15
Oct 19

“BriansClub” Hack Rescues 26M Stolen Cards

BriansClub,” one of the largest underground stores for buying stolen credit card data, has itself been hacked. The data stolen from BriansClub encompasses more than 26 million credit and debit card records taken from hacked online and brick-and-mortar retailers over the past four years, including almost eight million records uploaded to the shop in 2019 alone.

An ad for BriansClub has been using my name and likeness for years to peddle millions of stolen credit cards.

Last month, KrebsOnSecurity was contacted by a source who shared a plain text file containing what was claimed to be the full database of cards for sale both currently and historically through BriansClub[.]at, a thriving fraud bazaar named after this author. Imitating my site, likeness and namesake, BriansClub even dubiously claims a copyright with a reference at the bottom of each page: “© 2019 Crabs on Security.”

Multiple people who reviewed the database shared by my source confirmed that the same credit card records also could be found in a more redacted form simply by searching the BriansClub Web site with a valid, properly-funded account.

All of the card data stolen from BriansClub was shared with multiple sources who work closely with financial institutions to identify and monitor or reissue cards that show up for sale in the cybercrime underground.

The leaked data shows that in 2015, BriansClub added just 1.7 million card records for sale. But business would pick up in each of the years that followed: In 2016, BriansClub uploaded 2.89 million stolen cards; 2017 saw some 4.9 million cards added; 2018 brought in 9.2 million more.

Between January and August 2019 (when this database snapshot was apparently taken), BriansClub added roughly 7.6 million cards.

Most of what’s on offer at BriansClub are “dumps,” strings of ones and zeros that — when encoded onto anything with a magnetic stripe the size of a credit card — can be used by thieves to purchase electronics, gift cards and other high-priced items at big box stores.

As shown in the table below (taken from this story), many federal hacking prosecutions involving stolen credit cards will for sentencing purposes value each stolen card record at $500, which is intended to represent the average loss per compromised cardholder.

The black market value, impact to consumers and banks, and liability associated with different types of card fraud.

STOLEN BACK FAIR AND SQUARE

An extensive analysis of the database indicates BriansClub holds approximately $414 million worth of stolen credit cards for sale, based on the pricing tiers listed on the site. That’s according to an analysis by Flashpoint, a security intelligence firm based in New York City.

Allison Nixon, the company’s director of security research, said the data suggests that between 2015 and August 2019, BriansClub sold roughly 9.1 million stolen credit cards, earning the site $126 million in sales (all sales are transacted in bitcoin).

If we take just the 9.1 million cards that were confirmed sold through BriansClub, we’re talking about more than $4 billion in likely losses at the $500 average loss per card figure from the Justice Department.

Also, it seems likely the total number of stolen credit cards for sale on BriansClub and related sites vastly exceeds the number of criminals who will buy such data. Shame on them for not investing more in marketing!

There’s no easy way to tell how many of the 26 million or so cards for sale at BriansClub are still valid, but the closest approximation of that — how many unsold cards have expiration dates in the future — indicates more than 14 million of them could still be valid.

The archive also reveals the proprietor(s) of BriansClub frequently uploaded new batches of stolen cards — some just a few thousand records, and others tens of thousands.

That’s because like many other carding sites, BriansClub mostly resells cards stolen by other cybercriminals — known as resellers or affiliates — who earn a percentage from each sale. It’s not yet clear how that revenue is shared in this case, but perhaps this information will be revealed in further analysis of the purloined database.

BRIANS CHAT

In a message titled “Your site is hacked,’ KrebsOnSecurity requested comment from BriansClub via the “Support Tickets” page on the carding shop’s site, informing its operators that all of their card data had been shared with the card-issuing banks.

I was surprised and delighted to receive a polite reply a few hours later from the site’s administrator (“admin”):

“No. I’m the real Brian Krebs here 🙂

Correct subject would be the data center was hacked.

Will get in touch with you on jabber. Should I mention that all information affected by the data-center breach has been since taken off sales, so no worries about the issuing banks.”

