This study was first reported in the 2017 CLUSIT REPORT – https://clusit.it/rapporto-clusit/
This report, edited by the Lutech Cyber Threat Intelligence Team, presents the current state of the illegal trade of credit cards on blackmarkets.
From the data collected by our proprietary research systems, which monitor public and private sources, we identified many resources attributable to blackmarkets, in both the deepweb and the darkweb. The identified blackmarkets were analyzed and classified in order to identify the distinctive features of each of them, such as:
- Access mode
- Presence on the network (Darkweb, Deepweb)
- Market typology
- Supported languages
- Cards sales volume
The following sections describe the blackmarket phenomenon in general (section “The Blackmarkets Phenomenon”) and present some statistics obtained directly from our analysis of carding-specialized markets (section “Analysis”), with a focus on Italian data.
The Blackmarkets Phenomenon
Over the years, the demand for exchanging illegal items has led to the rise of websites dedicated to their trade, the blackmarkets, on which anyone can buy or sell these items anonymously.
Because of the type of items traded, the most successful blackmarkets guarantee anonymity for both resellers and users, accept transactions only in cryptocurrency (and therefore anonymous), and implement a trust mechanism for resellers, so that the most reliable ones gain more visibility and build a reputation.
These sites are often hosted in the darkweb, mainly on the Tor and I2P networks, but just as often they are reachable through the normal Internet; more precisely, they reside in the deepweb, since the content of these stores is not indexed by traditional search engines, so it is necessary both to know the exact address of the market you want to reach and to have private access to it.
At the beginning, the blackmarket scene consisted of a few large websites on which it was possible to find any kind of illegal item, such as drugs, credit cards, fake documents and even weapons.
The one that absolutely dominated the underground scene was Silk Road, also called “the Amazon of drugs” for the vast range of items of that type (but not only) available on the website and for the number of users who regularly visited it.
The image below (“Blackmarkets activity period”, source https://www.gwern.net/Black-market%20survival) shows the duration of the activity period of the 87 most famous English blackmarkets over the 2011-2016 period. The colors indicate how each market was shut down, according to the following legend: dark green for those that were hacked or de-anonymized, light green for those shut down by the police, violet for those closed voluntarily, blue for those shut down for fraud against their own users, and red for those still open.
This image shows a turning point in the underground market scene that coincides with the shutdown of Silk Road, carried out in an FBI operation on October 3rd, 2013 (after a short reopening, it was definitively shut down on November 6th, 2014).
Silk Road was targeted by the FBI in particular for its huge exposure and notoriety; for this reason, in response to its closure, many smaller blackmarkets were born, often specialized in a single type of item to avoid attracting too much police attention.
Blackmarkets activity period
From the data shown in the image, three main differences between the periods before and after Silk Road can be deduced: before its shutdown, a small number of large marketplaces with a rather long lifespan were present. After Silk Road, instead, many more markets were born, smaller and with a shorter lifespan (on average, less than a year).
Analysis – Introduction
This analysis, based on data obtained by Lutech research systems, focuses in particular on carding-specialized blackmarkets, that is, blackmarkets that sell only credit card data or items related to financial fraud, such as banking, PayPal and eBay accounts.
After some targeted research, more than 900 addresses related to the illegal trade of these items were found, in both the deepweb and the darkweb; they were analyzed, and a total of 85 active carding blackmarkets were extracted and classified.
The data obtained from this classification activity confirm the current trend in the lifespan of illegal markets: the identified addresses were indeed related to carding websites at different points in time, but less than 10% of them were active at the time of analysis.
Some charts on the web presence of these markets and on their protection are shown below. The following section (Analysis – Blackmarket features) gives an insight into their features.
Analysis – Blackmarket features
This section shows some charts on the features of the analyzed blackmarkets. These features include search options for the items sold, language distribution, data updates and other information.
