If you’re an avid follower of Digital Shadows’ blogs, or just have a general interest in the cybercriminal landscape, it shouldn’t be news to you that the current cybercriminal marketplace and forum model is experiencing unprecedented volatility and uncertainty. In recent weeks, another member has joined the club of uncertainty: BriansClub – the automated vending site (AVC) specializing in stolen credit card data that was reportedly the victim of a targeted attack on its data center.
In this blog, we determine whether this targeted attack on BriansClub will impact the wider cybercriminal credit carding landscape, and speculate whether it could galvanize the community to push another AVC credit card (CC) store to the top.
Curious about the differences between forums, marketplaces, and AVCs? Check out our blog to learn more:
Understanding the Different Cybercriminal Platforms: AVCs, Marketplaces, and Forums.
BriansClub: What happened?
In October 2019, Krebs on Security reported that data had been stolen from BriansClub, resulting in the exposure of around 26 million stolen credit and debit cards. Ironic? We thought so too. It is currently unknown whether the stolen data has been made available on other sources. Breaches of this type are especially difficult to track as they can often be sold to another AVC or forum.
BriansClub: what makes it a likely target?
It’s a dog-eat-dog world in the cybercriminal landscape, and no site, whether that’s a forum, marketplace or AVC, is safe. Given the vast amount of data available on the site, combined with the high average value assigned to each compromised card (estimated to cost $500 each), BriansClub is an attractive target for cybercriminals. Though the source responsible for the attack is yet to be identified, it is likely they were financially motivated as well as ego-driven, as contacting Krebs on Security indicates the actor was seeking publicity as well as access to 26 million stolen cards.
Credit Card Shops: What explains their popularity?
Cybercriminal CC shops’ popularity has increased with time, partly due to the ease of access, as well as the mass supply of credit card data available – which is often updated on a daily basis. A cybercriminal looking to conduct financial fraud only has to register on one of these sites, select a bank of their choosing, and then choose a relevant account to purchase. All done in a matter of a few clicks of the mouse and a couple of keystrokes.
Figure 1: Example of a cybercriminal credit card shop, Trump’s Dumps
BriansClub: What leads to a successful business model?
BriansClub’s business model thrives off making money from compromised card details. If we go off the fact that BriansClub sold 9.1 million cards, the report estimates that the AVC would have earned $126 million in sales. Such a figure demonstrates there is a huge incentive for cybercriminals to operate such a platform, as the return on investment is “rewarding” (though highly illegal).
In order to reap a huge return effectively, BriansClub and other CC AVC stores rely on the continuous supply of “fresh” data by entities referred to as “affiliates” or “vendors” who directly source the information. Fresh data can be categorized as any of the following:
- A card that has not been ‘voided’ by the victim bank
- CC accounts that have been supplied to the AVC site in the shortest space of time
- Data that has not previously been advertised on other AVCs
The affiliates or vendors subsequently forward this data on to the store, and in return receive a cut of the profits for any successful transactions. Running such a model eliminates the risk of law enforcement attempting to find the direct source.
That said, there is a major skill needed to ensure the shops operate smoothly: timing. If the stolen CC data is not captured, delivered, and advertised in a timely manner, the CC could be void before the buyer has even had time to view it. Such occurrences can then impact the reputation of the AVC store across the cybercriminal scene, the trust a customer places in this service, and ultimately the amount of internet traffic passing through its doors.
Failure in either of the above areas results in poor reputation, which spreads throughout the cybercriminal community, therefore decreasing the amount of internet traffic and sales.
Cybercriminal credit card stores: Who will take the throne?
BriansClub is one of many prominent CC AVC stores currently active and selling similar datasets. Across the cybercriminal credit card store landscape, it is widely believed that much of the stolen CC data in existence is replicated across these sites and is not unique to one specific platform. The scene is also awash with “ripper” sites eager to prey on willing buyers. In cases like this, buyers are falsely led to believe that they’re buying a valid credit card. AVC sites, much like forums, depend on several factors to succeed:
- Reputation: Similar to any business looking to acquire customers, CC AVC sites rely largely on reputation pushed in large part via forums – a good reputation instils trust.
- Paid digital marketing: Cybercriminals are digitally savvy. When crawling the cybercriminal underworld, you may come across a paid-for advertising slot on the most prestigious sites. Alone, advertising does not lead to success, but investing in marketing promotes the brand and gets the word out, beyond word of mouth. Investing in digital marketing also drives internet traffic, which is needed because without enough interest and uptake by users, the AVC will die a quick death.
- Exclusivity: The most highly regarded carding AVCs operate some sort of gated entry, ensuring users feel part of an exclusive community and encouraging only serious customers to apply. Gated entry can mean customers pay for accounts, like BriansClub, or it can mean an invite-only model, like the AVC Benumb. In the case of paid-for accounts, like BriansClub, this process would allow a customer’s account to persist beyond a short interim membership period. Formerly operating on an invite-only basis, another prominent and well-marketed carding AVC, Joker’s Stash, moved to paid-for access in 2018.
- Customer service: AVCs need customer service to engage with their customer base on forums, to answer queries and various other admin functions.
- User experience: AVCs, much like forums, need a consistent user experience, which means stable site functionality and dealing with buggy software. Executing this successfully will encourage customer loyalty.
- Mystique: Many popular carding AVCs have long persisted within the cybercriminal scene. Due to competition from ripper sites masquerading as credible AVCs, admins have largely eschewed multiple forms of communication, instead restricting communications to forums and contact forms via their own sites. This means that few can get closer than a superficial business-only relationship; this may also have hindered law enforcement opportunities to disrupt these sites. All in, this has contributed to an air of mystique around the most successful sites.
Figures 2 & 3: Joker’s Stash adverts on a dark web forum
Though the attack on BriansClub may affect its reputation somewhat in the CC AVC scene, it is unlikely that the AVC will close its shop doors due to the credibility and customer base it has already garnered. A likely possibility, following this attack, is that competition will continue to grow in this space, with each platform vying to be king. There are plenty of other offerings waiting in the wings; examples include, but are not limited to:
- Joker’s Stash
- Trump’s Dumps
- Deluxe Market
- Unicc shop
In order to succeed, an AVC shop, like forums, may need considerable resources to invest in the above.
How will they deal with the spotlight?
Although the existence of CC stores is well known, any increased media exposure is likely to garner added attention from law enforcement and anti-fraud agencies looking to crack down on and prevent this type of activity. But the revelation of just how much money can be made using these online CC stores may advertise the cost-benefit to a larger audience and invite an increasing number of like-minded threat actors willing to take advantage.
However, the increased unwanted attention may induce “affiliates” – aka the suppliers of the stolen credit card data – of these online CC shops to question the risks involved in selling their data to a third party. As a result of this, Digital Shadows is now beginning to see more affiliates directly advertising their datasets on cybercriminal forums to try and negate this threat [See Figure 4]. Vending on forums not only removes the cost implications of selling through a third party but also gives greater control as to who can view and buy the data in general. The downside of advertising on a forum is the challenge of trying to source interested and credible buyers.
Figure 4: CC database advertised on dark web forum
The impact of the BriansClub attack on the wider CC AVC scene is not yet apparent. Any platform’s existence is dependent on the cybercriminal community’s reaction. Threat actors can choose to continue to use BriansClub and similar services despite the unwanted attention, shift solely to cybercriminal forums to buy and sell such datasets, or use a combination of the two. Although the CC AVC scene in general may take somewhat of a hit, reputationally, from this attack, it is likely that the publicity will prove to skeptical users that the data available is legitimate and worth considerable investment.