Flashpoint’s Nixon said a spot check comparison between the stolen card database and the card data advertised at BriansClub suggests the administrator is not being truthful in his claims of having removed the leaked stolen card data from his online shop.

The admin hasn’t yet responded to follow-up questions, such as why BriansClub chose to use my name and likeness to peddle millions of stolen credit cards.

Almost certainly, at least part of the appeal is that my surname means “crab” (or cancer), and crab is Russian hacker slang for “carder,” a person who engages in credit card fraud.

Many of the cards for sale on BriansClub are not visible to all customers. Those who wish to see the “best” cards in the shop need to maintain certain minimum balances, as shown in this screenshot.

HACKING BACK?

Nixon said breaches of criminal website databases often lead not just to prevented cybercrimes, but also to arrests and prosecutions.

“When people talk about ‘hacking back,’ they’re talking about stuff like this,” Nixon said. “As long as our government is hacking into all these foreign government resources, they should be hacking into these carding sites as well. There’s a lot of attention being paid to this data now and people are remediating and working on it.”

By way of example on hacking back, she pointed to the 2016 breach of vDOS — at the time the largest and most powerful service for knocking Web sites offline in large-scale cyberattacks.

Soon after vDOS’s database was stolen and leaked to this author, its two main proprietors were arrested. Also, the database added to evidence of criminal activity for several other individuals who were persons of interest in unrelated cybercrime investigations, Nixon said.

“When vDOS got breached, that basically reopened cases that were cold because [the leak of the vDOS database] supplied the final piece of evidence needed,” she said.

THE TARGET BREACH OF THE UNDERGROUND?

After many hours spent poring over this data, it became clear I needed some perspective on the scope and impact of this breach. As a major event in the cybercrime underground, was it somehow the reverse analog of the Target breach — which negatively impacted tens of millions of consumers and greatly enriched a large number of bad guys? Or was it more prosaic, like a Jimmy Johns-sized debacle?

For that insight, I spoke with Gemini Advisory, a New York-based company that works with financial institutions to monitor dozens of underground markets trafficking in stolen card data.

Andrei Barysevich, co-founder and CEO at Gemini, said the breach at BriansClub is certainly significant, given that Gemini currently tracks a total of 87 million credit and debit card records for sale across the cybercrime underground.

Gemini is monitoring most underground stores that peddle stolen card data — including such heavy hitters as Joker’s Stash, Trump’s Dumps, and BriansDump.

Contrary to popular belief, when these shops sell a stolen credit card record, that record is then removed from the inventory of items for sale. This allows companies like Gemini to determine roughly how many new cards are put up for sale and how many have sold.

Barysevich said the loss of so many valid cards may well impact how other carding stores compete and price their products.

“With over 78% of the illicit trade of stolen cards attributed to only a dozen of dark web markets, a breach of this magnitude will undoubtedly disturb the underground trade in the short term,” he said. “However, since the demand for stolen credit cards is on the rise, other vendors will undoubtedly attempt to capitalize on the disappearance of the top player.”

Liked this story and want to learn more about how carding shops operate? Check out Peek Inside a Professional Carding Shop.

Tags: , , , , ,

49 comments

  1. “If we take just the 9.1 million cards that were confirmed sold through BriansClub, we’re talking about $2.27 billion in likely losses at the $500 average loss per card figure from the Justice Department.” This is just the potential consumer loss in the event of untimely notification. The bank’s loss could be considerably more because Regulation E requires banks to reimburse customers for unauthorized transactions regardless of whether the bank receives money back from the merchant – which almost NEVER happens.

    • “… which almost NEVER happens.”

      I’m sorry, but based on what? Transaction disputes where I work generally run at about an 80-90% recovery rate of fraud via chargeback, which also includes card-present transactions thanks to the EMV mandate. And we see plenty of merchant reversals where their own detection processes have identified transactions as fraud.

