Dec 15

When Undercover Credit Card Buys Go Bad

I recently heard from a source in law enforcement who had a peculiar problem. The source investigates cybercrime, and he was reaching out for advice after trying but failing to conduct undercover buys of stolen credit cards from a well-known underground card market. Turns out, the cybercrime bazaar’s own security system triggered a “pig alert” and brazenly flagged the fed’s transactions as an undercover purchase placed by a law enforcement officer.

Law enforcement officials and bank anti-fraud specialists sometimes purchase stolen cards from crime forums and “carding” markets online in hopes of identifying a pattern among all the cards from a given batch that might make it easy to learn who got breached: If all of the cards from a given batch were later found to be used at the same e-commerce or brick-and-mortar merchant over the same time period, investigators can often determine the source of the card breach, alert the breached company and stem the flow of stolen cards.

Of course, such activity is not something the carding shops take lightly, since it tends to cut into their criminal sales and revenues. So it is that one of the more popular carding shops — Rescator — somehow enacted a system to detect purchases from suspected law enforcement officials. Rescator and his crew aren’t shy about letting you know when they think you’re not a real criminal. My law enforcement source said he’d just placed a batch of cards into his shopping cart and was preparing to pay for the goods when the carding site’s checkout page was replaced with this image:

A major vendor of stolen credit cards tries to detect suspicious transactions by law enforcement officials. When it does, it triggers this “pig detected” alert.

The shop from which my source attempted to make the purchase — called Rescator — is the same carding store that was the first to move millions of cards on sale that were stolen in the Target and Home Depot breaches, among others. I’ve estimated that although Rescator and his band of thieves stole 40 million credit and debit card numbers from Target, they likely only managed to sell between 1 and 3 million of those cards. Even so, at a median price of $26.85 per card and the midpoint estimate of 2 million cards sold, that’s still more than $50 million in revenue. It’s no wonder they want to keep the authorities out.

The analysis method used by my source — the buying of stolen cards to determine a breach source (also called “common point-of-purchase” or “CPP” analysis) — was critical to banks helping this reporter identify some of the biggest retail breaches on record in recent years (including Target and Home Depot).

But the CPP approach usually falls flat if all of the cards purchased from the fraud shop fail to reveal a common merchant. More seasoned fraud shops have sought to achieve this confusion and confound investigators by “making sausage” — i.e., methodically mixing cards stolen from multiple victims into any single new batch of stolen cards that they offer for sale. Rescator’s site earned its infamy in part by flouting this best practice with cards stolen in separate breaches at Target, Home Depot, Sally Beauty, P.F. Chang’s and Harbor Freight. But according to banking industry sources, more recently it seems Rescator and other card shops have been flooded with cards from hacked point-of-sale machines at small restaurants across North America.
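The CPP analysis described in the two paragraphs above, written out as an added example (this is not code from the article, nor from any bank or investigator): each card in a purchased batch is mapped to the merchants where it was used inside a date window, and the merchant that covers most of the batch is the candidate breach source. The card ids, merchants and dates are constructed placeholders, and the `threshold` value is an assumption; the second batch mimics the “making sausage” case, where cards from several unrelated breaches are mixed and no merchant clears the threshold.

```python
from collections import defaultdict
from datetime import date

# Constructed sample data (not real card numbers). Each card maps to the
# merchants where it was used: a list of (merchant, transaction date).
BATCH_SINGLE_SOURCE = {
    "card-0001": [("Acme Hardware", date(2015, 9, 3)), ("Coffee Hut", date(2015, 9, 10))],
    "card-0002": [("Acme Hardware", date(2015, 9, 5)), ("Gas & Go", date(2015, 9, 6))],
    "card-0003": [("Acme Hardware", date(2015, 9, 8))],
    "card-0004": [("Acme Hardware", date(2015, 9, 12)), ("Coffee Hut", date(2015, 9, 14))],
    "card-0005": [("Gas & Go", date(2015, 9, 1))],  # noise: not every card shows the breach
}

# "Sausage" batch: cards from several unrelated breaches mixed into one listing.
BATCH_MIXED = {
    "card-1001": [("Acme Hardware", date(2015, 9, 3))],
    "card-1002": [("Bistro 22", date(2015, 9, 5))],
    "card-1003": [("Sally's Salon", date(2015, 9, 8))],
    "card-1004": [("Acme Hardware", date(2015, 9, 12))],
    "card-1005": [("Bistro 22", date(2015, 9, 1))],
    "card-1006": [("Gas & Go", date(2015, 9, 1))],
}

# The date window investigators believe the cards were exposed in (constructed).
WINDOW = (date(2015, 9, 1), date(2015, 9, 30))


def merchant_coverage(batch, window_start, window_end):
    """For each merchant, the fraction of cards in the batch that transacted
    there inside the window. Each card counts once per merchant."""
    cards_per_merchant = defaultdict(set)
    for card, txns in batch.items():
        for merchant, when in txns:
            if window_start <= when <= window_end:
                cards_per_merchant[merchant].add(card)
    n = len(batch)
    return {m: len(cards) / n for m, cards in cards_per_merchant.items()}


def common_point_of_purchase(batch, window_start, window_end, threshold=0.6):
    """Return (merchant, coverage) for the best-covered merchant if it reaches
    `threshold` (an assumed cut-off), else None when no common merchant emerges."""
    coverage = merchant_coverage(batch, window_start, window_end)
    if not coverage:
        return None
    best = max(coverage.items(), key=lambda kv: kv[1])
    return best if best[1] >= threshold else None


if __name__ == "__main__":
    for name, batch in (("single-source", BATCH_SINGLE_SOURCE), ("mixed", BATCH_MIXED)):
        print(name, common_point_of_purchase(batch, *WINDOW))
```

With the single-source batch, Acme Hardware covers four of five cards and is reported; with the mixed batch the best merchant covers only a third of the cards, so the function returns None, which is exactly the confusion a shop that mixes breaches is trying to create.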

I told my law enforcement source that it’s not unheard of for cyber thieves who run online stores to employ blacklists of Internet address ranges known to be frequented by or assigned to government and law enforcement agencies worldwide. The cybercrime kingpins I wrote about in my book Spam Nation used blacklists to block purchases of rogue pharmaceuticals by fraud investigators (a Spam Nation excerpt showing two key cybercrooks arguing about how best to flag suspicious purchases is in the second half of this story).

Then again, perhaps Rescator’s site simply noticed something amiss when my source funded his account with Bitcoin. The criminals running the fraud shop seized his carding store account and bitcoin balance after the pig alert flashed on my source’s screen — effectively stealing hundreds of taxpayer dollars directly from the authorities.

Unsurprisingly, my source was unwilling to divulge anything about his undercover operations, including any foibles he might have made that led to his outing. He just wanted advice about how to avoid the pig alert in future undercover buys. But I found his case fascinating and yet another example of the growing sophistication of large-scale cybercrime operations.

If the idea of fraudsters using intelligence to outwit investigators sounds fascinating, check out this Nov. 2015 story at PaymentsSource.com, which references the above-pictured pig alert and some other ways many of the more savvy black-market card shops are getting less welcoming to outsiders.



  1. Haseeb Ahmad Ayazi

    As the Law enforcement agencies are becoming more powerful, criminals are also adding sophistication in their methodology. We have to think one step ahead of them.

    • affirmative, safe to assume all wifi hotspots in donut shops are no go by now, officer

    • Using the “wild west” as a metaphor perhaps substantial rewards for locating and bringing sites like this to justice could bring this sort of sleazy thievery to its knees. Imagine if a $500,000 reward and some sort of immunity for a hacker bringing down the Silk Road?

      • It’s not that easy. I think it is safe to assume that most of these criminals do not know who their real life partners are. They only know their online personas. It takes a fair amount of digging and ingenuity to bring these guys down, if they know what they are doing.

      • The SilkRoad probably had more cash than $0.5M in its various bitcoin wallets, so the incentive was already there.
        In fact the incentive was so high that one of the investigators has just been convicted of stealing some of the bitcoin.

        • They definitely did. I think just in FBI seizures alone, there was approximately 26,000 BTC, or just shy of $12,000,000 at current prices.

  2. I wonder if they could be blacklisting addresses, which are seized by feds publicly, as well as those which are related (received bitcoin from) those addresses. I suppose you could use Silk Road’s seized bitcoins for example, which can be found here: https://blockchain.info/address/1F1tAaz5x1HUXrCNLbtMDqcw6o5GNn4xqX

  3. For a couple bucks a month, per account, LEA (or malware, fraud, M&A…researchers) can come from anywhere in the world, and look like any browser (IE, FF, Safari, iOS, Android,…, and any language, timezone, keyboard,…) they like (mis-attribution). And, their host can be perfectly insulated from both the local remote access-point, as well as all arbitrary code the researched site may push.
    (secure virtual cloud browser, and storage)

  4. HA ! get a network engineer and a white hat hacker involved. I am sure they can get rid of that photo.

    The crooks probably have a very long list of IP ranges that the feds have used in the past. Sit at a wifi spot at an airport or other entity and it makes it difficult to find out who you are.

    The Feds have many logs of IPs that have been used for criminal activity. For that matter – they have all the IPs from many sites they have taken down. With a little ingenuity, I am sure one of those addresses can be used. = X

    Have any agents in other countries? Let them pull that data.

    • One other thing – The object of them triggering a pig alert if you will, why not challenge them? Come up with a not too pleasant barrage of words calling them scammers and cheats and you will let all of your carder friends know to go elsewhere.

      Silence is an admission of guilt and loss of funds without any sort of effort to mask the truth.

    • Law Enforcement Agencies need to rethink their strategy as they cannot go fishing and afford to lose a bunch of bitcoins every time they try from a new source IP. It’s taxpayers’ money.

  5. Did you ask your government contact why he (she) didn’t use TOR to hide their location? It seems to me that a real criminal would use TOR to try to hide the purchases.

    • Yea, I would think since most criminals use Tor or a VPN to hide their identities, it would be trivial for LE to do the same and blend in. Indeed, kinda surprised they don’t do that as a matter of course already.

      • Cripes, if American law enforcement isn’t smart enough to do that already, then we have definitely lost the war before it’s even begun.

    • Law enforcement does use TOR. Pretty regularly. Its too easy to identify them otherwise. There might be some small agencies out there that don’t know better but all the big ones including the feds do.

      • Well, these cops obviously didn’t use Tor.

      • Using TOR on the cc markets could be a red flag and easily identifiable since all TOR end node IPs are public and used concurrently by other users. TOR and VPNs are red flags to retailers as security companies compile IP lists. It’s a lot more ideal for cc fraudsters to use a SOCKS5 proxy, that’s a residential ISP and the geo location corresponds to the credit card owner’s location.

    • The cops are infamously dumb when it comes to online investigations; I doubt it would even have occurred to them to take even such an obvious precaution as using TOR or even a VPN.

  6. It sounds like a classic case of fraud management, but the other way around. Crooks are flagging transactions of the good guys.

    There are public (and possibly not published too) IP ranges linked to governmental organisations. Carders may rely on these lists to flag suspicious purchases. For instance iBlockList publishes a blocklist of US Governmental IPs.

    Other tactics may involve the validation of other details used for the purchase such as phone numbers, email addresses, following the Bitcoin chains and so on. Other things may also raise the risk score and ultimately flag transactions like certain User-Agents, Referer values etc.

    Here are two nice summaries from the good guy perspective:
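The list-based flagging and additive risk scoring that the comment above describes, written from the merchant (“good guy”) side as an added example; this is not code from the article or from any commenter, fraud vendor or blocklist publisher. The CIDR ranges are RFC 5737 documentation addresses standing in for a real blocklist, and the signal weights, `REVIEW_THRESHOLD`, the sample orders and the `phone_country`/`ip_country` fields are all constructed assumptions.

```python
import ipaddress

# Constructed blocklists for illustration only: RFC 5737 documentation ranges,
# not real anonymizer, hosting or agency address space.
ANONYMIZER_RANGES = [ipaddress.ip_network("198.51.100.0/24")]  # stand-in: known VPN/Tor exits
HOSTING_RANGES = [ipaddress.ip_network("203.0.113.0/24")]      # stand-in: datacenter space
BROWSER_UA_PREFIXES = ("Mozilla/5.0", "Opera/")

REVIEW_THRESHOLD = 50  # assumed cut-off between accept and manual review


def ip_in_ranges(ip, ranges):
    """CIDR membership test for one address against a list of networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ranges)


def score_checkout(order):
    """Additive risk score over weak signals; each alone proves nothing,
    the sum drives the decision. Returns (score, reasons)."""
    score, reasons = 0, []
    if ip_in_ranges(order["ip"], ANONYMIZER_RANGES):
        score += 40
        reasons.append("ip is a known anonymizer exit")
    if ip_in_ranges(order["ip"], HOSTING_RANGES):
        score += 25
        reasons.append("ip is in hosting space, not a residential ISP")
    if not order.get("user_agent", "").startswith(BROWSER_UA_PREFIXES):
        score += 20
        reasons.append("non-browser user agent")
    if not order.get("referer"):
        score += 10
        reasons.append("no referer on checkout")
    phone_cc, ip_cc = order.get("phone_country"), order.get("ip_country")
    if phone_cc and ip_cc and phone_cc != ip_cc:
        score += 15
        reasons.append("phone country differs from ip geolocation")
    return score, reasons


def decision(order):
    """'review' when the score reaches the threshold, otherwise 'accept'."""
    score, reasons = score_checkout(order)
    return ("review" if score >= REVIEW_THRESHOLD else "accept"), score, reasons


# Constructed sample orders.
ORDER_CLEAN = {
    "ip": "192.0.2.10",
    "user_agent": "Mozilla/5.0 (Windows NT 10.0) Gecko/20100101 Firefox/42.0",
    "referer": "https://shop.example/cart",
    "phone_country": "US",
    "ip_country": "US",
}
ORDER_SUSPECT = {
    "ip": "198.51.100.7",
    "user_agent": "python-requests/2.7",
    "referer": "",
    "phone_country": "US",
    "ip_country": "DE",
}

if __name__ == "__main__":
    for label, order in (("clean", ORDER_CLEAN), ("suspect", ORDER_SUSPECT)):
        print(label, decision(order))
```

The clean order scores 0 and is accepted; the suspect order collects the anonymizer, user-agent, referer and geolocation signals and lands at 85, above the review threshold. The same structure, with government ranges swapped in for the anonymizer list, is what the comment suggests the card shops run in reverse.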

  7. Why don’t they just recruit people who are in trouble with the law for minor offenses and drop the charges / confinement terms for them and pay them 20K a year to make these purchases. I am sure that would hide their presence and association with LEAs.

    If these recruits get caught using the merchandise re-instate their sentences and punishments.

  8. Assuming the $50 million is anywhere near accurate, that makes it more than worth their while to plunk a few million in the equivalent protections against the good guys as we are putting toward the bad guys.

    In short, and something I try to make others aware of – this is no longer script kiddies. This is a job. This is clocking in in the AM to go to work at the career of hacking. These are professionals.

    With this sort of RTO, it’s not all that surprising either.

  9. Bitcoin transactions are public record. My guess is there’s a common funding pattern pigs use, like maybe they’re siphoning directly out of a particular common wallet.

    They could launder through darkcoin to obscure the source.

    IP address is obvious and was probably already taken care of.

  10. Gotta admit that is pretty funny.

  11. Perhaps it is better that the law was tipped off rather than they were fed bogus products and had THEIR activity monitored. :-)

    I hope the authorities start getting help from concerned citizens such as myself. I doubt they realize that detection of their activities is possible even using some of the suggestions offered here. Moving around to different locations and even proxy servers may not be enough to conceal a lawperson’s identity. Yes, this technology existed for a couple of years and I doubt law enforcement even knows about it. Tor may provide a better level of security, but I am not sure. IMO the front line is with the ISPs. They could do so much in the way of automated policing if they wanted to. I hate to ask them, but that way some level of privacy could be preserved.

    To me, there is much that can be done to detect and track criminal activity. We don’t hear about it, but I hope it’s being done. However, stories like this indicate to me that we are sorely lacking.

    The government and “outgunned” investigators should ask for and coordinate our help. I don’t need money or fame. I just need for our country and the world in general to be more safe and secure. I know I am not the only one.

    • I agree. This is a really nice signal to Law Enforcement to abandon the sign-on account. They’re lucky they weren’t fed old cards and then asked what they thought of the results. They could have been just dragged along and frustrated running CPPs that are all long tails that lead everywhere and nowhere. Has LEO ever used their money back guarantee of freshness? The complaining route may work, after all it’s a business in their minds, marketing and all.

  12. Brian, doesn’t publishing this article confirm an accurate kill to the carding team? Furthermore doesn’t it out the user as a LE Source for Brian Krebs?

  13. Law enforcement can’t use Tor or VPN services? Really?

  14. The last link doesn’t work for me. It returns a message: “Client: [my IP] is not authorized to access URL:/news/risk-analytics/banks-have-a-harder-time-blending-among-fraudsters-3022713-1.html”. Is there a version without geoblocking?

  15. Yippie-ki-yay…

  16. I showed this to a cop friend, who got the biggest kick out of it. He’s now using it as wallpaper.

  17. Someday hopefully not too long from now, A real person will go and find the bad guys who are getting the money from this rip-off. We need to fight crime in the real world with physical contact. I understand the need to gather evidence but if we know where they are and can go there. Lets just do that and be done with it.

    Let’s keep these guys looking over their shoulder and unable to enjoy the benefits of the millions they have earned.

    We have done this before many times.
    We just need to go and do it.

  18. Another great read. Recently stumbled upon your blog and have been enjoying the posts regularly.

    I suppose this UC source was lucky enough just to get on Rescator’s site at all. Simple enough to block known IPs and eliminate any less tech-familiar individuals’ attempts to access it. Or maybe this was a deliberate “in your face, buddy”.

    Sadly, just one more example of law enforcement’s long, slow wake-up call.

  19. Good read, but shouldn’t the authorities really be getting people who are already in the inside rather on the outside?

  20. wild guess, but is it possible that the criminals used bitcoin tracing (ex: blockseer) on the bitcoin and noticed that it was not previously run through a mixer or that the LEO’s bitcoin was not associated with dirty coins or other such marketplaces in the past?

    A brand new set of bitcoin without any previous transactions with anything illegal on the blockchain, suddenly making selective and maybe thoughtful purchases of illegal goods? That could tip a criminal off.

    If bitcoin tracing can be used by the good guys, it can also be used by the bad.

  21. What I find interesting is that I had thought that using the word “pig” to refer to the police was strictly something from American English. I guess that term has migrated overseas.

    There are times that I think that severing the internet connections to anything in Russia would be a good idea. It wouldn’t stop this stuff completely of course.

    • If you don’t need a connection to Russia, then that is a great idea. Of course Russia is only one place with this kind of problem, but you may not need access to or from those other places either.

      I don’t need to be exposed to countries where hacking and scams are widespread. So I block them from our sites and our email systems. Countries that don’t like to be blocked by us can put some effort into policing their own systems. I encourage them to do so.

      Anyone who would like to reduce their exposure can contact me for our htaccess block list. It’s a result of identifying spam and hacking over the past several years and along with country IPs also lists common IPs for US hosting providers which are a source of proxy traffic and other problems.

  22. Nothing new here but the picture made me laugh.

    >effectively stealing hundreds of taxpayer dollars directly from the authorities.

    This is hyperbole. If an investigator sends money to a criminal, it’s already considered at stake and high risk investment, and the investigator is well aware of this.

  23. Couldn’t the Rescator site simply do random account theft? They are thieves after all. Why not have an algorithm that randomly takes all the Bitcoin funds from a buyer’s account and throw that image up. Maybe they just randomly nailed him with it…

  24. I would suggest starting by making a minimum purchase of cards to begin with. If you can do it legally with the support of the creditor use them. Have the card company shut them down for suspicious activity. Come back later with your ill gotten gains and order a slightly larger batch. Know how many cards failed. Complain about it, but point out that you were still able to make money. Ask for better, fresher, cards. Approach it like someone who is starting off their criminal career. Ask questions.

    This isn’t as simple as showing up with a wad of cash and winning. You need to play it well. As suggested by others, use VPNs and Tor. Act like a criminal. The machine that is used to investigate should only have software one would find on your average PC. It shouldn’t have ever visited websites LEOs would frequent, and there should be no software common to law enforcement installed. Install nerdy “hacker” tools like SysInternals and NirSoft tools. Make sure you install some games. Make the computer even look lived in with downloaded photos, music and pirated videos.

    These people are adept at breaking into computers. Assume your investigation workstation will be hacked. Physically disable the microphone, tape over the camera if it has one, video tape (not screen grab) what you do in your investigation, and remove the drive nightly to pull a disk image off of it. This computer may die horribly and you want to maintain evidence.

  25. There are a lot of commenters assuming here that the alert was based on IP address (and so, for example, using Tor would be sufficient to obscure the transaction). That seems like a strong assumption. There are other factors that might clue the site in.

    An obvious one would be trying to fund an account through a “new” bitcoin wallet (i.e. one that hasn’t had any transaction except a single transaction to purchase bitcoins). Cops don’t have a reason to have a transaction history, but a fraudster would presumably be using bitcoin regularly.

    Being a cop on a fraud market is like being a novice trying to sell fake items on eBay. It’s not actually that hard to spot the signs if you’re a regular.

  26. As an online merchant, I am absolutely annoyed at the huge gap in law enforcement that exists when it comes to fraudulent credit card sales.

    Many times we’re on the very front lines of this fraud. We’re usually 20 steps ahead of fraudsters after becoming familiar with their tricks, and often times stop it before it even happens.

    Where my annoyance begins is the fact that here I am, staring at fraud right in the face. Sometimes with a criminal too dumb to cover their tracks behind a Tor exit node or the like.

    And I have nobody to call. The FBI resources that are available are best to my knowledge, geared towards credit card holders, not merchants.

    Most of the times, these crimes are international. And if I make the effort, perhaps I can alert local authorities abroad for the victim and the perpetrator. But it’s supposed to be the injured party and it’s supposed to be after a fraud happens. Not if it’s been interdicted by a savvy merchant. Then there’s no crime. I’ve been told as much.

    In any case, most of the time, the local police are too bored to take my information seriously. Or they don’t have the resources to do anything meaningful with an IP address, even if it’s on a consumer internet connection. Or a proper drop point.

    It would be nice, if…whenever (and it is with fair frequency) I stop a criminal in his tracks… that there be SOME KIND OF RESOURCE I could contact that would coordinate with the correct authorities.

    There’s no reason why, if I know some dumb idiot is sitting behind a proper internet connection in Leeds, England, using a Canadian credit card to have me ship something to his obvious drop point across town….that I shouldn’t be able to convey all of this immediately the moment I spot it.

    That would be nice. It would also potentially help put criminals in jail.

    • Check out your local Infragard chapter. It’s a public-private partnership with the FBI. I’ve been to many chapter meetings where the presentations are on exactly this, and it gets you face time with the FBI so you’re not calling generic G-Man, you’re reaching out to Fred the FBI guy, who, if not on the team that would do something, can put you in touch with the people that do.

      They also often put out bulletins on ongoing threats. It’s been worth the time invested.

  27. Nothing in this world never ever happens randomly !!! It’s not like 2-3 guys had idea to start cyber crime no no no !! In this world you don’t do anything without someone allowing you to do it !!! It’s so naive to think that these people are just criminals

  28. My guess is they have a zero-day exploit they are using to infiltrate the browser of the people purchasing, possibly with some sort of escalation involving cookie browsing. If the person buying has a bunch of cookies from the FBI or other government related intranet/extranets on their computer, then flag them. This, in conjunction with the other methods mentioned in the articles and comments would give them several avenues to attempt to indicate these types of purchases.

  29. The problem is, most feds are stupid and clueless. They rely on CIs and hired “hackers” to actually do the technical work, this article makes that very clear. Why would a cyber security “expert” who works for the federal government need to ask someone how to bypass something that is so simple? It’s clear they are using some type of IP-related blacklist. You’re telling me the feds aren’t smart enough to use a VPN or set up a cloud based proxy? Typical pigs… derp da derp, “tell me everything you know and I may be able to help you and we can work out a deal”… Apparently the government prefers to hire based on academics and not real world knowledge. If this is the case, you will NEVER be ahead of the true hackers.. So have fun..

    • I think many of the comments assume no VPN or TOR. But it is more likely a combination of inexperience and a couple of mistakes that gave him away. Make the cover tight. All the pieces need to fit together to make a believable picture. Assume the criminals are smart enough to find inconsistencies.

      Also, what is overlooked in this is the authorities only need to be perfect a few times while the criminals need to be perfect all the time. While this investigation got blown, others may be quietly amassing the evidence needed.