To improve our tools and algorithms, part of our daily work at Flare Systems is to read advertisements for illicit goods and services. Our job is to understand who the threat actors are, who they are targeting, and how they are targeting so we can help our customers stay ahead of the threats.
Because of this, we have developed a a set of tools that understand fraudsters and extract actionable intelligence out of their communications. We read between the lines and more importantly understands the subtle meanings of the specific fraudster jargon (in addition to knowing which passwords they use).
In this blog post, we analyze the 10 most common words from fraud advertisements. We explain what they mean and provide you with an example of advertisement for each so you can understand fraudster speak as well.
YOU CAN SEND ME A MESSAGE WITH YOUR PREFERENCE FOR
CC BIN LEVEL AND CITY/COUNTRY
AND YOUR PREFERENCE VISA/MASTER/AMEX OR DISCOVER
BIN refers to the bank identifier number at the start of debit and credit cards. Each network (Visa, Mastercard) and financial institution has its own BIN that identifies its customers. Fraudsters often buy credit card numbers based on a BIN that is close to them. It is easier for them to impersonate someone from their region as they have a more intimate knowledge of the institutions and have an IP that is local to the victim.
In the example above, a fraudster is offering to sell credit cards based on their BIN. Once a BIN is selected, there is no need however to specify the country or network as they are already included in the BIN.
NO IDENTIFICATION FOR SENDING CC TO BTC. INSTANT RETURN TO YOUR BITCOIN WALLET OF CHOICE!! GET IN ON THIS METHOD BECAUSE IT MAY NOT BE AROUND FOREVER !!! EASY EASY EASY
BTC refers to bitcoin, the most popular cryptocurrency used on the darknet. Fraudster take advantage of the anonymous nature of bitcoin to launder their funds before sending the stolen funds back into the banking system. Bitcoins are also used to empty out hacked bank accounts by transferring funds from these accounts to a bitcoin exchange. These exchanges convert the dollars to bitcoins and vastly facilitate money laundering.
In the example above, the fraudster is offering a method to buy bitcoins with a stolen credit card without having to provide any identity documents. This will limit the ability of law enforcement to find the fraudster should they investigate the credit card fraud.
SEND EMT FROM BANK LOGIN!!! THIS METHOD WILL BYPASS THE 2FA CODE TO ADD A NEW E-TRANSFER RECIPIENT!
THE GLITCH IS GONNA BYPASS THE SMS CODE IN FEW SECOND AND YOU WILL BE ABLE TO DEPOSIT THE MONEY IN ANY DROP OF ANY RECIPIENT!
Bypass refers to methods that evade security measures such as 2 factor authentication (2FA) codes sent by SMS, the security questions at the time of login and verification codes sent via SMS any the time of any major changes made to the back accounts. Some times logic flaws in web applications result in bypasses becoming available that can be exploited by hackers.
In the example above, the fraudster is advertising a method to add a new payee to a hacked bank account. The fraudster can then send the funds to another bank account/payee from which it may be easier to cashout (see below).
YOU’RE SICK OF YOUR LOGS BURNING? EVEN WHEN YOU’VE USE A CLEAN DEVICE AND SOCKS? I’M GOING TO SHOW YOU HOW YOU CAN GET THE MOST OUT OF YOUR LOGS.
THIS WAY YOU’LL CASH OUT FOR SURE.
When fraudsters have taken control of a bank account they need to transfer the funds to other accounts through which they can launder them. Cashout is the name of a mixture of techniques used to steal the funds. The techniques include adding new payees and finding drop accounts (see further below).
In the example above, the fraudster advertises a technique to transfer the funds out of a hacked bank account. The fraudster claims to know a method that will help others who have failed to cashout in the past even when they were using some of the best practices such as using a VPN.
CANADA RANDOM VISA/MASTER/AMEX CVV WITH BILLING INFO. SUPER VALID FAST-DELIVERY CVV. 100% VALID.
ALL CVV CHECKED BEFORE SENDING .
CVV (Card Verification Value) refers to stolen financial information that is used to make online purchases. Also known as fullz, CVV information includes the name of the victim, the address, a card number, expiration date and the code at the back of the card. Some CVV also include more personal information such as mother maiden name and phone number.
In the example above, the fraudster is offering stolen credit cards from Canada with the billing information of the card’s owner. The credit cards are usually not reported stolen at the time of the sale.
YOU CAN LEARN HOW TO CREATE YOUR VERY OWN BANK DROPS. WITHOUT HAVING TO WORRY ABOUT SPENDING MONEY ON THESE. AND THEN PUTTING MONEY INTO THEM AND CASHING THEM OUT. WITHOUT EVEN KNOWING IF THEY WERE CREATED PROPERLY.