    • Hi I sent my money to you guys app and it hasn’t arrived or shown up yet I need my refund all my money to show up

  2. The Sunsine State

    In my opinion , a lot of financial institutions fail to implement multi-factor authentication or rely on SMS to authenticate card holders. If you look at the bank BBVA , they will send you a electronic token for your account authentication. More banks should be doing this to secure their users account from being subjected to fraud abuse.

    • For the most part, it isn’t the banks that are compromised. It’s the merchants.

      • Chip & PIN adds another layer of security that carders have to capture. USA decides that is too inconvenient so they rather adopt Chip & Sign and let the fraud continue. 2FA is certainly better but the implementation details I think are more complicated. Is there was a decentralized way to for Apple/Android Pay to work globally, I’d support that.

        • My bank (a major one in the US) has specifically advised me not to use PIN numbers and run the debit card (with chip) as a credit card. Very few merchants force the PIN, and usually only at unmanned stations such as self-checkout or the gas pump.

          OTP’s would help, such as something like Authy or Authenticator embedded in the card chip, but it has to have an internal clock synced to a time standard to work correctly. All that entails extra costs that nobody wants to pay for in the States…

        • That is only for Card Present transactions.
          Yeah, enforced Chip&PIN would prevent carders using skimmers from getting card data.
          But even in Europe, the Card Not Present data is still available. You cannot use a Chip&PIN for online transactions. You have to use CC#+exp+CVV. And THIS is the data that is for sale on these carder sites.

          There is no easy way to fix online purchases without a middleman of some kind. VISA secure checkout, Paypal, etc… are one way they try.

          • Is that a specific part of Europe when you write “You cannot use a Chip&PIN for online transactions. “?

            In Europe, when making an online transaction I get asked
            the
            Step 1 number, expiry, cvv,
            Step 2 last 4 digits of registered mobile phone
            Step 3 a one time code through that phone (SMS or app) , or a code from using the card with a little non-unique bank-issued chip & pin card reader.

            • Step 1 number, expiry, cvv,
              – This is the static carding data

              Step 2 last 4 digits of registered mobile phone
              – Nothing to do with your card, but some pre-registered account info. Not needed for a carder to use at any other vendor.

              Step 3 a one time code through that phone (SMS or app) , or a code from using the card with a little non-unique bank-issued chip & pin card reader.
              – This also is not tied to the card… but rather some account that you’ve set up.

              Are you talking about logging into online banking?
              I am talking about making online purchases. Online vendors don’t/can’t ask for the PIN set on that specific card. This is very different than OTP codes going to the phone.

              “non-unique bank-issued chip & pin card reader”
              Your bank actually sends you a card reader that you insert your CC, and it displays a rotating code?

              • Yes. Every card I have been issued in Sweden in the last 20 years has come with a card reader which after proper authentication generates a one-use code valid for a few minutes.

                • Thanks. Sounds similar to the ever popular RSA tokens.

                  The question is not getting codes (OTP via SMS, Grid matrix, card reader, etc)…

                  But rather, where can those codes be used??
                  Online “Banking” of course…. but what about Online “Shopping”???

                  There are millions of online vendors out there… and they would all need to have web forms that ask for PIN/OTP during checkout.

                  I suspect that there is confusion here about the additional security of these cards. They may include two factor elements that are used for highly secure transactions, such as wire/bank transfers. Of course the issuing bank can implement a verification of the code on their own web site.

                  Can these cards ONLY BE USED to make online purchases on web sites that ask for PIN/OTP??? If this is not the case, then there IS VALUE in stealing all the static data that is available in these breaches.
                  Thieves might not be able to take over an entire bank account, transfer cash or use an ATM… but they CAN still make purchases.

                • Sounds neat, they issue you hardware that reads your chip and gives a OTP? Do you know of a page or video that shows examples of this?

