Carding, as a form of cybercrime, is linked to other types of cybercrime, including extortion, through a complex network of methods, technologies, infrastructure, and motives. For educational purposes, we will examine the connection between carding and extortion in more detail, including technical aspects, real-world examples, the tools used, and their role in the cybercrime ecosystem.
1. Common goals and motives
Carding and extortion share a common goal: financial gain. The methods used to achieve it differ but often overlap:
- Carding focuses on stealing credit card data (numbers, CVV codes, cardholder names) to conduct fraudulent transactions, such as purchasing goods, withdrawing money, or selling the data on the black market.
- Extortion (especially in the form of ransomware) involves blocking access to a victim's data or threatening to release it with a ransom demand, usually in cryptocurrency.
A connection occurs when data stolen through carding is used to bolster extortion, or when infrastructure built for one crime is used in another.
2. Technical methods and their intersections
Cybercriminals use similar technical approaches to carry out carding and extortion. Here are the main points of overlap:
2.1. Phishing and Social Engineering
- Carding: Phishing attacks are one of the main methods for obtaining credit card information. Fraudsters create fake websites (such as those mimicking banking portals or online stores) and send emails or SMS messages to trick victims into giving up card or account information.
- Extortion: Phishing is used to deliver ransomware. For example, the victim receives an email with a malicious attachment (PDF, Word document, or link) that, when opened, installs ransomware that encrypts files.
- Connection: Social engineering techniques, such as creating convincing emails or fake websites, are universal. Skills honed in phishing for carding are easily applied to ransomware distribution. For example, a phishing email can simultaneously collect card details and install malware for subsequent extortion.
2.2. Exploitation of vulnerabilities
- Carding: Attackers can hack the databases of online stores, payment systems, or corporate servers by exploiting vulnerabilities such as SQL injections or weak security protocols. This allows them to access the data of thousands of cards.
- Ransomware: The same vulnerabilities can be used to penetrate corporate networks and install ransomware. For example, vulnerabilities in VPN or RDP servers are often exploited to gain access to systems.
- Connection: Vulnerability detection and exploitation tools (e.g., Metasploit, Cobalt Strike) are universal and are used in both schemes. Data stolen during a carding attack can be used for blackmail if it contains confidential information.
2.3. Skimming and Malware
- Carding: Skimmers (physical devices on ATMs or malicious scripts on websites) collect card data. Malware such as banking Trojans (e.g., Zeus or Dridex) is also used to steal financial data.
- Ransomware: Malware such as WannaCry or Ryuk encrypts the victim's data and demands a ransom. Some Trojans originally designed for carding can be modified to deliver ransomware.
- Connection: Malware is often multifunctional. For example, the Emotet Trojan, originally used to steal banking data, later became a ransomware delivery platform. This demonstrates how carding tools can be adapted for extortion.
3. Darknet infrastructure
The darknet plays a key role in the nexus of carding and extortion:
- Carding: Darknet marketplaces such as AlphaBay (before its closure), Dream Market, and modern equivalents sell credit card data, skimmers, phishing kits, and access to compromised systems.
- Extortion: The same platforms sell ransomware creation kits (RaaS, Ransomware-as-a-Service), stolen data for blackmail, and access to corporate networks (RDP or VPN).
- Connection: The darknet is a unified ecosystem where cybercriminals exchange tools, data, and services. For example, a carder who has purchased access to a corporate network to steal card data may resell this access to ransomware attackers.
4. Combination attacks
Modern cybercrimes often involve a combination of methods. Examples:
- Double extortion: Groups like Maze, REvil, and Conti not only encrypt data but also steal it before encryption. If the victim refuses to pay the ransom, the attackers threaten to publish the data or sell it on the black market. If the stolen data includes financial information, it can be used for carding.
- Blackmail using carding data: Carders who have stolen card data may threaten the victim with using that data or selling it, demanding a ransom to prevent this from happening.
- Post-extortion fraud: Ransom payments received in cryptocurrency are often laundered through fraudulent transactions, including purchasing goods with stolen cards (carding).
5. Real-life examples
- Emotet and TrickBot: These banking Trojans were initially used for carding, stealing account and card data. They were later adapted to deliver ransomware like Ryuk, demonstrating how a single piece of malware can serve both purposes.
- Colonial Pipeline Attack (2021): The DarkSide group used ransomware to lock down systems but also stole data that could be used for carding or sale. This demonstrates a combination of extortion and potential carding.
- Phishing Campaigns: In 2020, a phishing campaign targeting PayPal users collected card details for carding and also installed malware that could be used for extortion.
6. Roles of participants and their specialization
The cybercriminal ecosystem includes many roles that link carding and extortion:
- Hackers: Hack into systems to steal data (for carding) or install ransomware.
- Coders: Develop malware that can be used for both purposes.
- Data sellers: Sell stolen data (cards, accounts) on darknet markets.
- Money launderers: Use stolen cards to purchase goods or cryptocurrency to launder money obtained from extortion.
- RaaS Organizers: Provide extortion platforms that can exploit data stolen by carders.
7. Socio-economic aspects
- Availability of tools: The low barrier to entry into cybercrime (available phishing kits, RaaS, skimmers) makes carding and extortion attractive to beginners.
- Globalization: Cybercriminals from different countries collaborate via the darknet, sharing data and tools. For example, a carder from one country might sell data to an extortionist from another.
- Cryptocurrency: Both types of crime use cryptocurrencies (e.g. Bitcoin, Monero) for anonymous transactions, whether for ransom payments or for laundering the proceeds of carding.
8. Preventive measures and protection
Understanding the connection between carding and extortion is important for developing protective measures:
- Multi-factor authentication (MFA): Protects against credential theft used in both types of attacks.
- User Education: Raising awareness of phishing reduces the likelihood of data breaches for carding or ransomware infections.
- Transaction monitoring: Banks and payment systems can identify suspicious transactions related to carding, which also helps track money laundering from extortion.
- Software Update: Patching vulnerabilities reduces the risk of being hacked for both purposes.
- Backup: Protects against ransomware by minimizing the need to pay the ransom.
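As an illustration of the transaction monitoring item above, the following added example (not part of the original text) applies a sliding-window rule to a payment authorization log and flags sources that try many distinct cards and are mostly declined. The log format, card tokens, IP addresses and thresholds are constructed assumptions, not values from any real payment system.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed authorization log: timestamp, source IP, card token, amount, result.
SAMPLE_LOG = """\
2024-05-01T09:10:00 192.0.2.50 tok_c1 24.50 APPROVED
2024-05-01T09:40:00 192.0.2.50 tok_c2 12.00 APPROVED
2024-05-01T10:00:00 203.0.113.7 tok_a1 1.00 DECLINED
2024-05-01T10:00:20 203.0.113.7 tok_a2 1.00 DECLINED
2024-05-01T10:00:41 203.0.113.7 tok_a3 1.00 APPROVED
2024-05-01T10:01:05 203.0.113.7 tok_a4 1.00 DECLINED
2024-05-01T10:01:30 203.0.113.7 tok_a5 1.00 DECLINED
2024-05-01T10:02:00 198.51.100.20 tok_b1 59.90 DECLINED
2024-05-01T10:02:40 198.51.100.20 tok_b1 59.90 DECLINED
2024-05-01T10:03:10 198.51.100.20 tok_b1 59.90 APPROVED
2024-05-01T10:05:00 192.0.2.50 tok_c3 80.00 APPROVED
2024-05-01T10:30:00 192.0.2.50 tok_c4 15.25 APPROVED
"""

def flag_sources(log_text, window=timedelta(minutes=5), min_cards=4,
                 min_decline_ratio=0.5):
    """Return {source_ip: time of first alert} for sources that, inside one
    sliding window, try many distinct cards and see mostly declines."""
    recent = defaultdict(deque)   # ip -> (timestamp, token, result) in window
    alerts = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        # The amount field is parsed but not used by this rule.
        ts_raw, ip, token, _amount, result = line.split()
        ts = datetime.fromisoformat(ts_raw)
        events = recent[ip]
        events.append((ts, token, result))
        # Drop events that have aged out of the window for this source.
        while ts - events[0][0] > window:
            events.popleft()
        cards = {tok for _, tok, _ in events}
        declines = sum(1 for _, _, res in events if res == "DECLINED")
        if len(cards) >= min_cards and declines / len(events) >= min_decline_ratio:
            alerts.setdefault(ip, ts)
    return alerts

if __name__ == "__main__":
    for ip, when in flag_sources(SAMPLE_LOG).items():
        print(f"ALERT {ip} first flagged at {when.isoformat()}")
```

A customer retrying a single card (198.51.100.20) and a shared address with several approved cards spread over an hour (192.0.2.50) stay below the rule, which is why it keys on distinct cards and decline ratio together.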