When Target was breached in 2013, it didn’t take long for credit and debit card data stolen from its systems to start flooding the underground forums and storefronts that trade in such merchandise.
One was Rescator – a black market outpost that former Washington Post reporter-turned-cybersleuth Brian Krebs discovered was selling more than 1 million of the stolen cards at prices ranging from $20 to $100.
Unlike the hundreds of other forums and shops selling stolen payment card data in the digital underworld, Rescator was different. Apart from the sheer quality of its “dumps,” or data from the magnetic stripe of cards, Mr. Krebs found Rescator’s website to be remarkably efficient and customer friendly.
The site offered potential buyers an opportunity to search for cards by the banks that issued them, by card type, expiration date, country, and by the type of data stored in different tracks in the magnetic stripe on the back of credit and debit cards. It offered buyers a way to check the validity of the stolen cards and claim refunds on cards that didn’t work.
Rescator even included a search feature by ZIP code and location of the stores from which the cards were stolen, a feature that Krebs found especially fascinating. It meant that Rescator was offering buyers a way to make same-state purchases using stolen cards without tripping typical fraud defenses where a financial institution might block transactions made from unfamiliar locations, especially after a major breach.
Rescator is one of many hundreds of increasingly sophisticated sites and forums where people can hawk stolen cards and other illegally obtained goods to those who want it. There are others, as well, with names such as the Republic of Lampeduza, McDumpals, and Blackstuff. These are the places where your stolen Social Security Numbers, bank account information, credit card data, and personal identity information are sold so thieves can use the data on your behalf – and leave you holding the bag.
A recent RAND Corp. study of the market for cybercrime tools shows that such markets are growing in size and complexity. A market that was once characterized by small networks of individuals fueled mostly by ego and notoriety has transformed into a playground for financially driven, highly organized cyber criminals, according to RAND. The profits to be made from these markets are potentially greater than the illegal drug trade with little of the associated risks.
The sheer number of players, their geographic spread, and the increasing use of encryption technologies and anonymizing services such as Tor make it hard to get a handle on the true size and scope of the market. But what is evident is that they pose a growing threat to governments, businesses, and average Internet users.
“These markets are rapidly growing and maturing,” says Lillian Ablon, coauthor of the RAND report. “They are continuously innovating and are full of increasingly sophisticated people largely tied to traditional crime organizations.”
What you can get in these markets depends on what you want to do with it – and how much exactly you are willing to pay for it.
Here, stolen credit cards are a commodity. Everyone sells them. They are available on carding forums, bulletin boards, and via storefronts where you can conduct business like you would at any Web store. Often all it takes to get started is a simple Web search. There are sites that tell you how to purchase stolen cards safely and there are sites that explain how to use them.
All you need to do to find them is plug in search terms such as “carder sites” or “carding sites.”
Carder sites are the barely underground places where the tens of millions of cards stolen from data heists such as those at Target and Home Depot end up being bought and sold. A lot of the supply also comes from countries such as Canada, Britain, Brazil, Argentina, and the country of Georgia, security researchers at Dell’s SecureWorks discovered when scoping out the underground market last year.
Individual cards used to be somewhat more valuable once. These days there are so many of them floating around that prices have come down a bit. Still there’s plenty of money to be made selling stolen debit and credit cards so long as you have enough of them. Prices start at less than $5 per card and go up to around $40 for the premium cards with high credit limits.
Priced to sell
Dell’s SecureWorks team, which has been tracking these markets for about three years, has a sampling of current prices. The typical US Visa and MasterCard currently retails in these markets for about $4 a card, which was what they used to fetch a year ago as well. But prices for US-issued Discover and American Express cards have come down by 25 percent and 15 percent, respectively. Last year you would have had to pay $7 for a stolen American Express and $8 for a Discover card. Now you can get them both for $6.
Cards issued outside the US cost substantially more. Dell pegs the price of the average Visa and MasterCard from the EU and Asia at between $18 and $20 per card, up from $15 a year ago. That’s a 15 to 25 percent hike in just a year. Underground markets are clearly not immune to inflation.