                  • Yeah, agree with Marc. You’d haveto establish a bank-managed portal on your desktop/device to perform tokenized authentication to a merchant’s online site, and may even require to merchant to add software/web service.
                    Plus, in the US the risk culture is that if I’m frauded, my bank/card issuer will take care of it. I don’t worry about a card reader/tokenized transaction.

            • I’m afraid there’s some game changing news coming from Europe.

              The nov 2015 EU directive 2015/2366 (DSP2) “on payment services in the internal market” is enforced since jan 2018.
              Art 97 mandates strong authentication including – albeit not limited to – for CNP scenarios.
              European Commission published technical norms 2018/389 about “strong authentication”. Enforcement september 2019.
              The strong authentication (art 5 to 9) code is non reusable and bound to both payment amount and payee identity.
              Three categories are envisioned (broadly) : knowledge, 2F owning and inherence (biometry)
              For each category there is specific requirements. For knowledge which as I understand includes OTP transmited on the wire, it is unclear wether SMS meets them.

              Remains to be seen how banks will act. Early 2018 saw a bunch of TOS modifications. Another wave of such “adjustments” seems to be on the rise since this summer.

    • Wrong! BBVA has no idea what a token is. Just ask their so-called customer service. Only thing BBVA uses is questions and answers. Their online security is rated ‘poor’ by various monitoring agencies.

      • What are you talking about? I just ran SSLlabs tests on their online servers (mostly As, and one B). What monitoring service rates their online security as “poor”???

  3. Another good reason for making the possession and
    trading in Bitcoin and similar cyber currencies a
    criminal offence with extremely severe penalties.

    Drip drip drip this evil menace is ruining the world’s
    economic security

    • That is foolish. You want to criminalize someone for holding a certain currency?

      That would be similar to criminalizing anyone who carries USD on them outside the US for drug trafficking.

      Emotionally charged comment, which was not thought out whatsoever.

      • It’s a spam bot, check the comment right underneath, it’s worded the same just run through a thesaurus. I’m not saying the chinese astroturf against digital currencies, but if you check their IP, yeah.

      • Notably, US Citizens are required to report when they pool $10k+ in a location outside the US. And anyone traveling into/out of the US is required to report carrying $10k+. There is no penalty for exceeding these, just for failure to report.

        Bitcoin is an open ledger. The only thing missing is a direct link between accounts and people, although it’s a forensic accountant’s dream.

        Roughly, there are enough laws available, one could probably argue that bitcoin doesn’t live within the US, and thus any US citizen who controls $10k (and it isn’t USD, it’s USD or equivalent) would be required to report it (annually).

    • Sorry Rob,
      Although I agree with you that offenders of credit card fraud should be prosecuted to the fullest extent of the law, you have a misunderstanding of how bitcoin works, and thus your suggested analysis and resolution of limiting digital currency is incorrect.
      If two people conduct an illegal transaction and pay cash. For the most part using this simplistic example that transaction is untraceable. If those same two people conduct an illegal transaction and use bitcoin or similar crypto currencies that transaction IS traceable. You can determine where the bitcoin came from, where it is being sent to, and when the holders of the digital wallets use that digital wallet / currency in the future, those transactions are traceable as well. It’s traceable from the beginning to the end of the transaction. You do have a point with some digital assets such as (Monero, Z-cash, Dash, Lynda) who’s purpose is to obscure ownership of the transaction. You are correct that these types of transactions should be illegal. However, thieves typically don’t request payment in these forms of digital assets because they are not as popularly known as bitcoin. What you should be asking yourself is why do the banks / merchants not implement the technology to combat this form of fraud. The reason is because they don’t want to spend the money to solve the problem, and they don’t care because insurance picks up the loss. Do not bundle fraudulent transactions with Bitcoin. There are more fraudulent transactions using fiat currency then there ever will be using bitcoin.

      • This myth is often used as a defense of cryptocurrency… that it is “traceable”. While this is true to an extent… it is a serious overstatement. It is just as easy to bypass/obscure the traceability of cryptocurrency, than it is to do the same with cash. Remember, cash has serial numbers which can be, and are frequently traced. Of course, only a few transactions are needed to “wash” paper currency to get around the serial numbers. Similarly, criminals can easily get around the built in traceability of cryptocurrency, they only need to move it once.

