Online credit card shops – a numbers game

5 April 2016

You may have recently read headlines about an online shop that was selling millions of stolen credit cards. Questions were even raised by a British politician in the UK Parliament about why this site was allowed to operate and outrage was voiced that tens of thousands of UK cardholders’ data was up for sale on the site. Most sites like this, it was added, were on the dark web or they require a customer to be vetted or pay a fee to enter.

But how unusual are these kinds of sites? Are they new? Are they difficult to access? Are they mostly on the “dark web”?

Firstly, these sites are not new. Way back in 2012 – an age in cybercrime terms – international law-enforcement announced an operation which resulted in the takedown of 36 of these sites, as well as the seizure of data relating to 2.5 million cards over two years, with an estimated fraud prevented in excess of half a billion pounds ($700m USD).

Law enforcement refer to these kinds of sites as “Automated Vending Carts” (AVCs) and, while these sites and the sale of card data certainly can be found on the dark web, it isn’t exactly rare on the surface or clear web. For example, a Google search for some associated terms “CVV online shop” returned 464,000 hits with all of the first page at least, providing links to similar websites.

Online CVV 1 

Figure 1 - google search for AVCs

Of course, sites like this can also be found on the dark web. As Figure 2 demonstrates, one of the largest dark web marketplaces, Alphabay, runs its own credit card shop as an additional feature of the site.

 

Online CVV 2 

Figure 2 - Alphabay AVC

 

And how difficult are these to access? Well, the answer is typically very easy. While some AVCs are invite-only or restricted, it doesn’t make too much sense for the vendors to limit their market by introducing too many barriers to accessing the sites and buying the cards. They want to find as many customers as possible, as quickly as possible, so that the cards are fresh and therefore still valid. Given that you can buy a stolen credit card for just a few dollars or even less, this industry is a numbers game and vendors make their money by selling in bulk.

You might also be wondering where the data comes from – the answer here is a number of sources. Hackers might find the data on badly secured websites and get hold of it through SQL injection techniques, or it might be swiped by magnetic card readers at physical locations or even Point-of-Sale (POS) malware that hoovers up card data from payment devices. However it is obtained, these kind of sites offer a service, a service that will buy the data, aggregate it and structure it for buying and automatic download by fraudsters.

For organizations in the banking industry, this is a constant struggle. Therefore, the ability to quickly detect instances of customers’ cards for sale is critical for organizations. Organizations with greater cyber situational awareness will be able to detect and respond to these instances more quickly.