The reason that American-issued cards are cheaper is because there’s a lot more of them than are Chip and PIN cards used abroad, says David Shear, security researcher at SecureWorks. Data stored on the small microchips embedded in Chip and PIN cards is harder to steal and use fraudulently than data contained in magnetic stripe cards.
Thieves can also buy in bulk. Buy 10 cards and get them for $13 a piece. Buy 2,000 and get them for $9 a card. Some even throw in a free hacking tutorials for bulk buyers.
Then there are the options for those who really want to live on someone else’s dime. For between $4,200 and $9,000, blackmarket buyers can purchase credentials that give them access to high quality account with a verified balances of between $70,000 and $150,000. Then, it’s up to the crook to figure out how to siphon the money off without getting caught. And there’s even training for that. Tutorials are available for everything from basic carding to figuring out how to clean out a bank account. A full carder how-to manual costs around just $30, according to SecureWorks.
Then there’s the “fullz.” This is a record that gives a criminal everything you need to assume someone’s identity – their full name, date of birth, address, bank account information, and banking credentials. It costs just $30 for an American fullz and between $40 and $45 for a similar record from other parts of the world, according to Dell. That’s cheaper even than what a premium EU credit card would cost.
But that’s only because using fullz is riskier than using stolen credit cards, says Shear of SecureWorks. “It becomes a lot more personal, and the payoff is not as quick as you have to apply for a credit card, a loan, do other types of more complicated fraud,” he says. With one premium card you have the chance to make at least $1,000, usually by buying high-value items and then fencing them for 75 percent of the market value.
In recent months, many more types of counterfeit documents that have started becoming available in the underground market, Shear and fellow researcher Joe Stewart discovered. Examples include complete identity kits, passports, fake driver licenses, and counterfeit utility bills. Anyone who wants to assume a new identify can buy a scan of a Social Security Number with name and address for $250. For an additional $100, they can get a fake utility bill as a second form of authentication.
The documents enable someone to apply for a fake bank loan, commit check fraud, file fraudulent tax returns, and other kinds of nefarious activity, the researchers say.
Because of the many breaches in the past two years, retailers and banks have become stricter about IDs. So there’s growing demand for hard credentials such as a driver’s license, passport, and Social Security cards, Shear says.
The mall of malware
The larger storefronts and forums don’t just sell credit card data and identity credentials. They also offer malware or hackers for hire. The RAND survey found a staggering list of tools available in the black market, including security flaws for which there are no fixes available, ready-to-launch attack kits, and software for concealing and encrypting malicious software so they can’t be easily detected by security tools.
You can get pretty much everything you need to conduct a malware campaign without knowing a single thing about how the products work, says Ablon of RAND. “It’s easy for anyone to get involved. All you need is an Internet connection. It’s like going to Amazon and clicking and putting the items you want into your shopping cart.”
Prices for malware depend on a variety of factors, she says. Credentials for a Twitter account, for instance, can sometimes garner a better price than a stolen credit card because of the access it provides to the account owner’s contact list and the potential it offers for phishing them. Similarly, credit cards that are fresh off a large breach typically command a higher price because those are likely still active and can be used for fraudulent purchases.
In the same way, prices for exploit or attack kits can vary based on whether the kit is purchased or leased, what exploits are included and what kind of support services are provided, the RAND report noted.
SecureWorks pegs the current prices for tools that allow hackers to remotely control a compromised computer at between $20 and $50. Just a year ago, these same tools sold for $50 to $250. The surplus is driving down the price.
But exploit packs continue to be profitable. The Sweet Orange Exploit Pack, which is used to distribute various malicious tools that target browsers, costs $450 to lease for a week or $1,800 for a full month’s use. That’s peanuts compared to the Cool Exploit Kit from 2013, which together with encryption software and malicious payload cost buyers $10,000 per month to rent, according to RAND.
