THE DEEP WEB
The week of September 28, 2014

Inside the black markets for your stolen credit cards

By Aaron Sankin

The recent, historic Home Depot hack probably left you scrambling to check if your personal information had been compromised. You’re hardly alone.

The hackers reportedly took off with over 56 million credit card numbers, making it one of the largest data breaches of all time. Since 2005, there have been over 4,781 recorded data breaches compromising the personal online privacy of million of Americans, according to the Identity Theft Resource Center. The total number of individual records exposed is over 640 million—more than double the U.S population.

Some of these breaches are harmless—a misplaced thumb drive full of customers’ records, for example—but many are the work of dedicated computer hackers intent on breaking into an organization’s computer systems and absconding with as much personal information as possible.

The Home Depot hack may have been the work of a well-organized group of hackers rather than a single lone wolf, but there’s still no way that even a collection of a few dozen cybercriminals could use all 56 million credit card numbers themselves, even if they spent the rest of their lives doing exclusively that.

Instead, the vast majority of stolen personal data is turned into a commodity and sold on a shadowy network of black market websites that serve as online hubs for hackers, scammers, and other digital ne’er-do-wells.

While scammers looking to prey on other scammers abound, a tour through a handful of these sites reveal a world full of healthy, functioning markets that are shockingly civilized: Not only do they self-regulate, but this shady network offers a suite of services designed to facilitate smooth transactions and pass hard-earned knowledge from one generation of thieves to the next.

In essence, these black market sites represent functioning commercial communities where buying or selling a trove of credit card or Social Security numbers is only slightly more difficult than ordering a package of new socks on Amazon.

Hiding in plain sight

Finding these sites isn’t particularly difficult.

As a way of keeping law enforcement and researchers out, many of them require users to pay a fee before getting any kind of access. However, others are freely accessible to anyone who decides to wander inside. A lot of them are linked through networks of banners ads, and users of bulletin board sites are constantly asking for other users’ experiences on other sites. Poking around on one site can quickly lead down a endlessly twisty rabbit hole to a constellation of similar marketplaces.

Finding these sites isn’t particularly difficult.

“In the beginning when the…[credit card] sales black-market appeared, it was kind of semi-open for anyone on the Internet. So law [enforcement] authorities took [down] and kept taking down many of these markets,” recalled Dmitry Bestuzhev, a director of global research and analytics at cybersecurity firm Kaspersky Lab.

“At the same time, another group of cybercriminals … built a few black-markets with fake stolen [credit card] data, which they used to sell fake data. This made serious cybercriminals move to [Tor-based] online black-market stores.”

Developed by the U.S Navy just over a decade ago, Tor is a system designed to let users surf the Web while largely preventing their browsing activity from being traced back to them. Sections of the Internet that can only be accessed by Tor-equipped browsers have become havens for illicit activity, most notably drug dealing. Silk Road, the notorious, multibillion-dollar online haven for the drug trade that was shuttered by law enforcement officials last year, was only accessible through Tor.

The anonymity offered by the Tor network makes starting a Tor-only black market site a significantly safer proposition, at least in terms of getting caught by police, than running the same operation on the regular Web. However, since the majority of black market credit card sites are on the standard Internet where anyone can access them, their operators generally have to take additional steps to guard against having their sites shut down—or worse.

The solution is to run the sites from “bullet-proofed” servers, which means that the server operators agree not to remove content from them or reveal any information about the people behind that content, no matter who demands they do so.

“Whoever’s behind a bullet-proofed server understands that the nature of the business in most cases will be to host very uncertain content,” Bestuzhev explained. “This is the point of a bullet-proofed host… On the other hand, why host something on a server like this when it’s a lot more expensive than other regular services?

“The owner of a bullet-proofed server at least accepts that the content he hosts could be anything. That’s why there is always a service agreement in the middle, making the owner of the server free of any responsibility.”

Hosting bullet-proof servers can be a lucrative business. When the FBI coordinated with Romanian authorities to bring down the Bucharest-based man whose servers hosted the infrastructure for financially focused Gozi malware—which allowed its creators to steal tens of millions of dollars—it discovered that he was leasing servers for €114 ($114 U.S.) and then leasing that space back out to a legion of shady clients for €330 ($424 U.S.). No questions asked.

While far from being universally true, many of these operations are based in Eastern Europe.

“They have law enforcement protection. They have geographic protection,” noted investigative journalist Brian Krebs. “At the end of the day, the authorities in these countries might find it more expedient to keep these people around for when they need them for certain things. Traditionally, the feeling of law enforcement has been: If they’re not attacking us, they’re somebody else’s problem.”

