http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
State of Black Market for Stolen Credit Cards
(2017)
by N. Vlajic
Why Do Hackers Go After Credit Cards ?
With more and more businesses as well as shoppers going ‘online’ …
‘low hanging fruit’ for criminals
* C.C. numbers can be easily stolen from under-protected e-commerce Web-sites
immediate payoff
* stolen C.C. numbers can be used right away, anywhere on the Internet
low likelihood of capture
* it is easy to obscure evidence (e.g., use TOR)
How Do Credit Card Numbers Get Stolen ?
Contactless Scenario 1: Harry the Hacker
methods of ‘operation’
* malware installed on a corporate server
* malware installed on a public computer – data skimmed whenever a user enters their bank number, credit card number, email address, password …
* malware installed on a public server – malware downloaded to a client machine at every visit to the infected Web-site
Contactless Scenario 2: Phishing Phil
method of ‘operation’
* malware sent via email as attachment / link
- user must be fooled into opening the attachment / link and initiating malware installation
phishing = most common ‘attack vector’ in most (corporate) hacks
Contactless Scenario 3: Smart Junky
method of ‘operation’
* look for disposed billing statements
- usually contain complete credit card numbers, address, and other personal information
“Trash bins are a goldmine for identity thieves – make sure you shred personal and financial documents before putting them in the garbage.”
http://www.rcmp-grc.gc.ca/scams-fraudes/id-theft-vol-eng.htm
Examples of ID Theft and Fraud
Willard C. Smith, the famous actor, was a victim of ID theft committed by Carlos Lomax, who has also been charged with stealing the identity and personal information of famous celebs. Lomax had opened 14 credit cards in Will Smith’s name and racked up a balance of $34,000 in the victim’s name.
Anthony Lemar Taylor impersonated the world famous golfer Tiger Woods and used his SSN and date of birth to get a driver’s license and a credit card in the golfer’s real name - Eldrick T Woods. Taylor went on a shopping spree using the fake credit card to buy himself a luxury car, a 70-inch TV and other presents worth $17,000.
Luis Flores, Jr., stole Kim Kardashian’s identity and transferred. He had changed the SSN on the account to his own and requested a replacement card to be mailed to his address, where he lived with his mother.
Contact Scenario 1: Waiter/Waitress with Payment Terminal [ dangerous retail insider ]
method of ‘operation’
“The waitress whisks away your credit card and swipes it through the restaurant's register. Then, she pulls out a small device, about the size of an ice cube, from her apron and swipes it through that …”
Contact Scenario 2: Payment Terminal By ‘Outside Trio’ [ dangerous retail outsider 1 ]
method of ‘operation’
“Sally, Simon and Bud walk into a toy store. Bud waits in line to check out. When Bud is at the register, Simon comes running up to the clerk, screaming that his wife has fainted. As Sally and Simon distract the sales clerk, Bud switches the credit card reader at the register with a modified one of his own …”
Contact Scenario 3: Credit Card Skimmer (Gas Lass) [ dangerous retail outsider 2 ]
method of ‘operation’
“It's late. There's no one around except a sleepy attendant at the register inside. The Gas Lass attaches a skimmer over the credit card reader at the pump. It's a special skimmer: It emits a Bluetooth signal to a laptop close by. The Gas Lass heads off to the motel next door and sets up her laptop to receive the data …”
Where Do Stolen Credit Card Numbers Go ?
[Diagram labels: Credit Card Broker, Credit Card Carder]
1) Credit Card ‘Brokers’
black market ‘agents’ who buy and re-sell stolen credit card numbers
Central Shop = Web portal for sale of credit card data
http://centralshop.cn
What is the selling price for stolen credit card numbers?
http://www.theregister.co.uk/2013/07/02/mcafee_cybercrime_exposed/
http://www.mcafee.com/ca/about/news/2015/q4/20151015-01.aspx
What else can you find on the black market?
http://www.symantec.com/connect/blogs/underground-black-market-thriving-trade-stolen-data-malware-and-attack-services
2) Credit Card ‘Carders’
criminals that ultimately use/exploit stolen credit card numbers
ways carders use stolen c. c. numbers
print plastic card with the new number [ not effective in case of EMV/chip cards ]
make online purchases [ not easy on some sites as other user info may also be required ]
Which ‘talents’ should a carder possess?
“It is a race against the clock to charge as much money to the card as possible before the bank closes the account.”
carders must quickly extract & convert stolen money into other forms of capital [ process aka money laundering ]
extraction & conversion should be hard to detect or trace back
multiple ‘conversion steps’ often used
‘Credit to Gift Card Shell Game’
http://www.tripwire.com/state-of-security/vulnerability-management/how-stolen-target-credit-cards-are-used-on-the-black-market/
Money Mules
http://bambooinnovator.com/2013/11/26/more-singaporeans-succumbing-to-money-mule-temptation/
aka ‘smurfer’ - serves as an intermediary for criminals & criminal organisations
transports fraudulently gained money or goods to fraudsters
may or may not be aware of ‘true nature of business’
money mule ‘job Ad’ examples
money mule prosecution
https://www.us-cert.gov/sites/default/files/publications/money_mules.pdf
http://www.antimoneylaunderinglaw.com/2013/06/hk-woman-sentenced-for-being-a-mule-for-laundered-canadian-funds-in-hong-kong.html
http://blogs.msdn.com/b/tzink/archive/2010/12/23/graphic-how-a-money-mule-operation-works.aspx
How Do Carders Test Stolen C.C. Numbers ?
https://philanthropy.com/article/Fraud-Alert-Criminals-Test/233197
stolen credit card numbers not worth much unless verified
thieves use online payment websites to test whether c.c. numbers work
in some cases verification is done using bots
Charity Web-sites are ideal for testing of stolen c.c. due to simple (bot-friendly) design and little built-in security.
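From the side of a charity site operator, the bot-driven testing described above leaves a recognisable trace in the payment log: one client, many different cards, small amounts, mostly declines. The detector below is an added example, not part of the original slides; the log format, card tokens, IP addresses and thresholds are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: timestamp, client IP, card token, amount, gateway result.
SAMPLE_LOG = """\
2017-03-01T10:00:05 198.51.100.7 tok_a1 1.00 declined
2017-03-01T10:00:09 198.51.100.7 tok_b2 1.00 declined
2017-03-01T10:00:14 198.51.100.7 tok_c3 1.00 approved
2017-03-01T10:00:18 198.51.100.7 tok_d4 1.00 declined
2017-03-01T10:02:00 203.0.113.20 tok_f6 50.00 approved
2017-03-01T10:07:30 203.0.113.21 tok_g7 25.00 declined
2017-03-01T10:08:10 203.0.113.21 tok_g7 25.00 approved
"""

# Thresholds are assumptions for illustration; tune them against real traffic.
WINDOW = timedelta(minutes=5)  # look-back window per client IP
MIN_CARDS = 4                  # distinct cards from one client inside the window
MIN_DECLINE_RATE = 0.5         # unverified batches contain many cards that no longer work
SMALL_AMOUNT = 5.00            # test charges are kept small


def parse(log):
    """Yield (time, ip, token, amount, result) tuples from the log text."""
    for line in log.strip().splitlines():
        ts, ip, token, amount, result = line.split()
        yield datetime.fromisoformat(ts), ip, token, float(amount), result


def find_card_testing(log):
    """Return {ip: reason} for clients whose donations look like a testing burst."""
    by_ip = defaultdict(list)
    for event in parse(log):
        by_ip[event[1]].append(event)
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > WINDOW:
                start += 1  # slide the window forward
            window = events[start:end + 1]
            cards = {e[2] for e in window}
            declines = sum(e[4] == "declined" for e in window)
            if (len(cards) >= MIN_CARDS
                    and all(e[3] <= SMALL_AMOUNT for e in window)
                    and declines / len(window) >= MIN_DECLINE_RATE):
                flagged[ip] = f"{len(cards)} cards, {declines}/{len(window)} declined"
                break
    return flagged
```

The donor who retries a single card after one decline (203.0.113.21) is not flagged, because the rule keys on the number of distinct cards rather than on declines alone.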
How Do Law Enforcement Officers Deal With C.C. Hacks ?
for most cases under $2,000, credit card fraud is investigated by the issuing bank or card provider, not the police
in cases where the dollar amount exceeds $2,000, local police will get involved and work alongside the card issuer to pursue the criminal
How Do Law Enforcement Officers Discover and Prevent C.C. Hacks ?
http://krebsonsecurity.com/2015/12/when-undercover-credit-card-buys-go-bad/#more-33186
LE & anti-fraud specialists purchase batches of c.c. numbers from crime forums / carding sites
look for patterns that might help identify who got breached
carding site Rescator is now able to detect ‘suspicious’ transactions done by law enforcement officials
purchases get declined
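One pattern analysts look for in a purchased batch is a merchant that the cards have in common far more often than chance would explain (common point-of-purchase analysis). The sketch below is an added example, not part of the original slides; the card tokens, merchant names, transaction histories and baseline shares are constructed, and it assumes the card issuer can look up where each card was used before it appeared for sale.

```python
from collections import Counter

# Constructed data: card token from a purchased batch -> merchants where that card
# was legitimately used before it appeared for sale (issuer-side history, assumed).
PURCHASED_BATCH = {
    "tok_01": {"grocer-A", "fuel-B", "toystore-C"},
    "tok_02": {"grocer-A", "toystore-C"},
    "tok_03": {"grocer-A", "toystore-C", "cafe-D"},
    "tok_04": {"fuel-B", "toystore-C"},
    "tok_05": {"grocer-A", "toystore-C", "cafe-D"},
}

# Constructed baseline: share of ALL the issuer's cards seen at each merchant
# over the same period. Popular merchants show up on most cards regardless.
BASELINE_SHARE = {"grocer-A": 0.70, "fuel-B": 0.35, "toystore-C": 0.02, "cafe-D": 0.10}


def rank_common_points(batch, baseline, min_share=0.6):
    """Rank merchants by how over-represented they are among the batch's cards.

    Returns (merchant, share_of_batch, lift) tuples, highest lift first.
    lift = share of batch cards seen at the merchant / share of all cards seen there.
    """
    counts = Counter(m for merchants in batch.values() for m in merchants)
    ranked = []
    for merchant, hits in counts.items():
        share = hits / len(batch)
        if share < min_share:
            continue  # too few cards in common to explain the batch
        lift = share / baseline[merchant]
        ranked.append((merchant, round(share, 2), round(lift, 1)))
    return sorted(ranked, key=lambda row: row[2], reverse=True)


if __name__ == "__main__":
    for row in rank_common_points(PURCHASED_BATCH, BASELINE_SHARE):
        print(row)
```

Raw overlap alone would also point at the grocer, which 4 of the 5 cards visited; dividing by the baseline share is what separates an everyday merchant from the likely breach source.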
References
[1] bloomberg.com: http://www.bloomberg.com/graphics/2014-data-breaches/
[2] bankrate.com: http://www.bankrate.com/finance/credit-cards/5-ways-thieves-steal-credit-card-data-1.aspx
[3] engadget.com: http://www.engadget.com/2014/07/28/credit-card-skimming-explainer/
[4] motherboard.vice.com: http://motherboard.vice.com/read/weve-never-seen-a-stolen-credit-card-market-as-slick-as-this
[5] symantec.com: http://www.symantec.com/connect/blogs/underground-black-market-thriving-trade-stolen-data-malware-and-attack-services/
[6] dailymail.co.uk: http://www.dailymail.co.uk/sciencetech/article-3276190/How-personal-data-worth-Netflix-details-start-1-hackers-pay-1-200-banking-password.html
[7] mcafee.com: http://www.mcafee.com/ca/about/news/2015/q4/20151015-01.aspx
[8] nerdwallet.com: http://www.nerdwallet.com/blog/credit-cards/stolen-credit-card-numbers/
[9] tripwire.com: http://www.tripwire.com/state-of-security/vulnerability-management/how-stolen-target-credit-cards-are-used-on-the-black-market/
[10] bambooinnovator.com: http://bambooinnovator.com/2013/11/26/more-singaporeans-succumbing-to-money-mule-temptation/
[11] Reuters.com: http://blogs.reuters.com/alison-frankel/2014/12/15/sonys-big-bluff-cant-beat-first-amendment/
[12] safeinternetbanking.com: https://www.safeinternetbanking.be/en/fraud-techniques/money-mules
[13] us-cert.gov: https://www.us-cert.gov/sites/default/files/publications/money_mules.pdf
[14] antimoneylaunderinglaw.com: http://www.antimoneylaunderinglaw.com/2013/06/hk-woman-sentenced-for-being-a-mule-for-laundered-canadian-funds-in-hong-kong.html
[15] blogs.msdn.com: http://blogs.msdn.com/b/tzink/archive/2010/12/23/graphic-how-a-money-mule-operation-works.aspx
[16] philanthropy.com: https://philanthropy.com/article/Fraud-Alert-Criminals-Test/233197
[17] krebsonsecurity.com: http://krebsonsecurity.com/2015/12/when-undercover-credit-card-buys-go-bad/#more-33186
[18] informationisbeautiful.net: http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks
Questions
1) What is the most common approach that hackers resort to in order to steal credit card numbers?
2) Define the term ‘broker’ in the context of the credit card fraud chain.
3) Which types of web-sites are commonly used by hackers for ‘testing’ of stolen credit card numbers?