I recently wrote about an online service that was selling access to stolen credit and debit card data. That post received a lot of attention, but criminal bazaars are a dime a dozen. The real news is that few of these fraud shops are secure enough to keep their stock of stolen data from being pilfered by thieves.
A prime example is the shop mn0g0.su (“mnogo” is a transliteration of много, which means “many” in Russian). This online store, launched in January 2011, lets customers shop for stolen card data by bank issuer, victim ZIP code, and card type. A source who enjoys ruining criminal projects said he stumbled upon mn0g0.su’s back-end database by accident; the site was backing up its cache of stolen card data to a third-party server that was wide open and unencrypted.
Included in the database are more than 81,000 sets of credit and debit card numbers, along with their associated expiration dates and card security codes. Each listing also includes the owner’s name, address and phone number and/or email address. The Social Security number, mother’s maiden name and date of birth are available for some cardholders. The site does not accept credit card payments; shopper accounts are funded by deposits from “virtual currencies,” such as WebMoney and LibertyReserve.
It’s not clear how or when these card numbers were stolen. Fraudulent card shops purchase data in bulk from multiple suppliers, most likely from small-time fraudsters who use automated tools to hack e-commerce stores. The data is inserted into the database in varying formats. For example, one batch of card information for sale includes email addresses in lieu of phone numbers, and all of the victim cardholders from that batch have physical addresses in the United Kingdom.
Just for amusement, I searched for my last name, and was surprised to find four people with the last name “Krebs” whose card information was included in the database (none are known relatives).
Not only did mn0g0.su leak all of the credit and debit cards it had for sale, but it also spilled its own “customer” list: The email addresses, IP addresses, ICQ numbers, usernames and passwords of more than 4,300 mn0g0.su shoppers were included in the exposed database backup. The customer passwords were better protected than the credit card numbers. The passwords are hashed with salted SHA-256, although a decent set of password-cracking tools could probably crack 50-75 percent of the hashed passwords if given enough time.
The database backup appears to be a few months old. I know this because I registered two accounts at mn0g0.su, and only one of them — the one I registered late May or early June — is included in the customer database. In addition, it seems that many of the cards for sale were stolen quite recently. I ran a search for cards in my ZIP code, and the site returned just two results. Again, one of the cards was listed in the backup database, and the other — a listing for Annandale, Va. resident Andrea Bolz — was not.
My source offered to pay the $2.50 asking price to buy Bolz’s data (presumably using one of the compromised mn0g0.su customer accounts). When I called her at the phone number that mn0g0.su returned in the purchase receipt, Bolz confirmed the Bank of America Platinum debit card was hers. Bolz said she was unaware that it had been stolen; she had not experienced any recent fraud on the account. She said that she would call her bank to cancel the card.
The good news? The act of purchasing Bolz’s card appears to have removed her personal information from the list of cards for sale at mn0g0.su. The bad news? The fraud shop is still backing up its database to a wide-open third-party server.
Bolz’s debit card data may well have been stolen in a physical data breach, via an ATM skimmer, a server at a restaurant, or a store employee who swiped her card. It’s always a good idea to avoid using debit cards for most retail transactions. U.S. consumer protection laws are much stronger for credit cards than for debit cards. Unauthorized transactions on a credit card are simple to report and reverse. Stolen debit card data may lead to fraudulent cash withdrawals. Resolving incidents of unauthorized withdrawals from a debit card requires a lot of time and paperwork. What’s more, many banks require that you file a police report before they will investigate an unauthorized withdrawal.