Threat Intelligence Blog

Posted November 20, 2019

In 2019, U.S. and EU law enforcement authorities cracked down on some of the biggest Dark Web marketplaces in the world.  Investigators targeted the notorious drug trafficking shops “Wall Street Market,” “Valhalla,” and “Dream Market,” shut down the black market advertising forum “DeepDotWeb,” and arrested 337 users of the world’s largest child pornography website “Welcome to Video.” While authorities work to dismantle and deter online criminal enterprises, this ecosystem is proving resilient.

Halting the distribution of contraband on the Dark Web continues to be a resource-intensive challenge of the highest priority for many governments around the world. This reality means that other cybercriminal forums face far less police pressure, particularly those specializing in the sale of hacking tools and stolen sensitive data, including compromised card credentials and personally identifying information (PII). Much of the onus remains on the private sector to detect and investigate these kinds of online threat actors.

LookingGlass contributed to this effort in its recent independent research and analysis of the largest compromised card shop in the world – “Joker’s Stash” – which sells millions of cards from thousands of compromises through a sophisticated sourcing and marketing operation. Determining how these cards end up in such marketplaces poses many investigatory challenges for financial service providers. This type of investigation often requires dedicated monitoring and intelligence analysis capabilities.

In this blog, LookingGlass presents one application of these capabilities using a high volume of compromised card data collected in May 2019. The findings demonstrate both the scale of financial fraud targeting the U.S. banking sector and the value of actionable intelligence to deter suspected threat actors.

Monitoring for Compromised Card Credentials

Stolen financial data is disseminated across the Deep, Dark, and Open Web in various forms, including login-based carding shops, cybercriminal forums, social media, instant messaging platforms, and public pasting sites. Monitoring for compromised card credentials is possible across all of these environments, but one of the most effective points of entry is the card checker service, particularly in underground chat channels that are reachable through open source collection. These channels exist to “check” compromised cards: a bot tests each card’s validity by attempting a small transaction on an e-commerce website and reports whether the card is live or declined. To use the bot, would-be cybercriminals often post the full number, expiration date, security code, and issuing institution of stolen debit and credit cards in the clear.

For this study, LookingGlass assessed five of the top U.S.-operating financial institutions over a two-week period, selected because of the high volume of card checking activity observed against them on multiple chat channels. From May 13, 2019 to May 26, 2019, LookingGlass collected 866 compromised cards issued by the five selected banks, anonymized here as Banks A, B, C, D, and E. Figure 1 details, for each bank, the number of exposed credit and debit cards, the number of unique Bank Identification Numbers (BINs) targeted, the number of threat actors involved, and the rate of validity reported by the card checkers. This data is a slice of a larger set of sensitive data collected, including cardholder information and threat actor communications, that enables the identification of possible organizational breaches, the location of suspected carding operations, and the naming of suspected threat actors.


Figure 1. Collection of Compromised Cards Issued by Five U.S. Banks (May 13 – 26, 2019)
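The collector behind a breakdown like the one above has to do three things with raw channel traffic: find exposed cards, discard numbers that cannot be real (typos, test strings), and attribute each card to an issuer, a BIN, an actor moniker, and a checker verdict. The following is an added example written for this post, not LookingGlass tooling. The chat excerpt, the BIN-to-issuer table, the “PAN|MM|YY|CVV” message layout, and the “bot:” verdict format are all constructed assumptions about how a checker channel formats its traffic; a real deployment would substitute the issuer’s own BIN ranges and the channel’s actual syntax.

```python
"""Triage of card credentials exposed in a card-checker chat channel.

Added illustration, not LookingGlass code. The chat lines, BIN table and
message formats below are constructed for the example.
"""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import List, Optional

# Constructed BIN-to-issuer table keyed on the first six PAN digits. A real
# monitor would use the issuer's own BIN ranges or a licensed BIN database.
BIN_TABLE = {"453957": "Bank A", "542523": "Bank B", "491633": "Bank C"}

# Constructed channel excerpt. Layout "<moniker>: PAN|MM|YY|CVV" and the
# "bot: <PAN> LIVE|DECLINED" verdict lines are assumptions. The last card
# fails the Luhn check (a typo), and the final line is unrelated chatter.
SAMPLE_CHAT = """\
carder01: 4539578763621486|09|21|123
bot: 4539578763621486 LIVE
carder02: 5425233430109903|11|22|456
bot: 5425233430109903 DECLINED
carder01: 4916338506082832|01|23|789
bot: 4916338506082832 LIVE
carder03: 4539578763621487|09|21|123
noise: anyone have a working checker?
"""

CARD_RE = re.compile(
    r"\b(?P<pan>\d{13,19})\|(?P<mm>\d{2})\|(?P<yy>\d{2})\|(?P<cvv>\d{3,4})\b")
VERDICT_RE = re.compile(r"^bot:\s*(?P<pan>\d{13,19})\s+(?P<verdict>LIVE|DECLINED)\b")


@dataclass
class Exposure:
    actor: str
    pan: str
    expiry: str
    cvv: str
    luhn_ok: bool
    bin6: str
    issuer: str
    verdict: Optional[str] = None


def luhn_valid(pan: str) -> bool:
    """Luhn check-digit test; drops typos and fabricated numbers before triage."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:            # every second digit from the right is doubled
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def extract_exposures(chat: str) -> List[Exposure]:
    """Pull exposed cards out of a transcript and attach the bot's verdicts."""
    verdicts = {}
    for line in chat.splitlines():
        m = VERDICT_RE.match(line)
        if m:
            verdicts[m["pan"]] = m["verdict"]
    found = []
    for line in chat.splitlines():
        actor, sep, body = line.partition(":")
        if not sep or actor == "bot":
            continue
        for m in CARD_RE.finditer(body):
            pan = m["pan"]
            found.append(Exposure(
                actor=actor.strip(), pan=pan, expiry=f"{m['mm']}/{m['yy']}",
                cvv=m["cvv"], luhn_ok=luhn_valid(pan), bin6=pan[:6],
                issuer=BIN_TABLE.get(pan[:6], "unknown"), verdict=verdicts.get(pan)))
    return found


def summarize(exposures: List[Exposure]) -> dict:
    """Per-issuer cards, unique BINs, actors and checker validity rate."""
    rows = defaultdict(lambda: {"cards": 0, "bins": set(), "actors": set(),
                                "live": 0, "checked": 0})
    for e in exposures:
        if not e.luhn_ok:         # Luhn failures never reach the per-bank figures
            continue
        r = rows[e.issuer]
        r["cards"] += 1
        r["bins"].add(e.bin6)
        r["actors"].add(e.actor)
        if e.verdict:
            r["checked"] += 1
            r["live"] += int(e.verdict == "LIVE")
    return {issuer: {"cards": r["cards"], "unique_bins": len(r["bins"]),
                     "actors": len(r["actors"]),
                     "validity_rate": r["live"] / r["checked"] if r["checked"] else None}
            for issuer, r in rows.items()}


def top_actor_share(exposures: List[Exposure], n: int = 10) -> float:
    """Fraction of Luhn-valid exposures posted by the n most active monikers."""
    counts = Counter(e.actor for e in exposures if e.luhn_ok)
    total = sum(counts.values())
    return sum(c for _, c in counts.most_common(n)) / total if total else 0.0


def redact(pan: str) -> str:
    """Keep BIN and last four for analysts; never store or log the full PAN or CVV."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


if __name__ == "__main__":
    ex = extract_exposures(SAMPLE_CHAT)
    for e in ex:
        print(e.actor, redact(e.pan), e.issuer, e.expiry,
              "luhn_ok" if e.luhn_ok else "LUHN_FAIL", e.verdict)
    print(summarize(ex))
    print(f"top-2 actor share: {top_actor_share(ex, 2):.0%}")
```

Two design points matter in practice. The Luhn filter runs before anything is counted, otherwise the “cards per bank” figure inflates with garbage the checker bot would have rejected anyway. And the full PAN and CVV exist only transiently inside the parser: what gets persisted or shared with a bank is the BIN, last four, expiry, actor moniker and verdict, which is enough to match against the issuer’s own records without the monitoring program itself becoming a cardholder-data store.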

Identifying Possible Organizational Breaches

The presence of compromised cards in these channels may indicate a wider system or network breach. During this study, LookingGlass identified four possible attempts to breach U.S. organizations by correlating dumped cardholder data to business locations. The potential victims include a California-based health care company, a Florida-based defense contractor, a New Jersey-based chimney business, and a Vermont-based restaurant. A company credit or debit card surfacing online can mean one of two things. Either unauthorized access to the company’s network was already established and the card data was stolen and leaked directly, or only the payment credentials were stolen, for example through a compromised payment terminal or an unsecured public network, in which case the card may become the starting point for an attempt to compromise the organization itself.

In particular, the compromised Bank C credit card associated with the health care company also contained data about how the card was obtained: “MIX_SNIFF_P2”. This shorthand denotes the name of the dump being sold on the black market and indicates that a “sniffer” was likely used to intercept financial data being transferred over a network. Additional open source research reveals that this dump was first advertised back in May 2018 on multiple Russian-language hacker forums and on the pasting site Pastebin. The compromised card appears to be old and recycled for sale on the Russia-hosted carding shop “Ferum Shop”, which explains why this card was “DECLINED” upon checking for validity.

Locating Suspected Carding Operations

Depending on the source of the compromise, distributors expose different data alongside stolen cards. For example, “Joker’s Stash” indexes each card by the city or ZIP code of the location from which the card was stolen. In other cases, such as the cards dumped in chat channels, the residential address tied to the cardholder’s account is listed next to each exposed card. In this investigation, LookingGlass found that 22 percent of observed compromised cards in multiple checker channels were linked to residential addresses. Figure 2 below is a geographic map displaying the number of these compromised cards by cardholder location for Banks A, B, C, D, and E.


Figure 2. Compromised Cards of Five U.S. Banks by Cardholder Location Data (N=193)

From May 13, 2019 to May 26, 2019, LookingGlass recorded 193 compromised cards of cardholders with listed addresses in 38 U.S. states. Over 78 percent of this total are debit cards issued by either Bank C or Bank D. The top U.S. states based on compromised cardholder location data are: California (37), New Jersey (21), New York (18), Florida (12), North Carolina (12), and Pennsylvania (11). This data may suggest the presence of criminal financial operations in these areas.

U.S. banking customers have faced an increasing threat of this type of financial fraud in recent years. According to the data analytics company Fair Isaac Corporation (FICO), the rate of debit card compromise has almost doubled year over year in the United States based on publicly reported data for the years 2015 to 2017. The majority of compromises occurred at non-bank ATMs followed by ATMs and point-of-sale (POS) devices at merchant locations. Threat actors are exploiting increasingly sophisticated and readily available “skimming” technology to implant devices that intercept card data during transactions.

As part of this study, LookingGlass successfully correlated the geographic locations of multiple compromised debit cards in checker channels to recent police reports of skimming operations in proximity to those areas. For example, during the two weeks of collection in May 2019, an assessed 15 debit cards were compromised within 30 miles of Philadelphia, PA. On June 8, 2019, a victim of a likely card skimming scheme posted on Facebook that they had received information about an ongoing criminal financial operation directly from authorities in Gloucester Township, NJ, which is located eight miles east of Philadelphia. The victim noted that this was the latest in a string of incidents reported in the area during the preceding week, attributed to a suspected skimmer or remote device stealing financial credentials at ATMs.


Figure 3. Proximity of Criminal Operation to Compromised Cardholders Near Philadelphia (N=15)

It is difficult to determine from location data dumped with a compromised card alone whether the associated address is anywhere near the point of compromise; a cardholder’s home address and the ATM where the card was skimmed are not the same place. However, the above example is notably corroborated by a social media report of criminal activity on the ground. Figure 3 displays the proximity of this reported carding operation to the nearby residential addresses of compromised cards found in monitored chat environments.
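The proximity correlation described above reduces to a radius query: geocode the residential addresses dumped with each card, then ask which of them fall within a chosen distance of a reported skimming location. The following is an added example and not LookingGlass tooling. It assumes the address-to-coordinate geocoding has already been done, and the cardholder coordinates are constructed for the illustration; only the Philadelphia reference point is a real (approximate) location.

```python
"""Radius query of geocoded cardholder addresses around a reported incident.

Added illustration, not LookingGlass code. Cardholder coordinates are
constructed; geocoding of the dumped addresses is assumed to be done already.
"""
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt
from typing import List, Tuple

EARTH_RADIUS_MILES = 3958.8


@dataclass(frozen=True)
class CardLocation:
    card_id: str      # internal tracking id; never the PAN itself
    lat: float
    lon: float


# Constructed sample of geocoded cardholder addresses (not real cardholders).
SAMPLE_CARDS = [
    CardLocation("card-1", 39.9526, -75.1652),   # central Philadelphia
    CardLocation("card-2", 40.2000, -75.3000),   # suburb north-west of the city
    CardLocation("card-3", 40.7128, -74.0060),   # New York City, well outside 30 miles
]

# Reference point for the query: Philadelphia City Hall, approximate.
PHILADELPHIA: Tuple[float, float] = (39.9526, -75.1652)


def haversine_miles(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points in statute miles."""
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlam = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_MILES * asin(sqrt(a))


def cards_near(center: Tuple[float, float], cards: List[CardLocation],
               radius_miles: float = 30.0) -> List[CardLocation]:
    """Cards whose cardholder address lies within radius_miles of center, nearest first."""
    lat0, lon0 = center
    hits = []
    for card in cards:
        d = haversine_miles(lat0, lon0, card.lat, card.lon)
        if d <= radius_miles:
            hits.append((d, card))
    hits.sort(key=lambda pair: pair[0])
    return [card for _, card in hits]


if __name__ == "__main__":
    for card in cards_near(PHILADELPHIA, SAMPLE_CARDS, radius_miles=30):
        d = haversine_miles(*PHILADELPHIA, card.lat, card.lon)
        print(f"{card.card_id}: {d:.1f} miles from reference point")
```

The radius is the analyst’s choice, and the caveat from the text applies: a hit means the cardholder lives near the incident, not that the card was skimmed there. The query is useful for prioritizing which ATMs and terminals to audit, and becomes evidence only once it is corroborated by a police report, a merchant complaint, or the issuer’s own authorization data.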

Moving Toward Threat Actor Attribution

Continuous and consistent monitoring of checker channels not only enables the above analysis, but also offers insights into the characteristics of threat actors. The top 10 threat actors out of over 200 accounted for 40 percent of all compromised cards. Threat actor moniker tracking allows for a risk-based approach to determining which online adversaries to devote the most resources to for response and mitigation.

Threat actor communications posted between piecemeal card checks may also divulge information useful for attribution investigations. LookingGlass observed threat actors disclosing their locations and using various languages, including Bangla, Cebuano, English, French, Hindi, Portuguese, Slovenian, and Spanish, to communicate in checker channels, indicating the global spread of adversaries engaged in buying and selling compromised credentials of U.S. cardholders. Certain threat actors exhibited less operational security awareness than others. For instance, conversations like the one in Figure 4 often progressed to disclosing social media accounts and other personal information that an investigator may exploit to identify fraudsters involved in carding against U.S. financial institutions.


Figure 4. Threat Actor Communications Posted Between Card Checking (May 17, 2019)

Building Capabilities to Counter Carding Threats

As U.S. law enforcement authorities prioritize other concerns, financial service providers should build their intelligence capabilities and leverage cyber expertise through vendors to counter such carding threats and other information security risks. A monitoring program for compromised credentials distributed across the Deep, Dark, and Open Web is essential in reacting quickly to the targeting of customers and employees. Insights into the exposure of cardholders, geographic localization of card compromises, and characteristics of the most active threat actors guide the allocation of limited resources to execute risk-based audits of specific ATMs and other payment terminals, grow relationships with law enforcement authorities in high-threat areas, and initiate targeted attribution investigations against specific threat actors, potentially assisting in the neutralization of the threat.

Note: LookingGlass establishes access to online environments assessed to pose information security threats and conducts automated collection of posts containing specific threat terms. All data collected for this study was sourced from high-risk channels hosting bot-based card checker services utilized by online actors exposing compromised credentials. LookingGlass did not engage in any activity on these forums. If you are interested in learning more about LookingGlass threat intelligence services, contact us here.
