "Criminals can direct federal or state tax authorities to issue fraudulent tax refunds on prepaid debit cards," according to the Bureau, making it a popular method of executing tax refund scams. Virtual currency payment processors are also popular, as a way to funnel proceeds from cyber schemes like ransomware — which often result in funds paid in cryptocurrency — through several transactional layers in order to mask the origins of the cash.
Cleaning bitcoin with 'mixers' and other techniques
Other professional criminals on dark web chat rooms offer a variety of methods to clean dirty bitcoin.
One of them involves using "mixers," which "divide currency among multiple accounts, transfer bitcoin through several other accounts, and eventually send them to one, external and clean account," Mador said. The mixing service provider collects a fee for this service, making it a lucrative illicit business of its own.
Ziv Mador, Trustwave research leader
In one dark web advertisement provided by Mador, a service provider called "dice456" offers a "way to clean your dirty coins … send me the Bitcoin and I will change it to XMR [the symbol for Monero, another type of cryptocurrency] then convert it back to Bitcoin and send it to a brand new wallet. This will break the chain of a dirty business and you can spend the coin with peace of mind. We charge 5% for this service."
Some cybercriminals claim to have recruited employees of banks in order to help pass illicit funds through real accounts with few geographical boundaries.
Some of those compromised employees even advertise their services — according to one individual purporting to be connected to a bank posting to a forum under the name "slim-shady," "I can get unlimited UK bank drops and are ready for loading. Cashout will be within the same hour of money dropping into account and your cut can be made any way you like."
Mador emphasizes that cybercriminals are relying as much on human weakness and curiosity as on technology to carry out and cover their crimes.
"We see the underground community's strengths in using and abusing the human factor to recruit people who are not deeply involved in dark web operations, turning them into the public face in their illegal activities."