Why Fraud Teams Need Visibility into Underground Card Shops
To learn more about how Business Risk Intelligence (BRI) can help fraud teams combat card-shop activity, download our BRI for Fraud Teams overview.
Underground card shops play a crucial role in the fraud ecosystem. They provide threat actors with a platform to buy and sell stolen card data, which is often sourced directly from breaches or malware-infected point-of-sale (POS) terminals, as well as from skimming devices attached to POS terminals and ATMs. Card shops epitomize the notion of a centralized cybercrime economy, enabling even fledgling fraudsters to withdraw cash from accounts or to make carded purchases without having to steal payment card data themselves. As such, these shops lower the barriers to entry for committing fraud.
Despite law-enforcement and private-sector efforts to curb underground card-shop activity, such shops remain the primary means by which cybercriminals seek and obtain stolen payment card data. Visibility into card shops is therefore essential to efforts to combat fraud. But given most card shops’ covert nature, fraud teams face several challenges, outlined below.
To track colluding fraudsters at scale, identify and halt schemes as they develop, and monitor for leaked data, fraud teams need visibility into underground card shops. Gaining access to these shops, however, can be technically challenging: certain card shops are invite-only or password-protected and thus difficult to enter without extensive experience navigating cybercrime communities. Further complicating matters, retrieving compromised data from card shops in some cases requires purchasing it from the vendors who sell it. Beyond the practical difficulty of procuring the cryptocurrency in which payment must be made, such purchases carry operational and security risk, because they usually require engaging directly with shop vendors.
Deriving Meaningful Insight
The most common types of data found on underground card shops are dumps—data skimmed from a card’s magnetic stripe—and card numbers with associated data, such as personally identifiable cardholder information and bank identification numbers (BINs). The BIN (the leading digits of the card number; historically six, eight since 2022) identifies the issuing bank and card product, which lets threat actors infer what fraud controls a compromised card is likely to have and select cards from poorly protected issuers for carded purchases. However, because the sheer volume of data advertised on card shops varies widely in quality and recency, fraud teams face additional obstacles to finding relevant information even once they are able to gain access to these shops.
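Once a fraud team does have dump records in hand, the fields described above can be triaged mechanically. The following Python is an added example, not code from the original post or from Flashpoint: it parses Track 2 magnetic-stripe records in the ISO/IEC 7813 layout, Luhn-checks the PAN, reads the chip indicator from the service code, flags expired cards, and matches the BIN against a hypothetical set of issuer ranges so only records touching the team’s own portfolio survive. The sample records and the BIN range are constructed for this example; the PANs are the public Visa and Mastercard test numbers, not real cards.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample records in ISO/IEC 7813 Track 2 layout:
#   ';' start sentinel, PAN, '=' separator, YYMM expiry, 3-digit service code,
#   issuer discretionary data, '?' end sentinel.
# The PANs are the public Visa/Mastercard test numbers, not real cards; every
# other field is made up for this example.
SAMPLE_DUMPS = [
    ";4111111111111111=2512101000000000?",  # Visa test PAN, service code 1xx: no chip
    ";5555555555554444=2608201000000000?",  # Mastercard test PAN, service code 2xx: chip present
    ";4111111111111112=2512101000000000?",  # fails Luhn: mistyped or junk listing
    "Fresh US dumps, 95% valid rate, escrow available",  # vendor chatter, not track data
]

# Hypothetical 8-digit BIN range belonging to the monitoring institution (assumption).
OUR_BIN_RANGES: List[Tuple[int, int]] = [(41111100, 41111199)]

TRACK2_RE = re.compile(r"^;(\d{12,19})=(\d{2})(\d{2})(\d{3})(\d*)\?$")


@dataclass
class DumpRecord:
    masked_pan: str      # first 6 + last 4 only; never keep the full PAN in findings
    bin8: str            # leading 8 digits (ISO/IEC 7812 widened BINs from 6 to 8 digits in 2022)
    expiry_yymm: str
    service_code: str
    luhn_ok: bool
    chip_card: bool      # service code first digit 2 or 6 means an IC (chip) is present
    expired: bool
    ours: bool           # BIN falls inside one of OUR_BIN_RANGES


def luhn_valid(pan: str) -> bool:
    """Mod-10 check-digit test; rejects mistyped or fabricated PANs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the portion a fraud analyst needs to recognise the card."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def parse_track2(line: str, as_of: Tuple[int, int] = (25, 1)) -> Optional[DumpRecord]:
    """Parse one Track 2 string; returns None if the line is not track data.

    as_of is (YY, MM) used to judge expiry; it is fixed here to keep the example deterministic.
    """
    m = TRACK2_RE.match(line.strip())
    if not m:
        return None
    pan, yy, mm, svc, _discretionary = m.groups()
    bin8 = pan[:8]
    return DumpRecord(
        masked_pan=mask_pan(pan),
        bin8=bin8,
        expiry_yymm=yy + mm,
        service_code=svc,
        luhn_ok=luhn_valid(pan),
        chip_card=svc[0] in ("2", "6"),
        expired=(int(yy), int(mm)) < as_of,
        ours=any(lo <= int(bin8) <= hi for lo, hi in OUR_BIN_RANGES),
    )


def triage(lines: List[str], as_of: Tuple[int, int] = (25, 1)) -> List[DumpRecord]:
    """Keep only well-formed, Luhn-valid records; everything else is noise for a fraud team."""
    kept = []
    for line in lines:
        rec = parse_track2(line, as_of)
        if rec is not None and rec.luhn_ok:
            kept.append(rec)
    return kept


if __name__ == "__main__":
    for rec in triage(SAMPLE_DUMPS):
        print(rec)
```

Running the module prints the two surviving records: the Visa test card, which matches the hypothetical BIN range and has no chip, and the Mastercard test card, which is chip-capable and belongs to someone else’s portfolio. The Luhn failure and the vendor chatter are dropped before anyone spends time on them, and the stored PAN is masked so the triage output itself does not become another copy of cardholder data.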
Despite the wealth of sensitive data they hold, viewing card shops in isolation, without additional context, gives fraud teams an incomplete picture. Threat actors involved in card-shop activity frequently use Deep & Dark Web (DDW) forums to advertise their shops, discuss new breaches of card data, and vouch for or dispute the credibility of vendors. Without the big-picture insight provided by DDW forums, fraud teams may allocate resources inefficiently, attempting to retrieve data or combat activity that poses no real risk to them.
Finding External Support
The fraud lifecycle is in many ways similar to a supply chain. Fraudulent schemes are rarely carried out in isolation; they typically require support from multiple threat actors and illicit services, and often target or affect multiple organizations and individuals across industries and locations. For example, card data may be scraped from a compromised POS terminal at one retailer and then used to make fraudulent online purchases from another. To cash out, fraudsters then resell the goods bought with the stolen cards, typically relying on mules, drop networks, and fraudulent shipping-label services to evade law enforcement.
Given the complex and diffuse nature of fraud—including schemes that originate in or rely heavily on card shops—cross-organizational information sharing across industry sectors can be beneficial for fraud teams. Although the benefits of information sharing are extensive and well documented, many fraud teams do not participate, for reasons ranging from concerns about trust and security to relevance, value, and accessibility. Moreover, because the schemes fraud teams encounter often do not reduce to technical indicators, sharing groups focused narrowly on indicators of compromise are insufficient for most fraud use cases. Fraud teams may also lack experience engaging with law enforcement, which is often necessary when an organization is being targeted through card-shop activity.
Gaining Visibility into Underground Card Shops with Business Risk Intelligence (BRI)
BRI has become the new standard of intelligence for fraud teams across all industry sectors, empowering them with visibility into underground communities supplemented with contextual analysis and collaborative support. BRI helps address the challenges faced by fraud teams by providing extensive visibility into card-shop activity, finished intelligence reporting and analysis, and robust external support from leading subject-matter experts, law enforcement, and peers. When necessary, fraud teams can also leverage Flashpoint’s directed threat-actor engagements to retrieve sensitive data from illicit card shops.
Director of European Research & Analysis
Roman Sannikov is the Director of European Research & Analysis at Flashpoint, where he specializes in leveraging intelligence derived from Russian-language communities within the Deep & Dark Web to help organizations combat cybercrime and mitigate risk. A fluent Russian speaker, Roman has spent nearly two decades studying cybercriminal activity within the Russian underground and has extensive experience working as both a translator and cyber intelligence analyst in the public and private sectors. During his 21-year career with the FBI, Roman served as a translator for numerous major cyber cases involving Russian-speaking actors. He has also had the privilege of interpreting for several high-profile individuals, including former FBI Director Robert Mueller and former U.S. Attorney General Eric Holder. Most recently, Roman supported Russian-language data collection and intelligence reporting as a Senior Intelligence Analyst at CrowdStrike. He holds both Bachelor’s and Master’s degrees in Russian from the University of Albany.