From vulnerability to fraud, how hard is it?

February 9, 2010  |  Written by Security Ninja  |   Data Loss, Hacking, PCI DSS   |   10 Comments

Hi everyone,

The blog I’m writing today is a bit different to the blogs I normally write. I normally discuss application security vulnerabilities or how to write secure code but I wanted to post something different today. I used to write the occasional post which covered a specific issue in security I’d been researching that wasn’t necessarily related to application security. I’m happy to say that I have a new Ninja Research post for you all today!

I was asked to present to the FICASIAN group in November last year and this blog post is based on the findings from the research I conducted for that presentation. FICASIAN is a group of leading anti-fraud specialists from the UK and Ireland which includes Heads of Fraud from banks and gaming companies as well as Compliance Directors and CSOs.

I’m certainly not a fraud expert so I decided to base the presentation on the things I know rather than trying to pretend I know a lot about fraud. I have seen several fraud presentations and read several fraud papers, and they tend to focus on numbers and theory. The numbers and theory are useful for people to know but I prefer to see things for real. We know that people steal data and use it in various different ways, so I wanted to show more about that: how easy it is to steal large amounts of data and turn that into cash or goods.

I posed a question to myself that I wanted the research and presentation to answer:

“From vulnerability to fraud, how hard is it?”

I think most readers of this blog will know that vulnerabilities are often easy to find and exploit. There are currently over 230,000,000 websites on the internet and it is estimated that 60% of these sites have vulnerabilities in them.

I used two examples in my presentation of vulnerabilities that directly lead to large amounts of data being lost:

  • CardSystems (Application – SQL Injection)
  • TJX (Network – Insecure wireless network)

I won’t go into the details of each data breach here; you can find out more about each breach by clicking on the links above.

So finding and exploiting vulnerabilities can be quite easy and potentially very rewarding if the attacker is able to steal data such as credit card numbers. I knew that much before I began this research; what I really wanted to find out is how hard it is to turn this stolen data into cash or goods.

First you get the data, then you get the money

I had read many reports and news stories which talked about the FBI infiltrating and taking down underground forums which allowed users to buy and sell stolen data. These reports and stories often talk about how hard these forums are to find and how it is even harder to get information from them. Using Google, in a matter of minutes I found a forum where stolen data is bought and sold every day, cardable website lists are traded and cashout services are offered.

The rest of this blog post will detail some of the things I found on the forum along with screenshots of forum posts and items being sold. I have blacked out any potentially sensitive data as well as the usernames and the forum name.

Buying and Selling Credit Card Data

The forum I found had a sub-forum dedicated to buying and selling stolen credit card data with new entries every day:

[Screenshot: Card Forum]

The entries in this forum ranged from a user having one or two credit card numbers to sell through to users who had a wide range of cards which the buyer could select from. These lists often had cards from multiple providers including cards with higher credit limits such as Gold and Platinum cards.

The cards which are likely to have a higher credit limit are sold for a higher price but interestingly you could buy full identities which included the card details for less than the sales prices of individual cards.

I have included a few images below which show the types of adverts sellers are placing for their card data:

[Screenshot: CC_Sale1]

[Screenshot: US_EU_CCs]

[Screenshot: US_CCs]

As I mentioned above, some sellers were also selling “identities” which include a lot more information than the card number sales. These identity sales included the cardholder’s name, partner’s name, employer and bank details amongst other details:

[Screenshot: US_FULLZ]

[Screenshot: UK_FULLZ]

Purchasing goods with the stolen cards

We have seen that we can easily buy stolen credit cards and even full identities from this forum, so let’s assume we have purchased a stolen credit card. How can we go shopping with this?

You could pay for a second service from some sellers who would produce a counterfeit card for you from the data you buy/provide to them. The majority of the buyers appeared to want the stolen card data to use on “cardable” websites. I did see a few buyers who were interested in having the counterfeit cards produced so they could use them in high street shops. It didn’t take me long to find a seller who linked to his own website where you could purchase the hardware required to produce your own counterfeit cards. The seller would provide blank cards, a magnetic stripe reader/writer, the software required to write track data to the cards and card embossers for Visa and Mastercard for under $1,500.

