Payment Declined: Carding Cyber Criminals Fear for Their Future

Payment Declined: Carding Cybercriminals Fear for Their Future

Carding has always been seen as a gateway to the more involved and nuanced types of cybercrime. Traditionally, it required only low-level technical knowledge and the funds to purchase material from the vast number of carding shops and marketplaces available on the dark web. For years, it’s been a recommended starting point for beginner threat actors.

But recent cyber criminal chatter indicates all is not well in the carding world. A combination of factors—law-enforcement action, increased defenses, the list goes on—has many threat actors predicting the death of carding entirely.

In this blog, we’ll look at three of the most commonly discussed problems with the current carding landscape: increased prices, decreased validity, and more unusual alternatives. We’ll also take a look at two case studies of recently launched carding shops and analyze the effect they have on the carding ecosystem, to ponder:

  • What do these conversations tell us about the future of carding?
  • Does it continue to pose a threat to consumers and financial institutions alike?

What Is Carding?

“Carding” is a term that we in the cybersecurity community use frequently, but let’s go back to the basics and define the concept so that we’re all on the same page. Carding is a type of scam that begins with cyber criminals obtaining payment-card details in various ways. They might gain access to an online retailer’s payment card processing system and intercept the log traffic containing the card details, and maybe even additional personal details, like usernames, passwords, and social security numbers.

Alternatively, they could install spyware on a victim’s computer to capture the payment-card details as they’re entered. Or it might be the old-fashioned method—using a physical ATM skimmer equipped with a recording device to gather information when a victim inserts their card into a payment machine or swipes it.

Once a threat actor has stolen card details, they might buy physical products they can later sell on the black market. A second option is purchasing cryptocurrency or prepaid gift cards, which help crooks stay anonymous: It removes the requirement to submit any personal information that could reveal the criminal’s real-life identity. Third, threat actors could sell the card information on cyber criminal platforms in a whole host of ways. There are generalized forums with carding sections, dedicated carding forums, catch-all marketplaces, and specialized carding AVCs.

House of Cards: The Fragile Carding Ecosystem

This carefully developed system of methods for obtaining and trading card details was shaken up earlier this year by a shocking law-enforcement operation. In early 2022, representatives of the long-standing carding platform UniCC announced on several cyber criminal forums the retirement of the site’s operators. The statements thanked UniCC’s “loyal partners, clients and colleagues” and warned against creating “conspiracy theories” about the site’s closure. UniCC customers would have ten days to spend any funds deposited on the site, and vendors would be “paid up to the last cent.”

A few days later, a message appeared on UniCC’s domains, declaring that the Russian Internal Affairs Ministry had shut down the site as part of a “special law enforcement operation.” Cyber criminal forum users highlighted that the source code for the seizure notice featured an ominous hidden question: “Which of you is next?”

News also broke that, in cooperation with US law-enforcement officials, the FSB had detained four alleged members of hacking group “The Infraud Organization”. They included the group’s organizer, Andrey Novak, who was also the UniCC administrator. A few days later, more arrests by the Russian Internal Affairs Ministry made headlines: six more people, under the same charges—linked to selling stolen credit-card information—that had been leveled at the previous four.

Almost simultaneously, the domains of several carding platforms displayed the same seizure notice seen on UniCC’s URLs, announcing that the Russian Internal Affairs Ministry had shut down the site as part of a “special law enforcement operation.” Affected platforms included long-time mainstays on the carding scene, such as Trump’s Dumps, Ferum, and Sky-Fraud, plus the remote desktop protocol (RDP) shop UAS.

The shutdowns sent a ripple of panic throughout the cyber criminal community. Without some of the most reliable shops, threat actors were left with limited options for payment card purchases. The crackdown also made carders wonder whether the potential punishments for their illicit activity outweighed the profits.

Immediately after these law-enforcement seizures, users took to cyber criminal forums to share their worries about the takedowns. We’ve been tracking the carding-related chatter throughout 2022 and have seen worry morph into frustration, and then into predictions that carding is on its way out.

