Cybercrime service automates creation of fake scanned IDs, other identity verification documents

The service produces high-quality fake scans that can be used in fraud attacks to impersonate victims, Group-IB researchers said

A new Web-based service for cybercriminals automates the creation of fake scanned documents that can help fraudsters bypass the identity verification processes used by some banks, e-commerce businesses and other online service providers, according to researchers from Russian cybercrime investigations firm Group-IB.

The service can generate scanned copies of passports, ID cards and driver's licenses from different countries for identities supplied by the service users, fake scanned utility bills from various companies, as well as fake scanned copies of banking statements and credit cards issued by a large number of banks, said Andrey Komarov, head of international projects at Group-IB, via email.

It is common practice for banks, payment and money transfer providers, online gambling sites and other types of businesses that engage in money transactions via the Internet to ask their customers for scanned copies of documents in order to prove their identities or verify their physical addresses, especially when their anti-fraud departments detect suspicious account activity.

Using image manipulation software to change the photo, name and other details on a scanned ID is obviously not a new practice, but services like the one identified by Group-IB that automate the whole process and produce high-quality results are new on the cybercriminal market, Komarov said.

According to Group-IB, the service is provided through a website hosted on a server in Germany. The domain name was registered in May, but the service was launched in mid-August, Komarov said.

Independent cybercrime researcher Dancho Danchev described a very similar service in a July blog post; however, Komarov could not confirm whether it is the same one because there was no reference to the service's domain name in Danchev's report.

The service found by Group-IB has templates for passports, ID cards and driver's licenses for the U.S., Canada, Russia, the U.K., Germany, the Netherlands and other European Union countries. It also has templates for bank statements, credit cards -- front and back -- and utility bills from banks and utility companies operating in those countries.

The templates are for documents and cards that show signs of use and are scanned at different angles and different positions on the canvas. This makes the resulting image appear more authentic.

Using the service, a cybercriminal can get their desired counterfeit scanned document in JPG or PNG image format in around 40 seconds, Komarov said.

Scans of U.S. passports are the most expensive product and cost US$11 each. Other scanned documents are priced at $7.99 or $9.99 each.

Cybercriminals can pay using several online payment services and virtual currencies including WebMoney, Perfect Money, Bitcoin, Paymer and a new payment service called papogo.com that caters to the black market, Komarov said.

Some companies that use scanned documents for identity verification have specialized systems and tools that can detect image modifications, Komarov said. When there is suspicion about the authenticity of a scan, the anti-fraud teams will request images with better quality to verify that they are really created by the user, he said.

However, sometimes companies don't have the resources to perform detailed checks of incoming scans and criminals are exploiting this, Komarov said.

Tags: Group-IB, security, Identity fraud / theft, fraud
