• The “Underground” Credit Card Blackmarket

    Credit card data has been traded on the cyber black-market for a number of years. The relatively recent breaches of TJX Companies (owner of T.J. Maxx) and Heartland Payment Systems show the lengths to which criminals will go in order to harvest credit card numbers, social security numbers, names, addresses and more. All this legitimate (but stolen) information fuels a world of cyber crime.

    In this article we show that, contrary to what you might think, the credit card black-market operates very much in the open. Below we point out websites where stolen credit card numbers and the associated credentials are offered for sale. We also show instant messenger handles, emails and details of what cyber criminals are selling on the Internet.

    We analyzed 429 unique domains and 615 unique URLs. Each of these URLs contained information about buying stolen credit card information. Each URL led to a web page where cyber criminals have posted details about how to interact with them and buy stolen financial credentials. In the majority of cases, cyber criminals who are selling this information can provide one of the following types of data.

    The data for this article was collected between February 27th and March 2nd, 2010.

    Basic Credit Card Information Offers:

    Usually consists of credit card number, type, expiration date and CVV.

    USA & CANADA CCV2
    
    VISA/Mastercard ~ 2USD/each
    AmEX/Discover   ~ 4 USD/each
    
    UK & WU CVV2
    
    VISA/Mastercard ~ 3USD/each
    AmEx/Discover   ~ 5USD/each
    

    Premium Credit Card Information Offers:

    Usually consists of credit card number, type, expiration date, CVV, SSN, Home Address, Full Name, Date of Birth and much more.

    USA & CANADA CCV2
    
    VISA/Mastercard ~ $35/each
    
    UK & EU
    
    VISA/Mastercard ~ $40/each
    
    ACCOUNT INFORMATION:
    First Name: xxxxx
    Last Name: xxxxx
    Address: xxxxx xxxxx xxxxx xxxxx
    Apt:
    City: Homestaed
    State: FL
    Zip: xxxxx
    Home Phone: (xxxxx)xxxxx-xxxxx
    Work Phone: (xxxxx)xxxxx-xxxxx
    Email: xxxxx@yahoo.com
    SSN: xxxxx-xxxxx-xxxxx
    License Number: xxxxx-xxxxx-xxxxx-xxxxx-xxxxx
    License State: FL
    DOB: 09/xxxxx/xxxxx
    
    PAYMENT INFORMATION:
    Credit Card Type: VISA
    Number: xxxxxxxxxxxxxxx
    CCV: 889
    Expiration Date: 11/2008
    Name: xxxxx xxxxx
    Card Name First: xxxxx
    Card Name Last: xxxxx
    

    PayPal Information Offers:

    Verified account                 ~ 20USD/each
    Verified account with email pin  ~ 25USD/each
    Verified account with full info  ~ 35USD/each
    unverified account               ~ 10USD/each
    

    Some domains host multiple instances of stolen credit card ads (CC-Ads). We present the frequency distribution of CC-Ads on each unique domain below.

    [Figure: Frequency of CC-Ads on each unique domain.]
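
The tally behind a per-domain distribution like this can be computed from a list of collected ad URLs. The following is an added example, not code from the original article: it assumes the URLs are stored defanged, treats each hostname as one domain, and runs on constructed `.example` sample data; all function names are hypothetical.

```python
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample of defanged ad URLs (reserved .example names, not from the article).
SAMPLE_URLS = [
    "hxxp://forum-a.example/sell/thread-1",
    "hxxp://forum-a.example/sell/thread-2",
    "hxxp://FORUM-A.example/sell/thread-2#post9",  # same page as the line above
    "hxxps://www.board-b.example/topic/17",
    "hxxp://shop1.freehost.example/ads",
    "hxxp://shop2.freehost.example/ads",
    "hxxp://shop2.freehost.example/ads?page=2",
]

def refang(url):
    """Make a defanged hxxp / [.] URL parseable again (it is parsed, never fetched)."""
    url = url.strip().lstrip("*").replace("[.]", ".")
    if url.lower().startswith("hxxp"):
        url = "http" + url[4:]
    return url

def canonical(url):
    """Return (host, key), ignoring scheme, letter case of the host, 'www.' and fragments."""
    parts = urlsplit(refang(url))
    host = (parts.hostname or "").lower()
    if host.startswith("www."):
        host = host[4:]
    key = host + (parts.path or "/")
    if parts.query:
        key += "?" + parts.query
    return host, key

def ads_per_domain(urls):
    """Count unique ad URLs per hostname (assumption: one hostname = one domain)."""
    unique = {canonical(u) for u in urls}
    return Counter(host for host, _ in unique if host)

def frequency_distribution(per_domain):
    """Map 'ads hosted' -> 'number of domains hosting that many ads'."""
    return dict(sorted(Counter(per_domain.values()).items()))

def summarize(urls):
    per_domain = ads_per_domain(urls)
    return {
        "unique_urls": sum(per_domain.values()),
        "unique_domains": len(per_domain),
        "distribution": frequency_distribution(per_domain),
    }

print(summarize(SAMPLE_URLS))
```

Counting by hostname keeps forums on a shared free-hosting platform separate; grouping by registrable domain instead would merge them and shift the distribution toward fewer, larger domains.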

    Interesting Highlights:

    • None of the websites advertising stolen credit card data were blacklisted by Google’s Safe Browsing List. This could potentially indicate that cyber criminals are careful not to discourage visitors to these sites.
    • Cyber criminals prefer to get paid via Liberty Reserve and Western Union money transfer services.
    • Some cyber criminals have used images to provide quotations.
    • Yahoo.com seems to be the email and instant messaging service preferred by cyber criminals.
    • Nearly 75% of sites with CC-Ads are located in the US (see graph below).

    [Figure: IP Geo-location for websites with CC-Ads.]

    Conclusion:

    It is clear from the current state of the credit card black-market that cyber criminals can operate much too easily on the Internet. They are not afraid to put out their email addresses, and in some cases phone numbers and other credentials, in their advertisements. It seems that the black market for cyber criminals is not underground at all. In fact, it’s very “in your face.” Clearly a more concerted effort is required to clamp down on this problem. Simply tying up loose ends on the enterprise side is not enough to combat this problem when there is virtually nothing to stop criminals from touting their stolen wares freely on the Internet.

    Editor’s Note: We are providing a limited list of sites as an example of the brash lawbreaking behavior of these cyber criminals. We believe it is important for the purpose of this article that the reader be able to verify our statements. Additionally, we believe that consumer awareness of the problem can only serve to reduce the ease with which these criminals operate.

    Forums used to buy and sell stolen credit card information:

    

    Various instant messenger credentials [1] [2] [3] used by cyber criminals:

    People who interacted with “ubuntu_kana” (Yahoo messenger):

    • ahmadshrief11@yahoo.com, davidlindon1@gmail.com, frankykkk@yahoo.com, suzannasuro@gmail.com, alexgenieve@hotmail.com, dave3331@gmail.com, ccvhack21@yahoo.com, trungtuyen68@yahoo.com, XUAN_CCS@YAHOO.COM, niklasjulius@rocketmail.com, boy_magnanimous@yahoo.com, FRESH_HACK2002@YAHOO.COM, vic.sell@yahoo.com

    People who interacted with “peeseller” (Yahoo messenger):

    • aloopapa@yahoo.com, dumpsfresh@yahoo.com, ug.tsunami@yahoo.com, sellrep@yahoo.com

    People who interacted with “bagiabancc” (Yahoo messenger):

    • WorkusaJob@yahoo.com, david_cuong_85@yahoo.com, salulynho@yahoo.com, vang_kiban@yahoo.com, pro.cv2er@gmail.com, pro.cv2er@hotmail.com
      • Wow! These guys are not bothered about any consequences. Where are these hackers based?

        Posted by anonymous on March 3rd

      • A lot of these people are based in the US, Eastern Europe and some in South-east Asia.

        Posted by anirban on March 3rd

      • Are people paying for stolen credit cards with stolen credit cards? ;-)

        Posted by Shungaeslagente on March 3rd

      • All those links are now dead.

        Posted by asv on March 4th

      • Couple of quick suggestions.

        1. Make the company logo at the top of the page a clickable link that takes you to the homepage (I know there is a home button but the former is really a standard practice these days).

        2. This is very general, but have you thought about expanding to the mobile browsing market? An iPhone app could be a good start.

        - A friend

        Posted by Anon on March 6th

      • Thank you very much for the comment, we will definitely pay attention to this.

        Posted by anirban on March 7th

      • @Anon
        We appreciate your suggestion and have updated our website with a click-able logo area in the upper-left. The link will take you right to our homepage!

        We take our visitors’ comments seriously. I wish you’d left an email so we could reach you with questions in regard to your second comment.

        I am interested in your thoughts: what features would you be looking for in an iPhone app?

        Posted by admin on March 14th

      • I recently got scammed when someone used my credit card!
        And I don't know how they succeeded in changing my Verified by Visa password!!
        When I was buying a domain name I got my ordinary window up, but my personal message was changed to “NaqZoCorporation”, and when I googled it, it seemed to be a scam site, one of those. But these guys are pros because they succeeded in changing my Verified by Visa and my billing address!!

        Posted by Phil on March 20th

      • [...] Credit Card Data Traded on the Black Market I am a firm believer in checking my data every few days, because I have seen it all. No matter what the situation, you never know when or where your information could have been leaked. A hacker could tap into the SQL database of some website where you made a purchase 6 months ago…or a year ago… And then there is skimming. It is hardly possible to keep your eye on your card 24/7 without looking like a nut, especially if you are in a high priced restaurant where it is customary to hand over your card to the waiter who walks away with it in order to process the charges. They also say that some skimming devices can be placed at gas pumps and ATMs so that users don't even notice they have been installed over (on top of) the actual processing device you use every day. I haven't seen these things, possibly it's just a small metallic strip that is placed inside there and then retrieved later. I pay at the pump all the time so I can't imagine a device that could fool me. It would have to be quite small. Anyway. My point is, rather than trying to combat the situation, my best advice is to just use one bank, say B of A or HSBC, and have your checking, savings and credit cards with that one bank… so you only have to log in to or call one bank, and every 3 days check your accounts. Or every 2 days. Here is a link everyone should read [...]

        Posted by Credit Card Data Traded on the Black Market – Credit Forums – Loans, Debt, and Credit Discussion on April 17th

      • Sadly, fraud and crime are fairly rampant on the internet. Some of the biggest threats come from scammers, who will just try to rip you off, and other groups, who trade in stolen credit card and bank information. StopTheHacker.com did a study in early …

        Posted by Varnes Computers Blog on July 9th

      • Wow. Good article. Makes me want to never buy anything else on the internet ever again. Makes you wonder how long until we all go back to strictly paper money where you actually know if someone is taking it from you.

        Posted by dcrockett on October 11th

      • [...] called stopthehacker.com recently analyzed the black market and was able to find examples of how this information is present online. Through simple online web portals, you can find credit card data on anything from basic accounts [...]

        Posted by Credit Card Numbers for Sale on the Black Market | MyBankTracker.com on December 9th

      • I recently got scammed when someone used my credit card!
        And I don't know how they succeeded in changing my Verified by Visa password!!

        That's as easy as finding your DOB and resetting it? :/

        Posted by clarck on June 2nd

      • for example this file
        http://upload ing.com/files/34a cb2m7/BinChecker.e e/

        They use it to check the first 6 digits of a credit card, and it tells which bank and which branch. They are really stealing our financial data.

        Posted by sean on October 29th