Cyber Criminal Complaint 1: Increase in Carding Costs

Shortly after the shutdowns, we began to notice users advising “beginners” to avoid carding. Newbies seeking help to start out in the game suddenly began to receive thread responses to choose another type of malicious activity. The reason given? Prices to obtain stolen payment-card details are too high. In a classic case of market supply-and-demand, it seems that fewer carding platforms is making payment cards more expensive.

Until now, carding was seen as a way for novice crooks to begin their criminal careers because of the low startup capital required. It’s always been fairly cheap to buy a few valid payment card details, monetize them, and make a small profit from these low-effort endeavors. This makes sense—those just starting out in the business haven’t earned the illicit funds they’ll need to invest in more expensive material that can make them even more money in the future. If it’s too expensive to start out, this is a huge, and often insurmountable, barrier to entry.

Cybercriminal forum user complaining about difficulties for beginner carders

Cyber criminal forum user complaining about difficulties for beginner carders

 

Another opinion was that the funds that carders must invest don’t justify the typically small profits. We observed one threat actor suggest that carding, in its current form, has outlived its usefulness. They said few cyber criminals can make real money from this type of malicious activity; a few years ago, forum articles regularly spoke of beginner carders earning $3,000–5,000. Today, making just $1,000 is proving difficult.

Another user said it’s “scary” to imagine what the future of carding will look like. They predicted that if the issues aren’t resolved, carding won’t be at all profitable within “a few years.”

Threads complaining about carding notwithstanding, the carding-related content on cyber criminal platforms is dwindling—even on carding-focused platforms. Are we seeing a defense mechanism triggered by cyber criminals? Experienced carders won’t benefit from sharing advice, as they used to do, and it would only increase the competition in an already-difficult market.

Cyber Criminal Complaint 2: Decrease in Cards’ Validity

Forum users are also arguing that of the payment cards they earmark for carding, fewer and fewer are valid. We found a fascinating forum thread in which one threat actor delved deep into the potential reasons. They claimed that “sniffers” (see the next section) might be misidentifying other types of data as carding data. They also suggested that vendors are adding invalid data to increase the size of their database.

That user described the current carding situation as a “hunger strike”. They complained about carding shops selling duplicated credit cards with a low validity rate, giving multiple threat actors access to the same card information. And they found that only 500 out of the 426,684 stolen credit cards they had purchased were valid—a staggeringly low rate by any account.

We’ve seen users expressing a willingness to pay more for a quality carding shop that would provide data they can trust. But there’s little evidence that any of the carding shops on the market are reliably fulfilling this role.

Cybercriminal forum user complaining about the status of carding

Cyber criminal forum user complaining about the status of carding

 

Cyber Criminal Complaint 3: Carding Is Complicated

Carding shops, or the vendors selling on these platforms, often get their material from “sniffers” and “skimmers.” A sniffer is a malicious script a threat actor injects onto retailers’ websites. The script steals customers’ personal and payment details, including credit-card data. A skimmer usually refers to a small, physical device that allows criminals to obtain information from a card’s magnetic stripe when it’s inserted into or swiped on a payment machine.

Some carders are claiming that the lack of valid material available through carding shops has forced them to start cutting out the middleman (i.e. the carding shop). They’re instead buying their material directly from the threat actors who operate the skimmers and sniffers. Is it working? Well, allegedly it’s reduced the likelihood of payment-card duplication and increased the chances of a good validity rate. After all, it’s in the seller’s own interest to provide the best service for their “partner.”

Some users also said working privately was “two times cheaper” than buying from shops. On the other hand, you could argue that working directly with another cyber criminal―with zero recourse through an arbitration process or protection from an established shop―only opens you up to the chance of being scammed.

