A Worrisome Evolution in Carding Markets: September 2020
September 2020
Executive Summary
• Carding markets – illicit e-commerce platforms that facilitate the trafficking of huge
volumes of compromised payment card data – have been a staple of the ‘Digital
Underground’ for many years.
• Carding markets have evolved over the years in various ways. A recent trend suggests
another evolution that is worrisome for financial institutions, merchants, consumers,
and other payments stakeholders.
• Historically, carding markets offering compromised card-not-present (‘CNP’) data
provided the compromised card number, expiration date, CVV, accountholder name,
address, and occasionally the cardholder’s phone number and / or email address.
• Recently, an increasing number of carding markets started providing a wider range of
compromised and even more sensitive accountholder information such as the
accountholder’s social security number, date of birth, mother’s maiden name, IP
address, email account password, ATM PIN, and even mobile phone account PIN.
• This increase in the availability of victims’ personally identifiable information (‘PII’),
alongside compromised payment card data, is of great value to cybercriminals and
fraudsters and is likely to result in a near-term escalation of fraudulent activities, both
in magnitude and sophistication.
• Threat actors can – and already do – exploit the newly available PII in multiple ways
(beyond traditional payment card fraud), for example:
o Online banking account takeover.
o Fraudulent new account application.
o ATM cash-out.
o 2FA bypass.
o Online card enrollment.
• To protect against these threats, financial institutions and merchants can take
proactive steps to identify compromised accounts early and set rules to action these
accounts in ways that prevent unauthorized activity.
It is worth mentioning that even in the past, certain carding markets occasionally offered
‘premium’ card inventory which included the cardholder’s SSN and/or DoB (such cards
are often referred to as “fullz”). However, such data was relatively rare.
Underground carding market listing the “extra” information available with compromised card data
Carding market advertising a database of compromised cards that includes the cardholders’ SSN, DOB, AT&T PIN, and ATM PIN
It is also likely that certain threat actors analyze leaked databases containing PII (large
volumes of which are easily accessible on the Digital Underground) and match the data
with compromised payment cardholders to produce a more complete, enriched victim
profile. Regardless of the source or method utilized, leading card vendors are improving
the quality and value of their supply.
Example of cards offered for sale, including the victim’s IP address and credentials to an e-commerce account
A carding market offering several card databases with different PII combinations
Vectors of Attack
Using the additional PII and account information that is increasingly available on carding
markets, cybercriminals and fraudsters can pursue more methods of exploiting victims
and committing financial crimes other than payment card fraud. Some of the methods that
we have observed are outlined below.
Recommendations
In the face of this threat, financial institutions, merchants, and payments companies need
not be reactive. On the contrary, such organizations can deploy proactive measures to
preempt cybercriminals from carrying out payment card fraud and other financial crimes
using the compromised data that is increasingly available on carding markets. Leveraging
Digital Underground intelligence to continuously and effectively monitor carding markets,
organizations can proactively identify and flag compromised customers. Then,
organizations can initiate actions and processes to protect these customer accounts
(including payment cards, online banking, e-commerce, payments, and more), even
deploying different strategies depending on the range of the compromise (e.g., treating a
customer with compromised email account and mobile account PIN as a greater risk than
one without). Furthermore, analyzing the compromised accountholders can generate
insights on the source of the breach and enable actions to “stop the bleeding”. Finally,
tracking fraud and takeover attempts of the compromised accounts can yield valuable
insights on the latest schemes used by threat actors.
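
One way to express the tiering by range of compromise described above, as an added example that is not part of the original report. The field groupings, tier names, response actions, customer IDs and listings are constructed assumptions, and the code assumes the monitoring feed has already matched each listing to an internal customer ID.

```python
from collections import defaultdict

# Field groups follow the PII types the report lists; tier names and the
# response actions are assumptions for illustration, not from the report.
IDENTITY = {"ssn", "dob", "mothers_maiden_name", "ip_address"}
CREDENTIAL = {"email_password", "atm_pin", "mobile_pin"}
TIERS = ["card_only", "identity", "credential", "multi_credential"]
BASE = ["reissue_card"]
ACTIONS = {
    "card_only": BASE,
    "identity": BASE + ["step_up_new_applications_and_card_enrollment"],
    "credential": BASE + ["force_pin_and_password_reset"],
    "multi_credential": BASE + ["force_pin_and_password_reset",
                                "hold_contact_detail_changes_for_callback"],
}

def merge_exposure(listings):
    """Union exposed field names per customer across every listing seen."""
    exposed = defaultdict(set)
    for item in listings:
        exposed[item["customer_id"]].update(f.strip().lower() for f in item["fields"])
    return dict(exposed)

def tier_for(fields):
    """Highest tier wins: credentials outrank identity PII, which outranks card data."""
    creds = fields & CREDENTIAL
    if len(creds) >= 2:
        return "multi_credential"
    if creds:
        return "credential"
    return "identity" if fields & IDENTITY else "card_only"

def triage(listings):
    """Return one row per customer, most exposed first."""
    rows = [{"customer_id": c, "tier": tier_for(f), "exposed": sorted(f),
             "actions": ACTIONS[tier_for(f)]}
            for c, f in merge_exposure(listings).items()]
    return sorted(rows, key=lambda r: (-TIERS.index(r["tier"]), r["customer_id"]))

# Constructed sample: listings already matched to internal customer IDs.
SAMPLE_LISTINGS = [
    {"customer_id": "C-1001", "source": "db-A", "fields": ["pan", "cvv", "Email_Password"]},
    {"customer_id": "C-1002", "source": "db-A", "fields": ["pan", "expiry", "cvv"]},
    {"customer_id": "C-1001", "source": "db-B", "fields": ["pan", "mobile_pin", "dob"]},
    {"customer_id": "C-1003", "source": "db-B", "fields": ["pan", "ssn", "dob"]},
    {"customer_id": "C-1004", "source": "db-C", "fields": ["pan", "atm_pin"]},
]

if __name__ == "__main__":
    for row in triage(SAMPLE_LISTINGS):
        print(row["customer_id"], row["tier"], row["actions"])
```

Merging before tiering matters because the same customer can appear in several databases with different PII combinations, so no single listing shows the full exposure.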