ABTrevor (Member, joined January 8, 2026), Thread Author, #1
Plastic payment cards, such as credit and debit cards, are highly popular and convenient cash alternatives, widely accessible to people across most of the world. Their portability and ease of use make them a favored choice for financial transactions. This efficiency is supported by a vast, interconnected network of computers. However, where there's technology, there's also the risk of hacking.
Payment card frauds have raised significant privacy and authenticity issues among users, especially in recent years. Numerous well-known retail chains and brands have fallen victim to these frauds. The lucrative nature of this crime has drawn major cybercriminals, who form sophisticated networks to execute these thefts. These crimes, primarily driven by financial gain, often involve a lengthy process from data theft to actual fraudulent activities. This paper delves into the workings of this fraud network and its significant impact on the electronic payment industry.
Key Terminologies
Credit/Debit Card: A financial tool, often termed as 'plastic cash', utilized for purchasing goods. A Debit card is linked to the user's bank account, allowing purchases up to the account balance. A Credit card, conversely, functions as a short-term loan for purchases, with the bank initially covering costs and later reclaiming them from the user. Credit cards have a predefined spending limit.
PIN (Personal Identification Number): A unique numeric code for verifying the card owner's identity.
CVV/CVV2: A 3 or 4-digit number on the card, serving as an extra security measure for validating the cardholder.
BIN (Bank Identification Number): The initial six digits of the card, identifying the issuing bank and, in some cases, the card type.
Card Brands: These are authorized entities whose networks enable the interaction between acquirer and issuer banks. Notable brands are Visa, Mastercard, and American Express (Amex). Each brand has distinct starting numbers for their cards: Visa cards begin with 4, Mastercard with 5, and Amex (which are 15 digits) with 3. A detailed list is provided later in the document.
Buyer/Consumer: The individual holding the card, who makes purchases and pays through the card.
Merchant: The provider of goods and services who accepts card payments.
Acquirer Bank: The financial institution that processes credit card transactions for merchants.
Issuer Bank: The bank that issues the credit card to consumers.
POS (Point Of Sale): These are the devices used to execute financial transactions between buyers and merchants through card reading.
Magnetic Strip: A black strip on the card's rear, storing essential data for financial transactions.
Tracks: The magnetic strip contains information on Tracks 1, 2, and 3. Tracks 1 and 2 usually hold details like account number and owner name. Track 3, an optional track, is used for additional data storage.
Card Dumps: These are the unencrypted data retrieved from the temporary storage (RAM) of Point Of Sale (POS) devices. Card dumps include information from Tracks 1 and 2, which are read by the POS device during transactions.
Card Reader/Writer: This is a combination of hardware and software used for encoding data onto the magnetic strip of a plastic card. The MSR-206 is a widely recognized encoder for this purpose.
Carder: An individual who engages in fraudulent transactions using stolen credit or debit card information.
Runner: A person or group responsible for using counterfeit cards to withdraw cash from ATMs.
Dropper: The designated location or individual tasked with receiving goods bought online. The Dropper's role is to collect these items and deliver them to the carder, often in exchange for cash or other goods.
Shopper: This refers to individuals or groups who make in-store purchases using counterfeit cards, often accompanied by fake IDs to add legitimacy to their fraudulent activities. Carders themselves can act as shoppers or runners.
EMV (Europay, Mastercard, and Visa): These are Chip-and-PIN cards that represent a more secure alternative to traditional swipe cards, encrypting data on a chip. However, even with encryption, POS malware can potentially extract this data once it's decrypted in memory.
Contactless RFID Cards: An advancement over traditional magnetic strip cards. RFID (Radio-Frequency Identification) enabled cards allow buyers to make payments by simply waving the card near a POS terminal.
Processing of Credit Card Payments
Credit card transactions undergo several stages before the completion of payment. These are the key steps involved in a credit card transaction:
Authorization: This step initiates when cardholders opt to make purchases using their credit card. The merchant forwards the transaction request to the acquiring bank. The acquirer then relays this request through the cardholder's card brand network to the issuing bank. The issuer responds with authorization codes, which are sent back through the card brand's network to the acquirer, and then to the merchant. If authorized, merchants proceed to provide the cardholder with the requested goods or service.
Batching: At the end of each day, merchants compile all authorized sales into a batch. This batch is sent to the acquirer through payment service providers, in order to receive payment.
Clearing: The acquirer dispatches the batch through the card brand's network to the issuers, requesting payment. The card brand's network segregates each transaction for the appropriate cardholders. Subsequently, issuers transfer the funds requested through the card brand's network back to the acquirers.
Funding: The acquiring bank transfers the payment to the merchant via the payment service provider. The merchant's account is then credited with the payment amount.
These steps provide a basic framework for how payments are processed using credit cards. Alongside these, there are various other authorization processes involved, but these four stages form the essential components of the transaction phases.
With this foundational understanding of the plastic card payment system and its interconnections, the discussion can progress to more technical aspects such as stolen data dumps, steps in fraudulent transactions, identification of vulnerabilities, etc. Before delving into these, a brief overview of common methods used by hackers to extract critical payment data is also beneficial.
Types of CC Fraud
Credit card theft typically unfolds in three distinct phases:
Reconnaissance
Attack
Selling
In the initial Reconnaissance phase, the perpetrator assesses the environment targeted for attack, seeking vulnerabilities to exploit in crafting their strategy. The Attack phase commences once these vulnerabilities are pinpointed. Key techniques employed in this stage include keylogging, phishing, exploiting vulnerabilities, and using Point of Sale (POS) memory scraping malware, with the latter being particularly prevalent. POS memory scraping directly impacts devices central to processing card-based payments, making it a favored method among attackers.
A delivery mechanism is needed for the POS malware to infiltrate the system. Phishing and exploiting vulnerabilities are commonly used to establish such a mechanism. Additionally, insider threats play a significant role in the infection of POS terminals. Given its prominence in the current fraud landscape, it's important to briefly discuss POS malware. It is the primary tool empowering cybercriminals to target major retail chains and brands globally.
POS Malware
Point of Sale (POS) terminals serve as the central processing units during card-based transactions between a buyer and a seller. Specialized malware, known as POS malware, is designed to extract data from these terminals' main memory. The objective is to capture the unencrypted data temporarily stored in the terminal's primary memory (RAM) during the processing of a credit or debit card for payment.
A common misconception about POS devices is that data transmission always occurs in an encrypted format. While this is generally true, there is a brief interval when the POS terminal initially reads the card data and stores it in plain text in its primary memory, before re-encrypting it. It is during this critical window that POS malware operates, extracting the information from the memory.
This article briefly outlines the key characteristics and steps of Point of Sale (POS) malware, which are instrumental in facilitating fraud involving plastic cards. A comprehensive analysis of the technical intricacies of POS malware is beyond its scope, but the following points highlight its major features:
1. Basic Malware Functionalities: POS malware encompasses standard malware capabilities like data exfiltration over networks, collecting system information, communication with command and control (C&C) servers, and a kill switch for self-removal from infected systems.
2. Targeted Purpose: The primary objective of this malware is to scrape memory data from terminals, specifically focusing on card data.
3. Process Identification and Scraping: The malware scans all processes in the device memory, comparing them against a local database to determine which processes to target or ignore for data scraping.
4. Data Extraction Techniques: After identifying relevant processes, the malware uses custom functions or regular expressions to extract credit card data (Track 1 and 2 information) from the memory.
5. Data Storage and Exfiltration: The scraped data is stored on the disk in a specific location. When the malware detects a live network connection and can reach its C&C server, it transmits the stored file (which may be encrypted or unencrypted) to the server, thereby successfully completing data exfiltration.
Having established an understanding of how POS terminals are compromised and data is stolen, it is now pertinent to examine the nature of the data that POS malware extracts, its appearance, and the manner of its interception. The example provided demonstrates the format of data sent by a POS malware to its Command and Control (C&C) server:
Track 1 Example: An example of Track 1 data is "B4096654104697113^ABHINAV/SINGH^08061012735900521000000".
Track 2 Example: An example of Track 2 data is "361344212572004=0512052335136; ABHINAV/SINGH".
Combined Track 1 and Track 2 Example: An example of combined data is "4411037117155348=14111010000013500000; B4411037117155348^ABHINAV/SINGH^14111010000000135000000?".
Additional Data Formats: Additional data examples include strings like "165430 | 134884 | 2 | 4921817934747226 | 4 | 2008 | 3 | 2010 | | 662 | ABHINAV SINGH | 10 | VARUNA APP | VARANASI | PO139UX" and "468442/ 165337 | 134815 | 2 | 4921817809597243 | 3 | 2008 | 2 | 2010 | | 185 | ABHINAV SINGH | 10 | VARUNA | VARANASI | PR4 3HB | | lancs 01436672207".
At first glance, this data may appear as a random series of numbers and text. However, to properly understand this data, it is essential to delve into the structure of a magnetic strip and the specific format used to store data across its various tracks.
Track 1 and 2 Block Diagram
Magnetic strips are logically divided into tracks, or records, that are used for storing the data required during a financial transaction. The logical placement is shown in the following diagram.
[Image: logical placement of Tracks 1, 2 and 3 on the magnetic strip]
Tracks on magnetic strips are arranged sequentially, with Track 1 followed by Tracks 2 and 3, and data reading occurs in this order. Track 1 and Track 2 primarily store vital data, while Track 3 is used for optional data. Depending on the bank's preference, financial details may be stored on either Track 1 or Track 2. Both these tracks adhere to specific formats for data storage. To comprehend how data is stored and read on these tracks, it is helpful to examine the block diagram of both Track 1 and Track 2.
[Image: block diagram of the Track 1 and Track 2 fields]
Both Track 1 and Track 2 on magnetic strips store information in distinct blocks, each representing a specific value with a particular storage limit, separated by delimiters. Analyzing an example of Track 1 data, based on the fields outlined in the block diagram, provides insight into this structure:
Track 1 Example: "B4096654104697113^ABHINAV/SINGH^08061012735900521000000?"
In this example, omitting values for SS and FC, the first seventeen characters ("B4096654104697113") represent the Bank Account number, followed by a field separator ("^") and the Account holder’s name ("ABHINAV/SINGH"). The subsequent four characters ("0806") denote the card's expiry date in YYMM format. The following digits are the Service code ("1012735900") and Identification number ("521"), with additional digits filling the remaining bytes.
Track 2 data can be similarly interpreted. Notably, Track 1 data alone is often sufficient in cases involving card dumps, as it contains enough information to be converted into Track 2 data. Tools like Trackgenerator.net provide online services for such conversions. Most online carding forums deal in Track 2 data.
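As an added example, not code from the original post or from any tool it mentions: a defender-side scanner in Python that looks for the Track 1 and Track 2 patterns described in the POS Malware section and in the block-diagram discussion above, as they would appear in a scraper's staging file, a memory dump or a network capture, applies the Luhn check to separate real track records from random digit runs, and reports only masked PANs. Assumptions: the ISO/IEC 7813 field layout (format code, PAN, name, YYMM expiry, three-digit service code, discretionary data), the public test PANs 4111111111111111 and 5555555555554444, a placeholder cardholder name, and a constructed sample buffer.

```python
"""Scan a byte buffer for magnetic-stripe Track 1 / Track 2 records.

Added example, not from the original post. Field layout assumed per
ISO/IEC 7813: format code, PAN, name, YYMM expiry, 3-digit service code,
discretionary data. Output is masked so the scanner's own report is not
card data.
"""
import re
from dataclasses import dataclass
from typing import List

# Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary>?
# Track 2: ;<PAN>=<YYMM><service code><discretionary>?
# Start/end sentinels are optional because scrapers often strip them.
TRACK1 = re.compile(rb"%?B(\d{13,19})\^([^^]{2,26})\^(\d{4})(\d{3})(\d{0,40})\??")
TRACK2 = re.compile(rb";?(\d{13,19})=(\d{4})(\d{3})(\d{0,30})\??")

# Constructed sample modelled on the text's description of a scraper's
# staging file: two track records, filler bytes and a Luhn-invalid decoy.
# PANs are the public test numbers 4111111111111111 / 5555555555554444;
# the cardholder name is a placeholder.
SAMPLE = (
    b"\x00\x00%B4111111111111111^DOE/JANE^27051011234567890000?\x00"
    b"log line: order 12345678 ok\n"
    b";5555555555554444=2705101123456789?\x00"
    b"noise 4111111111111112=2705101 end"
)


@dataclass
class Finding:
    track: int
    offset: int
    masked_pan: str
    brand_hint: str
    expiry: str          # YYMM as stored on the stripe
    service_code: str    # first digit 2 or 6 marks an EMV (chip) card
    luhn_valid: bool


def luhn_ok(pan: str) -> bool:
    """ISO/IEC 7812 Luhn check; a random digit run fails it 9 times in 10."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the BIN (first 6) and last 4 digits, as PCI DSS allows for display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def brand_hint(pan: str) -> str:
    """Brand guess from the leading digit, using the rules given in the text."""
    if pan.startswith("4"):
        return "Visa"
    if pan.startswith("5"):
        return "Mastercard"
    if pan.startswith("3") and len(pan) == 15:
        return "Amex"
    return "unknown"


def scan_for_track_data(buf: bytes) -> List[Finding]:
    """Return every Track 1 / Track 2 record found in buf, sorted by offset."""
    findings: List[Finding] = []
    for m in TRACK1.finditer(buf):
        pan = m.group(1).decode("ascii")
        findings.append(Finding(1, m.start(), mask_pan(pan), brand_hint(pan),
                                m.group(3).decode("ascii"),
                                m.group(4).decode("ascii"), luhn_ok(pan)))
    for m in TRACK2.finditer(buf):
        pan = m.group(1).decode("ascii")
        findings.append(Finding(2, m.start(), mask_pan(pan), brand_hint(pan),
                                m.group(2).decode("ascii"),
                                m.group(3).decode("ascii"), luhn_ok(pan)))
    findings.sort(key=lambda f: f.offset)
    return findings


def high_confidence(findings: List[Finding]) -> List[Finding]:
    """Findings worth an alert: the pattern matched AND the PAN passes Luhn."""
    return [f for f in findings if f.luhn_valid]


if __name__ == "__main__":
    for f in scan_for_track_data(SAMPLE):
        flag = "ALERT" if f.luhn_valid else "low-confidence"
        print(f"[{flag}] track {f.track} @{f.offset}: {f.masked_pan} "
              f"{f.brand_hint} exp={f.expiry} svc={f.service_code}")
```

To check a suspicious file, read it as bytes and pass the buffer to scan_for_track_data; only Luhn-valid hits should raise an alert, the rest are logged as low-confidence.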
To summarize the discussion so far, the paper has explored how plastic payment networks operate, the various threats posed to electronic payments, and POS malware and the type of information it extracts. The next section will delve into how this stolen information becomes central to an increasingly profitable realm of cybercrime.
The Carding Ecosystem
The cybercrime ecosystem related to credit card fraud is structured around three major steps:
Attack: This step, already explored in detail, involves malware authors and hackers designing various attack vectors to pilfer crucial customer payment data.
Sell: The next phase involves establishing a marketplace for the stolen data.
Shop: This step will be discussed further in the context of the cybercrime ecosystem.
Having already delved into the intricacies of crafting attack vectors to steal payment data, the focus now shifts to the second step: setting up a virtual 'shopping mall' for the trafficked data. This step is a pivotal component in the cycle of credit card fraud, facilitating the distribution and monetization of stolen data within the cybercrime network.
Carding forums
Crdpro.cc, ASCarding, Blackbones and Carder are specifically related to carding and/or fraud. Cracked, Nulled, and CryptBB are related but focus more on hacking. Most carding forums are scams.
Dedicated websites for selling credit and debit card data are essential hubs in the cybercrime ecosystem for credit card fraud. These forums connect a wide range of participants, from novices to seasoned professionals who have embraced carding as a full-time occupation.
The design and format of these forums are generally similar, but they are distinguished by their sources of card data, or 'dumps'. For example, the forum rescator.su gained notoriety for selling data stolen from the Target retail store breach, as reported by krebsonsecurity.com. Following this forum over several months revealed key changes in its selling model in response to customer feedback and process improvement:
Classification by Card Brand: Initially, dumps were categorized by card brands like Visa, Mastercard, Amex, etc.
Additional Filters: Later, more specific filters were added, such as dumps with particular details or from a specific country. Premium card types like Signature and Platinum were priced higher.
City-Specific Filters: The city of origin for card details was also incorporated as a filter, recognizing the importance of localized card usage.
Fraud Detection Countermeasures: Banks and payment networks continuously monitor transactions for fraud, making overseas or out-of-city usage of cards without notification a trigger for detection. Hence, the relevance of buying dumps from specific countries and cities.
Success Rate Feature: An interesting addition was a feature that rates the success chance of a card based on factors like age of the dump, proximity to its expiry date, and card status (e.g., platinum, titanium). Cards with lower success rates were sold at lower prices.
Once stolen card details become available for sale, the focus shifts to the buyers of these details. Key aspects of a buyer's role in this ecosystem include:
Buyer profiles on these forums range from beginners to experienced and regular customers. Both buyers and sellers enhance their reputation through loyalty and frequent interactions.
Buyers have the choice to purchase either individual card details or a collection of multiple, unsorted details known as dumps. There is also a category named “Fullz,” which includes cards with comprehensive details like CVV, country, and city.
Buyers can use various filters previously mentioned (such as card brand, country, city) to select credit cards that meet their specific needs. For example, a fraudster in Singapore might prefer to buy dumps from Singapore or the Asian region to avoid detection for overseas usage.
For payments, buyers commonly use cryptocurrencies, with Bitcoin being the most popular, providing additional anonymity to the parties involved in selling dumps.
The pricing of cards and dumps depends on their freshness and type. On average, a single Mastercard or Visa platinum card can range from $15 to $50. Purchasing dumps, which involves buying in bulk, is usually cheaper. The price for dumps varies between $50 and $200, typically for about 10 card details. Bulk purchases of multiple dumps can cost between $600 and $5,000, depending on the quantity and quality.
To ensure anonymity and avoid traceability, the download link for the dumps or card details is often provided through a TOR-based onion routing network or via IRC channels.
This is how the buyer is introduced into this ecosystem, and from here on the buyer is the main driving element of the entire fraud ecosystem. The big question now is what the buyer does with the raw dumps supplied by the seller. The buyer has two distinct options:
Online Carding
Offline/In-store Carding
Online Carding
Online carding is the process of using the stolen credit card details for purchasing goods online. This step involves some preparatory steps before the buyer can go online and use the purchased card details for shopping. The first and foremost thing is knowing the CVV number. Most carding forums usually sell CVV details along with the card details. If the CVV is not present, the buyer will have to follow some additional steps in order to obtain the CVV number from the original owner of the card. These steps might include phone phishing, fake postal mail asking for card verification, etc. Buying “Fullz” is the most preferred option for online carding, as it has all the required details.
Once the CVV is available to the buyer, he now needs to figure out cardable websites. Cardable websites are those websites that meet the following criteria:
Making sure that the website’s terms and conditions do not specifically ship items only to the card’s registered address. It should ship to other shipping addresses mentioned during purchase as well.
Making sure that International shipping is allowed.
The next thing to look for is whether the website has Visa verification code or Mastercard secure code enabled. This is a two-step authentication in which the payment gateway asks for a secure code before proceeding with payment. Only the card owner knows this secure code.
Check for additional security measures like card scans, delivery at door even when there is no one home, call backs to confirm item payment etc.
Thanks
Payment card frauds have raised significant privacy and authenticity issues among users, especially in recent years. Numerous well-known retail chains and brands have fallen victim to these frauds. The lucrative nature of this crime has drawn major cybercriminals, who form sophisticated networks to execute these thefts. These crimes, primarily driven by financial gain, often involve a lengthy process from data theft to actual fraudulent activities. This paper delves into the workings of this fraud network and its significant impact on the electronic payment industry.
Key Terminologies
Credit/Debit Card: A financial tool, often termed as 'plastic cash', utilized for purchasing goods. A Debit card is linked to the user's bank account, allowing purchases up to the account balance. A Credit card, conversely, functions as a short-term loan for purchases, with the bank initially covering costs and later reclaiming them from the user. Credit cards have a predefined spending limit.
PIN (Personal Identification Number): A unique numeric code for verifying the card owner's identity.
CVV/CVV2: A 3 or 4-digit number on the card, serving as an extra security measure for validating the cardholder.
BIN (Bank Identification Number): The initial six digits of the card, identifying the issuing bank and, in some cases, the card type.
Card Brands: These are authorized entities whose networks enable the interaction between acquirer and issuer banks. Notable brands are Visa, Mastercard, and American Express (Amex). Each brand has distinct starting numbers for their cards: Visa cards begin with 4, Mastercard with 5, and Amex (which are 15 digits) with 3. A detailed list is provided later in the document.
Buyer/Consumer: The individual holding the card, who makes purchases and pays through the card.
Merchant: The provider of goods and services who accepts card payments.
Acquirer Bank: The financial institution that processes credit card transactions for merchants.
Issuer Bank: The bank that issues the credit card to consumers.
POS (Point Of Sale): These are the devices used to execute financial transactions between buyers and merchants through card reading.
Magnetic Strip: A black strip on the card's rear, storing essential data for financial transactions.
Tracks: The magnetic strip contains information on Tracks 1, 2, and 3. Tracks 1 and 2 usually hold details like account number and owner name. Track 3, an optional track, is used for additional data storage.
Card Dumps: These are the unencrypted data retrieved from the temporary storage (RAM) of Point Of Sale (POS) devices. Card dumps include information from Tracks 1 and 2, which are read by the POS device during transactions.
Card Reader/Writer: This is a combination of hardware and software used for encoding data onto the magnetic strip of a plastic card. The MSR-206 is a widely recognized encoder for this purpose.
Carder: An individual who engages in fraudulent transactions using stolen credit or debit card information.
Runner: A person or group responsible for using counterfeit cards to withdraw cash from ATMs.
Dropper: The designated location or individual tasked with receiving goods bought online. The Dropper's role is to collect these items and deliver them to the carder, often in exchange for cash or other goods.
Shopper: This refers to individuals or groups who make in-store purchases using counterfeit cards, often accompanied by fake IDs to add legitimacy to their fraudulent activities. Carders themselves can act as shoppers or runners.
EMV (Europay, Mastercard, and Visa): These are Chip-and-Pin cards that represent a more secure alternative to traditional swipe cards, encrypting data on a chip. However, even with encryption, POS malwares can potentially extract this data once it's decrypted in the memory.
Contactless RFID Cards: An advancement over traditional magnetic strip cards. RFID (Radio-Frequency Identification) enabled cards allow buyers to make payments by simply waving the card near a POS terminal.
Processing of Credit Card Payments
Credit card transactions undergo several stages before the completion of payment. These are the key steps involved in a credit card transaction:
Authorization: This step initiates when cardholders opt to make purchases using their credit card. The merchant forwards the transaction request to the acquiring bank. The acquirer then relays this request through the cardholder's card brand network to the issuing bank. The issuer responds with authorization codes, which are sent back through the card brand's network to the acquirer, and then to the merchant. If authorized, merchants proceed to provide the cardholder with the requested goods or service.
Batching: At the end of each day, merchants compile all authorized sales into a batch. This batch is sent to the acquirer through payment service providers, in order to receive payment.
Clearing: The acquirer dispatches the batch through the card brand's network to the issuers, requesting payment. The card brand's network segregates each transaction for the appropriate cardholders. Subsequently, issuers transfer the funds requested through the card brand's network back to the acquirers.
Funding: The acquiring bank transfers the payment to the merchant via the payment service provider. The merchant's account is then credited with the payment amount.
These steps provide a basic framework for how payments are processed using credit cards. Alongside these, there are various other authorization processes involved, but these four stages form the essential components of the transaction phases.
With this foundational understanding of the plastic card payment system and its interconnections, the discussion can progress to more technical aspects such as stolen data dumps, steps in fraudulent transactions, identification of vulnerabilities, etc. Before delving into these, a brief overview of common methods used by hackers to extract critical payment data is also beneficial.
Types of CC Fraud
Credit card theft typically unfolds in three distinct phases:
Reconnaissance
Attack
Selling
In the initial Reconnaissance phase, the perpetrator assesses the environment targeted for attack, seeking vulnerabilities to exploit in crafting their strategy. The Attack phase commences once these vulnerabilities are pinpointed. Key techniques employed in this stage include keylogging, phishing, exploiting vulnerabilities, and using Point of Sale (POS) memory scraping malware, with the latter being particularly prevalent. POS memory scraping directly impacts devices central to processing card-based payments, making it a favored method among attackers.
A delivery mechanism is needed for the POS malware to infiltrate the system. Phishing and exploiting vulnerabilities are commonly used to establish such a mechanism. Additionally, insider threats play a significant role in the infection of POS terminals. Given its prominence in the current fraud landscape, it's important to briefly discuss POS malwares. These are the primary tools empowering cybercriminals to target major retail chains and brands globally.
POS Malware
Point of Sale (POS) terminals serve as the central processing units during card-based transactions between a buyer and a seller. Specialized malware, known as POS malware, is designed to extract data from these terminals' main memory. The objective is to capture the unencrypted data temporarily stored in the terminal's primary memory (RAM) during the processing of a credit or debit card for payment.
A common misconception about POS devices is that data transmission always occurs in an encrypted format. While this is generally true, there is a brief interval when the POS terminal initially reads the card data and stores it in plain text in its primary memory, before re-encrypting it. It is during this critical window that POS malware operates, extracting the information from the memory.
Criminal.jpg
This article briefly outlines the key characteristics and steps of Point of Sale (POS) malware, which are instrumental in facilitating fraud involving plastic cards. A comprehensive analysis of the technical intricacies of POS malware is beyond its scope, but the following points highlight its major features:
1. Basic Malware Functionalities: POS malware encompasses standard malware capabilities like data exfiltration over networks, collecting system information, communication with command and control (C&C) servers, and a kill switch for self-removal from infected systems.
2. Targeted Purpose: The primary objective of these malwares is to scrape memory data from terminals, specifically focusing on card data.
3. Process Identification and Scrapping: The malware scans all processes in the device memory, comparing them against a local database to determine which processes to target or ignore for data scraping.
4. Data Extraction Techniques: After identifying relevant processes, the malware uses custom functions or regular expressions to extract credit card data (Track 1 and 2 information) from the memory.
5. Data Storage and Exfiltration: The scraped data is stored on the disk in a specific location. When the malware detects a live network connection and can reach its C&C server, it transmits the stored file (which may be encrypted or unencrypted) to the server, thereby successfully completing data exfiltration.
1703635237320.png
Having established an understanding of how POS terminals are compromised and data is stolen, it is now pertinent to examine the nature of the data that POS malware extracts, its appearance, and the manner of its interception. The example provided demonstrates the format of data sent by a POS malware to its Command and Control (C&C) server:
Track 1 Example: An example of Track 1 data is "B4096654104697113^ABHINAV/SINGH^08061012735900521000000".
Track 2 Example: An example of Track 2 data is "361344212572004=0512052335136; ABHINAV/SINGH".
Combined Track 1 and Track 2 Example: An example of combined data is "4411037117155348=14111010000013500000; B4411037117155348^ABHINAV/SINGH^14111010000000135000000?".
Additional Data Formats: Additional data examples include strings like "165430 | 134884 | 2 | 4921817934747226 | 4 | 2008 | 3 | 2010 | | 662 | ABHINAV SINGH | 10 | VARUNA APP | VARANASI | PO139UX" and "468442/ 165337 | 134815 | 2 | 4921817809597243 | 3 | 2008 | 2 | 2010 | | 185 | ABHINAV SINGH | 10 | VARUNA | VARANASI | PR4 3HB | | lancs 01436672207".
At first glance, this data may appear as a random series of numbers and text. However, to properly understand this data, it is essential to delve into the structure of a magnetic strip and the specific format used to store data across its various tracks.
Track 1 and 2 Block Diagram
Magnetic strips are logically divided into tracks or records that is used for storing the data required during financial transaction. The logical placement is shown in the following diagram.
1703635632328.png
Tracks on magnetic strips are arranged sequentially, with Track 1 followed by Tracks 2 and 3, and data reading occurs in this order. Track 1 and Track 2 primarily store vital data, while Track 3 is used for optional data. Depending on the bank's preference, financial details may be stored on either Track 1 or Track 2. Both these tracks adhere to specific formats for data storage. To comprehend how data is stored and read on these tracks, it is helpful to examine the block diagram of both Track 1 and Track 2.
diagram.jpg
Both Track 1 and Track 2 on magnetic strips store information in distinct blocks, each representing a specific value with a particular storage limit, separated by delimiters. Analyzing an example of Track 1 data, based on the fields outlined in the block diagram, provides insight into this structure:
Track 1 Example: "B4096654104697113^ABHINAV/SINGH ^08061012735900521000000?"
In this example, omitting values for SS and FC, the first seventeen characters ("B4096654104697113") represent the Bank Account number, followed by a field separator ("^") and the Account holder’s name ("ABHINAV/SINGH"). The subsequent four characters ("0806") denote the card's expiry date in YYMM format. The following digits are the Service code ("1012735900") and Identification number ("521"), with additional digits filling the remaining bytes.
Track 2 data can be similarly interpreted. Notably, Track 1 data alone is often sufficient in cases involving card dumps, as it contains enough information to be converted into Track 2 data. Tools like Trackgenerator.net provide online services for such conversions. Most online carding forums deal in Track 2 data.
To summarize the discussion so far, the paper has explored how plastic payment networks operate, the various threats posed to electronic payments, and a focus on POS malware and the type of information it extracts. The next section will delve into how this stolen information becomes central to an increasingly profitable realm of cybercrime.
The Carding Ecosystem
The cybercrime ecosystem related to credit card fraud is structured around three major steps:
Attack: This step, already explored in detail, involves malware authors and hackers designing various attack vectors to pilfer crucial customer payment data.
Sell: The next phase involves establishing a marketplace for the stolen data.
Shop: This step will be discussed further in the context of the cybercrime ecosystem.
Having already delved into the intricacies of crafting attack vectors to steal payment data, the focus now shifts to the second step: setting up a virtual 'shopping mall' for the trafficked data. This step is a pivotal component in the cycle of credit card fraud, facilitating the distribution and monetization of stolen data within the cybercrime network.
Carding forums
Crdpro.cc, ASCarding, Blackbones and Carder are specifically related to carding and/or fraud. Cracked, Nulled, and CryptBB are related but focus more on hacking. Most carding forums are scams.
Dedicated websites for selling credit and debit card data are essential hubs in the cybercrime ecosystem for credit card fraud. These forums connect a wide range of participants, from novices to seasoned professionals who have embraced carding as a full-time occupation.
The design and format of these forums are generally similar, but they are distinguished by their sources of card data, or 'dumps'. For example, the forum rescator.su gained notoriety for selling data stolen from the Target retail store breach, as reported by krebsonsecurity.com. Following this forum over several months revealed key changes in its selling model in response to customer feedback and process improvement:
Classification by Card Brand: Initially, dumps were categorized by card brands like Visa, Mastercard, Amex, etc.
Additional Filters: Later, more specific filters were added, such as dumps with particular details or from a specific country. Premium card types like Signature and Platinum were priced higher.
City-Specific Filters: The city of origin for card details was also incorporated as a filter, recognizing the importance of localized card usage.
Fraud Detection Countermeasures: Banks and payment networks continuously monitor transactions for fraud, making overseas or out-of-city usage of cards without notification a trigger for detection. Hence, the relevance of buying dumps from specific countries and cities.
Success Rate Feature: An interesting addition was a feature that rates the success chance of a card based on factors like age of the dump, proximity to its expiry date, and card status (e.g., platinum, titanium). Cards with lower success rates were sold at lower prices.
Once stolen card details become available for sale, the focus shifts to the buyers of these details. Key aspects of a buyer's role in this ecosystem include:
Buyer profiles on these forums range from beginners to experienced and regular customers. Both buyers and sellers enhance their reputation through loyalty and frequent interactions.
Buyers have the choice to purchase either individual card details or a collection of multiple, unsorted details known as dumps. There is also a category named “Fullz,” which includes cards with comprehensive details like CVV, country, and city.
Buyers can use various filters previously mentioned (such as card brand, country, city) to select credit cards that meet their specific needs. For example, a fraudster in Singapore might prefer to buy dumps from Singapore or the Asian region to avoid detection for overseas usage.
For payments, buyers commonly use cryptocurrencies, with Bitcoin being the most popular, providing additional anonymity to the parties involved in selling dumps.
The pricing of cards and dumps depends on their freshness and type. On average, a single Mastercard or Visa platinum card can range from $15 to $50. Purchasing dumps, which involves buying in bulk, is usually cheaper. The price for dumps varies between $50 and $200, typically containing about 10 card details. Bulk purchases of multiple dumps can cost between $600 and $5,000, depending on the quantity and quality.
To ensure anonymity and avoid traceability, the download link for the dumps or card details is often provided through a TOR-based onion routing network or via IRC channels.
This is how the buyer gets introduced into this ecosystem, and from here on the buyer is the main driving element of the entire fraud ecosystem. The big question now is what the buyer would do with the raw dumps supplied by the seller. The buyer has two distinct options:
Online Carding
Offline/In-store Carding
Online Carding
Online carding is the process of using the stolen credit card details for purchasing goods online. This step involves some pre-steps before the buyer can go online and use the purchased card details for shopping. The first and foremost thing is knowing the CVV number. Most carding forums usually sell CVV details along with the card details. In case the CVV is not present, the buyer will have to follow some additional steps in order to obtain the CVV number from the original owner of the card. These steps might include phone phishing, fake postal mail asking for card verification, etc. Buying “Fullz” is the most preferred option for online carding as it has all the required details.
Once the CVV is available to the buyer, he now needs to figure out cardable websites. Cardable websites are those websites that meet the following criteria:
Making sure that the website’s terms and conditions do not restrict shipping to the card’s registered address only. It should also ship to another shipping address entered during purchase.
Making sure that International shipping is allowed.
The next thing to look for is whether the website has Visa verification code or Mastercard SecureCode enabled. This is a two-step authentication where the payment gateway asks for a secure code before proceeding with payment. Only the card owner knows this secure code.
Check for additional security measures like card scans, delivery at the door even when no one is home, call-backs to confirm item payment, etc.
Thanks