
Fraudsters Ripping Off Their Own: Fake Carding Shops


Written by Aviel Bar Eitan - Sep 30, 2022

Executive Summary

  • During late 2021 and early 2022, many leading underground marketplaces for compromised payment cards (aka “carding shops”) shut down due to actions and threats against their Russian operators taken by Russian law enforcement agencies.
  • The resulting upheaval in the underground carding ecosystem had a substantial, albeit temporary, impact on the supply and distribution of compromised payment cards.
  • Some threat actors capitalized on this disruption and launched several fake carding shops mimicking what previously were leading carding shops (e.g., JokersStash, UniCC).
  • In this scam, fraudsters (primarily amateurs) were duped into believing that they were purchasing recently compromised payment cards. Instead, they were getting worthless fake or old cards.
  • Most of these fake shops are almost identical to the original ones, not only in their interface but also in their functionality, enabling users to transfer funds to their accounts, search for cards by different criteria, and purchase cards.
  • The existence of scammers on the Dark Web targeting their “peers” is not new; however, this recent campaign is unique in terms of its scale and sophistication. For example, the operators behind this scam have been promoting their fake carding shops on Reddit and created fake carding forums to further promote these shops.
  • While this campaign may increase the level of caution among fraudsters and cybercriminals seeking sources of compromised payment cards, we do not expect it to have a substantial impact on “real” carding shops on the Dark Web.

Background: Upheaval in the Underground Carding Ecosystem

Starting in late 2021 and continuing through early 2022, the laissez-faire attitude of Russian law enforcement towards cybercriminals operating in Russia seemed to be changing. During that time, we witnessed numerous actions by Russian law enforcement targeting cybercriminals. As a result, many underground carding shops were shut down. For more information, please refer to our blog report “Pandemonium in the Dark Web”. The resulting upheaval in the underground carding ecosystem had a substantial, albeit temporary, impact on the supply and distribution of compromised payment cards.

At the same time, some threat actors identified an opportunity to take advantage of the situation and launch fake carding shops mimicking the original ones. In this scam, fraudsters (primarily amateurs) were duped into believing that they were purchasing recently compromised payment cards. Instead, they were getting worthless fake or old cards. In some instances, fraudsters would lose their funds as soon as they loaded cryptocurrency to their wallets on the shop. The existence of scammers on the Dark Web targeting their “peers” is not new; however, this recent campaign is unique in terms of its scope and sophistication.

Reddit: Where It All Begins

A subreddit on the Reddit[1] platform, named “CvvDumpsShop”, was created on January 19, 2020. The subreddit has 4.2K followers and contains links to the fake carding shops designed to mimic several highly reputable and well-known carding shops that were shut down in late 2021 and early 2022. The subreddit also contains links to two fake carding forums[2] that in turn contain threads, banners and ads pointing to the above-mentioned fake carding shops as well as to other forums and fake carding shops.

Main page of the “CvvDumpsShop” subreddit.

Fake Underground Forums

The carding forums that are advertised on the “CvvDumpsShop” subreddit seem quite trustworthy and legitimate, even allowing users to create accounts. Some of them include threads and posts organized by subject, while others simply feature banners and advertisements for fake carding shops.

The fake carding forum "CVV DUMPS SHOP" contains links to many fake carding shops

These fake carding forums play a critical role in the scam as they advertise and lend credibility to the fake carding shops, especially since underground forums are an important source of information for fraudsters looking for providers of compromised payment cards.

Each fake forum has its own style and unique features. For example, “Carders” contains threads dating back to 2020 promoting various fake carding shops with links and many positive user comments. However, the domain of this forum was registered in 2022. Another interesting example is the “Sky-Fraud”[3] forum, a fake forum mimicking a highly popular underground forum that has been inactive lately, using the same name and a similar domain name.

"Carders[.]mx" - fake carding forum
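
The two tells described above (threads dated earlier than the domain's registration, and a domain that differs from the original only by a separator and TLD) can be checked mechanically. The following Python sketch is an added example, not part of the original article; the domains are the ones named in the text and footnote 3, while the registration and thread dates are constructed for illustration.

```python
from datetime import date

# Constructed sample observations. The domains are the ones named in the
# article; the dates are illustrative and not taken from WHOIS or the page.
FORUMS = [
    {"domain": "carders[.]mx", "registered": date(2022, 2, 1),
     "thread_dates": [date(2020, 5, 14), date(2021, 3, 2), date(2022, 4, 9)]},
    {"domain": "sky-fraud[.]cc", "registered": date(2022, 1, 20),
     "thread_dates": [date(2022, 3, 1)]},
]
# Domain of the original forum being imitated (from footnote 3).
KNOWN_ORIGINALS = ["skyfraud.ru"]

def refang(domain):
    """Turn a defanged domain such as example[.]com into its plain form."""
    return domain.replace("[.]", ".").lower()

def skeleton(domain):
    """Second-level label without separators (assumes a single-label TLD)."""
    label = refang(domain).rsplit(".", 1)[0].split(".")[-1]
    return "".join(ch for ch in label if ch.isalnum())

def backdated_threads(forum):
    """Thread dates that precede the domain's registration date."""
    return sorted(d for d in forum["thread_dates"] if d < forum["registered"])

def impersonated(domain, originals=KNOWN_ORIGINALS):
    """Originals sharing a skeleton with `domain` under a different name."""
    d = refang(domain)
    return [o for o in originals if o != d and skeleton(o) == skeleton(d)]

def assess(forum):
    """Return a list of human-readable findings for one observed forum."""
    findings = []
    old = backdated_threads(forum)
    if old:
        findings.append(f"{len(old)} thread(s) predate registration "
                        f"(earliest {old[0].isoformat()})")
    for o in impersonated(forum["domain"]):
        findings.append(f"lookalike of {o}")
    return findings

if __name__ == "__main__":
    for f in FORUMS:
        print(f["domain"], "->", assess(f) or "no findings")
```
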

Inside a Fake Carding Shop

As mentioned earlier, fake carding shops are not new. However, most of the fake shops examined so far were not sophisticated or well designed, and were often easy to spot. Usually, following login, the user was redirected to a page where a cryptocurrency deposit was required before browsing the store. Obviously, after the deposit was made, nothing happened and the funds were stolen.

The current fake carding shops scam is far more sophisticated and convincing. Each fake shop in the current campaign is almost identical to the original, real shop.

Login page of the fake carding shop “Ferum Shop”

In addition, the shops have functionality and features that include:

  • Compromised payment cards for purchase (that are old or fake). The user is able to purchase the cards; however, the cards are fake or otherwise invalid.
  • Ability to search by various criteria (e.g., BIN number, expiration, state, etc.).
  • Option to transfer funds and view account balance.
  • Navigation between different sections on the site, giving the impression of a real carding store.
  • Registration and login process typical for underground markets, i.e., a new user must register and subsequently log in with a set of valid credentials.

UniCC fake carding shop, allowing advanced search and displaying partial card data.

Conclusion

As we witnessed in the past year, the ecosystem of payment card fraud on the digital underground has been shifting in unexpected new directions. Threat actors will always try to take advantage of such dislocations and profit, no matter the target - “peer” fraudsters and civilians alike. While fake carding shops are not a novel phenomenon, the scale and timing of the current campaign, closely mimicking several highly popular carding shops that recently shut down, combined with fake carding forums, points to a cleverly orchestrated operation. The use of Reddit as a starting point for the whole scheme is also quite unique.

While this campaign may increase the level of caution among fraudsters and cybercriminals seeking sources of compromised payment cards, we do not expect it to have a substantial impact on “real” carding shops on the Dark Web. Demand remains high, especially for high-quality vendors of compromised payment cards. The effect of this campaign will likely be limited in time and confined to the segment of fraudsters who are novices or amateurs.



[1] Reddit is a social news aggregation, content rating, and discussion website. Registered users (commonly referred to as "Redditors") submit content to the site such as links, text posts, images, and videos, which are then voted up or down by other members. Posts are organized by subject into user-created boards called "communities" or "subreddits".
[2] A carding forum is an underground forum facilitating discussion and trade in guides, components, sensitive data, advertisements for services related to payment card fraud and other electronic crimes. It also offers a platform for threat actors to meet and collaborate.
[3] http://sky-fraud[.]cc, impersonating the domain: skyfraud.ru, a very popular underground fraud forum

About the Author

Aviel is a Technical Threat Intelligence Analyst at Q6 Cyber. Prior to Q6, Aviel held roles as a malware analyst and served in the Israel Defense Forces.