Online credit card shops – a numbers game

Online credit card shops – a numbers game
Digital Shadows Analyst Team
Read More From Digital Shadows Analyst Team
March 21, 2016 | 3 Min Read

You may have recently read headlines about an online shop that was selling millions of stolen credit cards. Questions were even raised by a British politician in the UK Parliament about why this site was allowed to operate and outrage was voiced that tens of thousands of UK cardholders’ data was up for sale on the site. Most sites like this, it was added, were on the dark web or they require a customer to be vetted or pay a fee to enter.

But how unusual are these kinds of sites? Are they new? Are they difficult to access? Are they mostly on the “dark web”?

Firstly, these sites are not new. Way back in 2012 – an age in cybercrime terms – international law-enforcement announced an operation which resulted in the takedown of 36 of these sites, as well as the seizure of data relating to 2.5 million cards over two years, with an estimated fraud prevented in excess of half a billion pounds ($700m USD).

Law enforcement refer to these kinds of sites as “Automated Vending Carts” (AVCs) and, while these sites and the sale of card data certainly can be found on the dark web, it isn’t exactly rare on the surface or clear web. For example, a Google search for some associated terms “CVV online shop” returned 464,000 hits with all of the first page at least, providing links to similar websites.

Figure 1 – google search for AVCs

Of course, sites like this can also be found on the dark web. As Figure 2 demonstrates, one of the largest dark web marketplaces, Alphabay, runs its own credit card shop as an additional feature of the site.

Figure 2 – Alphabay AVC

And how difficult are these to access? Well, the answer is typically very easy. While some AVCs are invite-only or restricted, it doesn’t make too much sense for the vendors to limit their market by introducing too many barriers to accessing the sites and buying the cards. They want to find as many customers as possible, as quickly as possible, so that the cards are fresh and therefore still valid. Given that you can buy a stolen credit card for just a few dollars or even less, this industry is a numbers game and vendors make their money by selling in bulk.

You might also be wondering where the data comes from – the answer here is a number of sources. Hackers might find the data on badly secured websites and get hold of it through SQL injection techniques, or it might be swiped by magnetic card readers at physical locations or even Point-of-Sale (POS) malware that hoovers up card data from payment devices. However it is obtained, these kind of sites offer a service, a service that will buy the data, aggregate it and structure it for buying and automatic download by fraudsters.

For organizations in the banking industry, this is a constant struggle. Therefore, the ability to quickly detect instances of customers’ cards for sale is critical for organizations. Organizations with greater cyber situational awareness will be able to detect and respond to these instances more quickly.

Access Our Threat Intel In Test Drive

Test Drive SearchLight Free for 7 Days
Try It Now

Connect with us

Related Posts

Digital Risk Reporting Best Practices: Top 10 Ways to Build Killer Reports in SearchLight

Digital Risk Reporting Best Practices: Top 10 Ways to Build Killer Reports in SearchLight

June 30, 2020 | 4 Min Read

We all have those days or that time of the...
Multiple vs. Exclusive Sales on the Dark Web: What’s in a sale?

Multiple vs. Exclusive Sales on the Dark Web: What’s in a sale?

June 29, 2020 | 9 Min Read

When going out on a shopping spree, you would...
Introducing Nulledflix – Nulled forum’s own streaming service

Introducing Nulledflix – Nulled forum’s own streaming service

June 23, 2020 | 8 Min Read

Lockdowns implemented during the COVID-19...
Torigon Forum: A sad case of all show and no go

Torigon Forum: A sad case of all show and no go

June 23, 2020 | 11 Min Read

When we review the ideal template for a...