Hacker News
The unstoppable Credit Card blackmarket (stopthehacker.com)
56 points by backslash on March 3, 2010 | 20 comments


I remember back in ~2000~2001 there was some popular cart application floating around. Everyone used it! A Google search of "/uri/somecart.cgi?something" brought up tons of pages... and of course, a vulnerability in the wild put everyone's information out on a silver plate for these card scavengers.

Well, luckily I was poor and 16 when they bounced and locked my card up right away (never buying from that T-shirt store again).

Years down the line though, I still can find my name, old cc, and address on these lists. They're all over IRC...

On the topic of scamming, most of them use a reputation-based system (i.e., traderx has 60 successful transactions, while traderb has -3 successful transactions; who would you go with?)

You can also hire moderators to check out some things, iirc. Such as, placing a $0.03 charge through a merchant and verifying or checking the accounts.

I did a pretty large study of this back in 2003 or so, but really lost interest once I pissed off the wrong people and they got personal.


Would you be interested in elaborating on that last sentence?


Basically a man, "Pablo," figured out what I was doing in his community because I was being too blunt. Pablo told me to find somewhere else to toy around. After about another month of my presence, Pablo somehow got my phone number and called me. He had a strong Romanian accent and quite the vicious set of vocal cords to accompany his voice.

I'll never forget it, he not only told me my mother's name, but also read off her social security number and told me it was 'disgusting pig' she was on welfare. (born with CP)

That shock (the shock of involvement of family) led me to ditching all my research and moving on to writing papers on Cisco routers.

That was back in 2001; finding identities and SSNs wasn't quite so easy, especially for an invalid mother who had never ventured near a keyboard. On reflection, I suppose it wasn't too hard even then to obtain info if you had money, but still creepy to have some international guy threaten your life/your mother's life for gathering info.

This actually happened again recently, but the shock wasn't quite there. This time, my girlfriend was attacked by an angry blackhat SEO because I was treading on his niche territory. It's not too hard to tie AdWords campaigns > domains > domain WHOIS > real name > Facebook/social networking > family and get info on them these days. This guy contacted me first too, but moved on to harassing my girlfriend. Domain parking, go go. It's not worth the $15 a month to get harassed. I'm pretty sure he got my AdSense account banned (suspicious clicks) + had something going on to click my ads automatically and waste my money (I had a 15% CTR at one point). Also my WordPress had someone logged into my admin at one point, but I've basically turned my Linode into Knox since then.

She didn't quite seem to understand why I was in a panic over the situation...


"Romanian accent"? This suggests to me that either you yourself are Romanian or you have a rather acute ear. I live in Romania and it seems to me that almost every Romanian speaks English with a slightly different accent. I'd be hard put to it to identify a Romanian from his accent if I lived in London for instance. The same would not be true of an Italian, French or German native. I have no idea what a 'Romanian accent' is, let alone a 'strong one'.


The article points out that the "cyber criminals prefer to get paid via Liberty Reserve and Western Union money transfer services." This is something I've always been curious about. Getting a credit card number + other info seems like it would be simple compared to getting those bytes converted into paper form without getting caught.


Frankly, I think that Western Union isn't in the business of caring. They make a healthy margin on every transfer, and serve a segment of the population that has a strong disinterest in having to extensively document their identity, source of funds, etc., sometimes because the funds are "dirty", sometimes because the sender or recipient isn't "fully legal", etc.

It's against Western Union's interest to extensively document everyone and every dollar that passes through their systems. I'm sure they comply with the legal requirements placed on them, but I doubt they go WAY beyond that, for doing so would not be in their best business interests.


Why isn't there effective enforcement?

Is it:

-- Incompetence? Leadership, technical, other?
-- Low visibility to law enforcement? (In which case, why?)
-- Priorities? Well-placed? Misplaced?
-- Strategic? For ethical purposes?

The problem needs fixing, but it seems important to understand why we're at this point today when enforcement seems so obvious and simple. There's more than enough enforcement power available, at least in the U.S., to deal with the brazen criminals and make it much harder for them. Are those honeypots?


At least on the surface, it would seem that the CC companies themselves have the most motivation to put a stop to this. Why are their anti-fraud departments not forwarding these sites to the FBI, getting court orders to shut down the domains (at least those hosted in the USA), working with big ISPs to get them blacklisted...?

Is there some non-obvious reason that it's in the interest of the CC companies to let this go? Is there a lot of low-level fraud that customers never notice, and just keep making those monthly minimum payments?


Ever heard of chargebacks? You use my card, I complain to my cc company, they refund my money and attack the seller with fees for lack of verification.

So,
>CC Thief gets whatever he bought at an empty house
>CC holder gets stuck in an infinite customer service loop
>CC company avoids charges
>Seller gets fined


While this is certainly disturbing, I kinda wonder how much of the info being sold in this way is legit. I mean, if you scam your buyer by providing false info, what can they really do about it? Call the cops and tell them you got scammed while trying to buy stolen CC info online?


CC hackers rely on selling hundreds and thousands of numbers at a time to make any money. It makes sense that most of their business comes from repeat customers, in which case scamming them isn't in their best interests.


I'm sure that is true for real CC hackers, but it is difficult to tell which, if any, of the people posting these ads is the real deal. The lack of trust and transparency is an opportunity for scammers hoping to make a quick buck before they change usernames/emails and try again.

It would actually be interesting to see how "legitimate" CC sellers try to distinguish themselves from the fakes. They mention in the article that some of them are using images to identify themselves, effectively creating CC hacker brands.

Edit: ambiate makes a good point about reputation systems on the forums they use. Seems practical and discourages username swapping.


An interesting subset of the make-your-victim-opt-into-something-illegal-or-embarrassing-so-he-won't-tell scam genre.


Isn't it risky to extract cash/goods from a credit card?


Yes, that's why only criminals do it.


Unstoppable, really? Ban credit cards, it's stopped. Seriously, better choice of word required. Perhaps undefeatable would be more apt.


You've established a very silly standard. Most things we deem "unstoppable" can, in fact, be stopped with enough nuclear munitions, for instance.


Am I just the only one who finds it strange that people sell credit card info? I mean, that'd be like if you saw a guy on the street selling dollar bills for 1/100 cent each. Sure, they might be marked bills from the same printing run, but they are still money being sold for less than their value.

You'd think if the harvester has the ability to harvest, he'd be able to work out a better way of monetizing credit cards than selling them at $2 a pop.

Or, maybe I just misunderstand how the people who buy the lists monetize the credit card info.


The problem is that there are so many people who steal mass amounts of credit cards that there's a glut of them on the market. There's really no other way for them to protect their liabilities--these guys can sell their data, vanish, and make another heist without being caught, while someone actually using the credit card faces a lot more risk.


I read somewhere that cybercrime is extremely specialized; there are people who collect credit card numbers, people who broker them, people who extract money from them, people who launder that money, etc.



