Cybercrime and Dark Web Research / Online credit card shops – a numbers game

Online credit card shops – a numbers game

Online credit card shops – a numbers game
Digital Shadows Analyst Team
Read More From Digital Shadows Analyst Team
March 21, 2016 | 3 Min Read

You may have recently read headlines about an online shop that was selling millions of stolen credit cards. Questions were even raised by a British politician in the UK Parliament about why this site was allowed to operate and outrage was voiced that tens of thousands of UK cardholders’ data was up for sale on the site. Most sites like this, it was added, were on the dark web or they require a customer to be vetted or pay a fee to enter.

But how unusual are these kinds of sites? Are they new? Are they difficult to access? Are they mostly on the “dark web”?

Firstly, these sites are not new. Way back in 2012 – an age in cybercrime terms – international law-enforcement announced an operation which resulted in the takedown of 36 of these sites, as well as the seizure of data relating to 2.5 million cards over two years, with an estimated fraud prevented in excess of half a billion pounds ($700m USD).

Law enforcement refer to these kinds of sites as “Automated Vending Carts” (AVCs) and, while these sites and the sale of card data certainly can be found on the dark web, it isn’t exactly rare on the surface or clear web. For example, a Google search for some associated terms “CVV online shop” returned 464,000 hits with all of the first page at least, providing links to similar websites.

Figure 1 – google search for AVCs

Of course, sites like this can also be found on the dark web. As Figure 2 demonstrates, one of the largest dark web marketplaces, Alphabay, runs its own credit card shop as an additional feature of the site.

Figure 2 – Alphabay AVC

And how difficult are these to access? Well, the answer is typically very easy. While some AVCs are invite-only or restricted, it doesn’t make too much sense for the vendors to limit their market by introducing too many barriers to accessing the sites and buying the cards. They want to find as many customers as possible, as quickly as possible, so that the cards are fresh and therefore still valid. Given that you can buy a stolen credit card for just a few dollars or even less, this industry is a numbers game and vendors make their money by selling in bulk.

You might also be wondering where the data comes from – the answer here is a number of sources. Hackers might find the data on badly secured websites and get hold of it through SQL injection techniques, or it might be swiped by magnetic card readers at physical locations or even Point-of-Sale (POS) malware that hoovers up card data from payment devices. However it is obtained, these kind of sites offer a service, a service that will buy the data, aggregate it and structure it for buying and automatic download by fraudsters.

For organizations in the banking industry, this is a constant struggle. Therefore, the ability to quickly detect instances of customers’ cards for sale is critical for organizations. Organizations with greater cyber situational awareness will be able to detect and respond to these instances more quickly.

Cyber Threats to the UEFA EURO 2020 Championship

Cyber Threats to the UEFA EURO 2020 Championship

June 9, 2021 | 7 Min Read

You may have recently read headlines about an...
The Business of Extortion: How Ransomware Makes Money

The Business of Extortion: How Ransomware Makes Money

June 9, 2021 | 8 Min Read

You may have recently read headlines about an...
Cryptocurrency Attacks to be Aware of in 2021

Cryptocurrency Attacks to be Aware of in 2021

June 8, 2021 | 10 Min Read

You may have recently read headlines about an...
The Top Three Cybercrime Takeaways from the 2021 Verizon DBIR

The Top Three Cybercrime Takeaways from the 2021 Verizon DBIR

June 2, 2021 | 4 Min Read

You may have recently read headlines about an...