Many people have paid for online purchases with a bank card at least once. Moreover, if before the coronavirus pandemic this was only one of the opportunities to get the desired product, today using a card is a much more pressing need. And some are so accustomed to new technologies that they don’t hesitate to pay for any purchases online. Run out of porridge for breakfast? Can be ordered. There is no soap? Online order. Need a new towel? One more order! With this approach, there is a risk that sooner or later you will end up on a fraudulent site. In this case, bank data may fall into the hands of carders. This is where the fun begins.
After all this, the fraudster has a clandestinely manufactured bank card, which can be used to pay in the same way as a regular one. However, problems may arise here: for example, the owner of a real card may block the payment instrument even before the carder arrives at the store. Or a homemade card will fail for technical reasons.
This scheme misses one very important point: it is possible to obtain a “dump” without resorting to purchasing from third parties. To do this, criminals use skimmers (from the English skim - “to remove”) - special removable devices for machines for issuing and depositing money. However, this method is becoming a thing of the past, as banks are increasingly issuing cards with chips. Today, almost all Russian cards are equipped with them.
Also, don’t forget about social engineering. Of course, you can’t get a “dump” this way, but you can find out a lot of “important” information. Sometimes attackers need to obtain additional data or clarify the accuracy of existing data. This is how the culture of calls from fake bank security officers began. Typically, scammers use various legends to find out the CVV2/CVC2 code, bank card number, holder’s name, as well as codes from SMS or online banking. Remember that no real bank employee will ask you for such information. A real call from the bank will most likely be related to the promotion of its services or a social survey. Of course, sometimes the bank calls about a blocked card (after the fact of blocking) and other cases, but the lion’s share of “bank calls” still belong to scammers.
Often, scammers use various malware to obtain bank card information from your devices. One of the most common methods is phishing sites or emails. Using the data obtained in this way, it is impossible to make a counterfeit plastic card, but paying in an online store is quite possible. In this case, the scammer will need to figure out how to bypass two-factor authentication in order to make a purchase. We have devoted more than one issue to the topic of phishing, so this time we will not dwell on it in detail.
Another way to illegally obtain card data is PoS Trojans. This is malware that can extract information about payment instruments from the memory of PoS terminals.
If we talk about mobile devices, then owners of Android devices should be especially careful. There are Trojans that can control online banking applications. Having caught one once, the user risks losing all his money. In the summer, we talked in detail about the banking Trojan Android.BankBot.Cooper, which threatened residents of Colombia. Timely updated Dr.Web can save you from such threats.
It is worth noting that not all scammers alone perform all the actions of the described scheme. Many of them stop at the first stage, after which they sell the obtained data on the darknet. There they are bought by another person who has a machine for producing counterfeit plastic cards, and the money is cashed out by the third participant in the scheme, the so-called “drop” (from the English “drop” - “throw away”). Often the last link is the most vulnerable, and therefore teenagers, students or marginalized people find themselves in the role of “drop”. Those who urgently need money.
It is quite difficult to catch a criminal in the first two stages, but a “drop” can be caught red-handed. True, most likely this person will not give out any valuable information about his “employers” simply because he does not know anything truly important. “Drop” is a bargaining chip in the world of carding. They are recruited in the same way as those who leave stashes of drugs - scammers create advertisements in thematic chat rooms and forums. It is important not only to recognize a criminal scheme in time, but also to protect children from potential crime. Young guys do not always correctly assess risks, and therefore can, without knowing it, become a “dropper.”
Pay close attention to where your bank card details remain. Perhaps the browser automatically saved them all, including even the CVV2/CVC2 code. You can clear this information in the settings. Each browser has its own characteristics, but general recommendations on this matter can be given as follows: open “Settings” and select “Clear data”, then check the box similar to “Passwords and other login information”. This way you can force the browser to “forget” your bank card details. Follow the advice of Antivirus Truth, but remember that the safety of your funds depends only on you.
(c) https://www.drweb.ru/pravda/issue/?number=1211
How do carders get our data?
