The Automation of Credit Card Fraud
Assessment Date: 6 June, 2003
THE HONEYNET PROJECT & THE HONEYNET RESEARCH ALLIANCE

EXECUTIVE SUMMARY

For several years the Honeynet Project and Alliance members have been monitoring individuals using the Internet to trade or deal in stolen credit card information. In the past, these individuals (commonly called “carders”) typically acted on their own without significant organization or automation. Recently, the Project has identified an organized exchange for stolen credit card information linking hundreds of carders worldwide through specialized IRC channels and related web sites. This network provides far greater automation of a number of illicit activities contributing to credit card fraud and identity theft, including: compromising merchant sites, validating and verifying stolen credit card information, and the sale or exchange of stolen information. As with the automation and dissemination of exploit code in the vulnerability cycle, this implies a significant capacity for increased criminal activity.

WHAT IS HAPPENING

Stolen credit cards and related identity information (name, address, phone, etc.) have long been a popular form of illicit “currency” among cyber-criminals and within the blackhat community. However, the skill sets required to successfully steal credit card information online, and to successfully sell or exchange such information, have historically been limited to a relatively small number of online criminals possessing the full range of such skills.

The end result is that for worldwide participants on these IRC channels, many of the technical and logistical barriers to large-scale online identity theft and subsequent credit card fraud have been removed.

… facilitate credit card fraud and other forms of identity theft and payments fraud. Between 2 April 2003 and 13 May 2003, affiliated researchers observed over a dozen such IRC channels as traffic for these channels passed through an IRC proxy on a compromised host. The use of IRC channels and semi-covert Web sites for illicit activity is nothing new; this case, however, has several distinctive features:

Automation of carding activities: IRC bots were run on many of the intercepted channels to enable and facilitate elements of the attack and exploitation process, including: target (merchant site) identification, target exploitation, card validation, card verification, and accessing open proxies used to conceal online identity during commission of crimes. Users need master only a series of custom IRC commands to carry out many key activities of credit card / identity theft.

Distribution of carding information: Many of the above bot functions leverage extensive databases of application-level attacks, merchant sites to target for credit card fraud (a vulnerable site is said to be cardable), and credit card data, including card numbers, expiry dates, card validation values (known as CVVs) and associated personal identity information. One or more bot functions appear to draw data from third-party sources in real time, determining the validity and available credit of cards.

Active participation of channel moderators: In addition to their officially sanctioned duties in assisting new users and policing channel activity, several channel moderators were observed actively facilitating and participating in illicit behavior.

The IRC channels utilized by carders provide a sophisticated set of automated response generators or “bots” to facilitate the compromise of merchant sites, the validation or verification of card info from merchant records, and access to open proxies used to conceal online identity during commission of crimes. The executable for one common bot was downloaded from its author’s public web site. This bot is implemented in a monolithic script, with several associated flat-file databases that include a list of exploit URI (universal resource identifier) strings that can be executed through a Web browser to compromise a merchant website, a list of stolen identities, and a set of lists of targets (mostly Internet merchant sites) known to be vulnerable to credit card fraud, differentiated by industry (e.g. clothing, books, electronics). These tools are used in combination with an IRC client, so that text messages exchanged on an IRC channel can be monitored by the tool, which recognizes standard commands and sends responses to the channel. Such a combination of tool and IRC client functions as a bot. For example, active carders may remotely access the bot’s databases, using the !cardable command to identify target merchants, and the !exploit command to obtain exploit URI strings that they may use to compromise merchant sites. Carders focus on targets of opportunity, with some vulnerable merchant sites apparently being compromised repeatedly. The !cc command, the command most often used, returns a random merchant record from a flat file of stolen credit card and identity information.

Channel participants do little to hide their activities. They transmit almost all their traffic in clear text across public IRC networks, typically leveraging IRC proxies on compromised hosts to obfuscate their entry points into the network. The !proxy command requests a bot to provide the host name of an open proxy from its database, and the !proxychk command conveniently verifies the availability and correct operation of a proxy.

Typically, a prospective seller of stolen identities posts a sample of stolen information to a channel, including personal identity and payment instruments, e.g. credit card numbers, expiry dates, and, in some cases, PIN numbers and CVV2 numbers. This advertising/negotiation activity is the principal online activity, with actual deals being concluded via IRC private messages or other out-of-band means not readily susceptible to monitoring via honeypots. Carders and buyers alike use a variety of commands to verify that stolen credit card data is valid; for example, !chk is used to verify the correctness of credit card numbers, while !bank decodes the identity of the issuing bank. Of particular interest are the !cvv2 command, which verifies the card verification value associated with a given card, and the !cclimit command, which obtains the available credit limit associated with a given card. The existence of these commands implies significant knowledge and/or compromise of credit card networks.

WHO’S INVOLVED

Principal IRC channels used for this activity include:

#cc
#ccards
#ccinfo
#ccpower
#ccs
#masterccs
#thacc
#thecc
#virgincc

Principal associated websites include:

www.ccpower.info
www.ccpowerforms.org
www.ccpowerforums.net
www.ccsquad.org
www.ccworldz.net
www.forum-gs.net

Migration between channels and websites is frequent, complicating efforts to monitor illegal activities.

Preliminary analysis indicates international involvement in CC fraud, with the bulk of activity concentrated in South Asia and the Pacific Rim. There appear to be several distinct user groups: lurkers, apparently the vast majority of users, who join channels for varying periods but don’t publicly participate; active participants, who message the channel for help using tools or to offer stolen identities or other contraband for sale or trade; and moderators, who monitor the IRC channels and offer support to users. Of special note is the apparent active involvement of moderators in the use of the channels for illicit activity. In addition to their sanctioned role as gatekeepers and enforcers of channel rules, the moderators facilitate illicit activity by assisting newcomers in using the bots, verifying/vouching for principal actors, and facilitating offline dealmaking. They may also have a commercial interest in the channel, accepting payments or items in trade in return for access. Finally, the existence of numerous bots and databases indicates a small, skilled base of “power users” driving tool development. It appears that this power-user base of moderators and toolmakers is small, probably numbering less than ten individuals. The monolithic nature of bot implementation implies a sole author, but several functionally similar but nevertheless distinct bots have been observed on various channels, implying the existence of multiple authors.

While the IRC channels are ostensibly established for carding, in practice they are also open forums for exchange of all sorts of stolen information and illicit activity, including the fencing of identities stolen offline (e.g. copied from a hotel ledger by a corrupt clerk) and stolen computer equipment. While online merchant customer records are the most common contraband, participants also offer other forms of goods and even services.

The chief motive for most participants appears to be financial gain. Typically, a prospective seller posts a generalized description of stolen identity/card information to a channel, usually including a sample in the form of a compromised merchant record. Prospective buyers may also post requests for specific goods to the channel. Many sellers are looking for someone to help them convert their contraband to cash, soliciting access to Paypal or other online payment systems that originate payments from credit cards online in return for a percentage cut (typically 50-60% of the take). Others are looking to trade contraband relevant to one instrument or channel (e.g. stolen ATM PINs and account numbers) for one more familiar to them (e.g. credit card numbers with CVVs) or for non-financial goods or services (e.g. root shell accounts on compromised systems). In almost all observed cases, deals were concluded out of band, presumably via private IRC messages, e-mail or other simple means.

There is also a significant cultural component to these channels and websites. Lurkers and newbies are frequently recruited by active users and moderators to use the tools to commit what may be their first financial crimes. Supporting material found in related Web sites promotes “carding” as an alternative lifestyle choice rather than criminal activity.
CONCLUSIONS
By implementing and widely deploying automated aids to website attack and compromise, credit card and personal identity acquisition, concealment of identity
during criminal activity, and exchange of stolen goods and services, power users within the carding community have decreased barriers of entry to the community
and facilitated the commission of crimes by members of the community. The dollar volume of related crime is significant and appears to be on the increase,
despite efforts by responsible IRC network operators to curtail illicit and illegal activity on their networks. By presenting their activities as a lifestyle choice rather
than criminal fraud, members of the carding community entice others to join them. They pose a growing threat to the financial community, online merchants, and
individual cardholders.
!cardable classification
    Returns URLs of sites known to be vulnerable to credit card fraud from a database forwarded through the IRC channel. The classification argument returns sites of a particular type, e.g. electronics returns the URL of an electronics vendor.
!cc
    Obtains a credit card number from a database forwarded through the IRC channel.
!cclimit card_number
    Determines the available credit for a specified credit card.
!chk card_number
    Checks a credit card for validity.
!cvv2 card_number expiry_date
    Returns a valid CVV2 number for a given card.
!exploit
    Returns an exploit URI string from a database of known application-level Web server attacks.
!order.log
    Provides transaction detail of a compromised website.
!proxychk
    Verifies that an IRC proxy is working.
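As an added defender-side example (not code from the Honeynet Project or from the bots described in this assessment), the following Python scanner flags the bot commands listed above when they appear in IRC PRIVMSG traffic captured at a proxy or honeypot, and masks Luhn-valid card numbers before they reach an alert so monitoring logs do not themselves become a store of PANs. The nicks, hosts and log lines are constructed for the example.

```python
import re
# Bot commands from the assessment's command table and text (matched case-insensitively)
CARDER_COMMANDS = {"!cardable", "!cc", "!cclimit", "!chk", "!cvv2", "!exploit",
                   "!order.log", "!proxy", "!proxychk", "!bank"}

# Raw IRC line as seen on a proxy or honeypot: ":nick!user@host PRIVMSG #chan :text"
IRC_PRIVMSG = re.compile(
    r"^:(?P<nick>[^!\s]+)!\S+\s+PRIVMSG\s+(?P<target>\S+)\s+:(?P<text>.*)$")
PAN_CANDIDATE = re.compile(r"\b\d{13,19}\b")

def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; used here only to decide what must be masked."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def redact_pans(text: str) -> str:
    """Mask Luhn-valid 13-19 digit runs so an alert never carries a full PAN."""
    def mask(m: "re.Match") -> str:
        s = m.group(0)
        return "*" * (len(s) - 4) + s[-4:] if luhn_ok(s) else s
    return PAN_CANDIDATE.sub(mask, text)

def classify_line(line: str):
    """Return an alert dict if the line is a carder-bot command, else None."""
    m = IRC_PRIVMSG.match(line.strip())
    if not m:
        return None
    words = m.group("text").split()
    if not words or words[0].lower() not in CARDER_COMMANDS:
        return None
    return {"nick": m.group("nick"), "channel": m.group("target"),
            "command": words[0].lower(),
            "args": redact_pans(" ".join(words[1:]))}

def scan(lines):
    # Run the classifier over raw IRC lines and keep only the hits
    return [a for a in (classify_line(l) for l in lines) if a is not None]

# Constructed sample traffic (not captured data); the PAN is the well-known test number
SAMPLE_LOG = [
    ":seller1!u@h.example PRIVMSG #cc :!chk 4111111111111111",
    ":newbie!u@h.example PRIVMSG #cc :hi, how do i use the bot?",
    ":seller1!u@h.example PRIVMSG #cc :!cardable electronics",
    ":bob!u@h.example PRIVMSG #ccs :!CVV2 4111111111111111 0105",
]
```

Running `scan(SAMPLE_LOG)` yields three alerts (the chat line is ignored), with both card numbers masked to their last four digits.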
A card verification value, or CVV, is a three- or four-digit number printed on a credit card (and encoded on the mag strip) for
fraud protection. It provides a cryptographic check of the information embossed on the credit card. The use of the CVV in an
online transaction is intended to signify the physical presence of the card at the transaction’s origin, e.g. in the hands of an
online customer, thus reducing the occurrence of credit card fraud in card-not-present transactions. Unfortunately, as CVVs
have been captured and stored in merchant databases that are subsequently compromised, the anti-fraud value of the CVV
has recently diminished. (See http://usa.visa.com/business/merchants/fraud_basics_cvv2 for more information.)