There is no shortage of credit card information being sold in online carding forums and marketplaces online. In the past six months alone, our dark web spider—which covers I2P and ToR Darknet overlay networks as well as surface web carding sites—detected thousands of instances of sites offering credit cards being offered publicly online. This is just within the non-gated carding forums! Credit card and financial data is sold frequently across the many online marketplaces and observing the sale of such data online is not uncommon. 

Credit card information continues to have short-term value to attackers who are launching more targeted attacks. Though the more highly valued data is personal identifiable information (PII), which provides long term value to those looking to exploit it, credit card information can provide immediate financial gains. Examples of these marketplaces are shown in Figure 1: Examples of DarkWeb Sites Selling Credit Card InformationThose wishing to sell such information are aided by the anonymity offered by hidden services such as those provided on the ToR and I2P networks.

 


Figure 1: Examples of DarkWeb Sites Selling Credit Card Information 

What are the controls in place for criminal marketplaces?

Among those purporting to sell credit card information online, there exist ‘rippers’, those falsely selling goods with the aim of making quick money. After all who do you complain to if you get “ripped off” on the dark web?  There is no such thing as consumer rights in a criminal marketplace. In response to this, buyers of this illicit information look for ways to discern the authenticity of the offer and reputation of the seller.  The sellers reputation, often linked to screen name—  i.e. their “brand” is of significant importance. This may be done through chat rooms as pictured below, where individuals seek advice to find reputable sellers.

Figure 2: Example Dialogue Taking Place Between Cybercriminals

There is no shortage of ways for buyers to garner such information. For example, a common trading name for sellers is the generic sounding ‘bestoffers’, a name that brings back several results using our spider.  In these results, individuals suggest that this seller is far from reliable. In Figure 3: Examples of Other Darkweb Markets Where ‘bestoffers is mentioned, the carder handle bestoffers’ is seen mentioned in Darkweb markets including the Dream market.


Figure 3: Examples of Other Darkweb Markets Where ‘bestoffers‘ is mentioned

To some degree, there are checks and balances.  Many of the marketplaces have spent time on sophisticated ‘vouching’ schemes that require genuine credit card details to be submitted before a user is allowed onto the site.  Where everyone is a thief evidence of a crime is required as entry criteria.  There are review systems used in conjunction with these ‘vouching’ schemes—with sellers seeking to gain positive reviews in order to better promote themselves.  It’s not clear if ‘bestoffers’ went through this process o30 reviews, 28 have rated the seller as 5-star. The feedback comment themselves claim the seller is “A+ valid” and that he is an ‘excellent seller’. The reliability of these claims cannot, of course, be corroborated and good reviews alone do not make a user genuine. 


Figure 4: Profile Information for Carder known as ‘bestoffers

 

Figure 5: Examples of Feedback Provided to Sellers on Darkweb Forums 

How do I protect my personal data from being exploited?

With more and more breaches, there are more and more opportunities for credit card information to be aggregated, re-packaged and sold online in various messaging channels, forums, and marketplaces. Such a package provides and exciting opportunity for cyber criminals. But we must be mindful that all may not be as it seems and online marketplaces are awash with rippers and scammers, all of whom are seeking to exploit this valuable information.

If you’d like the ability to search and index thousands of dark web forums, criminal forums, and threat feeds, get a demo of SearchLight (now ReliaQuest’s GreyMatter Digital Risk Protection) (now ReliaQuest GreyMatter Digital Risk Protection).