Fraudsters Scoring Big – an Inside Look at the Carding Ecosystem

Michael Marriott | 19 July 2017

In season two of the Netflix series Narcos, Pablo Escobar points out that: “I’m not a rich person. I’m a poor person with money.” In real-life, Escobar’s cartel reportedly made so much money (at one point $US420 million a week) that their chief accountant, Roberto Escobar, claimed that they “would write off 10% of the money because the rats would eat it in storage or it would be damaged by water or lost.” This “poor” person certainly had a lot of money.

Online carding is another industry which is consistently lucrative for criminals, with payment card fraud to projected to reach $24 billion by the end of 2018. Our latest whitepaper reveals how criminals develop their capabilities and highlights a professional e-learning carding course, complete with webinars, instructors and reading material. This increased professionalization and sophistication of this fraud has negative implications for credit card companies, merchants and consumers.

 Online Carding Course

Figure 1: An English translation of the carding course overview

 

Whatever happened to EMV? Wasn’t payment card fraud meant to have been solved by the introduction of Chip and PIN? The implementation of EMV in the US has had its own problems. As I went to use my card over the weekend, I was prompted with the all-too-familiar message “No chip. Please swipe”. 

 

Chip not working 

Figure 2: Many United States’ EMV terminals are disabled and force customers to swipe instead

 

Recent research indicates that the increasing adoption of EMV has made physical card fraud more difficult, making Card Not Present (CNP) fraud more popular. CNP fraud occurs when the customer doesn’t physically present the card and uses card details online or over the phone. If we consider that annual online card spending will double to $6 trillion by 2021, this is a growth industry for cybercriminals.

Just as in Narcos’ cocaine empire, CNP fraud is unlikely to be achieved by a criminal acting alone. They rely on a sophisticated ecosystem and support network that provides a wide range of credit card details, fraud tools and online tutorials. This includes:

  • Payment Card Data Harvesters - do the ‘dirty work’ in terms of harvesting the payment card information. This is done through intercepting card holder’s information whether this be through point of sale malware, skimming devices, phishing, breached databases, or through operating botnets
  • Distributors – are the ‘middle men’ who typically make the most money. While the criminals who harvest may use the card data themselves, they also sell it on to others who will package, repackage and sell on the card information
  • Fraudsters - run the most risk in terms of getting caught by law enforcement or being conned by fellow criminals. Once fraudsters have acquired payment card information from their distributor, the fraud can happen. These individuals tend to be less technical and attract a lower calibre of cybercriminal, often relying on online guides and courses to learn the latest techniques
  • Monetization - There are many different roles within the stage, including those who have been duped into operating drop addresses and those involved in the reselling of fraudulently acquired goods.

Payment card fraud is not new, nor are online guides and courses for the fraudsters. However, the professionalism, reputation and freshness of this course provides useful insights for organizations across a range of industries as well as consumers. Download a copy of our latest paper to learn about the latest techniques and advice for merchants, payment card companies, and consumers.