By Isaac Palmer
In Inside Payment Card Fraud: Part 1, we examined why carding remains pervasive despite ongoing efforts to quash it, identified key intelligence requirements for teams tasked with fighting payment card fraud, and provided an overview of how criminals obtain victims’ card data. In this follow-up blog, we’ll look at what criminals do with stolen card data after obtaining it, the abundance of carding tutorials within online threat-actor communities, and the implications for defenders.
What Happens After Card Data is Obtained
Once obtained, stolen payment card data can be monetized in a number of ways:
Some criminals use stolen card data to clone cards with specialized software, blank cards, and card-writing equipment. These cloned cards are then sold on illicit marketplaces or used to cash out at ATMs. Criminals have been known to copy compromised data on simple, blank white cards, but Flashpoint analysts have observed discussions indicating increased interest in creating more realistic cards featuring bank logos to avoid suspicion. Since only the magstripe data can be cloned onto a working card, attackers often seek out specific ATMs that still allow magstripe cards. In some cases, criminals enlist a money mule to carry out an ATM withdrawal using the cloned card to avoid being caught.
Card-cloning software typically runs at a price of around $1,500 USD. Fraudsters can also purchase batches of pre-made cards on illicit marketplaces, with cards containing data for high-value accounts selling at a higher price.
Given the authentication-related challenges and physical security risks of cashing out cards at ATMs, some criminals have discovered an alternative way for reaping the profits of credit card fraud: online shopping. Flashpoint analysts have observed criminals exchanging advice within DDW communities on using mobile shopping or wallet applications to lower the risk and increase the success rate of making online purchases using stolen cards.
Card Shops Profiting From Stolen Data
Threat actors often sell compromised card data on illicit card shops, finding it easier and more profitable to sell the data to other criminals than attempt to carry out fraud themselves. Some card shops such as Joker’s Stash—which specializes in selling cards and dumps—are expansive, well established, and allow customers to filter card data by regions and other criteria. Joker’s Stash has been a major supplier of cards and dumps for the past four-and-a-half years and is known for its flexible refund policy and reliable support.
Cybercrime Groups and Financial Data Theft
Advanced cybercriminal groups with APT-like capabilities, such as FIN7, have been associated with capturing financial details in order to create more income and disposable profit. FIN7 is a notorious cybercrime group that targets many financial institutions, payment processors, and restaurants. The group is alleged to have stolen more than 15 million credit cards and attacked more than 3,600 locations. The group monetizes the pilfered data via underground services such as the top-tier card shop Joker’s Stash.
Flashpoint analysts have seen a proliferation of carding tutorials across illicit communities spanning numerous regions and languages, often offered as a bonus to customers who purchase skimmers, shimmers, cards, or other related goods and services.
Such tutorials are also advertised individually—particularly within the Chinese-language underground—claiming to offer insight into carding TTPs, such as the use of proxies and proxy configuration, clearing of web browser history, reputable vendors of payment card information, web browser add-ons, email address set-up, and cashing out. Flashpoint analysts have observed some criminals offering carding tutoring services, where experienced cybercriminals will, for a fee, run online courses for inexperienced fraudsters. Such courses are especially popular within Russian-language communities.
The global scope of illicit carding activity is noteworthy due to the relative weakness of payment card security in some countries compared to others. For example, the mandate of EMV chip technology has not been enforced in some areas of the world; therefore, carding guides that would be considered outdated in some parts of the world may allow criminals to profit in others.
To protect against ongoing efforts to steal payment card data and reap profits from it, financial institutions and retailers should make a priority of ensuring they are up to date with the latest point-of-sale and payment-card security technologies. Moreover, these organizations should have visibility into activity on illicit card shops to identify and quickly mitigate breaches and card dumps.
To learn more about how Flashpoint helps organizations combat carding activity and other types of fraud, request a demo.
Senior Analyst II
Isaac Palmer is a Senior Analyst II on Flashpoint’s Hunt Team who has more than 20 years of experience in computer security. He has advised multiple U.S. government agencies in various capacities and has been featured in major online media outlets around the world including Infosecurity Magazine, SC Magazine, and SecurityWeek, among many others. Isaac was a noted contributor to the DGA Archive project presented in Paris, France during BotConf2015.