- Researchers have uncovered a widespread credit card scheme that has gone undetected since 2019.
- Amazon Web Services, Mastercard, and Visa could potentially be unknowingly participating in the scheme, the firm says.
Cybersecurity researchers say they have uncovered a massive, multi-million dollar credit card scheme, and major companies like Amazon Web Services, Mastercard, and Visa are all potentially unwitting participants.
Consumer-facing cybersecurity firm ReasonLabs exposed the scheme, which they said has flown under the radar for years by charging small enough monthly subscription fees for generic-sounding services to go undetected by scores of victims in the US.
ReasonLabs says the scam has been operating without notice since 2019 and has reaped fraudsters between $10 million to $50 million per year.
How the scheme works
The operation appears to have gone undiscovered largely due to its complexity. Scammers allegedly created a network of more than 200 fake dating and adult websites that are functional but have no real users or website traffic, ReasonLabs said.
The firm says these cybercriminals used hundreds of stolen credit card numbers, likely purchased from the dark web, and charged the cards monthly. Typical of many sites in the adult dating industry, the charges showed up on credit card bills with generic or official-sounding names, obscuring their origin.
The charges usually range from $29.95 to $49.95, ReasonLabs cofounder and chief technology officer Andrew Newman, told Insider.
In addition to the adult dating sites, the fraudsters allegedly set up a network of functional customer support sites to service complaints and issue legitimate refunds. Newman said the scammers processed refunds in order to avoid raising alarm bells with legitimate credit card companies.
He says he believes the scheme is operated from the middle of Europe or Russia, but the firm hasn't been able to fully verify the scammers' location.
Big companies' involvement
ReasonLabs says a number of major companies are unwittingly implicated in the ongoing scheme, including Amazon Web Services, Visa, Mastercard, and GoDaddy.
"We reached out to all the companies involved, so we were able to understand who was doing the hosting, who is doing all the domain registration. To date, not a single company returned or responded," Newman said.
He said ReasonLabs' next step would be to contact authorities via Fraud.org, a nonprofit that shares consumer complaints with law enforcement partners.
AWS told Insider it received the email from ReasonLabs, but it did not provide sufficient details about the alleged misuse of AWS services to investigate the matter. AWS says it has requested additional information from ReasonLabs but has yet to receive a response.
GoDaddy told Insider it is looking into the issue, and MasterCard said it doesn't have a record of being contacted regarding the scheme.
Visa did not immediately respond to comment.
How to protect yourself
"For this particular scam, what's crazy about it is there's really very little protection in the way of technology," said Newman.
"Something we preach all the time is really just education. If you see something odd, make sure you do something about it because it's not going to go away on its own," he added.
He advised people to be proactive about analyzing their credit card statements for unfamiliar charges. If people suspect a charge is fraudulent, they should contact their credit card companies directly because the companies can open internal investigations, Newman said.
"If you see something odd, make sure you do something about it because it's not going to go away on its own," he warned.