High Quality
Open the downloaded document, and select print from the file menu (PDF reader required).
THE HONEYNET PROJECT & THE HONEYNET RESEARCH ALLIANCE
1
Know Your Enemy - A Profile
Profile: Automated CreditCard Fraud
Assessment Date: 6 June, 2003
EXECUTIVE SUMMARY
Automation of Credit Card Fraud
For several years the Honeynet Project and Alliance members have been monitoringindividuals using the Internet to trade or dealin stolen credit card information. In the past,these individuals (commonly called “carders”)typically acted on their own without significantorganization or automation. Recently, theProject has identified an organized exchangefor stolen credit card information linkinghundreds of carders worldwide throughspecialized IRC channels and related websites. This network provides far greater automation of a number of illicit activitiescontributing to credit card fraud and identitytheft, including: compromising merchant sites,validating and verifying stolen credit cardinformation, and the sale or exchange of stolen information. As with the automationand dissemination of exploit code in thevulnerability cycle, this implies a significantcapacity for increased criminal activity.
WHAT IS HAPPENING
Stolen credit cards and related identityinformation (name, address, phone, etc.) havelong been a popular form of illicit “currency”among cyber-criminals and within the blackhatcommunity. However, the skill sets requiredto successfully steal credit card informationonline, and to successfully sell or exchangesuch information, have historically beenlimited to a relatively small number of onlinecriminals possessing the full range of suchskills.Recently, an international network of IRCchannels and related Web sites has arisen tofacilitate credit card fraud and other forms of identity theft and payments fraud. Between 2 April 2003 and 13 May 2003, affiliatedresearchers observed over a dozen such IRCchannels as traffic for these channels passedthrough an IRC proxy on a compromised host.The use of IRC channels and semi-covertWeb sites for illicit activity is nothing new; thiscase, however, has several distinctivefeatures:
Automation of carding activities
:
IRC botswere run on many of the intercepted channelsto enable and facilitate elements of the attackand exploitation process, including: target(merchant site) identification, targetexploitation, card validation, card verification,and accessing open proxies used to concealonline identity during commission of crimes.Users need master only a series of customIRC commands to carry out many keyactivities of credit card / identity theft.
Distribution of carding information
:
Many of the above bot functions leverage extensivedatabases of application-level attacks,merchant sites to target for credit card fraud (avulnerable site is said to be
cardable
), andcredit card data, including card numbers,expiry dates, card validation values (known asCVVs) and associated personal identityinformation. One or more bot functionsappear to draw data from third-party sourcesin real time, determining the validity andavailable credit of cards.
Active participation of channel moderators
:
In addition to their officiallysanctioned duties in assisting new users andpolicy channel activity, several channelmoderators were observed actively facilitatingand participating in illicit behavior.
The end result is that for worldwideparticipants on these IRC channels, many of the technical and logistical barriers to large-scale online identity theft and subsequentcredit card fraud have been removed.
TOOLS AND TACTICS
The IRC channels utilized by carders providea sophisticated set of automated responsegenerators or “bots” to facilitate thecompromise of merchant sites, the validationor verification of card info from merchantrecords, and access to open proxies used toconceal online identity during commission of crimes. The executable for one common botwas downloaded from its author’s public website. This bot is implemented in a monolithicscript, with several associated flat-filedatabases that include a list of exploit URI(universal resource identifier) strings that canbe executed through a Web browser tocompromise a merchant website, a list of stolen identities, and a set of lists of targets(mostly Internet merchant sites) known to bevulnerable to credit card fraud, differentiatedby industry (e.g. clothing, books, electronics).These tools are used in combination with anIRC client, so that text messages exchangedon an IRC channel can be monitored by thetool, which recognizes standard commandsand sends responses to the channel. Such acombination of tool and IRC client functions asa bot. For example, active carders mayremotely access the bot’s databases, usingthe
!cardable
command to identify targetmerchants, and the
!exploit
command toobtain exploit URI strings that they may use tocompromise merchant sites. Carders focuson targets of opportunity, with somevulnerable merchant sites apparently beingcompromised repeatedly. The
!cc
command,the command most often used, returns arandom merchant record from a flat file of stolen credit card and identity information.Channel participants do little to hide their activities. They transmit almost all their trafficclear text across public IRC networks, typicallyleveraging IRC proxies on compromised hoststo obfuscate their entry points into thenetwork. The
!proxy
command requests a botto provide the host name of an open proxyfrom its database and the
!proxychk
command conveniently verifies the availabilityand correct operation of a proxy.
