Combating the Surge in Retail Theft and E-Commerce Fraud With Open Source Intelligence

Retailers have recently experienced a significant increase in the theft of goods from their physical locations. The leaders of these organizations believe the thefts have been fueled by online marketplaces that allow criminals to create and maintain seller accounts under fake identities and under a veil of anonymity. They believe these accounts provide an easy channel to resell stolen goods without oversight or legal accountability.

At the end of last year, 20 retail leaders, including the CEOs of Best Buy, CVS, Home Depot, Nordstrom, and Target, sent a letter to Congress. These leaders are calling on legislators to enact laws that address this growing fraud by requiring the identification of sellers, making it more difficult for criminals to transact and maintain their anonymity as they sell stolen goods.

While Congress attempts to craft legislation to protect merchants from in-store theft and consumers from online fraud, the retailers themselves also need to take action. They need to use their intelligence teams to conduct investigations that make these crimes more expensive and less attractive for the criminals.

The Role of “Boosters”

According to the FBI, the retail industry has lost billions of dollars in the past year from the sale of goods obtained through theft and robbery. The ‘shadow’ e-commerce retail marketplace that resells these goods relies on an ecosystem built on boosters. ‘Boosters’ are the first link in the chain: an orchestrated group of thieves hired by organized crime rings to steal from brick-and-mortar retailers and then provide the stolen property to street-level “fences” for 5-10% of retail prices. Those fences then sell the goods to distributors, and ultimately those goods are offered for sale in online stores and marketplaces. The retailers’ desire is for Congress to bring more accountability to these third-party online marketplaces.

Beyond Transparency: Into Accountability

While retailers wait for Congress to enact laws that bring accountability, verification, and diligence to third-party online marketplaces, companies need to do their part by making the transaction of stolen goods more costly for fraudsters. The same tactics, techniques, and procedures (TTPs) used in investigations that disrupt cyberattacks on retailers can be leveraged against those who sell counterfeit or stolen goods. Retailers typically already have systems in place that record the provenance of consumer goods.

With these systems in place, a security team should be able to investigate widespread theft, track stolen property to online marketplaces, build proper controls to legally remove them, and coordinate with law enforcement to implement processes that disrupt organized criminal elements before they profit.

Tracking the Record of Ownership: Retail Data Provenance

A key component of online crime investigation is the use of techniques that identify stylometric attributes of the criminal infrastructure. These attributes can reveal the provenance of retail data stolen by the malicious actor and enable victims and authorities to take action.

Security practitioners often look for lapses in operational security by the threat actors. These operational mistakes, combined with retailer systems for tracking merchandise, can provide the point of origin of stolen goods. Examples of operational mistakes include, but are not limited to, the following:

● An actor forgot to use their VPN or proxy to connect to their fraudulent online infrastructure and revealed their source IP range.

● An actor reused certificates on different infrastructure or failed to properly encrypt their fraudulent marketplace traffic.

● An actor registered their marketplace or hosting service with mailing/email addresses and phone numbers that can be unmasked.

By combining technical analysis with open-source intelligence (OSINT), analysts can add valuable context to the crime. The additional technology-enabled OSINT findings can help determine the motivation and sophistication of the threat.
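The three operational lapses listed above are exactly the kind of artifacts an intelligence team pivots on to link separate marketplace hosts to one operator before handing a case to hosting providers or law enforcement. The script below is an added example, not code from the article; the hosts, certificate fingerprints, registration emails and IP addresses are constructed sample data standing in for what would be gathered from certificate transparency logs, passive DNS and registration records.

```python
"""Cluster fraudulent-marketplace hosts by shared OpSec artifacts (added example)."""
from collections import defaultdict
from ipaddress import ip_network

# Constructed sample data: one record per marketplace host observed by analysts.
RECORDS = [
    {"host": "shop-a.example", "cert_sha256": "aaa111", "reg_email": "Seller1@example.net", "src_ip": "203.0.113.10"},
    {"host": "shop-b.example", "cert_sha256": "aaa111", "reg_email": "other@example.org", "src_ip": "198.51.100.7"},
    {"host": "shop-c.example", "cert_sha256": "ccc333", "reg_email": "OTHER@example.org", "src_ip": "198.51.100.9"},
    {"host": "shop-d.example", "cert_sha256": "ddd444", "reg_email": "nobody@example.com", "src_ip": "192.0.2.5"},
]


def pivot_keys(rec):
    """Artifacts on which two hosts can be linked: the lapses named in the text."""
    return {
        ("cert", rec["cert_sha256"]),                 # certificate reused across infrastructure
        ("email", rec["reg_email"].lower()),          # reused registration contact
        ("net", str(ip_network(rec["src_ip"] + "/24", strict=False))),  # leaked source range
    }


def cluster_infrastructure(records):
    """Group hosts so that any shared pivot key joins two hosts (union-find).

    Returns a sorted list of sorted host lists, one list per likely operator."""
    parent = {r["host"]: r["host"] for r in records}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path compression
            x = parent[x]
        return x

    first_seen = {}  # pivot key -> first host carrying that artifact
    for r in records:
        for key in pivot_keys(r):
            if key in first_seen:
                parent[find(r["host"])] = find(first_seen[key])  # union the two hosts
            else:
                first_seen[key] = r["host"]

    groups = defaultdict(list)
    for r in records:
        groups[find(r["host"])].append(r["host"])
    return sorted(sorted(g) for g in groups.values())


if __name__ == "__main__":
    for group in cluster_infrastructure(RECORDS):
        print("linked hosts:", ", ".join(group))
```

Each resulting group is a candidate for a single takedown request or law-enforcement referral, with the shared artifacts serving as the documented basis for the link.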

With this analysis, a retailer may be able to interact with the threat actors in a “controlled buy” operation that verifies the stolen goods and documents the payment chain (if applicable). Conducting the aforementioned operations at scale and in a timely manner is achievable with proper focus and resources.

As a result, companies have several options:

● Working with the cryptocurrency or hosting providers to remove marketplace infrastructure.

● Collaborating with law enforcement to determine the amount of loss, resulting in prosecution.

● Publicly exposing criminals to deter future crime.

● Engaging the perpetrator and the perpetrator’s associates to facilitate cooperation without legal recourse.

● Removing the anonymity of the fraud actors and criminal conspirators.

The actions and outcomes described in this article are both necessary and complementary to any legislative action that may be undertaken by Congress. These actions by retailers themselves will help protect their businesses and inventory and ensure a fair marketplace for themselves and their customers.