The Value of Free in the Underground Economy

Giving credit cards away doesn’t always conflict with a cybercriminal's desire to make money – in many cases it supports it.

Whenever we present on the underground and mention that fraudsters often post compromised credit cards for free, we often get the question “Why would they do that?” Considering that, unlike the hacker communities of years past, the underground economy is all about the money (and not bragging rights), this is a very legitimate question. After all, if the fraudsters’ goal is to maximize profit, why would they give away stuff they can otherwise sell? The answer is pretty straightforward. Giving credit cards away doesn’t conflict with the vendor’s desire to make money – in many cases it supports it. The focus of the underground economy, maximizing one’s profits, is not exclusive to it but is the focus of every capitalistic market – and that’s not where the similarities end. Just as free samples and promotions exist in any market, so do they exist in the underground economy, with stolen credit cards being the product. However, these free sample promotions are not the work of some sleek underground marketer, but a necessity in some areas of the underground where these vendors operate.

This necessity stems from a big issue in the underground economy – trust. In the real world, if one criminal doesn’t hold up their end of a bargain, they would suffer dire consequences. In the underground, however, members can freely rip off other criminals, then leave the trading area, change their nickname and come back as a fresh entity. This ability motivated many individuals from around the world to do just that, by claiming they’re either buying or selling products and then running away mid-deal with either free products or a buyer’s payment. These individuals are called “rippers” (as they rip off others) and they’re considered the lowest of the low in the online criminal world. Certain areas of the underground which are harder to moderate, such as chat rooms, are filled with rippers who make trading in these circles a perilous thing. A vendor of stolen credit card data needs to prove that he’s “legit” and this is where the free samples come into play. Most vendors have a database of thousands, tens of thousands or hundreds of thousands of stolen credit card numbers. Providing a few or even several dozen free cards can go a long way in proving a vendor’s legitimacy and stimulating business.

Years ago, due to the swelling number of rippers within their midst, fraudsters migrated to a different platform that enabled much stricter moderation – forums. Unlike chat rooms, forums can provide a community with gates and the means to throw rippers out of them. Escrow services, the outing of rippers and a vouching system were put into place in order to provide “legit” criminals with a safe environment to trade in. Anyone interested in becoming a vendor on the forums first had to receive a coveted stamp of approval from the moderators, a special “verified vendor” status. This meant parting again with some free samples in order to have the products reviewed, but these samples were sent to a limited group of individuals instead of the whole community. A “verified vendor” status meant a huge increase in business, as such vendors were considered trustworthy. Of course, some verified vendors proved to be turncoats and misused this trust, ripping off buyers when the opportunity was ripe.

Stolen credit cards are not posted exclusively in chat rooms, though. In the aftermath of DarkMarket, CardersMarket and GhostMarket, many English-speaking forums that opened up were more similar to chat rooms than their ancestral mega-boards, with little moderation and an all-business, no-community approach. Vendors interested in operating on those boards were required to follow the same tactics as in the chat rooms, posting free credit cards for the community to prove their legitimacy. In other types of forums, ones that are not part of the underground and focus on online mischief in general, members often seek to increase their reputation in the community, in order to climb through the ranks even when they are not selling anything. In such cases, posting free credit cards (that in many cases are copy-pasted from other forums) can help achieve that. Instead of simply selling credit cards, some underground vendors used forums and credit card samples in a different business model. Each vendor opened up a carding forum, in which he posted free card samples on an ongoing basis. These posts were meant to draw other fraudsters to the forum. Once the forum had enough members, the vendors created a special “VIP” section, where additional cards were shared exclusively with the members who were able to access the section. In order to become a VIP member, of course, one had to pay the vendor for it.

As long as the underground economy continues to be riddled with trust issues, vendors will continue to have to prove their worth. While in the more exclusive and sophisticated circles fraudsters rely on building a name for themselves and providing the best possible service, those catering to the “common folk” will have to show that they don’t only talk the talk – but walk the walk.

Idan Aharoni is the Head of Cyber Intelligence for the FraudAction Intelligence team at RSA, where he is responsible for gathering, analyzing and reporting intelligence findings on cybercrime and fraud activity. Mr. Aharoni joined Cyota (later acquired by RSA) in February 2005 as an analyst at the Anti-Fraud Command Center. During his service, he founded the FraudAction Intelligence team, which he leads today. Drawing on his work at the Anti-Fraud Command Center, as well as the unique insight he has gained from the intelligence and discoveries gathered by his team, Mr. Aharoni offers vast expertise in the underground fraud economy and how cybercriminals operate.