
‘Open and helpful community’ – of credit card thieves

Honeynet shows carders are getting slick


Credit card fraud "power users" with programming skills and no fear are making it easier for newbies to break into white collar crime, according to a report from the Honeynet Research Alliance this week.

The report draws on data gathered earlier this year when a fraudster looking for a random host to put between himself and IRC wound up cracking a research honeypot maintained by students and faculty at Azusa Pacific University, as part of a loosely affiliated gaggle of deliberately hackable hosts and networks organized around the non-profit Honeynet Project.

Researchers secretly monitored the intruder as he joined an IRC channel on DALnet dedicated to obtaining, verifying and swapping credit card numbers, along with matching names, addresses, and everything else a good carder needs to begin ordering goods and services illicitly.

From early April to mid-May they watched the intruder move through a dozen chat rooms with names like "#ccinfo," "#ccpower," and "#virgincc." They also joined some of the channels themselves. They found a surprisingly open and helpful community of credit card thieves, where experienced fraudsters offered advice to newcomers, and stolen credit cards were given away freely to neophytes -- at least, in small amounts.

"They weren't trying to hide this at all, it was just completely out in the open," says Patrick McCarty, an undergraduate at the university, and a co-author of the report. "You'd think they would want to keep a lower profile."

Carding Commands

The researchers were also impressed by the level of automation that a handful of sophisticated carders brought to the scene. Fraud-oriented IRC bots made the channels more than just a communications medium. Carders could type in commands like "!chk" to verify that a credit card number is correct, and "!bank" to identify the bank that issued a particular card.

Daring fraudsters looking to get credit card numbers directly from a vulnerable e-commerce site could avail themselves of the "!cardable" command, which returns URLs for sites known to be vulnerable to attack. For more help, the "!exploit" command yielded URLs that a beginner could cut-and-paste into their browser to carry out known application-level attacks on Web servers. If they weren't up for cracking a host personally, the "!cc" command dispensed a single stolen credit card number from a database.

"Users need master only a series of custom IRC commands to carry out many key activities of credit card / identity theft," the report found.

One command, "!cclimit," even produces the spending limit on a particular card number, according to the report. Where that information comes from is unclear; the report's authors believe some of the bots are interfacing in real time with credit card company databases. "That's what we're particularly interested in," says McCarty. "They seem to have an automated system for doing that."
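From the monitoring side, bot commands like these stand out in captured IRC traffic because they always appear as the first word of a channel message. The sketch below is an added example, not code from the report or the Honeynet Project; it assumes raw IRC protocol lines as recorded on a honeypot, and the sample lines, nicknames and hostnames are constructed.

```python
import re
from collections import Counter

# Bot commands named in the article; any other "!word" is ignored.
CARDING_COMMANDS = {"!chk", "!bank", "!cardable", "!exploit", "!cc", "!cclimit"}

# Raw IRC channel message: ":nick!user@host PRIVMSG <target> :<text>"
PRIVMSG_RE = re.compile(
    r"^:(?P<nick>[^!\s]+)!\S+\s+PRIVMSG\s+(?P<target>\S+)\s+:(?P<text>.*)$"
)

def find_carding_commands(lines):
    """Return (nick, target, command) for each PRIVMSG that invokes a listed command."""
    hits = []
    for line in lines:
        m = PRIVMSG_RE.match(line.rstrip("\r\n"))
        if not m:
            continue  # JOIN, PING, numeric replies and other non-PRIVMSG lines
        words = m.group("text").split()
        if not words:
            continue
        # Only the first word counts: a command merely mentioned mid-sentence is
        # chatter, and exact matching keeps "!cc" distinct from "!cclimit".
        command = words[0].lower()
        if command in CARDING_COMMANDS:
            hits.append((m.group("nick"), m.group("target").lower(), command))
    return hits

def summarize(hits):
    """Count invocations per channel and per command for triage."""
    by_channel = Counter(target for _, target, _ in hits)
    by_command = Counter(command for _, _, command in hits)
    return by_channel, by_command

# Constructed sample capture; arguments are redacted placeholders.
SAMPLE_LINES = [
    ":newbie1!u@host1.example PRIVMSG #ccinfo :!chk <redacted>",
    ":newbie1!u@host1.example PRIVMSG #ccinfo :!cclimit <redacted>",
    ":newbie2!u@host2.example PRIVMSG #ccpower :!CC",
    ":helper!u@host3.example PRIVMSG #ccpower :try typing !chk first",
    ":newbie2!u@host2.example JOIN #virgincc",
    "PING :irc.example",
    ":newbie2!u@host2.example PRIVMSG #virgincc :!cardable",
]

if __name__ == "__main__":
    channels, commands = summarize(find_carding_commands(SAMPLE_LINES))
    print(dict(channels), dict(commands))
```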

The Research Alliance's monitoring also produced logs of corrupt merchants offering to sell large quantities of card numbers for a percentage of the take, though the report concluded that bulk transfers were handled in private chats, or outside of IRC.

The channels named in the report have since been shut down by DALnet, says McCarty. "We've turned a substantial amount of data over to the FBI," he adds.

© SecurityFocus
