26 May 17

Trump’s Dumps: ‘Making Dumps Great Again’

It’s not uncommon for crooks who peddle stolen credit cards to seize on iconic American figures of wealth and power in the digital advertisements for their shops that run incessantly on various cybercrime forums. Exhibit A: McDumpals, a hugely popular carding site that borrows the Ronald McDonald character from McDonald’s and caters to bulk buyers. Exhibit B: Uncle Sam’s dumps shop, which wants YOU! to buy American. Today, we’ll look at an up-and-coming stolen credit card shop called Trump’s-Dumps, which invokes the 45th president’s likeness and promises to make credit card fraud great again.


One reason thieves who sell stolen credit cards like to use popular American figures in their ads may be that a majority of their clients are people in the United States. Very often we’re talking about street gang members in the U.S. who use their purchased “dumps” — the data copied from the magnetic stripes of cards swiped through hacked point-of-sale systems — to make counterfeit copies of the cards. They then use the counterfeit cards in big-box stores to buy merchandise that they can easily resell for cash, such as gift cards, Apple devices and gaming systems.

When most of your clientele are street thugs based in the United States, it helps to leverage a brand strongly associated with America because you gain instant brand recognition with your customers. Also, a great many of these card shops are run by Russians and hosted at networks based in Russia, and the abuse of trademarks closely tied to the U.S. economy is a not-so-subtle “screw you” to American consumers.

In some cases, the guys running these card shops are openly hostile to the United States. Loyal readers will recall the stolen credit card shop “Rescator” — which was the main source of cards stolen in the Target, Home Depot and Sally Beauty breaches (among others) — was tied to a Ukrainian man who authored a nationalistic, pro-Russian blog which railed against the United States and called for the collapse of the American economy.

In deconstructing the 2014 breach at Sally Beauty, I interviewed a former Sally Beauty corporate network administrator who said the customer credit cards were being stolen with the help of card-stealing malware installed on Sally Beauty point-of-sale devices that phoned home to a domain called “anti-us-proxy-war[dot]com.”

Trump’s Dumps currently advertises more than 133,000 stolen credit and debit card dumps for sale. The prices range from just under $10 worth of Bitcoin to more than $40 in Bitcoin, depending on which bank issued the card, the cardholder’s geographic location, and whether the cards are tied to premium, prepaid, business or executive accounts.

A "state of the dumps" address on Trump's-Dumps.


Trump’s Dumps is currently hosted on a Russian server that caters to a handful of other high-profile carding shops, including the long-running “Fe-shop” and “Monopoly” dumps stores.

Sites like Trump’s Dumps can be taken offline — by forcing a domain name registrar to revoke the domain — but the people responsible for running this shop have already registered a slew of similar domains and no doubt have fresh bulletproof hosting standing by in case their primary domain is somehow seized.

Also, like many other modern carding sites, this one has versions of itself running on the Dark Web — sites that are only accessible using Tor and are far more difficult to force offline.

The home page of Trump’s Dumps takes some literary license with splices of President Trump’s inaugural address (see the above screenshot for the full text):

“WE, THE CITIZENS OF DARK WEB, ARE NOW JOINED IN A GREAT NATIONAL EFFORT TO REBUILD OUR COMMUNITY AND RESTORE ITS PROMISE FOR ALL OF OUR PEOPLE.

TOGETHER, WE WILL DETERMINE THE COURSE OF CARDING AND THE BLACKHAT COMMUNITY FOR MANY, MANY YEARS TO COME. WE WILL FACE CHALLENGES. WE WILL CONFRONT HARDSHIPS. BUT WE WILL GET THE JOB DONE.”

The U.S. Secret Service, which has the dual role of protecting the President and busting up counterfeiters (including credit card theft rings), declined to comment for this story.

WHO RUNS TRUMP’S DUMPS?

For now, I’m disinclined to believe much about a dox supposedly listing the Trump’s Dumps administrator’s various contacts that was released by one of his competitors in the cybercrime underground. However, there are some interesting clues that tie Trump’s Dumps to a series of hacking attacks on e-commerce providers over the past year. Those clues suggest the criminals behind Trump’s Dumps are massively into stealing credit card data that fuels both card-present and online fraud.

In the “contacts” section of Trump’s Dumps the proprietors list three Jabber instant messenger IDs. All of them end in @trumplink[dot]su. That site is not currently active, but Web site registration records for the domain show it is tied to the email address “rudneva-y@mail.ua.”

A reverse WHOIS website registration record search ordered from domaintools.com [full disclosure: Domaintools is an advertiser on this blog] shows that this email address is associated with at least 15 other domains. Most of those domains appear to have been registered to look like legitimate JavaScript calls that many e-commerce sites routinely make to process transactions, such as “js-link[dot]su,” “js-stat[dot]su,” and “js-mod[dot]su” (the full list is in this PDF).

A Google search on those domains produces a report from security firm RiskIQ, which explains how those domains featured prominently in a series of hacking campaigns against e-commerce websites dating back to March 2016. According to RiskIQ, the attacks targeted online stores running outdated and unpatched versions of shopping cart software from Magento, Powerfront and OpenCart.

These same domains showed up in an attack last October when it was revealed that hackers had compromised the Web site for the U.S. Senate GOP Senatorial Committee, among more than 5,900 other sites that accept credit cards. The intruders tinkered with the GOP Committee site’s HTML code to insert calls to domains like “jquery-cloud[dot]net” to hide the fact that they were stealing all credit card data that donors submitted via the Web site.
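The injections described above work because a checkout page quietly loads a script from, or submits to, a host the merchant never chose, under a name that looks like an ordinary library call. The following is an added example of the check a site owner can run against their own pages; it is not code from the article, from RiskIQ or from any of the named projects. The allowlist, the merchant hostname `shop.example.com` and the sample checkout page are constructed for the example; the hosts js-link.su, js-stat.su and jquery-cloud.net are the indicators the article names.

```python
"""
Audit an HTML page for external script, image, iframe and form hosts and
flag any host not on a merchant-controlled allowlist, with extra suspicion
for hosts whose names mimic common JavaScript library or CDN names.
Added example; the allowlist and the sample page below are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts a hypothetical merchant legitimately loads code from or posts
# checkout forms to (assumed for this example).
ALLOWED_HOSTS = {"shop.example.com", "code.jquery.com", "payments.example-psp.com"}

# Name fragments the injected domains borrowed from legitimate web-library
# names.  Substring matching is a heuristic, not proof of malice.
LOOKALIKE_FRAGMENTS = ("jquery", "js-", "-js", "cdn", "stat", "analytics")


class ExternalRefCollector(HTMLParser):
    """Collect (kind, url) pairs for every reference that leaves the page."""

    def __init__(self):
        super().__init__()
        self.refs = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self._in_script = True
            if a.get("src"):
                self.refs.append(("script-src", a["src"]))
        elif tag == "form" and a.get("action"):
            self.refs.append(("form-action", a["action"]))
        elif tag in ("iframe", "img") and a.get("src"):
            self.refs.append((tag + "-src", a["src"]))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # Inline scripts that name an external host in a string literal are
        # worth a look too; pull out any http(s) URL tokens.
        if self._in_script:
            for token in data.replace('"', " ").replace("'", " ").split():
                if token.startswith(("http://", "https://")):
                    self.refs.append(("inline-url", token))


def host_of(url, page_host):
    """Hostname a URL resolves to; relative URLs stay on the page's own host."""
    netloc = urlparse(url).netloc.lower()        # handles https:// and // forms
    if not netloc:
        return page_host
    return netloc.split("@")[-1].split(":")[0]   # strip credentials and port


def audit_page(html, page_host, allowed=ALLOWED_HOSTS):
    """Return findings as (severity, kind, host, url) for off-allowlist hosts."""
    collector = ExternalRefCollector()
    collector.feed(html)
    findings = []
    for kind, url in collector.refs:
        host = host_of(url, page_host)
        if host == page_host or host in allowed:
            continue
        lookalike = any(frag in host for frag in LOOKALIKE_FRAGMENTS)
        # A lookalike name, or a form posting card data elsewhere, is high.
        severity = "high" if (lookalike or kind == "form-action") else "medium"
        findings.append((severity, kind, host, url))
    return findings


# Constructed sample checkout page.  The three external js-*/jquery-* hosts
# are the indicators named in the article; the rest is made up.
SAMPLE_CHECKOUT_HTML = """
<html><head>
<script src="https://code.jquery.com/jquery-3.2.1.min.js"></script>
<script src="/static/checkout.js"></script>
<script src="https://js-link.su/js/stat.js"></script>
<script src="//jquery-cloud.net/jquery.min.js"></script>
<script>var endpoint = "https://js-stat.su/a.js";</script>
</head><body>
<form action="https://payments.example-psp.com/charge" method="post">
  <input name="cc"><input name="cvv"><button>Donate</button>
</form>
<img src="https://images.partner-example.org/logo.png">
</body></html>
"""

if __name__ == "__main__":
    for severity, kind, host, url in audit_page(SAMPLE_CHECKOUT_HTML, "shop.example.com"):
        print(f"[{severity}] {kind}: {host}  ({url})")
```

The same allowlist belongs in the site's Content-Security-Policy `script-src` and `form-action` directives, so the browser refuses an injected host even when the HTML has already been tampered with; the scan above is the periodic check that the served page still matches that policy.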


56 comments

  1. Funny thing is you Brian tell people where to shop for dumps and what to do with them. How is this not supposed to encourage people not to do fraud? You help fraudsters, not the industry.

    • There are different kinds of criminals. One kind hacks servers. Another kind maintains servers to sell stolen goods. A third buys stolen card information and tries to cash it out.

      In general, I think that the order I’ve listed them roughly corresponds in decreasing likeliness to them being aware of and reading this blog.

      The group of people cashing out appear to be classical criminal gangs, not cyber criminals. They’re performing a fairly basic form of petty theft/counterfeiting. Once they pick up their tools, they just need numbers; why would they try reading through everything Brian writes?

    • You can’t be serious. Credit card fraud is a popular topic and well known opportunity already. Type “cc dumps” into Google and see how many shopping hits you get. If you haven’t looked before, you’ll be shocked. It is clear that anybody looking will find what they want as easily as they could find running shoes.

      Also, if you hang around the net for very long, you’ll see ads for dumps posted on most forums. They get deleted quickly by admins, but these ads just keep on coming and they’re up long enough to be seen by most people. Anybody that wants can respond. It’s actually a credit to the integrity of the general population that more people aren’t succumbing to this relentless advertising.

    • Ahh… here’s the ticket.

      We the people of the USA are interested in knowing as much as possible about the enemy, and being as friendly as possible. Until we put a noose around their necks, and tied to a pickup truck, pull.

      I have no sympathy for criminals. There are too many things they could be doing to feed themselves and their children, and stealing and exploiting weaknesses of others is not honorable. They have the option to change their ways. We are an open country with good-intentioned people. We welcome others like that.

      So I want to know. I don’t want filtering or censorship, thank you.

      I hope this makes sense.

      • Trump probably doesn’t even know about it.

      • I like your thinking.

      • “We are an open country with good-intentioned people”

        You have the highest incarceration rate in the world and the least humane prisons of any first world country. Once someone has ended up in your criminal “justice” system for such horrible crimes as smoking weed, drinking alcohol before 21 or fucking before 18 they suffer massively reduced options for the rest of their life.

        Your opinions are naive, black-and-white and ignore human nature. You are American.

        • Good-intentioned and smart enough to realize they are being played by the politicians (and others) to keep things at the status-quo are two totally separate things.

    • Would Daniel’s point be an argument from fallacy?

      I think the vast majority of us have already done all the credit card fraud we want to do. For almost all of us it’s zero credit card fraud. Just because I’m reading how to do it, doesn’t mean I intend to or want to risk my life, lifestyle, freedom, and happiness to do it.

      • Some people really dislike Brian’s activities and will always try to claim that he’s a morally horrible person for posting information about the kinds of people who post comments like this on his forum.

        They don’t like bright lights to be shined on them and while scurrying back into the dark they try to make themselves feel better about being immoral scumbags by claiming they’re a victim and Krebs is a bad guy.

        Its kind of like Nigerian scammers who think the reason they’re being prosecuted for committing illegal acts is because of racism, rather than their illegal acts. They’ve so screwed up their heads that the illegal acts aren’t wrong and prosecuting them for it is.

    • Sunlight is the best disinfectant…Keep shining Brian Krebs!

    • Would you really want Brian Krebs after you? I know I sure wouldn’t. He is tech savvy and very good at ferreting out crooks and they know that.

    • Daniel – Oh, please! Knowledge doesn’t create a criminal any more than a spoon forces me to eat ice cream. However, for the honest majority having this information improves awareness, and allows some to take precautions.

      • Bill writes: “Daniel – Oh, please! Knowledge doesn’t create a criminal any more than a spoon forces me to eat ice cream. However, for the honest majority having this information improves awareness, and allows some to take precautions.”

        Bill - Oh, please! 😉 A spoon does not clue someone into the existence of ice cream. You don’t even need a spoon to eat ice cream - Duh! (You committed a false analogy - well, you did! Mimi giggles.)

        Also - The majority of people are not honest.

        No one wants the messenger shot, either, Daniel. And, question for Daniel? How’s that credit card dump site treating you? Did you get your $$’s worth? :)

  2. @Daniel – Ah, the “Hear no evil, see no evil” defence. I’m sure that will work out well for you.

  3. @BK nice job on the last few weeks, you’ve been quite busy. I continue to read and be educated as to what the ne’er-do-wells are trying to do next.

    @Daniel there is this belief among many cultures of right and wrong YMMV.

  4. @Daniel – if you are inclined to be a criminal, you can easily find out how to become one without Brian’s help.

    Brian raises awareness and does great investigative work. Keep reading and learn how to protect yourself (or your cooperation) from fraud.

  5. IRS iTunes Card

    Good article

  6. Daniel, I am sure you mean well; however, it is too easy to shoot the messenger rather than deal with the matters. Really, the question that should be asked is why are the credit card companies not engaging with small businesses like ours that have new technologies to fix the deficiencies in their systems. Attacking journalists who are just doing their job is not going to stop anything; in fact, it just perpetuates the problems because it is censorship, and that stifles communication of new ideas and systems to improve things.

  7. It’s a really bad time to be ticking off this president, I think. Russia, China, most countries are trying to figure out how to get his favor at this point. Turning over some half bright stooges that are hurting his brand would be easy.

    • I think Russia has already found a way into his favor for over a year now.

        • Crustier curmudgeon

          The trump Foundation. Trump University. Per your example, the student has surpassed the teacher. 😉

          • I’d like you to consider the difference between what Trump did before he was elected vs. what Clintons did.

            There is a big difference between being someone who is padding their pockets when working as a powerful employee we are bound to (Clintons) vs. someone who advertises and sells to unbound clients (Trump).

            I know you probably won’t get that, but I wish you the best regardless.

            PS – now that DJT is in office, by all means, find the crime. I just can’t wait to see what comes of this Kush push. I am hopeful that it was bait for our establishment, just to stir the pot and show how TTower was bugged as he said, and anything discussed and heard by Brennan was limited to talk of hairy women and smoked sausage. I know our comrades like both. I like both.

            Find the crime and I am with you. Until then, onward with the conspiracies.

            • Also be aware that as of 2003 it is de-facto legal for US news to “lie” [Akre vs. New World Communications, Fla Ct of Appeal, 2003] – You must ask yourself, how much do we really know?

            • @RM - And, I’d like you to have your next surgery performed by the master surgeon Hawkeye Pierce (Alan Alda) from M*A*S*H.

              Is it logical to compare the surgical skills of Dr. Mehmet Oz to Dr. Hawkeye Pierce?

              Do you think that’s a silly thing for me to say? Why?

              The qualifications are the same, correct? I don’t like the Clintons either, but I very much value reason and logic. Comparing a Real Life Politician to one that Plays One on TV is RIDICULOUS!

          • Because he has sold uranium to the Russians, and influence to the Saudis to line his pockets? Hmm. You need a reality check.

            • Exactly. That wasn’t Trump.

              And in fairness, wasn’t really a “sale”, but you know. Was definitely NOT the refusal I would have liked to have seen.

              Keep up the good work. One bit at a time.

  8. Interesting Article. Thanks. Enjoyed it.

  9. Interesting how everything I find illegal coming out of the .ua domains over the last couple of years turns out to be a Russian lowlife.

    I expect some FSB docs to eventually leak showing Russia has an open policy allowing their stooges to hurt as many innocent people as they want so long as they do it from Uke domains.

    Who needs prisons when you can ship the sleaze to the Ukraine, amirite?

    • The word you are looking for is Kleptocracy. https://en.wikipedia.org/wiki/Kleptocracy

      Funny thing, we were watching a British sitcom from the early 80s and they referred to Russia and its government as a bunch of hooligans.

      Seems, nothing has changed.

      • Which 1980s British sitcom was classy enough, I wonder, to be making references of any kind to the Russian/Soviet government? And good enough to be still worth watching?

        I can only think of one : Yes Minister. Was that it?

    • Well, the reverse is also true: if an American was caught hacking Russia do you think they’d extradite? Lol hell no. But they don’t use online banking as much and bitcoin is less prominent there. Ransomware using yandex money or webmoney is probably the best option. Also, their networks are actually less secure…

      • Let’s see… how many puppet regimes did the US set up in the 20th century? How many sovereign states did the US covertly overthrow?

  10. In Europe we have terrorist attacks.
    In the USA, fraud, scams, cybercrimes.
    We live in a new world, new reality.
    Get used to it.

    • There is nothing new about fraud, terrorist attacks, scams or crime. Just add a cyberprefix to every cyberword and cybersuddenly it’s like we’ve never cyberseen these cyberthings happening before? No. Your cyberreality is still the same old reality we’ve been living in for hundreds of years.

      Cybertrash is still the same old trash.

      • Right. Kinda hard to wrap my head around all that , but probably just because I realize that the opportunity field for security people to help is so broad, and the barriers to entry are so few.

        Sometimes I wish I could just give it all up and flip burgers, but man, the mission. The mission. I feel if we know something others do not yet know, we have to do something good with it.

        Btw, Brian, I know I am not replying to you, but THANK YOU for all you do and try to do. I hope your rewards are sufficient.

      • Brian, I thank you for all you do and try to do. I hope your rewards are sufficient.

  11. Stop accepting magstripes then. End of this problem – to a large extent it is in Europe.

    However given that 30 years ago nobody gave a damn about CC signatures in the USA & its not got any better since, maybe the answer is to boycott the USA until it adheres to the same standards it demands of others.

    No? RoTW says screw you to USA cards.

    Muppets.

    • The thing is criminals take the path of least resistance. You think that what Europe uses is invulnerable? If the US upgrades then criminals will just break that and now Euro cards will be vulnerable too.

  12. I know credit card fraud is a serious matter, but the first paragraph gave me the first real laugh I have had in some time, thanks Mr. Brian.

  13. This article finally convinced me to write a checklist of all of the things I must do in the event that my cc is stolen.
    1. Report theft to cc company and order new cc with a new account number. (Telephone number)
    2. Record new cc number. Note: The only source for the CVV is the cc.
    3. Update accounts that have automatic, recurring charges. Use the backup cc until new cc arrives.
    A. Telephone company
    B. News service website
    C. Entertainment websites
    D. Cable TV
    4. Await the arrival of new cc. Use backup cc as needed.
    5. After new cc arrives, return to step three to replace backup cc with new cc.

    • You forgot: Check account history for unauthorized activity. If found, report the activity to your FI right away.

  14. Since when did this blog become a “politics blog”? Where’s the security blog?

    • Sorry, sir, but just because the “Trump” word is spoken doesn’t make it a politics blog.

      That said, we can take the oppty to talk about how we get held accountable because of the choices of our Enn Ess Ayy , who failed to keep the tools we paid them PLENTY for, and lost them to the bad guys so they can use them against us, and then.. and more…and then…

      (and just how much benefit did we get from them there tools?)

      Politics? Security? Protect us, oh wonderful overlords.

      It’s either time to go retch in my flowerpot, or get back to work. Not sure which one I would prefer.

    • Btw, I’m just being melodramatic. In case you didn’t catch that.

      It’s fine with me, since whatever dump we get dragged into, I get to clean it up.

      But I like to think about the old days when I didn’t have to be a janitor so often.

  15. What really makes the crooks mad is the fact that despite all they steal, the CC companies make so much money that they can afford to cover the loss and the cardholders are covered.

    But while this may encourage more to take up working in different parts of the carding industry, they are going to be up for a rude awakening. I think the seeding of fake CC records has been going on for some time now so that a complete profile of the industry can be assembled. When that reaches a certain point, the CC industry will start placing bounties on the crooks. Then we will have a new industry fueled by the same financial source, but that will drive towards the goal of carding industry eradication. If you doubt this, then you have not studied USA history.

    • It’s all owned by the private Federal Reserve.
      People have no right to cry about it, and yes,
      it’s their friends.

    • To your point about the profitability of cc companies, I once was called to consult for one. The CEO wanted to know if I could use his data (or set up a process) to determine if there was some question he could ask on the cc application form that would decrease the number of holders who would ultimately default. In the process he revealed that he had 4 billion USD in sales, and 900 million in “difficult to collect” accounts. And he was still profitable! Go figure.

  16. professorALTCORN

    > It’s not uncommon for crooks who peddle stolen credit cards to seize on iconic
    > American figures of wealth and power in the digital advertisements for their shops

    Like, for example, the time some guy opened a site called BrianKrebsDumps

    :)

  17. Thanks for sharing, worth reading.

  18. As a long-time lurker of this forum, I would like to invite everyone who is actually interested in cyber-security from a professional point of view to keep reading, and everyone who would rather use Krebs’ reporting as a jumping-off point for your various political stances to go find another forum. Krebs is reporting cyber security. There are literally thousands of forums of all political slants and views you can go use if your primary goal is politics.

  19. EVA is taking off finally in the US. This is a non-issue soon. The real issue?

    Who killed Seth Rich?!

    • EVA has been taking off in the US for decades now. I fly them regularly.

      I think you meant EMV.

  20. Trump won the USA presidential elections with help of Russian partners. Ex-Gen. McFlyn

  21. Nothing to do with Russian here.
    They just hacked everything and cleaned afterwards as far as they could. This is brilliant!