First, let's define the term “carding”. Carding (from the English carding) is a type of fraud associated with bank cards. One of the common schemes used by criminals involves the massive purchase of “dumps” (from the English dump - “dump”) - this is the slang name for information recorded on the magnetic strip of cards. Next, the attackers illegally copy the data onto physical dummy cards.After all this, the fraudster has a clandestinely manufactured bank card, which can be used to pay in the same way as a regular one. However, problems may arise here: for example, the owner of a real card may block the payment instrument even before the carder arrives at the store. Or a homemade card will fail for technical reasons.
This scheme misses one very important point: it is possible to obtain a “dump” without resorting to purchasing from third parties. To do this, criminals use skimmers (from the English skim - “to remove”) - special removable devices for machines for issuing and depositing money. However, this method is becoming a thing of the past, as banks are increasingly issuing cards with chips. Today, almost all Russian cards are equipped with them.
Also, don’t forget about social engineering. Of course, you can’t get a “dump” this way, but you can find out a lot of “important” information. Sometimes attackers need to obtain additional data or clarify the accuracy of existing data. This is how the culture of calls from fake bank security officers began. Typically, scammers use various legends to find out the CVV2/CVC2 code, bank card number, holder’s name, as well as codes from SMS or online banking. Remember that no real bank employee will ask you for such information. A real call from the bank will most likely be related to the promotion of its services or a social survey. Of course, sometimes the bank calls about a blocked card (after the fact of blocking) and other cases, but the lion’s share of “bank calls” still belong to scammers.
Often, scammers use various malware to obtain bank card information from your devices. One of the most common methods is phishing sites or emails. Using the data obtained in this way, it is impossible to make a counterfeit plastic card, but paying in an online store is quite possible. In this case, the scammer will need to figure out how to bypass two-factor authentication in order to make a purchase. We have devoted more than one issue to the topic of phishing, so this time we will not dwell on it in detail.
Another way to illegally obtain card data is PoS Trojans. This is malware that can extract information about payment instruments from the memory of PoS terminals.
If we talk about mobile devices, then owners of Android devices should be especially careful. There are Trojans that can control online banking applications. Having caught one once, the user risks losing all his money. In the summer, we talked in detail about the banking Trojan Android.BankBot.Cooper, which threatened residents of Colombia. Timely updated Dr.Web can save you from such threats.
How do carders try to cash out money?
Traditionally, carding is considered one of the most studied types of modern fraud. In fact, this industry is much more complex and deeper than just “steal a dump, burn a card, pay in a store.” Fraudsters can make many mistakes and get caught. Buying “dumps” is a dangerous business, and producing counterfeit bank cards is a crime that is classified as “Illegal circulation of payment instruments” (Part 1 of Article 187 of the Criminal Code of the Russian Federation). If caught, the attacker will be punished with forced labor for up to five years, or imprisonment for up to six years with a fine of one hundred thousand to three hundred thousand rubles.It is worth noting that not all scammers alone perform all the actions of the described scheme. Many of them stop at the first stage, after which they sell the obtained data on the darknet. There they are bought by another person who has a machine for producing counterfeit plastic cards, and the money is cashed out by the third participant in the scheme, the so-called “drop” (from the English “drop” - “throw away”). Often the last link is the most vulnerable, and therefore teenagers, students or marginalized people find themselves in the role of “drop”. Those who urgently need money.
It is quite difficult to catch a criminal in the first two stages, but a “drop” can be caught red-handed. True, most likely this person will not give out any valuable information about his “employers” simply because he does not know anything truly important. “Drop” is a bargaining chip in the world of carding. They are recruited in the same way as those who leave stashes of drugs - scammers create advertisements in thematic chat rooms and forums. It is important not only to recognize a criminal scheme in time, but also to protect children from potential crime. Young guys do not always correctly assess risks, and therefore can, without knowing it, become a “dropper.”
Pay close attention to where your bank card details remain. Perhaps the browser automatically saved them all, including even the CVV2/CVC2 code. You can clear this information in the settings. Each browser has its own characteristics, but general recommendations on this matter can be given as follows: open “Settings” and select “Clear data”, then check the box similar to “Passwords and other login information”. This way you can force the browser to “forget” your bank card details. Follow the advice of Antivirus Truth, but remember that the safety of your funds depends only on you.
(c) https://www.drweb.ru/pravda/issue/?number=1211
