Do You Speak Fraudster?

Word cloud that represents the most commonly used dark web words/jargon by fraudsters.

We updated this article on August 3, 2023 to include fraudster terms from Telegram.

To improve our tools and algorithms, part of our daily work at Flare is to read advertisements for illicit goods and services in illicit communities such as dark web forums and marketplaces. Our job is to understand who the threat actors are, who they are targeting, and how they are targeting organizations so we can help our customers stay ahead of the threats.

Because of this, we have developed a set of tools that understands fraudsters and extracts actionable intelligence out of their communications. We read between the lines and more importantly understand the subtle meanings of the specific fraudster jargon (in addition to knowing which passwords they use).

In this blog post, we analyze the most common words from fraud advertisements. We explain what they mean and provide an example advertisement for each so you can understand fraudster speak as well.


BIN

YOU CAN SEND ME A MESSAGE WITH YOUR PREFERENCE FOR
CC BIN LEVEL AND CITY/COUNTRY
AND YOUR PREFERENCE VISA/MASTER/AMEX OR DISCOVER

BIN refers to the bank identifier number at the start of debit and credit cards. Each network (Visa, Mastercard) and financial institution has its own BIN that identifies its customers. Fraudsters often buy credit card numbers based on a BIN that is close to them. It is easier for them to impersonate someone from their region as they have a more intimate knowledge of the institutions and have an IP that is local to the victim.

In the example above, a fraudster is offering to sell credit cards based on their BIN. Once a BIN is selected, there is no need to specify the country or network as they are already included in the BIN.


BTC

NO IDENTIFICATION FOR SENDING CC TO BTC. INSTANT RETURN TO YOUR BITCOIN WALLET OF CHOICE!! GET IN ON THIS METHOD BECAUSE IT MAY NOT BE AROUND FOREVER !!! EASY EASY EASY

BTC refers to bitcoin, the most popular cryptocurrency used on the darknet. Threat actors take advantage of the anonymous nature of bitcoin to launder their funds before sending the stolen funds back into the banking system. Bitcoin is also used to empty out hacked bank accounts by transferring funds from these accounts to a bitcoin exchange. These exchanges convert the dollars to bitcoins and greatly facilitate money laundering.

In the example above, the fraudster is offering a method to buy bitcoin with a stolen credit card without having to provide any identity documents. This will limit the ability of law enforcement to find the threat actor if they try to investigate the credit card fraud.


BYPASS

SEND EMT FROM BANK LOGIN!!! THIS METHOD WILL BYPASS THE 2FA CODE TO ADD A NEW E-TRANSFER RECIPIENT!
THE GLITCH IS GONNA BYPASS THE SMS CODE IN FEW SECOND AND YOU WILL BE ABLE TO DEPOSIT THE MONEY IN ANY DROP OF ANY RECIPIENT!

Bypass refers to methods that evade security measures such as two-factor authentication (2FA) codes sent by SMS, the security questions asked at login, and verification codes sent via SMS at the time of any major change made to a bank account. Sometimes logic flaws in web applications make bypasses available, which threat actors can then exploit.

In the example above, the fraudster is advertising a method to add a new payee to a hacked bank account. The fraudster can then send the funds to another bank account/payee from which it may be easier to cashout.


CARDING

THE FIRST RULE TO SUCCEED IN THE CARDING AND HACKING FIELD IS TO KEEP A LOW PROFILE! THANKS TO BITCOIN WE EARN ABSOLUTE PRIVACY AND YOU EARN THE OPPORTUNITY TO CHANGE YOUR FINANCIAL SITUATION. 

Carding generally refers to credit card fraud, with an unauthorized user abusing the credit card for their financial gain.

In the example above, the fraudster advertises their credit card fraud tool. Their advertised tool and method prioritize anonymity, which would help them continue carding.


CASHOUT

YOU’RE SICK OF YOUR LOGS BURNING? EVEN WHEN YOU’VE USE A CLEAN DEVICE AND SOCKS? I’M GOING TO SHOW YOU HOW YOU CAN GET THE MOST OUT OF YOUR LOGS.
THIS WAY YOU’LL CASH OUT FOR SURE.

When fraudsters have taken control of a bank account, they need to transfer the funds to other accounts through which they can launder them. Cashout is the name for a mixture of techniques used to steal the funds. The techniques include adding new payees and finding drop accounts (see further below).

In the example above, the fraudster advertises a technique to transfer the funds out of a hacked bank account. The fraudster claims to know a method that will help others who have failed to cashout in the past even when they were using some of the best practices such as using a VPN.


CVV

CANADA RANDOM VISA/MASTER/AMEX CVV WITH BILLING INFO. SUPER VALID FAST-DELIVERY CVV. 100% VALID.
ALL CVV CHECKED BEFORE SENDING .

CVV (Card Verification Value) refers to stolen financial information that is used to make online purchases. Also known as fullz, CVV information includes the name of the victim, the address, a card number, expiration date, and the code at the back of the card. Some CVV also include more personal information such as the mother's maiden name and phone number.

In the example above, the fraudster is offering stolen credit cards from Canada with the card owner’s billing information. The credit cards are usually not reported stolen at the time of the sale.


DROP

YOU CAN LEARN HOW TO CREATE YOUR VERY OWN BANK DROPS. WITHOUT HAVING TO WORRY ABOUT SPENDING MONEY ON THESE. AND THEN PUTTING MONEY INTO THEM AND CASHING THEM OUT. WITHOUT EVEN KNOWING IF THEY WERE CREATED PROPERLY.

A drop refers to a physical space or a bank account that receives stolen goods or funds. The advertiser most often does not provide or rent out physical drop space. Instead, malicious actors sell their method for selecting safe delivery addresses (ex. an abandoned house) or how to safely use one’s home or a post office mailbox to receive goods bought online with a stolen credit card. The method commonly includes using fake identity cards and bribing a post office worker.

For drop bank accounts, fraudsters use bank accounts from individuals – known as mules – recruited through work-from-home job postings. The individuals keep a share of the money they receive in their bank account and wire the rest to the threat actors’ accounts, usually in a country where it is unlikely to be traced or seized. Organized crime groups are often behind the drop bank account services. They charge a commission of about 50% for every transfer they launder. The groups hire the mules and train them to feign ignorance if they are arrested.

In the example above, the fraudster is selling a technique to use a bank drop account. This method likely involves how to hire a bank drop account service and set up a foreign bank account in a country where account seizures are difficult and rare.


DUMPS

FRESH SNIFFED DUMPS FROM POS USA/CANADA/WORLDWIDE.
100% LIVE TRACK2. SERVICE CODE 101/201.
YOU WILL RECEIVE FROM ME TRACK 2

Dumps refers to the information stored on a card’s magnetic stripe. This information includes the card owner’s name, credit card number, and expiration date. It is replicated on two tracks (Track 1 or 101 and Track 2 or 201). Dumps are usually stolen using malware on point of sale systems (POS). Every card that is used on those terminals is copied and transferred to a malicious actor.

In the example above, the malicious actor is offering credit card dumps that were stolen from a point of sale system either in the USA, in Canada, or in some other country. They promise that all their dumps will not be reported stolen at the time of sale.
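
A defender-side sketch tied to the BIN and DUMPS entries above, added here and not taken from Flare's tooling: it scans text such as POS or application logs for Track 2-shaped data, filters candidates with the Luhn checksum, and reports only the BIN, expiry, service code and a masked card number. The function names and the sample log are constructed for illustration, and a 6-digit BIN is assumed.

```python
import re

# Track 2 layout (ISO/IEC 7813):
#   ; PAN = YYMM + 3-digit service code + discretionary data ?
TRACK2_RE = re.compile(r";?(\d{13,19})=(\d{2})(\d{2})(\d{3})\d*\??")

def luhn_ok(pan: str) -> bool:
    """Luhn checksum: rejects digit runs that merely look like a card number."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def find_track2(text: str, bin_len: int = 6) -> list[dict]:
    """Return masked findings for every Luhn-valid Track 2 candidate in text."""
    findings = []
    for m in TRACK2_RE.finditer(text):
        pan, yy, mm, svc = m.groups()
        if not (1 <= int(mm) <= 12 and luhn_ok(pan)):
            continue
        masked = pan[:bin_len] + "*" * (len(pan) - bin_len - 4) + pan[-4:]
        findings.append({
            "bin": pan[:bin_len],        # identifies network and issuer
            "masked_pan": masked,        # never log the full number
            "expiry": f"{mm}/{yy}",
            "service_code": svc,         # e.g. the 101/201 quoted in the ad
            "offset": m.start(),
        })
    return findings

# Constructed sample lines; 4111111111111111 is a widely published test number.
SAMPLE_LOG = """\
2023-08-03 10:01:12 pos-agent debug buf=;4111111111111111=25122010000000000000?
2023-08-03 10:01:13 pos-agent order=1234567890123456=2512201 ref only
2023-08-03 10:01:14 pos-agent heartbeat ok
"""

if __name__ == "__main__":
    for finding in find_track2(SAMPLE_LOG):
        print(finding)
```

The second sample line has the right shape but fails the Luhn check, so it is not reported; that filter is what keeps order numbers and similar digit runs from flooding an alert queue.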


EMT

LEARN HOW TO SEND EMT WITH ANY LOG TO YOUR BANK DROP UNDETECTED. DON’T BURN YOUR LOGS;
LEARN TO USE THEM EFFICIENTLY FOR MAXIMUM SUCCESS.

EMT stands for an electronic money transfer. Most banks limit where an EMT can be sent and have time-out periods when adding new payees. The methods enable fraudsters to send any amount to any account instantaneously.

In the example above, the fraudster is offering a method to send an EMT to a bank account controlled by them.


LOAD

I LOAD ALL BANK ACCOUT UP TO 14K.
ALL I NEED IS ONLINE BANKING.
100% WORKING WITH PROOF.

Load refers to sending money to an account under the control of a malicious actor. The loaded account is used to launder the money by transferring it on to a cryptocurrency exchange or by cashing out the account at an ATM.

In the example above, the fraudster is offering to send a payment of up to CAD $14,000 to a bank account. The fraudster is only responsible for the service and charges a fee for facilitating the transfer of the money.


LOGS

SELLING BANK LOGS NOW.
IN STOCK: 5-10K / 10K-30K / 100K / 600K.
YOU CAN REQUEST BAL. PRICES ARE DIFFERENT FOR EACH.
THIS LISTING IS FOR 600K.
YOU CAN REQUEST BC OR ONTARIO / AB SOMETIMES.

Logs refer to bank credentials. The credentials sometimes include the answers to the security questions asked at login in addition to the username and password. The price for logs varies depending on the balance of the bank account.

In the example above, the fraudster is offering the credentials for a bank account with a balance of CAD $600,000. The bank account is likely to be in British Columbia, Ontario, or Alberta.


SHIP

THIS METHOD WILL SHOW YOU IN A FEW STEPS HOW TO SHIP FROM HOLT RENFREW’S WEBSITE DIRECTLY TO ANY ADDRESS.
METHOD HAS BEEN TESTED SEVERAL TIMES.
I CAN PROVIDE PROOFS.
WILL SELL THIS SAUCE A FEW TIMES ONLY.
YOU’LL SEE THE TRANSACTION SAY APPROVED AND IT’ll BE BEAUTIFUL!

Ship refers to the shipment of a physical item to an address controlled by the carder. Fraudsters add new addresses to online accounts by using social engineering on call center employees or by modifying databases through hacks.

In the example above, the threat actor is offering a method to force a well-known retailer to send a purchase to a different address than the credit card’s billing address.


TELEGRAM

SUBSCRIBE TO OUR TELEGRAM CHANNEL, YOU WILL ALWAYS BE AWARE OF THE LATEST NEWS AND UPDATES!

Monitoring Telegram is now a must to learn more about what threat actors discuss and how they evolve their techniques to attack organizations. Watch our Research team’s latest discussion about the new dark web, also known as illicit Telegram channels.

Because of threat actors’ growing usage of Telegram, we’ve updated our article with a few popular Telegram fraudster terms. Malicious actors do have some terms they commonly use on Telegram, and there are also terms used across the dark web and Telegram.

Telegram screenshot of a tutorial from a threat actor on how to use “bank logs” for a direct deposit fraud

COMBOLIST

PRIVATE COMBO CLOUD WE OFFER YOU ♦️ UPLOAD EVERYDAY ♦️ PRIVATE COMBOLIST ♦️ NO DUPLICATE LINE ♦️ FRESH COMBOLIST ♦️ PRIVATE COMBOLIST

Combolists/combo lists are a collection of stolen usernames and passwords. Threat actors can take combo lists to run through their automated brute-forcing tools. Combolists usually include information from several breaches, and often do not have a standardized format.

Malicious actors determine a combolist’s value through several factors:

  • The type of account/service the credentials provide access to
  • How recently the credentials were stolen
  • The number of breaches in the combolist
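
Because combolists merge several breaches and lack a standardized format, exposure monitoring starts with a tolerant parser. The following is an added example, not Flare's code: it normalizes mixed line formats, deduplicates credential pairs by digest, and reports which accounts on monitored domains appear. The domains, sample lines and function names are constructed.

```python
import hashlib
import re
from collections import defaultdict

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@([A-Za-z0-9.-]+\.[A-Za-z]{2,})")

def parse_line(line: str):
    """Return (email, secret) from one line, or None if it cannot be parsed.
    The email is found first and the next character is taken as the delimiter,
    so a password containing ':' or ';' stays intact and a URL prefix is skipped.
    """
    m = EMAIL_RE.search(line)
    if not m:
        return None
    rest = line[m.end():]
    if not rest or rest[0] not in ":;|,\t ":
        return None
    secret = rest[1:].strip()
    return (m.group(0).lower(), secret) if secret else None

def exposure_report(lines, monitored_domains):
    """Map each monitored domain to exposed accounts and unique pair count."""
    seen = set()
    report = defaultdict(lambda: {"accounts": set(), "pairs": 0})
    for line in lines:
        parsed = parse_line(line.strip())
        if not parsed:
            continue
        email, secret = parsed
        domain = email.split("@", 1)[1]
        # Store only a digest of the pair: dedupes without keeping plaintext.
        digest = hashlib.sha256(f"{email}\x00{secret}".encode()).hexdigest()
        if domain in monitored_domains and digest not in seen:
            seen.add(digest)
            report[domain]["accounts"].add(email)
            report[domain]["pairs"] += 1
    return {d: {"accounts": sorted(v["accounts"]), "pairs": v["pairs"]}
            for d, v in report.items()}

# Constructed sample in the mixed formats such lists tend to have.
SAMPLE = [
    "alice@example.com:Summer2023!",
    "https://portal.example.com/login:alice@example.com:Summer2023!",
    "Bob@Example.com;p:ss;word",
    "carol@example.org|hunter2",
    "not a credential line",
]

if __name__ == "__main__":
    print(exposure_report(SAMPLE, {"example.com"}))
```

The first two sample lines describe the same credential pair in different layouts and are counted once, which is how the same leaked password reappearing across repackaged lists avoids inflating the exposure count.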

FULLZ

HOME OF FULL CARDING TUTORIALS AND FREE METHODS AND GIVEAWAY FULLZ METHODS ALL BANK LOGS VALID SSN

Fullz refers to full name, address, date of birth, and Social Security number. Fullz is often associated with bank/carding logs.


PROS

SELLING US/UK PROS PM ME

Pro is everything included in fullz (full name, address, date of birth, and Social Security number) along with a profile on the person with ID verification. Pros is also typically associated with bank/carding logs.

Monitoring Threat Actor Conversations with Flare

Malicious actors communicate a lot with each other – sometimes even too much. When malicious actors communicate, their goal is to make it difficult for a beginner to easily understand what they are saying.

However, the social nature of dark web forums and marketplaces where malicious actors sell their products and services prevents them from using a jargon that is too specialized. If no one can understand them, how are they supposed to buy and sell goods and services with each other?

Speaking fraudster appears complicated, but understanding ten words can make a significant difference. Flare’s AI Powered Assistant can also automatically create summarized, actionable reports that you can understand, regardless of the language or jargon. Learn more about the new capabilities of Threat Actor Profiling and Autonomous Takedown.


Research Team

Flare’s research team conducts investigations and experiments in order to gather data, create new knowledge, and develop new ideas. This helps our team stay ahead of emerging threats and also add insight to our product roadmap.
