Threat Intelligence

Card fraud in the deep web

June 16, 2015 by Pierluigi Paganini

The majority of activities related to credit card fraud are made in the underground forums and specialized hidden services in the deep web. These environments allow the streamlining of illegal activities related to the commercialization of stolen credit and debit cards and related data. The underground ecosystem represents a portion of cyberspace that is considered crucial for the business of criminal crews that specialize in fraudulent activities related to payment cards.

Underground communities offer various products and services, including the bulk of stolen card data, malicious codes to compromise payment systems (i.e. PoS, ATM), money laundering services, plastic, and card-on-demand services. In these black markets, criminals can easily acquire and sell tools, services, and data for various kinds of illegal activities.

The offer of criminal activities is extremely varied. Security researchers constantly monitor black markets and their evolution in order to identify noteworthy trends, and this is the purpose of the post.

In recent months, principal actors involved in the sale of payment card data are also offering any kind of documentation that is usually used by crooks in more sophisticated frauds.

Passports, driver's licenses, and utility bills are commonly used by criminal rings for identity theft, an activity that allows them to open bank accounts or accounts for other payment services that are used in the cash-out process.

Banking accounts opened with fake identities are used as payment recipients for the sale of any kind of product and service related to credit card fraud.

Figure 1 - Card frauds (European Central Bank - THIRD REPORT ON CARD FRAUD)

Another element to consider is that online crimes related to payment cards are becoming prevalent with respect to credit card cloning. Criminal organizations that sell products and services related to card frauds in the underground find it more profitable to sell stolen card data than use it by cloning legitimate cards and using them.

This depends strictly on geography. In a country like the US, where credit cards are still based on a magnetic stripe, it has been observed that an impressive amount of credit card fraud involves malware.

2014 was characterized by an impressive sequence of data breaches that compromised hundreds of millions of payment cards, and the retail industry was the most impacted sector according to principal security firms.

The effects on what the black markets offer are evident. Principal sellers in the underground not only offer stolen card data, but are also focusing their offer on customers that intend to run malware-based attacks against companies operating in the retail industry.

Let's start our tour!

Card frauds - what is possible to buy in the underground?

Credit card fraud represents a pillar of the underground economy. The majority of underground markets and criminal forums are crowded with sellers that offer products and services to facilitate, streamline, and industrialize this criminal practice.

Visiting the principal underground communities, it is possible to acquire numerous products and services. For this reason, let's look at the most popular terms used by crooks:

  • CVV is a term used to indicate credit card records that may contain several bits of data, including the cardholder name, card number, cardholder address, expiration date, and CVV2 (the three digit code reported on the back of a card). A common error is to confuse CVVs with the code composed of the three digits that is on the back of a payment card.
  • CVVs are used by criminal crews for online purchases that allow them to cash out the stolen data. The prices for this kind of data range from less than $10 (for U.S. cards) up to $25 (for EU cards sold by sellers with a high validity rate).
  • DUMPs is a term used to indicate raw data stored on the magnetic strip of a smart card. A Dump is usually obtained by physically skimming the card or by using point-of-sale malware that is able to scrape the memory of the payment systems to siphon card data. The DUMPs are used by criminal crews to clone legitimate credit cards; their prices depend on multiple factors, including the nation of the cardholder and the card expiration date. A credit card dump costs around $20 - $125; prices are usually higher than those of CVVs because the payoff is bigger.
  • FULLZ is a term that refers to the full financial information of the victim, including name, address, credit card information, social security number, date of birth, and more. The information could be used by crooks to commit more complex frauds. The availability of FULLZ allows hackers to steal the identity of cardholders. This means that they could open temporary bank accounts to use in the cash-out phase. A common abuse of FULLZ data consists in performing bank transactions that request users to provide financial information as an authentication mechanism.
  • Some sellers also offer FULLZ belonging to deceased people. Despite the fact that they usually include data related to credit cards that are no longer valid, crooks can still exploit them for various kinds of illegal activities. Dead FULLZ could be used to order new credit cards on behalf of the victim, or open a bank account used for cash out through money mules, or for tax refund scams. Dead FULLZ usually cost around $1-3 each.

