Hacking for Profit: Credit Card Fraud
A Beginners Guide – Leak Information from SA E.J. Hilbert II, Federal Bureau of
Investigation, Los Angeles Field Office, Santa Ana Resident Agency.
INTRODUCTION
This paper is intended to detail how financially motivated hacking groups convert
stolen data to monetary instruments. The primary premise for this paper is
based on Eastern European hacking groups, but in recent months the “financially
motivated” hacker subgroup has expanded to include hackers from the Far and
Middle East. What the individuals are doing with the illicit profits of their
activities ranges from childish purchases to funding terrorist attacks, as was
detailed in the recent autobiography “Aku Melawan Teroris” (Me, Fighting the
Terrorists) by the Bali nightclub bomber. In the chapter “Hacking, Mengapa
Tidak” (Hacking, Why not?), Imam Samudra, a computer scientist, provides a
primer to Islamic Extremists on how to learn the trade of credit card fraud and
hacking.
To quote BigBoss, from forum.Carderplanet.com, “Carding shouldn’t be something
you do for fun, it is something you do to survive.”
Financially motivated hackers consider hacking and carding as their career. The
employment opportunities in their home countries, particularly those whose
salaries are enough to pay for the lifestyles to which these individuals have
become accustomed, are extremely limited. They come from a society where the
average pay is $200 per month but Internet connectivity costs $40 per month.
Thus they are willing to spend one fifth of their monthly salary to be online.
A $1000 profit is more money than most Eastern European hackers have ever seen
at one time.
Though they understand the process of credit cards, most international hackers
do not understand the impact of committing credit card fraud. Most come from
cash economies, and the use of a credit card by regular citizens is extremely
uncommon. They feel the attack is directed at a big corporation and not an
individual. The ideas of rising interest rates, chargeback fees or economic
instability are not concepts they can understand, nor are they their concern.
Money is the object of their actions.
At the time of the first version of this paper in August 2003, many financially
motivated hackers could be found chatting in the forums of the web sites
carderplanet.com, shadowcrew.com and/or darkprofits.com. These sites are still
referenced in this paper because the information provided on the sites is still
relevant.
Since that time, many of the referenced sites have been shut down or taken over
by script-kiddies, and the real profiteers have moved deeper underground. Many
have also become allied with organized crime groups or created their own
hacking teams.
Also at the time of original publication, EFnet and DALnet on IRC initiated a
crackdown on channels dedicated to cyber crime. Since that time, the criminals
have found loopholes in the crackdown, such as renaming the groups, attaching
messages of the day (MOTD) forbidding criminal activity or making the channels
private. Many of the channels have also gone native, meaning they are dedicated
to a particular language group and all posts to the channel utilize that
language and the corresponding slang for carding.
The point being, the groups have not gone away. They still exist and
communicate on the Internet by adapting to the rules. Law Enforcement must now
adapt in kind.
By no means is this paper intended to be the end-all authority on this crime.
Comments, questions and revisions are always welcome.
Definitions, Concepts and Statistics
Since the readers of this paper will range from skilled investigators to
neophytes, some basic terms and concepts need to be set forth:
- Hacker – Individual who gains unauthorized access to computer networks and systems.
- Carder – Individual who uses stolen data, usually credit cards, to fraudulently purchase items or convert the credit into cash.
- Credit card – A monetary instrument, often referred to as plastic, used in place of cash to make purchases. Credit cards are assigned to entities and have specific monetary limits and an interest rate associated with payoff. Since credit cards do not have to be paid off each month, the available limit will fluctuate. Visa and MasterCard do not themselves issue Visa and MasterCard credit cards. They are issued by an issuing bank in conjunction with a use agreement between the bank and Visa or MasterCard. This agreement is for the use of the Visanet or the MasterCard equivalent for verification and authorization of the card.
- Charge card – Same as a credit card; however, a charge card must be paid off each month or risk an extremely high interest rate or the card being shut down.
- Debit Card – Card associated with a bank account and limited by the amount of money in said account, which resembles the credit card by the method of purchase. However, these cards may only be used with the owner’s Personal Identification Number.
Hacker knowledge
Below is the “Beginning Carders Dictionary” as posted online by the Russian
hacker KLYKVA on forum.carderplanet.com. It is presented in its original form
to illustrate the level of knowledge from which these individuals are working.
- Bank-emitent (Issuing bank) – bank which has issued the card
- Billing address – the card owner address
- Drop – innerman. His task is to receive the money or goods and, accordingly, give the part of the earnings to you.
- Drop/Pick-Up guy/Runner – person or location that is setup to accept packages or to receive the money. He should be paid nicely for this position.
- Billing – office, which has agreement with a bank and assumes payments for the cards.
- COB – Change of Billing address
- Card bill – a Bank emitent card bill.
- Bank-aquirer – bank, in which the store opens the account.
- Merchant account – bank account for accepting credit cards.
- Merchant Bank – bank, through which occur the payments between the buyer and the seller (frequently it is used as synonym “bank- equirer”).
- Cardholder – owner of the card.
- Validity – suitability of card.
- White plastic – a piece of pure plastic, where the information is plotted/printed.
- CR-80 – rectangular piece of pure white plastic (without the drawing image) the size of a credit card with the magnetic strip.
- Transaction – charge to the credit card
- POS terminal (Point Of Sale terminal) – reading card device, which stands at commercial point.
- PIN-code – (Personal Identification Number) the sequence, which consists of 4-12 numbers, known only to the owner of card. A simple word password for an ATM and so on.
- AVS – the card owner address checking. It is used for the confirmation of the card belonging exactly to its holder.
- “Globe” – card holographic gluing with the image of two hemispheres (MasterCard).
- Pigeon (hen) – card holographic gluing with the image of the flying pigeon (VISA).
- Reader – information reading device for the readout from the magnetic strip of card.
- Encoder – read/write device for the magnetic track of the card.
- Embosser – card symbol extrusion device.
- Card printer – card information printing device.
- Exp.date – card validity period.
- Area code – the first of 3 or 6 digits of the card owner’s phone number.
- CVV2, cvv, cvn – 3 or 4 additional numbers, which stand at the end of the number of card.
- ePlus – program for checking the cards.
- BIN – first 6 numbers of the card number which make it possible to learn what bank issued the card and what type of card (ATM-card, credit, gold, etc.). Synonym of word “Prefix”.
- Chargeback – the cardholder’s bank voids the removal of money from its card.
- Dump – information, which is written to the magnetic strip of the card, it consists of 1,2 or 3 tracks.
- MMN – Mothers Maiden Name (generally the primary account holders mother)
- Track (road) – a part of the dump with specific information. Every 1st track is the information about the owner of the card.
- 2nd track – information about the owner of card and about the bank who issued the card, etc.
- 3rd track – it is possible to say – spare, it is used by stores for the addition of the points and other.
- Slip – synonym to the word “cheque” (conformably to card settlings).
- Card balance – amount of credit remaining for spending in the card account.
- Automated Clearing House (ACH) – the automated clearinghouse. The voluntary association of depositors, which achieves clearing of checks and electronic units by the direct exchange of means between the members of association.
- Continuous Acquisition and Life-cycle Support (CALS) – the integrated system of the production guaranteeing, purchase and exploitation. This system makes possible to computerize all data about the design, development, production, servicing and the propagation of the production.
- Debit Card – Card, which resembles the credit card by the method of using, but making possible to realize direct buyer account debiting at the moment of the purchase of goods or service.
- Delivery Versus Payment (DVP) – the system of calculations in the operations with the valuable papers, which ensures the mechanism, that guarantees the delivery will occur only in the case of payment and at the moment of payment.
- Direct debit – payment levy method, mainly, with the repetitive nature (lease pay, insurance reward, etc.) with which the debitor authorizes his financial establishment to debit his current account when obtaining calculations on payment from the indicated creditor.
- Electronic Fund Transfer (EFT) – the remittance of means, initiated from the terminal, telephone or magnetic carrier (tape or diskette), by transfer of instructions or authorities to financial establishment, that concern the debiting or crediting of the account (see Electronic Fund Transfer/Point of Sale – EFT/POS).
- Electronic Fund Transfer/Point of Sale – EFT/POS – debiting from the electronic terminal, for the transfer purpose from the account of a buyer into the payment on the obligations, which arose in the course of transaction at the point of sale.
- Integrated Circuit (IC) Card – It is known also as chip card. Card equipped with one or several computer micro-chips or integrated microcircuits for identification and storing of data or their special treatment, utilized for the establishment of the authenticity of personal identification number (PIN), for delivery of permission for the purchase, account balance checking and storing the personal records. In certain cases, the card memory renewal during each use (renewed account balance).
- Internet – the open world communication infrastructure, which consists of the interrelated computer networks and provides access to the remote information and information exchange between the computers.
- International Standardization Organization (ISO) – International organization, which carries out standardization, with the staff office in Geneva, Switzerland.
- Magnetic Ink Character Recognition (MICR) – System, which ensures the machine reading of the information, substituted by magnetic inks in the lower part of the check, including the number of check, the code of department, sum and the number of account.
- RSA – the coding and authentication technology, developed in 1977 in MIT by Rivest, Shamir and Adel’man, which subsequently opened their own company RSA Data Security, Inc., purchased recently by the company Security Dynamics Technologies, Inc.
- Real-Time Gross Settlement (RTGS) – the payment method, with which the transfer of means is achieved for each transaction in obtaining instructions about the payment. Decrease the risk with the payment.
- Smart Card – card equipped with integrated circuit and microprocessor, capable of carrying out the calculations.
- System risk – the risk, with which the incapacity of one of the payment system participants either financial market participants as a whole to fulfill their obligations, causes the incapacity of other participants or financial establishments to fulfill its obligations (including obligations regarding the realization of calculations in means transfer systems) properly. This failure can cause significant liquidity or crediting problems and, as result, it can cause loss to the stability of financial markets (with the subsequent action on the level of economic activity).
- Truncation – procedure, which makes it possible to limit the physical displacements of a paper document (in the ideal version) by the bank of the first presentation, by the replacement by electronic transfer of entire or part of the information, which is contained on this document (check).
- Card Balance – Current used Credit
- Avail Credit – Actual credit avail for Spending
- Cash Advance Avail – Actual amount avail as Cash for ATM usage.
- Integrated Circuit (IC) Card – It is known also as chip card. Card equipped with one or several computer micro-chips or integrated microcircuits for identification and storing of data or their special treatment, utilized for the establishment of the authenticity of personal identification number (PIN), for delivery of permission for the purchase, account balance checking and storing the personal records. In certain cases, the card memory renewal during each use (renewed account balance).
- LE – Law Enforcement, Coppers, Piggies, The Fuzzzzzzzzzzzz
- Lappie – Laptop
Communication Methods
As in all endeavors, hackers and carders need a means or several means of
communication. Given the international make-up of most hacking groups and
the fact that cyber crime is truly borderless, the communication methods
chosen by these groups must be internationally accessible, cost effective and
have a high level of anonymity. Listed below are several of
the primary communications methods used by hackers and carders:
- IRC – Internet Relay Chat, a series of interconnected computer servers on various networks which enable users to chat in channels and one to one. The channels are also referred to as rooms and are controlled by the user who first established the room.
- ICQ – America Online (AOL) owned peer-to-peer chat application. Chat rooms can be established within the ICQ network but entrance is by invitation only.
- AIM – AOL Instant Messenger
- Forums – Website sponsored bulletin boards where public and private messages can be posted about various topics. Examples: forum.carderplanet.com, eraser.hostmos.ru, www.darkprofits.com and www.carderclan.net
- Email – Electronic mail
A Credit Card (VISA) Transaction
There are two parts to every
transaction. First, a customer presents a Visa product, usually a card, to a
merchant, who needs immediate authorization of the transaction. Second, at the
end of the day, the merchant needs to receive the funds for the transaction via
its financial institution and ultimately from the customer’s issuer. The
specifics will vary depending on transaction type, complexity, technology, and
processing services but the typical flow is illustrated here.
How a Purchase is Made
Authorization at the Point of Sale
- Maria presents a Visa card (credit or debit) at ABC Stores.
- ABC uses an electronic terminal or the telephone to request an authorization from its financial institution (DEF Merchant Services).
- DEF checks to see if the account is valid and has sufficient funds. It sends an authorization request message, including owner’s account, merchant account and transaction details, through VisaNet to GHI Bank, Maria’s Visa issuer.
- GHI reviews the request and makes a decision to approve or decline the request. GHI’s response message is sent back through VisaNet to ABC within seconds.
In some cases, when an issuer is unavailable for authorization, VisaNet will
authorize the transaction as part of a Stand-In Processing Service. This is
done to further enhance payment system efficiency. The entire authorization
process, when done electronically, takes about two seconds.
How the Merchant Gets Paid
Clearing and Settlement
At the end of the day, ABC Stores
delivers all its sales draft information (including Maria’s purchase) to DEF
Merchant Services. Each draft will contain the credit card number and the
merchant account number. DEF credits the merchant account of ABC Stores for the
net amount of all its sales. This is how ABC Stores obtains its funds from
Maria’s purchase.
Next, DEF’s processing center
creates an electronic version of all drafts for all the merchants it supports,
including ABC Stores. The electronic drafts, which may include transactions
from numerous Visa account holders in various countries, are sent through
VisaNet to one of Visa’s data centers.
Visa routes these drafts to the financial institutions of the Visa account
holders; for instance, Maria’s transaction is sent to her issuing bank, GHI
Bank. Visa consolidates all transactions for each issuer into an electronic
file that includes currency conversions, fees, net settlement amounts, and
required reporting information.
GHI’s processing center receives the
file and prepares the transactions for posting to its cardholders’ accounts
including Maria’s.
GHI Bank transfers all the funds
owed that day by its cardholders, including Maria, to a settlement bank, which
is responsible for delivering the funds to the merchant acquirers such as DEF
Merchant Services. This is how DEF gets paid for the amount it paid ABC Stores
in step #2.
At the end of the billing period,
GHI Bank produces a statement to Maria. This is how GHI settles with Maria.
Statistics
Visa annual worldwide sales volume exceeds US$2.4 trillion. There are 1.2
billion Visa, Visa Electron, Visa Cash, Interlink and PLUS cards worldwide, but
only 49,413 legally issued cards in Central Europe, the Middle East and Africa.
Visa is accepted in more than 150
countries.
As of March 31, 2003, MasterCard’s
gross dollar volume for credit and debit programs was US$285.7 billion, an
increase of 7.31% over the same period in 2002.
MasterCard has 32 million acceptance
locations; no payment card is more widely accepted globally.
Cardholders can obtain cash with the
card at bank branches and at all ATMs in the global MasterCard/Maestro/Cirrus
ATM Network, among the largest ATM networks in the world with more than 892,000
ATM locations worldwide on all seven continents.
Most Eastern European law enforcement officers do not own, use or understand a
credit card. This is important when requesting information from certain parts
of the world. All requests must be highly detailed and precise.
What to Steal
Everything is worth stealing to these individuals. These hackers are
financially motivated and highly educated. They are not the typical hackers
found in the U.S. Hacking and carding is a business for them. They hack to
steal databases, which in turn are provided to carders. Carders, utilizing
various schemes, convert the stolen credit cards to cash or equipment, then
provide the cards freely online in carding-related IRC chat rooms. The
intention of the free cards is to spread the information as widely as possible,
thus making it difficult for law enforcement to track who originally committed
the hack.
The hack occurs in three parts: reconnaissance, theft and dump. During the
reconnaissance portion, the hackers steal everything. This information is used
to identify the important parts of the network, the location of the databases
and user names and passwords. The reconnaissance usually occurs two to three
months before the theft. During the theft portion, the hackers begin to glean
specific information, i.e., credit card numbers, from the system as needed. The
theft phase can last for years and the hackers usually leave a very small
footprint of their activities. The dump stage occurs when the hackers steal
everything in a very “noisy” manner. This stage is used to burn all those
“script-kiddies” and “lamerz” who are taking advantage of the original hackers’
backdoors. The dump phase usually results in press coverage and the
“red-flagging” of all the credit cards in the system at that point in time. The
victim company makes security changes and over time lets its guard down. The
hackers then attempt to use the old backdoors they created. If they are still
in place, the theft stage begins again.
The hacks normally take advantage of known vulnerabilities that have not been
patched by the various victims. Most hacks occur against Microsoft Windows
platforms and utilize the Msdac exploit, the MSSQL exploit or the IIS exploit.
A wealth of information is available about these exploits on the Internet.
The truly skilled hackers have developed their own tools and place backdoors on
systems, such as by installing Telnet and secure shell daemons on high port
numbers or creating their own user IDs and passwords after installing a sniffer
to steal the root-level passwords. These are the first things System
Administrators should look for; they should also change all root-level
passwords via face-to-face meetings with all root-level users. Password changes
sent via email will be intercepted if a sniffer has been installed on the
system.
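A minimal audit for the two backdoor types named above, remote-shell daemons listening on high ports and unexpected accounts, written as an added example that is not part of the original paper. The daemon names, the account baseline and the sample `ss -tlnp` and passwd text are constructed assumptions.

```python
import re

# Daemons that hand out a remote shell (names are assumptions for this example).
SHELL_DAEMONS = {"sshd", "dropbear", "telnetd", "in.telnetd"}
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}
PROC_RE = re.compile(r'\(\("([^"]+)",pid=(\d+)')

# Constructed sample in the layout printed by `ss -tlnp` (run as root on a live host).
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      128    [::]:22            [::]:*            users:(("sshd",pid=812,fd=4))
LISTEN 0      511    0.0.0.0:8080       0.0.0.0:*         users:(("nginx",pid=900,fd=6))
LISTEN 0      128    0.0.0.0:31337      0.0.0.0:*         users:(("sshd",pid=4410,fd=3))
LISTEN 0      5      0.0.0.0:50023      0.0.0.0:*         users:(("in.telnetd",pid=4522,fd=0))
"""

# Constructed passwd content and the account list from a known-good baseline.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
sysadm:x:0:0::/tmp/.s:/bin/sh
backup2:x:1001:1001::/home/backup2:/bin/bash
"""
BASELINE_ACCOUNTS = {"root", "daemon", "www-data", "alice"}


def shell_daemons_on_high_ports(ss_output, approved_ports=frozenset({22})):
    """Return sorted (port, process, pid) for shell daemons on ports >= 1024."""
    findings = set()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[0] != "LISTEN":
            continue  # header or non-listening socket
        port_text = fields[3].rsplit(":", 1)[-1]  # handles 0.0.0.0:22 and [::]:22
        match = PROC_RE.search(line)
        if not port_text.isdigit() or match is None:
            continue
        port, name, pid = int(port_text), match.group(1), int(match.group(2))
        if name in SHELL_DAEMONS and port >= 1024 and port not in approved_ports:
            findings.add((port, name, pid))
    return sorted(findings)


def audit_accounts(passwd_text, baseline_names):
    """Return {account: [reasons]} for accounts an intruder may have created."""
    findings = {}
    for line in passwd_text.splitlines():
        parts = line.strip().split(":")
        if line.startswith("#") or len(parts) != 7:
            continue
        name, uid, shell = parts[0], parts[2], parts[6]
        reasons = []
        if uid == "0" and name != "root":
            reasons.append("uid 0 but not root")
        if name not in baseline_names and shell not in NOLOGIN_SHELLS:
            reasons.append("not in baseline, has login shell")
        if reasons:
            findings[name] = reasons
    return findings


if __name__ == "__main__":
    for port, name, pid in shell_daemons_on_high_ports(SAMPLE_SS):
        print(f"remote shell daemon {name} (pid {pid}) listening on port {port}")
    for account, reasons in audit_accounts(SAMPLE_PASSWD, BASELINE_ACCOUNTS).items():
        print(f"account {account}: {'; '.join(reasons)}")
```

On a host that may already be compromised, feed these functions data gathered with tools from trusted media, since locally installed binaries can be replaced to hide listeners and accounts.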
Sometimes, the hack is automated
through the use of a “bot” which makes it impossible for the System
Administrators of the victimized networks to stop because they are physically
not fast enough to fight the bot. The only way to stop the bot is to take the
network offline.
Investigations thus far indicate the
following items are being stolen for use in various schemes detailed later in
this paper:
- Credit card databases
- Personal information (name, address, telephone numbers)
- Bank accounts
- Bank routing numbers
- Social Security numbers
- Email addresses and passwords
- Computer logon names and passwords
- ACH transfer records
- Merchant accounts
- Order histories
- Client lists
- Partner lists
- Company telephone directories
- Website Source code
- Shipment tracking numbers
- eBay accounts
- Escrow accounts
- Proprietary Software
Getting Credit Cards
Of all the data sought by hackers, credit card databases are the highest
priority. This is because they are the easiest to use.
There are nine basic methods to obtain credit card numbers:
Phishing – This is the practice of sending fraudulent e-mails that appear
legitimate. The emails often appear to be from a bank or financial institution
and request that the recipient update their account information by utilizing
the link included in the email. The link takes the recipient to a bogus web
page where all the requested information is captured and later transmitted to a
site controlled by the criminal for their use in cyber crime. Amongst the
information often requested are the recipient’s social security number, credit
card number, PIN and cvv2.
Buy – There are literally thousands of “Vendors” on web sites such as
Forum.carderplanet.com, darkprofits.net and Shadowcrew.com willing to sell
dumps of credit cards at varying rates. If a carder knows how to use cards,
expending $200 up front for cards is easily recouped.
Trade – Through the different communication methods discussed above, hackers
and carders trade credit cards online. Many cards are offered free of charge.
The individual who stole the cards often has used these cards for fraudulent
purchases. They are then offered to the community as a whole with the intention
of having multiple people use the cards. Law enforcement will therefore have a
harder time identifying the original hacker from the various carders.
Generate – There are numerous software packages freely available on the
Internet, which generate credit card numbers. Many of the programs use the
DESIII algorithm just like the legitimate credit card companies.
The problem for the carder with generated cards is that approximately 1% of the
cards are valid. This means the carder will need access to a way of checking
validity and obtaining authorization before trying to commit fraud. A common
method would be a merchant account.
Visa and MasterCard do not issue or generate cards; however, they allow banks
to issue cards with the respective logos/brands. American Express differs from
Visa and MasterCard in this respect. American Express controls all cards and
card numbers using their logo. American Express actually generates card numbers
in advance, which are stored in an active state awaiting issuance to a
customer. If a carder generates one of the stored American Express cards, any
merchant receiving the card for payment will receive authorization for the
purchase.
Extrapolate – Once a Carder obtains a valid card through any of the different
means listed herein, he can extrapolate additional cards based on the valid
card number and the expiration date. Various extrapolation programs are freely
available on the Internet. These programs utilize the valid card as a base for
creating additional cards, particularly the first six digits. Extrapolation
increases the likelihood of obtaining valid credit cards to approximately
35-40%. Once again a method to determine the validity via authorization is
required.
Fake Shops – It seems every business must now have a presence on the Internet
in order to do business. Couple this fact with the general public’s belief that
web sites are not easy to set up, and it is not difficult to understand why
many feel that if the company has a nice web site, the company must have money
and be a reputable company. Many hackers and carders will use these beliefs to
their advantage by setting up fake online shops offering products for sale at
cut-rate prices. Good hackers and carders will spend the extra time to post
fake recommendations on rating sites to help move their fake shop into the top
ten slot on search engines. When customers place an order at the shop, they
will be informed via email that their product will be shipped in 4-6 weeks.
While the customer is waiting for their product, the shop owners continue to
collect credit card numbers. At this point there are three possible scenarios:
The first is that the product is simply not shipped and the credit card is
never charged. The second is the product is not shipped but the credit card is
charged. In the third scenario, the product is shipped and the customer is
happy. The details of this scheme will be covered in depth later in the paper
but, in all three scenarios, it should be noted that the hackers and carders
received legitimate credit card numbers with full information.
Intrusions – The method of obtaining credit cards that has received the most
press is intrusion. The hacker simply gains unauthorized access to a system and
steals the database. The systems targeted by hackers include the following:
- Online shops running shopping cart programs
- E-Commerce payment solution sites which handle online orders for online shops
- Credit Card processing companies such as net, creditcards.com and CCBill.com
- Online monetary exchange sites where a person can purchase monetary units using credit cards
- Online Casinos
- Pornographic websites (victims often do not notify Law Enforcement of intrusions)
- Banks and Financial institutions
Each of these targets will have credit card information stored in some
variation. Some will include full information including CVV2 numbers while
others will simply store the credit card number and expiration date.
Identity Theft – This method is labor and time intensive but, once the credit
card is obtained, the card is valid and often has a high credit limit. Using
stolen identities, the carder simply applies for a credit card. How the
identities are obtained ranges from simple web searches to buying access to
ChoicePoint or Lexis/Nexis and gaining data from their databases.
This scheme will also be covered more in depth later in this paper.
Social Engineering (SE) – By far the most low-tech method of obtaining
information, the hackers and carders will simply try to get the individuals to
provide the information. This is done through telephone calls, faxes or email.
A very common SE method is the email sent to particular customers stating there
is some issue with their account. The customer is asked to log on using the
link contained in the email. Once the customer logs on, all the information
they input into the web site is collected for use by the hacker. When the
individual selects the submit button on the web page, a message stating some
computer glitch appears and the customer is asked to select the continue
button, which will redirect the customer to the legitimate site, and the
customer re-enters their information. This time, the proper site accepts
whichever change the individual makes, and the customer has unknowingly
provided the hacker/carder with full account information.
This method has been reportedly used for gathering email, Paypal, bank and
credit card account information.
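The Generate and Extrapolate methods above both depend on pushing many candidate numbers that share a BIN through a merchant account to see which ones authorize, and that is visible on the acquirer side. The added example below (not from the original paper) flags that pattern in authorization logs; the field names, thresholds and sample events are assumptions constructed for illustration, and cards appear only as tokens.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


def find_card_testing(events, window=timedelta(minutes=15),
                      min_cards=10, min_decline_rate=0.5):
    """Flag (merchant, BIN) pairs where many distinct cards on one BIN are
    tried inside a short window and most of them are declined.

    events: dicts with keys merchant, bin, card_token, approved, ts.
    Returns one alert per (merchant, BIN), raised when the thresholds are
    first crossed.
    """
    by_key = defaultdict(list)
    for event in events:
        by_key[(event["merchant"], event["bin"])].append(event)

    alerts = []
    for (merchant, bin_), evs in sorted(by_key.items()):
        evs.sort(key=lambda e: e["ts"])
        recent = deque()  # sliding window of authorizations
        for event in evs:
            recent.append(event)
            while event["ts"] - recent[0]["ts"] > window:
                recent.popleft()
            cards = {r["card_token"] for r in recent}
            declines = sum(1 for r in recent if not r["approved"])
            rate = declines / len(recent)
            if len(cards) >= min_cards and rate >= min_decline_rate:
                alerts.append({
                    "merchant": merchant,
                    "bin": bin_,
                    "distinct_cards": len(cards),
                    "decline_rate": round(rate, 2),
                    "flagged_at": event["ts"],
                })
                break  # one alert per (merchant, BIN) is enough
    return alerts


def build_sample_events(tester_gap_seconds=30):
    """Constructed authorization log with three merchants."""
    t0 = datetime(2004, 1, 5, 12, 0)
    events = []
    # MERCH-A: 20 different cards on one BIN, roughly one in three approved,
    # close to the 35-40% validity rate quoted for extrapolated numbers.
    for i in range(20):
        events.append({"merchant": "MERCH-A", "bin": "400000",
                       "card_token": f"tokA{i:02d}", "approved": i % 3 == 0,
                       "ts": t0 + timedelta(seconds=tester_gap_seconds * i)})
    # MERCH-B: ordinary shop, 30 cards spread over six BINs, one decline.
    for i in range(30):
        events.append({"merchant": "MERCH-B", "bin": f"41000{i % 6}",
                       "card_token": f"tokB{i:02d}", "approved": i != 7,
                       "ts": t0 + timedelta(minutes=i)})
    # MERCH-C: many customers of one local bank, almost all approved.
    for i in range(12):
        events.append({"merchant": "MERCH-C", "bin": "420000",
                       "card_token": f"tokC{i:02d}", "approved": i != 5,
                       "ts": t0 + timedelta(minutes=i)})
    return events


if __name__ == "__main__":
    for alert in find_card_testing(build_sample_events()):
        print(alert)
```

Only MERCH-A is flagged: MERCH-C shows the same BIN concentration but almost no declines, which is why the rule needs both conditions.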
The Schemes
Each hacking and carding group tries to develop its own original scheme to make
money from the stolen data; however, there are several primary schemes for
converting stolen data into cash or product upon which all the others are
based. Below, the primary schemes and a few widely used variations are
detailed. It is important to note that the variations are limited only by the
imagination and knowledge of the subjects.
Sell – The easiest and quickest method to make money from stolen cards is to
simply sell them online. The sale of card data is called a “dump” in which the
hacker/carder offers the data for trade or sale, often track 1 and 2. The going
rate online is approximately $.35-$.50 for credit card numbers and expiration
dates. Cards with full subscriber information and CVV2 numbers range in price
from $2.00 to $4.50. Cards are also sold based on their verified credit line,
i.e., $100 for a card with an available credit line of $10,000.
Auction Fraud – Also an incredibly easy scheme, auction fraud has been somewhat
limited by the establishment of online escrow companies. But note, fake online
auction companies can easily be created as well. In this scheme, the subject
simply posts a fake auction item and sells it to the highest bidder. The buyer
sends the seller money or a credit card number but never receives the product.
A couple of variations of this scheme are as follows:
- The hacker/carder uses the stolen credit card to make purchases of auction This can be done on a person-to-person sale or through the use of an escrow account. If an escrow account is involved, the hacker/carder will either open an escrow account based on the stolen information or will steal an escrow account and use whatever funds are in the account to make purchases. The purchases will be shipped to a drop and picked up later by either the subject or his associate to be re-packaged and shipped elsewhere, usually overseas. The use of a drop and an associate is called a trans-shipper. How trans-shippers are obtained is discussed later.
- The second variation is more sophisticated and forces the escrow account to serve as a money laundering The hacker/carder will open several escrow accounts, one based on a bank account controlled by the hacker/carder and the others based on stolen credit card or bank account information. Often times neither account is in the subject’s true name.
The real account is used to post numerous online auctions.
The auctions take place for a limited period of time and the hacker wins his
own auctions using one of the fraudulent accounts. This fraudulent account is
then used to pay the escrow company.
The seller informs the escrow account the product has been sent, the buyer
states he received the product and instructs the escrow company to release the
funds. The funds are transferred to the real escrow account from which they are
immediately withdrawn and transferred to a bank account or withdrawn via an
ATM. At no time during the transaction did any product change hands. All the
money was transferred via the escrow company; thus, in 30 days, when the
cardholders whose cards were used for the fraudulent accounts file chargebacks,
the chargebacks are sent to the escrow company.
Fraudulent Purchases – This scheme is also simple in that the hacker/carder simply makes a purchase online using the stolen credit card. The difficulty for this scheme is that merchants often will not ship overseas; therefore, the subjects need an address within the U.S. to which to ship the product.
For Fraudulent Purchases, the hackers/carders need a drop: a person or location to which the packages can be sent without identifying themselves. Drops can be obtained in various ways.
- The most common is to post on a hacker/carder forum the need of a partner and establish a working relationship with whoever answers the
- Drops can also be obtained by posting a job offer on Hotjobs.com or Monster.com for an individual to work at Individuals will be paid via Western Union to accept and repackage items and send them overseas. A skilled Social Engineer can convince people of the legality of accepting packages in this method and the newly hired employee is unaware they are facilitating a crime.
When it comes to paying these employees, the hackers/carders vary as well. Many will simply not pay their employees and leave them “holding the bag” when complaints are filed. Others choose to pay their employees through Western Union. Still others act as if they are paying the employee by sending them a counterfeit check. The checks will be drawn for substantially higher amounts than are owed the new employee. When the employee comments regarding the value of the check, the employer states it was an oversight and asks the employee to simply wire the employer the remaining funds after the subtraction of the monies owed the employee plus a bonus for being honest. The employee sends the wire transfer overseas and two to three days later finds out the check is counterfeit. The employee is out not only their salary but also the amount wired overseas.
- The third variation is called COB (change of billing). Most credit card companies allow their customers online access to their With this online access, the customer can change billing addresses, telephone numbers, passwords and so on. The intriguing aspect is that most people do not activate their online access. When a hacker/carder steals a credit card with full information, they can then go online and change the billing address to match that of one of the drops they control. The COB is extremely useful when the company from which the items are being purchased will only ship to the billing address.
- If the drop is worried about having the packages shipped to their address, P.O. boxes are used and an ingenious method is to send the packages to vacant An individual can contact a local real estate agent to determine which homes are for sale and when the occupants plan on moving out. During the brief time the house is vacant, the drop can simply pick up the packages from the mailbox of the vacant house.
- A final variation involves some sophistication, but it limits the need for an When an item is fraudulently purchased, the hacker/carder has the package shipped to the credit card holder’s real address. A slow shipment method is requested as well as a fax or email of the scanned shipping bar code. When the hacker/carder receives a copy of the shipping bar code, they can utilize a bar code scanner to read the code. They then contact the shipping company, provide the information contained in the bar code and a change of the shipping location. The new cost for the shipment is billed to the defrauded company or can be charged to another stolen credit card.
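For merchants and card issuers, the change-of-billing and in-transit reroute variations above leave a recognizable sequence of account and shipping events. The following detection rule is an added example, not part of the original paper; it runs over constructed sample events, and the event field names and the 14-day and 1-day thresholds are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real data); the field names are assumptions.
EVENTS = [
    {"t": "2024-03-01T10:00", "type": "online_access_enrolled", "card": "A"},
    {"t": "2024-03-01T10:05", "type": "billing_address_changed", "card": "A", "addr": "12 Elm St"},
    {"t": "2024-03-02T09:00", "type": "order", "card": "A", "order": "o1", "ship_to": "12 Elm St"},
    {"t": "2024-03-01T08:00", "type": "order", "card": "B", "order": "o2", "ship_to": "7 Oak Ave"},
    {"t": "2024-03-03T08:00", "type": "reroute_request", "order": "o2", "new_addr": "99 Pine Rd"},
    {"t": "2023-01-10T08:00", "type": "billing_address_changed", "card": "C", "addr": "5 Lake Dr"},
    {"t": "2024-03-02T08:00", "type": "order", "card": "C", "order": "o3", "ship_to": "5 Lake Dr"},
]

COB_WINDOW = timedelta(days=14)  # assumed: how recent a billing change counts as suspicious
ENROLL_GAP = timedelta(days=1)   # assumed: change made right after first online enrollment

def flag_orders(events, window=COB_WINDOW):
    """Return {order_id: [reasons]} for orders matching the COB or reroute pattern."""
    last_cob, enrolled, orders, flags = {}, {}, {}, {}
    for e in sorted(events, key=lambda ev: ev["t"]):
        t = datetime.fromisoformat(e["t"])
        kind = e["type"]
        if kind == "online_access_enrolled":
            enrolled.setdefault(e["card"], t)          # first activation only
        elif kind == "billing_address_changed":
            last_cob[e["card"]] = (t, e["addr"])
        elif kind == "order":
            orders[e["order"]] = e
            cob = last_cob.get(e["card"])
            if cob and t - cob[0] <= window and e["ship_to"] == cob[1]:
                reasons = flags.setdefault(e["order"], [])
                reasons.append("ships to a billing address changed within the window")
                enr = enrolled.get(e["card"])
                if enr and timedelta(0) <= cob[0] - enr <= ENROLL_GAP:
                    reasons.append("address changed right after first online enrollment")
        elif kind == "reroute_request":
            o = orders.get(e["order"])
            if o and e["new_addr"] != o["ship_to"]:
                flags.setdefault(e["order"], []).append("in-transit reroute to a new address")
    return flags

if __name__ == "__main__":
    for order_id, reasons in flag_orders(EVENTS).items():
        print(order_id, reasons)
```

Flagged orders are candidates for manual review or out-of-band confirmation with the cardholder, not automatic declines; a long-standing address change such as card C's is left alone.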
Below is a post by a carder named JediMasterC detailing how to card in the real world based on dumps of credit cards obtained online or through skimming:
Click here to read the conclusion (Part 2): A BEGINNER'S GUIDE 2
This is dedicated to cumbajonny and other people who watch their backs closely. If you’re that careful you will probably never be caught. The date in the topic will be changed whenever there is an update.
Disclaimer
This document was written for informational purposes only. It was written so that credit card companies, banks, merchants, retail stores, and the consumer will have a better understanding of how these activities work and how to protect themselves. I have never participated in any of the described activities and am not suggesting that anyone else should either. All described acts, memories, quotes, and ideas are fictional.
Credit: Wicky Carder (wickybay.com)