The constant hustle and bustle of underground fraudster markets is a bountiful source for any and all types of fraud commodities and partnerships formed between seemingly anonymous criminals in the virtual world. And yet, one very prominent vertical, if we may, stands far out from the rest—credit card shops and just about everything that has to do with them.
What feeds credit card shops? What has been happening with these platforms through the past year? And what is the most recent novelty further popularizing this overflowing source of card fraud?
Why is it that CC Shops, as coined by residents of the underground, are one of the hottest black market subjects at any given time? CC shops are also the one fraud commodity to have developed as much, if not more than malware when it comes to the ways it is traded in the underground.
Is it possible that CC Shops are where fraud worlds collide? Compromised credit card data touches many aspects of the fraud cycle, and thus touches almost every cybercriminal and fraudster in that food chain. One cannot ignore the fact that many times a CC Shop does not only sell card data; many shops sell much more elaborate sets, including the type of victim information which can facilitate identity theft, thus being sought-out by an ever larger crowd of criminals.
Let’s see what ‘feeds’ CC Shops and keeps this vertical going. The biggest source feeding CC shops is hacked merchants (dubbed ‘shop-admins’), at times a one-time-hit type of a hack, grabbing the shop’s database; other times an ongoing data leak stealing daily feeds of incoming payment data from the hacked shop.
On the cybercrime and malware side, Trojan horses are made to recognize credit card numbers and parse them into a separate file for the botmaster to then use or sell them. Take SpyEye for instance, this Trojan has a CC Grabber module programmed precisely for that purpose.
Malware infections and the resulting botnets also feed CC Shops. Every computer infected is likely to supply botmasters with more than one credit card number. One cannot ignore the aggressive increase in unique Trojan variants over the past year, which also means more credit card data is stolen and more of it is liquidated through CC Shops.
What else feeds CC shops? Well, the real world! POS Skimmers, ATM Skimmers, compromised payment processors – credit card data flows from just about every direction, and at that rate, someone has to sell it and someone is always buying. Good old supply and demand.
Before CC shops existed, fraudsters had to advertise and sell cards in forums. Only vendors with a good reputation were allowed to sell to others. When e-currency became reality, and e-currency APIs allowed for e-payment, cybercriminals were jolly to automate the whole card selling process on a web-based interface.
The essential nature of today’s CC shop is designed to operate like an ecommerce site and automate the purchase of compromised information by aspiring fraudsters. These platforms have been around for years and while they used to be operated by the more advanced criminals in the past, today anyone can buy a CC-Shop-Platform, off the shelf with a friendly GUI and support team.
Have a look at this rent-a-shop platform; in this case, fraudsters were even invited to ask for the customization options they would need for their shop, along with an embedded card-checking gate.
Underground vendors have turned the sale of CC Shop platforms into a child’s game. Comparable to the sale of ready-made phishing kits, underground vendors offer both CC-shop-kits and platforms for rent. Anyone can buy or even rent a shop, pay for set up and hosting and begin selling the card data they have in stock.
Like any shop, fraudsters assumed: if we build it, they will come. “They” being their fellow fraudster buyers are coming. A recent count of active CC shops operating underground today can easily surpass 100 shops. The next step up, as it looks, is making fraud endeavors even easier!
Since almost all fraudsters know what they are looking for (cardholder gender, billing address area (Zip code), issuer/type of card, BIN), how about helping them find what they need – and faster? How about eliminating the need to register to a bunch of shops where they won’t even find the BIN they are after? What if they could access one search engine which would point them in the right direction?
And so, in a novel nefarious venture, one underground vendor decides to advocate to aggregate. The vendor reached-out to large CC Shop operators with an interesting offer – aggregation of the cards in their shop’s database which will allow fraudsters to query BINs on his site, without the need to register. Result? More fraudsters, more visits, more new customers for each shop, more cards sold… Everybody wins, well, except for global economy that is.
The new CC Shop aggregator was launched and advertised on every carding forum in sight, advocating its easy use, friendly interface and soliciting other shop owners to join the revolution. Introducing “MegaSearch” – a compromised payment card data aggregator.
Using the new search site, instead of having to login to multiple different CC shops, card-buying fraudsters will have the aggregator access different shops’ databases, pull the available cards and display a collection of results for each query. Since each CC shop differs in the types of information it offers and allows for varying search criteria, at this time the MegaSearch interface will provide card searches by BIN – the common denominator to all CC shops.
Evidently, no card information is shown in the search results which are very basic, only showing the name of the shop where the card can be purchased, the source shop’s URL, the card’s BIN and corresponding financial institution and the number of such available cards in that shop’s inventory. Fraudsters would be able to search up to 50 different BINS in a single search.
This novel idea will facilitate the search for compromised cards to cash out and most likely increase the sale of the cards through the different shops. Beyond the fraud potential of this particular finding, the MegaSearch engine fits very well with the ongoing FaaS trend in underground markets, making fraud commodities easily accessible to fraudsters, meeting demand with supply, creating collaborations, and devising easier ways to buy, sell, pay and monetize.
Cybercriminals appear to be keeping the wheels of the underground economy turning in full speed and on time for the busy Holiday season.
Have a look at the MegaSearch website, apparently accessible to anyone with an Internet connection.
Figure 1: MegaSearch Aggregator – Welcome Page
Figure 2: MegaSearch Aggregator – Search Results Page