Lurking in the Depths: Credit Card Fraud in the Deep Web
The internet. Wide, immersive, informative, and virtually infinite. Since its conception, it has become a tool for the entire world used to socialize, create, explore, and learn. Many of us can agree that our smartphones have allowed us to have almost anything we want at our fingertips, including knowledge. Search engines like Google can provide us with answers to almost any question, and even access to tangible items through online shopping. Imagine the amount of credit card numbers that must pass through the internet each and every day.
Picture waking up one morning and finding all your money and identity stolen. This is what can happen when your credit card number falls victim to then hands of the World Wide Web’s alter ego; the deep Web.
It’s is hard to get away with illicit activities in the wide open space of the web due to online surveillance systems, but what if there was a part of the Web that was invisible to common search engines? Actually such an entity does exist, and it is the ICT known as the deep Web. Within it, personal information, such as credit card numbers, is being stolen and monetized. Just like having two dimensions, when most of society is clicking away in the World Wide Web, the deep Web is where the underbelly of the internet exists, and never sleeps.
My name is Emilia Vieni, and in today’s episode is Lurking in the Depths: Credit Card Fraud in the Deep Web.
If the internet is the land, then the deep Web is the sea. The search engine Tor, which is the required component one needs in order to access the deep Web’s links, is like a fisherman’s net that is cast out in order to capture the treasure underneath.
As Michael Bergman, chairman and VP of Brightplanet Corporation states: “if the most coveted commodity of the information age is indeed information, then the value of the deep Web content is immeasurable.” To learn more about the deep Web, in particular its political uses, click here: BLOG URL
It also “provides more relevant and high-quality information in comparison with the ‘crawlable’ part of the Web, such as Google,” (Denis Shestakov, 2008).
Because of the deep Web’s anonymity, it has also become an outlet for cyber criminals worldwide, and credit card fraud in particular is an extremely common practice that is organized throughout .onion links (.com links for the deep Web). Imagine one day you wake up and find your credit account emptied, and your identity stolen.
credit card sound
But where do these cyber criminals come from, and who are their main targets?
How does a cyber-attack lead to the monetization of stolen data?
What does stolen information cost, and where does one obtain it?
What can someone do to protect themselves from credit card fraud?
Let’s take a closer look at how credit fraud begins in the deep Web.
Everyone in North America should by now be aware of Target, the mega department store coveted by U.S shoppers. This retail chain in 2013 also became a ‘target” so to speak for hackers when it was met with an enormous security breach. Bloomberg news reports the following:
“In the days prior to Christmas 2013, someone installed malware in Target’s security and payments system designed to steal every credit card used at the company’s 1,797 US stores.
At the critical moment-when the Christmas gifts had been scanned and bagged and the cashier asked for a swipe-the malware would step in, capture the shopper’s credit card number and store it on a Target server commandeered by the hackers,” (Riley et al., 2014). You can read more on the Target and Home Depot hacks here: BLOG URL
This led to many questions as to how the hackers were able to enter Target’s security base, and a lot of heat was placed on the chain, which to many was seen as a secure way to purchase goods with the use of one’s credit card.
“It’s a measure of how common these crimes have become, and how conventional the hacker’s approach in this case, that Target was prepared for such an attack,” (Riley et al. 2014).
It should be noted that “many countries, including the US, still use credit cards based on a magnetic strip that are quite easy to clone; the lack of security chips aids cyber criminals,” according to the InfoSec Security Institute.
*que background music
But what happens once this information has been stolen? Where and how do they process this information? Well, this is where the deep Web comes in. As we know, credit card information would be considered a hot item, and it would be difficult to sell it within the World Wide Web, for almost everything there is filtered or has some kind of security enforced upon it. The deep Web’s anonymity is what allows for ease of access when it comes to the buying and selling of illegal goods and services. As well, the only way to gain access to the deep Web is to utilize what is called a Tor browser, which searches for .onion links, essentially the websites of the deep Web.
Aaron Sankin of The Kernel, The Daily Dot’s digital Sunday magazine, explains: “Developed by the U.S Navy just over a decade ago, Tor is a system designed to let users surf the Web while largely preventing their browsing activity from being traced back to them. Sections of the Internet that can only be accessed by Tor-equipped browsers have become havens for illicit activity, most notably drug dealing. Silk Road, the notorious, multibillion-dollar online haven for the drug trade that was shuttered by law enforcement officials last year, was only accessible through Tor,” (2014)
The Hidden Wiki.org, a public website that provides Tor users with .onion links and deep Web information, has an article pertaining to credit card fraud which describes some of the illicit black market websites that can be used for the trade of illegal goods. Black Market Reloaded being one of them. According to the Hidden Wiki:
“Here you are able to buy guns. Actual firearms, that really arrive- if you are able to pay enormous prices! Perhaps some ricin, one of the most deadly poisons, for half a Bitcoin would be more your taste. If neither of that appeals to you-which I hope it all didn’t-you might however be interested in the last very interesting product…credit cards.”