Honor among thieves?

“You have to think about these sites kind of like medieval castles for crooks,” Krebs explained. “[If] you operate within their walls and play by their rules, you’re probably going to be OK. But if you don’t, you’re probably going to get scammed.”

“You have to think about these sites kind of like medieval castles for crooks.” —Brian Krebs

If anyone would know about the inner workings of these markets, it’s Krebs. For over a decade at the Washington Post, and then for years afterward on his independent blog, Krebs has been documenting the world of cybercrime—an interest sparked after his own personal computer was infected by a virus in the early 2000s. He’s done everything from uncovering a massive data breach that had exposed the personal information of over 40 million Target customers to helping disconnect a California-based Web-hosting company that was reportedly responsible for sending out over 40 percent of the world’s spam email.

For his trouble, Krebs has been repeatedly attacked by the users and operators of these forums. In July 2013, he foiled a coordinated effort to get him arrested for a package of heroin sent to his home.

In a post on the black market site Lampeduza Republic earlier this year, an administrator decided to target Krebs by laying out a long list of websites where users could open credit cards and take out bank loans in Krebs’s name as part of an effort to wreck the journalist’s credit score. “Truth is,” the post reads, “they don’t understand who they are dealing with and got nothing to do but post bullshit stories in their blog, which make you, our clients to suffer in the end.”

Attacking Krebs, who has made a career of drawing unwanted attention to the Internet’s seedy underbelly, is just part of the way these sites police themselves. Operating entirely outside the legal system, the people running these institutions institute a bevy of self-regulatory mechanisms to keep themselves and their users safe. Without some semblance of trust, the market would collapse. The site operators have to ensure those users are able to feel relatively confident they they aren’t about to get scammed every time they put their money or hard-earned stolen credit card numbers on the line.

There are basically two types of black market sites for personal data: bulletin boards and storefronts.

The storefronts basically work like any other Web store: Users can select what they want and buy directly from the operator of the site. While the actual transactions themselves generally take place over online chat programs like ICQ or Jabber, the sites themselves provide basic procedures for transactions and give lists of pricing with ads like this one, which appeared on a site called Rescator, where credit card information from the Home Depot hack first appeared online:

Screen_shot_2014-09-16_at_6.56.38_PM

Many storefront sites, Rescator included, allow prospective customers to do customized searches for credit card data that fits a specific criteria. Looking for a platinum Bank of America Visa cards from people living in San Francisco, Calif.? It’s just a search away:

Screen_shot_2014-09-16_at_7.00.42_PM

Other sites, like Royal Dumps, have standard pricing charts for different types of credit card numbers, although discounts can often be obtained for users buying wholesale:

Screen_shot_2014-09-18_at_4.00.28_PM

On these types of sites, buyers know they’re directly transacting with the site’s operators and, as a result, those operators work to engender trust by doing things like posting refund policies. This one is from a black market site named after the legendary hip-hop artist 2pac:

Screen_shot_2014-09-18_at_4.13.29_PM

These sites often take payment in Bitcoin, the digital cryptocurrency first popularized by Silk Road, but also accept transfers via Webmoney, MoneyGram, and Western Union, among others. Since such payment methods aren’t reversible like credit card transactions, the storefronts rely heavily on their reputations. They can also use third-party services that add an additional level of security, an act that’s become necessary with the recent surge in sites selling fake credit card numbers across the stolen personal data industry.

“This is an interesting element that was created not too long ago that basically allows for a transaction to be made secure,” Bestuzhev noted. “The intermediary/broker makes sure the seller has the goods and the buyer has [the] money. The broker also gets a fee from each transaction and if something goes wrong, the broker may fill in the name of the failed part, creating a record of it called ‘rippers’ or not [a] trusted person.”

There are basically two types of black market sites for personal data: bulletin boards and storefronts.

It’s often not particularly difficult to put together a cybercrime scheme without anyone meeting anyone else face-to-face, something that reduces risk across the board.

On the other type of black market site—effectively bulletin boards where users buy and sell stolen data, and trade hacking/social engineering tips—the operators provide the mechanisms for ensuring the confidence of users.

For example, Lampeduza Republic, which professes to employ a complex hierarchical moderation system modeled off of the ancient Roman Senate, is one of the longest running and most high-profile black market sites. It uses a system where people selling over the site can become “verified” by following a certain set of procedures:

Screen_shot_2014-09-16_at_3.54.19_PM

To become verified with the site, vendors have to prove themselves in a variety of different ways. For example, people selling personal data have to deposit $25,000 with the site’s administrators as a show of good faith and provide evidence of at least 500 discrete, functional credit card records. People selling distributed denial-of-service (DDoS) attacks—where hackers use a network of computers to barrage a given Web server with requests, thereby rendering it completely inoperable—have to bring the entire site down for a certain period of time, agreed to in private, to prove they’re legit.