The forum had a sub-forum where users traded cardable websites. A cardable website is a site with weak fraud prevention which allows stolen cards to be used on it.

The cardable websites are normally traded for either card data or other sellers’ lists of cardable sites. I didn’t see a seller attempting to sell a list of cardable sites, but new users attempting to earn “trust” on the forum would provide some for free.

Taking delivery of the stolen goods

So we have seen that we can buy stolen data and use it on websites which have weak fraud prevention to buy goods. We need to have these goods delivered somewhere though. The forum has sellers who provide a “drop point” service to buyers which will allow the person using the stolen card data to receive the goods without giving their own delivery address.

These drop point services seemed to either have a fixed price or the drop point seller would also use your stolen card data as payment. The approach that most sellers took to the drop point service was to order your goods along with goods for themselves on the stolen card you provide them. The drop point services ranged from a person knowing their neighbour is out all day and using their address through to organised sellers with people working for them inside the local postal service.

One of the most organised sellers provided a service which included the purchasing of goods, a drop point and a cash out/final delivery:

[Screenshot: Card_Drop2]

Receiving your cash or goods

The final step in the process is to turn the stolen data into cash/goods. We have bought stolen credit card data, found a cardable website, paid for a drop point service and now it is time to cash out.

There are various ways to end up with cash in your hand or goods in your house by using the services being sold on this forum (and many others). We can take delivery of goods through a drop point provider who will reship them to us. The goods could also be sold for cash.

The forum I visited has a sub-forum where users take pictures of the money or goods they have received through using the services we have described so far. I have included two pictures from the forum below:

[Screenshot: wares6]

[Screenshot: wares3]

An alternative approach

We have only discussed the use of stolen credit card data so far but we know that forums such as this one also sell stolen online bank account logons.

I saw a lot of online bank accounts for sale on the forum, but given that sensitive data is visible in the screenshots posted by the sellers I have refrained from posting any here.

The sale price of the online bank account logons is tied to the amount of money in the compromised account. It is easier to see just how much money is potentially at risk in the bank account sales forum because screenshots of account balances are included. The forum had a wide range of bank account logons for sale from many different countries. The balances of the accounts were often quite low but some sellers were selling the logon details to bank accounts with balances close to $1m.

I have included the balance of three accounts that were for sale along with the sale price below:

  • £11,200 – sale price: £100
  • $26,100 – sale price: $160
  • $328,000 – sale price: $250

When a buyer pays for the account logon details they only have the ability to logon to the bank account. To get the money out of the account they require another service to perform a “bank drop”. I will cover the bank drop services a bit more in the next section of this post.

Turning the stolen bank logons into cash

The buyers of the stolen bank logons will have one main goal – turning their purchase into cash in their hand.

The buyers will either need to know people who are willing to “cash out” the stolen account’s money or use a cash out/bank drop service from another seller on the forum. To cash out, the person who bought the stolen logon must transfer the funds from the stolen account into another account and then withdraw the cash.

There are often a few different routes a person can take when they wish to cash out. The bank drop services offered by sellers on the forum will provide you with bank accounts that you can transfer money into. The sellers don’t have a fixed fee for the cash out service but they normally take around 50% of the money you transfer. The seller will withdraw all of the money and take 50% of it before transferring the remaining 50% to a Liberty Reserve or Western Union account that you own.

The person looking to cash out could of course do this themselves, but this doesn’t appear to happen too often. We saw earlier in this blog post that you can buy an identity from the forum, so a buyer could use this to set up a fake bank account. They could transfer funds into this account and withdraw the funds themselves, which means they receive 100% of the funds instead of 50%.

I have included two screenshots below which show bank drop/cash out services for sale on the forum:

[Screenshot: Bank_Drop1]

[Screenshot: Bank_Drop2]

It isn’t just underground forums

I think what surprised me most when I was doing this research was how easy it is to find people who are selling stolen data. A simple Google search found card data sellers in some weird places including social networking sites!

[Screenshot: Facebook Credit Cards1]

[Screenshot: Facebook Credit Cards2]

I hope you have found this blog post useful and I’m always interested in hearing any feedback you have.