        This is why criminals have no problem asking for cryptocurrency when attacking any victim of ransomware. The “traceability” defense falls flat in the reality of how its used.

        BTW, cryptocurrency is also “Fiat”. As in, its value isn’t tied to an intrinsic standard. Paper or digital currency can still be fiat.

        To your other point,
        “Do not bundle fraudulent transactions with Bitcoin. There are more fraudulent transactions using fiat currency then there ever will be using bitcoin.”

        This is also false and misleading, because of statistics. In absolute transaction value terms, cryptocurrency is still a minor player compared to cash. But, as a percentage… cryptocurrency (bitcoin specifically) has a MUCH higher rate of being used for illegal activity. There are simply fewer legit/legal reasons for cryptocurrency in today’s market.
        There are only three types of people who use cryptocurrency:
        1) The idealist, those who believe the financial system should be decentralized.
        2) The speculator, those who see the volatility as a way to make money on trading.
        3) The criminal, those who want a means of moving money outside of legal oversight.

        There are very few (1)’s…. They are really the only ones buying groceries with bitcoin and pretty much spend every bitcoin they buy without holding for too long.
        There are way more (2)’s than (1)’s, and they are responsible for the fluctuating prices. They either hold cryptocurrency long term, or only sell back to the market for profit. (2)’s may have the largest volume of currency held.
        However, on a sheer $$$ transactional basis and number of people… IMO, (3)’s are the biggest share of the market. Not sure they are the majority, but I think they’ve got plurality.

        Thee most tangible benefits of cryptocurrency appeals most to criminals. It is appealing to speculators too… and there aren’t enough idealists to explain the current market.

      • > they don’t want to spend the money to solve the problem,
        > and they don’t care because insurance picks up the loss.

        Are you neglecting the cost of the insurance (the premium)?

    • Very own thoughts, so many crimes would be stopped dead in their tracks if anonymous crypto currencies were made illegal.
      This would include activities such as buying debit/credit card and other data as well as ransomware and a host of other crimes etc.

      That’s not saying ban crypto currencies, just that they have to be traceable to real people. If that detracts from their use – then that about says it all!

  4. Probably a Dumb Idea

    In order to make stolen credit cards less effective, what would your opinion(s) be on almost implementing a rotating OTP, similar to an RSA token, to the credit card? Instead of a PIN, maybe there’s some sort of OTP in the credit card itself? Of course, the obvious problem would be the overhead in everything needing to sync with the card — which not only would be a ton of work, but very costly to make sure there’s compatibility and making the systems actually sync with the cards. That’s just an idea, I’m sure there’s a better way to implement it or even a better idea altogether. Every time I read a story like this, it gets me thinking of how we can better secure credit cards to make attacks like this obsolete.

    • Chip and PIN, EMV,… is doing much more than a simple OTP.
      That is for Card Present purchases.

      For card not present, online purchases, it might be nice to have a thin lcd display an OTP as a rotating PIN.
      But power is usually a concern.

      Mastercard did talk about a similar concept:
      https://www.cnet.com/news/mastercard-rolls-out-credit-card-with-display-and-keypad/

      “Meet MasterCard’s new ‘Display Card,’ which basically combines the usual credit/debit or ATM card with an authentication token. The authentication portion features a touch-sensitive keypad and LCD display — hence the name ‘Display Card’ — for reflecting a one-time password (OTP). ”

      But of course, that OTP is only useful for participating partners such as the issuing banks online banking app. Getting all vendors to integrate with rotating PINs for online purchases… is going to be a huge feat.
      Right now, PIN is only used for Card Present transactions…. but for online purchases, every credit card form would need to be upgraded.
      And only AFTER every one switched over, could credit cards eliminate the insecure fallback to static CVV numbers.

