Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

4/12/2016
08:00 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

How To Monetize Stolen Payment Card Data

The carding value chain not only relies on carders and buyers, but individuals who don't even know they're involved.

Bosses of the operations that turn stolen payment card data into cash have been known to take home as much as $1 million of profit in one year. One of the reasons they're so profitable: They scam and stiff thousands of the people who make the operation work.  

In a new report today, Hewlett Packard Enterprise Security Research outlined the process and the players in this value chain. To monetize stolen payment card data, organized criminals buy goods and then sell them for cash. According to HPE, in nearly all cases, card data was stolen from US accountholders, goods were bought in the US from online retailers in the US, and goods were shipped to Russia via intermediaries located in the US.

Beneath the bosses leading the operation are a network of administrators, "stuffers," and "drops," mostly managed via the Web. More specifically:  

  • Admins notify "stuffers" about what goods need to be purchased and, sometimes, what retailers they should be purchased from. Walmart, BestBuy, AT&T, Sprint, and Verizon were popular choices.
  • Stuffers, located in the US, buy goods online -- a wide variety of products ranging from electronics, to nutrition products, to toys, to rifle scopes. Stuffers are paid a 25- to 40% cut, depending upon the item.
  • The stuffers have the goods shipped to "drops," located in the US. 
  • Admins purchase labels from fraudulent shipping label services that forge labels for legitimate parcel delivery services like FedEx, UPS, and the US Postal Service.
  • Admins send the labels to drops.
  • Drops repackage goods with fraudulent labels and reship goods to Russia, using legitimate delivery services. The drops do not know that the items were bought illegally or that the shipping labels are fraudulent.

The drops were often "recruited" -- or, more accurately, scammed -- through social media advertising "work from home" opportunities that required no special skills but promised base salaries of as much as $2,500 per month.

However, the drops are almost never paid at all, according to the report. In fact, the admin's workflow software includes a system for tracking when drops sign up, quit, and become "dangerous" -- meaning they're expected to quit soon when they realize they are never going to see a dime for their reshipping efforts. Adding insult to injury, when drops sign up, they are convinced to submit a host of personal information -- including scans of government-issued IDs and proof of address -- as part of their "onboarding" process for the job.

From the report:

Recruiters find it more cost effective to recruit new drops from those looking for a "work from home" opportunity than to actually maintain and pay drops on an ongoing basis. This practice has the added benefit of isolating the most exposed part of the operation from the rest of the organization. Drops are exposed to very little if any of the true organization. ...

It's important to understand that drops are not a part of the organization; rather, they are as much a victim as others in the types of fraud schemes targeting human assets for exploitation.

Admins and stuffers, however, are key members of the organization. Admins manage the day-to-day technical functions of the Web interface through which business is conducted -- including taking orders for the products Russian buyers want, notifying stuffers about what those products are, connecting stuffers with drops, and tracking packages.

The operability and user interfaces of different re-shipper sites are so similar that researchers believe that these different operations must use the same software developers. 

     

Gain insight into the latest threats and emerging best practices for managing them. Attend the Security Track at Interop Las Vegas, May 2-6. Register now!

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Our Endpoint Protection system is a little outdated... 
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-2319
PUBLISHED: 2019-12-12
HLOS could corrupt CPZ page table memory for S1 managed VMs in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Wired Infrastructure and Networking in MDM9205, QCS404, QCS605, SDA845, SDM670, SDM710, SDM84...
CVE-2019-2320
PUBLISHED: 2019-12-12
Possible out of bounds write in a MT SMS/SS scenario due to improper validation of array index in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables in APQ8009, APQ8017, APQ805...
CVE-2019-2321
PUBLISHED: 2019-12-12
Incorrect length used while validating the qsee log buffer sent from HLOS which could then lead to remap conflict in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer Electronics Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT, Snapdra...
CVE-2019-2337
PUBLISHED: 2019-12-12
While Skipping unknown IES, EMM is reading the buffer even if the no of bytes to read are more than message length which may cause device to shutdown in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Wearables in APQ8053, APQ809...
CVE-2019-2338
PUBLISHED: 2019-12-12
Crafted image that has a valid signature from a non-QC entity can be loaded which can read/write memory that belongs to the secure world in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Wired Infrastruc...