• Resources
  • Blogs
  • Russian Carding Landscape: Inside Russian Carding Fraud Part 2

Russian Carding Landscape: Inside Russian Carding Fraud Part 2

Netacea logo
Threat Research Team
31/08/23
4 Minute read
russian carding banner image post 3

Article Contents

    In part one of this four-part series on card cracking fraud, we covered the basics of what carding is, how carders use bots to power their attacks, and defined the most important terms and phrases within the carding vocabulary in our Carder’s Dictionary. Click here if you missed it or need a recap.

    In part two, we’ll be talking more specifically about the carding landscape in Russia and on Russian-speaking forums and online communities. As part of our Business Logic Intelligence Service, our threat research team keeps close tabs on these communities, compiling information on how they operate, who they target, and how the landscape is evolving.

    Want the full story on Russian carding? Click here to read the full whitepaper, which documents an in-depth investigation into these murky criminal operations.

    What is the scale of Russian carding?

    Although carding attacks regularly originate from countries across the world, Russia is a notorious hotbed of card cracking activity. In recent years, organized crime groups in Russia have exploited the growing popularity of eCommerce, which has increased the proliferation of stolen credit card information available online.

    These groups are highly capable, well-resourced and well-connected. They operate across geographical borders, making it difficult for law enforcement agencies to effectively target them.

    Russian carders have a significant presence within underground forums, marketplaces and messaging channels that serve as platforms for carders to communicate, exchange information and buy and sell compromised payment card data, carding tools or supporting services.

    Learn more about how criminals communicate across encrypted messaging apps like Telegram in the Cybersecurity Sessions podcast, featuring Netacea Principal Security Researcher Cyril Noel-Tagoe.

    Russian speaking cybercriminals are widely regarded to be among the most active and sophisticated actors in the cyber underground. According to cyber threat intelligence provider Recorded Future, “Russian-language actors dominate the majority of fraud-focused dark web forums and top-tier carding marketplaces… Recorded Future analysts expect that an increase in Russian cybercrime would correspond to an expansion of Russian carding targeting vulnerable entities, financial organizations, merchants, and individuals that store valuable repositories of card data.”

    However, quantifying the exact size of the Russian carding market is impossible. Its landscape is constantly shifting and much of it remains hidden and secretive to avoid prosecution.

    Carders hide behind anonymity services, encrypted communications, middlemen, puppet accounts and pseudonyms. This makes it challenging for security researchers and law enforcement to track and identify prominent carders, and assess the scale and success of their operations.

    Who do Russian carders target?

    As with any cyber-attack, carding is often targeted based on opportunity and what will net the greatest reward, weighed against the risk of being caught or stopped. However, there are geopolitical factors that influence Russian carder targets.

    Of the 60 million stolen card details found on the dark web in 2022, 70% were issued by financial institutions in the USA. It is perhaps unsurprising that Russian carders would target the United States, however, the most likely reason for this is to avoid prosecution from Russian law enforcement.

    While some Russian crime groups do target victims in countries within the Commonwealth of Independent States (former Soviet states including Russia), doing so puts them in the firing line of the Federal Security Service (FSB) who have cracked down on cybercrime in recent years. Prominent marketplaces such as Trump’s Dumps, UniCC and Ferum Shop have been shut down as the FSB arrested those running the sites, sending a clear warning to others in the space.

    This makes Western targets preferable for Russian criminals. There is no extradition treaty between Russia and NATO so the likelihood of Russian carders facing prosecution for attacking Western targets is very low – it would cost prosecutors in these countries more than the money lost in most attacks to chase down the perpetrators.

    Overall, a Russian carder’s targets can vary depending on a range of factors, including legal risks, profitability, and market conditions. Generally, any individual or organization that does not adequately protect cardholder information can fall victim to an attack. At an industry level, common targets include retail, hospitality, and financial services organizations.

    What tools do Russian carders use?

    Russian carding groups have developed a reputation for being particularly skilled. They are known for developing sophisticated malware and hacking tools that are used to breach payment systems, steal card data, and compromise online accounts.

    In part one of this series, we discussed some of the bots used in carding and why these are necessary to run carding operations at scale. Russian carders have also developed a kit of specific tools to facilitate attacks, predominantly focused on stealing card details or gaining access to accounts. Here are some examples:

    Digital skimmers

    Digital skimmers are malicious JavaScript programs used to steal payment card details from websites. The code is injected into the website’s payment page and captures any payment card details entered by the customers at the checkout.

    Magecart is a collective term for disparate hacking groups that notoriously use digital skimmers. They have been responsible for several high-profile data breaches, including attacks on British Airways and Ticketmaster.

    Although the link between Magecart groups isn’t known, most of the tools are advertised in Russian and on Russian-speaking forums.

    Banking trojans

    Banking trojans are a type of malware that disguises as a legitimate program, entering the networks of financial institutions before stealing financial information, banking credentials and personally identifiable information (PII).

    UK and US authorities sanctioned the operators of Russian cybercrime-as-a-service group TrickBot in February 2023. The group operated a prominent banking trojan responsible for bank account takeovers and ransomware attacks.

    Many other banking trojans including Q-bot, Emotet, IcedID, Godfather and InTheBox have also been connected to Russian-speaking ransomware groups, although their membership is spread across various nationalities.

    OTP Bots

    One Time Password/Passcode (OTP) bots allow carders to bypass OTP, two-factor authentication, and SMS verification. The OTP bot captures verification codes by spoofing a bank or company’s caller ID, calling the victim, and then tricking them into providing the code.

    Read some more methods adversaries use to bypass multifactor authentication and one-time passwords.

    Coming up in part three: Deep dive into carding

    In our next post, we’ll go even deeper into the practicalities of how carders operate, the forums and marketplaces they frequent, and some advanced tactics they use to acquire and use stolen card details without getting caught.

    Read the full series on Russian carding

    Block Bots Effortlessly with Netacea

    Book a demo and see how Netacea autonomously prevents sophisticated automated attacks.
    Book

    Related Blogs

    Knight chess piece
    Blog
    Threat Research Team
    |
    04/06/24

    What is a Sophisticated Bot Attack?

    Learn about the growing sophistication of bot attacks. Find out how to improve defenses and detect these attacks effectively.
    Robot
    Blog
    Threat Research Team
    |
    28/05/24

    Offensive AI Lowers the Barrier of Entry for Bot Attackers

    Explore the impact of offensive AI and automated attacks. Discover how AI is changing the landscape of cybersecurity.
    Worker helmet
    Blog
    Threat Research Team
    |
    22/05/24

    What is Defensive AI and Why is it Essential in Bot Protection?

    Discover the potential of defensive AI in bot protection. Explore how machine learning can protect against automated attacks.

    Block Bots Effortlessly with Netacea

    Demo Netacea and see how our bot protection software autonomously prevents the most sophisticated and dynamic automated attacks across websites, apps and APIs.
    • Agentless, self managing spots up to 33x more threats
    • Automated, trusted defensive AI. Real-time detection and response
    • Invisible to attackers. Operates at the edge, deters persistent threats
    Book a Demo

    Address(Required)