Written by Aviel Bar Eitan - Sep 30, 2022
Starting in late 2021 and continuing through early 2022, the laissez-faire attitude of Russian law enforcement towards cybercriminals operating in Russia was seemingly changing. During that time, we witnessed numerous actions by Russian law enforcement targeting cybercriminals. As a result, many underground carding shops were shut down. For more information, please refer to our blog report “Pandemonium in the Dark Web”. The resulting upheaval in the underground carding ecosystem had a substantial, albeit temporary, impact on the supply and distribution of compromised payment cards. At the same time, some threat actors identified an opportunity to take advantage of the situation and launch fake carding shops mimicking the original ones. In this scam, fraudsters (primarily amateurs) were duped into believing that they were purchasing recently compromised payment cards. Instead, they were getting worthless fake or old cards. In some instances, fraudsters would lose their funds as soon as they loaded cryptocurrency to their wallets on the shop. The existence of scammers on the Dark Web targeting their “peers” is not new; however, this recent campaign is unique in terms of its scope and sophistication.
A subreddit on the Reddit platform named “CvvDumpsShop” was created on January 19, 2020. The subreddit has 4.2K followers and contains links to the fake carding shops designed to mimic several highly reputable and well-known carding shops that were shut down in late 2021 and early 2022. The subreddit also contains links to two fake carding forums that in turn contain threads, banners and ads for the abovementioned fake carding shops as well as for other forums and fake carding shops.
The carding forums that are advertised on the “CvvDumpsShop” subreddit seem quite trustworthy and legitimate, even allowing users to create accounts. Some of them include threads and posts organized by subjects, while others simply feature banners and advertisements for fake carding shops.
These fake carding forums play a critical role in the scam as they advertise and lend credibility to the fake carding shops, especially since underground forums are an important source of information for fraudsters looking for providers of compromised payment cards.
Each fake forum has its own style and unique features; for example, “Carders” contains threads dating back to 2020 promoting various fake carding shops with links and many positive user comments. However, the domain of this forum was registered in 2022. Another interesting example is the “Sky-Fraud” forum, a fake forum mimicking a highly popular underground forum with the same name and a similar domain name that has been inactive lately.
As mentioned earlier, fake carding shops are not new. However, most of the fake shops examined so far were not sophisticated or well designed, and were often easy to spot. Usually, following login, the user was redirected to a page where a cryptocurrency deposit was required before browsing the store. Obviously, after the deposit was made, nothing happened and the funds were stolen.
The current fake carding shops scam is far more sophisticated and convincing. Each fake shop in the current campaign is almost identical to the original, real shop.
In addition, the shops have functionality and features that include:
As we witnessed in the past year, the ecosystem of payment card fraud on the digital underground has been shifting in unexpected new directions. Threat actors will always try to take advantage of such dislocations and profit, no matter the target - “peer” fraudsters and civilians alike. While fake carding shops are not a novel phenomenon, the scale and timing of the current campaign, closely mimicking several highly popular carding shops that recently shut down, combined with fake carding forums, points to a cleverly orchestrated operation. The use of Reddit as a starting point for the whole scheme is also quite unique.
While this campaign may increase the level of caution among fraudsters and cybercriminals seeking sources of compromised payment cards, we do not expect this to generate a substantial impact on “real” carding shops on the Dark Web. Demand remains high, especially for high-quality vendors of compromised payment cards. The effect of this campaign will likely be limited for a period of time to a segment of fraudsters who are novices or amateurs.
About the Author: Aviel is a Technical Threat Intelligence Analyst at Q6 Cyber. Prior to Q6, Aviel held roles as a malware analyst and served in the Israel Defense Forces.