Notes from the underground: The next generation of carders

One of the most notable increases in cybercrime is in credit card fraud, according to the most recent annual report by the FBI's Internet Fraud Complaint Center. Cybercrime in itself is a booming business, having grown to $240 million in reported crimes to law enforcement in 2007 -- up $40 million from the year before.

The first part of this series covered the secret history of one group of credit carders -- online crooks who deal in stolen credit and debit card account information -- and their flamboyant leader who turned from wanted online fraudster to Ukrainian politician.

And now there's a new generation of carders on the prowl that operate far below the public radar. Dumpster divers (people who dig out personal information from discarded receipts and mail) and skimmers are yesterday's news. Today, credit carders are launching "full-fledged online bazaars full of stolen personal and financial information," says Brian Nagel, assistant director of the U.S. Secret Service's Office of Investigations.

As more people report getting ripped off online, crooks are finding more ways to rip us off. Let's see what they're doing.

Part 2 - Notes from the underground: The next generation of carders

Screenshot of counterfeiting site (Click to enlarge)

It's a lot easier to counterfeit a credit or debit card than to counterfeit currency. From die cutters to embossers to hologram makers to blank plastic cards, credit card counterfeiting tools are readily available for purchase online. (See screenshot.)

Javelin Strategy & Research released a forecast for identity fraud in May 2008. After collecting data for three-month periods from 2003 to 2007, the company studied trends to predict the future of credit card and debit card fraud.

As a result, the study predicts debit-card fraud will likely rise in the future. This is a pretty scary fact. Whereas credit cards protect cardholders when fraud occurs, there is no such insurance for debit cards.

Debit cards are much easier to counterfeit, too. Unlike credit cards, debit cards require only two features: a plastic card and magnetic stripe containing digital information for the account number, name of cardholder and card expiration date.

If a user knows your PIN, then he or she can withdraw money using the counterfeit card.

The Department of Justice's (DOJ) Computer Crime and Intellectual Property Section released a report this week on data breaches, specifically carding, entitled "Data Breaches: What the Underground World of 'Carding' Reveals." The document, which is forthcoming in the Santa Clara Computer and High Technology Journal, studies several now-extinct forums to find some commonalities in the carding underworld.

Debit card fraud is more damaging to consumers, yet protections are not as codified as credit card fraud (Click to enlarge)

Five of the sites used as case studies were shadowcrew.net, carderplanet.com, iaaca.com, cardersmarket.com and ccpowerforums.com. Each was organized almost identically. According to the study, each offered five basic roles for its members:

- "Administrators" governed the criminal Web site.
- "Moderators" oversaw a forum (which generally covered their area of expertise, such as counterfeiting or writing computer viruses, or the moderator's geographic location).
- "Reviewers" tested the illicit products or services before they were advertised to be sold.
- "Vendors" sold the products or services to members of the criminal organization.
- "Members" used the Web site to learn about the criminal activity, procure credit card numbers or false/counterfeit documents.

Looking through the Web archives for a few of these sites (all were shut down by September 2007), it was interesting to see how their sophistication level rose in later years versus the earlier years.

When these sites started out, most just offered credit cards, temporary addresses (called COBS) to ship products to and then re-sell the products, and tips on phishing software (malicious software used to extract information from a computer) and skimming.

By the time the sites had developed for a few months, if not for several years, they offered full-scale packages of identity information, which included victims' credit or debit card numbers embedded on a magnetic stripe (called a DUMP), PIN numbers for debit cards, CVV numbers (the three-digit identification number on the back of a card), birth date, mother's maiden name, passport information and more. The more mature sites also offered carding contraband -- the tools used to counterfeit a credit card. The pricing also evolved to meet demand from the date the site launched to when it was shut down.

The Web carding forums fed off of some of the same players. For example, cardersmarket.com was founded in 2005 when carderplanet.com went out of business, and it rapidly grew to several thousand members after subsuming the membership of four rival sites, according to the study.

Unlike identity theft, where the number of victims is limited to several hundred, or, in rare cases, thousands, carding "often involves thousands of victims, and, in some cases, millions," the DOJ study says.