Australians are being urged to look out for suspicious credit and debit card charges labelled ‘Jet Frog’ that could precede major fraudulent transactions by criminals.
A Sydneysider took to Reddit at the weekend to warn of a suspicious pending transaction they spotted on their online banking statement.
It was for zero dollars – indicating a ‘hold’ attempt that’s typically used to verify card details – from an unknown organisation called Jet Frog.
“Never heard of them, nor had ordered anything at the time of the charge,” they wrote. “Googled it and the first result was a scam … they test your card and if it works, start blasting charges to it.”
After contacting their bank, the card was cancelled and reissued.
Inquiries by news.com.au indicate the criminals behind Jet Frog fraud attempts have only been active in Australia fairly recently.
There are no registered companies with that name.
A financial news site describes Jet Frog as a third-party payment processor but there are few signs that the operation is legitimate.
Posts on X, formerly Twitter, and Reddit from those who were hit with Jet Frog charges say they hadn’t made any recent purchases that could be linked to the company.
One victim wrote about a charge for 99 cents, followed shortly after by the purchase of a necklace for $1000.
Another spotted a charge for 14 cents and then multiple attempted transactions for Uber services, before contacting their bank and cancelling the card.
Social media posts about suspicious charges from Jet Frog stretch back to late 2021, however most seem to be confined to the United States or Europe.
Most of the reported amounts are less than $1. Some are for zero dollars and others for as little as 14 cents.
News.com.au understands several major Australians banks are aware of fraud attempts involving Jet Frog and have flagged any future attempted transactions.
That makes the likelihood of major fraud much lower – but not impossible.
“At ING, we continually monitor accounts for suspicious and fraudulent activity,” an ING spokesperson said.
“As in this instance, we spotted the transaction, cancelled the customer’s card and reissued them with a new one. While we do everything we can to protect customers from fraud, we also encourage customers to diligently review their transaction records and contact us immediately on 133 464 if they ever spot anything that doesn’t seem right.”
Anyone who notices a transaction from Jet Frog should immediately contact their financial institution so the card can be cancelled and reissued.
Those already affected are encouraged to speak with their bank and make a report with ScamWatch, a division of the National Anti-Scam Centre.
“If you’ve lost money or personal details to a scammer, you’re not alone,” ScamWatch states. “Hundreds of thousands of Australians are scammed out of their money or personal information every year.
“Contact your bank or card provider immediately to report the scam. Ask them to stop any transactions.
“Once you have secured your details, you can help us try to stop the scam or to warn others by reporting the scam to us.”
In the past, criminals have relied on physical skimming devices attached to ATMs or EFTPOS machines to swipe credit card details and PIN codes.
Hackers have also infiltrated legitimate websites to fleece stored payment details, which are sold on the dark web in bulk.
But an emerging trend doesn’t involve skimming or hacking at all – but rather, ‘brute force’ efforts using computing technology that essentially guesses card details in a matter of seconds.
NordVPN recently conducted analysis of four million credit cards listed for sale on the dark web and found most were obtained via brute force.
“That means that criminals basically try to guess the card number and CVV,” Marijus Briedis, chief technology officer at NordVPN, said in a report.
“The first six to eight numbers are the card issuer’s ID number. That leaves hackers with seven to nine numbers to guess because the 16th digit is a checksum and is used only to determine whether any mistakes were made when entering the number.”
Guessing those nine digits requires a computer to run through one billion possible combinations, which can be done on a typical computer with fairly simple software, Mr Briedis said.
That takes about a minute on a standard computer, which is capable of running 25 billion combinations over the course of an hour.
“However, depending on the card issuer, a criminal may need only seven digits to make a correct guess. In this case, six seconds would be enough.”
When cyber criminals have the correct combination, they can sell verified card data for as little as $10 on the dark web, he said.
“And hackers have millions of these ready to sell.”
Of the four million stolen cards available for sale analysed by NordVPN, more than 419,000 belonged to Australian victims.
Across the board, the NordVPN analysis found Visa cards were most commonly found among caches of stolen card details, followed by MasterCard and American Express.
“Debit cards were more common than credit cards in the markets the independent researchers surveyed. Hacked debit cards put their victims at greater risk because there tend to be less protections in place for debit.”