

Online stores, with the simplicity of making a purchase on them, attract not only ordinary buyers but also people who want to make money dishonestly. For clothing carders who live on the darknet, Amazon, eBay and the like are the richest fishing grounds. In an attempt to make money, criminals study these sites and their payment systems for vulnerabilities. In the film "Catch Me If You Can", the main character, with his cunning and ingenuity, evokes positive emotions in viewers. In real life, things are not so funny, and the main characters evoke no such positive emotions. Although, judging by their stories, one could write a book or make a film whose plot would certainly be no worse than Hollywood's.

In real life, it is mostly decent and gullible citizens who suffer from fraud. Hardly anyone will be delighted that other people's purchases are being paid for at their expense. And we are talking about large sums, since carders are interested in expensive goods.

I bring to your attention stories of how and on what carders are caught in America. On one of the foreign forums I read about the fight against carders waged by an international parcel delivery service for people who live outside the United States. PlanetaExpress accepts parcels from the Amazon online store in the USA and forwards them to other countries of the world, including Russia. Therefore, from time to time they encounter unscrupulous buyers, whom experience helps them to identify, along with, of course, the carders' own mistakes, sometimes stupid to the point of absurdity.


Fraudsters use the classic scheme that has been worked out for years:
  • First, a swindler steals bank card details. All kinds of tools are used for this: keypad overlays on ATMs, phishing, viruses on the computer, hacked accounts on the online store's server and other tricks.
  • After that, the fraudster, using the obtained card data, pays for goods in the online store and places an order for express delivery, for example to Russia, through an international mail delivery service. There are also particularly brazen people who try to pay for the delivery service with the "cardboard" too, so that funds are debited from the unsuspecting owner's card not only for the goods but also for delivery to Russia.
  • The bank or the cardholder himself, having noticed suspicious activity on the bank account, blocks it. The operation can also be blocked by the store: the delivery is cancelled or the transaction itself is blocked by an automatic security system. Now especially "resourceful" people have begun to buy goods using gift cards that were purchased with stolen credit cards. For a store, payment from such a card is "white", so hardly anyone is interested in how these cards were purchased. Often only the delivery service notices the fraud and blocks the shipment of the goods, and the online stores are notified of the cancellation of the transaction.
  • PlanetaExpress says that sometimes a parcel leaves the warehouse, but later it turns out to contain stolen goods. Then the employees conduct a check. Along the way, they establish how the order was sent and find out the current stage of delivery. It happens that it is blocked right on the way. For example, if it is being delivered to the Russian Federation, the company contacts the Russian Post at the place of delivery and blocks its release. This scheme has been used successfully by PlanetaExpress since 2012.

Sometimes there are more sophisticated clothing carding schemes based on working with "drops". This unusual word refers to people who perform simple work such as receiving a parcel in the mail and then sending it on to another address. The person himself, as a rule, does not suspect that he is participating in a fraud, because the need to send it on is explained to him by completely logical reasons. In our practice there were even cases when a request to forward a parcel was made allegedly on behalf of our company, with the recipient being told it was PlanetaExpress's ridiculous error.

The more scammers want to cover their tracks, the more transfers there will be. Unraveling such a chain is very difficult, but possible. The aforementioned company has managed to "catch" such packages and return them.


I will not list all the methods, but I will note the key points:
  • A signal comes from the seller. In some cases, a notification of a chargeback (return of funds to the card) comes very quickly. When the cardholder receives an SMS about the purchase, he contacts the bank and reports that the operation is illegitimate. After that, the issuing bank initiates an "alert" through the MasterCard or Visa payment system. The signal is received by the bank that serves the online store's terminal, which informs the store's administration about the cancellation of the transaction (disputed transaction). If the order has not yet been sent, the store will block it. Otherwise, a corresponding request is sent to the intermediary company, which cancels or slows down the delivery. For example, if the parcel has not yet left the PlanetaExpress warehouse, the seller provides the tracking numbers and the client's suite number, and a refund is issued. When the order is already on the way, other ways of solving the problem are used.
  • A report to the police. Sometimes the signal goes directly to law enforcement. There is already a proven scheme for returning purchases, since PlanetaExpress has long cooperated with the police station. By the way, in the photo is the company's curator from the police department. Requests may also come from other states.
(photo: kak-lovat-carderov-servis-dostavki-posylok-2.jpg)
  • Payment through a PayPal account belonging to a certain John Smith, while the account is registered to Vanya Ivanov. By the way, the "antifraud" in this payment system is weaker than the monitoring on Amazon. Fraudsters may well bind stolen cards to fake profiles and use them to pay in stores through PayPal.
  • Grammar and other silly "mistakes". Carders can make a mistake, as in the photo, or when trying to impersonate a woman, when it is clear that the signature was put by a man.
(photo: kak-lovat-carderov-servis-dostavki-posylok-3.jpg)
  • Increased nervousness. The "addressee" bombards the company with questions about where the package is and does not hesitate to threaten to contact the FBI in order to expose the alleged "black plans" of our company. This is understandable: they, too, may have paid some money to be provided with the details of this stolen credit card. PlanetaExpress is already familiar with the FBI, whose employees politely asked to be informed if there was ever an order for the delivery of a nuclear missile.
(photo: kak-lovat-carderov-servis-dostavki-posylok-4.jpg)
  • Social networks to the rescue. In the company's practice, there was a case when a fraudster gave himself away by publishing a post on his VKontakte page about selling iPhones at half price.

A separate topic is how carders are caught when documents are checked. Sometimes it comes to the point of absurdity, but there are also very "diligent" people. Why does PlanetaExpress require scanned documents? When there is doubt about the legality of a transaction, the company asks for more data about the customer, the direct buyer of the product. You need to provide his ID or call the office.

There were cases when they received documents with a photograph of a famous football player, a teacher from Kazakhstan and even Margaret Thatcher! In the picture below, the passport is issued to a certain Veronica Pitt.

But PlanetaExpress employees are also good at recognizing Photoshop, so they quickly discovered the fake: the signatures on the pages of the passports are 100% identical, which does not happen in real life.


The second document has a slightly stretched signature copied from the first passport.

Carders are getting more dodgy every day, so they try to use photographs of people who look very much like the fraudster.

In the photo is "Toor Luc", who in fact has a Russian first name and surname.

When fraudulent documents are identified, the company permanently blocks the buyer's account and returns the item to the sender.


Once the company blocked the account of a resident of Ukraine, Vanessa Alejandro Acosto Malero. Understandably, such a name aroused suspicion. However, through personal correspondence and social networks it was possible to establish that the data was genuine. The girl herself is from Venezuela, from where she moved when she married a Ukrainian. By the way, she responded to the questions perfectly adequately and sent scans of documents and even a photo with her child without any problems.


Scamming is not easy, and if you put in a lot of effort, you want to get more money. Therefore, carders often act as clients whose "righteous anger" pours down on the intermediary company. They actively leave their feedback on various forums, although most such sites are not accessible to ordinary users.

So touching and true to life that one wants to feel sorry for the guy.

Some go even further. A typical situation: an account was blocked because its owner was unable to send scans of documents.

If you don't know what a "storm of emotions" looks like, look at the picture below:

Unfortunately, scammers still manage to cash in on others. PlanetaExpress had a client who provided all the documents without any problems, and in general the situation did not seem suspicious. Only the warehouse manager voiced her doubts. It turned out that her intuition did not let her down. As soon as the parcels were dispatched, another seller got in touch asking about this "client". The seller said that this customer had bought a gold iPhone, but after some time the store received a payment cancellation.

When the company contacted the Russian Post to return the parcel, the fraudster also began actively calling there. And not just calling, but introducing himself as the head of PlanetaExpress and assuring them that everything was in order with the parcel and it could be released. He even sent an official letter, signing it as Pyotr Sharapov, the head of our company. Nobody expected such impudence! Therefore, while the proceedings dragged on, the parcel was released anyway.

Here is a "talented Mr. Ripley" like the hero of the film of the same name. He followed up by diligently scribbling negative reviews about PlanetaExpress and publishing them on a special website. We must pay tribute to the seller of the iPhone, who visited this site and exposed the essence of the carder in the dialogue, calling him a thief.


Year after year carders try to cash in on other people, but not all such cases are investigated by the police. For example, the company identified a fraudster and returned the goods to the store, so the latter incurred no losses. That is, there is no crime on record. Of course, the carder will not stop there and will keep trying. However, the police need a specific request: a statement about the theft of money from the card, from its owner or from the store, if it has suffered damage.

Often, when the situation is resolved in favour of the seller and the buyer, no one wants to make unnecessary fuss. In addition, the size of the amount plays a role. For a few tens of dollars, US law enforcement will not be particularly zealous. Judge for yourself: the theft took place in one state, the "drop" is in another, and the carder himself is generally outside the country.

Once, people from the US Secret Service came to the PlanetaExpress office. One customer had ordered $15,000 worth of merchandise. It turned out that the amount was withdrawn from the card of the daughter of a bank's owner. The carder made good money. However, the law enforcement authorities considered this amount not large enough to send a request to the Russian authorities. All that remained in the company's memory was a business card…

Therefore, the fight against carders continues, as they say, by local efforts. So watch your bank cards carefully!

Carding 4 Carders


How carders are caught

Today you will find out what carders slip up on and why the police, to put it mildly, do not care about fraud cases, from an employee of one of the well-known shops.

How it goes

A fraudster, a "carder", steals bank card details. There is a whole industry for extracting such data; you have probably heard about keypad overlays on ATMs, etc.

Then the carder pays for the goods in the American store and orders express delivery to the address he needs outside the USA. Some characters try to pay for the services with the "card" as well, in order to hang on the cardholder not only the cost of the goods but also the cost of delivery.

The cardholder or bank notices suspicious activity and blocks the card. Or the payment is blocked by the store's security system.

Recently, particularly cunning individuals have begun to buy goods with the help of "white" gift cards purchased with stolen credit cards. What matters to the store is that the payment from the gift card is "white"; how the gift cards were purchased, few will look into. Therefore, the forwarding service is the last line of defense for online retailers that have received a transaction cancellation notification.

Sometimes employees suspect something, but there is nothing to complain about, no grounds. Then the package leaves the warehouse. If information later appears that the things in the parcel are stolen, they look at how the parcel was sent and at what stage of delivery it is now. Sometimes there is an opportunity to intercept it right on the way. If the parcel is already in Russia, they contact the local branch of the Russian Post and block its release there.

Sometimes there are more professional schemes in which scammers work with drops. Usually a "drop" is an unsuspecting person who has been hired for a simple job: to receive parcels by mail and send them to another address. The need for such redirection is explained by some quite normal reasons.

There can be several transfers, depending on how badly the sender wants to cover his tracks. Such a chain is more difficult to untangle, although such parcels are also caught and returned.

How carders give themselves away

1. The seller can get in touch. Sometimes they are notified about chargebacks very quickly. The cardholder received an SMS, contacted his bank and said that he had not made these purchases.

The card-issuing bank initiates an "alert" through Visa or MasterCard. The signal goes to the bank that serves the online store's payment terminal. That bank, in turn, informs the store about the disputed transaction within a few minutes. If the order has not been sent, the store holds the delivery.

If the package is in the warehouse, they provide the tracking numbers and the client's suite number, and everything is returned immediately. If the parcel has already gone, they look for ways to return it.

2. There is an option when the seller gets in touch not with the site but with the police. A lot of shops are friends with the police station.

If they call the police, the police send a notification to the store the same day, saying: we have received such-and-such a request. Sometimes a request may come from a police station in another state.

3. Carders try to pay using a PayPal account and call themselves John Smith, although the account is registered to Vasya Pupkin. PayPal's anti-fraud system is weaker than, for example, Amazon's. With due diligence, carders tie stolen cards to fake accounts and pay with PayPal in stores.

4. They often write with errors. Or they may pretend to be a girl, but the style of the letter shows that it is a boy.

5. They get nervous and often write "Where is my package?" They, too, paid some money to be provided with the details of this credit card. And we spent a long time setting up the system on our side so that it was difficult to catch them.

I also had to deal with "carding" of another kind: they card the card data and some store suddenly lets the payment through. Then they need to have time to order and receive the goods before the cardholder discovers the loss and blocks the card.

Sometimes they write very funny things to force the store to send the package as soon as possible: "I will inform the FBI that you are embezzling other people's packages and, hiding behind a forwarding company, are shipping biological weapons and sponsoring terrorists."

6. You can catch a carder using social networks. There was one comrade who "burned" himself through social networks. He was telling us one thing, and on his VKontakte page we found the post "I sell iPhones in bulk at a 50% discount." The man had a sense of humor.

If there is suspicion, the store asks for more data. Many make excuses:

- A business partner bought this for me …

- This is my compensation as a salary …

- In the meantime, there is no need to worry about it.

After that, the store replies: OK, let the person who paid for this order contact us. Or provide his ID.

Once they sent a scan of documents with a photograph of Margaret Thatcher. Another time, photographs of a famous football player and a teacher from Ust-Kamenogorsk (who, of course, had not ordered anything).

How carders take offense at us

The guys are very offended that we do not let them "earn", and they write angry reviews on the Internet, pretending to be dissatisfied customers.

Although on their forums (the bulk of the "carder" and "fraudster" forums are in the shadow part of the Internet, but some are also reachable from search), they communicate much more directly.

Tears welling up in my eyes

Some carders go further. A typical case when we had to block the account of a user who could not provide the required documents:

Literally caused a storm of emotions

Unfortunately, sometimes they still manage to profit. Let us tell of one high-profile case.

We had one client. He provided all the documents. There was nothing to find fault with, although Galina (the main person in the warehouse) had some inner suspicions.

When his parcels had left, we received a call from another seller who was looking for other traces of this "client". It turned out that the guy had bought a gold iPhone in another store, but after a while the store received a payment cancellation.

We contacted the Russian Post and requested this parcel back. Then the guy started calling the Russian Post, introducing himself as our manager Peter Sharapov and convincing them that everything was in order and the parcel should be handed over. He even sent a letter and signed it as if on Peter's behalf.

The Russian Post was at a loss whether to release it or not. We, too, were stunned by such impudence. In general, while we were figuring it out, some gear slipped at the Russian Post and the parcel was released. Such a talented Mr. Ripley.

After that, he began to write reviews on a special website about what a bad company we are and how we steal packages. The salesperson who had sold him the gold iPhone entered into a dialogue with him and asked: are you normal at all? You're a thief!

Why don't the police investigate these cases and the carders keep trying from year to year?

For example, we caught a person and returned his orders to the store. The store did not suffer losses. We know that the scammer will try again, and we are ready for that.

But until there is a request to the police station from those whose cards were stolen or from the store that received a refund, no one will worry. And people are often inclined not to raise further fuss: the money was returned, and that's good.

American law enforcement agencies will only start an investigation over a very large amount. Otherwise, it is inconvenient: the theft happened in one state, the drop is in another …

And if the parcel is already in another country, then even more so. Once we were visited by agents from the US Secret Service. As far as we understood, the card of some banker's daughter was involved; the Russian carder bought 15 thousand dollars' worth. We provided them with all the data of the person who ordered the package. But we were told that this is not an amount over which they would make a request to the authorities of the Russian Federation.
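The two posts above list the same warning signs (a chargeback alert relayed by the seller, a police request, a payer whose name does not match the account holder, forged ID scans, pressure and threats in customer messages) and the same two responses: hold the parcel and return the goods, or ask the buyer for ID. The following added example, which is not PlanetaExpress's code and is not from either forum post, turns that into a small triage routine for a forwarding service; the field names, weights, threshold and sample orders are assumptions. It also handles the edge case the first post describes (a customer with an unusual name who turned out to be genuine): soft signals lead to an ID check, not straight to a block.

```python
"""Rule-based triage of parcel-forwarding orders from the fraud signals the
posts describe.  Added illustration, not PlanetaExpress's or the forum
authors' code; field names, weights, thresholds and sample orders are
assumptions."""
from dataclasses import dataclass, field
from typing import Optional
import re
import unicodedata

# Hard signals: the posts say these lead directly to holding the parcel and
# returning the goods to the sender.
HARD_SIGNALS = ("chargeback_alert", "police_request", "forged_documents")

# Soft signals: on their own they only justify asking for more data (an ID
# scan or a call to the office), because a genuine customer can trigger them.
SOFT_WEIGHTS = {"payer_name_mismatch": 2, "pressure": 1, "threats": 2}
REVIEW_THRESHOLD = 2  # assumed: soft score at or above this needs an ID check

# Constructed patterns for the kind of messages the posts quote.
PRESSURE_RE = re.compile(r"\bwhere is my (package|parcel)\b", re.I)
THREAT_RE = re.compile(r"\b(FBI|police|terrorist)", re.I)


@dataclass
class Order:
    order_id: str
    account_holder: str                 # name on the forwarding account
    payer_name: str                     # name on the card / PayPal account used
    chargeback_alert: bool = False      # seller relayed an issuer "alert"
    police_request: bool = False        # a request came from law enforcement
    forged_documents: bool = False      # e.g. identical signatures on two ID pages
    id_verified: Optional[bool] = None  # None = ID not yet requested/checked
    messages: list = field(default_factory=list)


def _norm(name: str) -> str:
    """Case- and accent-insensitive form of a personal name."""
    s = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    return " ".join(s.lower().split())


def soft_signals(order: Order) -> dict:
    """Return the soft signals present on the order with their weights."""
    found = {}
    if _norm(order.account_holder) != _norm(order.payer_name):
        found["payer_name_mismatch"] = SOFT_WEIGHTS["payer_name_mismatch"]
    text = "\n".join(order.messages)
    if PRESSURE_RE.search(text):
        found["pressure"] = SOFT_WEIGHTS["pressure"]
    if THREAT_RE.search(text):
        found["threats"] = SOFT_WEIGHTS["threats"]
    return found


def triage(order: Order) -> tuple:
    """Return (decision, reasons); decision is 'release', 'request_id' or
    'hold_and_return'."""
    hard = [s for s in HARD_SIGNALS if getattr(order, s)]
    if hard:
        return "hold_and_return", hard
    soft = soft_signals(order)
    if sum(soft.values()) < REVIEW_THRESHOLD:
        return "release", sorted(soft)
    # Soft signals alone: ask for the buyer's ID and let that check decide, so
    # a suspicious-looking but genuine customer is not blocked outright.
    if order.id_verified is None:
        return "request_id", sorted(soft)
    if order.id_verified:
        return "release", sorted(soft) + ["id_verified"]
    return "hold_and_return", sorted(soft) + ["id_check_failed"]


# Constructed sample orders (names and messages are made up).
SAMPLE_ORDERS = [
    Order("A1", "Vanya Ivanov", "John Smith",
          messages=["Where is my package?? I will inform the FBI."]),
    Order("A2", "Veronica Pitt", "Veronica Pitt", chargeback_alert=True),
    Order("A3", "Vanessa Alejandro Acosta Malero", "Vanessa Acosta", id_verified=True),
    Order("A4", "Ivan Petrov", "Ivan Petrov", messages=["Thanks, ship when ready."]),
    Order("A5", "Ivan Petrov", "Jane Doe", id_verified=False),
]

if __name__ == "__main__":
    for o in SAMPLE_ORDERS:
        decision, reasons = triage(o)
        print(f"{o.order_id}: {decision:16} {', '.join(reasons) or '-'}")
```

The split into hard and soft signals is the design point: a chargeback alert or a police request is external evidence and stops the parcel on its own, while a name mismatch or an angry message is only a reason to ask for documents, which the posts say is exactly what the forwarder does.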


The FSB has "operational capabilities" in the Webmoney payment system, thanks to which the investigation uncovered a DDoS attack against Aeroflot. After finding out which WM wallets were used to transfer money for the attack, the investigation identified their owners, established IP addresses, analyzed traffic, and thus reached the botnet's control panel.

CNews continues to publish materials from the criminal case of Pavel Vrublevsky, the owner of the Chronopay payment system, whom the FSB accuses of ordering a DDoS attack on the server of a competing system, Assist, in order to block the possibility of buying e-tickets on the Aeroflot website.

A wallet in the Webmoney (WM) payment system used by a person under the pseudonym Engel immediately came to the investigators' attention, according to the case materials. Also at the disposal of the investigation was the electronic correspondence of Chronopay employees (financiers Maxim Andreev and Natalia Klyueva with security specialists Maxim Permyakov and Stanislav Maltsev), according to which, during the days of the attack, $500 was to be transferred daily to the specified wallet for the purpose of "PR and competition". A little earlier, another $10k had been transferred from Chronopay to the same wallet.

A thread in Webmoney

The FSB suspected that the attack was carried out by Engel on Vrublevsky's order. Using the "operational capabilities" in the Webmoney system, it was established that the wallet mentioned above belongs to a WM identifier registered to Igor Artimovich, a native of the Leningrad Region. The investigation obtained access to the log of logins to the system over the past few months, thus finding out Artimovich's IP address and the checksum of his equipment (Engel used the authorization method in the WM Keeper program that checks the equipment from which the login is performed).

Using the checksum, the FSB also discovered the remaining WM identifiers registered to Artimovich (a year later, the relevant documents were officially seized during searches at the Webmoney office). The transaction log confirmed that Artimovich received money totaling $20 thousand during the attack on Assist. According to the intercepted correspondence of Chronopay employees, the wallet from which the money came belonged to this company.

After making a request to the provider that owned the above-mentioned IP address, National Cable Networks (Onlime brand), the FSB established that the address was registered to Igor Artimovich's brother Dmitry (a year later, a copy of the contract was seized during searches at the provider). At that time, they shared an apartment in Moscow. After that, the investigation decided to conduct operational search measures (ORM) "KTKM" within the operational development case (DOR) "Pilot".

The Moscow City Court issued a sanction for intercepting information from the Internet channels used by the Artimovich brothers (from Onlime and Sky Link), tapping their landline and mobile phones (from Vimpelcom, MTS and Megafon), as well as reading e-mail in the domain. The Artimovichs had a few more mailboxes, but they were blocked by the administration. In addition, the FSB department for St. Petersburg gained access to the logs of visits to Igor Artimovich's page on the VKontakte network.

Note that by the end of the summer the Artimovichs dropped out of the FSB's field of view, but Webmoney again came to the investigation's rescue. "Operational capabilities" in this system made it possible to detect their new wallets, as well as the new e-mail addresses and mobile phone numbers from which they were topped up (the phones themselves were registered to front persons). New IP addresses were also revealed: this time the Artimovichs accessed Webmoney via the mobile networks Sky Link and Scartel (Yota brand). However, the brothers soon disappeared again.

"The FSB is watching us. Going to Jabber"

With the ability to track Internet traffic, the FSB was able to read Artimovich's ICQ correspondence with unidentified interlocutors. One of them sent a link to an article about the launch of the VTB United Basketball League. The interlocutor pointed to the photo from the corresponding press conference: "The second from the left is me. An awesome basketball player, right?"

Second from the left in the photo was Pavel Vrublevsky. Next to him was the then Deputy Prime Minister and current head of the presidential administration, Sergei Ivanov. Then the unknown source sent a link to the Chronopay press release with the words "our release on the topic". When asked by Artimovich whether this kind of sponsorship is advertising for Chronopay, the interlocutor gave the following answer: "Officially, yes. Unofficially, look at the biography of Sergei Borisovich Ivanov and the answers will start to appear."

The interlocutors also discussed the sale of narcotic drugs ("controls"), the registration of several dozen relevant domains in the .En zone, registration of servers for a certain Andrey Bogdanov and work on the Spamdot forum (used by spammers selling pharmaceuticals abroad). Analysis of the Artimovichs' ICQ contact list showed that they often communicate with people who are in the field of view of law enforcement agencies because of the spread of malware. But the main thing the investigation drew attention to was the suspects' detection of surveillance.

The interlocutors suspected that the FSB was trying to arrange a fake meeting with a certain Khokholkov, an accomplice of the well-known spam and virus distributor Leonid Kuvaev, who is currently serving a long prison term for pedophilia. The issue of the Artimovichs moving and renting an apartment on someone else's passport was also discussed. To one of the brothers' question "Why do you want to get us an apartment?", the unknown interlocutor gives a frank answer: "What, do you think I'm not friends with my head at all? The FSB is hunting you!" Next, it is suggested to move the conversation to the Jabber system.

However, the investigation did not establish the identity of the interlocutor. Vrublevsky himself told CNews that he did not conduct these negotiations. The entrepreneur also added that he does not understand why this correspondence was included in his case. ORM in relation to Vrublevsky gave no results at all: as noted in the case file, on the phone he talked only about everyday topics.

How the FSB searches for passwords

Another step of the investigation was the analysis of Artimovich's Internet traffic using the Ufasoft Sniffer and Wireshark programs (they analyze traffic in tcpdump format). Thus, the facts of establishing a secure connection with two IP addresses belonging to the American hosting provider LayeredTech were discovered. At the specified addresses there was a login prompt for the Topol-Mailer software control panel. A contextual search of the traffic logs for the word "password" found lines with a username and password that were successfully used to log in to both panels.

According to the investigation, these were botnets with proxy-server functions that allow large-scale spam mailings and DDoS attacks of several types (UDP flood, TCP flood and HTTP GET flood). At the time of the investigators' visit in August 2010, both botnets together numbered 20 thousand infected computers. The control panel allowed one to view infection statistics with geographical distribution and information about the "suppliers" of infected computers, download samples of the malware used for specific suppliers, and enter addresses for DDoS attacks.

According to the relevant section, the addresses of the botnet's "victims" included the following pharmaceutical resources: [domain list omitted]. The Artimovichs themselves regularly carried out spam mailings advertising pharmaceutical products from addresses in the Rambler system. This led the investigation to believe that they were attacking their competitors.

The received materials were handed over to Group-IB expert Dmitry Volkov for examination. Volkov accessed the resource under study through the CryptoCloud virtual private network service from foreign IP addresses. After analyzing the resources, he confirmed the investigation's conclusion that this was the botnet's control panel. The specialist also drew attention to the fact that during the attack on Assist the number of infected computers increased dramatically (up to 250 thousand). Comparing with the list of 25k users.

The Group-IB specialist also studied the malware downloaded from the botnet. Eset NOD32 antivirus identified this program as the Win32/Rootkit.Agent.NRD trojan, and Kaspersky Anti-Virus identified it as Rootkit.Win32.Tent.btt. Using the OllyDbg debugger and the IDA Pro 8.0 disassembler (which allows one to obtain the program code in a lower-level language), Volkov found that this program writes a driver for DDoS attacks to the operating system without user input.

However, the Assist address was not in the list of attacked addresses. But there are also no restrictions preventing a DDoS attack on this payment system from this botnet. Therefore, Volkov concluded that it could have been used for the attack under investigation. Based on the results of the Group-IB study, "operational sources from the virus-writer environment" also confirmed this conclusion to the investigation.

The investigation also recorded accesses to another American hosting provider, DCSManage, where the Artimovichs stored Topol-Mailer, a program for spam mailings, and a 40 GB database of e-mail addresses in encrypted form (using the PGP Desktop software). Analysis of the rest of Artimovich's Internet traffic showed that they logged in under the administrator's account to the spammers' forum, and also searched in Yandex for the query "Putin Aeroflot".

Vrublevsky believes that a technical examination of the DDoS attack on Assist was never carried out. "In the case there is only a study of the control panel of a certain botnet, but there are no traces of an attack on Assist," the entrepreneur notes. "A partial match of the IP addresses infected by this botnet with the IP addresses from which the attack was carried out is not proof. The same computer can be infected with several viruses. For some time now, hackers have even held competitions, removing competitors' viruses from infected computers."

For more about the problems the investigation faced later, and what testimony was given by the Artimovichs, Vrublevsky and other participants in the case, read the following CNews materials.

Earlier, CNews wrote about how Kaspersky Lab tried to protect Assist from a DDOS attack.
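Two technical points in the article above are worth seeing in code: the botnet's HTTP GET flood capability, and Vrublevsky's objection that a partial overlap between botnet-infected addresses and attack sources is not proof on its own. The following added example is not from the CNews article, the investigation or Group-IB. It builds a constructed access log, flags windows in which many distinct sources hammer one path (the pattern of a botnet flood rather than one noisy client), and reports what fraction of those sources appear on a constructed list of known-infected hosts. The log format, timestamps, IP ranges (documentation ranges) and thresholds are assumptions.

```python
"""Flag HTTP GET flood windows in a web-server access log and measure how
much the attacking sources overlap a list of hosts known to be infected.
Added example; not code from the article, the investigation or Group-IB.
All log lines, addresses and thresholds below are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
import re

# Combined log format: client ident user [time] "METHOD path proto" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \d+')
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one access-log line into a dict, or return None for junk lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    return {"ip": ip, "t": datetime.strptime(ts, TIME_FMT),
            "method": method, "path": path, "status": int(status)}


def detect_get_flood(lines, window_s=10, min_requests=60, min_sources=20):
    """Bucket GET requests into fixed windows and flag windows where both the
    request volume and the number of distinct sources exceed thresholds.
    Requiring many sources separates a botnet flood from one noisy client."""
    buckets = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "GET":
            key = int(rec["t"].timestamp()) // window_s * window_s
            buckets[key].append(rec)
    flagged = []
    for key in sorted(buckets):
        recs = buckets[key]
        sources = {r["ip"] for r in recs}
        if len(recs) >= min_requests and len(sources) >= min_sources:
            paths = defaultdict(int)
            for r in recs:
                paths[r["path"]] += 1
            flagged.append({"start": datetime.fromtimestamp(key, tz=timezone.utc),
                            "requests": len(recs), "sources": sources,
                            "top_path": max(paths, key=paths.get)})
    return flagged


def overlap_with_botnet(attack_sources, botnet_hosts):
    """Fraction of attack sources that also appear on the infected-host list.
    A partial overlap corroborates but does not prove that this botnet ran
    the attack: one machine can carry several infections at once."""
    attack_sources = set(attack_sources)
    if not attack_sources:
        return 0.0
    return len(attack_sources & set(botnet_hosts)) / len(attack_sources)


# ---- constructed sample data (documentation address ranges, made-up time) ----
T0 = datetime(2010, 7, 15, 12, 0, 0, tzinfo=timezone.utc)


def _line(ip, t, path):
    return f'{ip} - - [{t.strftime(TIME_FMT)}] "GET {path} HTTP/1.1" 200 512'


def build_sample_log():
    """Sixty seconds of normal traffic from three clients, plus a burst from
    thirty hosts against one path between T0+20s and T0+26s."""
    lines = []
    for i in range(30):
        for ip in ("192.0.2.10", "192.0.2.11", "192.0.2.12"):
            lines.append(_line(ip, T0 + timedelta(seconds=2 * i), "/"))
    for n in range(30):
        for k in range(4):
            lines.append(_line(f"203.0.113.{n + 1}",
                               T0 + timedelta(seconds=20 + 2 * k), "/buy/ticket"))
    lines.append("garbage line that does not parse")
    return lines


# Constructed "known infected" list: 20 of the 30 burst hosts plus an unrelated one.
SAMPLE_BOTNET_HOSTS = {f"203.0.113.{n}" for n in range(1, 21)} | {"198.51.100.5"}


def analyse(lines, botnet_hosts):
    """Run detection and return (flagged windows, overlap fraction)."""
    windows = detect_get_flood(lines)
    attackers = set().union(*(w["sources"] for w in windows)) if windows else set()
    return windows, overlap_with_botnet(attackers, botnet_hosts)


if __name__ == "__main__":
    windows, frac = analyse(build_sample_log(), SAMPLE_BOTNET_HOSTS)
    for w in windows:
        print(f"{w['start']:%H:%M:%S}: {w['requests']} GETs from "
              f"{len(w['sources'])} sources, top path {w['top_path']}")
    print(f"overlap with known-infected list: {frac:.0%}")
```

On the constructed log only the window starting at 12:00:20 trips both thresholds, and about 61% of its sources are on the infected-host list. The overlap function deliberately returns a fraction rather than a verdict: it is the corroborating measure the investigation relied on, and the caveat in the article is why it should be reported alongside other evidence rather than treated as attribution by itself.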