Credit Card Fraud Investigation: Underground Card Shops
In our latest credit card fraud investigation blog our threat intelligence analysts investigate the current card shop ecosystem, from active shops and the return of Rescator as well as other recently shuttered card shops and credit card fraud to look out for.
In February 2021, shortly after the closure of the once top-tier card shop Joker’s Stash, the Outpost24 Labs team conducted an investigation on the state of underground card shops amidst the closure’s context. A little over a year later, we decided it was time to update the research and investigate what might have changed in this period. This time, also inspired by another major event: in early February 2022, Russian law enforcement agencies seized 4 major card shops – Trump’s Dumps, FERum, SkyFraud, and Ultimate Anonymity Services (UAS). Besides this blogpost, the outcomes of this research were also presented at Botconf 2022 in Nantes, France: the slides of the presentation can be found here; and the presentation recording, here. We also have a live webcast where you have direct access to our panel of threat intelligence experts and latest fraud insights.
To guide our research, we established some criteria to be able to analyze and compare shops – more precisely, automated vending carts. Having established our research methodology (further described below), we reached the following result: as currently active shops, we are analyzing Brian’s Club and Rescator, and as currently inactive shops, FERum and All World Cards. Each one of them provides us with an interesting angle that composes a bigger picture of the current status of the card shop ecosystem.
Before diving into the analysis, a brief timeline of relevant events in the card shop ecosystem in the past two years is provided as an attempt to identify potential trends in the card shop ecosystem:
The methodology developed for this research includes 4 categories that might determine a shop’s popularity, reliability, and distinctness. ·
- The first one is the presence on forums: if the shop is advertised on forums, which forums, the frequency of posts and updates, what is the feedback from forum members, if the threat actor advertising the shop has a good forum reputation or if they respond to questions and comments, if they are involved in arbitration issues, and if the shop is a forum sponsor.
- The second aspect is the communication methods: having a Telegram channel for further advertisement and communication updates is also relevant and makes the shop more trustable. The number of subscribers to a channel is a plus, but is a good indication of the shop’s popularity.
- Furthermore, marketing actions are an interesting way to evaluate if the shop has assets and exclusive features.
- Finally, and most importantly, is the shop’s structure per se: the shop’s layout, the way the products are organized, the refund policy, if the shop is automated or not, if they offer additional tools for the client’s convenience, and what are the contact methods and if they are efficient. All of these elements can make the shop more reliable and tend to attract loyal clients.
Credit Card Fraud Investigation: Active Card Shops
Brian’s Club remains one of the most prominent and long-lived automated vending carts in the ecosystem.
Brian’s Club offers some interesting additional features, such as free and paid tools, for customer convenience, besides a whole section dedicated to tutorials and education about the carding world. All these tools add value to the shop, as it has a robust structure, and allows clients to be safer about their purchases.
As for offered products, the differences in prices comes due to many aspects, as follows: if the product contains more personal data of the affected customer, it is more expensive; if it’s a platinum card over a gold one, it is more expensive; if the expiration date is far from the current date, it is more expensive; if it is a credit card over a debit card, it is more expensive; and the list goes on. As a concrete example: in the case of the US$269 dump, the price is justified by the following reasons: it is a credit card, the expiration date is set to 2023, it has Track1 data, it is ok for international use, it is a refundable product, it was issued by a well-known UK bank – all features that characterize a highly valuable product. In contrast, the US$3 dump is low priced due to the fact that it is a debit card, with the expiration date set for mid-2022, it is a non-refundable product, it was issued by an unknown bank – all features that make a product less valuable.
Brian’s Club also implements a system of customer reputation, named Crab Rating. This rating system aims at encouraging clients to complete more purchases, so they can get better purchase conditions in the next purchase. The highest rating position, named “super crab”, grants the customer a discount worth 15% off in purchases, besides earning a VIP status in the shop.
To increase the shop’s audience, Brian’s Club is a forum sponsor of the following specialized forums: Omerta, Club2CRD, CardVilla, Verified, BlackHatCarding, Carders[.]ws, Darknet Forums, and BPC SQUAD.
