I’ve been doing quite a bit of public speaking lately — usually about cybercrime and underground activity — and there’s one question that nearly always comes from the audience: “Why are these fraud Web sites allowed to operate, and not simply taken down?” This post is intended to serve as the go-to spot for answering that question.
Q: Why not take down the hundreds of sites now selling stolen credit cards and identity data?
A: For starters, it’s not always so easy to take these sites offline. Many of them rely on domain name registrars that routinely ignore abuse requests. The same goes for the organizations hosting a number of these unsavory markets. What’s more, most crime shops have a slew of new domain variations at a variety of hosting providers and registrars that they can turn to if they do get shut down.
More importantly, fraud shops don’t often get shut down because they are quite useful to law enforcement, banks and researchers alike. Stolen data that has value among computer crooks will always find a way onto illicit markets; it benefits the aforementioned parties if those markets aren’t so exclusive that the crooks can no longer easily view or buy the data for sale.
As I’ve discussed in several articles, banks and law enforcement often use these services to figure out which merchant has been hacked; to help stanch the flow of new stolen data; and, effectively, stop the breach.
Q: Why are there so many of these card shops hosted in the clear Web, instead of via Tor, I2P or some other anonymization technology that allows the shop to hide its true Internet address?
A: Most card shops sell only a tiny fraction (think single-digit percentages) of the cards they have for sale at any one time. As I noted in the second half of this piece, the thieves in charge of the shop primarily responsible for selling cards stolen from Target and Home Depot only sold a very small percentage of the more than 100 million credit and debit cards they stole from those two companies. Russian computer forensics firm Group-IB found similar single-digit sales figures at swipe[dot]su, a long running card shop that they hacked last year.
In short, stolen cards are not like fine wines: They don’t age well. The minute they are put up for sale, their value starts to decline. And there are many times more stolen cards available than there are crooks to absorb anywhere near double-digit percentages of cards stolen from a given merchant. Hence, it behooves the card vendors to make their shops as accessible and easy-to-use as possible.
Q: How come law enforcement officials can’t just put these guys and others out of business or behind bars for this activity?
A: Occasionally, the proprietors of these card shops do get arrested and jailed. But a great many of the sites are run by individuals living in Russia and Ukraine. Neither nation has shown itself particularly anxious to arrest cyber crooks within its borders, so long as those crooks are mainly picking on targets outside of their home country. Also, cybercrooks based in Russia and Ukraine who don’t steal from their own generally have little to fear from foreign law enforcement and governments provided they don’t travel to Western-friendly nations.
Q: Okay, but can’t we all achieve a certain catharsis from taking these sites offline?
A: Sure, but those fraud sites will be back online before you can say “where’s my debit card.” Most experienced card shops list on their home pages several — if not dozens — of alternate domains that customers can use in the event that the current one gets shut down. While this certainly presents a ripe target list for anyone wishing to take these sites offline, see the answer to the first question above for why this generally gets harder with every successive takedown.
Q: So is there nothing we can do to disrupt these crime shops that isn’t also disruptive to security folk looking to gain intelligence about who’s hacked?
A: Most of the top card fraud shops have redesigned their business models around creating a smoother customer experience. Gone are the days when a serious card shop could ignore customer complaints and still do a brisk and loyal business. It’s all about reputation. Creating a positive customer experience is the key to the way these guys establish legitimacy and loyalty among customers. But interfere with that customer experience — and seller reputation — enough, and that business may very well die on the vine.