The New York Times

June 21, 2005

Black Market in Stolen Credit Card Data Thrives on Internet

By TOM ZELLER Jr.

"Want drive fast cars?" asks an advertisement, in broken English, atop the Web site iaaca.com. "Want live in premium hotels? Want own beautiful girls? It's possible with dumps from Zo0mer." A "dump," in the blunt vernacular of a relentlessly flourishing online black market, is a credit card number. And what Zo0mer is peddling is stolen account information - name, billing address, phone - for Gold Visa cards and MasterCards at $100 apiece.

It is not clear whether any data stolen from CardSystems Solutions, the payment processor reported on Friday to have exposed 40 million credit card accounts to possible theft, has entered this black market. But law enforcement officials and security experts say it is a safe bet that the data will eventually be peddled at sites like iaaca.com - its very name a swaggering shorthand for International Association for the Advancement of Criminal Activity.

For despite years of security improvements and tougher, more coordinated law enforcement efforts, the information that criminals siphon - credit card and bank account numbers, and whole buckets of raw consumer information - is boldly hawked on the Internet. The data's value arises from its ready conversion into online purchases, counterfeit card manufacture, or more elaborate identity-theft schemes.

The online trade in credit card and bank account numbers, as well as other raw consumer information, is highly structured. There are buyers and sellers, intermediaries and even service industries. The players come from all over the world, but most of the Web sites where they meet are run from computer servers in the former Soviet Union, making them difficult to police.

Traders quickly earn titles, ratings and reputations for the quality of the goods they deliver - quality that also determines prices. And a wealth of institutional knowledge and shared wisdom is doled out to newcomers seeking entry into the market, like how to move payments and the best time of month to crack an account.

The Federal Trade Commission estimates that roughly 10 million Americans have their personal information pilfered and misused in some way or another every year, costing consumers $5 billion and businesses $48 billion annually.

"There's so much to this," said Jim Melnick, a former Russian affairs analyst for the Defense Intelligence Agency who is now the director of threat development at iDefense, a company in Reston, Va., that tracks cybercrime. "The story that needs to be told is the larger, long-term threat to the American financial industry. It's a cancer. It's not going to kill you now, but slowly, over time."

No one is willing to estimate how many cards and account numbers actually make it to the Internet auction block, but law enforcement agents consistently describe the market as huge. Every day, at sites like iaaca.com and carderportal.org, pseudonymous vendors do business in an arcane slurry of acronyms.

"Cobs," or changes of billings, are a hot commodity. Typically, a peddler of cobs is offering fresh bank or credit card accounts, along with the ability to change the billing address through a pilfered PIN. In other cases, a vendor selling cobs is offering to change billing addresses himself, as a service. Sometimes the address is changed to a safe "drop," which might be an empty apartment in a local building, or some other scouted locale where goods can be delivered. (Information on reliable drops is also bought and sold.)

Lengthy tutorials posted at online "carding" forums indicate that the cob art form is highly developed. A patient criminal will wait until the day a victim receives a billing statement. "That way you have a full 30 days" before the victim is likely to look over his account again, explained one frank tutorial collected by the F.B.I.

A user going by the name "mindtrip" had cobs for sale recently: "I'm selling cobs from at this time only banks Discover and American Express t'ill further notice," he wrote in brusque English. "The cobs come with full info including MMN" (mother's maiden name). Discover Card cobs with any balance were on special: $50. American Express, a more exclusive and potentially more lucrative account, commanded $85.

Alongside advertisements for cobs are pitches from malicious-code writers, who sell their services to the con artists, known as phishers, who contract with spammers to send out millions of increasingly sophisticated phony e-mails designed to lure victims into revealing their account information.

A successful phishing operation might bring in thousands of fresh account numbers, along with other identifying details: names, addresses, phone numbers, passwords, PIN's, and mothers' maiden names. The richer the detail (and the higher the account balance), the better the asking price.

A user by the nickname Sirota is peddling account information so detailed, and so formatted, that it clearly came from a credit report. He is asking $200 per dump on accounts with available balances above $10,000, with a minimum order of five if the buyer wants accounts associated with a particular bank. "Also, I can provide dumps with online access," he wrote. "The price of such dumps is 5% of available credit."

Every day brings more. "These things have a short shelf life," said Dan Larkin, the unit chief at the F.B.I.'s Internet Crime Complaint Center in West Virginia. "The criminal value of a compromised credit card is very short term, so there's a constant need to keep backfilling their resources."

A Full-Service Black Market

Those buying fresh batches of account numbers may try to make purchases online, having goods delivered to a drop and then fencing them through online auctions.

More sophisticated thieves will seek out a vendor of encoding devices, and others who sell "plastic," or blank credit cards, and "algos," algorithms that are needed to properly encode the magnetic strip and produce a usable card. And "cash out" services can be arranged with those offering to take the encoded plastic to a cash machine and make daily withdrawals until the account is depleted. (The cash-out risk commands a premium - often 50 percent or more of the total balance.)

