
Yandex ignores the 3D Secure check when paying for advertising in Yandex.Direct using bank cards

Approximately half a year ago, in the Geektimes publication “Cheap air tickets ... Or a network of fraudulent sites stealing money from cards. My investigation”, I described a case in which, in addition to the money for “fake tickets”, a further 35,200 rubles was stolen from my friend's card and went to replenish the fraudsters' account in the Yandex.Direct advertising network. The stolen amount was limited only by the balance on the card. If there had been more money left on the card, they would have stolen more. The debit comment read "YM * Yandex.Direct". Below is a fragment of a bank statement taken from the mentioned publication:

[Image: fragment of the bank statement]

In the case described, the number of the “victim's” bank card was stolen, or more precisely, obtained by deception on a fraudulent website. The victim confirmed the transfer of funds for the fake tickets with 3D Secure codes that arrived by SMS from the bank. However, the payments to Yandex.Direct went through at different times without any additional requests to the cardholder, without 3D Secure checks and so on.

Although fraudsters wrote on shadow forums that Yandex really does not use 3D Secure when paying for Yandex.Direct, this was not confirmed in practice. In my own testing of Yandex.Direct balance replenishment through the site, an additional check using SMS codes from the bank was always carried out. I even thought that Yandex, as a result of the first publication, had quickly corrected its services. For me and, I think, for many others, it was unclear for a long time how the fraudsters bypassed this check. And then I accidentally found this simple way, which lay on the surface and which still works. I suggest that anyone who, in the comments to the first article, praised the “super-security” of their cards and praised their banks test them when paying Yandex.Direct.

Before we continue, under the spoiler you can see what the payment form looks like if you top up the balance through your Yandex.Direct account using a browser and the full version of the site. I have no complaints about the full version of the site.
Deposit Yandex.Direct through the site




I can't even say that I discovered something. The method is extremely simple: to use it you only need to install the Yandex.Direct application for mobile phones and pay with bank cards through this application. It is likely that a large number of respectable Yandex.Direct users have used this method of replenishing the balance, but did not pay attention to the lack of checks, or left this point on the developers' conscience. The following describes the simple payment sequence, using the mobile application for iOS as the example.


Tap the label "to replenish the total account".


Enter the amount and choose payment by card.


Enter the card data.


The card data is saved. On the first save, 2 rubles are automatically debited from the card for verification, and then the same amount is returned.


All this happens without using 3D Secure! No SMS arrives. To pay, it is enough to know the card number, its expiry date and CVV. A Sberbank card was used for testing; for any other purchases over the Internet with it, SMS messages with verification codes always arrive.


Screenshot with SMS card verification and first payment.


By default, the card data is stored in the phone. The mobile application does not even ask the user whether he really wants to store card data in the phone. With subsequent payments using a previously verified card, replenishing the balance in Yandex.Direct is even faster. Simply select a previously saved card and tap the Pay button at the bottom of the screen. The amount is pre-filled with the same value as in the previous payment. The money flies away instantly. The user is not even asked to confirm that he really wants to transfer the amount.

In the Yandex.Direct personal account, in the payment journal, card payments made with 3D Secure and payments without full validation are labelled differently. Payments through the form in the personal account in the full version of the site are labelled “Bank Card”; payments through the mobile application are labelled “Trust, bank card”. “Trust” here has nothing to do with the name of the bank.
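The difference between the two payment paths can be checked mechanically from transaction records. The following is an added example, not part of the original article and not Yandex's or any bank's code: it flags a merchant whose payment paths disagree on 3D Secure and totals what left each card unchallenged. The `three_ds` field, the card masks and all records are constructed assumptions; the descriptor and journal labels are the ones quoted in the article.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Payment:
    card: str            # masked card number (constructed)
    descriptor: str      # merchant descriptor as printed on the statement
    journal_label: str   # label shown in the merchant's payment journal
    amount_rub: int
    three_ds: bool       # assumed field: was a 3D Secure challenge completed?

# Constructed sample records; descriptor and labels follow the article's wording.
PAYMENTS = [
    Payment("****1111", "YM * Yandex.Direct", "Bank Card", 1000, True),
    Payment("****1111", "YM * Yandex.Direct", "Bank Card", 3000, True),
    Payment("****2222", "YM * Yandex.Direct", "Trust, bank card", 2, False),
    Payment("****2222", "YM * Yandex.Direct", "Trust, bank card", 15000, False),
    Payment("****2222", "YM * Yandex.Direct", "Trust, bank card", 15000, False),
    Payment("****3333", "EXAMPLE*SHOP", "Bank Card", 500, True),
]

def channel_parity_gaps(payments):
    """Merchants where one payment path always runs 3DS and another never does."""
    # descriptor -> journal label -> [challenged count, total count]
    stats = defaultdict(lambda: defaultdict(lambda: [0, 0]))
    for p in payments:
        cell = stats[p.descriptor][p.journal_label]
        cell[0] += int(p.three_ds)
        cell[1] += 1
    gaps = {}
    for descriptor, labels in stats.items():
        enforced = sorted(l for l, (ok, n) in labels.items() if ok == n)
        skipped = sorted(l for l, (ok, n) in labels.items() if ok == 0)
        if enforced and skipped:
            gaps[descriptor] = {"enforced": enforced, "skipped": skipped}
    return gaps

def unauthenticated_exposure(payments, descriptor):
    """Rubles per card that left without a 3DS challenge for one merchant."""
    totals = defaultdict(int)
    for p in payments:
        if p.descriptor == descriptor and not p.three_ds:
            totals[p.card] += p.amount_rub
    return dict(totals)

if __name__ == "__main__":
    for merchant, gap in channel_parity_gaps(PAYMENTS).items():
        print(merchant, gap, unauthenticated_exposure(PAYMENTS, merchant))
```
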


For any fraudulent site to exist, it must somehow lure visitors, some of whom may become victims of deception. Fraudulent sites do not live long because over time they are identified and closed. Without advertising, it is almost impossible for new scam sites to get much traffic from search engines in an honest way. Even if such sites are promoted for an entire year, they usually do not reach the first pages of the search results. The only remaining way to attract visitors is to place paid advertising. Advertising on popular queries (for example, “cheap flights to Anapa”) is expensive, and fraudsters will not spend their own money on it. For this they have the data of stolen cards, from which tens and hundreds of thousands of rubles can easily be transferred to the Yandex advertising network. Other people's money is not a pity, and in order to get to the first place in the search results, fraudsters can pay Yandex any cost per click: 100 rub., 200 rub. I think that no advertising network will object that someone wants to share money with it.

Yandex has created a program that is ideal for inclusion in the arsenal of scammers. It is enough to buy an old used smartphone and a "left" SIM card. The application is installed on the smartphone. The number of the stolen card is entered into it. And from any corner of the globe where there is a mobile network or Wi-Fi, money can be stolen with one click. Those who are especially suspicious can change the smartphone and the SIM card after a week or a month. Tracking such scammers is almost impossible.

Everyone is happy, except for the holders of the cards being debited. Based on the real case described in the first article, even if you contact Yandex hot on the heels, less than 12 hours after the funds were transferred to Direct, Yandex promptly responds: “At your request, we conducted an investigation and took all necessary measures. Unfortunately, the money has already been spent, and we were unable to return it ... ". If you quickly contact your bank, you can try to get the funds returned, especially considering that they were debited without a 3D Secure check. As the first article showed, in a single case the money was even returned after an application to the sender's bank. But before the money comes back, the victims of the scammers are forced to write to Yandex, to their bank, to the police and so forth, and wait a month for a return, hoping for a miracle. Meanwhile, with a couple of clicks the fraudsters enter the stolen data of the next card into the application and start a new episode of the endless series.

Or maybe add a 3D Secure check after all when replenishing the balance in Yandex.Direct?

Source: https://habr.com/ru/post/401937/

