Home / Industry

Uncovering Stolen Card E-Shops Using DNS Intelligence

Ever wondered where the personally identifiable information (PII) phishers steal from victims end up? More likely than not, they’re put up for sale on the ever-growing number of online stolen card shops.

Cybersecuirty researcher Dancho Danchev amassed 20 email addresses that belonged to payment card thieves through OSINT research. Using these addresses as jump-off points, Threat Intelligence Platform (TIP) researchers sought to uncover otherwise-unknown web properties that could be peddling stolen credentials. Our in-depth analysis of the indicators of compromise (IoCs) Danchev identified led to the discovery of:

  • 20,814 domains registered using the payment card thieves’ email addresses, eight of which turned out to be malicious
  • 6,207 IP addresses the email-connected domains resolved to
  • 14,624 domains that shared the email-connected domains’ IP hosts, 37 of which turned out to be malware hosts

A sample of the additional artifacts obtained from our analysis is available for download from our website.

Facts about the IoCs

Several of the email addresses identified as IoCs, nine to be exact, were Gmail addresses. Completing the top 3 email service providers were Rambler.ru and Mail.ru, which accounted for five and four addresses, respectively.

To date, only eight of the 20 email addresses remained valid based on a bulk email verification lookup. Seven of them were Gmail addresses while one was a Mail.ru address.

IoC Expansion Analysis Findings

Our search for currently active payment card e-shops began with reverse WHOIS searches for domains registered using the malicious email addresses. That provided a list of 20,814 domains, eight of which turned out to be malicious.

Four of the eight malicious domains continued to host live content but one was particularly interesting in that it led to the login page of a payment card e-shop.

We then looked at the email-connected domains more closely to determine which had clear connections to stolen card shops. We specifically identified which of them had the strings cvv, dump, card, fullz, and cc—commonly affiliated with the sale of stolen credit and debit cards with their card verification values (CVVs) and corresponding owners’ personal data (e.g., complete name, address, birthdate, and Social Security number).

We were left with 30 domains, nine of which continued to host live content. Here are some examples.

More interesting, though, is that of the nine confirmed online payment card shops, only one—dumps247[.]su—is currently tagged as malicious.

DNS lookups revealed that the 20,814 email-connected domains resolved to 6,207 unique IP addresses scattered across 43 countries led by the U.S., China, and Germany. The U.S. accounted for 4,598 IP hosts, followed by China (986 IP hosts) and Germany (72 IP hosts).

Reverse IP lookups for the 6,207 IP addresses uncovered at least 14,624 domains (limited to five per IP host), 37 of which turned out to be malware hosts. One of these malicious properties continued to host live content, specifically what appears to be an e-commerce site for the latest gadgets.

As with the email-connected domains, we sought to discover which of the IP-connected domains could point to shops peddling stolen payment card credentials. We found 34 domains containing the strings cvv, dump, card, fullz, and cc. Take a look at some of them below.

It’s also worth noting the following domains:

  • Instead of the typical login page you see on payment card e-shops, buying-cc-dumps[.]su showed instructions on how to get in touch with the shop owner on Tor.
  • We also stumbled upon what looks to be a carding forum hosted on carder-forum[.]ru.

  • Last but not least, we also found what appears to be a carder’s blog hosted on badb-carder[.]ru.

What was interesting to note, again, is that none of the 34 domains, including those hosting stolen card e-shops, have so far been dubbed malicious.

Our IoC expansion analysis of 20 email addresses that belonged to known carders uncovered more than 40,000 web properties that could have ties to credit card theft and their sale. The findings featured in this post can clue law enforcement agencies into launching more in-depth investigations on the stolen payment card shops we identified.

If you wish to perform a similar investigation or get access to the full data behind this research, please don’t hesitate to contact us.

By Threat Intelligence Platform (TIP), Enterprise-Grade Threat Intelligence APIs, Tools, and Services

Threat Intelligence Platform (TIP) offers easy to use threat intelligence tools, services, and APIs to get detailed information about hosts and the infrastructure behind them. Gathering data from different providers, utilizing our substantial internal databases (compiled for 10+ years), and also real-time host configuration analysis, our threat intelligence solutions provide an in-depth look at target hosts and are an essential addition to any threat detection toolkit.

Visit Page

Filed Under


Commenting is not available in this channel entry.
CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

Co-designer of the TCP/IP Protocols & the Architecture of the Internet



Domain Names

Sponsored byVerisign

Brand Protection

Sponsored byCSC


Sponsored byVerisign

New TLDs

Sponsored byRadix


Sponsored byDNIB.com

Threat Intelligence

Sponsored byWhoisXML API

IPv4 Markets

Sponsored byIPv4.Global