| usatoday wrote:|
How stolen credit cards are fenced on the Dark Web

Credit card data stolen from retailers such as Target, Sally Beauty
Supply, P.F. Chang's, and now perhaps Home Depot, are flooding into
underground hacker forums where customers' card numbers, names and
addresses can be sold for as little as $1 each.

Tuesday, a large
batch of credit and debit card information that appears to be from Home
Depot went on sale on such an underground marketplace, known as a
"carder forum." A Home Depot spokeswoman confirmed that the company had
contacted its banks and law enforcement to look into "unusual activity"
but did not confirm a breach.

Carder forums "are the Craig's List
of the hacker underground," says Neal O'Farrell, an identity theft
expert at Credit Sesame and founder of the non-profit Identity Theft
Council, based in San Francisco.

"It's not just cards. It's phishing kits, malware, spammer lists," O'Farrell said. "It's like a shopping mall for cybercrime."

opened an account on one carder forum, rescator.la, where he was able
to peruse offers for millions of Target credit cards. The website,
registered in Latvia, listed the card information along with ZIP codes
and e-mail addresses — information that makes it easier for criminals to
use the cards to purchase goods online or withdraw money from bank

The hacker asked for payment in Bitcoin, a difficult-to-trace digital currency.

Journalist Brian Krebs of KrebsonSecurity.com wrote that he found the newest batch of cards on that site.

credit information stolen from Target appeared for sale in the forums,
individual card numbers fetched up to $120 each, O'Farrell says. Within
weeks, as banks started to cancel the cards, the prices dropped to $8 a
card, he says. Seven months after Target learned of the breach, they
are nearly worthless.

"The most important part of the price is the
freshness, before the victim knows they've been breached and when no
one is canceling," he says. "The guarantees on the cards dwindle the
older they get."

outrun law enforcement, the most sophisticated criminal hackers hide
their "carder forums" on the "Dark Web," which uses The Onion Router,
known as TOR, to conceal the location of the computer servers hosting
the websites. TOR ensures secrecy by randomly routing computer messages
through several places on the Internet, wrapped in encrypted code, so no
single point can link the source to the destination, making the sites
nearly impossible to trace.

FROM YOUR WALLET TO CYBERDEN

can break into companies' databases with malicious software purchased
online from computer hackers, who mostly operate out of Eastern Europe
and Russia, says Tom Kellermann, chief cybersecurity officer for
Dallas-based Trend Micro. The software can infiltrate a database, spread
its code like a virus, and remain undetected for months. When a
customer swipes a credit or a debit card, the software captures the
information, stores it, then sends it in bulk to the cybercriminals.

the information is collected, members of the cybergang test it and sort
it into bundles that are priced, then sold in the underground sites,
Kellermann says. Bundles range from 500 cards to 10,000 cards.

ensure the cards work, the cyberthieves use an automated system to
charge a small amount — around the price of a cup of coffee — to 10,000
cards at a time.

The tests determine the card's validity and
credit limit. Cards with the highest credit limits, such as an American
Express Platinum card, sell for the most money, Kellermann says. A card
number with a low limit might sell for $1 or $2, while a high limit can
sell for $15 or considerably more.

QUICK WINDOW OF VALUE

recent series of data breaches have flooded the market with cards,
which must be moved quickly before they lose their value, Kellermann

Some of the criminals who buy the cards use the data to shop
online. Others create credit cards from blank plastic cards, known as
"white classics" that can be purchased online and imprinted with the
data. The buyers must move quickly, too, before consumers notice fraud
charges and call their banks to cancel the cards.

Tavarez, 34, pleaded guilty last week in New York to a year-long,
$600,000, multi-state shopping spree with stolen credit cards purchased
from cybercriminals, court papers show.

In April 2013, Tavarez and
his four accomplices purchased at least 200 stolen credit card numbers
from a "carding" website, encoded the stolen account information onto
counterfeit cards and purchased dozens of store gift cards and
merchandise at stores in New York, New Jersey, Pennsylvania,
Connecticut, Rhode Island and Massachusetts, federal prosecutors said.

says the FBI is becoming more skilled at catching the cybercrooks, and
companies are employing better software to catch the breaches. On
average, a company detects a breach within five months of the
infiltration, Kellermann says.

"That window is shrinking dramatically," he says. "So the criminals typically have one billing cycle to have a shopping spree."