26 Mar 20

Russians Shut Down Huge Card Fraud Ring

Federal investigators in Russia have charged at least 25 people accused of operating a sprawling international credit card theft ring. Cybersecurity experts say those charged include a major carding kingpin thought to be tied to dozens of carding shops and to some of the bigger data breaches at Western retailers over the past decade.

In a statement released this week, the Russian Federal Security Service (FSB) said 25 individuals were charged with circulating illegal means of payment in connection with some 90 websites that sold stolen credit card data.

A still image from a video of the raids released by the Russian FSB this week shows stacks of hundred dollar bills and cash counting machines seized at a residence of one of the accused.

The FSB has not released a list of those apprehended, but the agency’s statement came several days after details of the raids were first leaked on the LiveJournal blog of cybersecurity blogger Andrey Sporov. The post claimed that among those apprehended was the infamous cybercriminal Alexey Stroganov, who goes by the hacker names “Flint” and “Flint24.”

According to cyber intelligence firm Intel 471, Stroganov has been a long-standing member of major underground forums since at least 2001. In 2006, Stroganov and an associate, Gerasim Selivanon (a.k.a. “Gabrik”), were sentenced to six years of confinement in Russia, but were set free just two years into their sentence. Intel 471 says Selivanon also was charged along with Stroganov in this past week’s law enforcement action.

“Our continuous monitoring of underground activity revealed despite the conviction, Flint24 never left the cybercrime scene,” reads an analysis penned by Intel 471.

“You can draw your own conclusions [about why he was released early],” Sporaw wrote, suggesting that perhaps the accused bribed someone to get out of jail before his sentence was up.

Flint is among the biggest players in the crowded underground market for stolen credit card data, according to a U.S. law enforcement source who asked to remain anonymous because he was not authorized to speak to the media. The source described Flint’s role as that of a wholesaler of credit card data stolen in some of the biggest breaches at major Western retailers.

“He moved hundreds of millions of dollars through BTC-e,” the source said, referring to a cryptocurrency exchange that was seized by U.S. authorities in 2017. “Flint had a piece of almost every major hack because in many cases it was his guys doing it. Whether or not his marketplaces sold it, his crew had a role in a lot of the big breaches over the last ten years.”

Intel 471’s analysis seemed to support that conclusion, noting that Flint worked closely with other major carding shops that were not his, and that he associated with a number of cybercrooks who regularly bought stolen credit cards in batches of 100,000 pieces at once.

Top denizens of several cybercrime forums who’ve been tracking the raids posited that Stroganov and others were busted because they had a habit of violating the golden rule for criminal hackers residing in Russia or in a former Soviet country: Don’t target your own country’s people and/or banks.

A longtime moderator of perhaps the cybercrime underground’s most venerated Russian hacking forum posted a list of more than 40 carding sites thought to be tied to the group’s operations that are no longer online. Among them is MrWhite[.]biz, a carding site whose slick video ads were profiled in a KrebsOnSecurity post last year.

A snippet from a promotional video from the carding/dumps shop MrWhite.

KNOW YOUR FRAUDSTER

Nearly all of the carding sites allegedly tied to this law enforcement action — including those with such catchy names as BingoDumps, DumpsKindgom, GoldenDumps, HoneyMoney and HustleBank — were united by a common innovation designed to win loyalty among cybercriminals who buy stolen cards or “dumps” in bulk: Namely, a system that allowed buyers to get instant refunds on “bad” stolen cards without having to first prove that the cards were canceled by the issuing bank before they could be used for fraud.

Most carding sites will offer customers a form of buyer’s insurance known as a “checker,” which is an automated, à la carte service customers can use after purchasing cards to validate whether the cards they just bought are still active.

These checking services are tied to “moneyback” guarantees that will automatically refund the purchase price for any cards found to be invalid shortly after the cards are bought (usually a window of a few minutes up to a few hours), provided the buyer agrees to pay an added fee of a few cents per card to use the shop’s own checking service.

But many cybercrooks have long suspected that some checkers at the more popular carding sites routinely give inaccurate results that favor the card shop (i.e., intentionally flagging some percentage of inactive cards as valid). So, the innovation that Flint’s gang came up with was a policy called “Trust Your Client” or “TYC,” which appears to be a sly dig at the banking industry’s “know your customer” or KYC rules meant to help fight fraud and money laundering.

With TYC, if a customer claimed a card they bought was declined for fraudulent transaction attempts made within six hours of purchase, the carding shop would refund the price of that card — no questions asked. However, it seems likely these shops that observed TYC ran their own checkers on the back-end to protect themselves against dishonest customers.

An ad for the “Trust Your Client” or TYC policy observed by virtually all of the carding shops taken down in this past week’s Russian law enforcement operation.

Want to learn more about how carding shops work and all the lingo that comes with them? Check out my behind-the-scenes profile of one major fraud store — Peek Inside a Professional Carding Shop.


24 comments

  1. Yes please. Keep on using that checker.

  2. Must have stepped into the territory controlled by putin and his oligarch friends.

    • That is what I was going to say! 🙂

    • That’s amazing. As stupid as it is to be arrested in Kennedy Airport (Firsov), it’s more obviously stupid to prey on Russians or annoy Putin & Co (LLC). Only time will tell if it’s more dangerous.

    • Lol me too. They all seem to operate from the USSR and generally with impunity. I always wondered if they actually involved the government, or at a minimum paid some sort of informal tax.

