Underground Web sites can be a useful barometer for the daily volume of criminal trade in goods like stolen credit card numbers and hijacked PayPal or eBay accounts. And if the current low prices at one of Underweb’s newer and more brazen card shops are indicative of a trend, the market for these commodities has never been more cutthroat.
Badb.su is distinguishable from dozens of underground carding shops chiefly by its slick interface and tiny domain name, which borrows on the pseudonym and notoriety of the Underweb’s most recognizable carder. It’s difficult to say whether “Badb” himself would have endorsed the use of his brand for this particular venture, but it seems unlikely: The man alleged by U.S. authorities to be Badb — 29-year-old Vladislav Anatolievich Horohorin — has been in a French prison since his arrest there in 2010. Authorities believe Horohorin is one of the founding members of CarderPlanet, a site that helped move millions of stolen accounts. He remains jailed in France, fighting extradition to the United States (more about his case in an upcoming story).
Badb.su’s price list shows that purloined American Express and Discover accounts issued to Americans cost between $2.50 and $3 apiece, with MasterCard and Visa accounts commanding slightly lower prices ($2-$3). Cards of any type issued by banks in the United Kingdom or European Union fetch between $4-$7 each, while accounts from Canadian financial institutions cost between $3 to $5 a pop.
The site also sells verified PayPal and eBay accounts. Verified PayPal accounts with credit cards and bank accounts attached to them go for between 2-3$, while the same combination + access to the account holder’s email inbox increases the price by $2. PayPal accounts that are associated with bank and/or credit accounts and include a balance are sold for between 2 and 10 percent of the available balance. That rate is considerably lower than the last PayPal underground shop I reviewed, which charged 8 to 12 percent of the total compromised account balance.
Ebay auction accounts are priced according to the number of positive “feedback” points that each victim account possesses (feedback is the core of eBay’s reputation system, whereby members evaluate their buying and selling experiences with other members). eBay accounts with fewer than 75 feedback history sell for $2 each, while those with higher levels of feedback command prices of $5 and higher apiece, because these accounts are more likely to be perceived as trustworthy by other eBay members.
But don’t count on paying for any of these goods with a credit card; Badb.su accepts payment only through virtual currencies such as Liberty Reserve and WebMoney.
Badb.su, like many other card shops, offers an a-la-carte, card-checking service that allows buyers to gauge the validity of stolen cards before or after purchasing them. Typically, these services will test stolen card numbers using a hijacked merchant account that initiates tiny charges or so-called pre-authorization checks against the card; if the charge or pre-auth clears, the card-checking service issues a “valid” response for the checked card number.
But Badb.su’s card checking service, which costs an extra 20 cents per card, may not be all that sophisticated: Site administrators urge customers to quickly test the cards by making real purchases online. Rather, the administrators of the site implore customers to use the checking service only to verify cards that are declined by merchants, and thus as a way to verify on-site that the cards are invalid and to qualify the buyer for a refund.
“You have 10 minute to Check just buyed CC, before check option will be expired,” the site explains. “We don’t offer PayPal account checker atm. Please always make sure you USE card before you check it here. We don’t accept complains about 3rd party checker.”
Points to Badb.su for knowing its customer base: The site boasts its own bug bounty program, offering to pay hackers who discover and report flaws in the site’s machinery. It also warns users away from browsing the site with Internet Explorer.
“Find a bug? Any innovation idea? Contact with us! We will pay you!” reads a message on the site’s “readme” page. “Please don’t use IE – it’s not fully supported.”