As the charts show, the analyzed carding blackmarkets have the features of real e-commerce systems in their design and site structure, with dynamic search that lets the user apply different search filters.
The following section (Analysis – Centralshop Blackmarket) presents the details of one of these blackmarkets, named “Centralshop”.
Analysis – Centralshop Blackmarket
The Centralshop blackmarket is presented in detail below. This market was chosen as an example because it was possible to verify the actual validity of the credit card data sold, and because it is one of the markets that support the most features, including:
- Password-protected access (OTP generated on the fly)
- Presence in both the deepweb and the darkweb, with different mirrors (Tor network)
- Search filters (Country, Bank, card type, level, address, zip code, etc.)
- Multi-language: English, Russian, Chinese, Spanish
- Customer care service (by ticketing)
- Constant update of sold data
Figure 1 – Centralshop blackmarket homepage
The Centralshop homepage (Figure 1) shows a counter of the cards for sale in the market and some of the features described above, including other mirrors of the website, the checker and support services, the search links and others.
As the number of cards for sale shows, most of this data is American; however, there is a considerable amount of information related to cards from European countries, including Italy.
Figure 2 – Search filters and search by Country
Figure 3 – Search results (global)
The market provides different filters to search the data of the cards for sale (Figure 2), which are then shown in a partially obfuscated view (Figure 3).
The data have been further obfuscated for privacy reasons.
The two following screenshots (Figure 4, Figure 5) show an extract of the FAQ (Frequently Asked Questions) section of the website, in which the support service in particular is visible.
Figure 4 – “Frequently Asked Questions” section
Figure 5 – FAQ: Support
Figure 6 – Checker system
Figure 7 – Supported payment systems
The market also has a statistics section (Figure 8, Figure 9) with data such as the databases uploaded by the vendors (amount of card data, validity percentage, upload date) or the vendors themselves (number of uploaded databases, data quality, etc.).
Figure 8 – Cards for sale databases statistics
Figure 9 – Vendors statistics
Analysis – Payments card data
This section shows some statistics on the credit card data extracted from the carding-specialized markets on which it was possible to verify the actual presence of credit card data (72), including the total number of cards present on the markets, the total number of Italian cards present on the markets, and the sales distribution of such cards.
The numerical data related to each blackmarket were extracted during the information gathering phase.
The number of credit card records present on the different blackmarkets must be put in context: the count may refer only to non-expired cards or to the total number of cards put on sale since the market opened; therefore, the total number of cards alone is not sufficiently indicative of the actual sales volume of that marketplace.
Payment card data are sold on the markets at prices that vary depending on several factors, which may be specific to the card for sale, such as the circuit (Visa, Mastercard, JCB, American Express, …) or the level class (e.g. Visa Electron, Visa Classic, Visa Gold, …), or related to the information available and for sale, including:
- Card data only (Number, expiry date and CVV)
- Holder name
- Phone number
The completeness of the data and the credit limit (plafond) available on the card (which depends on the circuit and the level) are the main factors that determine the price variations of the payment cards sold.
In most markets, a card is sold at a price ranging between 8 and 15 dollars.
The chart below shows the price distribution of the cards sold on the different markets.
The data refer to the markets for which it was possible to obtain such information.
On average, the data of a payment card are worth less than 20 dollars in the illegal trade market.
Given the unlawful nature of the trade activities analyzed in this report, in most cases it was not possible to obtain further indicators useful for establishing the veracity or reliability of the card data themselves.
Furthermore, most of the blackmarkets show (for obvious reasons) only a partial or obfuscated view of the data of the cards for sale.
Such data are very often too generic and do not allow precise reporting, as they are not enough to uniquely identify a card.
Therefore, the analysis presented here shows that the illegal trade market of credit cards is flourishing and counts many marketplaces dedicated to it, indicating a constant interest by criminals in the trade of such data, which, as shown, also has a direct impact on the business of Italian institutions.
Fabio Bellani, Francesco Faenzi, Roberto Romano