Somewhat surprisingly, there’s not a whole lot of protected health information on these sites – yet. Despite spiraling fears of medical identity theft and insurance fraud, that information continues to be a rare commodity in underground stores, says Ablon. But that could change. The recent massive breaches at Anthem and Premera Blue Cross suggest that attackers have turned their attention to healthcare data in a big way.
The marketplace itself is fast evolving. There are stores dedicated to a single product or service while others offer a full gamut of stolen identity information, malware and hacking services. Many are online forums where individuals gather to either buy or sell stolen identity and card data or just talk shop. Quite a bit of selling takes place on forums. But usually they are more about exchanging tips, meeting other like-minded people, asking questions and networking with others, Shear says.
Some of these marketplaces have an enormous footprint and can reach tens of thousands of buyers from around the world. Finding them is often just a single Google search away. But breaking in can be tricky. Many require newcomers to have someone vouch for them, or they are limited in what they can do at least until they establish their credibility.
What’s remarkable about the black markets are their meticulous organization. RAND found that site and forum administrators are at the top of the pecking order and are responsible for ensuring that business is conducted in a professional and discreet manner between buyer and seller.
Some of the bigger stores have intermediaries who act like an escrow service in holding buyers’ money until the buyer receives the promised product and has had an opportunity to test it. In other places, administrators hold the money till the buyer approves the transaction.
But these are still criminal forums and, well, run by crooks. Shear recounts a recent incident where the administrators of the Evolution Market, one of the largest and best organized carding site, suddenly closed shop and disappeared with over $10 million in customer money.
Rippers and the feedback loop
Because there’s little way to enforce contractual guarantees and promises, the cyber underground is infested with so-called “rippers” who promise buyers goods and services that they never end up delivering.
But feedback mechanisms on forums and stores ensure that such fraudsters are quickly removed from the marketplace. Though there are no formal dispute resolution services for buyers, the forums allow buyers plenty of opportunity to provide feedback about their experience with a seller, says Thomas Holt, associate professor at the School of Criminal Justice at Michigan State University.
Holt was the coauthor of a 2014 report funded by the Department of Justice on the structure and organization of the international market for stolen data. Negative feedback, he says is an effective mechanism in the cyber underground for keeping rippers somewhat at bay.
A large proportion of the forums and websites appear to be operated by East European gangs including those from countries like Ukraine, Romania, and Russia. Close to 20 percent appear to be operated by US-based groups.
Generally, the forums that are conducted in English tend to have a much greater proportion of negative feedback compared to Russian forums, indicating lower quality products and buying experience, Mr. Holt said.
Establishing a reputation can take time. Often, new sellers have to provide samples of their wares so buyers can test them before negotiating a purchase. Word of mouth validation and personal introductions are huge.
Forum members typically use e-mail, private Twitter accounts, Internet Relay Chat, and services such as Jabber to communicate and transact business. Stores give buyers an opportunity to browse through the store’s catalog of goods, choose what they want and pay using digital currency like bitcoins all without interacting with anyone.
Taking on the Dark Web
Law enforcement has had its share of successes in taking down some of these sites in recent years. The best known example is the taking out of Silk Road, a massive operation that dealt in narcotics trafficking, money laundering, and stolen documents.
But the fallout from these takedowns has been transitory at best, according to RAND. For instance, the 2013 takeout of Liberty Reserve, the digital currency service used widely in the underground, only spawned other currencies. Similarly, the shuttering of various carder forums resulted in others quickly moving in to take their space.
From a law enforcement standpoint, carding forums are hard to stop, Holt says. “If you were to take out a single person, that individual can easily be replaced by other vendors.”
But the payment mechanism present an opportunity for law enforcement, he says. The goal should be to make it harder for criminals to pay or receive money for stolen merchandize, he said.
Holt and others say that law enforcement can be effective if they can are sly enough about trapping criminals by seeing up their own forums or infiltrating existing ones. That approach has worked before. In 2004 the Secret Service successfully infiltrate an operation called ShadowCrew and nabbed its leaders.
“Something like that is extremely effective,” says Holt. “It creates a great degree of distrust between buyers and sellers.”