Fraud-as-a-Service: Inside the Dark Web's Booming Business Model

September 2024

Fintech & Payments

Thomas Wilson

Senior Research Analyst

Fraud-as-a-Service is a cybercrime business model where an individual bad actor provides the necessary tools and services to other bad actors in order to make their fraudulent online activity easier. FaaS schemes are almost indistinguishable from how normal, level businesses - constantly optimising their return on investment through scalable tactics.

Some of the key elements of FaaS include:

• Commodification of Cybercrime: FaaS transforms traditional hacking and fraud methods into services that can be easily purchased or subscribed to; similar to legitimate SaaS (Software-as-a-Service) offerings. FaaS offers a wide range of tactics and personal information that can be used by cybercriminals to commit fraudulent activities.
• Accessibility: FaaS lowers the entry barrier for engaging in cybercrime by providing user-friendly interfaces, tutorials, and customer support. This enables fraudsters of any skill level to successfully commit fraud by purchasing prepackaged scams.
• Diversity of Services: FaaS is not limited to a single tactic, and can facilitate a multitude of different fraudulent attacks. These platforms offer a wide range of services, including but not limited to the tools to commit credit card fraud, identity theft, and DDoS (Distributed Denial of Service) attacks. High-end FaaS providers will offer custom-built tools which are tailored towards a client’s specific needs, often focusing on high-value targets.

Typical FaaS Business Structure

Source: Juniper Research

While it's relatively easy in an online world to attempt a single act of eCommerce fraud anonymously, creating a fraud operation large enough to make it worth the risk requires time, money, and technological expertise. FaaS providers operate beyond the scope of conventional search engines, existing on the dark web which requires specific software for which to gain access. This part of the internet houses illicit forums and marketplaces where FaaS providers can advertise and sell their services to novice fraudsters. This is also accompanied by customer support and user reviews; ensuring customer satisfaction and illustrating how these FaaS schemes operate much like a legitimate business.

What Tools Do FaaS Providers Use?

FaaS providers utilise a vast array of different tools to create their prepackaged schemes and will even rent out the use of these tools to other fraudsters. Some common FaaS tools include:

• App Cloners allow for multiple instances of the same app to be created on the same device and change its source code to enable relevant features. This allows for the bypass of security features that detect multiple account creation.
• Image Injection allows for the inserting of doctored/fraudulent images to spoof verification processes designed to identify new users. This can also be used to submit fraudulent proofs of purchase or delivery confirmations.
• Emulators simulate different devices and environments; helping to mimic legitimate device activity at scale, avoiding detection.
• Application Tampering Techniques enable individuals to change certain information that is collected from them on an application. For instance, things such as location spoofing can be used to manipulate the geographical location of a device to evade services that rely on location data.
• Botnets leverage up to thousands of infected computers to conduct DDoS attacks or leverage clicks on ads that are placed on fraudulent websites for example.

Tools such as the aforementioned are used to enable fraud attacks such as ATO (Account Takeover) fraud, refund fraud, online payment fraud, and synthetic identity fraud. They are either used by the FaaS provider to create fraud packages to sell, or are rented out to individual fraudsters on a subscription basis.

Furthermore, FaaS providers may have access to stolen payment card information, healthcare records, or social media accounts. They can use this data to create fake users, which are then sold or rented to subscribers, or they simply sell the raw data to fraudsters to create their own fake accounts. FaaS has democratised online financial crime for fraudsters that do not possess the necessary technical knowledge and has made committing fraud more accessible than ever before.

How Much of a Threat Does FaaS Pose to Businesses?

The FaaS model is akin to the SaaS (Software-as-a-Service) model, meaning that fraudulent information and tools are easily accessible to dark web users. By lowering this barrier for entry, businesses are at an increased risk of fraud attacks. This, in addition to the employment of artificial intelligence and machine learning amongst fraudulent methods, has resulted in bad actors being able to focus on the rapid execution of attacks. 

The financial damage caused by FaaS-supported attacks can be devastating, and further potential revenue can be lost through consumer trust in the business being spoilt. In order to defend against FaaS tactics effectively, proactive fraud prevention strategies are essential. Things such as velocity checks, which analyse the rate at which users are completing transactions, and geolocation, which monitors the location from which a user is attempting their transaction, can help to accurately determine whether a user’s behaviour is illegitimate or not. App tampering and device emulation are also metrics that merchants can analyse in order to halt attacks with greater accuracy.

Therefore, it is possible for merchants to defend against the threats that FaaS poses, but it is imperative that the fraud prevention strategies they employ continually evolve in order to keep pace with the emerging threats that FaaS enables.