
Detecting Carder-Friendly Forums through IoC Expansion

Carding, the theft and subsequent sale of credit and other payment card information, has long been a problem. And with the ease of obtaining hosting for carder forums and communities and of hiding their tracks online, the threat has only grown.

WhoisXML API threat researcher Dancho Danchev recently trooped online to gather known carding forum and community domains. From there, the WhoisXML API extended security research team performed an indicator of compromise (IoC) expansion analysis to identify as many other potential threat vectors as possible. The exercise led to the discovery of:

  • 45 unredacted registrant email addresses from the IoCs’ historical WHOIS records
  • 14,254 domains that shared the IoCs’ registrant email addresses, 12 of which turned out to be malicious
  • 60 IP addresses that played host to the IoCs
  • 154 domains that shared the IoCs’ IP hosts, one of which was deemed malicious
  • 1,073 domains that shared common strings found among the IoCs, 12 of which were tagged malicious

A sample of the additional artifacts obtained from our analysis is available for download from our website.

Diving Deeper into the Known Carding Forum Pages

As a first step in our investigation, we dug deeper into the 29 domains that played host to carding forums and communities.


A bulk WHOIS lookup for these web properties revealed they were spread across 11 registrars (see the breakdown below) led by NiceNIC International Group Co., Limited; R01-RU; and Eranet International Limited, which managed six domains each.

Uncovering WHOIS Connections

Historical WHOIS searches for the IoCs allowed us to uncover 45 unredacted email addresses used to register them. These addresses were spread across 13 email service providers topped by gmail.com. Take a look at the service provider distribution below.

Note that all of the providers’ email services can be obtained free of charge. Also, 27 of the email addresses were used to register 14,254 other domains, 12 of which turned out to be malware hosts. Examples of these web properties are:

  • novostroykivbatumi[.]com
  • adtsda[.]org
  • familytravelling[.]us
  • al-anwar[.]us
  • swordfishcentral[.]com
  • phoneboosterapps[.]com

Fortunately, only one of the malicious web properties remains accessible to date.

Finding DNS Links

As a next step, we trooped to the DNS to uncover more potential threat vectors. DNS lookups for the 29 domains provided us with 60 IP resolutions spread across four countries led by the U.S. (see the breakdown below).

Next, reverse IP lookups for the hosts led to the discovery of 154 domains (up to five domains only per IP address) that could be connected to the threat, one of which—ge[.]helltoheaven[.]me—was tagged a malware host.

Closer scrutiny of the IoCs allowed us to identify common strings, such as card + forum and card + community. As a final step toward uncovering as many other yet-unnamed potential attack vectors as possible, we used these strings as Domains & Subdomains Discovery search terms. That gave us 1,073 additional domains, 12 of which turned out to be malicious. Examples of the confirmed malware hosts are:

  • cardingforum[.]biz
  • cardingforums[.]net
  • carderforum2018[.]ru
  • carderland-forum[.]ru
  • shopcardingforum[.]ru
  • bestcardersforum[.]ru
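The three pivots walked through above (registrant email, IP host, common string), as an added example that is not from the article or from WhoisXML API's tooling. It runs over constructed historical WHOIS, DNS and reverse IP lookup results and a constructed set of malware-tagged domains, and applies the five-domains-per-IP cap used in the reverse IP step; every domain, email address and IP here is made up.

```python
from collections import defaultdict

# Constructed sample lookup results (not the article's data). Domains are
# defanged with "[.]"; IPs come from RFC 5737 documentation ranges.
SEED_IOCS = {"cardforum-ex[.]cx", "crdcommunity-ex[.]cc"}
WHOIS_EMAILS = {  # domain -> registrant emails seen in historical WHOIS
    "cardforum-ex[.]cx": {"reg-a@mail.example"},
    "crdcommunity-ex[.]cc": {"reg-b@mail.example"},
    "travel-blog[.]example": {"reg-a@mail.example"},
    "shop-ex[.]example": {"reg-b@mail.example"},
}
DNS_A = {  # domain -> IPv4 hosts it resolved to
    "cardforum-ex[.]cx": {"192.0.2.10"},
    "crdcommunity-ex[.]cc": {"192.0.2.10", "198.51.100.7"},
    **{f"neighbour{i}[.]example": {"192.0.2.10"} for i in range(1, 9)},
    "other-site[.]example": {"198.51.100.7"},
}
# Stand-in for a domain discovery index plus a malware-tag feed.
ALL_DOMAINS = set(WHOIS_EMAILS) | set(DNS_A) | {"cardforum-ex2[.]biz", "bestcardcommunity-ex[.]ru"}
MALWARE_TAGGED = {"travel-blog[.]example", "cardforum-ex2[.]biz"}


def pivot_registrant_email(iocs):
    """Reverse WHOIS: every non-IoC domain sharing a registrant email with an IoC."""
    emails = set().union(*(WHOIS_EMAILS.get(d, set()) for d in iocs))
    return {d for d, e in WHOIS_EMAILS.items() if e & emails} - iocs


def pivot_ip_hosts(iocs, per_ip_cap=5):
    """Reverse IP: domains co-hosted on the IoCs' IPs, at most per_ip_cap per address."""
    by_ip = defaultdict(set)
    for d, ips in DNS_A.items():
        for ip in ips:
            by_ip[ip].add(d)
    ioc_ips = set().union(*(DNS_A.get(d, set()) for d in iocs))
    found = set()
    for ip in sorted(ioc_ips):
        found |= set(sorted(by_ip[ip] - iocs)[:per_ip_cap])  # cap keeps shared hosts manageable
    return found


def pivot_common_strings(iocs, terms):
    """String pivot: domains whose name contains every word of at least one term."""
    return {d for d in ALL_DOMAINS if any(all(w in d for w in t) for t in terms)} - iocs


def expand(iocs, terms=(("card", "forum"), ("card", "community"))):
    """Union of all pivots, with the subset that a malware-tag feed flags."""
    artifacts = pivot_registrant_email(iocs) | pivot_ip_hosts(iocs) | pivot_common_strings(iocs, terms)
    return {"artifacts": artifacts, "malicious": artifacts & MALWARE_TAGGED}
```

A real run would replace the three dictionaries with live historical WHOIS, DNS and reverse IP responses; the pivot logic stays the same.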

One of these dangerous sites, bestcardersforum[.]ru, proved especially similar to the IoCs: accessing it led to a login page, which is typical of carding forums. Much like members-only business websites, cybercriminals are known to restrict access to their pages to members (fellow fraudsters and unscrupulous users) in order to avoid law enforcement.

Based on the hosted page’s content, GoCVV Shop offers members access to full and working credit card information—credit card number and card verification value (CVV) combinations for payment cards with available balances.


Our IoC expansion analysis led to the discovery of nearly 16,000 yet-undisclosed web properties, including 25 malicious domains that could serve malware to anyone who visits them.

This data can be useful for law enforcement agents and other cybersecurity professionals who may wish to identify more potential threat vectors.

If you wish to perform a similar investigation or get access to the full data behind this research, please don’t hesitate to contact us.

By WhoisXML API, A Domain Research, Whois, DNS, and Threat Intelligence API and Data Provider

Whois API, Inc. (WhoisXML API) is a big data and API company that provides domain research & monitoring, Whois, DNS, IP, and threat intelligence API, data and tools to a variety of industries.
