http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/

State of Black Marketfor Stolen Credit Cards

(2017)

by N. Vlajic

Why Do HackersGo After Credit Cards ?

With more and more businessesas well as shoppers going ‘online’ …

Why Do HackersGo After Credit Cards ?

‘low hanging fruit’ for criminals* C.C. numbers can an be easily stolen from

under-protected e-commerce Web-sites

immediate payoff* stolen C.C. numbers can be used right away,

anywhere in the Internet

low likelihood of capture* it is easy to obscure evidence (e.g., use TOR)

How Do Credit Card NumbersGet Stolen ?

Contactless Scenario 1: Harry the Hacker methods of ‘operation’

* malware installed on a corporate server

* malware installed on a public computer – data skimmed whenever user logs in their bank number,credit card number, email address, password …

* malware installed on a public server – malwaredownloaded to a client machine at every visit of infected Web-site

How Do Credit Card NumbersGet Stolen ?

Contactless Scenario 2: Phishing Phil

method of ‘operation’* malware sent via email as attachment / link

- user must be fooled at opening attachment /link and initiating malware installation

phishing = most common ‘attack vector’ in most (corporate) hacks

How Do Credit Card NumbersGet Stolen ?

Contactless Scenario 3: Smart Junky

method of ‘operation’* look for disposed billing statements

- usually contain complete credit card numbers,address, and other personal information

“Trash bins are a goldmine for identity thieves – make sure you shred personal and financial documents before putting

them in the garbage.”http://www.rcmp-grc.gc.ca/scams-fraudes/id-theft-vol-eng.htm

Examples of ID Theft and FraudWillard C. Smith, the famous actor was a victim of ID theft committed by Carlos Lomax who has also been charged of stealing identity and personal information of famous celebs. Lomax had opened 14 credit cards in Will Smith’s name and racked up a balance of $34,000 in the victim’s name.

Anthony Lemar Taylor impersonated the world famous golfer Tiger Woods and used his SSN and date of birth to get a driver’s license and a credit card in the golfer’s real name- Eldrick T Woods. Taylor went on a shopping spree using the fake credit card, to buy himself a luxury car, a 70-inch TV and other presents worth $17,000.

Luis Flores, Jr., stole Kim Kardashian’s identity and transferred. He had changed the SSN on the account to his own and requested a replacement card to be mailed at his address, where he lived with his mother.

How Do Credit Card NumbersGet Stolen ?

Contact Scenario 1: Waiter/Waitress with Payment Terminal[ dangerous retail insider ]

method of ‘operation’

“The waitress whisks away your credit card and swipes it through the restaurant's register. Then, she pulls out a small device, about the size of an ice cube, from her apron and swipes it through that …”

How Do Credit Card NumbersGet Stolen ?

Contact Scenario 2: Payment TerminalBy ‘Outside Trio’[ dangerous retail outsider 1 ]

method of ‘operation’

“Sally, Simon and Bud walk into a toy store. Bud waits in line to check out. When Bud is at the register, Simoncomes running up to the clerk, screaming that his wifehas fainted. As Sally and Simon distract the sales clerk,Bud switches the credit card reader at the register with a modified one of his own …”

How Do Credit Card NumbersGet Stolen ?

Contact Scenario 3: Credit Card Skimmer(Gas Lass)[ dangerous retail outsider 2 ]

method of ‘operation’

“It's late. There's no one around except a sleepy attendantat the register inside. The Gas Lass attaches a skimmer over the credit card reader at the pump. It's a special skimmer: It emits a Bluetooth signal to alaptop close by. The Gas Lass heads off to the motel nextdoor and sets up her laptop to receive the data …”

Where Do Stolen Credit Card Numbers Go ?

Credit Card

Broker

Credit Card

Carder

Where Do Stolen Credit Card Numbers Go ?

1) Credit Card ‘Brokers’ black market ‘agents’ who buy and re-sell

stolen credit card numbers

Central Shop = Web portal for sale of credit card datahttp://centralshop.cn

What is the selling price forstolen credit card numbers?

http://www.theregister.co.uk/2013/07/02/mcafee_cybercrime_exposed/

http://www.mcafee.com/ca/about/news/2015/q4/20151015-01.aspx

What else can you find onthe black market?

http://www.symantec.com/connect/blogs/underground-black-market-thriving-trade-stolen-data-malware-and-attack-services

2) Credit Card ‘Carders’

criminals that ultimately use/exploit stolencredit card numbers

Where Do Stolen Credit Card Numbers Go ?

ways carders use stolen c. c. numbers

print plastic card with the new number[ not effective in case of EMV/chip cards ]

make online purchases[ not easy on some sites as other user info

may also be required]

Which ‘talents’ shoulda carder posses?

