The documents clearly show the amounts, the specific merchants, dates, and places where the transaction was made and more. The documents include a complete Microsoft Office Excel breakup of the charges, with account numbers and other details. These documents were not password protected or on a protected website, they were completely in the open, no authorization needed.

We notified American Express of these details of via their online contact form (which is available after you log into their system), at approximately on June 7th, 2010, at 9:17 AM PDT. The files were still available on the American Express website as of June 7th, 2010, at 9:28 AM PDT.

We’re curious if these are fake documents deliberately put out on the site. If they are, it would be interesting to know why they have chosen to do so.

We hope someone at American Express will take notice of this important issue. As previously mentioned, American Express was contacted prior to this posting. (Edit: See the reply from American Express below.)

The reply from American Express:

Thank you for your email.

I have forwarded your comments regarding this situation to our concerned department, so that they may look into this issue. During this review, we may contact you if additional information is required.

Be assured that the feedback we receive from Card members plays an important role in enhancing your customer experience

We take our Cardmembers’ security concerns very seriously. We hope that if you suspect the legitimacy of an e-mail you receive in the future, you will forward a copy to us, so we can investigate it for you.

We very much appreciate your vigilance on our behalf. If we can be of assistance to you in the future, please contact us.

We value the relationship built with you and we hope that you will continue to allow us to meet your Card needs for many more years.

Have a wonderful day!

Update: American Express replied on June 7th, 2010, at 9:51 AM PDT.

Obfuscated screenshot below:

Update: Screenshot removed.

In this article we show that, unlike what you might think, the credit card black-market operates very much in the open. Below we point out websites, which can be used to tap into the cyber black-market and find stolen credit card numbers and the associated credentials to purchase for any purpose they desire. We also show instant messenger handles, emails and details of what cyber criminals are selling on the Internet.

We analyzed 429 unique domains and 615 unique URLs. Each of these URLs contained information about buying stolen credit card information. Each URL lead to a web page where cyber-criminals have posted details about how to interact with them and buy stolen financial credentials. In the majority of cases, cyber criminals who are selling this information can provide one of the following types of data.

The data for this article was collected between February 27th and March 2nd, 2010.

Basic Credit Card Information Offers:

Usually consists of credit card number, type, expiration date and CVV.

USA & CANADA CCV2

VISA/Mastercard ~ 2USD/each
AmEX/Discover   ~ 4 USD/each

UK & WU CVV2

VISA/Mastercard ~ 3USD/each
AmEx/Discover   ~ 5USD/each

Premium Credit Card Information Offers:

Usually consists of credit card number, type, expiration date, CVV, SSN, Home Address, Full Name, Date of Birth and much more.

USA & CANADA CCV2

VISA/Mastercard ~ $35/each

UK & EU

VISA/Mastercard ~ $40/each

ACCOUNT INFORMATION:
First Name: xxxxx
Last Name: xxxxx
Address: xxxxx xxxxx xxxxx xxxxx
Apt:
City: Homestaed
State: FL
Zip: xxxxx
Home Phone: (xxxxx)xxxxx-xxxxx
Work Phone: (xxxxx)xxxxx-xxxxx
Email: xxxxx@yahoo.com
SSN: xxxxx-xxxxx-xxxxx
License Number: xxxxx-xxxxx-xxxxx-xxxxx-xxxxx
License State: FL
DOB: 09/xxxxx/xxxxx

PAYMENT INFORMATION:
Credit Card Type: VISA
Number: xxxxxxxxxxxxxxx
CCV: 889
Expiration Date: 11/2008
Name: xxxxx xxxxx
Card Name First: xxxxx
Card Name Last: xxxxx

PayPal Information Offers:

Verified account                 ~ 20USD/each
Verified account with email pin  ~ 25USD/each
Verified acccount with full info ~ 35USD/each
unverified account               ~ 10USD/each

Some domains host multiple instances of stolen Credit Card Ads, (CC-Ads). We present the frequency distribution of CC-Ads on each unique domain below.

Frequency of CC-Ads on each unique domain.

Interesting Highlights:

• None of the websites advertising stolen credit card data were blacklisted by Google’s Safe Browsing List. This could potentially indicate that cyber criminals are conscientious of not discouraging visitors to these sites.
• Cyber criminals prefer to get paid via Liberty Reserve and Western Union money transfer services.
• Some cyber criminals have used images to provide quotations [img].
• Yahoo.com seems to be the email and instant messaging service preferred by cyber criminals.
• Nearly 75% of sites with CC-Ads are located in the US (see graph below).

IP Geo-location for websites with CC-Ads.

Conclusion:

It is clear from the current state of the credit card black-market that cyber criminals can operate much too easily on the Internet. They are not afraid to put out their email addresses, in some cases phone numbers and other credentials in their advertisements. It seems that the black market for cyber criminals is not underground at all. In fact, it’s very “in your face.” Clearly a more concerted effort is required to clamp down on this problem. Simply tying up loose ends on the enterprise side is not enough to combat this problem when there is virtually nothing to stop criminals from touting their stolen wares freely in the Internet.

Editor’s Note: We are providing a limited list of sites as an example of the brash lawbreaking behavior of these cyber criminals. We believe it is important for the purpose of this article that the reader be able to verify our statements. Additionally, we believe that consumer awareness of the problem can only serve to reduce the ease with which these criminals operate.

Forums used to buy and sell stolen credit card information:

*hxxp://ghostmarket.net
*hxxp://gayatheists.2.forumer.com
*hxxp://www.pakbugs.com/sell
*hxxp://forums.lava-carding.com
*hxxp://www.offcarding.forums-free.com
*hxxp://hack0rz.forums-free.com
*hxxps://security-shell.ws
*hxxp://silverspam.net
*hxxp://sellcvv2.forums-actifs.com

Various instant messenger credentials [1] [2] [3] used by cyber criminals:

People who interacted with “ubuntu_kana” (Yahoo messenger):

• ahmadshrief11@yahoo.com, davidlindon1@gmail.com, frankykkk@yahoo.com, suzannasuro@gmail.com, alexgenieve@hotmail.com, dave3331@gmail.com, ccvhack21@yahoo.com, trungtuyen68@yahoo.com, XUAN_CCS@YAHOO.COM, niklasjulius@rocketmail.com, boy_magnanimous@yahoo.com, FRESH_HACK2002@YAHOO.COM, vic.sell@yahoo.com

People who interacted with “peeseller” (Yahoo messenger):

• aloopapa@yahoo.com, dumpsfresh@yahoo.com, ug.tsunami@yahoo.com, sellrep@yahoo.com,

People who interacted with “bagiabancc” (Yahoo messenger):

• WorkusaJob@yahoo.com, david_cuong_85@yahoo.com, salulynho@yahoo.com, vang_kiban@yahoo.com, pro.cv2er@gmail.com, pro.cv2er@hotmail.com

• Reuters via Threat Level | Wired.com

Users were targeted via a vulnerability in Internet Explorer when they visited websites infected with the malware. Spanish authorities shutdown the Mariposa bot-net on December 23, 2009 although the details of what is being called the “largest cyber-raid to date” are just being released.

Infection Statistics:

• 190 countries
• 40 of the largest financial institutions
• 50% of 1,000 largest companies