The Russian Underground—Revamped

When big breaches happen and hundreds of millions of credit card numbers and SSNs get stolen, they resurface in other places. The underground now offers a vast landscape of shops, where criminals can buy credit cards and other things at irresistible prices.

Million dollar breaches

Media coverage of significant breaches is increasingly becoming an everyday occurrence. 2014 became the “year of the POS breach” for retailers like Neiman Marcus, Staples, Kmart, and Home Depot. The first part of 2015 has also seen major breaches in the consumer industry (Chick-fil-A, RyanAir) and among health insurers (Anthem, Premera). A simple shopping trip to the grocery store (Albertsons or Supervalu) or to Home Depot can prove fatal: paying with a debit or credit card has its inherent risks. But what happens to the compromised data and personal information?

Buying a stolen credit card

One interesting thing I observed was that right after a significant data breach, the underground experiences an influx of new cards. These stolen credentials surface in places where they are categorized in databases and sold in a very orderly fashion in underground “marketplaces.” Marketplaces are in many ways what forums used to be, a place of trade, but marketplaces now allow for standardized sales of products and services at a set price that can be bought with a few easy clicks, much like online shopping. These places often have a professional-looking, user-friendly graphical interface, where the buyer can easily filter the available cards by very specific criteria such as ZIP code, city, address of the card owner, type of card, etc.

Figure 1. The marketplace GoCVV offers a global map index to show the availability of credit cards in different locations for a better underground shopping experience

During my research excursions through various underground forums, I stumbled across several credit cards that can be linked to big, well-known corporations by looking at the (valid) information offered about the card owner: his (corporate) address, ZIP code, card number, and validity date. What this tells us is that the clever cybercriminal, wanting to operate in a time-efficient manner and maximize his earnings, will make the best use of the new search and filter options offered by marketplaces. He will narrow his search to the big corporations, keep a database of addresses and locations, and regularly filter the best marketplaces for the most recent outpouring of fresh credit card leaks.

Corporate Credit Cards = $$$

How often do you use your corporate credit card to pay for an overnight stay, a flight, or a business lunch? Many corporations allow their employees to use credit cards for business travel, but in the event of a card being stolen, the corporation is affected directly. The benefit these cards offer for criminal purposes is obvious: if a corporate card has a transaction limit of, say, US$2,000, it can be a gold mine for cybercriminals. Because hundreds of transactions are processed, it is difficult for the corporate card owner to detect and trace back any suspicious movement.
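The detection difficulty described above is where a card owner's own monitoring can help. The following is an added example written for this page (not code from the original post or from Trend Micro) that runs two simple rules over a constructed batch of corporate-card transactions: repeated purchases sitting just under the per-transaction limit in a short window, and purchases in two different cities too close together for the cardholder to have travelled. The card ids, cities, merchants, amounts and thresholds are all assumed sample values.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Tx:
    card: str          # hypothetical masked card identifier
    when: datetime
    amount: float
    city: str
    merchant: str


# Constructed sample data (not from the original post): card-A shows the
# pattern of a leaked corporate card being drained, card-B looks normal.
SAMPLE_TXS = [
    Tx("card-A", datetime(2015, 7, 1, 9, 0), 42.50, "Austin", "Coffee"),
    Tx("card-A", datetime(2015, 7, 1, 12, 30), 310.00, "Austin", "Airline"),
    Tx("card-A", datetime(2015, 7, 1, 14, 5), 1950.00, "Miami", "Electronics"),
    Tx("card-A", datetime(2015, 7, 1, 14, 40), 1980.00, "Miami", "Electronics"),
    Tx("card-A", datetime(2015, 7, 1, 15, 10), 1975.00, "Miami", "Jewelry"),
    Tx("card-B", datetime(2015, 7, 1, 10, 0), 88.00, "Denver", "Hotel"),
    Tx("card-B", datetime(2015, 7, 2, 19, 0), 120.00, "Denver", "Restaurant"),
]


def flag_suspicious(txs, per_tx_limit=2000.0, window=timedelta(hours=6),
                    near_limit_ratio=0.9, travel_gap=timedelta(hours=3)):
    """Return {card: [reason, ...]} for cards that trip either rule.

    Thresholds are illustrative assumptions; a real program would tune them
    per card policy. The per-transaction limit mirrors the US$2,000 example
    in the text.
    """
    by_card = defaultdict(list)
    for t in txs:
        by_card[t.card].append(t)

    findings = {}
    for card, items in by_card.items():
        items.sort(key=lambda t: t.when)
        reasons = []

        # Rule 1: two or more near-limit purchases inside the window.
        # Splitting a drain into many just-under-limit charges is what makes
        # a high per-transaction limit attractive to a thief.
        near = [t for t in items if t.amount >= per_tx_limit * near_limit_ratio]
        for i, first in enumerate(near):
            cluster = [u for u in near[i:] if u.when - first.when <= window]
            if len(cluster) >= 2:
                total = sum(u.amount for u in cluster)
                reasons.append(
                    f"{len(cluster)} near-limit purchases within {window}, "
                    f"total ${total:.2f}")
                break

        # Rule 2: consecutive purchases in different cities with a gap too
        # short for the legitimate cardholder to have travelled.
        for prev, cur in zip(items, items[1:]):
            if prev.city != cur.city and cur.when - prev.when <= travel_gap:
                reasons.append(
                    f"{prev.city} -> {cur.city} within {cur.when - prev.when}")
                break

        if reasons:
            findings[card] = reasons
    return findings


if __name__ == "__main__":
    for card, reasons in flag_suspicious(SAMPLE_TXS).items():
        print(card)
        for r in reasons:
            print("  -", r)
```

Run over the sample batch, only card-A is reported: three near-limit electronics and jewelry purchases totalling $5,905.00 within just over an hour, and an Austin-to-Miami jump of 1h35m. Both rules are deliberately cheap so they can run over a daily statement export without any external service.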

Shopping in the Russian Underground

Today we are releasing the third in a series of papers on the Russian Underground, titled Russian Underground 2.0. It discusses the current setup of the Russian cyber underground scene, a mature ecosystem that covers all aspects of cybercriminal business activity. The Russian Underground not only provides products and services for cybercriminals but creates new niches for “employment” in the underground, such as translation or spam-proofing services for criminals. The paper looks into new services becoming available to criminal minds, automated and optimized processes for quick and easy deals, and looming attack avenues we expect to see in the near future.

This is part of the Cybercrime Underground Economy Series, which takes a comprehensive view of various cybercrime markets from around the world.

Read more: The Russian Underground—Revamped

Story added 28 July 2015; the full text is available at the source linked above.