How Cyber Criminal Marketplaces Operate: Carding and Reshipping

Cybercriminals operate in an economic system that, though hidden from the view of everyday citizens, is not much different from that of a traditional economy. In both cases, a marketplace links consumers with the producers of the goods and services that the consumers demand.

In the cybercrime economy, criminal forums and online shops represent the primary marketplaces in which products and services are bought and sold, including malware, access to compromised computer systems, login credentials, credit cards, personally identifiable information (PII), and brute-forcing tools, among many others. The reasons for these transactions are as varied as the products and services themselves, as the overall objective of cybercriminals varies from individual to individual.

The purchase of goods (either online or in-store) with compromised credit card information is one of the most common forms of activity driving the cybercrime marketplace. The business model is relatively straightforward: criminals seek to purchase and then resell products at a price that exceeds the cost of obtaining compromised credit cards, be it the cost of purchasing/developing information-stealing malware or the cost of buying compromised cards.

The execution of the schemes, however, can be more problematic. Criminals may have to transpose digital data onto physical cards, detect and defeat e-commerce fraud detection processes, and/or move purchased products between a retailer and the product’s final buyer. Most criminals do not have the resources to perform all of these steps without using services provided by other criminals in the cybercriminal ecosystem. This report provides a high-level overview of how the cybercrime marketplace enables criminals to accomplish each of these tasks and highlights how it facilitates the purchase, shipment, and resale of products that are purchased with compromised credit cards (see Figure 1).

Figure 1: Process for monetizing compromised credit card data via the online purchase of goods.

1A. Obtaining Compromised Credit Card Data

Compromised credit card data is often at the heart of reshipping schemes (the repackaging and shipment of fraudulently purchased goods), and, essentially, a criminal has two options for obtaining credit card data: he may either collect the data himself or purchase data that has been collected and offered for sale by other criminals. In both cases, the criminal can turn to the cybercrime marketplace (e.g., forums and online shops) to meet his resource needs. In the event that a criminal wishes to collect credit card data himself, he may purchase the malware and/or system accesses (e.g., remote access to a point-of-sale system) that will enable him to do so. If the criminal prefers a more direct, less labor-intensive approach to obtaining credit cards, he may visit online shops or contact criminal forum participants who sell card data that may be used for in-store and/or online purchases (Figure 2). Once the card data is obtained, the criminal can then make preparations to use the cards to purchase goods.

Figure 2: A screenshot of compromised credit cards being offered for sale at “Joker’s Stash,” one of many online shops where criminals can purchase credit card data.

1B. Obtaining and Using a Proxy

Criminals may choose to purchase goods in-store or online, but, in many respects, online purchases represent the less risky and less resource-intensive option. There is no need for a criminal to make physical counterfeit cards, and purchases can be made from a distance, thus limiting the circumstances in which a criminal needs to physically expose himself or his associates to victims or potential apprehenders. To that point, and for the sake of simplicity, this section refers to scenarios in which online channels are used to buy goods with compromised credit card data.

Though conducted from a distance, online purchases are not without risk—IP addresses and other system-level indicators can trigger fraud alerts (thus preventing a transaction from taking place), or they can be used to trace a fraudulent transaction back to the perpetrator. For this reason, criminals must don an electronic mask that both hides their true identities and makes them appear to own the compromised credit card or retail account that is used to make a purchase.

Proxies—computers through which criminals route their Internet traffic—serve as a cybercriminal’s mask. As in the acquisition of credit card data, a criminal may either establish his own proxies or purchase access to ready-made proxies that have been established by others. Again, the cybercrime marketplace can provide the resources needed for both approaches. In the do-it-yourself approach, the criminal may purchase the malware or brute-forcing tools that will allow him to compromise, and ultimately co-opt, the computer systems through which he can route his online activities. In the ready-made approach, the criminal can peruse online shops (Figure 3) or contact individual criminal forum members to purchase access to proxies that meet his unique needs, such as a location in a specific geographic region.

Figure 3: An example of a compromised computer system being offered for sale as a potential proxy.

2. Cashing Out Compromised Credit Cards

A criminal with access to compromised credit cards and proxies is ready to begin making fraudulent online purchases. As in other steps of the reshipping process, options for making online purchases abound. Perhaps one of the easiest options is for a criminal to identify e-commerce sites that have been deemed easily cardable—i.e., those that are lacking in some aspect of fraud detection—and then use those sites to make purchases with compromised credit cards. Although a criminal can certainly opt to expend his own resources to identify cardable sites, this is generally unnecessary, given that carding-focused forums frequently contain threads where participants freely identify sites that are easy to card.

A criminal may also choose to set up a fraudulent customer account on an e-commerce site by using the PII of the compromised credit card’s legitimate owner, such as the victim’s name and address. Once a cardable website is identified or an account is established, the criminal may then make his online purchase. Although online purchases can run the gamut from rather innocuous iPhones to export-controlled rifle scopes, the majority of cybercriminals focus their efforts on obtaining smartphones and other electronic goods, as they are the most likely to attract a large number of buyers (Figure 4).

Figure 4: Portions of a Pastebin post that demonstrate the variety of products that can be purchased with compromised credit card data.

3. Shipping and Reselling Fraudulently Purchased Products

At some point, digital purchases need to conclude with the delivery of physical products to physical locations, or, in the case of in-store pickups, directly into somebody’s hands. The product-delivery phase of reshipping schemes poses a significant risk to the criminal who opts to receive fraudulently obtained products himself. As such, most criminals will choose to outsource most, if not all, of the product-pickup process (Figure 5).

Figure 5: An underground forum participant advertising his need for a reshipping service.

Here again, the cybercrime marketplace can come to the criminal’s rescue. So-called “mule herders” provide a one-stop-shop service that handles both the product-pickup and product-delivery phases of the reshipping process, typically for a percentage of the profits that a criminal receives from reselling his fraudulently purchased products. Mule herders recruit, direct, and supply individuals (i.e., mules) who pick up/receive a criminal’s purchased goods, and then reship those goods to a destination of the criminal’s choice. Sometimes mules are witting criminal participants, and sometimes they are not. In either case, the use of a mule network keeps a criminal several steps removed from the physical handling of the fraudulently obtained goods (Figure 6). Once a criminal’s purchased goods arrive at their final destination, they can be resold on the black market, thus completing the monetization of compromised credit card data.

Conclusion

At first glance, financial institutions and retailers may seem like the primary victims of carding and reshipping schemes; however, a critical look at the movement from compromised credit card data to the reshipment of fraudulently obtained goods reveals that, for a cybercriminal, anybody’s computer system can be put to use at some stage of the fraud process.

Consider, for example, the computer systems of a “typical” citizen or a non-banking, non-retail company. These systems almost certainly store and/or process PII that can be used to establish fraudulent accounts on e-commerce sites or be otherwise monetized in criminal forums, and such systems may be equally suitable for use as a proxy after being co-opted through a malware infection or password brute-forcing attack. Even individuals’ physical properties are not immune to targeting, as fraudulently purchased goods can be shipped to residential addresses when the owner is not home, and then retrieved by individuals who will reship the product on a criminal’s behalf. Indeed, the infrastructure behind the monetization of compromised credit card data is characterized by a fluid cast of both criminals and potential victims, and no single type of organization or individual is immune from potentially being victimized at some stage of the monetization process.

This article was originally transmitted as a Cyber4Sight Special Report. Featured image courtesy of the Flickr photo stream of Sean MacEntee licensed under Creative Commons.

Article Link: https://blog.cyber4sight.com/2017/03/how-cyber-criminal-marketplaces-operate/