Carding is a term used by information security professionals to describe the actions of threat actors to steal credit card information from businesses and sell the data to other criminals to use for fraudulent purchases. This information stolen includes data such as cardholder names, credit card numbers, expiration dates, CVV numbers (three-digit security code on the back of the card), and zip codes. Card numbers can be stolen through various techniques including electronic skimming (e-skimming), physical skimming, or malware attacks. Once card numbers are stolen, the data is distributed (usually for a price) online. These data dumps, many times known as FULLZ, can contain thousands or millions of card numbers to either be sold in bulk or individually. The buyers of the card numbers are able to create cloned physical cards to use in stores or use the card number to make online purchases, leaving the cardholder and the bank that issued the card to deal with the consequences.
How does carding work?
Carding can be done through various means collectively known as skimming, the act of stealing card data. Originally, most skimming was done by placing a physical device on a card reader. These physical devices, simply called skimmers, were able to read the credit card data from the magnetic strip when swiped but did not alter the card reader’s ability to process the payment card. By doing this, the threat actor that placed the skimmer was able to steal credit card information without anyone knowing, including the owner of the card reader. Physical skimming has been on the decline because of more widespread awareness of skimming and advancements in credit card security. Most physical card skimming that is still in operation today is used at self-service automobile fueling stations and stand-alone Automated Teller Machines (ATMs) in convenience stores or outdoor installations.
While most large-scale e-skimming attacks compromise the e-commerce website, some “banking trojan” malware threats infect consumer’s PCs, Macs and smartphones. That type of malware takes over the web browser to steal passwords, credit card numbers and any other sensitive information that is typed into any of its targeted websites.
In some cases, including the events from the Target breach in 2013, and the Dickey’s BBQ Pit data breach in October 2020, attackers stole credit card information from the Point of Sale (POS) systems by using malware. This attack is done remotely through software, which makes it different than physical or e-skimming. In this case, no physical skimming devices need to be connected to the POS system but the malware can still steal the information encoded into the magnetic stripe of every card that is swiped through the infected cash registers. These attacks originate after a company is compromised by a threat actor through various methods such as vulnerabilities or social engineering attacks. After the attacker has gained access to the company’s network, they can move to targeting the POS software. Once the malware has been planted, the attackers can use it to steal the credit card numbers from the POS system without touching the physical card readers. In some cases, the malware may be installed on hundreds of POS systems, quietly stealing payment card data for months without being detected, netting the attackers millions of cards that they can sell for enormous profit.
No matter how the credit card information is being stolen or the technique that is used, there are many criminals carrying out these attacks for financial gain. This can be accomplished through selling the card numbers that are stolen or the hackers use the cards themselves to purchase goods until they are reported.
Where Card Data is Sold
Credit cards can be sold on many forums throughout the Darknet[i]. Often times, these cards are sold on dedicated carding specific websites such as RobinHood, Anarplex, or one of the most notorious—Joker’s Stash. Some attackers will attempt to sell the cards through forum posts instead of using a marketplace. Stolen cards are sold on many different websites and can be purchased as entire dumps or as single card numbers. If a seller sells single card numbers, they are typically doing this for a smaller price but have a guarantee that the purchaser will be able to charge a certain amount on the card.
Other websites post cards for sale with the cost of the card listed along with the amount the card should be able to have charged to it. On RobinHood Market, the sales of cards are straightforward and can be accessed easily. Along with prices and card value, other details pertaining to the card are important. In the following example from RobinHood, details about what comes with the card number can also be seen.
The cost of the card is directly linked to how much money can be charged to the card. The higher the value of the card, the more it costs. The guaranteed cost of the card is important to display for any purchaser looking to buy cards. In many cases, the customer service provided by the criminals running these websites can be better than the level of customer service from legitimate businesses. Because most of the Darknet sales work on some form of trust and reputation, it is important for the sellers to hold up their ends of deals. Many times, if a card does not process for the amount that was advertised, the seller will provide the purchaser with a new card at no charge within 24 hours. This type of customer service keeps purchasers coming back to the same sellers which allows the sellers to keep their business running smoothly.
Recommendations for protection against credit card skimming
Physical skimming can be harder to detect, because the card user has to look at the card reader and try to identify any abnormalities with the reader. These usually consist of some type of covering that fits over the card reader that has a secondary reader inside of it or can be a small, hard-to-recognize piece of equipment placed where the card would be swiped. In any instance, advances in credit card safety have made it harder for physical skimming to happen. Using the “chip” part of a card or tapping a wireless card instead of swiping the card’s magnetic stripe when physically buying something is a great tool in combating skimming because of the tokenization feature with chip readers.
If someone finds fraudulent charges on their statements, they should contact their bank immediately and cancel the card. Often, the bank will contact the card user and ask them about charges that are out of their everyday routine. However, scammers also use this as an additional tactic to steal your card data. If you are asked for your card number over the phone, do not give it out—a real employee of your bank has all of your information already and would not ask you for this.
Risk for card theft during holiday season
It is important to note for all online shoppers that just because the major shopping days have passed, there is still an elevated risk of card theft in the days leading up to Christmas. With the current COVID-19 pandemic, we will likely see a high rate of online shopping vs. traditional shopping in a store. Because of this, threat actors are likely to try and take advantage of these situations. It is possible that threat actors already have websites compromised and are waiting for the holiday shopping rush to activate their skimmer. The FBI released an alert about the holiday shopping season and summarized in the Binary Defense Threat Watch resource.
Stay aware and follow best practices
Carding is a very lucrative business for many cybercrime groups and lone-wolf actors. This is because almost everyone uses a credit card and often times do not pay as much attention to the card statements as they should. This is also seen by some actors as not hurting the person they skim because when a credit card gets skimmed, the cost falls on the credit card company and not the card holder. Unfortunately for people that use debit cards, it could take days, weeks, or even months to get the money back into their account from the bank.
Skimming is hard for a consumer to avoid. It is likely that most people who use credit cards will become a victim of these attacks at some point. Following best practices after a skimming attack will help make the process of recovery and reimbursement easy.
More and more marketplaces are appearing on the Darknet every week—many being new websites that will sell credit cards. It does not appear that the act of skimming is going to die down at any point because of how much money can made. Threat actors are also working on new ways to not be caught by fraud departments. One instance of this included the card skimmer using the card for themselves to make purchases from online markets such as Amazon, then turning around and re-selling the goods they had purchased. By doing this, it makes it harder for charges to be marked as fraudulent, which is why it is falling more and more on the card holder to monitor the charges on their account.
An ever-changing threat landscape makes it harder and harder to identify cyberattacks. Online marketplaces and companies have a responsibility to make sure their checkout pages and POS systems are secure, and they should use routine monitoring to make sure they have not become compromised. Companies should consider using a Security Operations Center (SOC) such as Binary Defense’s Security Operations Task Force that operates on a 24/7 basis to detect any unauthorized access to systems.
 Binary Defense does not advocate these sites for purchase or sale of cards.