Rescator is a carding automated vending cart active since 2013. Rescator used to be one of the biggest card shops until 2019, then it went offline, and unexpectedly came back in mid-2021. Rescator’s case demonstrates how this landscape can be highly volatile and that inactive card shops are not always permanently gone.
Back in 2013 and 2014, media and security blogs reported big data breaches involving card theft reported from popular retailers that end up sold in Rescator, such as in the case of Target, Home Depot and Sally Beauty, P.F. Chang’s, and Harbor Freight. For instance, the 2013 data breach on North American giant department store chain Target affected 56 million debit and credit cards after being compromised with the BlackPOS malware.
Rescator offers cards (aka CVVs), dumps, wholesale, as well as its own checker (a tool for checking the validity rate of compromised cards). Different from Brian’s Club, it only accepts payment in Bitcoin, but registration is also free. They provide daily updates on the new dumps and CVV products they offer on sale, indicating they likely have many providers constantly handling them access to compromised card data.
A distinguishing feature of Rescator is that they assign a rating or motivation ratio to the buyers, allowing the clients with the highest rating to get a 12% discount on some basis and to see new products an hour earlier than the rest of the clients. This rating is calculated from the sum of deposits minus the sum of refunded purchases; therefore, this feature incentivizes clients to deposit higher amounts without asking for refunds.
In terms of products: dumps are sold for prices ranging between US$6.07 and US$69.3; cards for US$10 – US$36; wholesale for US$3 per dump. Like other analyzed card shops, Rescator offers a higher number of cards and dumps from the United States than from any other country, and US prices tend to be lower as well, with many CVVs offered for US$15 and dumps for around US$12. In contrast, data from smaller countries with fewer offerings typically starts at a price of US$24 in the case of CVVs, and US$25 for dumps.
Outpost24 analysts have observed Rescator advertisement banners in many forums, such as Club2CRD and Black Bones. Sponsoring underground forums is a popular way to attract new customers and recover the old ones after approximately two years of inactivity. Along with the banners, the card shop operators post frequent updates about Rescator products in the cybercriminal underground using the moniker “LegendaryRescator”.
Regarding the feedback in LegendaryRescator threads, Outpost24 analysts found a significant number of posts complaining about the prices, where alleged buyers state these are not competitive and should be lowered, especially in the case of “old bases” – referring to dumps from 2019.
Credit Card Fraud Investigation: Inactive Card Shops
Card shops can go offline for 3 main reasons:
- Organized closures: the shop’s administrators give early warnings and may or may not justify the shop’s closure. Shop customers are given time to withdraw funds and make final purchases.
- Shop seizure by law enforcement. Earlier this year, at least 4 major shops were seized by Russian law enforcement agencies, and more and more governments and multilateral organizations are engaged in this type of operation. After the seizures, we have observed compromised card data providers attempting to sell dumps and CVVs directly in underground forums, as well as forum members asking for recommendations on alternative card shops after their go-to card shop went offline.
- Exit scams: upon collecting a certain amount of funds, a shop administrator simply vanishes and keeps the money. The first hypothesis raised when a shop goes offline is the possibility of an exit scam: customers start complaining in forums, manifesting their concerns about their funds. Yet, one may never know what truly happened, as a shop going offline may also be a consequence of an undisclosed law enforcement action.
FERum was one the biggest card shops from at least 2013 until the Department “K” of the Russian Ministry of Internal Affairs took down the shop last February. Interestingly, the shop used to include a banner ad for the competitor Trump’s Dumps, which was seized on the same occasion by the Russian authorities.
According to metrics provided by the shop, FERum had millions of compromised cards made available to customers – but it did not have advanced features and the design was very basic. The card shop used to offer CVVs for prices ranging between US$6.90 and US$16.80 and allowed prospective clients to filter by BINs, location, and card type (Visa, Mastercard, etc.).
Interestingly, the law enforcement agency left the following message in the source code of the page “КТО ИЗ ВАС СЛЕДУЮЩИЙ?”, which translates to “Which one of you is next?”.
