• Resources
  • Blogs
  • Protection from Carding: Inside Russian Carding Fraud Part 4

Protection from Carding: Inside Russian Carding Fraud Part 4

Netacea logo
Threat Research Team
14/09/23
4 Minute read
russian carding banner image post 4

Article Contents

    Welcome to the fourth and final part in our series on credit card fraud originating in Russia. After covering the basics of what carding is, why so much of it is perpetrated by Russian speakers, then digging deeper into how carders operate, in this part we’ll explore ways to protect yourself and your business from this pervasive financial threat.

    Click here to download the full report: “Inside Russian Carding” (PDF)

    Recapping Russian carding fraud

    In part one we covered the basics of what carding is – the fraudulent acquisition of credit card details, which are exploited by criminals for profit in various ways known as “cashing out”. We also introduced the Carder’s Dictionary to demystify some of the insider terms and jargon used by Russian carders not only to both obscure their actions from law enforcement, but also to restrict access to their communities and sort the pretenders from the hardened cybercriminals.

    Part two focused on the carders themselves and sought to answer why so much carding activity is carried out by Russian speakers. We looked at the political and legal reasons Russian cybercriminals most commonly target the West, and the penalties they often face when victimizing Russia and other former soviet states.

    In part three we took a more detailed look at the tactics and tools used by carding fraudsters to steal card details and cash out whilst avoiding detection, arrest or prosecution. These included obtaining membership to carding marketplaces, laundering money through SIM cards, and proxying through residential internet connections to match the geolocation of the victim cardholder.

    Preventing the impact of carding attacks

    The damage caused by card fraud is wide ranging, affecting individuals, businesses and even entire economies. Worldwide credit card fraud losses exceeded $32 billion in 2021, with this figure expected to reach over $40 billion by 2027.

    As such, preventative measures are constantly evolving to keep up with carders and stop these attacks from succeeding.

    What is PCI DSS and how does it tackle card fraud?

    The Payment Card Industry Data Security Standard (PCI DSS) was formed in 2004 to merge the previous disparate security programs of the major card providers into one standard to tackle credit card fraud in unison. Any card issuer must adhere to the twelve compliance requirements; this is enforced via quarterly or annual assessments by the PCI Security Standards Council.

    The goal of PCI DSS is to ensure entities that store, process or transmit cardholder data protect such data from theft, cutting off carders at the source. As of v4.0, the twelve requirements for compliance with PCI DSS are:

    1. Install and maintain network security controls.
    2. Apply secure configurations to all system components.
    3. Protect stored account data.
    4. Protect cardholder data with strong cryptography during transmission over open, public networks.
    5. Protect all systems and networks from malicious software.
    6. Develop and maintain secure systems and software.
    7. Restrict access to system components and cardholder data by business need to know.
    8. Identify users and authenticate access to system components.
    9. Restrict physical access to cardholder data.
    10. Log and monitor all access to system components and cardholder data.
    11. Test security of systems and networks regularly.
    12. Support information security with organisational policies and programs.

    Preventing card validation and use

    While PCI DSS compliance reduces the risk of cardholder data getting into the hands of criminals, stolen card information is already abundant on dark web forums and marketplaces. With the genie already out of the bottle, it falls upon merchants and payment portals to cut off the cashing-out phase of carding attacks – where carders turn stolen cards into profits by the means we discussed in part three of this series.

    Here are some ways of preventing cashing out of stolen credit cards:

    Location checks

    As we discussed in part two of this series, Russian carders typically attack international targets, most commonly in the West. Together, Address Verification Systems (AVS) and IP geolocation checks can confirm that the person attempting to verify or use a card is doing so from the location associated with that card.

    However, these detection methods can be highly sensitive to location forgery in isolation. As mentioned in part three of this series, carders regularly employ advanced tactics like residential proxy networks and SOCK5 solutions to change their apparent location.

    Velocity checks

    Sudden changes in how often transactions occur or are attempted are a dead giveaway of card fraud. Carders tend to work quickly so they can cash out before they’re detected or get away with the goods before there’s time for merchants or banks to react.

    In some cases, more detailed data analysis can uncover attacks made by one group of carders using a batch of card details rather than just one card. Therefore, merchants and payment gateways should also monitor other factors such as IP address and device fingerprint for suspicious activity.

    Fraud Detection Systems

    Leading on from the last point, banks and payment gateways assess the identity of the card holder by “fingerprinting” them whenever they make a transaction, based on their device characteristics.

    Beyond this, fraud detection systems also look for rogue patterns of behavior. Given the huge quantities of payments made every second, machine learning is an invaluable tool for automating the detection of anomalous payment attempts that don’t follow the regular pattern of a customer using their card. Suspicious activity can quickly be flagged for further investigation to prevent fraud and catch out criminals (or verify the identity of the card holder manually).

    Bot Management

    Bots are an essential tool for carders as they obtain, validate and use stolen card details at scale. For example, bots can automate the process of validating card details within a payment portal or brute force missing details like CVVs and expiry dates. Bots can also be used to perpetrate credential stuffing attacks, whereby fraudsters takeover accounts in large volumes to obtain payment information or hide a payment request within usual activity of a trusted user’s account.

    Advanced bot management solutions like Netacea detect this activity automatically using machine learning to quickly identify anomalous traffic and requests to servers. They can distinguish whether traffic is coming from a real user or an automated tool in real time and mitigate the bad requests instantly.

    Organizations utilizing effective bot management solutions such as Netacea severely limit the productivity and profitability of carding attacks against them, which is ultimately the best deterrent for criminals largely out of the reach of prosecution.

    Get the full threat report

    Although we’ve covered a lot in these four blog posts, the full breadth of our investigation is available from today as a 37-page annotated digital threat report to be freely downloaded and shared with your colleagues and network.

    Click here to download “Inside Russian Carding” (PDF)

    Read the full series on Russian carding

    Block Bots Effortlessly with Netacea

    Book a demo and see how Netacea autonomously prevents sophisticated automated attacks.
    Book

    Related Blogs

    Hand holding magazine
    Blog
    Threat Research Team
    |
    10/10/24

    Combating Content Theft: Maximize Revenue by Securing Your Content

    Discover the impact of content theft and web scraping on your business. Find out how to handle this growing issue and protect your digital assets.
    Fingerprint
    Blog
    Threat Research Team
    |
    24/09/24

    The Truth About Why Server-Side Bot Management Beats Client-Side

    Learn why server-side bot management outperforms client-side detection. Discover how Netacea’s server-side solution enhances security, reduces risks, and scales efficiently.
    Rock music
    Blog
    Threat Research Team
    |
    11/09/24

    How Scalper Bots Evaded Detection to Snatch Oasis Tickets

    Delve into the world of scalper bots and their impact on ticket sales for the highly anticipated Oasis reunion. Learn how they exploited the demand for tickets.

    Block Bots Effortlessly with Netacea

    Demo Netacea and see how our bot protection software autonomously prevents the most sophisticated and dynamic automated attacks across websites, apps and APIs.
    • Agentless, self managing spots up to 33x more threats
    • Automated, trusted defensive AI. Real-time detection and response
    • Invisible to attackers. Operates at the edge, deters persistent threats

    Book a Demo

    Address(Required)
    Privacy Policy(Required)