      • Bribery is the name of the game. You run a racket, the cops come knocking, you pay them off, their supervisors come knocking, you pay them off, the prosecutors come knocking, you pay them off, and on and on and on it goes with politicians and law enforcement and organized crime all getting their share. Arrest usually is a shakedown for additional funds from whatever group is arresting you. Used to be the golden rule was to never target your fellow citizens but in the past few years it sounds like if the bribes are big enough to big enough people that even that’s okay.

        Sad thing is I get the impression from some of my Russian friends that their countrymen think this is how it works everywhere. That their relatives (my friends) who left Russia are simply indoctrinated and/or lying to them.

        When all you’ve ever lived in is a fishbowl, it can make you think the entire world is that fishbowl.

        • +1 for “When all you’ve ever lived in is a fishbowl, it can make you think the entire world is that fishbowl.”
          Going to have to remember that one, thank you.

  3. The Sunshine State

    I think the scammers in India use the same type of credit card checking system .

  4. This is an interesting topic. A website I own and manage, which accepts payments for digital goods, recently got targeted by a ‘checker’ due to our naive implementation of stripe.com’s payments API allowing payment attempts to be ‘replayed’ with different card details.

    The vast majority of the approximately 40,000 cards that got run through our merchant account were never actually tested against the issuing banks, because Stripe’s own fraud detection AI kicked in and blocked them. And, fortunately, I’m in the habit of checking all my online service dashboards daily, so I noticed the activity within 24 hours of it starting and was able to start work on mitigation immediately.

    I reached out to an email address used by the ‘checker’ transactions and started a conversation with the guy running it, who helped me test our site by re-running card check batches until we’d finished refining our logic around the Stripe API to successfully block the activity. He was in the Philippines (and he had terrible opsec – as a result of the conversation, I have his home internet connection’s IP address and his mobile number!) and I did not get the impression he actually developed the checker himself.

    The checker seemed like a sophisticated bit of software, with transaction attempts coming at our website at a rate of dozens per second from a couple hundred different IPs around the world (most of which had Russian owner info, but geolocated to the US and EU) and, for instance, immediately switching to a mode where each successive transaction would come from a new IP, rather than in blocks from one IP at a time, as soon as we introduced rate-limiting logic on IPs and payments.

    Last but not least, Stripe themselves paid all the transaction fees for the fraudulent payments that did successfully get through (which of course I immediately refunded). GG Stripe.

  5. Everyone should use email alerts for all credit cards. Even as low as a one dollar purchase. This way you get to dispute false charges immediately. I set up an audible alert on a separate email account for this purpose.

    • The issuing bank for my main credit card (Bank of America) has in its app near real time notifications for credit card activity in selectable categories, including online/card not present.

      I just caught a bogus charge last week with that feature.

  6. Quite frankly, I’m surprised ANY Russian carder or otherwise network cracker gets any jail time in Russia; but two years is about what the average US criminal gets on charges like that as well, don’t they? I’m sure the FSB probably loves trading off jail time for government spy craft, anytime they can do it. I hope the culprits in this ring rot in jail, though – they deserve it.

  7. Sounds to me like the FSB’s recruitment program in action. They need more people to grow that massive botnet to use against the US and others.

  8. Send them to Siberia without an overcoat!

  9. Avoiding leaving information on illegal websites is a good choice

  10. My bank account was hacked on the 5th May last year. I had the well-known (in the UK) TV licence fraud email so I didn’t click on their link. My bank confirmed that I didn’t do that but they still have no idea how the hacker by-passed their two stage security wall. (Or perhaps they’re just not telling me.)

    My details were obviously sold on the dark web because (1) I get one fraud phone call every week (easy to deal with, using my call blocker) and 2 or 3 fraud emails a week. Again easy to spot but the outlook.com email blocker isn’t working – Microsoft’s team is still trying to resolve that.
    What concerns me is that Microsoft told me that there was no need for me to change my email address. Were they right?

    • Francis Ford Crapola

      “My details were obviously sold on the dark web because (1) I get one fraud phone call every week (easy to deal with, using my call blocker) and 2 or 3 fraud emails a week.”

      This is not evidence of your actual “details” being sold, really at all.
      This is evidence that your email and phone number are spammable.
      They are probably unrelated.

      “What concerns me is that Microsoft told me that there was no need for me to changes my email address. Were they right?”

      Yes. But do what you want.

  11. So many years writing about Russian hackers and still… Silivanon in 2 places.

  12. I am so tired of governments reacting 10 years late to every incident and problem. Even Russia needs to have some tougher enforcement methods. What happened to a good action scene with Carmina Burana playing soundtrack? Putin’s Chef could serve pork chops and livestream the activity.

  13. Brian;

    I’ve been working recently with a vendor to produce some synthetic data for us to use in testing and training environments. It got me to thinking…

    Like any other business, these fraudsters rely on a certain percentage of good transactions to make their operations work. What if we seed synthetic card and cardholder data into their operation, either directly or with honeypots set up with deliberately weak security?

    Watering down their profits ought to drive them out of business, no?

    • It’s a nice idea in theory, but in practice it would be hard. These guys are either stealing the cards themselves or they get them from trusted vendors who steal them. They’re not going to allow just anyone to feed them cards.

  14. Back in the days when I was young…
    The real carding forums like Omerta…
    The good CVV shops like… Ccstore.ru, CVV with DOB

    And the best payment processor, Liberty Reserve.
    Ouu… what nice days. Good memories.
