Cannibal carders: Group-IB has identified the largest networks of fake shops.

Father

Professional
Messages
2,604
Reputation
4
Reaction score
607
Points
113
In this post we explore, for the first time, a layer of the underground that has not been described before: fake marketplaces for trading bank card data. Carding is a crime. Trading bank card data is a crime. Creating fake stores that copy "original" cardshops is also a crime. We believe that the deeper the underground industry is studied, the more opportunities there are for tracking, studying and combating cybercrime.
That is why we are publishing a study of phishing resources that copy cardshops. Here, by "cardshops" we mean the "original" resources for trading dumps and text data of bank cards; by "fake shops", phishing resources that copy cardshops; and by "users", the buyers of stolen bank card data.
As you have probably understood already, there are no "ordinary users" who became "victims" of scammers in this study. It describes the phenomenon of "cannibalism" in the underground, when some attackers profit from others.

Every Internet user regularly encounters phishing sites. Cybercriminals are no exception. Analysts of Group-IB Threat Intelligence have identified several large groups of scammers who earn money from novice, inexperienced carders by creating and distributing phishing sites for cardshops, the underground stores selling compromised payment data. Group-IB analysts call these sites fake shops.

A large number of fake shops on the web causes problems not only for the cybercriminals who use underground forums but also for cyber intelligence specialists. Fake data posted on them can skew statistics when cardshops are monitored and described, and copied designs of original resources can mislead even an experienced anti-fraud analyst.

As a rule, fake shops are not created one at a time. To reach more users (buyers of stolen bank card data), the creators of fake shops advertise on underground forums and in Telegram chats and trick users into following their links, so that the owners of the original resources, however comical it may sound, suffer reputational losses. They also combine their sites into giant networks.

Analysts of Group-IB Threat Intelligence found three major networks of fake shops, which were named UniFake, JokerMantey and SPAGETTI. The latter, the largest network discovered, has more than 3,000 domain names, many of which are copies of the most popular cardshops in the underground, such as Joker's Stash, BriansClub, Unicc, Ferum Shop, ValidCC and others.

The creators of this network managed to receive at least 9,200 incoming transactions to various crypto wallets, totaling more than $1,200,000 (most of which were received in Bitcoin – 23 BTC at the exchange rate on October 12, 2021).

Unlike the other networks, SPAGETTI also distributes malware through its websites. The creators of this network placed the Taurus Project stealer on their sites as a downloadable file, thereby collecting user data from the browser, usernames and passwords from banking applications, and even crypto wallets.

Group-IB specialists studied how fake shop networks are created and maintained. In the first part of this article, Ruslan Chebesov, head of the Group-IB underground market research group, and Sergey Kokurin, an analyst of Group-IB underground markets, explain how analysts can distinguish an original cardshop from a fake one and how to correctly attribute a fake resource. In the next post, they use the Threat Intelligence & Attribution system to analyze the largest fake shop networks.

What are fake shops?

In the underground sphere of the Internet, there are resources for trading compromised information, such as credit or debit card data, access to user accounts, access to computers via RDP or SSH ports, passport or identification data of citizens of different countries, access to servers and control panels of sites, etc.

These resources are called "underground markets".

The main feature of such markets is the large number of sellers on one resource. The sites themselves are analogous to Amazon or eBay, only on the shadow side of the Internet.

Screenshot of the main page of Amigos market

Cardshops are a special case of such markets. Stolen bank card data is sold there either as text data from the card itself or as dumps, i.e. saved copies of the information from the magnetic stripe. Usually no other types of compromised data are sold on cardshops.

Bestvalid card shop's Card Search section

Cardshops and markets are the main resources for small-time scammers involved in carding, scamming, spam, and other similar types of cybercrime.

Carding, that is, bank card fraud, is one of the simplest forms of fraud and requires no training from the criminal beyond basic computer skills. The low threshold for entering this "industry" creates a high demand for cardshops and marketplaces.

In fact, the high demand and the low literacy of novice carders create ideal conditions for scammers who earn money by creating fake shops: sites that pretend to be working cardshops or underground markets. The most important task is to create the illusion of a real resource, so that a user who lands on the site wants to leave their money there. To that end the scammers can use the names of existing underground resources or even copy the design of their pages completely.

In the case of real cardshops and markets, the user first has to deposit money to their account in order to purchase compromised data with these funds. Paid account activation is also common practice among cardshops: after registration the user must pay from $20 to $200. Fake shops exploit these well-established prepayment schemes to mislead carders.

Example of activating an account on the Amigos market

All fake shops can be divided into three types:

  1. Creating the appearance of a new cardshop or marketplace. This is the easiest way to cheat. The attacker builds a resource with the design elements that create the impression of a cardshop or market: lists of card databases, a shopping cart, news and updates, a support system, etc. Well-established words and abbreviations are also used for the name and the domain name itself: "cc", "dump", "cvv", "shop", "carding", "pin", "swipe", "sniff", "money" and others.
    Screenshot of the cvvunion fake shop
  2. Creating a phishing resource that mimics an existing cardshop. For this, attackers register a domain name that resembles the original one: they swap letters or words in the name, add abbreviations, make deliberate typos, or append some of the words from the paragraph above. To mislead further, attackers can copy the design of the original site: the HTML code, CSS styles and images. This is not a difficult task, but for an inexperienced user it increases confidence in the credibility of the resource.
    Screenshot of the main page of the Unicc fake shop, completely copying the original
  3. "Capturing" the domain name of a real cardshop or market. This is one of the hardest ways to create a fake shop: the attacker has to re-register a domain name that once belonged to a cardshop or marketplace. This is quite possible if the site owners did not pay the registrar in time, or their domain was de-delegated for some reason. Users who previously reached the resource through that address then land on the fake shop.
    Examples are unicc[.]cm and briansclub[.]ru. As we can see, outraged users who suspect fraud send messages to the administration of the original cardshops. Admins often have to additionally inform their users about the change of domain name.
    A post on the altenens[.]org forum. Source: Group-IB Threat Intelligence & Attribution
    As follows from the BriansClub administrator's message in the screenshot below, the briansclub[.]ru domain previously belonged to his cardshop. At the moment, however, a fake shop is hosted there.
    A post on the omerta forum. Source: Group-IB Threat Intelligence & Attribution
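As an added illustration of the naming tricks described in types 1 and 2 above (example code written for this page, not a Group-IB tool), the script below scores candidate domains against a reference list of the brand names and carding keywords taken from the text. The candidate domains, weights and thresholds are assumptions chosen for the example; the allowlist of confirmed originals is something an analyst would maintain by hand.

```python
import re
from difflib import SequenceMatcher

# Reference list: cardshop brands named in the article and the words it lists as
# typical for fake-shop names. Weights and thresholds are assumptions for the example.
KNOWN_BRANDS = ("unicc", "briansclub", "jokerstash", "ferumshop", "validcc", "bestvalid")
CARDING_KEYWORDS = ("cvv", "dump", "dumps", "shop", "store", "carding", "pin",
                    "swipe", "sniff", "money", "bazar", "cc")
ALT_TLDS = ("bazar", "onion")   # alt-root and Tor zones mentioned in the text


def split_domain(domain):
    labels = domain.lower().strip(".").split(".")
    return (labels[-2], labels[-1]) if len(labels) > 1 else (labels[0], "")


def normalise(label):
    """Drop hyphens and digits so that 'br1ans-club' compares as 'briansclub'."""
    return re.sub(r"[-0-9]", "", label)


def keywords_in(label):
    parts = {p for p in re.split(r"[-0-9]+", label) if p}
    found = set()
    for kw in CARDING_KEYWORDS:
        if len(kw) >= 3 and kw in label:   # longer words may be glued on: 'cvvunion'
            found.add(kw)
        elif kw in parts:                  # two-letter 'cc' must be its own token
            found.add(kw)
    return found


def score_domain(domain, allowlist=frozenset()):
    """Return (score, reasons) for how strongly a domain imitates a cardshop.
    `allowlist` holds the operator-confirmed original domains, which score 0."""
    domain = domain.lower().strip(".")
    if domain in allowlist:
        return 0.0, ["confirmed original"]
    label, tld = split_domain(domain)
    norm = normalise(label)
    score, reasons = 0.0, []
    for brand in KNOWN_BRANDS:
        if brand in norm:
            score += 0.6
            reasons.append(f"contains brand '{brand}'")
            continue
        ratio = SequenceMatcher(None, norm, brand).ratio()
        if ratio >= 0.8:                   # one swapped/dropped letter, digit for letter
            score += 0.5
            reasons.append(f"near-brand '{brand}' (similarity {ratio:.2f})")
    kws = keywords_in(label)
    if kws:
        score += 0.15 * len(kws)
        reasons.append("carding keywords: " + ", ".join(sorted(kws)))
    if tld in CARDING_KEYWORDS or tld in ALT_TLDS:
        score += 0.1
        reasons.append(f"suggestive TLD .{tld}")
    return round(min(score, 1.0), 2), reasons


if __name__ == "__main__":
    # Candidate domains are constructed for the example, not taken from the study.
    for d in ("uni-cc.bazar", "br1ansclub.store", "cvvunion.com", "example.com"):
        print(d, score_domain(d))
```

The score is only a triage signal: a hit on a brand name is a reason to pull WHOIS, hosting and certificate data for the domain, not proof that it is a fake, and the true original has to be allowlisted from a source other than the domain name itself.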
On underground forums you can often see threads and messages listing fake shops. This is how forum users try to fight the phishing advertisements.

Message on the crdclub.ws forum. Source: Group-IB Threat Intelligence & Attribution

Messages from deceived carders can often be found on various forums, as in the screenshot below, where the user deposited money to an account on a marketplace but never got the chance to purchase the desired "services".

Screenshot from the carder.market forum

And some resource owners, in an effort to avoid losing their audience and reputation, even indicate a list of fake shops masquerading as them on their resource.

Screenshot of the Valcc market authorization page

Identifying a real or fake resource is often not easy. Just like the creators of ordinary phishing web pages, the owners of fake shops try to copy the original as accurately as possible. Let's compare the authorization page of a real Ferum-shop and its fake one:

[Image: authorization pages of the real Ferum-shop and its fake, side by side]


Visually, the differences are almost invisible; for example, the banner ads are copied completely. However, note the different captcha systems on the original and the fake (highlighted in red). The panel design (highlighted in green) and the button design (highlighted in blue) were also transferred inaccurately.
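An analyst can make the comparison above mechanical instead of visual. The following added example (not code from the article) reduces two login pages to a structural fingerprint: form targets, input names, the hosts that scripts are loaded from (which is where a swapped captcha system shows up), image paths and CSS class names, and reports what each page has that the other lacks. Both HTML documents are constructed for the example; "captcha-provider.example" stands in for whatever third-party captcha a fake might use.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class LoginPageFingerprint(HTMLParser):
    """Collect the structural features worth comparing between a shop's login
    page and a suspected copy: form targets, input names, hosts that scripts
    are loaded from (a swapped captcha provider shows up here), image paths
    and CSS class names."""

    def __init__(self):
        super().__init__()
        self.features = {"form_actions": set(), "input_names": set(),
                         "script_hosts": set(), "image_paths": set(),
                         "classes": set()}

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        f = self.features
        if tag == "form":
            f["form_actions"].add(a.get("action", ""))
        elif tag == "input":
            f["input_names"].add(a.get("name") or a.get("type", ""))
        elif tag == "script" and a.get("src"):
            f["script_hosts"].add(urlparse(a["src"]).netloc or "<same-origin>")
        elif tag == "img" and a.get("src"):
            f["image_paths"].add(urlparse(a["src"]).path)
        if a.get("class"):
            f["classes"].update(a["class"].split())


def fingerprint(html):
    parser = LoginPageFingerprint()
    parser.feed(html)
    parser.close()
    return parser.features


def compare_pages(original_html, suspect_html):
    """Return only the feature sets that differ, as what each side has alone."""
    orig, susp = fingerprint(original_html), fingerprint(suspect_html)
    return {name: {"only_original": sorted(orig[name] - susp[name]),
                   "only_suspect": sorted(susp[name] - orig[name])}
            for name in orig if orig[name] != susp[name]}


# Constructed pages for the example; neither is a real cardshop's markup.
ORIGINAL_HTML = """
<html><body>
<img class="banner" src="/banners/ad1.gif">
<form action="/login" method="post" class="panel panel-dark">
  <input type="text" name="login">
  <input type="password" name="password">
  <img class="captcha" src="/captcha/image.php">
  <input type="text" name="captcha">
  <button class="btn btn-login">Login</button>
</form>
</body></html>
"""

SUSPECT_HTML = """
<html><body>
<img class="banner" src="/banners/ad1.gif">
<script src="https://captcha-provider.example/api.js"></script>
<form action="/login" method="post" class="panel panel-default">
  <input type="text" name="login">
  <input type="password" name="password">
  <div class="captcha-widget" data-sitekey="placeholder"></div>
  <button class="btn btn-primary">Login</button>
</form>
</body></html>
"""

if __name__ == "__main__":
    for feature, diff in compare_pages(ORIGINAL_HTML, SUSPECT_HTML).items():
        print(feature, diff)
```

The banner image is identical on both pages and therefore never appears in the output, while the self-hosted captcha image and its input field show up only on the original and the third-party script host only on the copy, which is the same difference the red highlight in the screenshot points at.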

Such differences can easily mislead an inexperienced user, especially when the creators of the Ferum-Shop fake shop actively advertise an urgent "change" of the marketplace's domain name on the forums.

Post on the sky-fraud[.]ru forum. Source: Group-IB Threat Intelligence & Attribution

Disclaimer

  1. The purpose of this study is to provide information on ways to commit illegal acts in order to attract the attention of state regulators and relevant authorized bodies, as well as to minimize the risk of further committing such illegal acts, prevent them in a timely manner and form an appropriate level of legal awareness among users.
  2. The conclusions contained in this study are the result of analysis by Group-IB specialists of information obtained from open sources, and in no part represent the official position of the competent authorities, including law enforcement agencies of any jurisdiction. Information that became publicly known prior to the publication of this study is reproduced in its original form. The study does not contain direct accusations of committing crimes or other illegal actions and is analytical in nature.
  3. This research is prepared for informational and educational purposes and cannot be used by the reader for commercial or other purposes not related to education or personal non-commercial use.
  4. The research is subject to copyright and is protected by the norms of intellectual property law.
 

If you remember, in the first part of our study, Ruslan Chebesov, head of the Group-IB underground market research group, and Sergey Kokurin, an analyst of Group-IB underground markets, explained how and why fake shop networks are created, how analysts can distinguish an original cardshop from a fake one, and how to correctly attribute a fake resource. In this post the experts move from theory to practice and use the Group-IB Threat Intelligence & Attribution system to analyze the largest fake shop networks. Here is what they found.

The largest fake shop networks

UniFake

Fakes are rarely made one at a time. To gain more coverage and attract traffic, entire networks are created from domains that are owned by attackers.

Source: Group-IB Threat Intelligence & Attribution, Network Graph

Domain name connections within a network can be tracked through a shared hash of the domain owner's registration data (information from the domain registrar), shared IP addresses, or the same SSL/TLS certificate served by different sites.
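One way to implement the pivots named above, as an added example that is not part of the original study or of the Threat Intelligence & Attribution system: domains become linked when they share a registrant-data hash, a hosting IP or a TLS certificate fingerprint, and the connected components of that graph are the candidate networks. The records below are constructed; the `ignore` set models the practitioner's caveat that a shared-hosting or CDN IP, or a WHOIS-privacy registrant hash, links thousands of unrelated domains and must not be used as a pivot.

```python
from collections import defaultdict

PIVOTS = ("registrant_hash", "ip", "cert_fingerprint")

# Constructed records (hostnames, hashes and addresses are placeholders).
RECORDS = [
    {"domain": "fake-a.example", "registrant_hash": "reg-h1", "ip": "198.51.100.10", "cert_fingerprint": "cert-1"},
    {"domain": "fake-b.example", "registrant_hash": "reg-h1", "ip": "198.51.100.20", "cert_fingerprint": "cert-2"},
    {"domain": "fake-c.example", "registrant_hash": "reg-h2", "ip": "198.51.100.20", "cert_fingerprint": "cert-3"},
    {"domain": "fake-d.example", "registrant_hash": "reg-h3", "ip": "198.51.100.30", "cert_fingerprint": "cert-3"},
    {"domain": "unrelated.example", "registrant_hash": "reg-h9", "ip": "198.51.100.90", "cert_fingerprint": "cert-9"},
]


def shared_pivots(records, ignore=frozenset()):
    """Map each (field, value) seen on two or more domains to those domains.
    Values in `ignore` (CDN/shared-hosting IPs, privacy-proxy registrant hashes)
    are never used as links."""
    index = defaultdict(set)
    for r in records:
        for field in PIVOTS:
            value = r.get(field)
            if value and value not in ignore:
                index[(field, value)].add(r["domain"])
    return {k: v for k, v in index.items() if len(v) > 1}


def cluster_domains(records, ignore=frozenset()):
    """Connected components over the 'shares a pivot value' relation."""
    adjacency = defaultdict(set)
    for domains in shared_pivots(records, ignore).values():
        for d in domains:
            adjacency[d].update(domains - {d})
    seen, clusters = set(), []
    for r in records:
        start = r["domain"]
        if start in seen:
            continue
        component, stack = set(), [start]
        while stack:                      # iterative DFS
            d = stack.pop()
            if d in component:
                continue
            component.add(d)
            stack.extend(adjacency[d] - component)
        seen |= component
        clusters.append(frozenset(component))
    return clusters


def explain_cluster(records, cluster, ignore=frozenset()):
    """The pivot values that tie a cluster together: the evidence behind the attribution."""
    return sorted((field, value, tuple(sorted(doms)))
                  for (field, value), doms in shared_pivots(records, ignore).items()
                  if doms <= cluster)


if __name__ == "__main__":
    for c in cluster_domains(RECORDS):
        print(sorted(c), explain_cluster(RECORDS, c))
```

In the sample data all four fake domains form one network through a chain of a shared registrant hash, a shared IP and a shared certificate. Treating the shared IP as a hosting artefact (passing it in `ignore`) splits that chain into two clusters of two, which is why every link in a reported network should be backed by a pivot that is specific to the operator rather than to the hosting provider.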

Source: Group-IB Threat Intelligence & Attribution, Network Graph

Such networks can contain from several tens to thousands of domains. Creators of fake stores usually choose domain names that are similar to the URLs of existing cardshops.

Copying well-known cardshops has its own advantages: it gives a chance to deceive not only novice carders but also experienced cybercriminals. One such example discovered by Group-IB experts is the UniFake network of fake shops, which copies the well-known Unicc cardshop. The UniFake network includes both copies of other cardshops and its own unique domain names, but the vast majority of sites in the network copy Unicc.

Source: Group-IB Threat Intelligence & Attribution, Network Graph

Unicc is one of the largest underground cardshops. The resource started working in 2012 and immediately gained popularity, both among carders thanks to its large number of updates and among intermediary cardshops that resell Unicc data for a commission thanks to its card sales API.

Forum post on fl.l33t.su. Source: Group-IB Threat Intelligence & Attribution

Most likely, these factors influenced the appearance of a large number of fake shops. Users themselves have to create long lists of fake domains in order to figure out which one is real.

Screenshot from Reddit with a list of fake shops imitating Unicc

Group-IB Threat Intelligence analysts discovered more than 100 domain names in the UniFake network. Most of them, 66 domain names, copy the Unicc design with high accuracy. All of them use the word fragments "uni", "cc", "cvv", "shop", "store", "bazar" and hyphens in their names. The domains are spread across different zones, including sites in the .onion and .bazar zones. The main difference from the real cardshop is the substituted wallet address presented to new users as an "account activation" fee.

Screenshot of the unicc.cx fake shop authorization page

It should be noted that the username and password check on fake shop sites is fictitious: whatever data is entered lets the user into the site.

At the moment, 22 fake shops mimicking Unicc remain active within the same network, 9 of which redirect to the same resource.

In total, during the analysis of the network of fake shops masquerading as Unicc, Group-IB Threat Intelligence analysts found 21 crypto wallets for different currencies. The wallets are controlled by the owners of the fake shops and are used to accept payments for "activating" users.

Fake shops bring significant profits to their owners. Group-IB analysts recorded 150 transactions totaling $17,377 at the exchange rate for October 2021, made on the resources of the Unifake network of fake shops.

It should be clarified that this data may be incomplete, as the creators of fake shops periodically change the wallet addresses on their resources. Thus, they try not to arouse suspicion among experienced carders, who know that real cardshops often create new wallets, so that it is more difficult to track the movement of funds. Often, wallets are generated for each transaction separately, so you can only track resources where the generation does not work for any reason.

JokerMantey

In January 2021, the owner of the resource, known under the nickname JokerStash, announced the closure of his platform for selling bank card data.

Message from JokerStash about closing the resource

The original resource went on a "well-deserved rest", but this did not stop its numerous fake "followers" from continuing to exist on the darknet. For example, jstashbazar[.]com, one of the most famous and long-standing fake shops "under the Joker", remains active.

Post on the wwh-club[.]net forum. Source: Group-IB Threat Intelligence & Attribution

JokerStash himself wrote about it even before the closure, in April 2019. The owners of the fake marketplace tried to copy the design of the original site completely: the registration form, the unique captcha system and the card databases.

Joker's Stash fake shop authorization page

Databases presented on the fake Joker's Stash

Experienced carders could recognize a fake by paying attention to the names of databases of compromised cards posted on the site. On the original Joker's Stash card shop, they were always capitalized and included certain keywords:

Examples of database names sold on the original Joker's Stash card shop

The creators of the JokerMantey network did not take this feature into account.

Names of databases "offered" on the fake Joker's Stash

To make it appear that bank card data is available for sale, the fraudsters can generate data that is supposedly masked with the "*" symbol. For this you need to know the Bank Identification Number (BIN), the first six digits of the card number, together with the bank's name and country; such information can usually be found on specialised resources. The missing data for the fake lot (card expiration date, address, ZIP code and holder's name) can simply be generated around the BIN. The second option is to copy masked data hosted on other resources.

In either case the fake shop never needs full card details. A buyer interested in such a "product" on a fake shop loses money twice: first for "activating" access to the resource, and then when "buying" the fake cards.

Jstashbazar[.]com generates a new Bitcoin wallet every time a user tries to activate an account, so the amount of funds received by the site owners cannot be tracked that way. However, we managed to establish a list of other domains located in the same fake shop network as jstashbazar[.]com.

Source: Group-IB Threat Intelligence & Attribution, Network Graph

Among the domains of the JokerMantey network are fake BriansClub sites (briansclub.store, briansclub.shop, briansclub.me), other addresses of the Joker's Stash fake shop (jokerstash.cc), a copy of Unicc (unicc.me), and independent fake shops not tied to any existing one (cvv2me.com, cryptonshops.com). In total we detected more than 20 domain names.

For the JokerMantey fake marketplaces we found two linked Bitcoin wallets, one Litecoin wallet and one Dash wallet placed on the payment forms.

A total of 304 transactions totaling $220,587 were recorded at the exchange rate as of October 2021.

SPAGETTI

The main "asset" of SPAGETTI is fakes of BriansClub, one of the oldest and largest cardshops, which has been operating since 2014.

As with other major players in the bank card sales market, several clones of BriansClub have been created. One of them is briansclub[.]ru, whose creators went beyond the usual payment for account activation.

Fake BriansClub account activation system

After paying for account activation on the briansclub[.]ru fake shop, the user saw the message "Your account is activated! For safe use of the store. Download the protected app." and a link to the archive panelcontorl.rar.

Message and download link

The archive itself contained two files PanelControl.exe and LitePanel.exe.

However, instead of getting a control panel for working with the shop, the user who ran the files launched the Taurus Project stealer (aka Taurus).

File structure of "panelcontrol.rar". Source: Group-IB Threat Hunting Framework

The Taurus Project stealer collects information from the Chrome, Opera and Firefox browsers, can access the camera, and harvests authentication data from Bitcoin, Ethereum, Bytecoin and other crypto wallets. Thus, after launching the file, an inexperienced user could lose the credentials of the crypto wallets they had just paid the activation from, as well as access to other resources, including cardshops.

Released in April 2020, the Taurus Project is a more advanced version of the Predator The Thief stealer. Both stealers were developed by a user under the nickname Alexuiop1337 and have a lot in common: the way the initial configuration is loaded, the same obfuscation method, functionality, etc.

When studying the Taurus stealer distributed through the SPAGETTI cardshop network, requests were found being sent to the IP addresses 104.21.52.20 and 172.67.194.75.

Source: Group-IB Threat Intelligence & Attribution, Network Graph

Group-IB Threat Intelligence analysts were able to determine that these addresses belong to the monerdome[.]ru site and are attributed to the Taurus botnet. Both addresses fall within Cloudflare's anycast ranges, so they identify the reverse proxy in front of the site rather than its origin server.

HTTP POST requests were sent directly to the site itself.

Source: Group-IB Threat Intelligence & Attribution

To attract traffic, the creators of SPAGETTI maintain a huge network of fake shops, both independent and copies of other well-known cardshops such as BriansClub.

Source: Group-IB Threat Intelligence & Attribution, Network Graph

In total, the Group-IB Threat Intelligence team recorded more than 3,000 domains belonging to the SPAGETTI fake shop network.

It is worth noting that most of the domains were registered starting from March 2021. At the same time, two sites appeared: monerdome[.]ru, the C2 server of the Taurus stealer, and panelshopload[.]su, which hosted the downloadable archive containing the Taurus Project stealer files. The reason may be a change in the network's mode of operation or a change of owner; at the moment this cannot be determined.

Note that all sites look the same, only the domain name, authorization page, and resource name change. The authorization page can be either unique, i.e. created or generated for each site separately, or a copy of the design of well-known cardshops.

Screenshot of the authorization page of the briansclub[.]ru fake shop

Original login page of the "Trump's Dumps" card shop

Screenshot of the festore-dumps.ru fake shop, which copies the login page of the "Trump's Dumps" card shop

However, after logging in to the site, the design always remains the same.

Screenshot of the festore-dumps.ru fake shop

On each site, after the registration procedure, an activation window appears that offers to download the files containing the stealer, ostensibly for working with the cardshop.

Interestingly, the amount in bitcoin shown in the activation form often does not match the stated price of $30 and can reach $100. Most often we observed 0.00088 BTC, which equals $50 at the exchange rate on October 12, 2021.

Screenshot of the festore-dumps.ru fake shop

However, sometimes, for no apparent reason, the amount changes to 0.00316 BTC, which is $181 at the same exchange rate.


This is another way to deceive inexperienced users who will simply enter the specified amount in bitcoins, without checking its equivalent in dollars.

Another feature of this network of fake shops is the rotating Bitcoin wallets. Every time the activation or top-up page is visited, a new Bitcoin wallet address appears. On some of the network's resources a script creates a new empty wallet with each request; most resources, however, draw from a pool of nine Bitcoin wallets. The Ethereum, Litecoin and Dash wallets remain static.

To promote their fake shops, the owners of the SPAGETTI network create resources on the clear web with information about carding. In this way the sites can appear in search results without violating the rules of search engines.


As a rule, such promo resources contain links to Telegram bots, which also advertise the resources of the SPAGETTI fake shop network.



In addition to advertising, cards or accounts can be purchased via the Telegram bots:

Screenshot of a Telegram bot offering to buy PayPal accounts

Screenshot of a Telegram bot offering to buy bank card text data

The owners of the fake shop network do not provide any additional information about the PayPal accounts on offer. In the case of the compromised cards, however, the data turned out to be copied from the real BingoHi cardshop, which uses a distinctive method of masking card data.

Source: Group-IB Threat Intelligence & Attribution, Compromised & Leaks section

The owners of the fake shop changed the card expiration dates to create the appearance of validity, since all the cards copied from BingoHi had been put up for sale in 2019.
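The copying described above leaves a detectable trace. As an added example (not part of the study, with constructed records rather than BingoHi data), the code below matches lots from a suspect shop against a reference shop's listings on the fields a copy leaves unchanged (BIN, last four digits, holder name, ZIP) and flags those whose expiry date differs. It also profiles the masking shape of each shop's card numbers, so that a fake that inherited another shop's masking style stands out. The field names and the "d6x6d4"-style signature notation are assumptions made for the example.

```python
import re
from collections import Counter


def masking_signature(masked_pan):
    """Shape of a masked card number: digit runs become 'd<n>', mask runs 'x<n>'.
    '411111******1234' -> 'd6x6d4'; '4111 11** **** 1234' gives 'd6x6d4' as well."""
    compact = re.sub(r"\s+", "", masked_pan)
    return "".join(("d" if run[0].isdigit() else "x") + str(len(run))
                   for run in re.findall(r"\d+|\D+", compact))


def lot_key(lot):
    """The fields a copied lot keeps unchanged: BIN, last four digits, holder, ZIP."""
    last4 = re.sub(r"\D", "", lot["masked_pan"])[-4:]
    return (lot["bin"], last4, " ".join(lot["holder"].upper().split()), lot["zip"])


def find_copied_lots(suspect_lots, reference_lots):
    """Match suspect lots to a reference shop's listings and report whether the
    expiry was altered (to make a stale listing look valid) and whether the
    masking style was inherited from the source."""
    by_key = {lot_key(l): l for l in reference_lots}
    hits = []
    for lot in suspect_lots:
        src = by_key.get(lot_key(lot))
        if src is None:
            continue
        hits.append({
            "suspect": lot,
            "source": src,
            "expiry_changed": lot["exp"] != src["exp"],
            "same_masking": masking_signature(lot["masked_pan"])
                            == masking_signature(src["masked_pan"]),
        })
    return hits


def masking_profile(lots):
    """How a shop masks its numbers; a fake that copied another shop shows that shop's shape."""
    return Counter(masking_signature(l["masked_pan"]) for l in lots)


# Constructed sample lots (test card prefixes, fictitious holders); not BingoHi data.
REFERENCE_LOTS = [
    {"bin": "411111", "masked_pan": "411111******1234", "exp": "09/20", "holder": "JOHN DOE", "zip": "90210", "listed": "2019-03"},
    {"bin": "550000", "masked_pan": "550000******5678", "exp": "01/21", "holder": "JANE ROE", "zip": "10001", "listed": "2019-04"},
]
SUSPECT_LOTS = [
    {"bin": "411111", "masked_pan": "411111******1234", "exp": "09/24", "holder": "John Doe", "zip": "90210", "listed": "2021-10"},
    {"bin": "550000", "masked_pan": "550000******5678", "exp": "01/21", "holder": "JANE ROE", "zip": "10001", "listed": "2021-10"},
    {"bin": "400000", "masked_pan": "400000**4321", "exp": "12/23", "holder": "A N OTHER", "zip": "30301", "listed": "2021-10"},
]

if __name__ == "__main__":
    for hit in find_copied_lots(SUSPECT_LOTS, REFERENCE_LOTS):
        print(hit["suspect"]["masked_pan"], "copied; expiry changed:", hit["expiry_changed"])
    print(masking_profile(SUSPECT_LOTS))
```

The first suspect lot is the article's pattern exactly: every stable field matches a 2019 listing and only the expiry moved forward. The second matches with the expiry untouched, which is also worth flagging, since a card that expired in 01/21 is still being "sold" in 10/21.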

Despite all the information received from users, as well as the owners of real sites, the network of fake shops continues to actively exist, and the wallets placed on them regularly receive fees for "account activation".

Transactions to the Bitcoin wallet of the fake BriansClub shop

As you can see from this screenshot, on October 23, 2021, an amount of 0.00088 BTC was transferred to one of the network's nine wallets. We wrote above that this is just one of the amounts that appear on the activation page.

Every few days, money is transferred from all the network's wallets to the collector wallet.

Transaction to a collector wallet

All transfers are combined into one large transaction on the side of the SPAGETTI fake shop creator, which saves on transaction fees. The transfer pattern is always the same for every wallet, which made it possible to establish all the wallets belonging to the owner of this network of fake shops.

Subsequently, all collected funds are withdrawn to one of the cryptocurrency exchanges.
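The tracing described in the last few paragraphs can be reproduced with two standard heuristics; the code below is an added example over a constructed ledger, not Group-IB's analysis. Addresses spent together as inputs of one transaction are assumed to share an owner (common-input ownership), and a transaction funded entirely by one cluster with a single output is treated as a sweep into that owner's collector wallet. The second heuristic is exactly the one that must stop at a labelled exchange deposit address, otherwise the exchange's address is absorbed into the criminal's cluster; the `known_external` parameter exists for that. Wallet names and amounts are placeholders (the 88000 sat figure is the 0.00088 BTC fee from the text).

```python
from collections import defaultdict

# Constructed ledger for the example (amounts in satoshi, 0.00088 BTC = 88000 sat):
# customers pay "activation" fees to wallets w1..w3 (with change back to themselves),
# the operator sweeps w1..w3 into a collector in one transaction, and the
# collector pays out to an exchange deposit address.
TXS = [
    {"txid": "t1", "inputs": ["cust1"], "outputs": [("w1", 88000), ("cust1_change", 12000)]},
    {"txid": "t2", "inputs": ["cust2"], "outputs": [("w2", 88000), ("cust2_change", 5000)]},
    {"txid": "t3", "inputs": ["cust3"], "outputs": [("w3", 316000), ("cust3_change", 4000)]},
    {"txid": "t4", "inputs": ["cust4"], "outputs": [("w1", 88000), ("cust4_change", 1000)]},
    {"txid": "t5", "inputs": ["w1", "w2", "w3"], "outputs": [("collector", 570000)]},
    {"txid": "t6", "inputs": ["collector"], "outputs": [("exchange_deposit", 560000)]},
]


def common_input_clusters(txs):
    """Common-input-ownership heuristic: all input addresses of one transaction
    are assumed to be controlled by the same party. Returns {address: cluster_id}."""
    owner, members, next_id = {}, defaultdict(set), 0
    for tx in txs:
        ids = {owner[a] for a in tx["inputs"] if a in owner}
        if ids:
            target = min(ids)
        else:
            target, next_id = next_id, next_id + 1
        for cid in ids - {target}:           # merge previously separate clusters
            for a in members.pop(cid):
                owner[a] = target
                members[target].add(a)
        for a in tx["inputs"]:
            owner[a] = target
            members[target].add(a)
    return owner


def absorb_sweeps(txs, owner, known_external=frozenset()):
    """Sweep heuristic: a transaction funded entirely by one cluster with a single
    output moves funds to that cluster's own collector wallet. It must not be
    applied to labelled exchange deposit addresses, or the exchange gets absorbed."""
    owner = dict(owner)
    changed = True
    while changed:
        changed = False
        for tx in txs:
            ids = {owner.get(a) for a in tx["inputs"]}
            if len(ids) != 1 or None in ids or len(tx["outputs"]) != 1:
                continue
            target = next(iter(ids))
            out_addr = tx["outputs"][0][0]
            if out_addr in known_external:
                continue
            if out_addr not in owner:
                owner[out_addr] = target
                changed = True
            elif owner[out_addr] != target:  # output already clustered: merge
                old = owner[out_addr]
                for a, cid in owner.items():
                    if cid == old:
                        owner[a] = target
                changed = True
    return owner


def cluster_of(owner, address):
    cid = owner[address]
    return frozenset(a for a, c in owner.items() if c == cid)


def external_deposits(txs, cluster):
    """Satoshi paid into the cluster by transactions none of whose inputs it controls."""
    return sum(v for tx in txs if not any(a in cluster for a in tx["inputs"])
               for a, v in tx["outputs"] if a in cluster)


def consolidation_targets(txs, cluster):
    """Outputs of multi-input transactions funded entirely by the cluster: the collector(s)."""
    return sorted({a for tx in txs
                   if len(tx["inputs"]) > 1 and all(i in cluster for i in tx["inputs"])
                   for a, _ in tx["outputs"]})


def trace_network(txs, known_external=frozenset(), seed="w1"):
    owner = absorb_sweeps(txs, common_input_clusters(txs), known_external)
    cluster = cluster_of(owner, seed)
    return {"cluster": cluster,
            "deposits_sat": external_deposits(txs, cluster),
            "collectors": consolidation_targets(txs, cluster)}


if __name__ == "__main__":
    result = trace_network(TXS, known_external={"exchange_deposit"})
    print(sorted(result["cluster"]), result["deposits_sat"], result["collectors"])
```

Starting from a single known activation wallet, the sweep transaction ties the other activation wallets and the collector into one cluster, and summing only deposits that arrive from outside the cluster avoids counting the sweep itself as income. Run without the exchange label, the same code pulls the exchange deposit address into the cluster, which is the kind of over-attribution that inflates reported profits.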

Transfer to one of the cryptocurrency exchanges

Thus, the Bitcoin, Ethereum, Litecoin and Dash wallets, active since the beginning of 2019, received more than 9,200 incoming transactions worth more than $1,296,322 at the exchange rate on October 12, 2021.

For the Bitcoin wallets, 33 outgoing transactions worth more than $746,000 were established, leading to the wallets of major crypto exchanges.

However, it should be borne in mind that over the lifetime of the SPAGETTI fake shop network the crypto wallet addresses could have changed, and the hosted stealer gave its operators direct access to users' wallets. The actual profit of the SPAGETTI owners may therefore be significantly higher.

Conclusion

Fake shops will continue to exist as long as there are underground markets and cardshops. The development of this segment of the underground is also facilitated by the fact that the owners of illegal original underground resources, unlike representatives of legal sites, do not have the opportunity to influence fake shops in the legal field.

However, we are far from thinking that new fake marketplaces related to carding will appear in the near future. At the moment, the fake shop market is divided between several large networks described in this study, and it will not be easy for beginners to build their own, which will be able to follow all the processes of creating, maintaining and promoting sites. The situation may change only if a new method is devised to deceive inexperienced carders or buyers of stolen bank card data, but there are no prerequisites for this yet.

What is the danger of fake shops for underground researchers and Threat Intelligence specialists? First of all, they can lead to the publication of false analytics and incorrect attribution of malicious users if they do not study this phenomenon in depth enough.

We emphasize that even experienced anti-fraud analysts can be misled by a fairly accurately copied design, displaying data from original resources, and active promotions. The study of fake shops helps researchers to study the underground market more comprehensively and in depth, since fake marketplaces have long been a direct part of the carding industry.
