Annual Payment Fraud Intelligence Report: 2023

The 2023 report documents a resurgence in payment-card fraud: 119 million stolen cards appeared for sale, fraudsters blended technical e-skimming and automation with social engineering, and workflows to bypass 3-D Secure became more common. The authors warn these hybrid cyber-fraud tactics—including Magecart-style skimmers, Google Tag Manager abuse, and Telegram distribution—will likely intensify in 2024, urging closer CTI–fraud team collaboration.

Key points

  • Dark web carding shops posted ~119 million stolen payment cards in 2023, creating large preventable losses for issuers and merchants.
  • Magecart e-skimmers remained active and commonly abused Google Tag Manager, Telegram, and attacker-controlled domains to deliver and host malicious scripts.
  • Phishing and scam pages grew as a prominent vector for card compromise alongside direct web skimming on merchant checkout flows.
  • Threat actors increased card-testing activity and adopted workflows to bypass 3‑D Secure (3DS) protections, improving transaction success rates.
  • Fraud operators began integrating AI-driven workflows and more sophisticated social engineering to refine attack chains and evade rules-based detection.
  • Most e-skimmer and card compromise incidents targeted U.S. merchants, with significant impacts also observed across other developed e-commerce markets.
  • The report recommends stronger coordination between cyber threat intelligence (CTI) and fraud teams to address hybrid technical and social-engineering threats.

MITRE Techniques

  • [T1566] Phishing – Use of phishing and scam pages to harvest payment data and perform social-engineering-driven card compromise (‘…Fraudsters refined their techniques, using sophisticated social engineering tactics, phishing, scams…’).
  • [T1190] Exploit Public-Facing Application – Injection and deployment of Magecart e-skimmers via compromised merchant sites and third-party scripts (including Google Tag Manager) to capture payment details (‘…Magecart actors continued to use Google Tag Manager… for e-skimmer infections…’).
  • [T1078] Valid Accounts – Use and validation of stolen payment credentials through card-testing workflows and transaction trials to confirm usable card data (‘…Threat actors engaged in card-testing activity, and workflows for 3DS bypass gained popularity…’).
  • [T1110] Brute Force – Automated card-testing and trial transactions against merchant payment flows to enumerate valid cards and payment combinations (‘…Threat actors engaged in card-testing activity…’).
  • [T1583] Acquire Infrastructure – Use of dark web carding shops, attacker-controlled domains, and Telegram channels as infrastructure for distribution and sale of stolen full-card data (‘…dark web carding shops saw a rebound… Telegram sources became increasingly important for free full card data…’).

Indicators of Compromise

  • [URL] Report PDF – https://go.recordedfuture.com/hubfs/reports/cta%20-2023-1221.pdf
  • [URL] Original article/source – https://www.recordedfuture.com/annual-payment-fraud-intelligence-report-2023
  • [Platform/Distribution] Card data marketplaces and channels – dark web carding shops (119 million cards posted), Telegram (used for free/full-card data sharing)
  • [Third-party Service] Script/tag hosting abused in e-skimming – Google Tag Manager used by Magecart actors to deliver e-skimmer scripts

Fraud operators in 2023 combined client-side web skimming (Magecart) with social engineering and automated testing to increase successful card fraud. Attack chains frequently involved compromising merchant web pages or third-party script containers (notably Google Tag Manager) to inject e-skimmer JavaScript that captures checkout data, while attacker-controlled domains and Telegram channels hosted or distributed the malicious payloads and stolen full-card records.

Concurrently, attackers automated large-scale card-testing against merchant payment endpoints to validate stolen numbers and refined multi-step workflows to bypass 3‑D Secure, raising transaction approval rates. Phishing and scam pages supplemented these technical methods, harvesting credentials and payment data through user interaction, and actors began integrating AI-driven steps for scaling and evasion.

Defensive recommendations emphasize detecting and hardening third-party script usage, monitoring for unexpected Google Tag Manager changes or new external script loads, instrumenting transaction analytics to spot card-testing patterns, and improving information sharing between CTI and fraud teams to disrupt the hybrid fraud infrastructure (dark web shops, Telegram channels, attacker domains) used to sell and distribute compromised cards.
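
One way to check for new external script loads and unexpected Google Tag Manager containers is sketched below. It is an added example, not code from the report; the baseline sets, the host names, the container IDs and the sample checkout page are all constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

# Constructed baseline: script hosts and GTM containers the merchant approved.
APPROVED_HOSTS = {"shop.example", "www.googletagmanager.com", "js.payments.example"}
APPROVED_GTM = {"GTM-AAAA111"}

class ScriptInventory(HTMLParser):
    """Collect external script URLs from a checkout page snapshot."""
    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:  # inline scripts have no src and are skipped here
                self.srcs.append(src)

def audit_checkout(html, page_host="shop.example"):
    """Return sorted findings for unapproved script hosts and GTM containers."""
    inv = ScriptInventory()
    inv.feed(html)
    findings = []
    for src in inv.srcs:
        url = urlparse(src)
        host = url.hostname or page_host  # relative URL means first-party
        if host not in APPROVED_HOSTS:
            findings.append(("unapproved-host", host))
        if host == "www.googletagmanager.com":
            # An approved host can still serve a container nobody approved.
            for cid in parse_qs(url.query).get("id", []):
                if cid not in APPROVED_GTM:
                    findings.append(("unapproved-gtm-container", cid))
    return sorted(set(findings))

# Constructed snapshot of a checkout page, for illustration only.
SAMPLE = """
<html><head>
<script src="/static/checkout.js"></script>
<script src="https://www.googletagmanager.com/gtm.js?id=GTM-AAAA111"></script>
<script src="https://www.googletagmanager.com/gtm.js?id=GTM-ZZZZ999"></script>
<script src="https://js.payments.example/v3/sdk.js"></script>
<script src="//cdn.metrics-collect.example/a.js"></script>
<script>var inline = 1;</script>
</head></html>
"""

if __name__ == "__main__":
    for kind, value in audit_checkout(SAMPLE):
        print(kind, value)
```

Scripts that an approved container injects at run time do not appear in static HTML, so the same audit is more useful when fed a rendered DOM snapshot of the checkout page.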

Read more: https://www.recordedfuture.com/annual-payment-fraud-intelligence-report-2023