SN

This entry was posted on February 9, 2010 at 3:00 pm and is filed under Data Loss, Hacking, PCI DSS.

10 comments

  1. Pingback: uberVU - social comments

  2. Beef says:

    Fantastic post! Definitely not enough general knowledge out there about how this all works. I think most important is the underlying fact about just how much Black Market trade is actually happening around stolen information. The press usually focuses on how many accounts are compromised in a breach, and very rarely do you actually hear what happens to those accounts after a breach has been discovered.

    I think to add to the information you are presenting about the fraud marketplaces:

    A good share of the results you will find from a Google search fall into one of two categories: A) Government run honeypot or B) Amateur Market. Even though it seems like some of the accounts you found were fairly “High Roller” (250K-1M), in the grand scheme of things this is still pretty small potatoes, and you can pretty much be assured that the people on the other end are amateurs that may have stumbled across some pretty sizeable accounts.

    Conversely, all it takes is one bad guy having a lapse in judgement to get what would otherwise be a “hidden” or “underground” site indexed.

    The more organized fraud rings are far more careful and far more difficult to discover. And the information they are selling is likely to be both exponentially more valuable and expensive. As we all know, having a website that Google can’t crawl is really not that difficult. Simply requiring http-auth over your site renders that site invisible to Google. These sites have the same big security hole that any other system in the world has though – humans.

  3. Security Ninja says:

    Hi Chris,

    I’m glad you liked the post and thanks for leaving such a great comment.

    I agree with what you say about finding these types of sites through Google. These places aren’t the forums that hardcore sellers/buyers use but there was certainly a significant amount of fraud being committed by the forum users. The things I included in the blog post were the things I felt comfortable posting, I saw a lot of things that I just couldn’t post because it would have been irresponsible of me to do so. A part of me really wanted to post them to show people just how bad things can be if companies and end users don’t take security more seriously. Whether it is through blogs like this or mainstream media we need to make people aware that data breaches do have an impact on individuals. I think this is a far more important thing for people to be discussing rather than the size of the fine the breached company has to pay.

    I’m sure you can imagine the kinds of things I found but couldn’t post :)

    SN

  4. Christian says:

    Awesome post David!

    Thought it might be worth mentioning money mules. In the section on “Turning the stolen bank logons into cash”, you mention that: “To cash out the person who bought the stolen logon must transfer the funds from the stolen account into another account and then withdraw the cash.” More often than not, people who are acquiring stolen credentials won’t just transfer money into their account; to avoid detection they will employ money mules, who are another link in the scam-chain, who will transfer money into their account, keep a small percentage, then forward the rest on.

    Once again, enjoyed the post :)

  5. Security Ninja says:

    Hi Christian,

    I’m glad you enjoyed the post :)

    The mules side of things I didn’t really know much about until I was educated by the FICASIAN group, but it is very important. I know I discussed how they will employ students, people who really need money etc. as mules, but somehow it didn’t make it into the blog!

    Thanks again,

    SN

  6. d0s says:

    Great read, thank you.

  7. Mr_Bonkers says:

    Excellent read!

  8. ethicalhack3r says:

    It seems if I’m not mistaken that the particular forum you used in your examples has now been shut down.

  9. Troy Hunt says:

    This is an excellent article which very clearly bridges the gap between website exploit and financial impact. For many people, it’s difficult to monetise the risk of website vulnerabilities and seeing the process laid out so clearly really brings the message home.

    Regarding suggestions the resources you mentioned are amateurish, the real message here is that there are individuals out there with the audacity to offer services like these openly to the public domain. It shows how fraud itself has been commoditised to the extent that an entire sub-culture has emerged – rather publicly – with the intent of turning it into a service industry. That in itself is a fascinating observation.

  10. me says:

    the bit I cannot grasp on the bank accounts for sale is…..

    why sell them ?

    $328,000 dollar account.....sell access for $250 ?

    as if…gotta be a scam…!!! why the hell sell $328,000 for $250 when they could use the same drop service themselves and walk away with over $160,000 or….as mentioned, move it themselves for 100%……sensationalism sounds more like. fools are buying these “accs” and getting nothing. nobody would pass up $328,000 !!!
