Fraudster Dictionary

Learn the slang and operational techniques of online payment fraudsters.

11 Dec 2023,10:14 PM

Intro

Going up against online fraudsters is a tough battle. There isn’t one rule that can help you win it all, but there are certainly some crucial steps each fraud specialist should undertake.

Anti-fraud tools are a “must-have”, but a more sophisticated approach is to understand the behaviour and language of your opponent. However, 75% of fraud analysts admit that they do not research and collect evidence from the darkweb.

We totally understand that. Digging through the darknet is a time-consuming job, and it’s hard to keep up with evolving criminal threats and technological advances. It’s also a risky activity. If you’re not experienced, you may find yourself in cyber trouble.

Step 1: Learn the language. Dictionary.

Scammers use specific slang to communicate and commit online payment crimes, and the slang itself already gives a broad understanding of their operational techniques. Learn the most common phrases.

English Language Sphere

A

Altcoins

/ɑlt kɔɪnz/

Alternative coins. Slang name for all cryptocurrency other than BTC.

Anonymity Checker

/ænəˈnɪmɪti ˈʧɛkər/

When any user enters an eCommerce website, the merchant can see many details about the visitor. Before the attack, the fraudster needs to ensure that his browser and connection configuration will not seem suspicious to the system. For this purpose, carders use anonymity checkers. On such websites, anybody can check his browser version, user agent, type of operating system, browser plugins, IP address, IP presence on blacklists and much more. Popular checkers are whoer.net and browserleaks.com.

If the fraudster does not like certain information (e.g. that the website shows his real IP), he may try to change it. Imagine he knows that the owner of the stolen account/card is using a Macbook and the anonymity checker shows that the fraudster is using Windows. In that case, the cybercriminal may see the inaccuracy and react to it.

Automatic Vending Cart (AVC)

/ɔtəˈmætɪk ˈvɛndɪŋ kɑrt/

Automatic Vending Cart (AVC) is an automated “click and buy” website selling compromised data, which operates in the darknet as well as in the Clearnet. Most AVCs sell stolen credit cards (fullz, dumps), but there are also AVCs that offer stolen accounts, travel points and anonymity tools.

To make the process of purchasing credit cards more comfortable for the fraudster, AVC websites have filter features that help carders find “the right credit card” they need. A fraudster can filter by price, BIN, card type, bank, country, state (only for the USA), city, zip code, reseller and base (credit cards are placed on AVCs in big batches consisting of thousands of cards, and every batch has its name). There is also an option to find cards with wanted personal data like phone, email, SSN, date of birth, mother’s maiden name, cardholder IP, address.

Once the payment is received, the buyer immediately and automatically receives the purchased data.

AVS

/eɪ-vi-ɛs/

Address verification system. Another phrase from the financial industry used by fraudsters. It is an operating mode used by the processor to confirm that a card transaction is in fact carried out by the legitimate owner. It takes the billing address entered in the registration process and compares it to the one registered with the credit/debit card company. If they are not similar, the transaction will be declined. For this reason, crooks buy fullz and registered accounts with these details. Also, many shops won’t ship to addresses other than the billing address registered with the bank.

B

BIN

/bɪn/

A term well known in the banking and credit card industry. Knowing what a BIN is and how to use it is also basic knowledge for carders. The Bank Identification Number is the first six digits of the credit card number. The BIN determines the card issuer, card type, level of security (for example the presence of 3-D Secure), country of origin, and sometimes even the bank’s regional branch. Knowing the cardholder’s country of origin, even without the address, the carder knows from which country he should connect to the e-shop to be successful.

Sometimes fraudsters buy a card from Germany and try to connect to a shop from India, but that’s where the antifraud system enters. It will detect that mismatch and decline the transaction.
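The two consistency checks described in the Anonymity Checker and BIN entries (operating system versus account history, card-issuing country versus connection country), seen from the merchant's side. This is an added example, not part of the original dictionary; the BIN table, IP ranges, account history and orders are all constructed, and the function and signal names are hypothetical.

```python
import ipaddress

# Constructed lookup data; production systems use a licensed BIN database and a GeoIP feed.
BIN_COUNTRY = {"999901": "DE", "999902": "IN"}
GEO_RANGES = [  # documentation-only address ranges
    (ipaddress.ip_network("192.0.2.0/24"), "DE"),
    (ipaddress.ip_network("198.51.100.0/24"), "IN"),
]
# Order matters: Android user agents also contain "Linux".
OS_MARKERS = [("Windows", "Windows"), ("Macintosh", "macOS"),
              ("Android", "Android"), ("Linux", "Linux")]

def ip_country(client_ip):
    """Country code for an IP, or None when no range covers it."""
    addr = ipaddress.ip_address(client_ip)
    return next((cc for net, cc in GEO_RANGES if addr in net), None)

def os_family(user_agent):
    """Coarse operating-system family taken from the User-Agent header."""
    return next((name for marker, name in OS_MARKERS if marker in user_agent), "unknown")

def order_signals(order, account):
    """Return the list of mismatch signals raised by one order."""
    signals = []
    digits = "".join(ch for ch in order["pan"] if ch.isdigit())
    issuer = BIN_COUNTRY.get(digits[:6])          # BIN = first six digits
    origin = ip_country(order["ip"])
    if issuer is None or origin is None:
        signals.append("country_unknown")         # missing data is not a pass
    elif issuer != origin:
        signals.append(f"bin_{issuer}_ip_{origin}")
    seen = os_family(order["user_agent"])
    if seen not in account["known_os"]:
        signals.append(f"new_os_{seen}")
    return signals

# Constructed account history and orders.
ACCOUNT = {"known_os": {"macOS"}}
MAC_UA = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15"
WIN_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
ORDERS = [
    {"pan": "9999 0100 0000 0001", "ip": "192.0.2.44", "user_agent": MAC_UA},
    {"pan": "9999 0100 0000 0002", "ip": "198.51.100.20", "user_agent": WIN_UA},
    {"pan": "9999 0300 0000 0003", "ip": "192.0.2.44", "user_agent": MAC_UA},
]

if __name__ == "__main__":
    for o in ORDERS:
        print(o["ip"], order_signals(o, ACCOUNT) or "consistent")
```

An order with an unknown BIN or an unlocatable IP raises its own signal instead of passing silently, so gaps in the lookup data end up in manual review.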

Bulletproof hosting

/ˈbʊlətˌpruf ˈhoʊstɪŋ/

Fraudsters who run their services in the darkweb also need hosting services. Sure, they could build everything themselves, but most of them are not skilled enough. So they need professional hosting servers that are called bulletproof. That means the hosting provider won’t cooperate with law enforcement authorities (LEA). Even illicit or strongly unethical content will find its place there. Usually, such servers are located in countries that cooperate only reluctantly with LEA from other countries, especially from the West.

Real darknet stories

Hosting servers inside a military bunker

In September 2019 German authorities arrested seven people in connection with the raid of a bulletproof hosting provider “CyberBunker” located in Traben-Trarbach, Germany. The provider supported multiple child porn, cybercrime and drug markets with hundreds of servers buried inside a heavily fortified military bunker.

Investigators believed the 13-acre former military facility served a number of darknet sites, including: the Wall Street Market; the drug portal “Cannabis Road;” and the synthetic drug market “Orange Chemicals.” German police seized $41 million worth of funds tied to these markets, and more than 200 servers.

For at least two of the men accused in the scheme, Herman Johan Xennt, and Sven Kamphuis, this was their second bunker-based hosting business. CyberBunker 1.0 facility was a lab used to produce the drug ecstasy/XTC. In 2003 Xennt and others were denied a business license to continue operating in the bunker, and they were forced to resell servers from a different location — even though they bragged to clients for years to come about hosting their operations from an ultra-secure underground bunker.

Between 2012 and 2013, Xennt purchased a new bunker in Traben-Trarbach, and the CyberBunker was reborn.

Kamphuis was later arrested in Spain on the DDoS attack charges. He was convicted in The Netherlands and sentenced to time served, which was approximately 55 days of detention prior to his extradition to the United States.

Herman Johan Xennt was believed to have links to organized crime. He has been seen frequently associating with another man: an Irish mobster named George “the Penguin” Mitchell, listed by Europol as one of the top-20 drug traffickers in Europe and thought to be involved in smuggling heroin, cocaine and ecstasy.

Source: krebsonsecurity.com

C

Carding

/ˈkɑrdɪŋ/

It’s a process of using stolen credit cards to make a purchase. Fraudsters who use this technique are called carders. There are two different types of carding: real and virtual. In the first one, the carder uses a forged credit card — a plastic card with loaded data from a stolen credit card. This fraud is also called in-store carding.

The second type of carding is a virtual one and doesn’t require a physical item but just its data: number, validation date and security code. Virtual carding is easier than in-store for many reasons:

• everything is done online

• carder can card shops from all around the world

• no special equipment is needed to load data on physical credit cards

• it’s just safer. When something goes wrong with the transaction, it is only cancelled, and the card is burned.

Fraudsters increasingly choose virtual carding over in-store carding.

Cashout

/kæʃ aʊt/

The point of all fraud attacks is to earn money that will be usable. It is child’s play to buy a stolen credit card, but it is much more difficult to withdraw money from it. To cashout stolen credit cards is to transfer the money and make it easy and safe to use. Carders often prefer to cashout by buying merchandise similar to real money, e.g. cryptocurrencies, gift cards, loyalty points.

When a fraudster buys stolen bank accounts, he also needs to cashout these accounts to get money.

Cardable websites

/ˈkɑrdəbl ˈwɛbˌsaɪts/

Fraudsters are aware of anti-fraud systems, 3-D Secure and other security measures undertaken by online merchants. But they also know that not the whole eCommerce sector has implemented those solutions. Carders (scammers) describe such websites as “easy cardable”, and they exchange information about them.

Forum administrators show examples of such sites to make their forum more attractive for carders. Regular users also share such information to gain a reputation among other crooks.

Credit card checkers

/ˈkrɛdət kɑrd ˈʧɛkərz/

When a carder buys a stolen credit card, he’s never sure whether the card has already been blocked. Cybercriminals have to be 100% sure that their crime tool is usable and will not cause them trouble. To check that, they use “credit card checkers”.

In the past, it was a software application that used credit card data to perform 1 cent transactions. However, finance security departments noticed that when a 1 cent transaction is followed by a large one, it is probably fraud. They started to red-flag those payments, and such checkers are mostly useless now.

Currently, card checkers use, for example, paid accounts with free trials where users have to add a valid credit card. Another method is to send small donations to charity organisations. Such entities can play an important, mostly unwitting, role in carding and money laundering.
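The red-flag rule described above (a tiny charge followed by a large one on the same card), written as detection logic over a transaction log. This is an added example, not part of the original dictionary; it also goes one step beyond the text with a merchant-side check for bursts of small charges on many cards from one source, which is how a donation or free-trial page would notice it is being used as a checker. Thresholds, field layout and sample transactions are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

SMALL = 1.00                   # assumed ceiling for a "probe" amount
LARGE = 100.00                 # assumed floor for a "large" follow-up
WINDOW = timedelta(hours=24)   # assumed look-back window

# Constructed sample log: (timestamp, card token, source IP, amount)
TXNS = [
    ("2023-12-01T10:00:00", "card_A", "192.0.2.10", 0.01),
    ("2023-12-01T10:05:00", "card_A", "192.0.2.10", 950.00),
    ("2023-12-01T11:00:00", "card_B", "198.51.100.7", 45.00),
    ("2023-12-01T12:00:00", "card_C", "203.0.113.5", 0.50),
    ("2023-12-03T12:00:00", "card_C", "203.0.113.5", 300.00),  # outside WINDOW
    ("2023-12-01T13:00:00", "card_D", "203.0.113.9", 1.00),
    ("2023-12-01T13:01:00", "card_E", "203.0.113.9", 1.00),
    ("2023-12-01T13:02:00", "card_F", "203.0.113.9", 1.00),
]

def probe_then_large(txns):
    """Cards where a small charge is followed by a large one within WINDOW."""
    last_probe, flagged = {}, []
    for ts, card, _ip, amount in sorted(txns):   # ISO timestamps sort chronologically
        when = datetime.fromisoformat(ts)
        if amount <= SMALL:
            last_probe[card] = when
        elif amount >= LARGE and card in last_probe and when - last_probe[card] <= WINDOW:
            flagged.append(card)
    return flagged

def small_charge_bursts(txns, min_cards=3, window=timedelta(minutes=10)):
    """Source IPs that push small charges on several distinct cards in a short span."""
    by_ip = defaultdict(list)
    for ts, card, ip, amount in txns:
        if amount <= SMALL:
            by_ip[ip].append((datetime.fromisoformat(ts), card))
    flagged = []
    for ip, events in by_ip.items():
        events.sort()
        for i, (start, _card) in enumerate(events):
            cards = {c for t, c in events[i:] if t - start <= window}
            if len(cards) >= min_cards:
                flagged.append(ip)
                break
    return sorted(flagged)

if __name__ == "__main__":
    print("probe then large:", probe_then_large(TXNS))
    print("small-charge bursts:", small_charge_bursts(TXNS))
```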

Criminal forums

/ˈkrɪmənəl ˈfɔrəmz/

There are various criminal forums on the Internet. Some of them are available only in the darknet, but many are also available in the clearnet. There are three main illegal subjects on cybercriminal forums: frauds, hacking/cracking and drugs.

There are forums specialised in one topic and general forums where all three are welcome. One or two of these subjects can be forbidden, for example because the forum doesn’t want to be involved in criminal activity (e.g. they claim that drugs are harmless) or, on the contrary, because they say that drugs are harmful to people and should not be allowed.

Some sections can be found on all types of forums: anonymity and operational security, discussions about vendors, and marketplaces where users can trade. Administrators often get paid for sales brokerage (e.g. for escrow service) and for advertisements. Many underground forums are hubs for hacker or fraudster communities.

Most cybercriminals don’t want to have anything in common with terrorism and child pornography. There is no permission for such topics, and all users who try to talk about it are banned. On many forums, other prohibited topics include guns, explosive devices, poisons, etc.

Cryptocurrency mixer

/ˈkrɪptoʊ ˈkɜrənsi ˈmɪksər/

A cryptocurrency mixer is a service used to increase the anonymity of cryptocurrency transactions and to make bitcoin harder to trace.

Many cryptocurrency transactions are transparent, and it is possible to see from which wallet to which the currency has travelled. The cryptocurrency mixer serves as a place where crypto owners can tumble money to obfuscate transaction flow.

Crooks often use those platforms in laundering money from cybercrimes.

D

Darknet

/dɑrk nɛt/

It’s a part of the unindexed Internet and a subset of the deepweb consisting of several encrypted networks. To get access to it, users have to use specific software, such as the TOR browser, which is often wrongly identified with the darknet. Apart from TOR, the darknet includes networks like I2P, Freenet, GNUnet and others. They were created to ensure anonymous and uncensored access to the Internet and communication. Because of its high level of anonymity, the darknet is often used for unethical or illicit activities like trading in stolen or illegal merchandise, money laundering and others. Sometimes cybercriminals consider criminal forums in the clearnet to be part of the darknet, but that is incorrect.

Despite the above, the darknet can still be used for positive purposes. Citizens from countries where the Internet is censored can use it to access websites from other parts of the world. Companies like Facebook and BBC have websites on TOR.

 
