Have you ever wondered how hackers actually get value from millions of stolen credit cards (and debit cards)?
In short, there’s a big global market for stolen credit card numbers. When you hear about a big hack in which millions of credit card numbers are stolen, here is what usually happens.
Hackers use a number of tools to steal data.
- For instance, a Remote Access Trojan (RAT) conceals itself inside legitimate software and, once installed, gives a hacker complete remote control of the victim's system.
- Another popular tool is the Angler exploit kit. Exploit kits are programmes concealed in websites; they look for weaknesses in the security of a computer system in order to install malicious software. There are other methods too, and it’s fair to say that the hacker’s arsenal is constantly evolving, though hackers do rely on tools that can exploit unprotected computers.
And these credit card hacks can be big.
- For instance, last year hackers stole credit card numbers and other sensitive information from 1,174 franchise hotels belonging to the InterContinental Hotels Group.
- A few months earlier, an estimated 3.2 million debit card details were reportedly stolen from multiple banks and financial platforms in India.
Generally these stolen credit card numbers are offered for sale in online markets located on the dark web.
- These markets are sometimes called carding forums.
- The stolen credit card numbers will generally be offered for sale in batches.
- On these forums are people who make fake cards. They take the card numbers and any other information, such as the name of the bank, the card issuer and the name of the card holder, and create legitimate-looking credit cards.
- These cards are then resold to an army of buyers who use them to make purchases from shops.
- These sales are often supplemented with information on how to use the cards, their expected shelf life and what to do if, for instance, a user is questioned by a shop assistant because the card is ringing alarm bells.
- That said, large criminal enterprises also have an army of soldiers who are trained in exploiting the fake cards.
Alternatively, some dark web buyers just buy up lots of stolen credit card information and use it to make lots of online purchases.
- This is usually for high-end goods such as electronics and luxury items.
- These items are shipped to a number of temporary addresses; the exact number depends on the scale of the operation.
- The goods are collected and then resold.
Sometimes these goods are offered for sale in dark web online stores.
- For instance, the recently released iPhone X retails at approximately £999.
- The dark web online store might offer it for £500.
There are variations on these themes, but the point is that there is a vast and thriving global underground market for stolen credit card information.
- Law enforcement sometimes poses as buyers on these forums to buy up the stolen information.
- Banks have also been known to buy up stolen information to minimise the cost of fraud following a major hack.