Carding is the process of obtaining unauthorized access to a card’s information and fraudulently using it for personal gain.
How does it work?
Criminals aim to carry out carding transactions in two forms, either through cloning physical cards or through utilizing the Card Not Present (CNP) feature during online access. CNP fraud has significantly increased over time as it bypasses the checks for the identity of the person at the other end of the transaction. The Carder (Actor of Fraud) then uses the card information to conduct fraudulent transactions or sells the card information itself.
How does card information get into the hands of carders and how does it happen?
There are numerous ways in which a card’s information can be stolen. The most common are:
- Data breaches: A merchant, payment processor, acquirer, or bank is breached through a sophisticated hack, resulting in card PANs & PINs being acquired in bulk by criminals.
- Skimming: A criminal inserts or attaches a small device onto the card reader of an ATM to collect the card’s PAN (complete card number, name, and expiry date) & PIN.
- Phishing: Criminals deceive targets into giving out their card’s PAN & PIN through bogus websites, emails, and phone calls.
- Carding: Purchasing card information from other carders.
There are other ways to steal card information, such as social engineering or rogue staff who may have access to card data.
What are Carding websites?
Since the inception of the internet, criminals have been using it as a channel to exchange data and ideas. Initially, they relied more on conducting their activities privately using IRC chat forums, but since the year 2000 carding websites have gained popularity: criminals set up websites as “marketplaces” where anyone can openly advertise their stash of card data (also referred to as a “carding dump”).
For advertising purposes, most carding sites claim to hold data by referring to BINs affiliated with various banks, and sometimes reveal part of the cardholder name and expiry date. Between the year 2000 and approximately 2009, these websites were mostly on the clear web, i.e. accessible by anyone from common browsers. Later, criminals realized that anyone interested in this data would even pay a fee to access their sites, so they started charging for access credentials. These restricted sites can be classified as being in the “Deep Web”: they can be accessed through a common browser but require login credentials. Some of these carding sites reside on the “Dark Web”, where special browsers (e.g. Tor) are required to access those sites with special URLs (.onion). To conduct transactions, criminals have historically used various anonymous payment methods such as throwaway gift cards and emails via “PayPal”. However, cryptocurrencies have since been adopted as the main method of payment for malicious activities.
How much carding data is being advertised as available for sale?
On a daily basis, hundreds of carding dumps are advertised by thousands of self-claimed carders under various aliases. These data dumps are at times grouped by specific bank names, countries or regions. Often, the same data dump is seen advertised across various carding sites under the same or a different alias.
The size of marketplaces can be estimated by using any popular search engine for the term sell+CVV. This returns 50,000+ results. If even 1% of these are actual carding marketplaces that would mean 500 online carding shops. An estimated 500,000 cards are on average advertised on each marketplace on any given day. As a low possible estimate, that is approximately 25 million cards at any time.
For any bank as the issuer of cards, it is important to note that carding dumps contain card data from all banks and are not specific to an individual bank. The bigger the bank, the more of its alleged card data will be found in such carding marketplaces.
Note: These statistics DO NOT account for carding data that is genuine versus carding data that is bogus.
How valid (cardable) is the card data on carding websites?
Carding marketplaces have been growing year on year. The biggest question is: how valid (cardable) is the information being advertised by the carders (criminals)? Yes, there are various breaches, skimming, and phishing attacks on a daily basis, but does that mean that the data being advertised comes from such breaches? Researchers from CTM360 have discovered that a high percentage of carding websites follow an opportunistic, for-quick-profit model with bogus, blocked, expired or incomplete card data. Almost all of these marketplaces deal in cryptocurrency, making it difficult to purchase this kind of data. It has been reported that after arranging for an amount of cryptocurrency to be transferred to a known marketplace, the transferred balance is often not reflected on that website, indicating that such websites are scams.
Furthermore, a detailed investigation of the most popular websites shows that sellers are often highly rated by buyers to suggest that the data is valid, and sellers even provide money-back guarantees. A cursory glance makes this appealing, but there is always a high probability that all of this data can be bogus as well. There are too many gray areas that suggest that most of these carding sites may offer bogus data.
CTM360 does collect full credit/debit PANs/card data actively from our surface, deep, and dark web sources and shares it with our members. On carding websites where payment is required to obtain data, however, we do not engage for the following reasons:
- Engaging and purchasing data for a specific bank or region is likely to increase cybercriminals’ interest in obtaining and/or posting further data for that bank or region, leading to further attacks.
- Transferring money in order to purchase stolen card data is a criminal offence in itself.
We have experienced posting of such carding data of various banks across the globe including GCC Banks, appearing on similar carding sites in the surface, deep, and dark web on a daily basis.
So what should the bank (issuer of cards) do?
It is highly recommended that banks ignore these carding websites for the following reasons:
- There is a very high probability of most of the data being bogus, blocked, expired or incomplete.
- Buying this data draws more attention from the carders and raises the probability of more bogus data in the future; this can also escalate into more targeted attacks and should be avoided.
- Engaging with criminals, or authorizing someone to engage with them on your behalf, is itself a criminal act and should be avoided.
Instead, banks should:
- Ask card schemes (Visa, Master, AMEX) to have such sites taken down.
- Leave it to the national and international security agencies to deal with.
Appendix
(List of some fake carding sites on the clear & surface web)