Let’s take a look at how these credit cards are obtained and circulated.
Ken Westin in his article *Stolen Credit Cards and the Black Market: How the Deep Web Underground Economy Works *states that:
“First the card numbers are sold to brokers who acquire the stolen cards numbers in bulk. These are then sold to carders. The price for valid credit cards can be as high as $100 per card depending on the status of the card.”
So once a hacker or group of hackers can gain access to any kind of system that takes credit card information for payments, such as Target, it is then sold within websites and forums in the deep Web.
InfoSec Security describes the deep Web criminal environment as an “underground ecosystem”, which they describe as the following:
“The term underground ecosystem is usually used to refer a collection of forums, websites and chat rooms that are designed with the specific intent to advantage, streamline and industrialize criminal activities.
The underground ecosystem represents a portion of cyberspace that is considered vital for criminal communities, where criminals can acquire and sell tools, services and data for various kinds of illegal activities.
Recently a team of experts from Dell SecureWorks released a report on black hat markets, titled Underground Hacker Markets http://www.secureworks.com/assets/pdf-store/white-papers/wp-dell-secureworks-underground-hacking-report.pdf (PDF), which reported a number of noteworthy trends, the most interesting of which is the growing interest in personal data.
Criminal crews are offering any kind of documentation that could be used in sophisticated frauds. Passports, driver’s licenses, Social Security numbers and even utility bills are commonly exploited by hackers as a second form of authentication by service providers. For this reason they are purchased by criminals in the underground.”
*“The markets are booming with counterfeit documents to further enable fraud, including new identity kits, passports, utility bills, social security cards and driver’s licenses … It is apparent that the underground hackers are monetizing every piece of data they can steal or buy and are continually adding services so other scammers can successfully carry out online and in-person fraud,” **states the report published by Dell SecureWorks.”*
We have a special guest in today who will remain anonymous due to the nature of this episode; however this individual who we will call John Liu has extensive background experience in computer technology, and first-hand experience dealing with credit card fraud rings and deep Web intelligence.
Me: Thanks for coming in today, Chris. Now tell us, do you think that the government will one day be able to fully regulate, and perhaps shut down, these illicit activities that occur within the depths of the Web?
John: No, because it is growing way too fast for regulations to catch up. As soon as the government or any type of authority figures figure out how to catch an exploit, a new one will come out. A good example is Pirate Bay. They’re a torrent sharing website, and they were shut down for a bit but in its absence, a lot of new servers came up, which is actually similar to the Greek legend of the hydra, where if you chop off one head, another one will come up.
Me: interesting, so the internet’s seemingly limitless boundaries can also be its downfall, for it allows a lot of space for new threats and illegal websites to plant their space. Tell us, how can one protect themselves from hackers and identity theft?
John: Don’t use unknown, random websites. Make sure it has a reputation. Google a name before you use it. You should always change your password every few months. It only takes one day to completely empty a person’s whole bank account.
Me: So always take precautions. I know a lot of people who have been long time internet users, and they often take their security for granted. A lot of us are willing to hand out our information to websites when doing online shopping but we don’t always think of the implications! Now my last question for you, is how are these card numbers physically created so that carders can use the information and make purchases?
John: There’s an archive of stolen card numbers on the deep Web. Anyone can just access these card numbers and then transfer all the information onto the cards using an actual card reader and a pin pad. Anyone can buy one of these for $500.00.
Me: It is so simple and easy to access, if one has the will to exploit someone for their credit information it would be up to the person to do so. Thanks John!
So not only can someone easily use someone’s credit card, but at the same time the forums and websites where this information is circulated are numerous, so precaution must always be taken when purchasing goods both online and in store.
Bergman states that “public information on the deep Web is 400 to 500 times larger than the commonly defined World Wide Web, and contains 7,500 terabytes of information compared to nineteen terabytes of information on the surface Web. 95% of the deep Web is publicly accessible information not subject to fees or subscription.” (2013)
In the information age that we now all find ourselves living in, online transactions are always unavoidable at some point. But are there efforts being made to crack down on this cybercrime?
Linda Delamaire in Banks and Banks Systems, Volume 4 makes a point that not only are civilians at risk, but the retail stores as well.
