We explained in a previous blog where stolen data goes. Last week, Brian Krebs reported that the Russians had shut down a huge card fraud ring. The FSB (Russian Federal Police) arrested 25 individuals connected with 90 online illicit markets. These websites specialized in the sale of stolen financial information. This provides us with a case study to better understand the impact of police operations on the criminal underground. We find evidence that the takedown impacted a criminal organization but that parts of the group survived the blow and are still active.

Websites down

Krebs explains that the arrested actors were selling stolen information to resellers. The resellers in turn operated multiple online platforms – known as autoshops – independently. The figure below presents the look and feel of most autoshops.

Autoshops are automated websites where customers search for credit cards to buy by their issuing bank, country or price. Purchases are automated with a cart system and payments are made in cryptocurrencies. Credit card information can be emailed or presented directly on the autoshop.

Around the same time as the arrests, we witnessed a number of large autoshops go offline. We believe these autoshops are connected to the police operation. The police disrupted their activities by arresting their suppliers and perhaps even the actors running them. This suggests a restructuring of the criminal underground and a decrease in the number of frauds, but only for a short period of time. Indeed, many small actors will seek to fill the void left by the arrested actors, and future blog posts will follow their trajectories.

A connected web

In addition to warning us of a disruption in autoshop activities, Krebs's blog post reminds us that a single criminal group can have a significant impact on the criminal underground. We had suspicions that many of the large autoshops were run by the same actors. The 3 main reasons for this were:

  1. The autoshops all used the same backend database. We collected data on autoshops by connecting directly to their databases using unpublished access methods. Since the same method worked on multiple autoshops, they were all using the same software architecture. The various graphical interfaces of the autoshops were meant to make visitors believe that they were accessing a different autoshop.
  2. The autoshops used the same Google Analytics identifier (GAI). Google Analytics is a free tool to monitor website traffic. Users add the GAI to their website source code, and this information is often used to connect websites to actors. There is simply no reason for anyone to insert someone else’s GAI into a website.
  3. The autoshops sold many of the same cards. We analyzed all the cards on sale over the past months on the autoshops that were recently shut down. As shown in the figure below, 41% of these cards were for sale on 5 different autoshops, 28% were for sale on 4 different autoshops and only 11% were advertised on 1 autoshop. This means that 89% of cards were for sale on more than one autoshop.

 

Number of autoshops where each stolen credit card is offered for sale

Taken together, these findings strongly suggested that a single group operated multiple autoshops and hid behind multiple fake identities. The question now is whether all of the group’s members were arrested in the police sting.

A group that is still active?

Prtship [dot] com is a criminal underground forum active since 2017. It is hosted by Nforce Entertainment B.v., an infamous hosting provider. Prtship [dot] com facilitates the sale of stolen personal and financial information – in other words, stolen credit cards. Our monitoring system connected the autoshops that shut down recently with this forum, as both used the same Google Analytics identifier. This once again strongly suggests that the group described above also hosts Prtship [dot] com.

 

The homepage of Prtship [dot] com

Surprisingly, Prtship [dot] com is still online at the time of writing. This suggests that some of the group’s members evaded arrest. A competing hypothesis is that law enforcement took over forum management and is now running the forum and impersonating its administrators.

To find out if that is the case, we analyzed the behavior of Prtship [dot] com’s leadership. The forum is run by 1 administrator and 2 moderators. If law enforcement indeed took over the forum, we would expect to see a period with no posts from the forum leadership (transition period) and then a period with heavy activity (intelligence gathering period) where law enforcement solicits members to extract information from them.

 

Daily activity of Prtship [dot] com leadership

The figure above shows the number of posts per day by the forum leadership over the past 3 weeks. This does not yield any indication that the forum was seized by law enforcement at this point.

The administrator of the forum and one moderator show little to no activity for the past weeks. They have not, however, had much activity since the beginning of the year, so this behavior is expected. One moderator has shown declining activity over the past two weeks. There is, however, no absence of forum leadership. It is then possible that members of the group evaded arrest and are still active in the criminal underground.


If you are monitoring autoshops on your own, you will need to update your list of targets in the coming days as carding activity moves to new platforms. You should also look for clues about the ownership of the autoshops you monitor. You are likely to find duplicate information on different platforms and Google Analytics identifiers are one way to reduce the noise. This enables you to concentrate on platforms that are run by different criminal organizations.
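The ownership check described above (shared Google Analytics identifiers across autoshops and the forum) can be scripted. The following is an added example, not code from the original post: it extracts legacy `UA-` and GA4 `G-` identifiers from page sources and groups domains that share one, transitively, so chained links (shop A shares an id with shop B, which shares another with a forum) land in one group. The domains and page snippets are constructed sample data.

```python
import re
from collections import defaultdict

# Legacy "UA-<account>-<property>" ids and GA4 "G-<measurement>" ids as they
# appear in embedded gtag/analytics.js snippets. Word boundaries keep ordinary
# text such as "G-force" from matching.
GA_ID_RE = re.compile(r"\b(UA-\d{4,10}-\d{1,4}|G-[A-Z0-9]{6,12})\b")

def extract_ga_ids(html):
    """Return every Google Analytics identifier embedded in one page source."""
    return set(GA_ID_RE.findall(html))

def cluster_by_ga_id(pages):
    """Map each identifier to the set of domains whose source embeds it."""
    clusters = defaultdict(set)
    for domain, html in pages.items():
        for ga_id in extract_ga_ids(html):
            clusters[ga_id].add(domain)
    return dict(clusters)

def operator_groups(pages):
    """Union-find over shared identifiers: domains linked directly or through
    a chain of common ids form one group; domains with no id stay alone."""
    parent = {d: d for d in pages}
    def find(d):
        while parent[d] != d:
            parent[d] = parent[parent[d]]  # path halving
            d = parent[d]
        return d
    for domains in cluster_by_ga_id(pages).values():
        first, *rest = sorted(domains)
        for other in rest:
            parent[find(other)] = find(first)
    groups = defaultdict(set)
    for d in pages:
        groups[find(d)].add(d)
    return sorted(groups.values(), key=min)

# Constructed sample page sources for hypothetical domains (not from the post).
SAMPLE_PAGES = {
    "shop-a.example": "<script>ga('create', 'UA-12345678-1', 'auto');</script>",
    "shop-b.example": "<script>gtag('config', 'UA-12345678-1');</script>",
    "forum.example": "gtag('config','G-ABCDEF1234'); ga('create','UA-12345678-1','auto');",
    "other.example": "<script>ga('create', 'UA-99999999-2', 'auto');</script>",
    "plain.example": "<p>Our G-force tables have nothing to do with analytics.</p>",
}

if __name__ == "__main__":
    for group in operator_groups(SAMPLE_PAGES):
        print(sorted(group))
```

Feed it the raw HTML your crawler already fetches per domain; platforms that end up in a group of their own are the ones likely run by a different organization and worth separate monitoring.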

If you wish to automate your protection and ensure that you have the highest quality of monitoring of the criminal underground, contact us to request a demo of our Firework platform. Our system will warn you when the criminal underground slows down and update you on the latest autoshops that carders are using.
