If you’re hocking stolen credit card information online, you should really be more careful about who you sell your card numbers to, because theres a good chance that the customer who just mailed you a check for a few hundred dollars is really just an FBI agent in disguise. In fact, if youve been using the website called Carder Profit to unload your purloined information, its likely that all of your customers have been undercover FBI agents.
Thats because the FBI owns and operates the site.
This week, the Federal Bureau of Investigation finally sprung the trap on Carder Profit, a website the bureau has used for the past two years to bait hackers and cyber-fences. The sting, known as Operation Card Shop, led to 24 arrests in 13 different countries. According to the feds it stopped 400,000 different card numbers from falling into the wrong hands, thereby preventing $200 million in potential losses. But while the figures seem large, the FBI insists that this is just one small victory in their war against a type of crime that has become increasingly harder to stop.
The coordinated law enforcement actions taken by an unprecedented number of countries around the world today demonstrate that hackers and fraudsters cannot count on being able to prowl the Internet in anonymity and with impunity, even across national boundaries, said Preet Bharara, United States attorney for the Southern District of New York in an interview with the New York Times.
Credit card fraud is evolving. Old-school pickpockets are still out there, of course. Waiters still copy down numbers in the back of the restaurant. Shady dudes with high-tech devices suck data right through our clothing. John Connor is out there somewhere, right now, hotwiring an ATM. But thanks to the Internet, cyber-criminals today can reach across the dark Atlantic and rob a company dry. SQL injections and other breaching techniques allow hackers to force their way into painfully vulnerable company databases. And once theyre in, anything goes.
They’ll copy the data from all of the credit cards stored in a database hundreds of thousands of cards, in some cases and then shut off their computer as if nothing ever happened.
Since using the stolen numbers themselves would give authorities an easy trail to follow, many hackers prefer to sell their information to end users through sites like UGNazi.com, Carder.org and Carder Profit. These sites function like digital black markets, where fences and thieves post their wares in a forum and then privately arrange deals with interested buyers.
The value of any single card number depends on its credit limit, expiration date and date of theft. A fresh rewards credit card can net as much as $25. But since these cards are sold in batches of a hundred or a thousand, a significant amount of money changes hands.
The dealers dont always take money for their goods, though. Nineteen-year-old Joshua Hicks, known online as OxieDox, requested that his undercover buyer send him a DSLR camera in exchange for five stolen card numbers plus $250 for an additional 10 numbers. According to the FBI, other dealers have requested sunglasses, air purifiers and synthetic marijuana.
Stolen credit cards aren’t the only things you can find on the black market, either. It’s easy to find all the information you need (customer names, addresses, Social Security numbers) to create fake credit cards on your own. Some hackers even sell tools of the trade to amateurs who want to break into the underworld. For $50, one user offered remote access software for the purpose of spying on computers and webcams.
All in all, the sting is a big step for consumer safety. Though these black market sites are responsible for the illegal sale of hundreds of thousands of stolen cards each year, there are only a few major dealers operating in the shadows. Consequently, its been difficult for the law to work its way into the folds. Now that the FBI and other agencies have figured out how to put at least a handful of the big players behind bars, the Internet should be just a little bit safer at least until a new sort of cyber