THE HONEYNET PROJECT & THE HONEYNET RESEARCH ALLIANCE
Know Your Enemy - A Profile
Profile: Automated Credit Card Fraud
Assessment Date: 6 June, 2003
EXECUTIVE SUMMARY
Automation of Credit Card Fraud
For several years the Honeynet Project and Alliance members have been monitoring individuals using the Internet to trade or deal in stolen credit card information. In the past, these individuals (commonly called "carders") typically acted on their own without significant organization or automation. Recently, the Project has identified an organized exchange for stolen credit card information linking hundreds of carders worldwide through specialized IRC channels and related websites. This network provides far greater automation of a number of illicit activities contributing to credit card fraud and identity theft, including: compromising merchant sites, validating and verifying stolen credit card information, and the sale or exchange of stolen information. As with the automation and dissemination of exploit code in the vulnerability cycle, this implies a significant capacity for increased criminal activity.
WHAT IS HAPPENING
Stolen credit cards and related identity information (name, address, phone, etc.) have long been a popular form of illicit "currency" among cyber-criminals and within the blackhat community. However, the skill sets required to successfully steal credit card information online, and to successfully sell or exchange such information, have historically been limited to a relatively small number of online criminals possessing the full range of such skills.
Recently, an international network of IRC channels and related Web sites has arisen to facilitate credit card fraud and other forms of identity theft and payments fraud. Between 2 April 2003 and 13 May 2003, affiliated researchers observed over a dozen such IRC channels as traffic for these channels passed through an IRC proxy on a compromised host. The use of IRC channels and semi-covert Web sites for illicit activity is nothing new; this case, however, has several distinctive features:
Automation of carding activities: IRC bots were run on many of the intercepted channels to enable and facilitate elements of the attack and exploitation process, including: target (merchant site) identification, target exploitation, card validation, card verification, and accessing open proxies used to conceal online identity during commission of crimes. Users need master only a series of custom IRC commands to carry out many key activities of credit card / identity theft.
Distribution of carding information: Many of the above bot functions leverage extensive databases of application-level attacks, merchant sites to target for credit card fraud (a vulnerable site is said to be "cardable"), and credit card data, including card numbers, expiry dates, card validation values (known as CVVs) and associated personal identity information. One or more bot functions appear to draw data from third-party sources in real time, determining the validity and available credit of cards.
 
Active participation of channel moderators: In addition to their officially sanctioned duties in assisting new users and policing channel activity, several channel moderators were observed actively facilitating and participating in illicit behavior.
 
The end result is that for worldwide participants on these IRC channels, many of the technical and logistical barriers to large-scale online identity theft and subsequent credit card fraud have been removed.
TOOLS AND TACTICS
The IRC channels utilized by carders provide a sophisticated set of automated response generators or "bots" to facilitate the compromise of merchant sites, the validation or verification of card info from merchant records, and access to open proxies used to conceal online identity during commission of crimes. The executable for one common bot was downloaded from its author's public website. This bot is implemented in a monolithic script, with several associated flat-file databases that include a list of exploit URI (universal resource identifier) strings that can be executed through a Web browser to compromise a merchant website, a list of stolen identities, and a set of lists of targets (mostly Internet merchant sites) known to be vulnerable to credit card fraud, differentiated by industry (e.g. clothing, books, electronics). These tools are used in combination with an IRC client, so that text messages exchanged on an IRC channel can be monitored by the tool, which recognizes standard commands and sends responses to the channel. Such a combination of tool and IRC client functions as a bot. For example, active carders may remotely access the bot's databases, using the !cardable command to identify target merchants, and the !exploit command to obtain exploit URI strings that they may use to compromise merchant sites. Carders focus on targets of opportunity, with some vulnerable merchant sites apparently being compromised repeatedly. The !cc command, the command most often used, returns a random merchant record from a flat file of stolen credit card and identity information.
Channel participants do little to hide their activities. They transmit almost all their traffic clear text across public IRC networks, typically leveraging IRC proxies on compromised hosts to obfuscate their entry points into the network. The !proxy command requests a bot to provide the host name of an open proxy from its database, and the !proxychk command conveniently verifies the availability and correct operation of a proxy.
 
 
Typically, a prospective seller of stolen identities posts a sample of stolen information to a channel, including personal identity and payment instruments, e.g. credit card numbers, expiry dates, and, in some cases, PIN numbers and CVV2 numbers. This advertising/negotiation activity is the principal online activity, with actual deals being concluded via IRC private messages or other out-of-band means not readily susceptible to monitoring via honeypots. Carders and buyers alike use a variety of commands to verify that stolen credit card data is valid; for example, !chk is used to verify the correctness of credit card numbers, while !bank decodes the identity of the issuing bank. Of particular interest are the !cvv2 command, which verifies the card verification value associated with a given card, and the !cclimit command, which obtains the available credit limit associated with a given card. The existence of these commands implies significant knowledge and/or compromise of credit card networks.
WHO’S INVOLVED
Principal IRC channels used for this activity include: #cc, #ccards, #ccinfo, #ccpower, #ccs, #masterccs, #thacc, #thecc and #virgincc. Principal associated websites include: www.ccpower.info, www.ccpowerforms.org, www.ccpowerforums.net, www.ccsquad.org, www.ccworldz.net and www.forum-gs.net. Migration between channels and websites is frequent, complicating efforts to monitor illegal activities.
Preliminary analysis indicates international involvement in CC fraud, with the bulk of activity concentrated in South Asia and the Pacific Rim. There appear to be several distinct user groups: lurkers, apparently the vast majority of users, who join channels for varying periods but don't publicly participate; active participants, who message the channel for help using tools or to offer stolen identities or other contraband for sale or trade; and moderators, who monitor the IRC channels and offer support to users. Of special note is the apparent active involvement of moderators in the use of the channels for illicit activity. In addition to their sanctioned role as gatekeepers and enforcers of channel rules, the moderators facilitate illicit activity by assisting newcomers in using the bots, verifying/vouching for principal actors, and facilitating offline dealmaking. They may also have a commercial interest in the channel, accepting payments or items in trade in return for access. Finally, the existence of numerous bots and databases indicates a small, skilled base of "power users" driving tool development. It appears that this power-user base of moderators and toolmakers is small, probably numbering less than ten individuals. The monolithic nature of bot implementation implies a sole author, but several functionally similar but nevertheless distinct bots have been observed on various channels, implying the existence of multiple authors.
While the IRC channels are ostensibly established for carding, in practice they are also open forums for exchange of all sorts of stolen information and illicit activity, including the fencing of identities stolen offline (e.g. copied from a hotel ledger by a corrupt clerk) and stolen computer equipment. While online merchant customer records are the most common contraband, participants also offer other forms of goods and even services.
The chief motive for most participants appears to be financial gain. Typically, a prospective seller posts a generalized description of stolen identity/card information to a channel, usually including a sample in the form of a compromised merchant record. Prospective buyers may also post requests for specific goods to the channel. Many sellers are looking for someone to help them convert their contraband to cash, soliciting access to Paypal or other online payments systems that originate payments from credit cards online in return for a percentage cut (typically 50-60% of the take). Others are looking to trade contraband relevant to one instrument or channel (e.g. stolen ATM PINs and account numbers) for one more familiar to them (e.g. credit card numbers with CVVs) or for non-financial goods or services (e.g. root shell accounts on compromised systems). In almost all observed cases, deals were concluded out of band, presumably via private IRC messages, or e-mail or other simple means.
There is also a significant cultural component to these channels and websites. Lurkers and newbies are frequently recruited by active users and moderators to use the tools to commit what may be their first financial crimes. Supporting material found in related Web sites promotes "carding" as an alternative lifestyle choice rather than criminal activity.
CONCLUSIONS
By implementing and widely deploying automated aids to website attack and compromise, credit card and personal identity acquisition, concealment of identity during criminal activity, and exchange of stolen goods and services, power users within the carding community have decreased barriers of entry to the community and facilitated the commission of crimes by members of the community. The dollar volume of related crime is significant and appears to be on the increase, despite efforts by responsible IRC network operators to curtail illicit and illegal activity on their networks. By presenting their activities as a lifestyle choice rather than criminal fraud, members of the carding community entice others to join them. They pose a growing threat to the financial community, online merchants, and individual cardholders.
 
 
IRC COMMANDS IN REFERENCE TO CREDIT CARD EXCHANGE
!cardable classification
    Returns URLs of sites known to be vulnerable to credit card fraud from a database forwarded through the IRC channel. The classification argument returns sites of a particular type, e.g. electronics returns the URL of an electronics vendor.
!cc
    Obtains a credit card number from a database forwarded through the IRC channel.
!cclimit card_number
    Determines the available credit for a specified credit card.
!chk card_number
    Checks a credit card for validity.
!cvv2 card_number expiry_date
    Returns a valid CVV2 number for a given card.
!exploit
    Returns an exploit URI string from a database of known application-level Web server attacks.
!order.log
    Provides transaction detail of a compromised website.
!proxychk
    Verifies that an IRC proxy is working.
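As an added defender-side example (not part of the original paper), the following Python scans IRC log lines in the format of this page's chat excerpts for the bot commands listed above and for Luhn-valid card numbers, masking the numbers before a line is stored or alerted on; the sample log, nicks and proxy host are constructed, and the card number is the well-known Visa test number.

```python
import re

# Bot commands from the reference above; seeing them in captured IRC traffic
# (e.g. a honeypot that sees proxied channel traffic) is a strong indicator.
CARDING_COMMANDS = {"!cardable", "!cc", "!cclimit", "!chk", "!cvv2", "!bank",
                    "!exploit", "!order.log", "!proxy", "!proxychk"}
# Line layout of the chat excerpts on this page: "#channel HH:MM:SS nick: text"
LINE_RE = re.compile(r"^(#\S+)\s+(\d\d:\d\d:\d\d)\s+([^:\s]+):\s*(.*)$")
COMMAND_RE = re.compile(r"(?:^|\s)(![\w.]+)")
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")  # 13-19 digits, spaced or dashed

# Constructed sample in the page's format; 4111... is the well-known Visa test number.
SAMPLE_LOG = """\
#masterccs 10:04:04 newbie: !cc
#masterccs 10:05:33 Ccs`: newbie!cc Name: J. Doe |Card Number: 4111 1111 1111 1111
#masterccs 10:07:10 helper: !chk 4111111111111112
#masterccs 10:08:00 lurker: hi all
#masterccs 10:09:31 seller: !proxychk proxy.example.net:8080
"""

def luhn_ok(digits):
    """Luhn mod-10 check, the same arithmetic a !chk bot applies to a number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        total += d if i % 2 == 0 else (d * 2 if d < 5 else d * 2 - 9)
    return total % 10 == 0

def redact_pans(text):
    """Mask Luhn-valid card numbers, keeping the last four; return (text, count)."""
    count = 0
    def mask(m):
        nonlocal count
        digits = re.sub(r"\D", "", m.group(0))
        if not luhn_ok(digits):
            return m.group(0)  # random digit runs are left untouched
        count += 1
        return "X" * (len(digits) - 4) + digits[-4:]
    return PAN_RE.sub(mask, text), count

def analyze(log):
    """One (nick, commands, card_count, redacted_text) tuple per suspicious line."""
    findings = []
    for m in filter(None, map(LINE_RE.match, log.splitlines())):
        _chan, _when, nick, text = m.groups()
        cmds = [c for c in COMMAND_RE.findall(text) if c.lower() in CARDING_COMMANDS]
        clean, pans = redact_pans(text)
        if cmds or pans:
            findings.append((nick, cmds, pans, clean))
    return findings
```

Note that the bot reply line carries no command token of its own (the bot echoes "newbie!cc"), so it is caught only by the card-number check; both detections are needed.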
INTERNET RELAY CHATS, DEMONSTRATING TACTICS & MOTIVES
A non-online source of credit card information:
#masterccs 02:13:38 Pedro: Hi all, i work in the LaTourista hotel here in Peru and i have access to all ccs with full info, im looking for paypal, anyone interested ??? msg me !!! i verify first!
Carders advertise their trading capacity:
#MasterCcs 12:01:41 BigDealer: ACTION have a drop thrue WU if u guys want to cash out cc on any name u send I'll cash it out 50/50 msg me I can cash out up to 20 K a week
#MasterCcs 08:43:33 BiggerDealer: ACTION has a drop in a bank if u want to cash out stuff up to 100 000K a week msg me
Trading CCs for exploits and tools:
#MasterCcs 12:40:28 Spiner: ACTION wants 0day exploits or Redhat 7.2,7.3 rootkit. msg me for trade … i have root
Solicitation for channel advertisers:
#masterccs 08:00:34 Card-InFo: ACTION Good news For Shell Holder: If u have Shell/hosting and wanna Advertise then msg Op1 and Op2 and Op3 We will adv urs shell/hosting wid Auto msg
Channel ops discuss a difficult newbie:
#masterccs 14:18:40 TheOp: yeah i know AsstOp^- :P
#masterccs 14:19:07 AsstOp^-: hehehe
#masterccs 14:19:27 AsstOp^-: that bastard is killing me i tried to help him but he wont tell me whats happening on the command i told him
#masterccs 14:19:29 AsstOp^-: how can i help him them stupid as
#masterccs 14:19:31 AsstOp^-: ass
Solicitation for a bot author or owner:
#MasterCcs 06:58:06 BoogieMan: I need a Chk BOT ! i'll give to the Owner Sop access to the channel
Carder asks operator to banish a ripper, who cheated the carder:
#aimtech 18:23:22 ^Alky^: Vietkey ripped me cc akick him now
#aimtech 18:23:32 ^Alky^: ACTION thank TheOp
A newbie receives instruction and gets his first CC:
#MasterCcs 10:00:49 newbie: what i have to type to get cc info ?
#MasterCcs 10:01:15 helper: type !cc
#MasterCcs 10:04:04 newbie: !cc
#MasterCcs 10:05:33 Ccs`: newbie!cc Name: Yukio XXXXXXXX |Address: X-X-X-XXX |City: Koduru-shi |State: Tokyo |Zip: XXX-XXXX |Phone: N\A |Country: Japan |CardType: American Express |Card Number: XXXXXXXXXXXXXXX XXXX