Cybercriminal forum user advertising a sniffer service

Cyber criminal forum user advertising a sniffer service

 

This need to learn how to operate/build sniffers or build relationships with sniffer/skimmer operators has lessened the appeal of carding. It’s no longer seen as an easy, low-effort type of cyber crime. Obtaining card details with sniffing or skimming tools is no simple matter—to go down this route, a cyber criminal has to find a way of installing their scraping tool on the target, whether it’s digitally or physically.

Plenty of advertisements on cyber criminal forums offer services that install sniffer malware on target systems. This only adds another step to the carding chain, and another stage of the process that enables third parties to cream off a profit for themselves. One forum user lamented, “Give me back my 2002.” In those days, carding was a much simpler matter.

Carding Shop Case Studies: Bankomat and BatMarket

Let’s take a look at two new carding shops that have been promoted on high-profile Russian-language cyber criminal forums in recent weeks. What can they tell us about the carding ecosystem crisis?

We first observed cyber criminal forum advertisements for the English-language carding shop BatMarket back in August 2022. The site’s representative promoted BatMarket’s “very high” card-validity levels, its “favorable” prices, and the “great diversity” within the store’s database. The representative initially stressed that vendors don’t need to make a deposit to sell on the site; later, they changed the rule and stipulated that sellers must deposit $50 into the system.

Cybercriminal forum advertisement for BatMarket

Carding forum advertisement for BatMarket

 

A forum user offered to test the shop and later reported back that the site was a “waste of time” and the “worst shop.” They clarified: Although the shop claims validity levels of 50 to 60%, they had checked 50 credit cards and found only 1 valid card. Another forum member thanked the user for “saving [my] time.” They opined that carding shops are “spawning like mushrooms nowadays” but that “the suppliers are still the same.”

The scathing criticism continued with another user: “This is another no-name, [with] no reviews, no name, no background on who they are and where they’re from, [and] no deposit, [who] immediately asks for another $50 for registration. Taking into account the current situation in the carding market, people are prepared to buy anything and anywhere out of desperation, in the hope of finding something suitable.”

Let’s compare this with another site that we first noticed around the same time. Threat actors left very mixed feedback about Bankomat, a shop that made similar claims about high validity levels and ease of use. One cyber criminal forum user claimed that they had used the shop for around a year and that it was the “best” carding market they had found. Although the review may have originated from a fake account set up by the site’s representative to drum up trade—not an uncommon occurrence on cyber criminal platforms!

A different user left a negative response about Bankomat, reporting that only 4 of the 34 cards they had tested were valid. They also claimed that the site was selling the same data that it had advertised mere months ago. Their frustration was clear when they commented (in Russian): “I hope, your scam project goes down.”

Carders desperately seeking new carding shops open a new gateway that other threat actors can use to scam by creating fake carding shops. But the Bankomat forum representative seems undeterred; they’ve continued to promote the shop since receiving the negative feedback.

A cybercriminal forum user leaving a negative review for the Bankomat carding shop

A cyber criminal forum user leaving a negative review for the Bankomat carding shop

Is the demise of carding inevitable?

There’s no doubt that the carding ecosystem has become more complicated and less appealing for cyber criminals. A once-simple endeavor is now a multistage operation with many barriers to entry and many points of potential failure. Law-enforcement operations targeting carders have also upped the risk factor. And the decrease in validity rates has thrown profitability into question. Even so, we don’t consider the “death of carding”—which so many threat actors fear—imminent.

New carding shops pop up frequently, so the demand for carding is still there. And at least some threat actors still believe that they can squeeze money from this type of cyber crime. One forum member claimed, “People are prepared to buy anything and anywhere, in the hope of finding something suitable.” Will desperation still fuel sales?

If nothing else, cyber criminals’ increasing reliance on coding and operating their own skimmers indicates creativity: They’re finding new ways to adapt and continue carding into 2023 and beyond. Financial services organizations, and individual consumers, should keep on top of the continued threat of carding. This is especially critical as carders’ tactics and techniques continue to evolve.