THE HONEYNET PROJECT & THE HONEYNET RESEARCH ALLIANCE
2
Typically, a prospective seller of stolenidentities posts a sample of stolen informationto a channel, including personal identity andpayment instruments, e.g. credit cardnumbers, expiry dates, and, in some cases,PIN numbers and CVV2 numbers. Thisadvertising/negotiation activity is the principalonline activity, with actual deals beingconcluded via IRC private messages or other out-of-band means not readily susceptible tomonitoring via honeypots. Carders andbuyers alike use a variety of commands toverify that stolen credit card data is valid; for example,
!chk
is used to verify thecorrectness of credit card numbers, while
!bank
decodes the identity of the issuingbank. Of particular interest are the
!cvv2
command, which verifies the card verificationvalue associated with a given card, and the
!cclimit
command, which obtains theavailable credit limit associated with a givencard. The existence of these commandsimplies significant knowledge and/or compromise of credit card networks.
WHO’S INVOLVED
Principal IRC channels used for this activityinclude:#cc#ccards#ccinfo#ccpower #ccs#masterccs#thacc#thecc#virginccPrincipal associated websites include:www.ccpower.infowww. ccpowerforms.orgwww.ccpowerforums.netwww.ccsquad.orgwww.ccworldz.netwww.forum-gs.netMigration between channels and websites isfrequent, complicating efforts to monitor illegalactivities.Preliminary analysis indicates internationalinvolvement in CC fraud, with the bulk of activity concentrated in South Asia and thePacific Rim. There appear to be severaldistinct user groups:
lurkers
, apparently thevast majority of users, who join channels for varying periods but don’t publicly participate;
active participants
, who message the channelfor help using tools or to offer stolen identitiesor other contraband for sale or trade; and
moderators
, who monitor the IRC channelsand offer support to users. Of special note isthe apparent active involvement of moderatorsin the use of the channels for illicit activity. Inaddition to their sanctioned role asgatekeepers and enforcers of channel rules,the moderators facilitate illicit activity byassisting newcomers in using the bots,verifying/vouching for principal actors, andfacilitating offline dealmaking. They may alsohave a commercial interest in the channel,accepting payments or items in trade in returnfor access. Finally, the existence of numerousbots and databases indicates a small, skilledbase of "
power users
" driving tooldevelopment. It appears that this power-user base of moderators and toolmakers is small,probably numbering less than ten individuals.The monolithic nature of bot implementationimplies a sole author, but several functionallysimilar but nevertheless distinct bots havebeen observed on various channels, implyingthe existence of multiple authors.While the IRC channels are ostensiblyestablished for carding, in practice they arealso open forums for exchange of all sorts of stolen information and illicit activity, includingthe fencing of identities stolen offline (e.g.copied from a hotel ledger by a corrupt clerk)and stolen computer equipment. While onlinemerchant customer records are the mostcommon contraband, participants also offer other forms of goods and even services.The chief motive for most participants appearsto be financial gain. Typically, a prospectiveseller posts a generalized description of stolenidentity/card information to a channel, usuallyincluding a sample in the form of acompromised merchant record. Prospectivebuyers may also post requests for specificgoods to the channel. Many sellers arelooking for someone to help them convert their contraband to cash, soliciting access toPaypal or other online payments system thatoriginate payments from credit cards online inreturn for a percentage cut (typically 50-60%of the take). Others are looking to tradecontraband relevant to one instrument or channel (e.g. stolen ATM PINs and accountnumbers) for one more familiar to them (e.g.credit card numbers with CVVs) or for non-financial goods or services (e.g. root shellaccounts on compromised systems). Inalmost all observed cases, deals wereconcluded out of band, presumably via privateIRC messages, or e-mail or other simplemeans.There is also a significant cultural componentto these channels and websites. Lurkers andnewbies are frequently recruited by activeusers and moderators to use the tools tocommit what may be their first financialcrimes. Supporting material found in relatedWeb sites promotes “carding’ as an alternativelifestyle choice rather than criminal activity.
