In this webinar, we provide insights on some of the most relevant underground card shops, which types of products are offered, their prices, and related threat actors and business models.
BLUELIV
Blueliv is Europe’s leading cyberthreat intelligence provider. We continuously search the open, deep, and dark web to discover customer-specific threat information, using automated technology for speed and scale. We retrieve and deliver this intelligence in a modular format, giving customers a straightforward way to confront external cyberthreats and manage their digital risk.
AGENDA
1. Introduction: underground card business models
a. Types of products offered, how these markets work
2. The card shop ecosystem
a. Methodology
b. Major card shops currently active
c. Closed and seized card shops
3. Fighting credit card fraud (advice and prevention)
4. Conclusive remarks
“we wish all young and mature ones cyber-gangsters not to lose themselves in the pursuit of easy money. Remember, that even all the money in the world will never make you happy”
END OF JOKER’S STASH
WHERE ARE CARDS SOLD?
• AUTOMATED VENDING CARTS (AVCS)
• MARKETPLACES
• SPECIALIZED FORUMS AND CHATS
PRODUCTS – HOW ARE THESE OBTAINED?
• Dumps - payment card information (track data)
• Point-of-Sale (PoS) malware: dump process memory, extract track data, exfiltrate stolen information
• Skimmers
ATM skimmer
• CVVs - also known as “cards”
• Phishing pages;
• Digital skimmers;
• Leaked databases;
• Information-stealing malware.
HOW DO BUYERS CASH OUT?
• Card-present fraud
• Uses counterfeit cards created with dumps
• Card-not-present fraud
• Employs CVV data
METHODOLOGY
• How to identify and select important shops?
• Advertisement in forums (threads and sponsorship);
• Reactions and feedbacks;
• Telegram channels + subscribers (plus);
• Marketing actions;
• Shop's structure.
TIMELINE: WHAT HAPPENED SINCE JS' CLOSURE?
Late 2019/early 2020: Rescator closure
January 15, 2021: Joker's Stash closure notice
February 15, 2021: Joker's Stash closure
Late May 2021: All World Cards creation
August 2021: Rescator return
February 2022: The seizure of Ferum Shop, SkyFraud, Trump's Dumps, and UAS Shop
BRIAN'S CLUB
• Bitcoin, Litecoin, Dash, and Cryptocheck;
• Free registration; add balance within 5 days.
• Checkers ($0.5 per check).
• SSN / Date of Birth lookup service (offline).
• Free tools: bins lookup, zip lookup, track1 generator.
• Education Blog, Knowledge Base, Tutorials and Guides + FAQ + Rules
DUMPS: Prices US$3 - US$269.6
CVVs: Prices US$8.4 - US$84
THREAT ACTOR PROFILE – BRIAN KREBS (NOT THE JOURNALIST)
Forums
• First seen: March 25, 2015
• Omerta, Club2CRD, Blackhat Carding, CardVilla, BPC SQUAD
Communication methods
• Forums
• Shop tickets
INACTIVE CARD SHOPS
• Organized closure: early warnings, justification;
• Seized by law enforcement;
• Exit scam.
FERUM
• English-language card shop active since 2013;
• It used to include a banner ad for competitor Trump's Dumps, possibly indicating a link between the two shops;
• Seized by the Russian Ministry of Internal Affairs in early February 2022.
CARD SHOPS SCAM
• Thousands of phishing card shops with typosquatting domains similar to popular card shops.
• Whois registry ~March 2022.
• All phishing card shops have listed the same fake cards.
• "Receive card" section downloads clipboard hijacker malware.
CONCLUSIONS
• The card shops landscape is highly fluctuating, as it is impacted by momentum.
• The importance of continuously monitoring the status of the landscape.
• Future trends: card-not-present > card present.
• Scamming is a part of the ecosystem, taking advantage of the fluctuating scenario.
FIGHTING CARD FRAUD
• Implement EMV 3-D Secure (3DS2) protocol;
• Stay on top of the latest standards (e.g. PCI DSS v4.0);
• Keep all hardware and software up to date;
• Active scanning for skimming equipment and devices at ATMs.
THREAT INTELLIGENCE DELIVERED BY BLUELIV
• Retrieve compromised credentials in real-time
• Recover stolen card information in real-time
• Track malicious activities in the cybercriminal underground
• Discover sensitive data leaked in the wild
• Be armed with continuously updated, intuitive threat intelligence
• Detect malware & analyze suspicious executable files
• Detect and monitor false, infected, modified or copied apps
• Monitor your organization’s digital footprint
• Monitor global social-borne hacktivist operations
• Track illegitimate entities and domains
CREDIT CARD THEFT, DARK WEB, DATA LEAKAGE, SOCIAL MEDIA, ROGUE MOBILE APPS, MALWARE, THREAT CONTEXT, CREDENTIALS, HACKTIVISM, DOMAIN PROTECTION
THANK YOU!
FIND OUT MORE
WWW.OUTPOST24.COM
FREE DEMO
• Detect: The broadest threat collection on the market, delivered in real-time
• Analyze: Actionable and trustworthy information for faster decision-making
• Respond: Timely and dynamic intelligence simplifies the remediation process
Hello everyone. I am Lidia López and I am here today with Beatriz Pimenta. We work as Threat Intelligence Analysts at Blueliv, a Spain-based threat intelligence company, part of the Outpost24 Group. Today we are presenting our research on the underground card shop ecosystem.
We focus on providing intelligence about fresh EXTERNAL cyberthreats that the organizations we work with may suffer (or are already suffering), in a very effective way: only what affects them, presented simply so that it can be mitigated or neutralized. As a Spanish company, we are the European leaders, given that the other players are American, Israeli or even Russian, with complicated implications.
First of all, we are going to speak about underground card business models, explaining which types of products are offered, how the buyers can use them to earn money, and overall, how these markets work. Then we are going to show our research on the most important card shops out there, analyzing them and explaining our methodology to select them. Lastly, we will be sharing some advice on how to fight credit card fraud.
Our research interest arose when Joker's Stash, one of the major carding shops until last year, announced its closure. We were left wondering how such an event could impact the carding landscape, so we decided to investigate the cyclical nature of this sector more in depth. Our objective was to understand what makes a shop successful, and we were curious to see how the closure of Joker's Stash would support the growth of other shops.
So we decided to investigate this ecosystem from the very beginning, trying to understand which kinds of shop there are, how they obtain their products, and so on, before analyzing their rise to prominence.
There are different venues in which one can find cards available to buy. Why choose one option over the others? Well, different choices involve different levels of trust, interaction with sellers, and sale policies.
The first venue, which is our main focus today, is automated vending carts – here, there's no need for buyer-seller interaction. As the name indicates, the platform is completely automated and the sale doesn't require any sort of negotiation. It's simply choose and buy.
The second type are marketplaces, where multiple vendors offer their products and the buyer can choose amongst the available options. Here, the buyer can interact with the seller – and there are different levels of trust that come into play in these transactions.
Finally, there are specialized forums and chat platforms such as Telegram, where the transaction is basically manual. Many forums also have a marketplace section, but this is not mandatory.
So, how do stolen cards end up in the card shops? Card shops have two main selling sections: one for buying dumps and another for buying CVVs. Dumps are payment card information used in card-present fraud. This information is stored on the magnetic stripe of a card and is called track data. The track data contains the sensitive information needed to create counterfeit cards, such as the account number, expiration date, CVV, and the cardholder name. Dumps can be obtained with PoS malware, which infects a Point-of-Sale machine, dumps the process memory, extracts the track data and exfiltrates it.
Dumps can also be obtained with skimmers. Skimmers are hardware devices that are inserted or laid over at ATMs, gas pumps, and other physical payment terminals, to extract the track data from the card.
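The record layouts just described also serve the defender. PoS malware scrapes Track 1 and Track 2 records out of process memory before exfiltrating them, so the same layouts are a useful signature when inspecting a memory dump, a suspicious file or captured traffic. The scanner below is an added example, not code from the presentation or from Blueliv: it matches the ISO 7813 Track 1 and Track 2 formats, drops hits that fail the Luhn checksum to cut false positives, and reports PANs masked to the BIN and last four digits. The sample buffer is constructed; 4111111111111111 is a widely used test card number, and the discretionary-data portion of each record is arbitrary.

```python
"""Find magnetic-stripe track data (Track 1 / Track 2) in a byte buffer.

Added example for this page, not Blueliv's tooling. The sample buffer is
constructed; 4111111111111111 is a widely used test card number.
"""
import re

# ISO 7813 Track 1, format B: %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
TRACK1_RE = re.compile(r"%B(\d{12,19})\^([^^?]{2,26})\^(\d{2})(\d{2})[^?]*\?")
# ISO 7813 Track 2: ;<PAN>=<YYMM><service code><discretionary data>?
TRACK2_RE = re.compile(r";(\d{12,19})=(\d{2})(\d{2})[^?]*\?")

# Constructed buffer: two valid records and one with a bad checksum, amid junk bytes.
SAMPLE_BUFFER = (
    b"\x00\x00junk\x01"
    b"%B4111111111111111^DOE/JOHN^25121011234567890?"
    b"\x00\x00more junk\xff"
    b";4111111111111111=25121011234567890?"
    b";4111111111111112=2512101?"          # fails Luhn: not a real PAN
    b"\x00trailing"
)


def luhn_valid(pan: str) -> bool:
    """Return True when the digit string passes the Luhn checksum (ISO/IEC 7812)."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        digit = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            digit *= 2
            if digit > 9:
                digit -= 9
        total += digit
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the BIN (first 6 digits) and last 4 so a finding can be reported safely."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track_data(buf: bytes) -> list:
    """Return one finding per Luhn-valid track record found in buf, ordered by offset."""
    text = buf.decode("latin-1")    # one char per byte, so match offsets equal byte offsets
    findings = []
    for m in TRACK1_RE.finditer(text):
        pan, name, yy, mm = m.groups()
        if luhn_valid(pan):
            findings.append({"track": 1, "offset": m.start(), "pan": mask_pan(pan),
                             "name": name.strip(), "expiry": f"20{yy}-{mm}"})
    for m in TRACK2_RE.finditer(text):
        pan, yy, mm = m.groups()
        if luhn_valid(pan):
            findings.append({"track": 2, "offset": m.start(), "pan": mask_pan(pan),
                             "expiry": f"20{yy}-{mm}"})
    return sorted(findings, key=lambda f: f["offset"])


if __name__ == "__main__":
    for finding in find_track_data(SAMPLE_BUFFER):
        print(finding)
```

On the constructed buffer the scanner reports the Track 1 and Track 2 records for the test PAN and ignores the third record, whose checksum fails. Luhn filtering is what keeps such a rule usable on real memory images, where digit runs separated by `^`, `=` and `?` occur by chance.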
The other main type of product available is CVVs, which are used in Card-not-Present (CNP) fraud to conduct fraudulent online transactions. There are several ways in which CVVs can be obtained. Threat actors can create a phishing website mimicking a retailer's e-commerce site to steal the information entered during an online purchase. Magecart threat actors can also compromise shops built on e-commerce platforms such as Magento or Shopify, injecting JavaScript-based web skimmers.
Other ways to obtain CVVs are leaked databases and information stealers with the capability of stealing cards. Information stealers can be easily bought for prices starting as low as US$10 per month (as is the case with Bloody Stealer, for instance).
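A web skimmer of the kind injected into compromised Magento or Shopify shops shows up as an extra external `<script src>` or extra inline JavaScript on the checkout page. One defensive control a merchant can run is therefore a periodic script inventory: fetch your own checkout page and compare the scripts it loads with a baseline captured when the page was known to be clean. The code below is an added example, not code from the presenters or from any e-commerce platform; both HTML documents, the allowed host list and the injected placeholder script are constructed for the demonstration.

```python
"""Compare the scripts a checkout page loads against a known-good baseline.

Added example for this page; not the presenters' code. All HTML documents
and host names below are constructed.
"""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed baseline: the checkout page as it is supposed to look.
BASELINE_HTML = """<html><body>
<form id="checkout"><input name="card"></form>
<script src="/static/checkout.js"></script>
<script src="https://js.payment-provider.invalid/v1.js"></script>
<script>window.checkoutConfig = {"currency": "EUR"};</script>
</body></html>"""

# Constructed later capture of the same page with two additions: an external
# script from an unknown host and a new inline script (placeholder content).
SUSPECT_HTML = """<html><body>
<form id="checkout"><input name="card"></form>
<script src="/static/checkout.js"></script>
<script src="https://js.payment-provider.invalid/v1.js"></script>
<script>window.checkoutConfig = {"currency": "EUR"};</script>
<script src="https://cdn.static-assets.invalid/jquery.min.js"></script>
<script>console.log("injected placeholder");</script>
</body></html>"""

# Hosts allowed to serve scripts on the checkout page (constructed list).
ALLOWED_HOSTS = {"shop.example", "js.payment-provider.invalid"}


class ScriptCollector(HTMLParser):
    """Collect external script URLs and SHA-256 digests of inline script bodies."""

    def __init__(self):
        super().__init__()
        self.external = []
        self.inline_hashes = []
        self._in_inline = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_inline = True
            self._buf = []

    def handle_data(self, data):
        if self._in_inline:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_inline:
            body = "".join(self._buf).strip().encode("utf-8")
            self.inline_hashes.append(hashlib.sha256(body).hexdigest())
            self._in_inline = False


def script_inventory(html):
    """Return (external_urls, inline_hashes) for one HTML document."""
    collector = ScriptCollector()
    collector.feed(html)
    collector.close()
    return collector.external, collector.inline_hashes


def audit_checkout_page(html, allowed_hosts, baseline_inline_hashes):
    """Flag external scripts from unknown hosts and inline scripts absent from the baseline.

    Relative URLs have no hostname and are treated as first-party.
    """
    external, inline = script_inventory(html)
    unexpected_external = [
        url for url in external
        if (urlparse(url).hostname or "") not in ("", *allowed_hosts)
    ]
    new_inline = [h for h in inline if h not in baseline_inline_hashes]
    return {
        "unexpected_external": unexpected_external,
        "new_inline": new_inline,
        "clean": not unexpected_external and not new_inline,
    }


if __name__ == "__main__":
    _, baseline_inline = script_inventory(BASELINE_HTML)
    print(audit_checkout_page(BASELINE_HTML, ALLOWED_HOSTS, set(baseline_inline)))
    print(audit_checkout_page(SUSPECT_HTML, ALLOWED_HOSTS, set(baseline_inline)))
```

Hashing inline bodies rather than storing them means the baseline contains no page content, and any edit to an existing inline script (not only a newly added one) also surfaces as a new hash. A Content Security Policy with a strict script allowlist enforces the same inventory in the browser; this check is the monitoring counterpart that catches drift on the server-rendered page.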
How card data is monetized is also a crucial step to look into, as it can take place in different ways.
There are two categories of unauthorized transactions: Card-present fraud and Card-not-present fraud.
Card-present fraud is a physical transaction in a store, in which the threat actor pays the merchant with a counterfeit card.
Card-not-present fraud can happen through internet, phone, and mail-order transactions.
Now that we have established the logic behind how card shops function, we are going to take a look at shops that are relevant in the cybercriminal landscape, regardless of their current status, online or offline. Today we are analysing four shops: Brian's Club, Rescator, All World Cards, and Ferum. Each of them offers an interesting angle, and together they compose a bigger picture of the current card shop ecosystem.
We established some criteria to guide our research and allow us to compare shops. The first aspect is the presence on forums: whether the shop is advertised on forums and on which ones, the frequency of posts and updates, the feedback from forum members, whether the threat actor advertising the shop has a good forum reputation and responds to questions and comments, whether they are involved in arbitration issues, and whether the shop is a forum sponsor.
A second aspect is related to other methods of communication: we established that having a Telegram channel for further advertisement and communication of updates is also relevant and makes the shop more trustworthy. The number of subscribers to a channel is only a secondary criterion, but it is a good indicator of the shop's fame.
Furthermore, we believe marketing actions to be an interesting way to evaluate if the shop has assets and exclusive features.
Finally, and most importantly, there is the shop's structure per se: the layout, the way the products are organized, the refund policy, whether the shop is automated or not, whether it offers additional tools for the client's convenience, and what the contact methods are and whether they are efficient. All of these elements make the shop more reliable and tend to attract loyal clients.
Here is a brief timeline of the major events in the card shop ecosystem since the closure of Joker's Stash. The timeline is useful for identifying potential reactions to the shop's closure, with other shops coming along to fill the void.
Joker's Stash announced its closure in early January 2021 and a month later it finally shut down. Only three months after that, All World Cards came into play, with a huge marketing action to promote its opening. In August 2021, after a year and a half offline, Rescator came back to the ecosystem, trying to take back its place as one of the most relevant card shops.
Finally, and more recently, in February 2022, major card shops such as Ferum and Trump's Dumps were seized by Russian law enforcement agencies. This event impacts the ecosystem, as other shops seem careful not to be the next ones seized. For instance, All World Cards announced that, "due to recent events", they would take a break from their activities, most likely to let things cool down. However, they have not come back since, raising the possibility that they used the opportunity to carry out an exit scam.
As our first active card shop, we have Brian's Club.
Brian's Club is one of the most prominent and longest-lived card shops in the ecosystem. Registration is free, but users must add balance within 5 days or the account is deleted. Payments can be made in different cryptocurrencies for customer convenience.
Some interesting additional features of the shop are paid tools such as checkers, which are used to check the quality of dumps before purchasing them. There are also free tools such as Bank Identification Number (BIN) lookup, used to validate cards, and a section dedicated to tutorials and education about the carding world. All these tools add value to the shop, give it a robust structure, and allow clients to feel safer about their purchases.
Speaking of products: dumps can be purchased for prices that range between 3 and 269 US dollars, while the price range for CVVs is between 8 and 84 US dollars. The difference in prices is due to many aspects, but it tends to be intuitive. If a product contains more personal data, it is more expensive; if it is a platinum card rather than a gold one, it is more expensive; if the expiration date is far from the current date, it is more expensive; and the list goes on.
• Most expensive dumps: credit card, expiration date 2023, Track 1 data included, OK for international use, refundable (which is highly valuable).
• Cheapest dumps: debit cards, expiration date 2022, non-refundable, unknown bank.
Brian's Club is a great example of an automated vending cart: as you can see, sales are automated in a way that you can simply use the filters to sort by your preferences, select the desired products, add them to the cart and complete the purchase.
Here we have a screenshot of the dumps section, and we see that there are many filter categories: if it's Visa, Mastercard or other; Debit or Credit cards; Expiration Date; Country; Bank; Price, and others.
Brian's Club owner is a threat actor that goes under the moniker "Brian Krebs" - of course, not the journalist. Brian Krebs is active in different specialized forums such as Club2Card and Cardvilla, for instance, since early 2015, where they advertise the shop via threads and forum sponsorship, update their threads with new additions to the shop, and interact with forum members. Besides the forum, the only way to communicate with Brian Krebs is through shop tickets in Brian's Club.
In this screenshot we have an example of a thread started by Brian Krebs that aims to advertise their shop, highlighting the shop's strong aspects and providing all available and trusted domains. Similar threads are found in multiple other forums.
Here's an interesting finding, more of a fun fact: while conducting the research for this presentation, we spotted that the threat actor behind the famous card shop Rescator has been checking Brian Krebs' profile on the BPC forum. It highlights that, as in any other conventional market, competitors keep an eye on their peers to keep their shops, products, and prices relevant and up to date.
As we just mentioned, Rescator is a competitor of Brian's Club, and it is also an automated vending cart. Rescator used to be highly active until late 2019; it then went offline and came back in mid-2021, an interesting case that demonstrates how volatile this landscape can be.
Unlike Brian's Club, it only accepts payment in Bitcoin, but registration is also free. Like Brian's Club, Rescator also provides paid tools to its customers, but fewer tools are available. An interesting feature of the shop is that VIP customers get the shop's updates one hour before the rest of the customers, which is a nice incentive.
In terms of products:
In this screenshot, we see the CVV section of Rescator. There are different filter categories, similar to the ones found in Brian's Club, but Rescator has additional categories, such as Phone number and Birthday. The more detailed the product, the more interesting it can be to buyers – and the more pricey it is. Of course, prices depend on different criteria – expiration date, country, card type, etc. - but the amount of information is also relevant.
The current moniker advertising Rescator in forums is LegendaryRescator. Interestingly, in the shop's early days, the owner used the moniker "Rescator" (or the alias "Hellkern") in underground forums such as Lampeduza, and ran four different card shop brands, which eventually all merged into Rescator. Blueliv analysts have not been able to verify whether that account was managed by the same person now using the LegendaryRescator moniker.
Card shops can become inactive for various reasons. The first is exemplified by what happened with Joker's Stash: an organized closure. In this case, the shop's administrators give early warnings and may or may not provide a justification for the closure. The shop's customers are given time to withdraw funds and make final purchases.
The second option is seizure by law enforcement. Earlier this year, we saw the seizure of at least 4 major shops by Russian law enforcement, and more and more governments and multilateral organizations are engaged in this type of operation.
Finally, we have exit scams. Upon collecting a certain amount of funds, a shop administrator simply vanishes and keeps the money. The first thing that comes to mind when a shop goes offline is the possibility of an exit scam, with customers complaining in forums, worried about their lost money. Yet one may never know what truly happened, as a shop going offline may also be the consequence of a law enforcement action that has not been publicly disclosed.
As our first inactive card shop we have Ferum. Ferum was one of the biggest card shops since 2013, until the Russian Ministry of Internal Affairs took it down last February. Interestingly, the shop included a banner ad for the competitor Trump's Dumps, which was seized by the same Russian authorities.
According to metrics provided on the shop itself, Ferum Shop had millions of compromised cards, but it did not have advanced features and its design was very basic.
All World Cards went offline in late February 2022, as I mentioned earlier, and ever since, rumours around the closure have pointed towards an exit scam. On the Club2Card forum, the threat actor behind All World Cards has recently been banned and classified as a "ripper".
But before all that happened, All World Cards rapidly became prominent thanks to a marketing action. To promote the shop, they announced on multiple forums the release of 1,000,000 credit cards for free in August 2021. According to the forum posts, the cards in question were compromised in 2018 and 2019, but many forum members claim to have found cards amongst them that were still active in 2021. We assess that these 1 million cards were obtained in card-not-present transactions, which implies that most probably they were obtained through phishing, digital skimmers, and even social engineering.
When researching card shops, we often encounter phishing websites from scammers. The Blueliv Labs team recently found a card shop that looked suspicious. Upon investigation, we found hundreds of thousands of domains hosting alleged card shops that were in fact phishing pages, using very similar domain names to the All World Cards shop, Ferum, Trump's Dump, Brian's Club, and many others.
All of these phishing shops have listed the same fake cards and when the client clicks on the section "receive card", they are redirected to an onion site to download a file that is, in fact, a clipper malware.
Analyzing some of these domains, we found pages created between 2015 and 2022, so this is probably one operation with different campaigns, and maybe the newer ones (dated early March 2022) are indeed influenced by recent events such as the takedown of major shops like All World Cards.
This is how one of the shops looked. This domain mentioned the name Ferum, but the shop did not mimic the legitimate layout of the defunct Ferum, so we decided to investigate.
If the visitor clicked on the "Receive card" section to get a free card, it asked them to go to a Tor mirror of the site, which contained a malicious download link. Our malware reversing team analyzed it and found that it is a clipper malware, which replaces cryptocurrency addresses in the clipboard with an address controlled by the attacker.
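The campaign above was recognisable because its domains were near-copies of known shop names. The same lookalike check is a standard brand-protection control for any organization that watches newly observed domains for typosquats of its own names, and the code below generalizes it to an arbitrary watch list. It is an added example, not Blueliv's method: each domain label is normalized (TLD, hyphens and dots removed, common digit-for-letter swaps undone) and scored against each protected name with optimal string alignment distance (Damerau-Levenshtein with adjacent transpositions). The brand name, the observed domains and the 0.8 threshold are constructed for the demonstration.

```python
"""Triage observed domains for lookalikes of a protected name list.

Added example for this page, not Blueliv's method. Brand names, domains
and the threshold below are constructed.
"""

# Common digit-for-letter substitutions undone before comparison.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t"})

# Constructed watch list and constructed observed domains.
BRANDS = ["examplebank"]
OBSERVED = [
    "examplebank-login.invalid",   # brand embedded in a longer label
    "exarnplebank.invalid",        # 'rn' standing in for 'm'
    "3xamplebank.invalid",         # digit swapped for a letter
    "exmaplebank.invalid",         # transposed letters
    "weather-forecast.invalid",    # unrelated
]


def normalize_label(domain: str) -> str:
    """Lower-case, drop the TLD, remove separators and undo digit/letter swaps."""
    host = domain.lower().rstrip(".")
    label = host.rsplit(".", 1)[0]          # naive TLD strip; fine for one-level TLDs
    return label.replace("-", "").replace(".", "").translate(LEET)


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: edits plus adjacent transpositions."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,          # deletion
                          d[i][j - 1] + 1,          # insertion
                          d[i - 1][j - 1] + cost)   # substitution
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)   # transposition
    return d[len(a)][len(b)]


def similarity(label: str, brand: str) -> float:
    """1.0 for identical strings, falling towards 0.0 as edits accumulate."""
    longest = max(len(label), len(brand)) or 1
    return round(1.0 - osa_distance(label, brand) / longest, 3)


def triage(domains, brands, threshold: float = 0.8):
    """Return the domains worth an analyst's attention, best matches first."""
    hits = []
    for domain in domains:
        label = normalize_label(domain)
        for brand in brands:
            score = similarity(label, brand)
            if score == 1.0:
                reason = "exact match after normalization"
            elif brand in label:
                reason = "brand embedded in label"
            elif score >= threshold:
                reason = "within edit-distance threshold"
            else:
                continue
            hits.append({"domain": domain, "brand": brand, "score": score, "reason": reason})
    return sorted(hits, key=lambda h: -h["score"])


if __name__ == "__main__":
    for hit in triage(OBSERVED, BRANDS):
        print(hit)
```

The embedded-brand rule matters because a long label such as `examplebank-login` scores poorly on edit distance alone (0.688 here) yet is the most common typosquat shape; the distance rule catches the short substitutions and transpositions that containment misses. In production the observed list would come from certificate transparency logs or zone-file feeds, and the threshold is tuned per brand length.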
This was an interesting finding not only due to the magnitude of the campaign, but because we see cybercriminals trying to infect other cybercriminals. Apparently, as the saying goes, it's no crime to steal from a thief.
The conclusion we hope is clear now is that the card shops landscape is highly fluctuating, as it is impacted by different actors, events, historical moments, adoption of security policies, etc. Law enforcement agencies have a huge impact on the landscape, but personal reasons might lead criminals to withdraw from the carding scene. The political momentum also plays an important role on the fluctuation of shop's activities. Additionally, security policies might impact the availability of products for the shops, which also impacts the landscape.
Therefore, it is crucial to continuously monitor sources such as forums, Telegram, and shops to be up to date with developments. This non-stop effort may lead us to the discovery of new trends for the future, such as the rise of the importance of CVVs over dumps as more and more countries adopt security chips instead of magnetic stripes in their payment systems.
Finally, as we saw with the example of the phishing pages mimicking card shops, scamming is also an inherent part of the card shops ecosystem. Scammers also attack other cybercriminals and take advantage of their behaviour to profit from it.
Additionally to our conclusions, we wanted to offer some brief advice on ways to fight card fraud. The first one is that online retailers should implement the 3-D Secure protocol to secure Card-not-Present transactions; this protocol was set in place by card issuers to implement an additional security layer to online transactions. Therefore, it reduces the risk to the consumer, to the retailer, and presents a challenge to cybercriminals attempting to steal cards.
Second, staying on top of the latest global security standards is highly recommended. One example is adopting the latest version of the PCI DSS global data security standard (v4.0).
More general advice includes keeping all hardware and software up to date, which reduces the attack surface and allows vulnerabilities to be patched quickly.
Finally, the physical scanning of equipment to detect skimming devices is also an important step in fighting card fraud.
Download our Follow the Money whitepaper and visit our blog for more information.
If you have any questions, any comments, or simply want to get in touch, please feel free to reach out to us!
Thanks for your attention.