When Undercover Credit Card Buys Go Bad


I recently heard from a source in law enforcement who had a peculiar problem. The source investigates cybercrime, and he was reaching out for advice after trying but failing to conduct undercover buys of stolen credit cards from a well-known underground card market. Turns out, the cybercrime bazaar’s own security system triggered a “pig alert” and brazenly flagged the fed’s transactions as an undercover purchase placed by a law enforcement officer.

Law enforcement officials and bank anti-fraud specialists sometimes purchase stolen cards from crime forums and “carding” markets online in hopes of identifying a pattern among all the cards from a given batch that might make it easy to learn who got breached: If all of the cards from a given batch turn were later found to be used at the same e-commerce or brick-and-mortar merchant over the same time period, investigators can often determine the source of the card breach, alert the breached company and stem the flow of stolen cards.

Of course, such activity is not something the carding shops take lightly, since it tends to cut into their criminal sales and revenues. So it is that one of the more popular carding shops — Rescator — somehow enacted a system to detect purchases from suspected law enforcement officials. Rescator and his crew aren’t shy about letting you know when they think you’re not a real criminal. My law enforcement source said he’d just placed a batch of cards into his shopping cart and was preparing to pay for the goods when the carding site’s checkout page was replaced with this image:

A major vendor of stolen credit cards tries to detect suspicious transactions by law enforcement officials. When it does, it triggers this "pig detected" alert.

A major vendor of stolen credit cards tries to detect suspicious transactions by law enforcement officials. When it does, it triggers this “pig detected” alert.

The shop from which my source attempted to make the purchase — called Rescator — is the same carding store that was the first to move millions of cards on sale that were stolen in the Target and Home Depot breaches, among others. I’ve estimated that although Rescator and his band of thieves stole 40 million credit and debit card numbers from Target, they only likely managed to sell between 1 and 3 million of those cards. Even so, at a median price of $26.85 per card and the median loss of 2 million cards, that still more than $50 million in revenue. It’s no wonder they want to keep the authorities out.

The analysis method used by my source — the buying of stolen cards to determine a breach source (also called “common point-of-purchase or “CPP” analysis) — was critical to banks helping this reporter identify some of the biggest retail breaches on record in recent years (including Target and Home Depot).

But the CPP approach usually falls flat if all of the cards purchased from the fraud shop fail to reveal a common merchant. More seasoned fraud shops have sought to achieve this confusion and confound investigators by “making sausage” — i.e., methodically mixing cards stolen from multiple victims into any single new batch of stolen cards that they offer for sale. Rescator’s site earned its infamy in part by flouting this best practice with cards stolen in separate breaches at Target, Home Depot, Sally Beauty, P.F. Chang’s and Harbor Freight. But according to banking industry sources, more recently it seems Rescator and other card shops have been flooded with cards from hacked point-of-sale machines at small restaurants across North America.

I told my law enforcement source that it’s not unheard of for cyber thieves who run online stores to employ blacklists of Internet address ranges known to be frequented or assigned to government and law enforcement agencies worldwide. The cybercrime kingpins I wrote about in my book Spam Nation used blacklists to block purchases of rogue pharmaceuticals by fraud investigators (a Spam Nation excerpt showing two key cybercrooks arguing about how best to flag suspicious purchases is in the second half of this story).

Then again, perhaps Rescator’s site simply noticed something amiss when my source funded his account with Bitcoin. The criminals running the fraud shop seized his carding store account and bitcoin balance after the pig alert flashed on my source’s screen — effectively stealing hundreds of taxpayer dollars directly from the authorities.

Unsurprisingly, my source was unwilling to divulge anything about his undercover operations, including any foibles he might have made that led to his outing. He just wanted advice about how to avoid the pig alert in future undercover buys. But I found his case fascinating and yet another example of the growing sophistication of large-scale cybercrime operations.

If the idea of fraudsters using intelligence to outwit investigators sounds fascinating, check out this Nov. 2015 story at PaymentsSource.com, which references the above-pictured pig alert and some other ways many of the more savvy black-market card shops are getting less welcoming to outsiders.

Tags: , , , , ,

Leave a Reply