

The unstoppable Credit Card blackmarket - backslash
http://www.stopthehacker.com/2010/03/03/the-underground-credit-card-blackmarket/

======
ambiate
I remember back in ~2000-2001 there was some popular cart application floating
around. Everyone used it! A Google search of "/uri/somecart.cgi?something"
brought up tons of pages... and of course, a vulnerability in the wild put
everyone's information out on a silver plate for these card scavengers.

Well, luckily I was poor and 16 when they bounced and locked my card up right
away (never buying from that t-shirt store again).

Years down the line though, I still can find my name, old cc, and address on
these lists. They're all over IRC...

On the topic of scamming, most of them use a reputation-based system (i.e.
traderx has 60 successful transactions, while traderb has -3 successful
transactions; who would you go with?)

You can also hire moderators to check out some things, iirc. Such as, placing
a $0.03 charge through a merchant and verifying or checking the accounts.

I did a pretty large study of this back in 2003 or so, but really lost
interest once I pissed off the wrong people and they got personal.

~~~
jrp
Would you be interested in elaborating on that last sentence?

~~~
ambiate
Basically a man, "Pablo," figured out what I was doing in his community
because I was being too blunt. Pablo told me to find somewhere else to toy
around. After about another month of my presence, Pablo somehow got my phone
number and called me. He had a strong Romanian accent and quite the vicious
set of vocal cords to accompany his voice.

I'll never forget it, he not only told me my mother's name, but also read off
her social security number and told me it was 'disgusting pig' she was on
welfare. (born with CP)

That shock (the shock of involvement of family) led me to ditching all my
research and moving on to writing papers on Cisco routers.

That was back in 2001; finding identities and SSNs wasn't quite so easy,
especially for an invalid mother who had never ventured near a keyboard. On
reflection, I suppose it wasn't too hard even then to obtain info if you had
money, but still creepy to have some international guy threaten your life/your
mother's life for gathering info.

This actually happened again recently, but the shock wasn't quite there. This
time, my girlfriend was attacked by an angry blackhat SEO because I was
treading on his niche territory. It's not too hard to tie AdWords campaigns >
domains > domain whois > real name > Facebook/social networking > family and
get info on them these days. This guy contacted me first too, but moved on to
harassing my girlfriend. Domain parking, go go. It's not worth the $15 a month
to get harassed. I'm pretty sure he got my AdSense account banned (suspicious
clicks) + had something going on to click my ads automatically and waste my
money (I had a 15% CTR at one point). Also my WordPress had someone logged
into my admin at one point, but I've basically turned my Linode into Knox
since then.

She didn't quite seem to understand why I was in a panic over the situation...

~~~
vixen99
"Romanian accent"? This suggests to me that either you yourself are Romanian
or you have a rather acute ear. I live in Romania and it seems to me that
almost every Romanian speaks English with a slightly different accent. I'd be
hard put to it to identify a Romanian from his accent if I lived in London for
instance. The same would not be true of an Italian, French or German native. I
have no idea what a 'Romanian accent' is, let alone a 'strong one'.

------
3dFlatLander
The article points out that the "cyber criminals prefer to get paid via
Liberty Reserve and Western Union money transfer services." This is something
I've always been curious about. Getting a credit card number + other info
seems like it would be simple compared to getting those bytes converted into
paper form without getting caught.

~~~
sokoloff
Frankly, I think that Western Union isn't in the business of caring. They make
a healthy margin on every transfer, and serve a segment of the population that
has a strong disinterest in having to extensively document their identity,
source of funds, etc., sometimes because the funds are "dirty", sometimes
because the sender or recipient isn't "fully legal", etc.

It's against Western Union's interest to extensively document everyone and
every dollar that passes through their systems. I'm sure they comply with the
legal requirements placed on them, but I doubt they go WAY beyond that, for
doing so would not be in their best business interests.

------
madair
Why isn't there effective enforcement?

Is it:

-- Incompetence? Leadership, technical, other?
-- Low visibility to law enforcement? (In which case, why?)
-- Priorities? Well-placed? Misplaced?
-- Strategic? For ethical purposes?

The problem needs fixing, but it seems important to understand why we're at
this point today when enforcement seems so obvious and simple. There's more
than enough enforcement power available, at least in the U.S., to deal with
the brazen criminals and make it much harder for them. Are those honeypots?

~~~
ams6110
At least on the surface, it would seem that the CC companies themselves have
the most motivation to put a stop to this. Why are their anti-fraud
departments not forwarding these sites to the FBI, getting court orders to
shut down the domains (at least those hosted in the USA), working with big ISPs
to get them blacklisted...?

Is there some non-obvious reason that it's in the interest of the CC companies
to let this go? Is there a lot of low-level fraud that customers never notice,
and just keep making those monthly minimum payments?

~~~
ambiate
Ever heard of chargebacks? You use my card, I complain to my cc company, they
refund my money and attack the seller with fees for lack of verification.

So,
>CC Thief gets whatever he bought at an empty house
>CC holder gets stuck in an infinite customer service loop
>CC company avoids charges
>Seller gets fined

------
rationalbeaver
While this is certainly disturbing, I kinda wonder how much of the info being
sold in this way is legit. I mean, if you scam your buyer by providing false
info, what can they really do about it? Call the cops and tell them you got
scammed while trying to buy stolen CC info online?

~~~
Ennis
CC hackers rely on selling hundreds and thousands of numbers at a time to make
any money. It makes sense that most of their business comes from repeat
customers, in which case scamming them isn't in their best interests.

~~~
rationalbeaver
I'm sure that is true for real CC hackers, but it is difficult to tell which,
if any, of the people posting these ads is the real deal. The lack of trust
and transparency is an opportunity for scammers hoping to make a quick buck
before they change usernames/emails and try again.

It would actually be interesting to see how "legitimate" CC sellers try to
distinguish themselves from the fakes. They mention in the article that some
of them are using images to identify themselves, effectively creating CC
hacker brands.

Edit: ambiate makes a good point about reputation systems on the forums they
use. Seems practical and discourages username swapping.

------
elai
Isn't it risky to extract cash/goods from a credit card?

~~~
wmf
Yes, that's why only criminals do it.

------
electromagnetic
Unstoppable, really? Ban credit cards, it's stopped. Seriously, better choice
of word required. Perhaps undefeatable would be more apt.

~~~
philwelch
You've established a very silly standard. Most things we deem "unstoppable"
can, in fact, be stopped with enough nuclear munitions, for instance.

------
sliverstorm
Am I just the only one who finds it strange that people sell credit card info?
I mean, that'd be like if you saw a guy on the street selling dollar bills for
1/100 cent each. Sure, they might be marked bills from the same printing run,
but they are still money being sold for less than their value.

You'd think if the harvester has the ability to harvest, he'd be able to work
out a better way of monetizing credit cards than selling them at $2 a pop.

Or, maybe I just misunderstand how the people who buy the lists monetize the
credit card info.

~~~
philwelch
The problem is that there are so many people who steal mass amounts of credit
cards that there's a glut of them on the market. There's really no other way
for them to protect their liabilities--these guys can sell their data, vanish,
and make another heist without being caught, while someone actually using the
credit card faces a lot more risk.

