How Does Fraud as a Service Work? How FaaS Operates in the Underworld
How Does Fraud as a Service Work? Common Tactics & Practices
Fraud as a Service (FaaS) lets any would-be fraudster operate as a solo act from a dark basement somewhere. At the same time, it has streamlined and corporatized the fraud business: fraud tools are bought and traded with SaaS-like features such as money-back guarantees and tiered pricing.
Meanwhile, FaaS products themselves are growing more sophisticated by the day. From pre-packaged phishing kits to botnets-for-hire, today’s FaaS allows even amateurs to launch professional-grade attacks at scale. In this article, we look at how FaaS works and what threats it is likely to pose in the future.
Fraud as a Service (FaaS)
Similar to software as a service (SaaS), buyers who purchase Fraud as a Service (FaaS) products don’t need to understand the inner workings of the software or know how to carry out the fraud themselves. That’s a big problem for legitimate merchants and consumers: it means that even the least sophisticated bad actors can launch complex, large-scale attacks with nothing more than an internet connection.
How Does FaaS Work?
Fraud as a service operates on dark web marketplaces where cybercriminals offer phishing kits, card testing, synthetic identity creation, and other tools and services on a subscription or pay-per-use basis.
Obviously, both FaaS providers and the clients that pay for them are committing illegal acts. So, most transactions occur on underground platforms and darknet marketplaces, where they can take advantage of the lack of oversight and scrutiny.
You’re probably somewhat familiar with how the dark web works. Using anonymous network layers like I2P and the Tor browser, criminals can access illicit marketplaces to contract all manner of illegal activities. Bad actors can order assassinations, sell stolen information, ship drugs, and distribute illegal paraphernalia.
It’s on these underground marketplaces that FaaS providers find customers willing to pay for fraudulent services. And they work in a manner that’s disturbingly similar to above-ground, legal businesses.

FaaS is insidious because it functions exactly like a legitimate business. The only real difference is that the services offered for sale are scams.
This setup enables “ordinary” criminal buyers to carry out sophisticated attacks against unsuspecting victims with the backing and support of expert scammers working for FaaS providers.
All these transactions take place on the dark web. This makes FaaS operations especially difficult to trace and disrupt. While you might be able to intercept an individual fraud attack, the service provider is still out there, offering the same tools and services to other fraudsters.
Key Components of FaaS
Most FaaS providers fit into one or more of the following categories:
What is it?
Online platforms, often within darknet or encrypted forums, that facilitate the buying and selling of compromised data.
Includes
- Credit card dumps
- Stolen personally identifying information
- Compromised login credentials
How Does it Work?
Data is obtained via malware infections, data breaches, phishing campaigns, and even insider threats. Marketplaces may feature escrow systems, reputation ratings, and sometimes even "warranty" periods on data validity.

What is it?
Comprehensive tools and resources that allow unskilled bad actors to create and execute sophisticated phishing and social engineering campaigns.
Includes
- Ready-made templates
- Fake website generators
How Does it Work?
Pre-built email templates, realistic fake website replicas, malware payloads, and automated delivery systems allow buyers to launch streamlined attacks at scale. Social engineering modules, meanwhile, often incorporate psychological manipulation tactics and lean heavily on social media platforms.

What is it?
Software designed to automate brute-force scams and increase their throughput.
Includes
- Credential stuffing
- Done-for-you account takeovers
- Card testing attacks
How Does it Work?
Botnets or cloud-based infrastructure are used to launch high-volume attacks. Penetration techniques, API manipulation, and reverse engineering are used to discover vulnerabilities and bypass CAPTCHAs, multi-factor authentication, and other security measures.
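From the defender's side, the card testing traffic these automation tools generate has a recognisable shape: a burst of authorizations from one source, each against a different card, most of them declined. The following Python velocity check is an added example (not code from the original article); the log format, window and thresholds are assumptions, and the log lines are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)   # assumed sliding window
MIN_DISTINCT_CARDS = 5          # assumed threshold: distinct cards per source in window
MIN_DECLINE_RATE = 0.5          # assumed threshold: share of declined attempts

# Constructed sample log (not real traffic): timestamp, source IP, card token, amount, result
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 203.0.113.7 tok_a1 1.00 DECLINED
2024-05-01T10:00:02Z 203.0.113.7 tok_b2 1.00 DECLINED
2024-05-01T10:00:03Z 203.0.113.7 tok_c3 1.00 APPROVED
2024-05-01T10:00:04Z 203.0.113.7 tok_d4 1.00 DECLINED
2024-05-01T10:00:05Z 203.0.113.7 tok_e5 1.00 DECLINED
2024-05-01T10:00:06Z 203.0.113.7 tok_f6 1.00 DECLINED
2024-05-01T10:01:00Z 198.51.100.9 tok_g7 49.99 APPROVED
2024-05-01T10:02:00Z 198.51.100.9 tok_g7 49.99 DECLINED
2024-05-01T10:03:00Z 198.51.100.9 tok_g7 49.99 APPROVED
"""

def parse(line):
    """Split one assumed-format log line into typed fields."""
    ts, ip, token, amount, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, token, float(amount), result

def flag_card_testing(log_text, window=WINDOW, min_cards=MIN_DISTINCT_CARDS,
                      min_decline=MIN_DECLINE_RATE):
    """Return {ip: (distinct_cards, decline_rate)} for sources whose sliding window
    shows many distinct cards with a high decline rate. Each source is reported
    once, at the moment it first crosses both thresholds."""
    recent = defaultdict(deque)   # ip -> deque of (ts, token, result) inside the window
    flagged = {}
    for line in log_text.splitlines():
        ts, ip, token, _amount, result = parse(line)
        q = recent[ip]
        q.append((ts, token, result))
        while q and ts - q[0][0] > window:   # evict events older than the window
            q.popleft()
        cards = {t for _, t, _ in q}
        declines = sum(1 for _, _, r in q if r == "DECLINED")
        rate = declines / len(q)
        if len(cards) >= min_cards and rate >= min_decline and ip not in flagged:
            flagged[ip] = (len(cards), round(rate, 2))
    return flagged
```

A single legitimate customer retrying one card (the second source above) never trips the check, while the first source is flagged on its fifth distinct card.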
What is it?
Services that conceal illicitly obtained funds so that they appear legitimate.
Includes
- Cryptocurrency mixing
- Mule networks
How Does it Work?
Money is “cleaned” by layering transactions through multiple accounts, exploiting mule networks (individuals who transfer funds on behalf of others), and using cryptocurrency mixers (tumblers). Laundering can also entail conversion into other assets such as equities, real estate, or art.
Emerging Trends in FaaS
Emerging trends in FaaS, like the use of LLMs, deepfakes, and cryptocurrencies, will demand an aggressive, international strategy by law enforcement.
FaaS is not static. New technologies emerge constantly, and many are co-opted by FaaS criminals, either to enhance the effectiveness of their scam services or to make them more accessible or affordable for buyers. Here are a few trends to be on the lookout for:
The development of scam-enhancing technologies will almost certainly outpace regulators. Governments will need to play catch-up by enacting stricter laws targeting FaaS providers, their clients, and darknet transactions at large.
Law enforcement agencies, meanwhile, will need to invest heavily in specialized cybercrime units with expertise in cryptocurrency tracking, darknet investigations, and AI-driven threat detection.
Still, the internet’s borderless nature will render domestic regulation alone hopelessly ineffective. Instead, a coordinated global effort that involves intelligence sharing and joint investigations will become table stakes; anything less is unlikely to be sufficient.