
Commit 793e90d

Added new content - Defense Evasion and Return Fraud techniques
1 parent e541102 commit 793e90d

29 files changed

+1628
-14
lines changed

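--- a/src/content/techniques.json
+++ b/src/content/techniques.json
@@ -1,9 +1,14 @@
 [
-{ "pre_compromise": "Reconnaissance", "initial_access": "Shoplifting", "control":"Gift Card Extortion", "monetization": "Resale"},
-{ "pre_compromise": "Social Engineering","initial_access": "Social Engineering","control":"Valid Accounts", "monetization": "Checkout" },
-{ "pre_compromise": "Fake Pages","initial_access": "Gift Card Extortion", "control":"Gift Card Return", "monetization": "" },
-{ "pre_compromise": "Acquire Database","initial_access": "Check Gift Card Balance", "control":"Gift Card Merging", "monetization": "" },
-{ "pre_compromise": "Gift Card Number Generation","initial_access": "Valid Accounts", "control":"Gift Card Tampering", "monetization": "" },
-{ "pre_compromise": "Password Reset","initial_access": "Password Reset", "control":"Gift Card Redemption", "monetization": "" },
-{ "pre_compromise": "Proxy Abuse","initial_access": "Credential Stuffing", "control":"Loyalty Points Abuse", "monetization": "" }
+{ "pre_compromise": "Reconnaissance", "initial_access": "Shoplifting", "defense_evasion": "Valid Accounts", "control":"Gift Card Extortion", "monetization": "Resale"},
+{ "pre_compromise": "Social Engineering","initial_access": "Social Engineering", "defense_evasion": "VOIP Abuse", "control":"Valid Accounts", "monetization": "Checkout" },
+{ "pre_compromise": "Fake Pages","initial_access": "Gift Card Extortion", "defense_evasion": "Digital Wallet Apps", "control":"Gift Card Return", "monetization": "Fraudulent Refund" },
+{ "pre_compromise": "Acquire Database","initial_access": "Check Gift Card Balance", "defense_evasion": "Crypto Currency", "control":"Gift Card Merging", "monetization": "Social Engineering" },
+{ "pre_compromise": "Gift Card Number Generation","initial_access": "Valid Accounts", "defense_evasion": "Gift Cards As Defense Evasion", "control":"Gift Card Tampering", "monetization": "Crypto Currency" },
+{ "pre_compromise": "Password Reset","initial_access": "Password Reset", "defense_evasion": "", "control":"Gift Card Redemption", "monetization": "" },
+{ "pre_compromise": "Proxy Abuse","initial_access": "Credential Stuffing", "defense_evasion": "", "control":"Loyalty Points Abuse", "monetization": "" },
+{ "pre_compromise": "Third Party Supplier Manipulation","initial_access": "Insider Recruitment", "defense_evasion": "", "control":"Wardrobing", "monetization": "" },
+{ "pre_compromise": "Fake Receipt Generation","initial_access": "Impersonation of Retail Employee", "defense_evasion": "", "control":"Item Manipulation", "monetization": "" },
+{ "pre_compromise": "Insider Recruitment","initial_access": "", "defense_evasion": "", "control": "Returns Process Exploitation", "monetization": "" },
+{ "pre_compromise": "Impersonation of Retail Employee","initial_access": "", "defense_evasion": "", "control":"Marketplace Exploitation", "monetization": "" },
+{ "pre_compromise": "","initial_access": "", "defense_evasion": "", "control":"Crypto Currency", "monetization": "" }
 ]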
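Review bot: The new `defense_evasion` cell `Gift Cards As Defense Evasion` does not follow the bare-technique-name convention every other cell uses (`Valid Accounts`, `Digital Wallet Apps`, `Crypto Currency`), and none of the technique files in this commit declare a `name` with that wording; if the matrix is resolved against technique `name` fields, which is what the other cells suggest, this cell will not resolve. Either rename it to the exact `name` of the technique it points at or add that technique file. Separately, the file models five independent columns as row objects padded with `""` (the last row is empty in four of five keys), so every consumer has to treat the empty string as "absent"; a per-tactic shape such as `{ "defense_evasion": ["Valid Accounts", "VOIP Abuse", ...], ... }` would remove the sentinel and let columns grow independently without touching unrelated rows.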
Lines changed: 65 additions & 0 deletions
@@ -0,0 +1,65 @@
1+
{
2+
"code": "FT 1104.03",
3+
"name": "Authorized Account Abuse",
4+
"parent_technique": "Valid Accounts",
5+
"tactics": [
6+
"Defense Evasion"
7+
],
8+
"schemes": [
9+
"Gift Card Fraud",
10+
"Account Take Over"
11+
],
12+
"sub_techniques": [],
13+
"technique_description": [
14+
"The fraudster persuades a legitimate customer to grant access to their account, enabling the fraudster to leverage a seasoned profile with an established purchase history and associated metadata. This tactic helps bypass or weaken fraud detection controls."
15+
],
16+
"mitigation": [
17+
{
18+
"type": "Multi-Factor Authentication",
19+
"details": [
20+
"Before permitting account changes, use multiple forms of authentication such as username and password paired with a Onetime Passcode before permitting access.",
21+
"If relevant, send confirmatory message to the original contact fields (eg., original email address, phone number, street address)"
22+
],
23+
"implemented": false
24+
}
25+
],
26+
"detection": [
27+
{
28+
"type": "Network Traffic Attributes",
29+
"details": [
30+
"Monitor for the Network Traffic Attributes such as IP Address, DNS Name, ASN, and other digital location attributes especially if some of these sources have known fraud activity or has a high risk of fraud activity."
31+
],
32+
"implemented": false
33+
},
34+
{
35+
"type": "Time-Based Attributes",
36+
"details": [
37+
"Based on the location of your operations, monitor for activities that occur during off hours."
38+
],
39+
"implemented": false
40+
},
41+
{
42+
"type": "Device Attributes",
43+
"details": [
44+
"Monitor device factors such as device type, user agent string, operating system, cookies."
45+
],
46+
"implemented": false
47+
},
48+
{
49+
"type": "Velocity Attributes",
50+
"details": [
51+
"Monitor for accounts that are created quickly in succession from the same location or with similar features."
52+
],
53+
"implemented": false
54+
}
55+
],
56+
"references": [
57+
{
58+
"name": "Top 10 Digital Commerce Account Risks & How to Mitigate Them by Gunnar Peterson",
59+
"source": "https://www.forter.com/blog/rh-isac-account-risk-mitigation"
60+
}
61+
],
62+
"hide": false,
63+
"color": "",
64+
"risk_score": 0
65+
}
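Review bot: The Velocity Attributes detection (`Monitor for accounts that are created quickly in succession…`) does not fit this technique, whose defining feature is that the fraudster borrows an existing, seasoned account precisely to avoid looking like a new one; the velocity signal that applies here is a burst of profile changes on an aged account, e.g. `Monitor seasoned accounts that add a new device, shipping address or payment method and then place an unusually large or atypical order within a short window.` The MFA mitigation also needs a caveat: when the legitimate holder has been persuaded to hand over access, they will typically share the OTP or approve the push as well, so MFA alone is weak against consent-based sharing and the second bullet (out-of-band confirmation to the original contact fields) plus a cooling-off period before a newly enrolled device or address can be used for purchases is the part that actually bites. The code `FT 1104.03` uses a two-digit sub-technique suffix while the other new sub-techniques in this commit use three (`FT 1207.002`, `FT 1304.002`); pick one scheme. `Onetime Passcode` should read `One-Time Passcode`.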
Lines changed: 44 additions & 0 deletions
@@ -0,0 +1,44 @@
1+
{
2+
"code": "FT 1403",
3+
"name": "Crypto Currency",
4+
"parent_technique": "",
5+
"tactics": [
6+
"Defense Evasion",
7+
"Control",
8+
"Monetization"
9+
],
10+
"schemes": [
11+
"Return Fraud"
12+
],
13+
"sub_techniques": [],
14+
"technique_description": [
15+
"Fraudsters in retail exploit cryptocurrency as a tool to hide their tracks and bypass traditional fraud controls. After committing fraud or policy abuse, they often convert refunds or store credits into crypto through gift cards, prepaid instruments, or resale of goods on secondary markets. Crypto’s anonymity, lack of centralized oversight, and irreversible transactions make it ideal for laundering value obtained from fraudulent returns. Fraudsters also use multiple wallets, peer-to-peer exchanges, and privacy coins to fragment and obscure transaction history. This enables them to quickly move value across borders and outside retailer monitoring systems, making detection and recovery extremely difficult."
16+
],
17+
"mitigation": [
18+
{
19+
"type": "Behavior Prevention",
20+
"details": [
21+
"Do not accept Crypto Currency in your marketplace"
22+
],
23+
"implemented": false
24+
}
25+
],
26+
"detection": [
27+
{
28+
"type": "Transaction data",
29+
"details": [
30+
"Use CTI to correlate and identify crypto wallets that are either suspicious or have been identified as supporting illegal activity or fraud."
31+
],
32+
"implemented": false
33+
}
34+
],
35+
"references": [
36+
{
37+
"name": "Industry Partner Collaboration",
38+
"source": ""
39+
}
40+
],
41+
"hide": false,
42+
"color": "",
43+
"risk_score": 0
44+
}
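Review bot: The only mitigation, `Do not accept Crypto Currency in your marketplace`, does not address the behaviour the description lays out, in which value leaves the retailer as refunds, store credit, gift cards or resold goods and is converted to crypto off-platform; refusing crypto at checkout changes nothing about that path. The mitigations that bear on it are refund-destination controls, e.g. `Refund only to the original tender; cap or delay store-credit-to-gift-card conversions; require identity verification for cash-equivalent refunds above a threshold.` The detection bullet presupposes the retailer sees wallet addresses, which it will not if the mitigation is followed, so it should be scoped to marketplaces that do accept crypto. `Crypto's anonymity` overstates the case: most major chains are pseudonymous and routinely traced by on-chain analytics, so `pseudonymity` with a note that privacy coins and mixers are the exception is more accurate. `Control` is listed as a tactic but the description never explains what control-stage behaviour this technique covers.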
Lines changed: 67 additions & 0 deletions
@@ -0,0 +1,67 @@
1+
{
2+
"code": "FT 1207.002",
3+
"name": "Damaged Shipment",
4+
"parent_technique": "Returns Process Exploitation",
5+
"tactics": [
6+
"Control"
7+
],
8+
"schemes": [
9+
"Return Fraud"
10+
],
11+
"sub_techniques": [],
12+
"technique_description": [
13+
"A fraudster orders multiple items in one shipment and then falsely claims that damage to one item rendered the entire order unusable (e.g., leakage, shattered glass, food contamination). They request an order level refund or reshipment rather than a partial remedy, exploiting lenient damage policies and limited evidence requirements.",
14+
"One example is when a fraudster orders printer ink toner and a laptop, then claims the toner exploded during shipping and damaged the laptop. The fraudster requests a refund for all items while keeping them."
15+
],
16+
"mitigation": [
17+
{
18+
"type": "Proof of Damage",
19+
"details": [
20+
"Require customers to submit photos or video evidence of damage.",
21+
"Require the physical return of damaged goods before issuing a refund."
22+
],
23+
"implemented": false
24+
},
25+
{
26+
"type": "Enhanced Packaging",
27+
"details": [
28+
"Isolate items that could leak or cause contamination into separate packages",
29+
"Use waterproof packaging or tamperproof seals."
30+
],
31+
"implemented": false
32+
},
33+
{
34+
"type": "Return Limit",
35+
"details": [
36+
"Limit the amount that can be refunded without requiring the item to be physically returned."
37+
],
38+
"implemented": false
39+
}
40+
],
41+
"detection": [
42+
{
43+
"type": "Behavioral Attributes",
44+
"details": [
45+
"Flag customers with repeated claims tied to specific accounts, addresses, and/or payment identities.",
46+
"Monitor for claims made on first-time orders by new customers."
47+
],
48+
"implemented": false
49+
},
50+
{
51+
"type": "Velocity Attributes",
52+
"details": [
53+
"Monitor for frequent damage claims of specific items."
54+
],
55+
"implemented": false
56+
}
57+
],
58+
"references": [
59+
{
60+
"name": "Industry Partner Collaboration",
61+
"source": ""
62+
}
63+
],
64+
"hide": false,
65+
"color": "",
66+
"risk_score": 0
67+
}
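Review bot: The Proof of Damage mitigation accepts photos or video but says nothing about reuse or fabrication, which is the obvious counter-move once evidence is required; a practitioner would want `Check submitted images for reuse across claims and accounts and for missing or inconsistent capture metadata; reject stock or generated images.` The Return Limit bullet caps the per-claim refund but not the cumulative value, so a fraudster can stay under it indefinitely; add `…and cap the cumulative no-return refund value per customer identity over a rolling window.` The detection side is reasonable, though `Monitor for claims made on first-time orders by new customers` will fire on a lot of legitimate first orders and should be weighted by order value and claim scope (whole-order vs. single item) rather than used alone.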
Lines changed: 50 additions & 0 deletions
@@ -0,0 +1,50 @@
1+
{
2+
"code": "FT 1402",
3+
"name": "Digital Wallet Apps",
4+
"parent_technique": "",
5+
"tactics": [
6+
"Defense Evasion"
7+
],
8+
"schemes": [
9+
"Return Fraud",
10+
"Gift Card Fraud"
11+
],
12+
"sub_techniques": [],
13+
"technique_description": [
14+
"Digital wallet applications (such as Apple Pay, Google Pay, and PayPal) are mobile or web-based platforms that store payment credentials and enable electronic transactions without physical cards. Fraudsters exploit these wallets to evade detection by creating multiple accounts under different identities, masking the original payment source, and requesting refunds to wallet balances instead of the original payment method, making it easier to convert funds into cash, gift cards, or resale value. In addition, Fraudsters may load stolen credit, debit and gift cards onto the wallet for reuse."
15+
],
16+
"mitigation": [
17+
{
18+
"type": "Identity Verification",
19+
"details": [
20+
"Verify the person's identity matches what is on the card in the wallet."
21+
],
22+
"implemented": false
23+
},
24+
{
25+
"type": "Behavior Prevention",
26+
"details": [
27+
"Do not permit multiple use of the same credit, debit, or gift cards within a defined period"
28+
],
29+
"implemented": false
30+
}
31+
],
32+
"detection": [
33+
{
34+
"type": "Location Attributes",
35+
"details": [
36+
"Identify impossible travel transactions for the same credit, debit, or gift card"
37+
],
38+
"implemented": false
39+
}
40+
],
41+
"references": [
42+
{
43+
"name": "Industry Partner Collaboration",
44+
"source": ""
45+
}
46+
],
47+
"hide": false,
48+
"color": "",
49+
"risk_score": 0
50+
}
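Review bot: The Identity Verification mitigation (`Verify the person's identity matches what is on the card in the wallet`) is generally not something the merchant can do for tokenized wallets: with Apple Pay or Google Pay the merchant usually receives a device-specific token rather than the funding card and no cardholder name, so this check belongs at the issuer or wallet-provisioning step and the bullet should say so or be dropped. The same tokenization undercuts the detection bullet (`impossible travel … for the same credit, debit, or gift card`), because each device gets its own token, so correlating the same underlying card across devices needs an issuer-supplied identifier rather than what the merchant sees as the card. The control that most directly counters the behaviour in the description (refunds to wallet balance instead of the original payment method) is missing: `Issue refunds only to the original tender or token used for the purchase; do not allow refund re-routing to a wallet balance or a different instrument.` The Behavior Prevention bullet as written blocks legitimate repeat customers; express it as a velocity threshold (N transactions per card per window) rather than an outright prohibition.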
Lines changed: 80 additions & 0 deletions
@@ -0,0 +1,80 @@
1+
{
2+
"code": "FT 1304.002",
3+
"name": "Double Refund",
4+
"parent_technique": "Fraudulent Refund",
5+
"tactics": [
6+
"Monetization"
7+
],
8+
"schemes": [
9+
"Return Fraud"
10+
],
11+
"sub_techniques": [],
12+
"technique_description": [
13+
"Fraudsters refund the same item multiple times either in multiple stores, online or some combination of both."
14+
],
15+
"mitigation": [
16+
{
17+
"type": "Return Limit",
18+
"details": [
19+
"Link each order to an individual refund.",
20+
"Restrict how many times a refund can be requested per order."
21+
],
22+
"implemented": false
23+
},
24+
{
25+
"type": "Escalation",
26+
"details": [
27+
"Escalate repeat attempts to return the same item to manager."
28+
],
29+
"implemented": false
30+
},
31+
{
32+
"type": "Behavior Prevention",
33+
"details": [
34+
"Stop refunds if the same order ID is already refunded."
35+
],
36+
"implemented": false
37+
}
38+
],
39+
"detection": [
40+
{
41+
"type": "Transaction Data",
42+
"details": [
43+
"Identify multiple refund requests for the same order.",
44+
"Identify the same return in multiple stores and online."
45+
],
46+
"implemented": false
47+
},
48+
{
49+
"type": "Behavioral Attributes",
50+
"details": [
51+
"Flag accounts doing frequent gift card refunds.",
52+
"Identify in person or Online Identities attempting gift card refund."
53+
],
54+
"implemented": false
55+
},
56+
{
57+
"type": "Device Attributes",
58+
"details": [
59+
"Detect repeat attempts from the same computer or phone submitting duplicate requests."
60+
],
61+
"implemented": false
62+
},
63+
{
64+
"type": "Velocity Attributes",
65+
"details": [
66+
"Identify accounts requesting several refunds in a short time"
67+
],
68+
"implemented": false
69+
}
70+
],
71+
"references": [
72+
{
73+
"name": "Industry Partner Collaboration",
74+
"source": ""
75+
}
76+
],
77+
"hide": false,
78+
"color": "",
79+
"risk_score": 0
80+
}
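Review bot: The Behavior Prevention control `Stop refunds if the same order ID is already refunded` is the real preventive control here, but as stated it is a check-then-act that fails in exactly the scenario the description names, the same item refunded in a store and online at the same time; it needs to be a single atomic cross-channel operation, e.g. `Record each refund as a ledger row per order line under a uniqueness constraint (or idempotency key) so a concurrent second refund of the same line is rejected, rather than reading a status flag before writing.` It should also be per line item and quantity rather than per order, since legitimate partial refunds exist; the invariant is `cumulative refunded quantity and amount per order line must not exceed what was purchased`, and the first Return Limit bullet (`Link each order to an individual refund`) should be reworded to that. The Behavioral Attributes bullets only mention gift-card refunds, which looks carried over from a gift-card technique; the double-refund signal is repeat refund attempts against the same order or line regardless of tender.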
Lines changed: 57 additions & 0 deletions
@@ -0,0 +1,57 @@
1+
{
2+
"code": "FT 1009",
3+
"name": "Fake Receipt Generation",
4+
"parent_technique": "",
5+
"tactics": [
6+
"Pre-Compromise"
7+
],
8+
"schemes": [
9+
"Return Fraud"
10+
],
11+
"sub_techniques": [],
12+
"technique_description": [
13+
"A fraudulent receipt created by a fraudster that appears legitimate. The primary purpose is to fabricate proof of purchase or transaction to deceive systems, individuals, or institutions and often to claim refunds, reimbursements, or validate false returns."
14+
],
15+
"mitigation": [
16+
{
17+
"type": "Behavior Prevention",
18+
"details": [
19+
"Validate the receipt with store records (preferably by electronic scan). Do not permit use of receipts without validation of store-controlled records."
20+
],
21+
"implemented": false
22+
},
23+
{
24+
"type": "Training and Awareness",
25+
"details": [
26+
"Identify fake receipts, which may appear visually different."
27+
],
28+
"implemented": false
29+
}
30+
],
31+
"detection": [
32+
{
33+
"type": "Transaction Data",
34+
"details": [
35+
"Identify refunds that do not have proper proof of purchase."
36+
],
37+
"implemented": false
38+
},
39+
{
40+
"type": "Velocity Attributes",
41+
"details": [
42+
"A large volume of receipts may obscure or overlap with a genuine receipt.",
43+
"A large number of items on the receipt."
44+
],
45+
"implemented": false
46+
}
47+
],
48+
"references": [
49+
{
50+
"name": "Industry Partner Collaboration",
51+
"source": ""
52+
}
53+
],
54+
"hide": false,
55+
"color": "",
56+
"risk_score": 0
57+
}
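Review bot: The first detection bullet, `Identify refunds that do not have proper proof of purchase`, detects the opposite of this technique: a fake receipt is proof of purchase that looks proper, so the signal is a receipt whose transaction ID, store, date, tender and line items do not reconcile to a record in the POS or order system, or that reconciles to a transaction already fully returned. The Behavior Prevention mitigation should add that scanning the barcode is not sufficient on its own, because a barcode copied from a genuine receipt will validate; the lookup must also mark the specific line items as returned and reject a second presentation, e.g. `Reconcile the receipt to the stored transaction and mark returned line items so the same receipt cannot be reused.` The Velocity bullet `A large volume of receipts may obscure or overlap with a genuine receipt` is hard to turn into a rule; `Many distinct receipts presented by one customer identity in a short window, or receipts whose line items overlap with an already-returned receipt` is what a rule would key on. The Training and Awareness bullet (`may appear visually different`) is the weakest check and should be positioned as a backstop to the record lookup, not an alternative to it.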
