October 15, 2014

The U.S. Justice Department has piled on more charges against alleged cybercrime kingpin Roman Seleznev, a Russian national who made headlines in July when it emerged that he’d been whisked away to Guam by U.S. federal agents while vacationing in the Maldives. The additional charges against Seleznev may help explain the extended downtime at an extremely popular credit card fraud shop in the cybercrime underground.

The 2pac[dot]cc credit card shop.

The government alleges that the hacker known in the underground as “nCux” and “Bulba” was Roman Seleznev, a 30-year-old Russian citizen who was arrested in July 2014 by the U.S. Secret Service. According to Russian media reports, the young man is the son of a prominent Russian politician.

Seleznev was initially identified by the government in 2012, when it named him as part of a conspiracy involving more than three dozen popular merchants on carder[dot]su, a bustling fraud forum where Bulba and other members openly marketed various cybercrime-oriented services (see the original indictment here).

According to Seleznev’s original indictment, he was allegedly part of a group that hacked into restaurants between 2009 and 2011 and planted malicious software to steal card data from store point-of-sale devices. The indictment further alleges that Seleznev and unnamed accomplices used his online monikers to sell stolen credit and debit cards at bulba[dot]cc and track2[dot]name. Customers of these services paid for their cards with virtual currencies, including WebMoney and Bitcoin.

But last week, U.S. prosecutors piled on another 11 felony counts against Seleznev, charging that he also sold stolen credit card data on a popular carding store called 2pac[dot]cc. Interestingly, Seleznev’s arrest coincides with a period of extended downtime on 2pac[dot]cc, during which time regular customers of the store could be seen complaining on cybercrime forums where the store was advertised that the proprietor of the shop had gone silent and was no longer responding to customer support inquiries.

A few weeks after Seleznev’s arrest, it appears that someone new began taking ownership of 2pac[dot]cc’s day-to-day operations. That individual recently posted a message on the carding shop’s home page apologizing for the extended outage and stating that fresh, new cards were once again being added to the shop’s inventory.

The message, dated Aug. 8, 2014, explains that the proprietor of the shop was unreachable because he was hospitalized following a car accident:

“Dear customers. We apologize for the inconvenience that you are experiencing now by the fact that there are no updates and [credit card] checker doesn’t work. This is due to the fact that our boss had a car accident and he is in hospital. We will solve all problems as soon as possible. Support always available, thank you for your understanding.”

2pac[dot]cc's apologetic message to would-be customers of the credit card fraud shop.

IT’S ALL ABOUT CUSTOMER SERVICE

2pac is but one of dozens of fraud shops selling stolen debit and credit cards. And with news of new card breaches at major retailers surfacing practically each week, the underground is flush with inventory. The single most important factor that allows individual card shop owners to differentiate themselves among so much choice is providing excellent customer service.

Many card shops, including 2pac[dot]cc, try to keep customers happy by including an a-la-carte card-checking service that allows customers to test purchased cards using compromised merchant accounts — to verify that the cards are still active. Most card shop checkers are configured to automatically refund to the customer’s balance the value of any cards that come back as declined by the checking service.

This same card checking service also is built into rescator[dot]cc, a card shop profiled several times in this blog and perhaps best known as the source of cards stolen from the Target, Sally Beauty, P.F. Chang’s and Home Depot retail breaches. Shortly after breaking the news about the Target breach, I published a lengthy analysis of forum data that suggested Rescator was a young man based in Odessa, Ukraine.

Turns out, Rescator is a major supplier of stolen cards to other, competing card shops, including swiped1[dot]su — a carding shop that’s been around in various forms since at least 2008. That information came in a report (PDF) released today by Russian computer security firm Group-IB, which said it discovered a secret way to view the administrative statistics for the swiped1[dot]su Web site. Group-IB found that a user named Rescator was by far the single largest supplier of stolen cards to the shop, providing some 5,306,024 cards to the shop over the years.

Group-IB also listed the stats on how many of Rescator’s cards turned out to be useful for cybercriminal customers. Of the more than five million cards Rescator contributed to the shop, only 151,720 (2.8 percent) were sold. Another 421,801 expired before they could be sold. A total of 42,626 of the 151,720 — or about 28 percent — of Rescator’s cards that were sold on Swiped1[dot]su came back as declined when run through the site’s checking service.

The swiped1[dot]su login page.

Many readers have asked why the thieves responsible for the card breach at Home Depot collected cards from Home Depot customers for five months before selling the cards (on Rescator’s site, of course). After all, stolen credit cards don’t exactly age gracefully or grow more valuable over time.

One possible explanation — supported by the swiped1[dot]su data and by my own reporting on this subject — is that veteran fraudsters like Rescator know that only a tiny fraction of stolen cards actually get sold. Based on interviews with several banks that were heavily impacted by the Target breach, for example, I have estimated that although Rescator and his band of thieves managed to steal some 40 million debit and credit card numbers in the Target breach, they likely only sold between one and three million of those cards.

The crooks in the Target breach were able to collect 40 million cards in approximately three weeks, mainly because they pulled the trigger on the heist on or around Black Friday, the busiest shopping day of the year and the official start of the holiday shopping season in the United States. My guess is that Rescator and his associates understood all too well how many cards they needed to steal from Home Depot to realize a certain number of sales and monetary return for the heist, and that they kept collecting cards until they had hit that magic number.

For anyone who’s interested, the investigation into swiped1[dot]su was part of a larger report that Group-IB published today, available here.

32 thoughts on “Seleznev Arrest Explains ‘2Pac’ Downtime”

  1. Adobe-Wan Kenobi

    The Fail is Great with this one!

    “Roman Seleznev, a 30-year-old Russian citizen who was arrested in July 2014 by the U.S. Secret Service. According to Russian media reports, the young man is the son of a prominent Russian politician”

    Good riddance! (Скатертью дорога!)
    good riddance criminal (скатертью дорога уголовное)

    1. Evgueni

      I am puzzled… what exactly did you write in Google translate to get “скатертью дорога уголовное”? “Farewell criminal”? 🙂

      1. Wren

        It comes back through google translate (after adding a comma to the second line) as “Good riddance! good riddance, criminal”

  2. IA Eng

    Let’s hope that the Russians see that fraud and computer crime is not an avenue to fill the government coffers. Maybe a slight plea bargaining can be done. The Russians can deport Rescator to the USA, for a slightly milder sentencing of the Roman Seleznev punk.

    With Snowden on their turf, this case will probably be dragged through all media channels, sort of a “payback”.

    Let’s hope the fun stops there. If convicted, sentence Roman Seleznev for what he’s done wrong, and then, maybe in a few years, offer an exchange…. for……

    1. DF

      How are the Russians going to deport Rescator if he lives in Odessa, Ukraine?

      1. IA Eng

        Read the news…. The FBI has been helping the Ukraine government, and I am sure, there are ways to have this crook standing in front of a US Federal Judge.

        Should that individual travel outside Ukraine, you betcha others are going to be looking for him as well. It’s a matter of time before the crook is caught.

        If one becomes an annoyance, and it hits the media mainstream, it seems to knee-jerk the government into action.

        Maybe someone will visit the crook, club him in his head, and dump his butt off in front of an American embassy.

      2. W Sanders

        Because Odessa was “annexed” by Russia a few months ago?

      3. W Sanders

        Oops, Odessa isn’t in Crimea…. (looks at map, slaps head.)

        1. E.M.H.

          This is where you can make an Orwellian joke about how they can deport him anyway, despite not being in their country. 😉

  3. Evgueni

    Seleznev’s father is not really a “prominent Russian politician” – he is not even a member of Putin’s ruling party “Edinaya Rossiya”.

  4. TheFatMan

    Brian,
    After I signed up for a free account at Alien Vault, I looked up countries with the largest number of malicious IPs & was shocked that the U.S. was No. 1 with over 28K+ malicious IPs.

    I just checked & found that China has now taken over the top spot:

    TOP MALICIOUS IPS

    SK (Slovakia) 217.67.30.169 9610 Malicious Activities
    Scottsdale, US 50.63.51.52 32810 Malicious Activities
    DE (Germany) 46.20.43.210 28628 Malicious Activities
    Scottsdale, US 50.63.35.1 17468 Malicious Activities
    TR (Turkey) 178.210.171.15 17032 Malicious Activities

    TOP MALICIOUS COUNTRIES

    China 33961 Malicious IPs
    United States 30988 Malicious IPs
    France 10039 Malicious IPs
    Netherlands 5964 Malicious IPs
    Russian Federation 4589 Malicious IPs
    Germany 4108 Malicious IPs

    What’s keeping U.S. law enforcement from taking these cybercriminals down? They’re in the U.S. so no lack of jurisdiction. Russia has only 4589 compared to 30988 in the U.S.

    1. BrianKrebs Post author

      Malicious IPs/addresses almost certainly correspond to compromised sites, not sites set up by crooks to snare unsuspecting passers-by. So, “taking down” legitimate, hacked sites is not really what the feds do.

      Compromising systems in the United States for use in criminal schemes makes sense if the primary target is also in the United States, which is generally true. But those numbers say nothing about the location of the actors responsible for making those IPs malicious.

      1. Andrew Conway

        Another factor is that the two countries with the most IPv4 addresses allocated are the US and China, so they are the countries where it is cheapest and easiest to obtain an IP address. The US has about 1.6 billion IP addresses out of the total 4.3 billion IPv4 addresses. China has 0.3 billion. If you add in Japan (0.2 billion) those three countries have about half of the total IPv4 address space.

        As Brian said, the location of an IP address has little to do with the location of the people using it.

        1. Canuck

          All true – but after years of giving the people of China, Russia and Ukraine the benefit of the doubt when accessing my web servers, I’ve blocked them completely. For every one legitimate user from those countries I’d see hundreds or thousands of malicious attempts. Blocking entire countries is not nice but hey sometimes the facts speak for themselves. If it were just compromised web servers that would be one thing – but it’s not.

      2. TheFatMan

        Good explanation, Brian, thanks. I check your site every day. Very helpful.

  5. Bryan

    So is the old-school inefficiency of the criminal marketplace what keeps more of those stolen cards from being exploited? That is some delicious irony right there.

  6. Jeff

    Seems like it would be smarter to pull off smaller heists. Maybe less of a chance that they would get identified.

    1. SeymourB

      When you live in a nation-state that allows you to break any and all international laws so long as you don’t affect your fellow citizens, and won’t honor extradition requests from foreign countries, it doesn’t entirely matter whether you’re identified or not – provided you’re not ignorant enough to travel to a country where you can be extradited.

      I wonder how much of the wailing and gnashing of teeth over Ukraine joining NATO was that Russia knew criminals living in the border areas of Ukraine would (sooner or later) be subject to arrest and extradition.

  7. TheOreganoRouter.onion.it

    Another interesting article, thanks again for the good read

  8. mike acker

    AAPL has the right idea in ApplePay: do not give the customer card number and related data (“dump”) to the merchant.

    The same thing could be accomplished by encrypting the mag stripe data with the key retained only by the processing center.

    This would fix the problem better than EMV — and require only software changes — not wholesale replacement of all the POS terminals. Remember: EMV makes the same error that mag stripe makes: it starts by sending customer data to the POS terminal.

    1. IA Ted

      If the stripe data is encrypted and only the processing center can decrypt it, then the encrypted data must be sent. How would this prevent a replay attack? Now the encrypted data is equivalent to the CC number.
      There must be a fully trusted comm channel from the processor to the card, and that is not even achieved by EMV in its current state. And this may not be feasible due to other usability issues for the merchant.
      A one-time-use token (like in Apple Pay) seems like a better solution.

    2. Shonuff

      No one does that because you end up with the same result. If you skim, or plant malware on a POS terminal, you have taken the track data. Therefore, the card can be cloned regardless of whether it is encrypted or not.
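The replay point raised in the two replies above (static encrypted stripe data is just a new card number, while a one-time token is not), worked through as an added illustration that is not part of the post or any comment. All names, the HMAC-as-cryptogram stand-in, the test PAN and the counter scheme are constructed assumptions, not any real payment network's format.

```python
import hmac
import hashlib
import os

# Constructed: one secret held only by the processing centre.
PROCESSOR_KEY = os.urandom(32)

def protect_static(pan: str) -> str:
    """Scheme A (encrypt the stripe under the processor's key):
    deterministic, so every swipe of the same card sends the same bytes."""
    return hmac.new(PROCESSOR_KEY, pan.encode(), hashlib.sha256).hexdigest()

class Card:
    """Scheme B (one-time token): the card keeps a transaction counter and
    emits a per-transaction cryptogram binding counter and amount."""
    def __init__(self, pan: str):
        self.pan = pan
        self.counter = 0

    def cryptogram(self, amount: int) -> dict:
        self.counter += 1
        msg = f"{self.pan}|{self.counter}|{amount}".encode()
        tag = hmac.new(PROCESSOR_KEY, msg, hashlib.sha256).hexdigest()
        # The PAN itself never leaves the card; the processor looks it up by id.
        return {"card_id": hashlib.sha256(self.pan.encode()).hexdigest()[:8],
                "counter": self.counter, "amount": amount, "tag": tag}

class Processor:
    def __init__(self, pans: list[str]):
        self.pan_by_id = {hashlib.sha256(p.encode()).hexdigest()[:8]: p for p in pans}
        self.last_counter = {cid: 0 for cid in self.pan_by_id}

    def verify_static(self, blob: str) -> bool:
        # Only the key holder can check the blob, but nothing ties it to this transaction.
        return any(hmac.compare_digest(blob, protect_static(p)) for p in self.pan_by_id.values())

    def verify_cryptogram(self, tx: dict) -> bool:
        pan = self.pan_by_id.get(tx["card_id"])
        if pan is None or tx["counter"] <= self.last_counter[tx["card_id"]]:
            return False  # unknown card, or a counter already seen: a replay
        msg = f"{pan}|{tx['counter']}|{tx['amount']}".encode()
        expected = hmac.new(PROCESSOR_KEY, msg, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(tx["tag"], expected):
            return False  # amount or counter was altered after capture
        self.last_counter[tx["card_id"]] = tx["counter"]
        return True

def demo() -> tuple:
    """Returns (A accepted, A replay accepted, B accepted, B replay accepted)."""
    pan = "4111111111111111"  # constructed test PAN
    proc, card = Processor([pan]), Card(pan)
    blob = protect_static(pan)          # what a compromised POS would see under A
    a_first, a_replay = proc.verify_static(blob), proc.verify_static(blob)
    tx = card.cryptogram(amount=4999)   # what it would see under B
    b_first, b_replay = proc.verify_cryptogram(tx), proc.verify_cryptogram(dict(tx))
    return a_first, a_replay, b_first, b_replay
```

The detection side is the processor's counter check: a captured message under scheme A is accepted forever, while under scheme B a second presentation of the same message, or one with an altered amount, fails verification.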

  9. Rich S

    One possible explanation for the hackers selling a limited percentage of cards is they are building inventory and selling the cards that will become obsolete the fastest. This will keep the fraudsters that buy cards coming back for more.

    For example, they can list cards for sale that have an upcoming expiry. They can also list cards for sale now that have the highest likelihood for being converted to EMV first (High Credit Limit, International Traveler Etc.).

    They will hold the other cards in reserve in case it gets harder to acquire them in the future.

  10. Harsh

    My bank in India has made it mandatory to enter a 2FA password I receive on my mobile to buy anything, and even if I swipe my VISA card in a POS I need to enter my PIN. So the only way someone can use my card is in a POS or an ATM. Even if they do, I will get instant notification over SMS, and if I lodge a complaint within 24 hours then the money will be returned to me.

  11. Neil W

    Grrrr, I follow this site regularly and just got defrauded, probably linked to the Home Depot intrusion. They used my credentials at a local Safeway POS. It surprises me that there is somebody that close to me that buys stolen credentials, meaning that the world must be uniformly saturated with low lifes, ensuring a criminal lives near me.

    Brian, thanks just for being here. It helps me better cope by understanding what goes on, rather than being an uninformed person who has no idea how the charges came to be. I wish there was something I could do to help the cause.

    1. Eaglewerks

      Neil:
      If you had such a loss, and still have your card in your possession, then the most frequent cause of such a loss can most often be traced to someone that you commonly have within 3 feet of you. It can be a co-worker, boyfriend, girlfriend, son, daughter, etc. The store, especially Safeway, will have a security tape showing the user. Contact the police and the Safeway Security Dept or particular Store Manager to assist them and possibly view the tape. This will assist you in determining your potential personal security hazards.

Comments are closed.