One of the great problems I have at Recorded Future is deciding what intelligence to consume on any given day. A favorite read is the monthly report that the Payment Fraud Intelligence (PFI) team produces. The most recent report provided crunchy data points around stolen payment cards, spurious checks, the latest scam sites, common points of purchase (CPP), and breached online merchants (via Magecart groups - therecord.media/russia-…). 

In PFI’s latest report, one of the compromised merchants (observed between July 12th and September 3rd) is a large firearm ammunition (ammo) retailer based in California. Generally, the implications of online merchant breaches equate to stolen (and hopefully bank-reissued) payment cards (debit/credit) and minor subsequent fraudulent transactions. In this case, I have to wonder if Magecart actors will use the victims' PII (personally identifiable information) to launch tailored social engineering extortion campaigns - therecord.media/russia-…

This breached ammo retailer serves roughly 180k average monthly visitors and was compromised for approximately two months, which means that (conservatively) 300k individuals' names, addresses, email addresses, and credit card details were stolen. A clever actor would automate email generation to incorporate personalized victim details and threaten to share ammo orders with spouses or employers or initiate a general public doxing.

The victim engagement rate would likely be low for threats involving spouses or employers, but most firearm owners would prefer that their PII (home address) not end up on the Internet with associated ammunition details (e.g., .45ACP), less for political reasons than for reasons of personal security and the risk of targeted theft.

Unfortunately, a 5% engagement rate at $200 of crypto per victim is $3M and probably worth the effort (particularly after monetizing the stolen payment cards through the usual fraud channels).

10:23 PM
Oct 18