
©2020 by Q6 Cyber.

All rights reserved.


TLP: Amber
A Worrisome Evolution
in Carding Markets

September 2020


Executive Summary
• Carding markets – illicit e-commerce platforms that facilitate the trafficking of huge
volumes of compromised payment card data – have been a staple of the ‘Digital
Underground’ for many years.
• Carding markets have evolved over the years in various ways. A recent trend suggests
another evolution that is worrisome for financial institutions, merchants, consumers,
and other payments stakeholders.
• Historically, carding markets offering compromised card-not-present (‘CNP’) data
provided the compromised card number, expiration date, CVV, accountholder name,
address, and occasionally the cardholder’s phone number and / or email address.
• Recently, an increasing number of carding markets started providing a wider range of
compromised and even more sensitive accountholder information such as the
accountholder’s social security number, date of birth, mother’s maiden name, IP
address, email account password, ATM PIN, and even mobile phone account PIN.
• This increase in the availability of victims’ personally identifiable information (‘PII’),
alongside compromised payment card data, is of great value to cybercriminals and
fraudsters and is likely to result in a near-term escalation of fraudulent activities, both
in magnitude and sophistication.
• Threat actors can – and already do – exploit the newly available PII in multiple ways
(beyond traditional payment card fraud), for example:
o Online banking account takeover.
o Fraudulent new account application.
o ATM cash-out.
o 2FA bypass.
o Online card enrollment.
• To protect against these threats, financial institutions and merchants can take
proactive steps to identify compromised accounts early and set rules to action these
accounts in ways that prevent unauthorized activity.


Carding Markets – Then and Now


Until recently, carding markets offering compromised card-not-present (‘CNP’) data
usually provided the card account number and related fields, as well as limited information
about the accountholder. Over the past few months, we have observed a worrying trend,
wherein numerous carding markets feature large volumes of compromised payment
cards with additional accountholder PII such as social security number, date of birth,
mother’s maiden name, email account password, IP address, last paid amount, ATM PIN,
and wireless account PIN.

It is worth mentioning that even in the past, certain carding markets occasionally offered
‘premium’ card inventory which included the cardholder’s SSN and/or DoB (such cards
are often referred to as “fullz”). However, such data was relatively rare.


Underground carding market listing the “extra” information available with compromised card data

Carding market advertising a database of compromised cards that includes the cardholders’ SSN, DOB, AT&T PIN, and ATM PIN

Origins of the Data


The obvious question is where threat actors are sourcing the sensitive PII alongside the
compromised payment card data. As there is far too much data across many carding
markets spanning several months, there is not one single source or set of sources. It
appears that the sources fall into several categories:
• Malware victims – both desktop and mobile malware families are capable of
harvesting sensitive information such as email account password and mobile
account PIN.
• Phishing attacks – advanced phishing attacks have been successful at
manipulating victims into providing sensitive information.
• Advanced Magecart-like campaigns – cybercriminals engaged in digital credit card
theft by skimming online payment forms.


It is also likely that certain threat actors analyze leaked databases containing PII (large
volumes of which are easily accessible on the Digital Underground) and match the data
with compromised payment cardholders to produce a more complete, enriched victim
profile. Regardless of the source or method utilized, leading card vendors are improving
the quality and value of their supply.

Example of cards offered for sale, including the victim’s IP address and credentials to an e-commerce account

A carding market offering several card databases with different PII combinations

Vectors of Attack
Using the additional PII and account information that is increasingly available on carding
markets, cybercriminals and fraudsters can pursue more methods of exploiting victims
and committing financial crimes other than payment card fraud. Some of the methods that
we have observed are outlined below.


Of course, the above-mentioned attack vectors do not represent an exhaustive list of
fraudulent schemes. Threat actors leverage the additional PII and accountholder
information to facilitate other schemes and financial crimes, as well as identity theft.
Additionally, fraudsters leverage the enhanced data to inform or support elementary fraud
schemes. For example, the last amount paid can be used by fraudsters to estimate the
available line of credit on the card and remain below it when executing transactions, and
much of the accountholder information can be used to pass verification challenges when
calling a financial institution call center.

Recommendations
In the face of this threat, financial institutions, merchants, and payments companies need
not be reactive. On the contrary, such organizations can deploy proactive measures to
preempt cybercriminals from carrying out payment card fraud and other financial crimes
using the compromised data that is increasingly available on carding markets. Leveraging
Digital Underground intelligence to continuously and effectively monitor carding markets,
organizations can proactively identify and flag compromised customers. Then,
organizations can initiate actions and processes to protect these customer accounts
(including payment cards, online banking, e-commerce, payments, and more), even
deploying different strategies depending on the range of the compromise (e.g., treating a
customer with compromised email account and mobile account PIN as a greater risk than
one without). Furthermore, analyzing the compromised accountholders can generate
insights on the source of the breach and enable actions to “stop the bleeding”. Finally,
tracking fraud and takeover attempts of the compromised accounts can yield valuable
insights on the latest schemes used by threat actors.
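The tiered response and breach-source analysis described above, as an added illustration that is not Q6 Cyber's tooling or code: exposure records are constructed sample data, the field names and risk weights are assumptions chosen for the example, and the source check is a plain common-point-of-purchase count over constructed transaction histories.

```python
"""Triage of compromised-customer records and a common-point-of-purchase check.
All data below is constructed for illustration; field names/weights are assumed."""
from collections import Counter

# Assumed weights: fields that defeat authentication (e-mail password, mobile PIN,
# ATM PIN) outrank static identity data, which outranks the card fields themselves.
FIELD_RISK = {
    "card_number": 1, "cvv": 1, "ip_address": 1,
    "ssn": 3, "dob": 2, "mmn": 2,
    "email_password": 4, "mobile_pin": 4, "atm_pin": 4,
}

def risk_tier(exposed_fields):
    """Map the set of fields listed for a customer to a tier and protective actions."""
    fields = set(exposed_fields)
    score = sum(FIELD_RISK.get(f, 0) for f in fields)
    actions = {"reissue_card"}  # any listing justifies at least a card reissue
    if "atm_pin" in fields:
        actions.add("block_atm_withdrawals_until_pin_reset")
    if fields & {"email_password", "mobile_pin"}:
        # one-time codes sent by SMS or e-mail are no longer trustworthy here
        actions.add("disable_sms_email_otp")
        actions.add("require_app_or_in_person_verification")
    if fields & {"ssn", "dob", "mmn"}:
        actions.add("flag_new_account_applications")
        actions.add("harden_call_center_verification")
    tier = "critical" if score >= 10 else "high" if score >= 5 else "elevated"
    return tier, actions

def common_point_of_purchase(card_histories, min_share=0.8):
    """Merchants present in at least min_share of the compromised cards' histories;
    a merchant shared by nearly all victims is a candidate breach source."""
    n = len(card_histories)
    counts = Counter(m for hist in card_histories.values() for m in set(hist))
    return sorted(m for m, c in counts.items() if c / n >= min_share)

# Constructed sample: three compromised cards and where each was recently used.
SAMPLE_HISTORIES = {
    "card-A": ["webshop-1", "cafe-2", "grocer-3"],
    "card-B": ["webshop-1", "fuel-4"],
    "card-C": ["webshop-1", "cafe-2"],
}

if __name__ == "__main__":
    print(risk_tier(["card_number", "cvv", "ssn", "dob", "atm_pin"]))
    print(common_point_of_purchase(SAMPLE_HISTORIES))
```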
