November 30, 2023
Carding has always been seen as a gateway to the more involved and nuanced types of cybercrime. Traditionally, it required only low-level technical knowledge and the funds to purchase material from the vast number of carding shops and marketplaces available on the dark web. For years, it’s been a recommended starting point for beginner threat actors.
But recent cyber criminal chatter indicates all is not well in the carding world. A combination of factors—law-enforcement action, increased defenses, the list goes on—has many threat actors predicting the death of carding entirely.
In this blog, we’ll look at three of the most commonly discussed problems with the current carding landscape: increased prices, decreased validity, and more unusual alternatives. We’ll also take a look at two case studies of recently launched carding shops and analyze the effect they have on the carding ecosystem, to ponder:
“Carding” is a term that we in the cybersecurity community use frequently, but let’s go back to the basics and define the concept so that we’re all on the same page. Carding is a type of scam that begins with cyber criminals obtaining payment-card details in various ways. They might gain access to an online retailer’s payment card processing system and intercept the log traffic containing the card details, and maybe even additional personal details, like usernames, passwords, and social security numbers.
Alternatively, they could install spyware on a victim’s computer to capture the payment-card details as they’re entered. Or it might be the old-fashioned method—using a physical ATM skimmer equipped with a recording device to gather information when a victim inserts their card into a payment machine or swipes it.
Once a threat actor has stolen card details, they might buy physical products they can later sell on the black market. A second option is purchasing cryptocurrency or prepaid gift cards, which help crooks stay anonymous because they remove the requirement to submit any personal information that could reveal the criminal’s real-life identity. Third, threat actors could sell the card information on cyber criminal platforms in a whole host of ways. There are generalized forums with carding sections, dedicated carding forums, catch-all marketplaces, and specialized carding AVCs.
This carefully developed system of methods for obtaining and trading card details was shaken up earlier this year by a shocking law-enforcement operation. In early 2022, representatives of the long-standing carding platform UniCC announced on several cyber criminal forums the retirement of the site’s operators. The statements thanked UniCC’s “loyal partners, clients and colleagues” and warned against creating “conspiracy theories” about the site’s closure. UniCC customers would have ten days to spend any funds deposited on the site, and vendors would be “paid up to the last cent.”
A few days later, a message appeared on UniCC’s domains, declaring that the Russian Internal Affairs Ministry had shut down the site as part of a “special law enforcement operation.” Cyber criminal forum users highlighted that the source code for the seizure notice featured an ominous hidden question: “Which of you is next?”
News also broke that, in cooperation with US law-enforcement officials, the FSB had detained four alleged members of hacking group “The Infraud Organization”. They included the group’s organizer, Andrey Novak, who was also the UniCC administrator. A few days later, more arrests by the Russian Internal Affairs Ministry made headlines: six more people, under the same charges—linked to selling stolen credit-card information—that had been leveled at the previous four.
Almost simultaneously, the domains of several carding platforms displayed the same seizure notice seen on UniCC’s URLs, announcing that the Russian Internal Affairs Ministry had shut down the site as part of a “special law enforcement operation.” Affected platforms included long-time mainstays on the carding scene, such as Trump’s Dumps, Ferum, and Sky-Fraud, plus the remote desktop protocol (RDP) shop UAS.
The shutdowns sent a ripple of panic throughout the cyber criminal community. Without some of the most reliable shops, threat actors were left with limited options for payment card purchases. The crackdown also made carders wonder whether the potential punishments for their illicit activity outweighed the profits.
Immediately after these law-enforcement seizures, users took to cyber criminal forums to share their worries about the takedowns. We’ve been tracking the carding-related chatter throughout 2022 and have seen worry morph into frustration, and then into predictions that carding is on its way out.
Shortly after the shutdowns, we began to notice users advising “beginners” to avoid carding. Newbies seeking help to start out in the game suddenly began to receive thread responses telling them to choose another type of malicious activity. The reason given? Prices to obtain stolen payment-card details are too high. In a classic case of market supply-and-demand, it seems that having fewer carding platforms is making payment cards more expensive.
Until now, carding was seen as a way for novice crooks to begin their criminal careers because of the low startup capital required. It’s always been fairly cheap to buy a few valid payment card details, monetize them, and make a small profit from these low-effort endeavors. This makes sense—those just starting out in the business haven’t earned the illicit funds they’ll need to invest in more expensive material that can make them even more money in the future. If it’s too expensive to start out, this is a huge, and often insurmountable, barrier to entry.
Cyber criminal forum user complaining about difficulties for beginner carders
Another opinion was that the funds that carders must invest don’t justify the typically small profits. We observed one threat actor suggest that carding, in its current form, has outlived its usefulness. They said few cyber criminals can make real money from this type of malicious activity; a few years ago, forum articles regularly spoke of beginner carders earning $3,000–5,000. Today, making just $1,000 is proving difficult.
Another user said it’s “scary” to imagine what the future of carding will look like. They predicted that if the issues aren’t resolved, carding won’t be at all profitable within “a few years.”
Threads complaining about carding notwithstanding, the carding-related content on cyber criminal platforms is dwindling—even on carding-focused platforms. Are we seeing a defense mechanism triggered by cyber criminals? Experienced carders won’t benefit from sharing advice, as they used to do, and it would only increase the competition in an already-difficult market.
