State of Black Market for Stolen Credit Cards (2015) by N. Vlajic
http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
Worst Security Hacks of the Last Decade http://www.bloomberg.com/graphics/2014-data-breaches/
Why Do Hackers Go After Credit Cards? immediate payoff * stolen C.C. numbers can be used right away, anywhere in the Internet low hanging fruit for criminals * C.C. numbers can an be easily stolen from under-protected e-commerce Web-sites low likelihood of capture * it is easy to obscure evidence
How Do Credit Card Numbers Get Stolen? Scenario 1: Harry the Hacker methods of operation * malware installed on a corporate server * malware installed on a public computer data skimmed whenever user logs in their bank number, credit card number, email address, password * malware installed on a public server malware downloaded to a client machine at every visit of infected Web-site
How Do Credit Card Numbers Get Stolen? Scenario 2: Phishing Phil method of operation * malware sent via email as attachment / link - user must be fooled at opening attachment / link and initiating malware installation phishing = most common attack vector in most (corporate) hacks
How Do Credit Card Numbers Get Stolen? Scenario 3: Waiter/Waitress with Payment Terminal [ dangerous retail insider ] method of operation The waitress whisks away your credit card and swipes it through the restaurant's register. Then, she pulls out a small device, about the size of an ice cube, from her apron and swipes it through that
How Do Credit Card Numbers Get Stolen? Scenario 4: Payment Terminal By Outside Trio [ dangerous retail outsider 1 ] method of operation Sally, Simon and Bud walk into a toy store. Bud waits in line to check out. When Bud is at the register, Simon comes running up to the clerk, screaming that his wife has fainted. As Sally and Simon distract the sales clerk, Bud switches the credit card reader at the register with a modified one of his own
How Do Credit Card Numbers Get Stolen? Scenario 5: Credit Card Skimmer (Gas Lass) [ dangerous retail outsider 2 ] method of operation It's late. There's no one around except a sleepy attendant at the register inside. The Gas Lass attaches a skimmer over the credit card reader at the pump. It's a special skimmer: It emits a Bluetooth signal to a laptop close by. The Gas Lass heads off to the motel next door and sets up her laptop to receive the data
Where Do Stolen Credit Card Numbers Go? Credit Card Broker Credit Card Carder
Where Do Stolen Credit Card Numbers Go? 1) Credit Card Brokers black market agents who buy and re-sell stolen credit card numbers
Central Shop = Web portal for sale of credit card data http://centralshop.cn
What is the selling price for stolen credit card numbers? http://www.mcafee.com/ca/about/news/2015/q4/20151015-01.aspx http://www.theregister.co.uk/2013/07/02/mcafee_cybercrime_exposed/
What else can you find on the black market? http://www.symantec.com/connect/blogs/underground-black-market-thriving-trade-stolen-data-malware-and-attack-services
Where Do Stolen Credit Card Numbers Go? 2) Credit Card Carders criminals that ultimately use/exploit stolen credit card numbers ways carders use stolen c. c. numbers print plastic card with the new number [ not effective in case of EMV/chip cards ] make online purchases [ not easy on some sites as other user info may also be required]
It is race against the clock to charge as much money to the card as possible before the bank closes the account. carders must quickly extract & convert stolen money into other forms of capital [ process aka as money laundering ] extraction & conversion should be hard to detect or trace back multiple conversion steps often used
Credit to Gift Card Shell Game http://www.tripwire.com/state-of-security/vulnerability-management/how-stolen-target-credit-cards-are-used-on-the-black-market/
Money Mules aka smurfer - serves as an intermediary for criminals & criminal organisations transport fraudulently gained money or goods to fraudsters may or may not be aware of true nature of business http://bambooinnovator.com/2013/11/26/more-singaporeans-succumbing-to-money-mule-temptation/
Money Mules money mule job Ad examples
Money Mules money mule prosecution https://www.us-cert.gov/sites/default/files/publications/money_mules.pdf
Money Mules http://www.antimoneylaunderinglaw.com/2013/06/hk-woman-sentenced-for-being-a-mule-for-laundered-canadian-funds-in-hong-kong.html
Money Mules http://blogs.msdn.com/b/tzink/archive/2010/12/23/graphic-how-a-money-mule-operation-works.aspx
https://philanthropy.com/article/fraud-alert-criminals-test/233197 How Do Carders Test Stolen C.C. Numbers? stolen credit card numbers not worth much unless verified thieves use online payment websites to test whether c.c. numbers work in some cases verification is done using bots Charity Web-sites are ideal for testing of stolen c.c. due to simple (bot-friendly) design and little built-in security.
http://krebsonsecurity.com/2015/12/when-undercover-credit-card-buys-go-bad/#more-33186 How Do Law Enforcement Officers Discover C.C. Hacks? LAO & anti-fraud specialists purchase batches of c.c. numbers from crime forums / carding sites look for patterns that might help identify who got breached carding site Rescator is now able to detect suspicious transactions done by law enforcement officials purchases get declined
[1] bloomberg.com [2] bankrate.com References http://www.bloomberg.com/graphics/2014-data-breaches/ http://www.bankrate.com/finance/credit-cards/5-ways-thieves-steal-credit-card-data-1.aspx [3] engadget.com http://www.engadget.com/2014/07/28/credit-card-skimming-explainer/ [4] motherboard.vice.com http://motherboard.vice.com/read/weve-never-seen-a-stolen-credit-card-market-as-slick-as-this [5] symantec.com [6] dailymail.co.uk http://www.symantec.com/connect/blogs/underground-black-market-thriving-trade-stolendata-malware-and-attack-services/ http://www.dailymail.co.uk/sciencetech/article-3276190/how-personal-data-worth-netflixdetails-start-1-hackers-pay-1-200-banking-password.html [7] mcafee.com http://www.mcafee.com/ca/about/news/2015/q4/20151015-01.aspx [8] nerdwallet.com http://www.nerdwallet.com/blog/credit-cards/stolen-credit-card-numbers/
[9] tripwire.com [10] bambooinnovator.com [11] Reuters.com [12] safeinternetbanking.com https://www.safeinternetbanking.be/en/fraud-techniques/money-mules [13] us-cert.gov https://www.us-cert.gov/sites/default/files/publications/money_mules.pdf [14] antimoneylaunderinglaw.com [15] blogs.msdn.com [15] blogs.msdn.com http://www.tripwire.com/state-of-security/vulnerability-management/how-stolen-target-creditcards-are-used-on-the-black-market/ http://bambooinnovator.com/2013/11/26/more-singaporeans-succumbing-to-money-muletemptation/ http://blogs.reuters.com/alison-frankel/2014/12/15/sonys-big-bluff-cant-beat-firstamendment/ http://www.antimoneylaunderinglaw.com/2013/06/hk-woman-sentenced-for-being-a-mulefor-laundered-canadian-funds-in-hong-kong.html http://blogs.msdn.com/b/tzink/archive/2010/12/23/graphic-how-a-money-mule-operationworks.aspx http://blogs.msdn.com/b/tzink/archive/2010/12/23/graphic-how-a-money-mule-operation-
[16] philanthropy.com https://philanthropy.com/article/fraud-alert-criminals-test/233197 [17] kerbsonsecurity.com http://krebsonsecurity.com/2015/12/when-undercover-credit-card-buys-go-bad/#more-33186 [18] informationisbeautiful.net http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks
Questions 1) What is the most common approach that hackers resort to in order to steal credit card numbers? 2) Define the term broker in the context of credit card fraud chain? 3) Which types of web-sites are commonly used by hackers for testing of stolen credit card numbers?