“Online merchants are at risk because they have to offer their clients payment by credit card. In cases where fraudsters use stolen or manipulated credit card data the merchant loses money because of so-called ‘charge backs’. Nevertheless, ATM transactions of large amounts are suspicious and demand contact with the customer. Purchases of goods for a larger amount than normal will also be notified to the customer as well as abnormal overseas spending patterns,” (2009).
You see, the issue of deep Web carding does not just mean that a few people may lose a few dollars; it is an issue that if not contained, could affect the economy at large. Everything monetary in our society is connected. One may argue that to gain someone else must lose-to some, stealing someone’s credit card is nothing near as bad as say, an act of violence. But if credit card fraud is not controlled and eliminated, it can eventually cause millions of fines, and damage to the economy.
A recent report from NASDAQ states that: Data breaches totaled 1,540 worldwide in 2014 -- up 46 percent from the year before -- and led to the compromise of more than one billion data records. 1 http://www.creditcards.com/#1-gemaltoTwelve percent of breaches occurred in the financial services sector; 11 percent happened in the retail sector. 1 http://www.creditcards.com/#1-gemaltoMalicious outsiders were the culprits in 55 percent of data breaches, while malicious insiders accounted for 15 percent. 1 http://www.creditcards.com/#1-gemalto
This data from NASDAQ proves that the main culprits within the credit fraud scene are indeed deep Web criminals, with a god portion of theft taking place within the retail sector.
Even more proof of this is the methods that carders use when purchasing in public stores and domains. Typically, a carder will send a runner to purchase gift cards with the credit cards, in the hopes that having a $100 Best Buy gift card appears less suspicious than having a large credit limit. Because of charge backs that may apply when a client notices suspicious credit activity, even retail stores cannot benefit from the use of stolen credit cards.
So you see, credit card fraud is not merely a petty crime. It affects your town, your city, and many others around the world. Not only that, but it is a form of identity theft. When someone has access to your credit card, they have access to your name, and your hard earned cash.
Looking at the deep Web, I can’t say I would be totally against it. Though we have highlighted one of the darker aspects of this universe, there are also many other productive ways in which the deep Web is used. For example, it can be a good educational tool for those who are trying to learn more about computers, and code. Many deep Web users are also computer experts. It can essentially be used for anything, both good and bad.
However, the reality is that there are illicit activities happening every day, not just credit card fraud, and though we may be ignorant at times to this fact, we must always remain vigilant for this is the only way to truly eliminate cybercrime. Keep your cash safe, and think twice before you carelessly swipe that credit card. cash register sound
Feel intrigued by the deep Web? Check out YouTube celebrity Takedown man for informative videos on websites and deep Web how-to’s: https://www.youtube.com/user/Takedownman
Paganini, P. (2014, January 14). Introduction to the Business of Stolen Card Data - InfoSec Resources. Retrieved November 18, 2015, from http://resources.infosecinstitute.com/introduction-business-stolen-card-data/
Shestakov, D. (May 2008). *Search Interfaces on the Web: Querying and Characterizing *(Doctoral Dissertation). Available from University of Turku database.
Bergman, M. (August 2001). *White Paper: The Deep Web: Surfacing Hidden Value*. Retrieved November 18, 2015 from http://quod.lib.umich.edu/j/jep/3336451.0007.104?view=text;rgn=main
Riley, M., Elgin, B., Lawrence, D., & Matlack, C. (2014, March 13). Target Missed Warnings in Epic Hack of Credit Card Data. Retrieved November 18, 2015.
CCV – Buying stolen credit cards 3. (2013, August 24). Retrieved November 18, 2015.
Westin, K. (2014, September 15). Stolen Credit Cards and the Black Market: How the Deep Web Underground Economy Works. Retrieved November 18, 2015.
Delamaire, L., Abdou, H., & Pointon, J. (2009). Credit Card Fraud and Detection Techniques: A Review. Retrieved November 18, 2015, from http://businessperspectives.org/journalsfree/bbs/2009/BBSen20092_Delamaire.pdf
Holmes, Tamara. "Credit Card Fraud and ID Theft Statistics." NASDAQ.com. 16 Sept. 2015. Web. 20 Nov. 2015.
"A Buyers Guide to Stolen Data on the Deep Web." Darkmatters. Infosec Institute. Web. 20 Nov. 2015. < http://darkmatters.norsecorp.com/2015/04/07/a-buyers-guide-to-stolen-data-on-the-deep-web/ cite>.
Anonymous. "Credit Card Fraud." Personal interview. 15 Nov. 2015.