Card “Verification” Now Offered “As a Service” by Brazilian Cybercriminals

We highlighted in our Brazil underground report how rampant credit card fraud is in Latin America. One key step in this process is card verification – i.e., checking that the cards work. We’ve found a new service called CheckerCC that was meant to help make this easier. This is the first time that this capability has been offered “as a service” in Brazil, with access sold for a monthly R$100 fee (approximately US$25). The person behind this service is believed to be a teenager from São Paulo, Brazil.

What exactly is card verification? This checks if stolen/newly generated credit card numbers work by attempting to charge small amounts. An attacker would upload the credentials on CheckerCC and the service would automatically check which numbers work. Traditionally, crooks in the Brazilian underground would use a program on their computer to do this.

Figure 1. CheckerCC login screen

CheckerCC has an updated database of cards that work and don’t work, minimizing the number of transactions that actually have to be run on the cards. This reduces the chances of detection. Thus, CheckerCC is better than to program-based credit card checkers.

How was this service sold? An ad was posted on an underground forum by its creator, who went by the name Fama. (Fama, in Portuguese, means famous.) To demonstrate the service’s capabilities, the service was (briefly) available for free. The advertisement is below, and one can immediately note two things: Fama was quite well-known on this forum, with badges and medals to indicate his status on the forum. In addition, the post itself has acquired a significant number of “likes” (more than 600) from other forum users.

Figure 2. Advertisement for CheckerCC (click to enlarge)

What do we know of Fama himself? He doesn’t seem to be particularly careful about hiding his online presence. For example, his Skype profile mentions his real first name (which we’ve blacked out):

Figure 3. Fama’s Skype profile

From this and other sites, we’re able to tell that he’s 17-18 years old and lives in São Paulo. Despite his young age, he has also been responsible for other malicious activity: for example, he registered the domain blackfrindaymarketing[.]com[.]br which was used to phish members of an airline’s frequent flyer program. This isn’t the only cybercrime domain he’s registered either: he has registered around ten domains, most of them fairly recently. At this stage in his “career” he is enthusiastic, but inexperienced – like most beginners.

We will continue to keep an eye on services like these that may show up in various underground communities as part of our research. In the meantime, we advise users to keep an eye on their credit card transactions: fraudulent transactions in small amounts may indicate that someone is trying to verify your account in this manner.