Traders - whether they deal in plastic, algos, cobs or other booty - build reputations first by earning the right to advertise, and then, in a black-market version of eBay buyer feedback, augment their status by receiving published kudos from other members. No one is permitted to post product or service offers at most of these Web sites without first having their wares vetted by site administrators, or by those who have been selected as trusted "reviewers."

At iaaca.com, for example, those wishing to sell cobs or cob services "will be required to provide ten (10) change of addresses, to be distributed to two reviewers," who "will test this service by either phone or Internet." New vendors of credit card numbers "will be required to furnish 20 VALID dumps (5 Classics, 5 business, 5 platinums, 5 corporate; 50 percent Visa, 50 percent MasterCard)," according to the site administrators. "The testers will determine the quality, in a percentage of valid numbers."

Once the wares are vetted, a vendor might then pay a fee to peddle them on a site's message boards. Banner ads can also be purchased.

Contacts among deal makers almost always move off the boards and onto ICQ, the instant-messaging program of choice among cyberthieves because of its easy anonymity (no names, no registration, no e-mail required). Payments often change hands in relative anonymity (and with little regulation) by e-gold, an electronic currency that purports to be backed by gold bullion and issued by e-gold Ltd., a company incorporated on the island of Nevis in the Caribbean. (Secret Service agents have expressed skepticism over the gold backing.)

Transactions might also be made in WMZ's, electronic monetary units equivalent to American dollars and issued by WebMoney Transfer, a company based in Moscow.

Plenty of noncriminal entities use such services to move money, Secret Service analysts said - although they added that the agency had conversations with some of the e-currency issuers to discuss ways to address the problem.

Thefts at Data Aggregators

Mark Rasch, the former head of cyberinvestigations for the Justice Department and now the senior vice president of Solutionary, a computer security company, said the numbers taken in the CardSystems breach - at least 200,000 are said to have been in stolen files - are almost certain to end up in one of these trading posts.

CardSystems represented a vital hub through which millions of account numbers passed. ChoicePoint, a data aggregator, was another gold mine; it announced in February that thousands of records had been downloaded from its databases by thieves posing as legitimate business clients (no hacking required).

"The pattern in the last six months is going after aggregators," Mr. Rasch said. "It used to be you'd get a few numbers from a few merchants and aggregate them yourself - a few numbers from a lot of people. But at some point they said, 'Wait a minute, there are other people who aggregate this stuff.' "

And, Mr. Rasch pointed out, it is nearly impossible to stop. For all the information that law enforcement and security experts can glean from sites like iaaca.com, "there are whole marketplaces of bulletin board systems and chats that are invisible," he said.

Still, law enforcement has made inroads. In October, the Justice Department and the Secret Service announced the internationally coordinated arrest of 28 individuals in eight states and several countries, including Sweden, Britain, Poland, Belarus and Bulgaria.

Among those arrested were Andrew Mantovani of Scottsdale, Ariz., David Appleyard of Linwood, N.J., and Anatoly Tyukanov of Moscow. The Justice Department says they are the ringleaders of Shadowcrew.com, the largest English-language Web bazaar trading in everything from stolen credit card, debit card and bank account numbers to counterfeit drivers' licenses, passports and Social Security cards.

The investigation, called Operation Firewall, broke up a 4,000-member underground that, according to the Justice Department, bought and sold nearly two million credit card account numbers in two years and caused over $4 million in losses to merchants, banks and individuals.

But eight months later, the traders have adapted and resumed business. They are a bit more skittish now, said John Watters, the chief executive of iDefense, which generates cybercrime intelligence for government and financial industry clients. Operation Firewall did take out some of the "low-hanging fruit," Mr. Watters said. But that has only caused the pricing models to become more refined, and the characters in this black-market economy to become more sophisticated.

A New Market for New Identities

Mr. Watters said there was also a small but growing market for the type of raw consumer information that has been pilfered from ChoicePoint, LexisNexis and other general data aggregators.

"We've observed people paying for identities," Mr. Watters said, describing Web forms where criminals could tick off the fields they had to sell or wanted to buy: address, date of birth, Social Security number, driver's license number, mother's maiden name. And as the traders slip deeper underground - or onto servers in regions with lax laws, overburdened or uninterested law enforcement and no real working relationship with American authorities - the odds of pulling off another Operation Firewall get worse.

"The next battle will be substantially harder," Mr. Watters said. "It's getting harder for us to do our job."

Asked at a symposium on cybercrime late last month if law enforcement was losing the battle against cybercriminals, Brian Nagel, assistant director for investigations at the Secret Service, said no, according to published reports.

But another panel member, Jody Westby, the managing director of security and privacy practice at PricewaterhouseCoopers, disagreed, insisting that based on Federal Trade Commission statistics on identity and credit card theft, only about 5 percent of cybercriminals are ever caught.

In an interview, Ms. Westby offered an assessment no less bleak. "We're not making an impact," she said. "The criminals are too hard to track and trace, too hard to prosecute, and the information they steal is too easy to use."

At one Russian-language site over the weekend, a user called Lexus celebrated the CardSystems breach, saying that "judgment day has come for the bourgeoisie." Another, Zer0, suggested on the site that the hacked numbers might represent new opportunities in the underground.

"It is a good occasion for us," Zer0 said. "Happy hunting."