Posted by Brian Krebs 87.252.242.43 August 23, 2008 at 11:00:38:
In reply:
Web Fraud 2.0: Distributing Your Malware posted by Brian Krebs 87.252.242.43 August 23, 2008 at 10:51:35:
Original text: The allure of cyber crime lies in its promise of quick riches, much like that of the illegal drug trade. But building a network of hacked personal computers that can distribute ..
If there is any truth to the old saying that there is no honor among thieves then it is doubly true for thieves who transact with one another yet never actually meet face-to-face. Perhaps that explains the popularity of certain services in the underground cyber crime economy that make it easy for crooks to purchase stolen credit and bank accounts in bulk and check whether the accounts are legitimate and active. From the many hours Security Fix spent skulking around some of the more active cyber crime communities online recently, I saw a site called sh0pp0rtal.net mentioned quite a bit. I managed to acquire an account on this exclusive service, and found some 78,628 individual MasterCard and Visa credit and debit accounts for sale at various prices there.
Alternatively, sh0pp0rtal users can enter the unique bank identification number (BIN) assigned to the financial institution for which they're seeking active accounts. Don't know the BIN of the bank you're targeting? No problem: the site includes an archive listing thousands of BIN numbers.
According to the price list posted at sh0pp0rtal, for PayPal accounts with balances greater than $1,000, the purchase fee is a flat 5 percent of the total balance. "Balance is shown for each account. Special prices and discounts for bulk purchases greater than $500 WMZ, you will have to talk with SUPPORT." [WMZ is the Americanized version of the Webmoney virtual currency, and currently $1 WMZ~=$1 USD]. Oh no! Not tech support!
But hang on, you say: Why should any thief trust these chaps? After all, they could be just scamming the scammer, no? Absolutely, and that's the impetus behind this next site I will feature, although, at the request of a source with ties to this site, I've agreed not to mention its Web address or its trademarked name. (Yes, these guys take their businesses very seriously, often tacking trademark or copyright symbols next to their brand names. Not that the irony of the whole thing is necessarily lost on the crooks. Sh0pp0rtal, for instance, makes a sly dig at MasterCard's ubiquitous television ads, with its slogan: "There are Some Things Money Can't Buy. For Everything Else, there are Credit Cards.")
Just like with sh0pp0rtal, the prices per transaction decrease as the user increases his purchase volume. $25 USD buys you 50 credit checks; 200 checks can be had for $75; 4,000 credit and debit card checks can be had for $700, and users who pay $1,500-$2,000 up front are entitled to as many checks per month as they want.
Here's the utterly fascinating part about this service. Examine the screen shot above a bit closer, and you will see on the right some dates and information about merchants added. "Fresh merchants," refers to merchant accounts that established businesses have with the credit card issuers. Most merchant accounts can be used to conduct "pre-authorization requests," which credit card companies use to place a temporary charge on the account to make sure that the cardholder has sufficient funds to pay for the promised goods or services. Such pre-auths are typical for businesses that rent equipment or vehicles, where the customer pays in full when he or she returns the equipment or vehicle. This is just an example; pre-auths are actually quite common. In fact, every time you slip your credit card into the machine at the gas pump before filling up you are prompting the station to issue a pre-auth request to your bank.
Users are warned not to try to exceed the portal's limits on checking more than a certain number of accounts at any given time. "As you see we set a limit for checking in Gate 1 and Gate 3. It should stop killing a merchant so fast. Also in this case a Processing [processor] will think that our merchant is legit and it will be more safely for your card."
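A detection-side illustration of the pre-authorization abuse described above, added here and not part of the original article: because the checks are throttled, a burst-rate rule on a merchant account can miss them, so this sketch instead profiles each merchant over a whole window by how many pre-authorized cards are ever captured and how many issuer BINs they span. The record layout, merchant names, card tokens and thresholds are all constructed assumptions.

```python
from collections import defaultdict

def build_sample():
    """Constructed events: (merchant, card_token, bin, kind, amount)."""
    events = []
    # Rental business: 30 customers, 3 issuer BINs, 28 pre-auths later captured.
    for i in range(30):
        card = f"tok-rent-{i:03d}"
        events.append(("rental-shop", card, f"BIN-{i % 3}", "preauth", 200.0))
        if i < 28:
            events.append(("rental-shop", card, f"BIN-{i % 3}", "capture", 180.0))
    # Merchant account used only to check cards: 40 cards, 10 BINs, 1 capture.
    for i in range(40):
        card = f"tok-chk-{i:03d}"
        events.append(("checked-merchant", card, f"BIN-{i % 10}", "preauth", 1.0))
    events.append(("checked-merchant", "tok-chk-000", "BIN-0", "capture", 1.0))
    return events

def merchant_profiles(events):
    """Collect, per merchant, the cards pre-authorized, captured, and BINs seen."""
    stats = defaultdict(lambda: {"preauth": set(), "captured": set(), "bins": set()})
    for merchant, card, bin_, kind, _amount in events:
        entry = stats[merchant]
        if kind == "preauth":
            entry["preauth"].add(card)
            entry["bins"].add(bin_)
        elif kind == "capture":
            entry["captured"].add(card)
    return stats

def flag_card_checking(events, min_cards=20, max_capture_ratio=0.2, min_bins=5):
    """Flag merchants whose pre-auths are rarely captured and span many BINs.

    Thresholds are illustrative assumptions, not values from any processor.
    """
    flagged = []
    for merchant, entry in merchant_profiles(events).items():
        cards = len(entry["preauth"])
        if cards < min_cards:
            continue  # too little activity in the window to judge
        capture_ratio = len(entry["preauth"] & entry["captured"]) / cards
        if capture_ratio <= max_capture_ratio and len(entry["bins"]) >= min_bins:
            flagged.append(merchant)
    return sorted(flagged)

if __name__ == "__main__":
    print(flag_card_checking(build_sample()))
```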