Sure, we all know that ripped-off payment card details – like these! – sell like hot potatoes on the dark web, where carders snap them up, slap them onto new cards, and go on mad spending sprees on somebody else’s dime.
But exactly how fast do hot potatoes get sold?
Two hours, it turns out. That’s how long it recently took somebody – or something, if it turns out to have been an automated bot – to find, and use, a credit card posted by a security researcher.
David Greenwood, from ThreatPipes, says he decided to run an experiment on how long it would take thieves to find his card, motivated as he is by the fact that he’s been bedeviled by e-thieves who keep poking at it:
In only two years, there have been 4 attempts to use my credit card fraudulently.
The cyber-crime headline writers are not struggling for work.
Greenwood got curious about the life cycle of stolen data. He wondered, how does data such as credit and debit card information propagate across the internet, including on the dark web, where carders conduct their dirty work?
Dirty work, as in, buying stolen payment card details, putting all the legitimate card details onto the fresh magnetic stripe of a blank card, and thereby cloning the card so they can use the counterfeit to buy themselves some bling.
So Greenwood picked up an anonymous, prepaid credit card, and he set to work at trying to do what crooks do: sell that tasty tidbit.
Oh, these cautious crooks
Unfortunately for his experiment, Greenwood says that he lacks a reputation as a carder, or a thief, or, really, as any kind of rascally wrongdoer. That’s not good if you’re trying to pass yourself off as a trustworthy purveyor of stolen goods in the web’s dark alleys.
Frustratingly, you can’t just start selling this information on dark web forums. You need a reputation. You need people to vouch for you.
So instead of trying to sell his credit card, he just gave it away for free, lock, stock, and barrel, along with a bunch of fake locks, stocks and barrels, lumping dummy credit card data in with his real data and dumping the whole thing onto multiple paste sites.
I dumped the complete package to various paste sites including; full card numbers, expiration dates, CVV codes, and billing address.
Bundled in my paste were a variety of fictitious card numbers I made up based on MasterCard and Visa formats.
And then he waited. For about two hours.
That’s how long it took for the bait to be nibbled on, with one of those small transactions made by fraudsters’ bots and scripts. The crooks test whether the payment card information is valid, by using a stolen card on merchant sites that automatically respond with a detailed reason for why a given card is declined.
Two hours was actually pretty slow, Greenwood said. The prepaid card was eventually used at the site for a well-known UK British retailer.
Payment card data isn’t the only hot potato out there, Greenwood noted. You’ve got the same army of bots and scripts out there looking for whatever they can get, waiting to sniff out things like…
- Sensitive internal company data (documents, emails…) which come in handy for crooks looking to pull off sophisticated Business Email Compromise (BEC) scams like this one.
- Network data (exposed ports, misconfigured SSL certificates…)
- Accidental or intentional data leaks (API keys, usernames and passwords…)
All of which present a slew of things you need to secure. When it comes to your payment cards in particular, here are two words of advice: Act fast!
Check your statements
Doing some things once in a blue moon isn’t good enough, be it flossing your teeth or checking your financial statements for fraudulent charges. Regularly checking means you’ll spot fishy charges before they cling to you.
We the consumers aren’t typically held responsible for fraudulent activity – but only when we report bad charges in a timely fashion. Don’t delay, if you don’t want to get stuck paying for somebody else’s baby lions and/or Lamborghinis.
Leave a Reply