November 29, 2014

Underground cybercrime shops that sell credit and debit card accounts stolen from retailers are slashing prices and promoting their own Black Friday and Cyber Monday sales as fraudsters gear up for the busy holiday shopping season.

Card data stolen from main street retailers, a.k.a. “dumps,” is sold to crooks who encode the numbers onto new plastic and go shopping for high-priced electronics and gift cards at big box stores. Other shops sell mainly stolen card numbers, expiration dates and card security codes that can only be used to shop at online retailers.

Have a look at the slide show below, which features multiple advertisements pushed out by some of the most bustling crime shops competing for buyers with discounts and promotions.

It’s nearly impossible for consumers to tell how secure a main street or online merchant is, so it’s best just to shop as if they’re all compromised. That is, if you have the choice between using a credit or debit card, shop with your credit card.

Sure, the card associations and your bank will be quick to point out that you’re not liable for fraudulent charges that you report in a timely manner, but this assurance rings hollow for many who find their checking accounts emptied by card thieves after shopping at a breached merchant with a debit card. Who pays for the fees levied against you by different merchants when your checks bounce? You do. Does the bank reimburse you when your credit score takes a ding because your mortgage or car payment was late? Don’t hold your breath.

Also, if you’re shopping online this holiday season, be wary of phantom stores. If you don’t know much about the seller that has the item you want to buy, take a few minutes to investigate its online reputation. It’s not uncommon for bargain basement, phantom Web sites to materialize during the holiday season and vanish forever not long afterward. If you’re buying merchandise from an online store that is brand new, the risk that you will get scammed increases significantly. But how do you know the lifespan of a site selling that must-have gadget at the lowest price? One easy way to get a quick idea is to run a basic WHOIS search on the site’s domain name. The more recent the site’s “creation date,” the more likely it is a phantom store.
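The WHOIS creation-date check described above, as an added example (not from the original post): it reads the creation date out of raw WHOIS text and computes the domain's age in days. The sample records, the `.example` names and the 180-day cut-off are assumptions made for illustration.

```python
import re
from datetime import datetime, timezone

# Labels registries commonly use for the registration date in WHOIS output.
_CREATED = re.compile(
    r"^[ \t]*(?:creation date|created|registered on)[ \t]*:[ \t]*(\S+)",
    re.IGNORECASE | re.MULTILINE,
)
# Date layouts handled here; anything else is reported as "unknown".
_DATE_FORMATS = ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%d", "%d-%b-%Y")

# Assumption: the cut-off is an arbitrary illustration, not a figure from the post.
MIN_AGE_DAYS = 180


def creation_date(whois_text):
    """Return the first parseable creation date in raw WHOIS text, or None."""
    for raw in _CREATED.findall(whois_text):
        for fmt in _DATE_FORMATS:
            try:
                parsed = datetime.strptime(raw, fmt)
            except ValueError:
                continue
            return parsed.replace(tzinfo=timezone.utc)
    return None


def domain_age_days(whois_text, today):
    """Whole days between the creation date and `today`; None if unknown."""
    created = creation_date(whois_text)
    return None if created is None else (today - created).days


def needs_closer_look(whois_text, today, min_age_days=MIN_AGE_DAYS):
    """True for a recently created domain, or when no date can be read."""
    age = domain_age_days(whois_text, today)
    return age is None or age < min_age_days


# Constructed WHOIS excerpts (reserved .example names, not real lookups).
NEW_STORE = """Domain Name: HOLIDAY-DEALS.EXAMPLE
Creation Date: 2014-11-20T08:15:30Z
Registry Expiry Date: 2015-11-20T08:15:30Z
"""
OLD_STORE = """    Domain name: established-shop.example
    Registered on: 03-Mar-2003
    Expiry date:  03-Mar-2016
"""
REDACTED = "Domain Name: NO-DATES.EXAMPLE\nRegistrar: Example Registrar\n"

if __name__ == "__main__":
    today = datetime(2014, 11, 29, tzinfo=timezone.utc)  # date of the post
    for name, text in [("new", NEW_STORE), ("old", OLD_STORE), ("none", REDACTED)]:
        print(name, domain_age_days(text, today), needs_closer_look(text, today))
```

A record with no readable creation date is flagged rather than passed, since a missing date tells you nothing about how long the store has existed.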

Be careful what you agree to: Check to make sure you know how long the item will take to be shipped, and that you understand the store’s return policies. Also, keep an eye out for hidden surcharges, and be wary of blithely clicking “ok” during the checkout process.


48 thoughts on “Black Friday, Cyber Monday for Crooks, Too!”

  1. Some Guy

    I love how the first site claims that 5% of what they take in is going to charity. You’ve got to wonder if they really think that credit card thieves are going to believe hogwash like that.

    1. mibbzz

      I don’t see why not. Carders make a ridiculous amount of money out of selling cc’s when they get them for nothing, or next to nothing.

    2. Neej

      Er … yeah but I can also see why LOL but probably pretty canny marketing I reckon (making it a little easier for the criminals to continue offending without taking personal accountability basically)

      1. swattz101

        I can see how it’s kinda funny, but at the same time, remember anonymous is one of the hacktivist groups that is causing trouble in Ferguson.

        I’m not saying that anonymous and one and the same (though I wouldn’t be surprised that some of the members frequent both circles) just that even some of the darker sides of the internet support good things.

    3. Bob

      I don’t doubt it at all. It is a group of crooks supporting other crooks and it makes it sound like they have morals. Add to that the fact that the criminal element in Russia (starting with Putin) views Ferguson as an indication of what is wrong with the U.S.

  2. Dr. Zackary Smith

    Good article. However, any person can find a lot of underground criminal wares like this on the hidden services sites using T.O.R. You just have to know where to look, because there is everything from counterfeit money to complete identities; it’s all there to be sold.

  3. JCitizen

    Your advice is good as always Brian!

    All stores might as well be compromised; I’ve been doing that ever since I learned a valuable lesson online. I saw no difference between brick and mortar and online retailing, as they are all connected to the internet in one way or another.

  4. Likes2LOL

    “…if you have the choice between using a credit or debit card, shop with your credit card.” All issues of “mark of the beast” and frequent flyer miles aside, it would seem like going back to CASH may be the safest thing to do.

    My grandfather used to carry a lot of cash in his wallet. He told me, “If I ever get robbed by a drug-addled guy with a gun, I don’t want to upset him further by not having enough cash for a fix.” On top of that, many tow truck companies don’t take credit cards, either. 😉

  5. Glen Robertson

    The sad fact is that in the USA, so far, they don’t take data/network security that seriously. Europe has taken more active measures & has fewer problems as a result than American businesses do. Yes, security does cost $$ money but it is cheaper than the costs of being hacked and damage to the reputation of the business involved. I am not sure what it will take before people take the necessary action to stop this evil behavior.

    1. achbed

      Yes, security costs. However, due to the nature of merchant agreements and the banking system in the US, those costs are passed along to someone else. So all the incentive to fix the problem is removed as the bank and/or card processors who need to fix the problem all pass the buck instead of investing in security. What’s cheaper for them, adding millions in expense to combat a system-wide problem that doesn’t affect their bottom line, or just passing that cost along to someone else?

  6. Peter

    Some dumps not living up to the promised acceptance rate on the cards.

    Good to see the crooks are honouring the distance selling laws and refunding items that are not as described. lol

    1. Robert.Walter

      At minimum, such a policy would seem to save your reputation, at maximum your life.

  7. MV

    I had an international charge alert pop on one card this morning that has been very trouble-free, but was used for a couple online charges in the past several days.

    It was an authorization for $24.75 from “Rapicompr”. No way to dispute the charge just yet with card company since it’s only an auth, but we’re following up.

    I haven’t been able to find anything connecting the vendor name to a web site or other info.

  8. David Longenecker

    Brian, what’s your opinion on using virtual one-time-use card numbers as offered by a few banks, if you choose to shop somewhere you are not entirely comfortable with? It seems it would limit any potential fraud to a single use (in addition to the liability protection you mentioned), but am I missing something?

    1. Ed Nicholos

      I’ve been using Virtual one time card numbers, even designed my own page to keep track. Never had a problem as long as I used it only for “Online” buying and had a limited dollar amount related to the number. After five or more years, I still feel confident about this system. It is a Master Card issued by a national bank I do not use for my personal banking. As you know, I generate a new card number for each time I need to use a credit card but I always have a limit as to the amount spent. I am surprised all banks do not use this system.

    2. BrianKrebs Post author

      Can’t hurt, but I’ve never felt like I could be bothered to do it. My credit card issuer used to offer it, then they didn’t, now they do again, but I don’t feel like going through the hassle again.

      1. Rick

        LOL, Brian, and since it sounds like one of my cards, you forgot that you have to have Flash installed to use their one-time generator. That made it even more inconvenient.

        1. Robert.Walter

          Look at the bright-side, at least it is Flash and not Java!

          re. cost vs benefit of throw away card numbers … the problem is not big enough to go to the trouble of using this feature … and assuming near future ubiquity of smartphone based services like Pay that use tokenization it would seem the need for such a service would decline over time.

      2. Neej

        Hmm OK BK that’s interesting … I have been considering whether to try this feature using Abine or Citibank and replace any credit card number I use online with them but that gives me pause for thought if you believe them to be not worth the trouble.

      3. Walter Houser

        I use Bank of America’s ShopSafe to generate one time use cards. And I agree it is not convenient. Because debit cards are dressed up to look like credit cards, ShopSafe keeps me from using my debit card by mistake – and keeps Dmitry, Igor, and Pavel from looting my bank account.

        1. Robert

          Thanks Walter, a person can learn a lot from this blog in addition to what Brian writes up. I’ve been a BOA Online customer for over a decade and never knew about ShopSafe until I read your comment. It seems like a great answer for an occasional purchase.

  9. Patrik

    Social engineering works on all types of people above and below the board. What I find interesting is that a Chinese vendor is using Ferguson as a marketing tool.

  10. Tom

    I work at a large retail and we cannot question any customer who comes in to purchase items, even if (and this did happen) a 20 year old comes in and pitches 3 65″ TVs, 2 X boxes, 2 play stations and another 4 32″ TVs, and when he goes to pay tries three different credit cards, all are denied, then finally gives one that is approved. The salesperson never asked any questions because he wanted his commission. When the customer went to pick up the TVs he saw a police officer who was there on another matter; he panicked when he saw him and ran off, leaving his wallet with twenty credit cards inside, all with one name on the card, but a further check revealed the cards actually belonged to many different people. Moral of the story is retail stores allow this and should be penalized.

    1. Dee

      Infuriating! A perfect example of how retailers help criminals launder funds from stolen cards. Pah!

    2. JDavis

      I worked retail for a short time. Once, I asked someone for his ID before I swiped his credit card because the card said to see ID. Young guy, maybe 20. The card had a woman’s name on it. He said it was his girlfriend. My manager came over, took the card out of my hand and told me to go to the back. I was reprimanded and sent home for the day because I “risked losing the sale.” And I was not paid commission, so they couldn’t even use that excuse. The credit card specifically said to ask for ID, and it belonged to a female who wasn’t in the store at the time. I was later informed that it was “against company policy to request ID” but of course they couldn’t show me any policy in writing that dictated that. This same store also marketed its credit card to 16-17 year old girls, knowing they would be denied because they weren’t 18. Merely wanted to get the “attempts.” Retail stores are guilty too, IMO.

      1. swattz101

        I haven’t signed the back of my last 5 or 6 (or more) past Debit / Credit cards. I see the swipe terminal say to “present card” all the time, but the cashier always ignores it. It’s been 5+ years since I had one of them actually look at it and make me sign it before they would accept it.
        My step-son uses my wife’s card all the time to run to the store and pick something up for her and had never had a problem using it. SMH

      2. Brian Cummings

        Red Flag that manager. Looks like collusion to me. Not an angle I’ve considered before or encountered in my work. Hmmmm….

  11. Brian

    When is the world going to understand that there is a solution to all these breaches??? It’s called Vir-Sec, Inc and they have patented technology that will prevent these breaches in the future!!

    1. JCitizen

      That company has a very bad reputation if you are talking about their (dot) com site. I’d take caution posting references like that on KOS!

    2. Mica

      Thanks for giving us a great example of too good to be true. The ‘tell’ was actually threefold: The use of the handle Brian; the time-tested oratory technique of triple question marks; the subliminal zeal of double exclamation points!!

      “Vir-Sec’s unique, patented technology provides strong multi-factor authentication using distributable media and then loads an application into a virtual session in RAM, bypassing the local computer drive. Vir-Sec provides full Internet functionality outside of web browsers. Browser-based log-on access is removed completely, eliminating security risks from plug-ins, cookies and other browser functions. Even if a client computer has been compromised, malware cannot record RAM activity and the local drive is never accessed. The virtual session closes out with absolutely no local record. As no software or hardware is required, Vir-Sec can be used any time, any place to access secure applications.

      The most secure server is the one that is simply not available.

      Vir-Sec connects clients directly to application servers without an intermediary browser. Attackers lurking on browser platforms who may target a server after they discover its location won’t see it in the first place. The server becomes invisible as soon as the key is removed or the server ends the session according to a protocol, eliminating the primary point of access. Vir-Sec can be layered on almost any platform to replace the full functionality of vulnerable, public-facing browsers. To constrain and control your attack surfaces, not leaving any footprints to follow is key.”

      Note: the material within quotes was copied from the very first listing of an Ixquick Search Engine page (which renders via proxy). I assume that that can be done without landing on a booby-trapped site.

      1. Brian

        You ass. Brian is my name. Not a handle. I do not claim to be any part of this website. Vir-sec will be a household name someday and mark my words, they are the “Holy Grail” of security. Yes Holy Grail is in quotes because of the prior term to define them by those in the know. Obviously not you.

        1. Heron

          Companies with truly excellent products don’t feel the need to advertise them in online comment sections. It shows a marked lack of good judgment for you to do so.

          1. Brian Cummings

            Good grief! A recommendation is not an advertisement. Now, we can see how wars can begin.

  12. Terry Stevens

    Simple solution is to buy from secure and trusted retailers. I did all my shopping on Amazon. Picked up this TV. http://amzn.to/1ysx9oB

    Stick to the big, trusted retailers and you’ll be safe. Stay away from shady and “too good to be true” deals. AKA, use common sense.

  13. P K Sengupta

    You are right – use common sense and reliable reputed retailers. However cash is not an answer barring a few shoppers

  14. jona

    Your advice is not universal, pls mention that in most of Europe there is no difference between debit and credit in case of fraud. Banks cover all losses if reported timely.

    1. David Longenecker

      @jona, I’m not an expert on European consumer law, but I think the credit versus debit recommendation is still valid. Even if you have no liability with either card once all is resolved, with a debit card, you are out the money until it is resolved. With a credit card, the bank is out the money until it is resolved.

      As Brian said, the bank might or might not eventually cover the late fees you are assessed when you miss a mortgage or car payment because your checking account was drained, but they aren’t going to fix the ding to your credit score. It’s easy to avoid that risk altogether by using a credit card (and paying it off).

  15. Patricia Infanti

    Brian, would using a Visa gift card to purchase items online be the best way to protect yourself? Are there any drawbacks? Thanks.

    1. Andy

      Visa gift cards may keep your actual credit/debit card numbers from being compromised, but there are unnecessary fees to purchase, it’s nearly impossible to utilize the entire balance, and most importantly, if a merchant were to issue a refund to the card, it would not be credited.

  16. Rebecca

    Actually we do reimburse our members (cu not a bank) for any fees that would be incurred from fraud associated with their debit card and do our own internal disputes so they get conditional credit within a day. But stating some of the proceeds go to charity, just when I thought I had seen everything. Priceless

    1. Mark

      “Priceless.”

      I’m sure MasterCard would be proud that we’re applying this adjective to credit card thieves!

  17. Brian Cummings

    Consumers cannot be too careful. My wife and I, having both worked in information security roles in banks in the past, have for many years running checked every account, every day, and twice on weekend days for anomalous memo posting activity.

  18. Paul Barwick

    I enjoyed seeing you on “60 Minutes” last night. Nice job.

  19. Heron

    We use a separate account for our debit card, so if the card info is stolen, the checking account with which we pay our bills won’t be affected. We don’t use our debit card online, either.

    I, too, would like a “Report Comment” feature, if that’s a possibility.
