Ever wondered where the personally identifiable information (PII) phishers steal from victims end up? More likely than not, they’re put up for sale on the ever-growing number of online stolen card shops.
Cybersecurity researcher Dancho Danchev amassed 20 email addresses that belonged to payment card thieves through OSINT research. Using these addresses as jump-off points, Threat Intelligence Platform (TIP) researchers sought to uncover otherwise-unknown web properties that could be peddling stolen credentials. Our in-depth analysis of the indicators of compromise (IoCs) Danchev identified led to the discovery of:
A sample of the additional artifacts obtained from our analysis is available for download from our website.
Several of the email addresses identified as IoCs, nine to be exact, were Gmail addresses. Completing the top 3 email service providers were Rambler.ru and Mail.ru, which accounted for five and four addresses, respectively.
To date, only eight of the 20 email addresses remained valid based on a bulk email verification lookup. Seven of them were Gmail addresses while one was a Mail.ru address.
Our search for currently active payment card e-shops began with reverse WHOIS searches for domains registered using the malicious email addresses. That provided a list of 20,814 domains, eight of which turned out to be malicious.
Four of the eight malicious domains continued to host live content but one was particularly interesting in that it led to the login page of a payment card e-shop.
We then looked at the email-connected domains more closely to determine which had clear connections to stolen card shops. We specifically identified which of them had the strings cvv, dump, card, fullz, and cc—commonly affiliated with the sale of stolen credit and debit cards with their card verification values (CVVs) and corresponding owners’ personal data (e.g., complete name, address, birthdate, and Social Security number).
We were left with 30 domains, nine of which continued to host live content. Here are some examples.
More interesting, though, is that of the nine confirmed online payment card shops, only one—dumps247[.]su—is currently tagged as malicious.
DNS lookups revealed that the 20,814 email-connected domains resolved to 6,207 unique IP addresses scattered across 43 countries led by the U.S., China, and Germany. The U.S. accounted for 4,598 IP hosts, followed by China (986 IP hosts) and Germany (72 IP hosts).
Reverse IP lookups for the 6,207 IP addresses uncovered at least 14,624 domains (limited to five per IP host), 37 of which turned out to be malware hosts. One of these malicious properties continued to host live content, specifically what appears to be an e-commerce site for the latest gadgets.
As with the email-connected domains, we sought to discover which of the IP-connected domains could point to shops peddling stolen payment card credentials. We found 34 domains containing the strings cvv, dump, card, fullz, and cc. Take a look at some of them below.
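The pivoting and keyword filtering described above, re-created offline as an added example (not TIP's or WhoisXML API's code). The reverse WHOIS, DNS and reverse IP lookup tables are constructed stand-ins, and every email, domain and IP in them is a placeholder rather than a value from the research.

```python
"""Offline walk-through of the IoC-expansion pipeline described in the post."""

# Keyword list taken from the post (substring match on the domain name).
CARDING_TERMS = ("cvv", "dump", "card", "fullz", "cc")

# Constructed stand-ins for the reverse WHOIS, DNS and reverse IP services.
# Every email, domain and IP below is a placeholder, not a value from the research.
REVERSE_WHOIS = {  # registrant email -> domains registered with it
    "seller@example.invalid": ["cvv-shop.example", "flowers.example"],
    "other@example.invalid": ["dumps-market.example"],
}
DNS_A = {  # domain -> A record
    "cvv-shop.example": "192.0.2.10",
    "flowers.example": "192.0.2.11",
    "dumps-market.example": "192.0.2.10",
}
REVERSE_IP = {  # IP -> domains co-hosted on it (first IP has more than five)
    "192.0.2.10": ["fullz-store.example", "cardiology-clinic.example",
                   "news.example", "a.example", "b.example", "c.example"],
    "192.0.2.11": ["garden.example"],
}
PER_IP_CAP = 5  # the post limited reverse IP results to five domains per host


def expand_iocs(emails):
    """Pivot email -> email-connected domains -> IPs -> IP-connected domains."""
    email_domains = sorted({d for e in emails for d in REVERSE_WHOIS.get(e, [])})
    ips = sorted({DNS_A[d] for d in email_domains if d in DNS_A})
    ip_domains = sorted({d for ip in ips for d in REVERSE_IP.get(ip, [])[:PER_IP_CAP]})
    return {"email_domains": email_domains, "ips": ips, "ip_domains": ip_domains}


def flag_carding(domains):
    """Return {domain: [matched terms]} using the post's substring filter.

    Substring matching deliberately over-triggers (here 'cardiology-clinic.example'
    is caught by 'card'), so each hit is a lead for analyst review, not a verdict.
    """
    hits = {}
    for domain in domains:
        terms = [t for t in CARDING_TERMS if t in domain.lower()]
        if terms:
            hits[domain] = terms
    return hits
```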
It’s also worth noting the following domains:
We also stumbled upon what looks to be a carding forum hosted on carder-forum[.]ru.
Last but not least, we also found what appears to be a carder’s blog hosted on badb-carder[.]ru.
What was interesting to note, again, is that none of the 34 domains, including those hosting stolen card e-shops, have so far been dubbed malicious.
Our IoC expansion analysis of 20 email addresses that belonged to known carders uncovered more than 40,000 web properties that could have ties to credit card theft and the sale of stolen cards. The findings featured in this post can clue law enforcement agencies into launching more in-depth investigations on the stolen payment card shops we identified.
If you wish to perform a similar investigation or get access to the full data behind this research, please don’t hesitate to contact us.