Cybercrime Credit Card Stores
If you’re interested in the cybercrime field, it shouldn’t be news to you that the current cybercrime market and forum model is experiencing unprecedented instability and uncertainty. In recent weeks, another member has joined the club of uncertainty: BriansClub, an automated commerce website (AVC) specializing in stolen credit card data, which reportedly fell victim to a targeted attack on its data center.
In this blog, we determine whether this targeted attack on BriansClub affects the broader credit card cybercrime landscape, and ponder whether it may encourage the community to push another AVC credit card store to the top.
BRIANSCLUB: WHAT HAPPENED?
In October 2019, Krebs on Security reported that data had been stolen from BriansClub, revealing some 26 million stolen credit and debit cards. Ironic? We thought so too. It’s currently unknown if the stolen data was available from other sources. Such breaches are especially difficult to trace because the stolen data can often be sold to another AVC or forum.
WHAT MAKES IT A LIKELY TARGET?
It is a dog-eat-dog world in cybercrime and no site, whether it is a forum, a marketplace or an AVC, is safe. Given the huge amount of data available on the site, combined with the high average value assigned to each hacked card (estimated to be worth $500 each), BriansClub is an attractive target for cybercriminals. While the source responsible for the attack has not yet been identified, it is likely that they were financially motivated as well as selfishly driven, as the treatment of Krebs on Security indicates that the actor was seeking publicity as well as access to the 26 million stolen cards.
CREDIT CARD STORES: WHAT EXPLAINS THEIR POPULARITY?
Cybercriminals’ online stores have grown in popularity over time, in part because of the ease of access, but also because of the large amount of credit card data available, which is often updated daily. A cybercriminal who wants to commit financial fraud only needs to register on one of these sites, select the bank of his or her choice, and then select the appropriate account to purchase. All this is done with a few clicks and a couple of keystrokes.
Figure 1: Example of a cybercriminal credit card store, Trump’s Dumps
BRIANSCLUB: WHAT LEADS TO A SUCCESSFUL BUSINESS MODEL?
BriansClub’s business model is based on making money from compromised card data. Extrapolating from the fact that BriansClub sold 9.1 million cards, the report estimates that the AVC would have made $126 million from sales. Such a figure demonstrates that cybercriminals have a huge incentive to use such a platform because the return on investment is “useful” (albeit highly illegal).
To effectively make huge profits, BriansClub and other CC AVC stores rely on a constant supply of “fresh” data by organizations referred to as “affiliates” or “vendors” who are direct sources of information. Fresh data can be divided into the following categories:
A card that has not been canceled by the victim’s bank
CC accounts that have been sent to the AVC site as soon as possible
Data that has not been previously advertised on other AVCs
Affiliates or vendors subsequently forward this data to the store and in return receive a share of the profits for any successful transactions. Using this model eliminates the risk of law enforcement trying to find the direct source.
Nevertheless, a key skill is needed to ensure the smooth operation of stores: timing. If stolen CC data is not collected, delivered and advertised in a timely manner, the CC can be canceled before the customer has even had a chance to review it. Such instances can then affect the AVC store’s reputation among cybercriminals, customer confidence in the service, and ultimately, the volume of Internet traffic passing through its doors.
Failure in any of the above areas leads to a bad reputation that spreads throughout the cybercrime community, which reduces Internet traffic and sales.
CYBERCRIME CREDIT CARD STORES: WHO WILL TAKE THE THRONE?
BriansClub is one of many prominent CC AVC stores currently operating and selling similar datasets. In the cybercriminal credit card store environment, it is widely believed that much of the existing stolen CC data is replicated at these sites and is not unique to one particular platform. The scene is also flooded with “ripper” sites seeking to prey on willing buyers. In such cases, shoppers mistakenly believe they are buying a valid credit card. The success of AVC sites, like forums, depends on several factors:
Reputation: like any other business seeking to attract customers, CC AVC sites rely heavily on reputation, promoted largely through forums – a good reputation inspires trust.
Paid Digital Marketing: Cybercriminals are digitally savvy. Scanning the underworld of cybercrime, you may come across paid advertising space on the most prestigious sites. Advertising alone doesn’t lead to success, but investing in marketing promotes a brand and spreads information beyond word of mouth. Investing in digital marketing also drives Internet traffic, which is necessary because without enough interest and engagement from users, an AVC will quickly die.
