Skip to content
.ca
sign in
4 minhigh

The Fraud Ecosystem Has Industrialized. That's Good News for Defenders Who Know Where to Look.

The payment fraud ecosystem has industrialized through Malware-as-a-Service e-skimmer kits, automated card testing, and scalable purchase scams. This standardization allows defenders to proactively detect and map fraudulent infrastructure upstream before monetization occurs, rather than relying solely on reactive transaction monitoring.

Conf:highAnalyzed:2026-04-01reports

Authors: Recorded Future

ActorsMagecartSniffer by FlerasAcceptCar
Scam MerchantsMagecartE-skimmerPayment FraudCard Testing

Source:Recorded Future

Key Takeaways

  • The payment fraud ecosystem has highly industrialized, utilizing Malware-as-a-Service (MaaS) e-skimmer kits like 'Sniffer by Fleras' and 'AcceptCar'.
  • Purchase scam operations have scaled significantly, with over 3,600 scam merchant accounts identified in 2025, utilizing repeatable, low-friction infrastructure setup.
  • Card testing is heavily facilitated by Telegram-based services, abusing over 1,350 legitimate merchant accounts to validate stolen data.
  • Traditional transaction monitoring is insufficient because it is reactive; defenders must shift to proactive, upstream detection of standardized fraud infrastructure.

Affected Systems

  • E-commerce websites
  • Payment processing systems
  • Merchant accounts

Attack Chain

Threat actors deploy e-skimmer kits like Sniffer by Fleras or AcceptCar on compromised e-commerce sites to harvest payment data. Alternatively, they set up purchase scams using online ads and lures to direct victims to fraudulent websites, tricking them into authorizing payments. Stolen card data is then validated using automated Telegram-based card testing services against legitimate merchant accounts before being monetized or sold on dark web markets.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No

No specific detection rules are provided in the article.

Detection Engineering Assessment

EDR Visibility: None — The attacks target e-commerce web infrastructure, payment gateways, and merchant accounts rather than traditional enterprise endpoints. Network Visibility: Medium — Monitoring outbound traffic from e-commerce servers can identify connections to unauthorized domains used by e-skimmer management servers. Detection Difficulty: Hard — Requires specialized threat intelligence and behavioral analysis of merchant registrations and transaction patterns across multiple acquirers, which is outside standard enterprise SOC capabilities.

Required Log Sources

  • Web Server Access Logs
  • Payment Gateway Transaction Logs
  • Merchant Registration Data

Hunting Hypotheses

HypothesisTelemetryATT&CK StageFP Risk
E-commerce web pages are loading unauthorized external JavaScript or communicating with unknown domains, indicating potential e-skimmer injection.Web proxy logs, Web server access logsCollectionMedium
High volume of small, rapid, or frequently declined transactions from a single merchant account within a short timeframe, indicating card testing activity.Payment gateway logsCredential AccessLow
Merchant accounts exhibiting recent domain registration combined with category code mismatches or URL mismatches, indicating potential purchase scam infrastructure.Merchant registration dataResource DevelopmentMedium

Control Gaps

  • Traditional transaction monitoring
  • Point-of-payment anomaly detection

Key Behavioral Indicators

  • Recent domain registration for merchants
  • Merchant category code mismatch
  • Merchant URL mismatch
  • Brand abuse in online ads used as sales lures
  • Payment redirects
  • Domain and merchant rotation
  • Access filtering on merchant sites

False Positive Assessment

  • Medium

Recommendations

Immediate Mitigation

  • Audit e-commerce websites for unauthorized JavaScript, third-party code, or unexpected changes to payment pages.
  • Implement Content Security Policy (CSP) to restrict script execution to trusted domains.

Infrastructure Hardening

  • Integrate proactive threat intelligence into merchant onboarding and monitoring processes.
  • Monitor for merchant category code and URL mismatches during the underwriting and continuous monitoring phases.

User Protection

  • Deploy client-side web security solutions to detect and block e-skimmer activity in user browsers.

Security Awareness

  • Educate consumers on identifying purchase scam lures and verifying merchant legitimacy.
  • Train fraud analysts on upstream detection methodologies rather than relying solely on reactive transaction monitoring.

MITRE ATT&CK Mapping

  • T1189 - Drive-by Compromise
  • T1583.001 - Acquire Infrastructure: Domains
  • T1584.004 - Compromise Infrastructure: Server
  • T1566.002 - Phishing: Spearphishing Link

Related