Fraud as a Service Examples
FaaS Attacks You Need to See to Believe
Theory is one thing. Seeing how FaaS actually plays out in the real world is another.
FaaS often manifests as either infostealing or so-called “chargeback-as-a-service” schemes targeting high-end retailers. Such real-world attacks do measurable harm to merchants… and you could be next.
The clearnet — the legitimate, publicly-accessible web — is being ravaged by FaaS-enabled scams. In this article, I’ll highlight some FaaS attacks as they appear in the wild, and discuss why eCommerce merchants are uniquely vulnerable to these threats.
Fraud as a Service (FaaS)
As with software as a service (SaaS), buyers who purchase Fraud as a Service (FaaS) products don’t need to understand the inner workings of the program or how to carry out the fraud themselves. That’s a big problem for legitimate merchants and consumers: it means that even the least sophisticated bad actors can launch complex and large-scale attacks with nothing more than an internet connection.
Research published by Kaspersky Digital Footprint Intelligence revealed that FaaS “infostealers” injected malware into as many as 21 million devices between 2023 and 2024.
The outcome? Nearly 2 million primary card numbers were stolen from unsuspecting victims and dumped onto darknet marketplaces for sale. In fact, illegally-obtained payment information is so abundant that on underground marketplace B1ack’s Stash, FaaS scammers gave away 1 million debit and credit card numbers for free.
Any individual in possession of a leaked entry containing a card’s primary account number, expiration date, and CVV can use the information to carry out third-party fraud.
Financial services firms are prime targets for hackers, accounting for 22% of all cyberattacks in 2024. But there’s one industry that’s even more vulnerable to cybercrime: healthcare.
According to research from Kroll, healthcare providers suffered 23% of all data breaches last year, edging out financial industry firms by one percentage point.
The reason? Stolen health records are a cash cow for FaaS criminals. On the dark web, a single set of personal health records can fetch up to $1,000. By contrast, stolen card details sell for a mere $5 per set.
Today, an estimated 16% of businesses are fully remote. These digital-first businesses often take the form of eCommerce stores, consultancies, marketing agencies, development studios, and professional service firms.
Although these small and midsize businesses have few physical assets, they have plenty of data in the form of client lists, legal documents, employee social security numbers, payment card information, and bank account numbers.
For FaaS cybercriminals, these details are a digital treasure trove that can be stolen, exported, and resold to illegal buyers, sometimes for as little as $600.
Industry-Specific Vulnerabilities to FaaS
FaaS fraudsters target industries with fast payouts and repeatable profits, especially digital goods, subscription services, and high-ticket retail. Within these verticals, automation simplifies scaling and chargeback abuse by bypassing controls before merchants can react.
Not every business is equally exposed to Fraud as a Service. The professionalized nature of the FaaS industry can produce high ROI under the right circumstances. It only makes sense that bad actors would tend to gravitate toward verticals where the path to profit is shortest and most repeatable.
So is your business overly exposed? Take a look at a few of the more vulnerable verticals, and why they’re targets of FaaS fraudsters:
These attacks, sometimes called “bust-out” fraud, also commonly plague card issuers that extend credit to borrowers.