Black markets

    There are numerous places on the Internet where it is possible to pay for products and services related to card fraud. Hacking forums, carding forums, and hidden services in the Tor network are the places where it is possible to buy CVVs, DUMPs, and FULLZs.

    Apart from rare exceptions, cyber-criminals prefer to purchase stolen credit card data on the black market because these platforms offer escrow services and highly reputable vendors ranked by efficient mechanisms based on feedback.

    Everyone that searches for stolen card data will find online the name of one of the most prolific carders, Rescator, who is considered one of the most important players in the underground community that provides any kind of goods related to card frauds.

    Rescator manages one of the most popular online marketplaces, where users can easily buy dumps and CVVs by using a common e-commerce interface. Rescator offers the possibility to choose the product category, the country, any ancillary information like the type of dump (VISA, MasterCard, AMEX, etc.) and the type of card to retrieve.

    As shown in the image below, users can also buy card DUMPs filtering by expiration date and banks; this information is very useful for a buyer to acquire data or to use the stolen data to target users in a specific geographic area. For example, the ability to target bank customers in a specific area makes it very difficult to discover card frauds with automatic systems because transactions appear legitimate and go undetected, since the card owners do not report the crime.

    Figure 1 – Rescator Website – Searching for CANADIAN DUMPS

    As I have anticipated, the anonymity offered by many black markets in the Tor network is attracting a growing number of sellers and buyers.

    The principal black market places in the Tor network are:

    | Black Markets | Onion address | Card Fraud Listing (%) |
    |---|---|---|
    | Abraxas | abraxasdegupusel.onion | 0,79% |
    | Agora | agorahooawayyfoe.onion | 0,33% |
    | AlphaBay | pwoah7foa6au2pul.onion | 4,55% |
    | Nucleus | nucleuspf3izq7o6.onion | 0,46% |
    | Italian DarkNet Community | 2qrdpvonwwqnic7j.onion | 26,92% |
    | Dream Market | ltxocqh4nvwkofil.onion | 1,45% |
    | Haven | havenpghmfqhivfn.onion | 1,39% |
    | Middle Earth | mango7u3rivtwxy7.onion | 0,42% |

    Every black market has its specialization; some marketplaces mainly sell products like drugs and weapons, while others host communities of carders and hackers that offer many products for card frauds.

    In the above table, the attribute "Card Fraud Listing %" indicates the percentage of card fraud products with respect to the overall products offered on the black market. AlphaBay appears to be one of the best marketplaces in which to buy credit fraud products.

    The AlphaBay Market has a specific section dedicated to Frauds; this category includes payment card fraud, account frauds, personal information, and generic services.

    Products and services for Payment cards account for nearly 25 percent of the "fraud listing."

    | Fraud | Percentage |
    |---|---|
    | Account & Bank Drops | 48,52% |
    | CVV & Cards | 19,90% |
    | DUMPs | 4,60% |
    | Personal Info & Scans | 11,70% |
    | Other | 15,27% |

    The black market offers card data of any country, the majority of which come from UK, US, Australia and Germany.

    US stolen credit card data goes for $6-$25, while European CVVs are offered for higher prices ranging from $14 to $45. The price of credit card DUMPs is higher than that of CVVs; US and UK collections of data are sold at prices which start at about $10 and go up to $100.

    Figure 2 – Alpha Bay CCV listing

    Numerous sellers offer FULLZ belonging to bank customers of every country. European FULLZ are more expensive than US ones; their price varies from $15 up to $45.

    Another black market that appears very popular is Nucleus Marketplace (http://nucleuspf3izq7o6.onion/).

    The majority of CVVs and DUMPs are related to US and UK payment cards. US credit card data costs $6-$18; the low price is a consequence of the availability of a large amount of card data compromised in the numerous data breaches occurring overseas. European CVVs are sold for higher prices; the market offers credit card data from the UK, France, Spain, and the Netherlands for a price that ranges from $9 to $25.