“It is race against the clock to charge as much money to the card as possible

before the bank closes the account.

carders must quickly extract & convertstolen money into other forms of capital[ process aka as money laundering ]

extraction & conversion should be hard to detect or trace back

multiple ‘conversion steps’ often used

‘Credit to Gift Card Shell Game’

http://www.tripwire.com/state-of-security/vulnerability-management/how-stolen-target-credit-cards-are-used-on-the-black-market/

Money Mules

http://bambooinnovator.com/2013/11/26/more-singaporeans-succumbing-to-money-mule-temptation/

aka ‘smurfer’ - serves as an intermediary for criminals & criminal organisations transport fraudulently gained money or goods to

fraudsters

may or may not be aware of ‘true nature of business’

Money Mules

money mule ‘job Ad’ examples

Money Mules

money mule prosecution

https://www.us-cert.gov/sites/default/files/publications/money_mules.pdf

Money Mules

http://www.antimoneylaunderinglaw.com/2013/06/hk-woman-sentenced-for-being-a-mule-for-laundered-canadian-funds-in-hong-kong.html

Money Mules

http://blogs.msdn.com/b/tzink/archive/2010/12/23/graphic-how-a-money-mule-operation-works.aspx

How Do Carders TestStolen C.C. Numbers ?

https://philanthropy.com/article/Fraud-Alert-Criminals-Test/233197

stolen credit card numbers not worth muchunless verified thieves use online payment websites to test

whether c.c. numbers work

in some cases verification is done using bots

Charity Web-sites are ideal for testing of stolen c.c. due to simple (bot-friendly) design and little built-in security.

How Do Law Enforcement OfficersDeal With C.C. Hacks ?

for most cases under $2,000, credit card fraudis investigated by the issuing bank or cardprovider, not the police

in cases where the collar amountexceeds $2,000, local police willget involved and work alongsidethe card issuer to pursue the criminal

How Do Law Enforcement OfficersDiscover and Prevent C.C. Hacks ?

http://krebsonsecurity.com/2015/12/when-undercover-credit-card-buys-go-bad/#more-33186

LE & anti-fraud specialists purchase batches of c.c. numbers from crime forums / carding sites look for patterns that might help identify who

got breached

carding site Rescator is now able to detect ‘suspicious’ transactions done by law enforcement officials purchases get declined

References

[2] bankrate.comhttp://www.bankrate.com/finance/credit-cards/5-ways-thieves-steal-credit-card-data-1.aspx

[1] bloomberg.comhttp://www.bloomberg.com/graphics/2014-data-breaches/

[3] engadget.comhttp://www.engadget.com/2014/07/28/credit-card-skimming-explainer/

[4] motherboard.vice.comhttp://motherboard.vice.com/read/weve-never-seen-a-stolen-credit-card-market-as-slick-as-this

[5] symantec.comhttp://www.symantec.com/connect/blogs/underground-black-market-thriving-trade-stolen-data-malware-and-attack-services/

[6] dailymail.co.ukhttp://www.dailymail.co.uk/sciencetech/article-3276190/How-personal-data-worth-Netflix-details-start-1-hackers-pay-1-200-banking-password.html

[7] mcafee.comhttp://www.mcafee.com/ca/about/news/2015/q4/20151015-01.aspx

[8] nerdwallet.comhttp://www.nerdwallet.com/blog/credit-cards/stolen-credit-card-numbers/

[9] tripwire.comhttp://www.tripwire.com/state-of-security/vulnerability-management/how-stolen-target-credit-cards-are-used-on-the-black-market/

[10] bambooinnovator.comhttp://bambooinnovator.com/2013/11/26/more-singaporeans-succumbing-to-money-mule-temptation/

[11] Reuters.comhttp://blogs.reuters.com/alison-frankel/2014/12/15/sonys-big-bluff-cant-beat-first-amendment/

[12] safeinternetbanking.comhttps://www.safeinternetbanking.be/en/fraud-techniques/money-mules

[13] us-cert.govhttps://www.us-cert.gov/sites/default/files/publications/money_mules.pdf

[14] antimoneylaunderinglaw.comhttp://www.antimoneylaunderinglaw.com/2013/06/hk-woman-sentenced-for-being-a-mule-for-laundered-canadian-funds-in-hong-kong.html

[15] blogs.msdn.comhttp://blogs.msdn.com/b/tzink/archive/2010/12/23/graphic-how-a-money-mule-operation-works.aspx

[15] blogs.msdn.comhttp://blogs.msdn.com/b/tzink/archive/2010/12/23/graphic-how-a-money-mule-operation-works aspx

[16] philanthropy.comhttps://philanthropy.com/article/Fraud-Alert-Criminals-Test/233197

[17] kerbsonsecurity.comhttp://krebsonsecurity.com/2015/12/when-undercover-credit-card-buys-go-bad/#more-33186

[18] informationisbeautiful.nethttp://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks

Questions

1) What is the most common approach thathackers resort to in order to steal credit cardnumbers?

2) Define the term ‘broker’ in the contextof credit card fraud chain?

3) Which types of web-sites are commonly usedby hackers for ‘testing’ of stolen credit card numbers?