      • For Card not Present transactions, my bank in India gives me a debit card which has a grid at the back. This grid contains random numbers representing alphabets. So unless my card is physically stolen, ALL transactions online require me to enter numbers representing randomly selected alphabets. This is applicable to transactions through on-line banking as well as credit card ones.

        • That is for online banking
          What we are talking about is purchasing at any one of millions of online vendors.

          Online banking should have higher protections of MFA…. because large sums of money get transferred to other private parties.

          For online “shopping”…. Card Not Present transactions are NOT protected by PIN, OTP, or grid codes. And any card, credit or debit, that can be used by these millions of shops, only need the common card data available by these breaches.

    • Somewhere, there’s a checklist for “solutions to {great problems}” (one example is “email spam”). It’s a quick way to answer “probably a dumb idea” by checking the dumb parts and saving typing.

      —One basic thing about credit card processing is that any change in the protocol / implementation requires a lot of money and time, time and money to develop, time and money to certify, time and money to deploy.—

      For your idea, it’s important to understand the requirements for credit cards, especially US credit card processing.

      One of them is “transactions need to be able to be processed offline”.

      This includes someone who goes to an island without clearing capabilities and makes a week’s worth of transactions, the goal is to be able to take all of those transactions back to the processor at the end of the week and have them cleared.

      Anything with a timeout that is short of the credit card clearing time requirement fails this. Anything that requires network connectivity fails this.

      If you don’t have these requirements (or, simpler, if you require all transactions be processed online, instantly), then the problem becomes “much easier” to manage. — But there’s a huge cost tradeoff. It requires 100% network coverage throughout the world, and it requires all payment processing terminals be able to connect to that coverage at all times. It also means that when (not if), there’s a network failure, e.g. due to a natural disaster, suddenly you can’t use credit cards. This is really bad.

      To give you a sense of what this is… Allow me to introduce: the Waffle House Index [1]. For more information, see Money’s [2] / USA Today’s [3] write-ups. They have four emergency menus [4], one is the No Power menu. I’m not absolutely certain that they process old-fashioned carbon copy credit card transactions under those conditions, but they theoretically could — the credit card system we have in North America is designed to support it.

      Chip based transactions done right (involving tokenization) solve most of the card-present attacks. Right now, the problem is gas stations that haven’t updated (because there are lots of gas stations and updating them all is expensive, there are fun certification problems and general capital investment problems — It’s similar to the problem w/ electronic voting booths, except there are more gas stations, and we think there are more credit card thieves than election thieves, although we could be wrong, they could be the same people…).

      Once chips are used everywhere, the magnetic stripe can go away. You still have the “no power” problem.

      That leaves the card-not-present problem, which is basically every time the user makes a purchase by phone or internet.

      There’s a “simple” solution to this: Give every person in the world a Chip enabled Square (or competitor) device. This solves the internet version of the problem w/o requiring inventing new technology. The cost is massive, but probably cheaper than upgrading the gas stations (I could be wrong, we’re talking say 600 million people in North America, and I’ll naively guess it costs $50 per reader). The cost for the readers would be ~$30 billion, which exceeds the cost for the chip-and-pin implementation (it was estimated at $2.6 billion).

      While that $30 billion might sound like a lot, it’s probably cheaper than most alternatives. Anything that requires reworking the existing protocol would require redeploying the entire infrastructure *again*, not to mention the actual development and certification costs.

      There’s an advantage to offering these square terminals to everyone: people could do peer-to-peer payments at a scale we haven’t been able to do in North America (some African countries have been able to do it w/ Mobile payment systems, and elite folks have been able to use PayPal or other things), but the credit card companies in theory should love this, as they can take over more of the cash economy and take a cut of each transaction.

