Carding is a form of cybercrime in which criminals use stolen bank card information or compromised accounts to conduct unauthorized transactions, purchases, or withdrawals. For educational purposes, I will analyze a real-life case involving the use of compromised accounts for carding, describing the mechanisms, stages, tools, consequences, and prevention measures. I will use the 2013 attack on the major retail platform Target as an example, supplementing it with general patterns and examples from carders' practice to illustrate how this works on a broader level.
Case Study: Attack on Target (2013)
Context and scale
In late 2013, the American retail chain Target suffered one of the largest data breaches in retail history. Attackers gained access to 40 million credit and debit card details, as well as personal information (including names, addresses, email addresses, and passwords) for approximately 70 million customers. While the focus was primarily on the theft of card data, compromised customer accounts on Target's website were also actively used for card fraud. This incident illustrates how attackers can exploit access to accounts for fraud.
Stages of attack
- Initial hack and credential compromise:
  - Entry point: The attack began with the compromise of credentials belonging to a contractor working with Target (Fazio Mechanical Services). The attackers used a phishing email carrying malware, which gave them the contractor's credentials.
  - Network intrusion: Using these credentials, the attackers penetrated Target's internal network and installed malware (the BlackPOS Trojan) on POS terminals in stores, which captured card data as cards were used at the terminals.
  - Harvesting customer credentials: In addition to card data, the attackers gained access to the Target.com website database, which stored usernames, passwords (in encrypted form), and other personal information.
- Credential stuffing technique:
  - The attackers tested the stolen logins and passwords on Target.com and other websites (e.g., Amazon, eBay, PayPal). Credential stuffing is the automated testing of login-password combinations across multiple platforms; it works because many users reuse the same password across different services.
  - Tools like Sentry MBA or OpenBullet let carders check thousands of accounts per second. In Target's case, many customers used weak or duplicate passwords, which made the task easier.
- Using compromised accounts for carding:
  - Direct purchases: After gaining access to Target.com accounts, carders used saved payment information (if linked to the profile) to purchase high-ticket items such as electronics, game consoles, televisions, and gift cards.
  - Adding new cards: Where the account had no stored payment information, carders added stolen card details (purchased on the black market or obtained from other leaks) to complete transactions.
  - Changing delivery details: To cover their tracks, carders changed the delivery address to a fake one (called "drops"—the addresses of intermediaries who forwarded the goods onward). In some cases, temporary email addresses or phone numbers were used to confirm orders.
  - Cross-platform attacks: After credentials tested successfully on other platforms, carders made purchases on Amazon, eBay, or other sites using the compromised accounts or by adding stolen cards.
- Monetization:
  - Resale of goods: Purchased goods (such as electronics) were resold through platforms such as eBay, Craigslist, or local markets. Often, goods were shipped to countries with less stringent controls to make tracking more difficult.
  - Gift card cashing: Target gift cards purchased with compromised accounts were sold at a discount on the black market (darknet forums such as AlphaBay or Hansa). Buyers of these cards used them for further transactions or cashing out.
  - Carding for cryptocurrency: In some cases, carders used compromised accounts to purchase cryptocurrency (for example, through exchanges where cards were linked), allowing them to quickly convert the stolen funds into anonymous assets.
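The credential-stuffing stage above is also where defenders get their clearest signal. What follows is an added example (not code from the original article or from Target), run over constructed login-audit lines, that flags a source IP trying many distinct usernames in a short window with a low success rate, and lists the accounts that did authenticate from it so they can be forced through a password reset and 2FA before any order, address change or card change:

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed login-audit lines (not real Target data): "timestamp ip username result".
# 203.0.113.7 walks a combolist (a new username per attempt, mostly failures);
# 198.51.100.9 is one user retrying their own password.
LOG_LINES = [
    "2013-12-01T10:00:00 203.0.113.7 alice FAIL",
    "2013-12-01T10:00:01 203.0.113.7 bob FAIL",
    "2013-12-01T10:00:01 203.0.113.7 carol OK",
    "2013-12-01T10:00:02 203.0.113.7 dave FAIL",
    "2013-12-01T10:00:02 203.0.113.7 erin FAIL",
    "2013-12-01T10:00:03 203.0.113.7 frank FAIL",
    "2013-12-01T10:05:00 198.51.100.9 alice FAIL",
    "2013-12-01T10:05:20 198.51.100.9 alice FAIL",
    "2013-12-01T10:05:40 198.51.100.9 alice OK",
]


def parse(line):
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result


def detect_stuffing(lines, window=timedelta(seconds=60), min_users=5, max_success=0.3):
    """Return {ip: (distinct_users, success_rate)} for source IPs whose logins look
    like credential stuffing: many distinct usernames inside one time window with a
    low success rate. A single account retrying its own password is not flagged."""
    by_ip = defaultdict(list)
    for ts, ip, user, res in map(parse, lines):
        by_ip[ip].append((ts, user, res))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):  # sliding window over the sorted events
            while events[end][0] - events[start][0] > window:
                start += 1
            win = events[start:end + 1]
            users = {u for _, u, _ in win}
            rate = sum(r == "OK" for _, _, r in win) / len(win)
            if len(users) >= min_users and rate <= max_success:
                if ip not in flagged or len(users) > flagged[ip][0]:
                    flagged[ip] = (len(users), round(rate, 2))  # keep the widest window
    return flagged


def accounts_to_protect(lines, flagged):
    """Accounts that authenticated from a flagged source: reset their passwords and
    require step-up 2FA before any order, address change or card change."""
    return {user for _, ip, user, res in map(parse, lines) if ip in flagged and res == "OK"}
```

The thresholds are illustrative; in practice they are tuned per login endpoint, and the same logic is applied per /24 or per ASN because stuffing tools rotate through proxies.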
Technical aspects of carding
- Carder tools:
  - Combolists: Carders use "combolists" — lists of stolen usernames and passwords that are purchased on the dark web or collected from public leaks (for example, through sites like Have I Been Pwned).
  - Proxies and VPNs: To bypass security systems (such as IP blocking), carders use proxy servers or VPNs to mask their location and simulate access from the victim's region.
  - Anti-fraud bypass: Modern carders use techniques to bypass anti-fraud systems, such as imitating user behavior (for example, using bots that scroll through pages before making a purchase) or browser fingerprinting.
  - CC checkers: To verify the validity of stolen cards, carders use services that test cards on small transactions (for example, through donations to charity sites).
- Darknet market:
  - Stolen accounts and card details were sold on darknet forums. For example, a complete set of card details (number, CVV, cardholder name) could cost between $5 and $50, depending on the card's limit and region. Compromised accounts with linked cards or high credit limits were valued higher.
  - Carders also exchanged "guides" (manuals) that described methods for bypassing specific platforms (for example, how to bypass two-factor authentication or transaction monitoring systems).
The aftermath of the attack on Target
- For the company:
  - Financial losses: Target estimated direct losses at $252 million, including customer compensation, investigation costs, and legal fees. Indirect losses (reputational damage, lost sales) were even higher.
  - Legal implications: The company faced numerous lawsuits from customers and from banks whose cards were compromised.
  - Leadership changes and reputational damage: Target CEO Gregg Steinhafel resigned. The company lost customer confidence, leading to a temporary decline in its stock.
- For customers:
  - Affected customers faced unauthorized card charges, identity theft, and the need to replace their cards.
  - Many customers fell victim to secondary attacks, as password reuse allowed their credentials to be used on other platforms.
- For the industry:
  - The incident became a catalyst for new security standards in retail, such as EMV chips (more secure than magnetic stripes) and improved encryption protocols.
  - Companies began to implement two-factor authentication (2FA) and systems for monitoring suspicious transactions more actively.
Common carding schemes using compromised accounts
Besides the Target case, carders often use the following approaches:
- Phishing: Sending fake emails or creating fake websites to trick users into entering their personal information.
- Skimming: Installing devices on ATMs or terminals to read card data.
- Purchasing data on the darknet: Carders purchase ready-made databases (logins, passwords, card data) from forums such as RaidForums or its successors.
- Automation Bots: Using bots to mass test credentials and perform transactions.
- Social engineering: Deceiving users to gain access to their accounts (e.g. by calling while pretending to be tech support).
How to Protect Yourself: Recommendations for Users and Companies
- For users:
  - Unique passwords: Use a different password for each service. Password managers (e.g., LastPass, 1Password) can help you store them.
  - Two-factor authentication (2FA): Enable 2FA wherever possible, preferably through authenticator apps (Google Authenticator, Authy) rather than SMS.
  - Transaction monitoring: Regularly check your card statements and bank notifications.
  - Limit data saving: Do not save card data on websites unless necessary.
  - Antivirus and updates: Use antivirus software and update your devices regularly to protect yourself from malware.
- For companies:
  - Data protection: Store passwords only as bcrypt hashes, and keep payment data encrypted.
  - Access restriction: Apply the principle of least privilege to employees and contractors.
  - Anti-fraud systems: Use tools to monitor suspicious transactions (e.g., FraudLabs, Signifyd).
  - Regular audits: Conduct network security audits and penetration testing.
  - Customer education: Educate users about phishing and the importance of 2FA.
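The anti-fraud recommendation above can be made concrete with the account-misuse signals the case study itself lists: a delivery address changed just before checkout, a card added just before checkout, a disposable contact email, high-resale items such as gift cards and electronics, and a session from a country the account has never used. This is an added example, not the article's or any vendor's code; the order records, the disposable-domain list and the weights are constructed for illustration:

```python
# Constructed order records (not real data), each carrying the signals named in the
# case study. "*_min_ago" is minutes between that profile change and checkout.
ORDERS = [
    {"id": "o1", "home_country": "US", "session_country": "US",
     "address_changed_min_ago": None, "card_added_min_ago": None,
     "email_domain": "example.com", "items": ["socks"], "amount": 24.0},
    {"id": "o2", "home_country": "US", "session_country": "RO",
     "address_changed_min_ago": 3, "card_added_min_ago": 2,
     "email_domain": "tempmail.example", "items": ["gift_card", "gift_card"], "amount": 1000.0},
    {"id": "o3", "home_country": "US", "session_country": "US",
     "address_changed_min_ago": 10, "card_added_min_ago": None,
     "email_domain": "example.com", "items": ["television"], "amount": 1200.0},
]

DISPOSABLE_DOMAINS = {"tempmail.example"}  # constructed; a real list is far longer
HIGH_RESALE_ITEMS = {"gift_card", "game_console", "television", "electronics"}


def score_order(order, recent_minutes=15):
    """Additive risk score plus the reasons that fired. Weights are illustrative;
    a production system tunes them against labelled chargeback data."""
    score, reasons = 0, []
    if order["session_country"] != order["home_country"]:
        score += 30
        reasons.append("session from unfamiliar country")
    changed = order["address_changed_min_ago"]
    if changed is not None and changed <= recent_minutes:
        score += 25
        reasons.append("delivery address changed just before checkout")
    added = order["card_added_min_ago"]
    if added is not None and added <= recent_minutes:
        score += 25
        reasons.append("new card added just before checkout")
    if order["email_domain"] in DISPOSABLE_DOMAINS:
        score += 15
        reasons.append("disposable contact email")
    if any(item in HIGH_RESALE_ITEMS for item in order["items"]):
        score += 10
        reasons.append("high-resale items")
    if order["amount"] >= 500:
        score += 10
        reasons.append("high order value")
    return score, reasons


def decide(order):
    """Map the score to an action: allow, step-up 2FA, or hold and re-verify the owner."""
    score, reasons = score_order(order)
    if score >= 60:
        return "hold_and_reverify", score, reasons
    if score >= 30:
        return "step_up_2fa", score, reasons
    return "allow", score, reasons
```

Returning the reasons alongside the score is what lets an analyst explain a hold to the genuine account owner and lets the team see which signals actually separate fraud from legitimate address changes.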
Conclusion
The Target incident demonstrates how compromised accounts can become tools for large-scale carding. Attackers combine technical methods (credential stuffing, malware) with social engineering to gain access to accounts and monetize them. The case highlights the importance of cyber hygiene for users and the need for strict security measures at companies.