The Life and Crimes of a Carder
By: Amy L. Wees
University of Maryland University College
April 6, 2012
Abstract
The Internet carding industry is responsible for the identity theft, fraud, and financial losses of countless individuals and businesses every year. The most lucrative example of the carding network came from a website called CarderPlanet. Criminals steal account information, credit cards, and personally identifiable information in a variety of ways, then buy, sell or trade the information online, after which the information can be used to make purchases, withdraw money or further the carder’s career. Though CarderPlanet was taken down and many arrests were made, similar sites and forums are still in existence and flourishing across the Internet. To learn more about the way carding works and why it is so appealing to criminals, one can look at the ease of the craft, the multiple ways to get involved, and the habits and profiles of arrested criminals. This paper will explore the carding crime, the criminals’ actions and motivations, lessons learned from victims and prevention strategies.
Keywords: Carders, Identity Theft, Credit Card Fraud, Cyber-crime
The Life and Crimes of a Carder
The words of a fictitious Internet advertisement boast: “Don’t miss it! There is a limited time only sale on stolen identifications, debit and credit cards including PINs and CVVs, counterfeiting equipment, bank account information and PayPal accounts! Get dumps of U.S. accounts for as little as 20 dollars! Learn how to make your own credit cards with our specialized equipment. It has never been easier to get your hands on all of this FREE money!! Fine print: Membership required, website can be relocated at any time and cannot be held liable for unlawful transactions. All transactions are risky and success is not guaranteed.”
Unfortunately, the above advertisement illustrates a scenario that is very real. The Internet carding industry is responsible for the identity theft, fraud, and financial losses of countless individuals and businesses every year. Criminals steal account information, credit cards, and personally identifiable information in a variety of ways, then buy, sell or trade the information online, after which the information can be used to make purchases, withdraw money or further the carder’s career. Though these criminals can make a lot of easy money and mask their identities behind online codenames to avoid capture, there are many separate roles played in this crime ring and different motivations for involvement. This paper will explore the carding crime, the criminals’ actions and motivations, lessons learned from victims and prevention strategies.
The most lucrative example of the carding network came from a website called CarderPlanet. CarderPlanet was launched in 2003 and was quickly known in the underground community as the place to go to learn the secrets of the carder trade and how to make money from stolen credit cards and identities. Forum topics on the site covered everything from beginners’ instructions, sales or trades of credit cards, identity theft information and sales, programming, hacking and carder software, how to maintain anonymity and security, and employers offering carding jobs (Munns, 2010). The site had fake contact information for an address in Ho Chi Minh City, Vietnam and an administrator who went by the alias “Script”. “Script” was so bold he even created several online advertisements boasting of CarderPlanet’s success. One of the flashy advertisements makes the following statements in capital letters: “NEED RELIABLE PARTER? CARDERPLANET! WORLD-CLASS CARDERS; GENIUS OF PROCESSING SECURITY; PROFESSIONALS OF PAYMENT SYSTEMS; WE GIVE YOU THE KNOWLEDGE; PROFITABLE STRATEGIES, CARDERPLANET TACTICS AND TUTORIALS; CARDERPLANET IS INEVITABLE” (F-Secure, 2008).
The site was easy to find for Internet browsers and Federal Bureau of Investigation (FBI) investigators attempting to hunt down cyber criminals. Authorities gained a lot of leads from posts on the site which could be linked to open cases, but only aliases could be found, with little regarding the location or actual identities of the criminals. Interpol was soon involved, and with the cooperation of multi-national law enforcement agencies, arrests were made and the site brought down (Munns, 2010). In a 2010 FBI press release after the arrest of one of CarderPlanet’s founders, Vladislav Anatolievich Horohorin, U.S. Secret Service Assistant Director for Investigations Michael Merritt stated:
“The network created by the founders of CarderPlanet, including Vladislav Horohorin, remains one of the most sophisticated organizations of online financial criminals in the world; this network has been repeatedly linked to nearly every major intrusion of financial information reported to the international law enforcement community” (U.S. Department of Justice, 2010).
Though CarderPlanet was taken down and many arrests were made, similar sites and forums are still in existence and flourishing across the Internet. To learn more about the way carding works and why it is so appealing to criminals, one can look at the ease of the craft, the multiple ways to get involved, and the habits and profiles of arrested criminals.
Threat Profiles and Scenarios
According to University of Maryland University College (2010), a threat profile has five elements: asset – an item of value, whether data or physical property; actor – the person causing damage; motive – the reason for the action; access – the means of obtaining the item; and outcome – the eventual result of the action (p. 9). For the purpose of this paper, threat profiles will be given based on observed and reported scenarios of carders.
Scenario 1: Data Breach via Wardriving
In 2010, eleven cybercriminals were charged with conspiracy, computer intrusion, fraud, identity theft and various other crimes after stealing forty million credit and debit card numbers via wardriving. The criminals tapped into the wireless networks using laptops while parked in front of various retailers including Sports Authority, TJ Maxx, Barnes & Noble, Marshalls and OfficeMax. After gaining access to the network, they installed packet sniffers to capture account numbers as cash registers processed purchases (U.S. Department of Justice, 2010).
The asset in this case is the credit and debit card numbers. There were 11 separate actors, most with the motive of financial gain as account numbers were sold over the Internet or imprinted on magnetic strips of counterfeit cards and used to withdraw thousands of dollars (DOJ, 2008). Ukrainian Maksym Yastremski was a well-known online seller of stolen cards and supposedly gained eleven million dollars from his crimes. U.S. citizen Albert Gonzalez was also caught while simultaneously acting as a Secret Service informant on a separate operation (Poulsen, 2008). Gonzalez’s motive may have been to lessen his previous sentence by working as an informant but also to use this position as a cover to participate in other crimes for financial gain. He may have been addicted to this crime if even after being caught he could not stop. The outcome of this crime was severe financial losses to several major retailers. The cost of the intrusion to TJ Maxx alone was reported to be over 130 million dollars (Poulsen, 2008).
How could these wardriving attacks have been prevented? Data on a wireless network is transmitted via radio instead of over a wire, leaving it highly vulnerable to interception. The first step in protection is to keep all essential data on a more secured wired network and not connect a device loaded with critical data to an unsecured wireless network. Next, defaults on routers should be changed from factory settings and the Service Set Identifier (SSID) should not be broadcast. When setting passwords, ensure they are complex enough to deter a password cracker. Third, Media Access Control (MAC) address filtering and Dynamic Host Configuration Protocol (DHCP) can be used to limit the number of workstations or devices allowed to access the network. Last and most importantly, ensure the information sent over the wireless network is encrypted. The best encryption standard is Wi-Fi Protected Access 2 (WPA2), which is included in the latest router configurations. Information should also be protected at the source using anti-virus programs, personal firewalls, and wireless network firewalls. For businesses that may need even more protection, virtual private networks (VPN) can be used to ensure the person connecting to the network enters via a secure gateway (Comodo, 2006).
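The checklist in the paragraph above can be turned into a repeatable configuration audit. The following is an added example, not part of the original paper: it assumes the access point is configured in hostapd's key=value format, and the factory SSID list, the passphrase threshold and both sample configurations are constructed for illustration.

```python
# Added example: audit a hostapd-style access point config against the
# checklist in the paragraph above. Both sample configs are constructed.

FACTORY_SSIDS = {"linksys", "netgear", "dlink", "default"}  # assumed sample list
MIN_PASSPHRASE_LEN = 16  # assumed threshold for "complex enough"

WEAK_CONF = """
# constructed sample: factory SSID, WEP, broadcast SSID, no MAC allowlist
ssid=linksys
wep_default_key=0
wep_key0=1234567890
ignore_broadcast_ssid=0
macaddr_acl=0
"""

HARDENED_CONF = """
# constructed sample: settings matching the paragraph's checklist
ssid=store-backoffice-7f3
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=t9!Lq-27vRz_pW4mXe
ignore_broadcast_ssid=1
macaddr_acl=1
accept_mac_file=/etc/hostapd/accept.list
"""

def parse_conf(text):
    """Return {key: value} from key=value lines; skip blanks and # comments."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf

def weak_passphrase(p):
    """True if the passphrase is short or uses fewer than 3 character classes."""
    classes = [any(c.islower() for c in p), any(c.isupper() for c in p),
               any(c.isdigit() for c in p), any(not c.isalnum() for c in p)]
    return len(p) < MIN_PASSPHRASE_LEN or sum(classes) < 3

def audit(text):
    """Return a sorted list of finding codes for one access point config."""
    conf = parse_conf(text)
    findings = set()
    if conf.get("ssid", "").lower() in FACTORY_SSIDS:
        findings.add("factory-ssid")          # router defaults not changed
    if conf.get("ignore_broadcast_ssid", "0") == "0":
        findings.add("ssid-broadcast")        # SSID is advertised in beacons
    if conf.get("macaddr_acl", "0") != "1":
        findings.add("no-mac-allowlist")      # any station may associate
    wpa = int(conf.get("wpa", "0"))           # hostapd bitfield: 1 = WPA, 2 = WPA2
    if not wpa & 2:
        findings.add("no-wpa2")               # open, WEP, or WPA1 only
    ciphers = conf.get("rsn_pairwise", "") + " " + conf.get("wpa_pairwise", "")
    if wpa & 1 or "TKIP" in ciphers:
        findings.add("legacy-wpa-or-tkip")    # older modes still accepted
    if wpa and weak_passphrase(conf.get("wpa_passphrase", "")):
        findings.add("weak-passphrase")
    return sorted(findings)

if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(text))
```

Of these findings, the missing WPA2 encryption is the one the paragraph ranks as most important.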
Scenario 2: Skimming
In 2011, carders were arrested in several states after installing skimming devices on top of existing automatic teller machine (ATM) card slots on the entryway door used for access to the machine. Additionally, carders installed pinhole cameras pointed at the ATM number pad (KTLA News, 2012). The skimming device captured the account numbers on customers’ debit cards and carders later used these numbers in combination with the PINs from captured videos to create counterfeit cards used for purchases and cash withdrawals (Kitten, ATM Skimmer Sentenced to Jail, 2011).
The asset in this scenario is the account data and PINs. In this case there were three actors believed to be linked to a larger crime ring, as several separate arrests were made for similar crimes in New York. Gabriella Graham pleaded guilty to acting as a lookout for other members of her team while they installed cameras and skimming machines at eleven banks in Connecticut, Massachusetts and Rhode Island. She also admitted to creating and using counterfeit debit cards. At first glance Graham’s motive appears to be financial gain, though she was labeled as a mule by authorities and offered a lower sentence in exchange for her testimony against accomplices. This suggests she may have been pressured into involvement by others. The skimming attacks cost banks and customers over $335,000 (Kitten, ATM Skimmer Sentenced to Jail, 2011).
Julie McNelley, a fraud analyst for Aite Group, states “ATM skimming has helped push debit-related fraud losses to the top of the card-fraud list; debit losses now outpace credit card fraud” (Kitten, Skimmers Busted by Fraud Detection, 2011). Customers and banks need to know how to protect themselves from skimming. Customers need to keep an eye on their account statements, look for irregular charges and report them to the bank immediately. Credit cards offer fraud protection, but debit cards are held to a $50 limit by the FDIC’s consumer protection rule. Therefore, if a customer’s bank account is drained due to theft or fraud, the bank does not have to refund the money unless a full investigation is completed to determine there was no fault of the customer (Sullivan, 2004). Some banks use fraud detection software that limits the amount of cash that can be withdrawn on a daily basis and looks for irregular customer spending habits such as large dollar amounts outside of the immediate area.
Customers should also pay attention to ATM card slots or credit card swiping machines that look out of the ordinary. If it appears as if something is attached to the original machine, do not use it and report suspicion to the vendor (Rogak, 2012). Skimmers have also been found on cashiers and wait staff at restaurants, so customers should pay at the register when possible and not leave their card with staff for long periods of time (such as for a bar tab). Retailers should mount security cameras over all areas in the store where transactions are processed to deter employees from theft or fraud (Crane, 2008).
Scenario 3: Phishing
In December 2011, the United Kingdom’s e-crime unit caught six cybercriminals running a phishing scam targeted at college students across the U.K. The criminals sent e-mails to students at various schools asking them to update the login details to their student loans. Some students followed the e-mail link to an official-looking website and provided enough personal information for criminals to gain access to the students’ bank accounts (Kovacs, 2011).
The asset was the student loan accounts and the bank accounts. The actors, whose names were not released, were four men and two women, many in their mid-20s and one aged 49. Police found computers and storage media used to access the stolen information (Neal, 2011). The motive was financial gain, as amounts of up to 5,000 pounds were withdrawn at one time, adding up to over 1 million pounds stolen. The U.K. charged the suspects with “conspiracy to defraud, money laundering and other offences under the Computer Misuse Act” (Ashford, 2011). The outcome to the victimized students and banks is unknown.
Consumer awareness is key when it comes to preventing phishing attacks, as the number of phishing e-mails sent and the differences in subjects are substantial. Consumers need to know what is commonplace in many phishing e-mails and web addresses so they are able to recognize the scams in their inboxes. The Anti-Phishing Working Group (APWG) offers consumer advice and recommendations; a brief summary is given:
- Do not respond to e-mails with requests for personal financial information; banks and other businesses will not ask for this information via e-mail
- Avoid clicking on links in an e-mail. Type the known web address in the address bar instead
- When purchasing items online use trusted retailers and ensure the site address begins with https:// and the padlock icon is shown
- Install a web browser toolbar that will provide alerts when browsing known fraudulent websites
- Report phishing e-mails to the company being spoofed, the Federal Trade Commission or the Internet Crime Complaint Center of the FBI (Anti-Phishing Working Group, 2012).
Scenario 4: The Middle Man
The U.S. Secret Service reports they have arrested “one of its five most wanted cybercriminals in the world” (Metzger, 2010). “BadB” was an online credit card trafficker who was one of the founders of CarderPlanet.com and later opened another site named badb.biz. “BadB” sold credit card dumps to Secret Service agents on one of his sites and collected money for the sale through a Russian-hosted site called Webmoney. The sale led to his eventual identification and arrest in Nice, France (U.S. Department of Justice, 2010).
The asset in this scenario is the credit card dumps, which are large amounts of electronic copies of the magnetic stripes of stolen credit card numbers offered for sale in bulk in online forums (CreditCards.com, 2012). The actor is Vladislav Horohorin, a.k.a. “BadB”, who bought and sold stolen credit card data in web forums, where he reportedly participated scrupulously, posting chat rules against swearing and warnings about devious users. On his own site, badb.biz, he advertised his services with animated cartoons showing Russian political gain by stealing from the U.S. and carders receiving medals for their work. Horohorin’s motive is more than just financial. Being a founder of CarderPlanet and watching fellow carders go to prison did not derail him. He continued on as a leader in the carder crime ring and did not make any attempts to cover his tracks, making noise with his bold cartoon advertisements, his website, and his avid participation on other popular carding sites (Metzger, 2010). His actions show political motivations, as he was determined to show Russian carders as heroes and U.S. citizens as easy targets who deserve to be criminalized. Horohorin also showed that his crimes were motivated by his ego. He wanted to see how much he could get away with. It was obvious he thought he was untouchable. The outcome of Horohorin’s crimes was his arrest. He is charged with access device fraud and aggravated identity theft with a total maximum sentence of up to 12 years in prison and fines of up to $500,000 (U.S. Department of Justice, 2010).
Although authorities have cracked down on carders, the problem remains almost too large to conquer. There is no sign carders are slowing down in their crimes. The credit card and banking industry must find better defenses against the simple ways in which account data can be compromised. Europe, Japan and various other areas around the globe have moved to a new standard using credit cards embedded with a computer chip instead of a magnetic strip. The new cards also require the user to enter a PIN to verify their identity at the time of purchase (Tulipan, 2012). The use of this card prevents skimmers from being used to steal credit card data and is a step in the right direction toward more secure credit and debit cards. Another option would be to utilize biometric systems either instead of cards or to verify the identity of the owner of a card in lieu of a PIN.
History has shown us that regulating information shared on the Internet is nearly impossible. Regulating users of the Internet is also exceedingly tough, as many of the sites in which hackers and cybercriminals converge are quickly moved from one location or host to another or utilize dynamic Internet Protocol addresses. Law enforcement has come together on a global scale to bring cybercriminals to justice, but there are many more criminals to arrest than there are cyber-crime teams to dedicate to their capture. Another solution, posed by journalist Misha Glenny while speaking for Technology Entertainment Design (TED) talks, is to hire the hackers to design security solutions instead of jailing them. Glenny studied some of the most notorious cybercriminals and noted that nearly all of them learned their skills in their teens before their moral compass had developed, demonstrated advanced skills in science and math, and lacked social skills. He also noted that countries like Russia and China are recruiting these hackers before and after they get into crime and utilizing them to develop their cyber-offensive capabilities (Glenny, 2011). Glenny ends his presentation with an interesting point: “We need to find ways of offering guidance to these young people, because they are a remarkable breed. And if we rely, as we do at the moment, solely on the criminal justice system and the threat of punitive sentences, we will be nurturing a monster we cannot tame” (Glenny, 2011).
Identity theft and credit card fraud are a serious global problem. Criminals have various motivations for committing these crimes as carding does not require any advanced hacking skills, it is fairly easy to hide securely behind an Internet address and alias, and there is money to be made. Victims must report crimes and suspicious activity to law enforcement and consumer protection agencies and also stay informed on the latest security threats and prevention strategies.
References
Anti-Phishing Working Group. (2012). Consumer Advice: How to Avoid Phishing Scams. Retrieved from APWG: http://www.antiphishing.org/consumer_recs.html
Ashford, W. (2011, December 9). UK police arrest six in £1m phishing scam. Retrieved from Computer Weekly: http://www.computerweekly.com/news/2240112250/UK-police-arrest-6-for-1m-phishing-scam
Comodo. (2006, October 11). Wardriving: What is it, how common is it, and how to protect against it. Retrieved from Comodo: http://forums.comodo.com/general-security-questions-and-comments/wardriving-what-is-it-how-common-is-it-and-how-to-protect-against-it-t3199.0.html;msg23829#msg23829
Crane, A. (2008, September 9). 5 steps to avoid ID theft at the register. Retrieved from CreditCards.com: http://www.creditcards.com/credit-card-news/merchant-data-security-identity-theft-tips-1275.php
CreditCards.com. (2012, April 6). Credit Card Glossary: Terms and Definitions. Retrieved from CreditCards.com: http://www.creditcards.com/glossary/term-dump.php
Department of Justice. (2008, August 5). Retail Hacking Ring Charged for Stealing and Distributing Credit and Debit Card Numbers from Major U.S. Retailers. Retrieved from Department of Justice: http://www.justice.gov/opa/pr/2008/August/08-ag-689.html
F-Secure. (2008, March 14). Digging the Archives for Case CarderPlanet. Retrieved from F-Secure.com: http://www.f-secure.com/weblog/archives/00001403.html
Glenny, M. (2011, July). Hire the Hackers. (M. Glenny, Performer) TED, Edinburgh, U.K.
Kitten, T. (2011, December 28). ATM Skimmer Sentenced to Jail. Retrieved from Bank Info Security: http://www.bankinfosecurity.com/articles.php?art_id=4362
Kitten, T. (2011, November 22). Skimmers Busted by Fraud Detection. Retrieved from Bank Info Security: http://www.bankinfosecurity.com/articles.php?art_id=4262
Kovacs, E. (2011, December 10). Six Phishers Arrested for Scamming UK Students. Retrieved from Softpedia: http://news.softpedia.com/news/Six-Phishers-Arrested-For-Scamming-UK-Students-239744.shtml
KTLA News. (2012, February 7). 2 Arrested for Installing Skimming Device at Chase Bank. Retrieved from KTLA News: http://www.ktla.com/news/landing/ktla-skimming-device-chase-bank,0,1600909.story
Metzger, T. (2010, August 12). Alleged cybercriminal, cartoonist arrested in France. Retrieved from Creditcards.com: http://www.creditcards.com/credit-card-news/carderplanet-badb-data-thief-cybercriminal-arrested-1282.php
Munns, D. (2010, August 12). The secret history of CarderPlanet.com and Dmitry Ivanovich Golubov. Retrieved from CreditCards.com: http://blogs.creditcards.com/2008/05/secret-history-of-carderplanet.php
Neal, D. (2011, December 9). Arrests made for student phishing scam. Retrieved from The Inquirer: http://www.theinquirer.net/inquirer/news/2131361/arrests-student-phishing-scam
Poulsen, K. (2008, August 5). Feds Charge 11 in Breaches at TJ Maxx, OfficeMax, DSW, Others. Retrieved from Wired: http://blog.wired.com/27bstroke6/2008/08/11-charged-in-m.html
Rogak, L. (2012, April 6). 10 things you should know about identity theft. Retrieved from CreditCards.com: http://www.creditcards.com/credit-card-news/help/10-things-you-should-know-about-identity-theft-6000.php
Sullivan, B. (2004, February 18). ID theft victims face tough bank fights. Retrieved from MSNBC: http://www.msnbc.msn.com/id/4264051/ns/business-online_banking/t/id-theft-victims-face-tough-bank-fights/#.T3kvBdm-2So
Tulipan, M. (2012). European Credit Card Standard Leaves Americans Stranded. Retrieved from The Savvy Explorer: http://www.thesavvyexplorer.com/index.php/life-and-style-mainmenu-31/36-tips/689-european-credit-card-standard-leaves-americans-stranded
U.S. Department of Justice. (2010, August 11). Alleged International Credit Card Trafficker Arrested in France on U.S. Charges Related to Sale of Stolen Card Data. Retrieved from Federal Bureau of Investigation: http://www.fbi.gov/atlanta/press-releases/2010/at081110.htm
University of Maryland University College. (2010). Human Aspects in Cybersecurity: Ethics, Legal Issues, and Psychology. Module 7. UMUC.