All World Cards
All World Cards was created in May 2021, but it rose to prominence in August of the same year, as its operators did a huge marketing campaign to promote the shop: they announced the release of 1 million free cards for their clients.
To increase the visibility of the campaign, All World Cards became a sponsor of many specialized forums, such as Black Bones, BlackHat Carding, and Carders[.]ws. Back in August 2021, the Outpost24 Labs team wrote a All World Cards blogpost about this campaign, analyzing the published credit cards. In short, despite the fact that these cards were compromised between 2018 and 2019, clients could still find active cards amongst these in 2021 – which put the shop in evidence and provided it with a certain level of credibility.
In February 2022, when the Russian Ministry of Internal Affairs announced the seizure of 4 major shops, other card shops tried to keep a low profile, in an attempt to avoid being targeted by law enforcement operations. In this context, “due to recent events”, they said, All World Cards’ operators announced they would take a 2-week long break. The shop went offline in mid-February 2022, but up to early May 2022, it did not come back. Therefore, in underground specialized forums, the rumour is that the card shop operators used this context as an excuse to do an exit scam. For that reason, All World Cards’ representatives (“AW_cards” and “AW_support”) were banned from the specialized forum Club2CRD and were labelled as rippers. On other forums, the representatives were last seen on February 09, 2022.
In the constant effort to monitor card shops, the Outpost24 Labs team has recently encountered a card shop that looked suspicious. Upon further investigation, we identified hundreds of thousands of domains that mimicked (in domain names and often in page layout) legitimate card shops and distributed a file containing a clipper malware. Amongst these over 600,000 phishing pages, the team was able to spot pages that mimicked All World Cards, Brian’s Club, Trump’s Dumps, FERum, and many other prominent card shops. A more in-depth and technical blogpost detailing the findings of this operation is to follow shortly.
Outpost24 analysts believe this to be one major operation divided into different campaigns over time, as we were able to identify pages created between at least 2015 and 2022. This operation highlights the fact that the carding ecosystem does not only impact the retailing sector, financial institutions, and clients; instead, it also affects the cybercriminals involved in these activities. This phishing scam uncovered by our team emphasizes the dynamics in which cybercriminals target other cybercriminals. Thus, the analysis of the current status of the card shops ecosystem involves not only researching shops, price competition, law enforcement operations, and exit scams – equally important is scamming, as it impacts the reliability of legitimate shops and the overall functioning of the card shops ecosystem.
Since our last blogpost about the card shop ecosystem, a lot has changed. Some card shops remained as prominent as they once were, such as Brian’s Club, while some others went offline due to unspecified reasons, like the case of All World Cards. Interestingly, other shops came back to the landscape, such as Rescator, proving once again that the card shop ecosystem is highly fluctuating, and nothing can be taken for granted. The card shop ecosystem is deeply impacted by different actors, events, historical moments, the adoption of security policies, and other factors. Law enforcement agencies have a huge impact on the landscape, but personal reasons might lead criminals to withdraw from the carding scene. The political momentum also plays an important role in the fluctuation of shop’s activities. Additionally, security policies might impact the availability of products for the shops, which also impacts the landscape.
Therefore, it is crucial to continuously monitor sources such as specialized forums, Telegram channels and groups, and card shops to be up to date with developments. This non-stop effort may lead us to the discovery of new trends for the future, such as the rise of the importance of CVVs over dumps as more and more countries adopt security chips instead of magnetic stripes in their payment systems, and card-not-present fraud becomes more frequent than card-present fraud. Moreover, online retailers and card issuers can use threat intelligence solutions like Outpost24’s Outpost24 Credit Card module to detect compromised cards in real-time to prevent fraud and mitigate potential damage, while the Threat Context module provides in-depth intelligence for a comprehensive understanding of the threat landscape.
Finally, as illustrated by the example of the phishing pages mimicking card shops, scamming is also an imminent part of the card shops ecosystem. Carding impacts not only card users, but also the cybercriminals involved in it. Thus, it is important for the security community to consider scamming as an inherent part of the ecosystem, to better comprehend the functioning logic behind it.