“The owner of a bullet-proofed server at least accepts that the content he hosts could be anything.” —Dmitry Bestuzhev

Lampeduza also offers an escrow service “offered free of charge for those … who didn’t yet go through verification process or [if] there’s no way for reviewers to verify vendor’s services, products and/or abilities.”

Escrow is useful when two parties want to transact with each other but don’t necessarily trust each other. They can hire a neutral third party to hold on to the money and only turn it over when the respecified goods or services are received.

In a marketplace where almost everyone is transacting anonymously—and are probably only there in the first place because they’ve stolen something or are looking to purchase something stolen—offering escrow is a way for Lampeduza to avoid having to definitively answer the age-old question, “Is there honor among thieves?”

Scam or be scammed

In the real world, ratings sites like Yelp offer a checks and balances between a company and its customers. Positive experiences and reputable customer service, at least in theory, engender brand loyalty and higher ratings. It’s the same thing on the Deep Web.

“Buyer beware always, but it’s like eBay,” Krebs said, noting that many sites maintain public ratings of buyers and sellers. “You can see vendors’ transaction histories. You can see if they’ve done business with people and gotten bad reviews. If you transact with someone on eBay, or on one of these sites, with zero reviews, then that’s on you.”

If moderators identify a user as having a history of not living up to his or her end of a deal, they can slap that person with a “ripper” tag, forever labeling them someone who isn’t to be trusted. To continue Krebs’s medieval metaphor, it’s like being taken out to the stocks.

Bulletin board services like Lampeduza aren’t just about buying and selling, they’re also a training ground for people involved in “carding,” the shorthand for credit card fraud. Users often freely share the tricks of the trade.

“Typically the most active users are the moderators and the new guys,” Krebs explained. “The new guys often need a lot of help getting their cybercrime operations started and maybe they don’t have the best grasp of how to do it. They’re looking for tutorials, they’re looking for help on getting their operations going, and they’re often willing to outsource the parts they don’t know how to do themselves.”

One recent post on Lampeduza offered one-on-one carding lessons for anyone willing to pay $800, but there’s also a considerable amount of advice doled out for free. A user posted a question about using stolen airline gift vouchers to score free flights:

lampeduza-flying-question

Someone quickly responded with some advice:

thisonething

And another user told a personal story:

thistwothing

Similar bulletin board site, BlackStuff, is packed with entry-level tutorials about how to get started in carding and long threads of sage wisdom. One such thread explained why the best time of year to make illegal bank transfers with someone’s stolen account information is around Christmas because the increased volume of legitimate transfers that occur around the holiday season may help to obscure any fraudulent activity.

There’s an underlying “scam or be scammed” mentality that permeates these black markets.

The user communities on these sites also help people avoid getting scammed elsewhere on the Internet. There are threads dedicated to listing which other carding sites are run by scammers just looking to charge potential users a fee for access and give nothing in return. Often sites pop up designed to look exactly like longstanding carding sites. Those sites are attempts to trick users into entering their login into for the legit carding sites or convince users into paying for access to carding information that doesn’t exist.

Even still, there’s an underlying “scam or be scammed” mentality that permeates these black markets.

Upon viewing some of them, visitors are often briefly greeted by a loading screen informing them they are in the process of being screened by a DDoS attack prevention system.

cloudflare

DDoS prevention mechanisms, offered by oft-idealistic companies like CloudFlare, check each incoming bit of traffic coming into a website to determine if that traffic is part of DDoS attack. They effectively put up a shield against someone trying to take the server offline.

That this sort of DDoS protection is rampant across these black market sites shows that their operators are seriously concerned about being attacked.

“These sites are constantly hacking each other,” Krebs explained, noting that the desire to knock one’s competitors at least temporarily offline is likely a good bit more complicated than trying to get more business by making one less site available for people to use.

“Usually it’s mainly ego-based,” he noted. “You hear this a lot from law enforcement people about how it’s no longer about notoriety, it’s about money. Yeah, it’s about money, but that doesn’t mean it isn’t also about notoriety. A lot these guys have tremendous egos.”

For the people who managed to set up these thriving communities outside the law and operate them for long periods of time without being nabbed, those big egos may be well-earned.

 

Illustration by Max Fleishman