Exclusivity: The most respected carding AVCs use a kind of closed entry, ensuring that users feel part of an exclusive community and encouraging only serious customers to apply. Closed entry can mean customers paying for accounts, such as BriansClub, or it can mean an invitation-only model, such as AVC Benumb. In the case of paid accounts, such as BriansClub, this process will keep the customer account after a short time period of membership. Previously operated by invitation only, another well-known and well-selling AVC carding site, Joker’s Stash, switched to paid access in 2018.
Customer Service: AVCs need customer service to interact with their customer base in the forums, respond to inquiries, and perform various other admin functions.
User interaction: AVCs, like forums, need constant user interaction, stable site functionality, and bug-free software. Successfully meeting this requirement will drive customer loyalty.
Mystery: Many popular carding AVCs have long existed in a cybercrime environment. Because of competition from ripper sites masquerading as trustworthy AVCs, administrators have largely avoided various forms of communication, instead limiting communication to forums and contact forms through their own sites. This meant that few could get closer than superficial business relationships; it also may have prevented law enforcement from blocking these sites. Overall, this contributed to the air of mystery surrounding the most successful sites.
Figures 2 and 3. Joker Stash ads on a dark web forum.
While the attack on BriansClub may affect its reputation in the CC AVC scene somewhat, it is unlikely that the AVC will close its store doors because of the credibility and customer base it has already gained. The likelihood is that after this attack, the competition in this space will continue to grow and each platform will fight for the right to be king. There are many other offerings waiting to happen; examples include, but are not limited to:
To be successful, the AVC store, like the forum, may need significant resources to invest in the above.
HOW WILL THEY HANDLE THE SPOTLIGHT?
While the existence of CC stores is well known, any increased media coverage is likely to draw additional attention from law enforcement and anti-fraud agencies seeking to suppress and prevent this type of activity. But the revelation of how much money can be made with these online CC stores can advertise the profitability to a wider audience and attract a growing number of like-minded individuals willing to take advantage.
However, the increased unwanted attention may encourage “affiliates” of these online CC retailers (i.e., providers of stolen credit card data) to wonder about the risks associated with selling their data to a third party. As a result, Digital Shadows is now starting to see more affiliates directly advertising their data sets on cybercrime forums to try to neutralize this threat [see Figure 4]. Vending on forums not only eliminates the financial
3. TRUST: NIGHTMARE LOSES ACCREDITATION
Ratings matter, and the darknet is no exception. Declining credibility has caused the cybercrime community to turn its back on Nightmare.
Dread, a Reddit-style community with a big sectarian following, called the site’s server status “fraudulent.” Many Nightmare customers who had spent time and added funds to the site turned to Dread to express their frustration and warn others: one urged others to “stay away” from Nightmare, another recommended “CLOSE the accounts as soon as possible,” and another was less sympathetic, taking the “I told you so” attitude.
Figure 3: Nightmare Market Discredited on Dread
To top it all off, Dark Fail, a site that allows users to check if darknet sites are online, first changed Nightmare’s status to “fraud” and then removed its URLs from its lists entirely (see Figure 3). Such a move confirms that even Dark Fail does not trust the Nightmare marketplace.
CYBERCRIMINAL MARKETPLACES: DOES INSTABILITY HINDER CRIMINAL ACTIVITY?
Such instability creates a headache (perhaps even a migraine) for the English-speaking cybercrime world. New markets emerge, then disappear, creating chaos. Such chaos, however, is quickly becoming an increasingly prominent feature of the cybercriminal scene. But will these developments affect the cybercriminal trade? Here’s what we assess:
Lack of trust: Such volatility causes distrust in the community. Nightmare tells us that the cybercriminal ecosystem has no time for “exit fraud” and inadequate markets – these sellers and trading venues are quickly weeded out.
The intent of cybercriminals remains: although the English-language cybercriminal markets appear to be shrinking, the criminal intent remains. Underground marketplaces are the most accessible way to serve a wide audience, so we can expect new marketplaces to emerge; however, they, like others, may go the same way as their predecessors.
Use of multiple platforms: As the marketplace becomes an increasingly toxic brand, we estimate that cybercriminals will use whatever services are available to make transactions. However, while chat services, insertion sites, and AVCs may present tempting alternatives, the human impulse to trade in a marketplace environment is likely to persist.