A drop refers to a physical space or a bank account that receives stolen goods or funds. The advertiser most often does not provide or rent out physical drop space. Instead, fraudsters sell their method for selecting safe delivery addresses (ex. abandoned house) or how to safely use one’s home or a post office mailbox to receive goods bought online with a stolen credit card. The method commonly includes using fake identity cards and bribing a post office worker.
For drop bank accounts, fraudsters use bank accounts from individuals – known as mules – recruited through work at home job postings. The individuals keep a share of the money they receive in their bank account and wire the rest to the fraudsters’ account, usually in a country where it is unlikely to be traced or seized. Organized crime groups are often behind the drop bank account services. They charge a commission of about 50% for every transfer they launder. The groups hire the mules and trains them to feign ignorance if they are arrested.
In the example above, the fraudster is selling a technique to use bank drop account. This method likely involves how to hire a bank drop account service and set up a foreign bank account in a country where account seizures are difficult and rare.
FRESH SNIFFED DUMPS FROM POS USA/CANADA/WORLDWIDE.
100% LIVE TRACK2. SERVICE CODE 101/201.
YOU WILL RECEIVE FROM ME TRACK 2
Dumps refers to the information stored on a card’s magnetic stripe. This information includes the card owner’s name, credit card number and expiration date. It is replicated on two tracks (Track 1 or 101 and Track 2 or 201). Dumps are usually stolen using malware on point of sale systems (POS). Every card that is used on those terminals is copied and transfered to a malicious actor.
In the example above, the fruadster is offering credit card dumps that were stolen from a point of sale system either in the USA, in Canada or in some other country. They promise that all their dumps will not be reported stolen at the time of sale.
LEARN HOW TO SEND EMT WITH ANY LOG TO YOUR BANK DROP UNDETECTED. DON’T BURN YOUR LOGS;
LEARN TO USE THEM EFFICIENTLY FOR MAXIMUM SUCCESS.
EMT stands for an electronic money transfer. Most banks limit where an EMT can be sent and have time-out periods when adding new payees. The methods enable fraudsters to send any amount to any account instantaneously.
In the example above, the fraudster is offering a method to send an EMT to a bank account controlled by the fraudster.
I LOAD ALL BANK ACCOUT UP TO 14K.
ALL I NEED IS ONLINE BANKING.
100% WORKING WITH PROOF.
LOAD refers to sending money to an account under the control of a malicious actor. The loaded account is used to launder the money by transfering it on to a cryptocurrency exchange or by cashing out the account in an ATM.
In the example above, the fraudster is offering to send a payment of up to CAD $14,000 to a bank account. The fraudster is only responsible for the service and charges a fee for facilitating the transfer of the money.
SELLING BANK LOGS NOW.
IN STOCK: 5-10K / 10K-30K / 100K / 600K.
YOU CAN REQUEST BAL. PRICES ARE DIFFERENT FOR EACH.
THIS LISTING IS FOR 600K.
YOU CAN REQUEST BC OR ONTARIO / AB SOMETIMES.
LOGS refer to bank credentials. The credentials sometimes include the answers to the security questions asked at login in addition to the username and password. The price for logs varies depending on the balance of the bank account.
In the example above, the fraudster is offering the credentials for a bank account with a balance of CAD $600,000. The bank account is likely to be in British Columbia, Ontario, or perhaps Alberta.
THIS METHOD WILL SHOW YOU IN A FEW STEPS HOW TO SHIP FROM HOLT RENFREW’S WEBSITE DIRECTLY TO ANY ADDRESS.
METHOD HAS BEEN TESTED SEVERAL TIMES.
I CAN PROVIDE PROOFS.
WILL SELL THIS SAUCE A FEW TIMES ONLY.
YOU’LL SEE THE TRANSACTION SAY APPROVED AND IT’ll BE BEAUTIFUL!
Ship refers to the shipment of a physical item to an address controlled by the carder. Fraudsters use social engineering on call center employees to add new addresses to online accounts or by modifying databases through hacks.
In the example above, the fraudster is offering a method to force a well-known retailer to send a purchase to a different address than the credit card’s billing address.
Malicious actors communicate a lot with each other – sometimes even too much. When malicious actors communicate, their goal is to make it difficult for a neophyte to easily understand what they are saying. The social nature of the Darkweb forums and marketplaces where malicious actors sell their products and services however prevents them from using a jargon that is too specialized. If no one can understand them, how are they supposed to buy and sell goods and services from each other? Speaking fraudster appears complicated but understanding 10 small words can already make a significant difference.