CONCLUSIONS
By implementing and widely deploying automated aids to website attack and compromise, credit card and personal identity acquisition, concealment of identityduring criminal activity, and exchange of stolen goods and services, power users within the carding community have decreased barriers of entry to the communityand facilitated the commission of crimes by members of the community. The dollar volume of related crime is significant and appears to be on the increase,despite efforts by responsible IRC network operators to curtail illicit and illegal activity on their networks. By presenting their activities as a lifestyle choice rather than criminal fraud, members of the carding community entice others to join them. They pose a growing threat to the financial community, online merchants, andindividual cardholders.
THE HONEYNET PROJECT & THE HONEYNET RESEARCH ALLIANCE
3
IRC COMMANDS IN REFERENCE TO CREDIT CARD EXCHANGE
!cardable
classification
Returns URLs of sites known to be vulnerable to credit card fraud from adatabase forwarded through the IRC channel. The
classification
argumentreturns sites of a particular type, e.g.
electronics
returns the URL of anelectronics vendor.
!cc
Obtains a credit card number from a database forwarded through the IRCchannel.
!cclimit
card_number
Determines the available credit for a specified credit card.
!chk
card_number
Checks a credit card for validity.
!cvv2
card_number expiry_date
Returns a valid CVV2 number for a given card.
!exploit
Returns an exploit URI string from a database of known application-level Webserver attacks.
!order.log
Provides transaction detail of compromised website.
!proxychk
Verifies that an IRC proxy is working.
INTERNET RELAY CHATS, DEMONSTRATING TACTICS & MOTIVES
A non-online source of credit card information:
#masterccs 02:13:38 Pedro: Hi all, i work in the LaTourista hotel here inPeru and i have access to all ccs with full info, im looking for paypal,anyone interested ??? msg me !!! i verify first!
Carders advertise their trading capacity:
#MasterCcs 12:01:41 BigDealer: ACTION have a drop thrue WU if u guys want to cash out cc on any name u send I’ll cash it out 50/50 msg me I cancash out up to 20 K a week#MasterCcs 08:43:33 BiggerDealer: ACTION has a drop in a bank if u want to cash out stuff up to 100 000K a week msg me
Trading CCs for exploits and tools:
#MasterCcs 12:40:28 Spiner: ACTION wants 0day exploits or Redhat 7.2,7.3 rootkit. msg me for trade … i have root
Solicitation for channel advertisers:
#masterccs 08:00:34 Card-InFo: ACTION Good news For Shell Holder: If u have Shell/hosting and wanna Advertise then msgOp1 and Op2 and Op3 We will adv urs shell/hosting wid Auto msg
Channel ops discuss a difficult newbie:
#masterccs 14:18:40 TheOp: yeah i know AsstOp^- :P#masterccs 14:19:07 AsstOp^-: hehehe#masterccs 14:19:27 AsstOp^-: that bastard is killing me i tried to help him but he wont tell me whats happening on the command i told him#masterccs 14:19:29 AsstOp^-: how can i help him them stupid as#masterccs 14:19:31 AsstOp^-: ass
Solicitation for a bot author or owner:
#MasterCcs 06:58:06 BoogieMan: I need a Chk BOT ! i'll give to the Owner Sop access to the channel
Carder asks operator to banish a ripper, who cheated the carder:
#aimtech 18:23:22 ^Alky^: Vietkey ripped me cc akick him now#aimtech 18:23:32 ^Alky^: ACTION thank TheOp
A newbie receives instruction and gets his first CC:
#MasterCcs 10:00:49 newbie: what i have to type to get cc info ?#MasterCcs 10:01:15 helper: type !cc#MasterCcs 10:04:04 newbie: !cc#MasterCcs 10:05:33 Ccs`: newbie!cc Name: Yukio XXXXXXXX |Address: X-X-X-XXX |City: Koduru-shi |State: Tokyo |Zip: XXX-XXXX |Phone: N\A|Country: Japan |CardType: American Express |Card Number: XXXXXXXXXXXXXXX XXXX
Add a Comment
Skimmer Sellleft a comment
silk.gip9635829left a comment
peter wleft a comment
peter wleft a comment
cyber devilleft a comment