Fraudsters Bypass 3-D Secure, Steal 3.15 Billion Rubles in a Year

According to Group-IB, a new scheme for stealing money from citizens relies on spoofing payment system pages that banks use to confirm customer consent for P2P transfers (card-to-card payments). In Russia, fraudsters have been using this method since late last year and have already managed to steal 3.15 billion rubles from online shoppers.

The P2P payment confirmation system, based on the 3-D Secure authorization protocol, is designed to increase the security of CNP (card-not-present) transactions when paying for goods and services online. All major international payment systems—Visa, MasterCard, JCB, AmEx, as well as the Russian MIR—support this technology.

Criminals are constantly looking for ways to bypass 3-D Secure, but most attempts involve stealing one-time codes through social engineering or malware. The creators of this new scam have taken a different approach: they use fake 3-D Secure pages, complete with logos of reputable payment systems.

How the Scam Works

The attack unfolds in several stages. First, a buyer who has the misfortune of dealing with a fake online store or web service is redirected to a phishing payment page. The payment details entered there are intercepted and used to initiate a transfer to the fraudster’s card.

In response, the bank sends the cardholder an SMS with a one-time code, which is supposed to be entered on the 3-D Secure page to confirm the payment. Because the fraudsters have swapped out this page in real time, the one-time code also falls into their hands, allowing them to complete the transfer to their own card.

Why This Scheme Is Dangerous

Experts say this scheme is complex to execute and difficult to detect with traditional anti-fraud solutions. However, when carried out properly, the payment appears legitimate to the issuing bank, making it extremely hard for the victim to recover their money after discovering the fraud.

Group-IB estimates that Russians deceived by this scheme make over 11,700 payments daily, totaling 8.6 million rubles. The victims are not only account holders but also issuing banks and the owners of brands whose names the scammers misuse, such as online stores and payment systems.

“This scheme is truly dangerous and is spreading and evolving extremely quickly,” comments Pavel Krylov, head of Group-IB’s online fraud prevention division. “Currently, only a handful of the largest banks in Russia and the CIS have protection against this type of fraud. Their defenses are based on behavioral analysis and the ability to track each session and user behavior on both web resources and mobile apps in real time.”

Group-IB does not rule out that this fraudulent scheme could soon spread beyond Russia.