Forum users are also arguing that of the payment cards they earmark for carding, fewer and fewer are valid. We found a fascinating forum thread in which one threat actor delved deep into the potential reasons. They claimed that “sniffers” (see the next section) might be misidentifying other types of data as carding data. They also suggested that vendors are adding invalid data to increase the size of their database.
That user described the current carding situation as a “hunger strike”. They complained about carding shops selling duplicated credit cards with a low validity rate, giving multiple threat actors access to the same card information. And they found that only 500 out of the 426,684 stolen credit cards they had purchased were valid—a staggeringly low rate by any account.
We’ve seen users expressing a willingness to pay more for a quality carding shop that would provide data they can trust. But there’s little evidence that any of the carding shops on the market are reliably fulfilling this role.
Cyber criminal forum user complaining about the status of carding
Carding shops, or the vendors selling on these platforms, often get their material from “sniffers” and “skimmers.” A sniffer is a malicious script a threat actor injects onto retailers’ websites. The script steals customers’ personal and payment details, including credit-card data. A skimmer usually refers to a small, physical device that allows criminals to obtain information from a card’s magnetic stripe when it’s inserted into or swiped on a payment machine.
Some carders are claiming that the lack of valid material available through carding shops has forced them to start cutting out the middleman (i.e. the carding shop). They’re instead buying their material directly from the threat actors who operate the skimmers and sniffers. Is it working? Well, allegedly it’s reduced the likelihood of payment-card duplication and increased the chances of a good validity rate. After all, it’s in the seller’s own interest to provide the best service for their “partner.”
Some users also said working privately was “two times cheaper” than buying from shops. On the other hand, you could argue that working directly with another cyber criminal―with zero recourse through an arbitration process or protection from an established shop―only opens you up to the chance of being scammed.
Cyber criminal forum user advertising a sniffer service
This need to learn how to operate/build sniffers or build relationships with sniffer/skimmer operators has lessened the appeal of carding. It’s no longer seen as an easy, low-effort type of cyber crime. Obtaining card details with sniffing or skimming tools is no simple matter—to go down this route, a cyber criminal has to find a way of installing their scraping tool on the target, whether it’s digitally or physically.
Plenty of advertisements on cyber criminal forums offer services that install sniffer malware on target systems. This only adds another step to the carding chain, and another stage of the process that enables third parties to cream off a profit for themselves. One forum user lamented, “Give me back my 2002.” In those days, carding was a much simpler matter.
Let’s take a look at two new carding shops that have been promoted on high-profile Russian-language cyber criminal forums in recent weeks. What can they tell us about the carding ecosystem crisis?
We first observed cyber criminal forum advertisements for the English-language carding shop BatMarket back in August 2022. The site’s representative promoted BatMarket’s “very high” card-validity levels, its “favorable” prices, and the “great diversity” within the store’s database. The representative initially stressed that vendors don’t need to make a deposit to sell on the site; later, they changed the rule and stipulated that sellers must deposit $50 into the system.
Carding forum advertisement for BatMarket
A forum user offered to test the shop and later reported back that the site was a “waste of time” and the “worst shop.” They clarified: Although the shop claims validity levels of 50 to 60%, they had checked 50 credit cards and found only 1 valid card. Another forum member thanked the user for “saving [my] time.” They opined that carding shops are “spawning like mushrooms nowadays” but that “the suppliers are still the same.”
The scathing criticism continued with another user: “This is another no-name, [with] no reviews, no name, no background on who they are and where they’re from, [and] no deposit, [who] immediately asks for another $50 for registration. Taking into account the current situation in the carding market, people are prepared to buy anything and anywhere out of desperation, in the hope of finding something suitable.”
Let’s compare this with another site that we first noticed around the same time. Threat actors left very mixed feedback about Bankomat, a shop that made similar claims about high validity levels and ease of use. One cyber criminal forum user claimed that they had used the shop for around a year and that it was the “best” carding market they had found. However, the review may have originated from a fake account set up by the site’s representative to drum up trade, which is not an uncommon occurrence on cyber criminal platforms!
A different user left a negative response about Bankomat, reporting that only 4 of the 34 cards they had tested were valid. They also claimed that the site was selling the same data that it had advertised mere months ago. Their frustration was clear when they commented (in Russian): “I hope, your scam project goes down.”
Carders’ desperate search for new carding shops gives other threat actors an opening to scam them by creating fake carding shops. But the Bankomat forum representative seems undeterred; they’ve continued to promote the shop since receiving the negative feedback.
A cyber criminal forum user leaving a negative review for the Bankomat carding shop
There’s no doubt that the carding ecosystem has become more complicated and less appealing for cyber criminals. A once-simple endeavor is now a multistage operation with many barriers to entry and many points of potential failure. Law-enforcement operations targeting carders have also upped the risk factor. And the decrease in validity rates has thrown profitability into question. Even so, we don’t consider the “death of carding”—which so many threat actors fear—imminent.
New carding shops pop up frequently, so the demand for carding is still there. And at least some threat actors still believe that they can squeeze money from this type of cyber crime. One forum member claimed, “People are prepared to buy anything and anywhere, in the hope of finding something suitable.” Will desperation still fuel sales?
If nothing else, cyber criminals’ increasing reliance on coding and operating their own skimmers indicates creativity: They’re finding new ways to adapt and continue carding into 2023 and beyond. Financial services organizations, and individual consumers, should keep on top of the continued threat of carding. This is especially critical as carders’ tactics and techniques continue to evolve.