      [1] https://en.wikipedia.org/wiki/Waffle_House_Index
      [2] http://money.com/money/5397099/waffle-house-hurricane-florence-fema/
      [3] https://www.usatoday.com/story/news/nation/2019/09/01/hurricane-dorian-waffle-house-index-disasters/2187708001/
      [4] https://twitter.com/anniepnj/status/1168582629467312129

  5. Does Gemini interact with its client banks so as to have the stolen cards disabled?

  6. You mean it’s true that there is no honor among thieves?

  7. That’s absolutely hilarious. I love that little crab dancing around. The fact in 2019 this entire mess is getting worse, not better, is just nuts. The powers that be are doing a lousy job, imho. A failure on every level.

  8. Bitcoin will be 100k.

  9. Karma is a bitch.

  10. 9.1M x $500 = $4.55B, not $2.27B.

    Is there some other factor?

    • I had originally written that to say something like, even if we assume the government’s estimates are too high and halve that $500 loss number…..

  11. Would it not have been better if the breach had not been disclosed to the pirate site and subsequent transactions using the stolen card numbers tracked and the perpetrators arrested? That might have both put a dent in criminals’ trust in the site (leading to its demise) and alerted the end-user criminals that the use of stolen credit cards is not a safe occupation.

    But I know that the banks do not bother tracking and prosecuting card fraud because it’s cheaper for them to just consider it the cost of doing business. Maybe therein lies the problem.

    • Not there is real risk in the buyer getting caught, even if nobody was informed of this breach.
      Carder data is assumed invalid by the buyer… and they validate before purchase, at least a random sample.

  12. Hmmm, I can’t be the ONLY one thinking about a new meaning and direction in Brian’s life?

    We all live in nascent dawning of the digital warfare that Gibson, Halderman, Asimov talked of many years/decades ago.

    This warfare will become common, and ongoing everyday event for us.

    Thus, after reading thie artcile, I see the future. I hearby renounce my nation-state citizenship and instead choose to become a citizen of ‘KrebsLand’.

    KrebsLand is where the leader (ahem, Mr. Brian Krebs) builds out into thousands, hundreds of thousands, one day millions, of citizens that help engage in an intense cyber-nation and concomitant cyber-military going after cyber baddies.

    Above all else, this new cyber nation and cyber military KrebsLand will be devoted to rooting out all forms of digital malfeasance. Yes, that pointedly means it will conduct digital warfare strikes/operations/attacks in going after any digital-miscreants.

    Now, if KrebsLand could also offer us new Krebbie citizens basic, affordable healthcare along with a solemn promise no quarter will be given to any currently existing nation state, the future suddenly looks very interesting indeed.

  13. any possible forth-coming details on what commercial/vendor point-of-sale systems are compromised as a result of these credit card dumps being discussed?

  14. I reported around 10.000 stolen creditcard numbers to visa and mastercard in 2004 only to find many of them still active 3 years later! The CC companies did not seem to give a poop then and I doubt they changed their attire today. The cost of loss is calculated into the fees each CC user pays. I even found 1 victim who had blocked his card and it was still active and according to him he was not charged anymore but it was still being used by cybercriminals. My trust in the CC business dropped below zero after this…

  15. You are aware you’re not the only person in the world named Brian Krebs, correct?

  16. I never believe it works I just got 27,000$ from darkwebprogrammer@gmail.com

  17. I have no credit card and i didnt give any credit card request for my account, but past 8 months are i received credit card due messages from bank end.

    Pls anybody give me suggestion how to solve this issue.

    • First off, I’m really sorry to hear that. That’s terrible to have to deal with that. Have you contacted your bank? Banks typically have procedures on how to deal with Identity Theft. I would first contact them and report fraud in your name. Also, if it’s in your name (even though you didn’t open it up yourself), they should be able to freeze that account for you so no further transactions can be made against you. I would do this sooner rather than later because I honestly don’t know how it works with your credit report. If someone else is running around making purchases in your name, I’d assume that would affect your credit rating – though I am not 100%.

  18. I saw a comment about kloviaclinks(.)com on the web and I decided to give it a trial. Just few minutes ago, they granted my application and added $70,000 to my PayPal. I am super amazed that it works for me.