Credit card data has been traded on the cyber black-market for a number of years. The relatively recent breaches of TJX Companies (owner of T.J. Maxx) and Heartland Payment Systems show the extent to which criminals will go in order to harvest credit card numbers, social security numbers, names, addresses and more. All this legitimate (but stolen) information fuels a world of cyber crime.

In this article we show that, unlike what you might think, the credit card black-market operates very much in the open. Below we point out websites, which can be used to tap into the cyber black-market and find stolen credit card numbers and the associated credentials to purchase for any purpose they desire. We also show instant messenger handles, emails and details of what cyber criminals are selling on the Internet.

We analyzed 429 unique domains and 615 unique URLs. Each of these URLs contained information about buying stolen credit card information. Each URL lead to a web page where cyber-criminals have posted details about how to interact with them and buy stolen financial credentials. In the majority of cases, cyber criminals who are selling this information can provide one of the following types of data.

The data for this article was collected between February 27th and March 2nd, 2010.

Basic Credit Card Information Offers:

Usually consists of credit card number, type, expiration date and CVV.

USA & CANADA CCV2

VISA/Mastercard ~ 2USD/each
AmEX/Discover   ~ 4 USD/each

UK & WU CVV2

VISA/Mastercard ~ 3USD/each
AmEx/Discover   ~ 5USD/each

Premium Credit Card Information Offers:

Usually consists of credit card number, type, expiration date, CVV, SSN, Home Address, Full Name, Date of Birth and much more.

USA & CANADA CCV2

VISA/Mastercard ~ $35/each

UK & EU

VISA/Mastercard ~ $40/each

ACCOUNT INFORMATION:
First Name: xxxxx
Last Name: xxxxx
Address: xxxxx xxxxx xxxxx xxxxx
Apt:
City: Homestaed
State: FL
Zip: xxxxx
Home Phone: (xxxxx)xxxxx-xxxxx
Work Phone: (xxxxx)xxxxx-xxxxx
Email: xxxxx@yahoo.com
SSN: xxxxx-xxxxx-xxxxx
License Number: xxxxx-xxxxx-xxxxx-xxxxx-xxxxx
License State: FL
DOB: 09/xxxxx/xxxxx

PAYMENT INFORMATION:
Credit Card Type: VISA
Number: xxxxxxxxxxxxxxx
CCV: 889
Expiration Date: 11/2008
Name: xxxxx xxxxx
Card Name First: xxxxx
Card Name Last: xxxxx

PayPal Information Offers:

Verified account                 ~ 20USD/each
Verified account with email pin  ~ 25USD/each
Verified acccount with full info ~ 35USD/each
unverified account               ~ 10USD/each

Some domains host multiple instances of stolen Credit Card Ads, (CC-Ads). We present the frequency distribution of CC-Ads on each unique domain below.

Frequency of CC-Ads on each unique domain.

Interesting Highlights:

• None of the websites advertising stolen credit card data were blacklisted by Google’s Safe Browsing List. This could potentially indicate that cyber criminals are conscientious of not discouraging visitors to these sites.
• Cyber criminals prefer to get paid via Liberty Reserve and Western Union money transfer services.
• Some cyber criminals have used images to provide quotations [img].
• Yahoo.com seems to be the email and instant messaging service preferred by cyber criminals.
• Nearly 75% of sites with CC-Ads are located in the US (see graph below).

IP Geo-location for websites with CC-Ads.

Conclusion:

It is clear from the current state of the credit card black-market that cyber criminals can operate much too easily on the Internet. They are not afraid to put out their email addresses, in some cases phone numbers and other credentials in their advertisements. It seems that the black market for cyber criminals is not underground at all. In fact, it’s very “in your face.” Clearly a more concerted effort is required to clamp down on this problem. Simply tying up loose ends on the enterprise side is not enough to combat this problem when there is virtually nothing to stop criminals from touting their stolen wares freely in the Internet.

Editor’s Note: We are providing a limited list of sites as an example of the brash lawbreaking behavior of these cyber criminals. We believe it is important for the purpose of this article that the reader be able to verify our statements. Additionally, we believe that consumer awareness of the problem can only serve to reduce the ease with which these criminals operate.

Forums used to buy and sell stolen credit card information:

*hxxp://ghostmarket.net
*hxxp://gayatheists.2.forumer.com
*hxxp://www.pakbugs.com/sell
*hxxp://forums.lava-carding.com
*hxxp://www.offcarding.forums-free.com
*hxxp://hack0rz.forums-free.com
*hxxps://security-shell.ws
*hxxp://silverspam.net
*hxxp://sellcvv2.forums-actifs.com

Various instant messenger credentials [1] [2] [3] used by cyber criminals:

People who interacted with “ubuntu_kana” (Yahoo messenger):

• ahmadshrief11@yahoo.com, davidlindon1@gmail.com, frankykkk@yahoo.com, suzannasuro@gmail.com, alexgenieve@hotmail.com, dave3331@gmail.com, ccvhack21@yahoo.com, trungtuyen68@yahoo.com, XUAN_CCS@YAHOO.COM, niklasjulius@rocketmail.com, boy_magnanimous@yahoo.com, FRESH_HACK2002@YAHOO.COM, vic.sell@yahoo.com

People who interacted with “peeseller” (Yahoo messenger):

• aloopapa@yahoo.com, dumpsfresh@yahoo.com, ug.tsunami@yahoo.com, sellrep@yahoo.com,

People who interacted with “bagiabancc” (Yahoo messenger):

• WorkusaJob@yahoo.com, david_cuong_85@yahoo.com, salulynho@yahoo.com, vang_kiban@yahoo.com, pro.cv2er@gmail.com, pro.cv2er@hotmail.com

News, Report, Security blackmarket, card skimming, credit card, cvv, hackers, hacking