The blog I’m writing today is a bit different to the blogs I normally write. I normally discuss application security vulnerabilities or how to write secure code but I wanted to post something different today. I used to write the occasional post which covered a specific issue in security I’d been researching that wasn’t necessarily related to application security. I’m happy to say that I have a new Ninja Research post for you all today!
I was asked to present to the FICASIAN group in November last year and this blog post is based on the findings from the research I conducted for the presentation. FICASIAN is a group of leading anti-fraud specialists from the UK and Ireland which includes Heads of Fraud from banks and gaming companies as well as Compliance Directors and CSOs.
I’m certainly not a fraud expert so I decided to base the presentation on the things I know rather than trying to pretend I know a lot about fraud. I have seen several fraud presentations and read several fraud papers. These presentations and papers tend to focus on numbers and theory. The numbers and theory are useful for people to know but I prefer to see things for real. We know that people steal data and use it in various different ways so I wanted to show more about that. I wanted to show how easy it is to steal large amounts of data and turn that into cash or goods.
I posed a question to myself that I wanted the research and presentation to answer:
“From vulnerability to fraud, how hard is it?”
I think most readers of this blog will know that vulnerabilities are often easy to find and exploit. There are currently over 230,000,000 websites on the internet and it is estimated that 60% of these sites have vulnerabilities in them.
I used two examples in my presentation of vulnerabilities that directly lead to large amounts of data being lost:
- CardSystems (Application – SQL Injection)
- TJX (Network – Insecure wireless network)
I won’t go into the details of each data breach here; you can find out more about each breach by clicking on the links above.
So finding and exploiting vulnerabilities can be quite easy and potentially very rewarding if the attacker is able to steal data such as credit card numbers. I knew that much before I began this research; what I really wanted to find out is how hard it is to turn this stolen data into cash or goods.
First you get the data, then you get the money
I had read many reports and news stories which talked about the FBI infiltrating and taking down underground forums which allowed users to buy and sell stolen data. These reports and stories often talk about how hard these forums are to find and how it is even harder to get information from them. In a matter of minutes using Google, I found a forum where stolen data is bought and sold every day, cardable website lists are traded and cashout services are offered.
The rest of this blog post will detail some of the things I found on the forum along with screenshots of forum posts and items being sold. I have blacked out any potentially sensitive data as well as the usernames and the forum name.
Buying and Selling Credit Card Data
The forum I found had a sub-forum dedicated to buying and selling stolen credit card data with new entries every day:
The entries in this forum ranged from a user having one or two credit card numbers to sell through to users who had a wide range of cards which the buyer could select from. These lists often had cards from multiple providers including cards with higher credit limits such as Gold and Platinum cards.
The cards which are likely to have a higher credit limit are sold for a higher price but interestingly you could buy full identities which included the card details for less than the sales prices of individual cards.
I have included a few images below which show the types of adverts sellers are placing for their card data:
As I mentioned above, some sellers were also selling “identities” which include a lot more information than the card number sales. These identity sales included the cardholder’s name, partner’s name, employer and bank details amongst other details:
Purchasing goods with the stolen cards
We have seen that we can easily buy stolen credit cards and even full identities from this forum, so let’s assume we have purchased a stolen credit card. How can we go shopping with this?
You could pay for a second service from some sellers who would produce a counterfeit card for you from the data you buy/provide to them. The majority of the buyers appeared to want the stolen card data to use on “cardable” websites. I did see a few buyers who were interested in having the counterfeit cards produced so they could use them in high street shops. It didn’t take me long to find a seller who linked to his own website where you could purchase the hardware required to produce your own counterfeit cards. The seller would provide blank cards, a magnetic stripe reader/writer, the software required to write track data to the cards and card embossers for Visa and Mastercard for under $1,500.
The forum had a sub-forum where users traded cardable websites. A cardable website is a site which has weak fraud prevention, which allows stolen cards to be used on it.
The cardable websites are normally traded for either card data or other sellers’ lists of cardable sites. I didn’t see a seller attempting to sell a list of cardable sites but new users attempting to earn “trust” on the forum would provide some for free.
Taking delivery of the stolen goods
So we have seen that we can buy stolen data and use it on websites which have weak fraud prevention to buy goods. We need to have these goods delivered somewhere though. The forum has sellers who provide a “drop point” service to buyers which will allow the person using the stolen card data to receive the goods without giving their own delivery address.
These drop point services seemed to either have a fixed price or the drop point seller would also use your stolen card data as payment. The approach that most sellers took to the drop point service was to order your goods along with goods for themselves on the stolen card you provide them. The drop point services ranged from a person knowing their neighbour is out all day and using their address through to organised sellers with people working for them inside the local postal service.
One of the most organised sellers provided a service which included the purchasing of goods, a drop point and a cash out/final delivery:
Receiving your cash or goods
The final step in the process is to turn the stolen data into cash/goods. We have bought stolen credit card data, found a cardable website, paid for a drop point service and now it is time to cash out.
There are various ways to end up with cash in your hand or goods in your house by using the services being sold on this forum (and many others). We can take delivery of goods through a drop point provider who will reship them to us. The goods could also be sold for cash.
The forum I visited has a sub-forum where users take pictures of the money or goods they have received through using the services we have described so far. I have included two pictures from the forum below:
An alternative approach
We have only discussed the use of stolen credit card data so far but we know that forums such as this one also sell stolen online bank account logons.
I saw a lot of online bank accounts for sale on the forum but given that sensitive data is visible in the screenshots posted by the sellers I have refrained from posting any here.
The sale price of the online bank account logons is tied to the amount of money in the compromised account. It is easier to see just how much money is potentially at risk in the bank account sales forum because screenshots of account balances are included. The forum had a wide range of bank account logons for sale from many different countries. The balances of the accounts were often quite low but some sellers were selling the logon details to bank accounts with balances close to $1m.
I have included the balance of three accounts that were for sale along with the sale price below:
- £11,200 – sale price: £100
- $26,100 – sale price: $160
- $328,000 – sale price: $250
When a buyer pays for the account logon details they only have the ability to log on to the bank account. To get the money out of the account they require another service to perform a “bank drop”. I will cover the bank drop services a bit more in the next section of this post.
Turning the stolen bank logons into cash
The buyers of the stolen bank logons will have one main goal – turning their purchase into cash in their hand.
The buyers will either need to know people who are willing to “cash out” the stolen account’s money or to use a cash out/bank drop service from another seller on the forum. To cash out, the person who bought the stolen logon must transfer the funds from the stolen account into another account and then withdraw the cash.
There are often a few different routes a person can take when they wish to cash out. The bank drop services offered by sellers on the forum will provide you with bank accounts that you can transfer money into. The sellers don’t have a fixed fee for the cash out service but they normally take around 50% of the money you transfer. The seller will withdraw all of the money and take 50% of it before transferring the remaining 50% to a Liberty Reserve or Western Union account that you own.
The person looking to cash out could of course do this themselves but this doesn’t appear to happen too often. We saw earlier in this blog post that you can buy an identity from the forum so a buyer could use this to set up a fake bank account. They could transfer funds into this account and withdraw the funds themselves which means they receive 100% of funds instead of 50%.
I have included two screenshots below which show bank drop/cash out services for sale on the forum:
It isn’t just underground forums
I think what surprised me most when I was doing this research was how easy it is to find people who are selling stolen data. A simple Google search found card data sellers in some weird places including social networking sites!
I hope you have found this blog post useful and I’m always interested in hearing any feedback you have.