THE HEADLINE
Last year, threat actors launched a new dark web carding site specializing in credit card details, account information, and other financial data with which cybercriminals perpetrate fraud, impersonate bank customers, and steal money from accounts. The carding market filled a void left by similar carding stores that were shut down in 2022 and 2021. Similar to previous stores, the new carding market’s branding uses images of a U.S. president in an apparent attempt to antagonize the American government.
While the carding market’s initially limited infrastructure offered only basic services, Cybersixgill observed its founder advertising the site on Russian-speaking forums. In June 2022, the carding market launched a promotional giveaway, releasing free stolen credit card numbers, names, addresses, telephone numbers, and emails. This is a tactic that other markets have used to attract new customers to dark web markets.
In the wake of a competitor’s giveaway, the new carding market dropped a trove of 1.2 million free credit cards in October 2022, with 30% of the data proving suitable (“fresh”) for fraud based on an analysis of random samples. In addition, the carding market used another common promotional tactic, offering illicit goods at below-market prices, advertising credit cards for as little as 15 cents.
Seeking to capitalize on the success of its previous giveaways, at the end of February 2023, the carding market announced a new free database containing millions of debit and credit cards, leaked to celebrate the market’s first anniversary. The market announced the leak on its own site, in addition to posting about it on a popular Russian cybercrime forum.
According to researchers who analyzed the leaked information, the free database contains at least 1.5 million credit and debit cards and close to 300 cards for charge accounts. While the database reportedly contains duplicates, more than 2.1 million unique cards were observed. In addition to card numbers, the dataset also provides the combination of personally identifiable information commonly known as “fullz,” which includes names, phone numbers, addresses, and emails -- in this case, hundreds of thousands of them. Other details bundled in the carding market leak included payment details, CVV codes, and card expiration dates.
The validity of the carding market data remains unknown, and we explore that topic at greater length in the section that follows. With that being said, it is likely that at least a portion of the included fullz could be used by cybercriminals for financial and identity theft, in addition to phishing schemes, social engineering campaigns, and other types of scams. With regard to sales, the carding market provides validity ratings, and listings are regularly double-checked and removed. The carding market also filters stolen card searches based on countries of origin, bank, and content (i.e., CVV, email, address, card type, or cardholder name).
DIVING DEEPER
Since the carding market’s creation in February 2022, Cybersixgill has collected hundreds of posts related to the market’s activity and promotion. Most recently, Cybersixgill collected the carding market’s announcement advertising the one-year anniversary leak, in addition to discussions of the giveaway on sites frequented by cybercriminals.
The following screenshot displays the carding market’s publicly-facing anniversary announcement, which mimicked similar messaging from legitimate businesses, stating, "We are proud to have you as a customer, and we look forward to continuing to serve you in the coming years. Your loyalty and trust are what motivate us to keep improving and growing our business." The advertisement emphasizes that the leak is “free.”
Figure 1: Carding market’s admins advertise the anniversary data leak
Figure 2: The anniversary credit card database leaked on the carding market site
In addition to the above post on the carding market site, the market’s admins also hyped the giveaway on popular forums, with feedback from other members far from universally positive. For example, the February 2023 post below from a popular cybercrime forum garnered 12 responses. While a fair share of these were standard “congratulations” replies, several forum members chimed in to denigrate the carding market site and question the value of its wares.
In the screenshot below, a highly active forum member with a 3/10 reputation used an expletive to refer to the “quality” of items in the carding market shop, suggesting that the site is giving away items because the cards lack value and wouldn’t generate income. Another forum member with a low reputation score refers to the free cards as “dead,” apparently suspecting that the leaked data is not fresh. A member with an average reputation concurs, positing that the cards were “dead” before they were released.
Figure 3: Forum members discuss the most recent free leak from the carding market
In addition, Cybersixgill spotted a discussion of the carding market on another popular cybercrime forum. The thread began when the market launched its October 2022 giveaway and continued to chalk up replies through March 6, 2023, after the carding market’s most recent free leak. While some of the recent responses are positive, there are several negative replies, one of which questions the profitability of carding in general.
That comment was posted by a forum member with an average reputation score (5/10) who seems to believe that the security features of credit cards make the type of data the carding market trades in obsolete. Specifically, the forum member asks if another member is “living in the 90s,” adding a reference to Verified by Visa (VBV), a security feature for authenticating purchasers as authorized cardholders. It appears that the forum member believes VBV has made credit card fraud significantly more challenging.
Cybersixgill has observed a diminution in compromised credit card sales on the dark web over the last three years in the Latin American region. The trend reflects a global decrease in credit card sales amid the rise of digital payment applications, such as Venmo, Zelle, Apple Pay, and Google Pay, among others. Based on this trend, threat actors on the dark web may increasingly turn their attention to pay app account sales, in addition to e-commerce site accesses.
Figure 4: Forum members discuss the carding market’s free credit card leaks
TAKEAWAYS
Carding sites have existed for years, with new markets popping up on the dark web as authorities shut down existing sites. During a one-year period from mid-2021 to mid-2022, Cybersixgill collected over 100 million posts from threat actors on the underground discussing carding activities. Carding sites also serve a critical function in the cybercriminal ecosystem, providing a sales channel for data from breaches, malware that collects sensitive information, and other sniffer devices.
In the wake of shuttered sites disappearing, new cybercriminal marketplaces have sprung up. Successful ones become hotbeds for carding activities, launching promotions, and courting positive feedback from existing users. Whether the carding market in this report will meet the same fate as its predecessors remains to be seen. With upstart carding markets regularly debuting on the underground, Cybersixgill continues to search for new cybercriminal sources.
With the constant risk of sensitive data theft, organizations, and credit card holders in particular, should remain vigilant with regard to the use of their personal information. Any suspicious financial activity should be immediately reported to the relevant entity, bank, or assets manager. Organizations, specifically those in the banking and financial sectors, must use multi-factor authentication (MFA) to protect their assets and enable alerts for critical actions to detect and prevent possible data theft by cybercriminals.
Cybersixgill automatically aggregates data leaks and alerts customers in real time.
1. “Carding” is an umbrella term for both trafficking in stolen credit cards (or credit card numbers) and the unauthorized use of such cards and numbers. Frequently, the stolen cards or numbers are used to buy prepaid gift cards, which can be sold or used to purchase goods that are resold for cash.
2. The giveaway contained roughly 8 million lines, with 6,600 of them covering credit card information, mostly from U.S.-based VISA credit cards.
3. CVV stands for “card verification value” and may include card numbers, expiration dates, and the actual CVV codes found on the back of cards, in addition to zip codes and other information.