    Figure 3 - CC data available in the Nucleus black market

    The price of credit card DUMPs is higher than that of CVVs; US and UK collections of data are sold at prices which start at about $20 and go up to $60.

    Figure 4 – Card DUMPs available in the Nucleus black market

    A limited number of sellers on Nucleus also offer reloadable cards, a precious commodity for card fraudsters that need to cash out their efforts. The criminals recharge these cards with illegal profits and cash out by withdrawing at bank ATMs or by acquiring luxury objects and electronic equipment.

    Figure 5 - Reloadable Visa Debit Cards offered on Nucleus

    Another interesting community is the Italian Darknet Community; it is a small black market with a strong propensity for carding activities.

    Figure 6 - Italian Darknet Community

    US stolen card data (CVV) is offered for prices that range from 5 up to 15 euros, while European records are sold for 13 – 25 euros.

    A limited number of sellers offer FULLz that go for nearly 25-45 euros for European cards, while US ones are offered for a starting price of 25 euros.

    Among the services offered in the Italian Darknet Community are also carding and full drop services.

    Another interesting underground community is "THE HELL" (hell2bjhfxm77htq.onion); it includes a carding section in which sellers offer any kind of product and services for card frauds.

    The majority of vendors offer credit card data related to US cards at very cheap prices. US CC CVVs go for $3 - $10, while US card DUMPs start from $15 and go up to $35. FULLZ data related to US cards can reach $100 if it is offered with a high validity rate.

    Figure 7 - The Hell Black Market

    The last market that we will visit in this short tour of the carding forums and markets is Agora (agorahooawayyfoe.onion). Agora is a very popular black market that is specialized in the sale of drugs, but that also includes several sellers offering credit card data. The prices are aligned with the ones offered by other marketplaces: USA and Canadian CVVs go for $10-$20, while the prices for DUMPs are higher and start from $25.

    Figure 8 - Agora Dark Marketplace

    Conclusions

    Let's close this rapid tour of the principal black markets that offer products and services for card fraud by reviewing the prices for the goods we have found.

    Prices reported in the following table are related to the various offers in the black marketplaces visited during our quick investigation. We have to consider that many sellers allow negotiating the cost of each item and sell sets of hundreds of CVVs and DUMPs at lower prices.

    The prices are extremely variable and depend on multiple factors. The trend in the diversification of the offer relies on the availability of a wide range of services, which can induce a buyer to choose a particular seller.

    Among these services are escrow, cash out through custom carding services, and the personalization of the offer according to various parameters, including geography, minimum amount guaranteed, and expiration date of credit card data.

    | Product | Price |
    |---|---|
    | CVVs | |
    | Visa and MasterCard CVV (US) | $3-$20 |
    | American Express CVV (US) | $5-$20 |
    | Visa and MasterCard CVV (EU) | $15-$30 |
    | Visa and MasterCard CVV (Australia) | $8-$10 |
    | Visa and MasterCard CVV (Canada) | $6-$15 |
    | DUMPs | |
    | Visa and MasterCard DUMP (US) | $20-$45 |
    | American Express DUMP (US) | $25-$50 |
    | Visa and MasterCard DUMP (EU) | $35-$60 |
    | Visa and MasterCard DUMP (Australia) | $45-$50 |
    | Visa and MasterCard DUMP (Canada) | $35-$50 |
    | FULLz | |
    | US FULLz | $25-$100 |
    | EU FULLz | $30-$125 |

    I will continue to monitor the evolution of the dark communities in order to report any phenomena of interest.

    Stay tuned …

    A special thanks to an anonymous informer that uses the pseudonym "ping," who supported me during the investigation and provided precious suggestions on dark communities.

    Pierluigi Paganini

    Pierluigi is a member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group, member of Cyber G7 Workgroup of the Italian Ministry of Foreign Affairs and International Cooperation, Professor and Director of the Master in Cyber Security at the Link Campus University. He is also a Security Evangelist, Security Analyst and Freelance Writer.

    Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years of experience in the field; he is a Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to found the security blog "Security Affairs", recently named a Top National Security Resource for US.

    Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines.