Russian Carding Landscape: Inside Russian Carding Fraud Part 2
In part one of this four-part series on card cracking fraud, we covered the basics of what carding is, how carders use bots to power their attacks, and defined the most important terms and phrases within the carding vocabulary in our Carder’s Dictionary. Click here if you missed it or need a recap.
In part two, we’ll be talking more specifically about the carding landscape in Russia and on Russian-speaking forums and online communities. As part of our Business Logic Intelligence Service, our threat research team keeps close tabs on these communities, compiling information on how they operate, who they target, and how the landscape is evolving.
Want the full story on Russian carding? Click here to read the full whitepaper, which documents an in-depth investigation into these murky criminal operations.
What is the scale of Russian carding?
Although carding attacks regularly originate from countries across the world, Russia is a notorious hotbed of card cracking activity. In recent years, organized crime groups in Russia have exploited the growing popularity of eCommerce, which has increased the proliferation of stolen credit card information available online.
These groups are highly capable, well-resourced and well-connected. They operate across geographical borders, making it difficult for law enforcement agencies to effectively target them.
Russian carders have a significant presence within underground forums, marketplaces and messaging channels that serve as platforms for carders to communicate, exchange information and buy and sell compromised payment card data, carding tools or supporting services.
Russian speaking cybercriminals are widely regarded to be among the most active and sophisticated actors in the cyber underground. According to cyber threat intelligence provider Recorded Future, “Russian-language actors dominate the majority of fraud-focused dark web forums and top-tier carding marketplaces… Recorded Future analysts expect that an increase in Russian cybercrime would correspond to an expansion of Russian carding targeting vulnerable entities, financial organizations, merchants, and individuals that store valuable repositories of card data.”
However, quantifying the exact size of the Russian carding market is impossible. Its landscape is constantly shifting and much of it remains hidden and secretive to avoid prosecution.
Carders hide behind anonymity services, encrypted communications, middlemen, puppet accounts and pseudonyms. This makes it challenging for security researchers and law enforcement to track and identify prominent carders, and assess the scale and success of their operations.
Who do Russian carders target?
As with any cyber-attack, carding is often targeted based on opportunity and what will net the greatest reward, weighed against the risk of being caught or stopped. However, there are geopolitical factors that influence Russian carder targets.
Of the 60 million stolen card details found on the dark web in 2022, 70% were issued by financial institutions in the USA. It is perhaps unsurprising that Russian carders would target the United States, however, the most likely reason for this is to avoid prosecution from Russian law enforcement.
While some Russian crime groups do target victims in countries within the Commonwealth of Independent States (former Soviet states including Russia), doing so puts them in the firing line of the Federal Security Service (FSB) who have cracked down on cybercrime in recent years. Prominent marketplaces such as Trump’s Dumps, UniCC and Ferum Shop have been shut down as the FSB arrested those running the sites, sending a clear warning to others in the space.
This makes Western targets preferable for Russian criminals. There is no extradition treaty between Russia and NATO so the likelihood of Russian carders facing prosecution for attacking Western targets is very low – it would cost prosecutors in these countries more than the money lost in most attacks to chase down the perpetrators.
Overall, a Russian carder’s targets can vary depending on a range of factors, including legal risks, profitability, and market conditions. Generally, any individual or organization that does not adequately protect cardholder information can fall victim to an attack. At an industry level, common targets include retail, hospitality, and financial services organizations.
What tools do Russian carders use?
Russian carding groups have developed a reputation for being particularly skilled. They are known for developing sophisticated malware and hacking tools that are used to breach payment systems, steal card data, and compromise online accounts.
In part one of this series, we discussed some of the bots used in carding and why these are necessary to run carding operations at scale. Russian carders have also developed a kit of specific tools to facilitate attacks, predominantly focused on stealing card details or gaining access to accounts. Here are some examples:
Digital skimmers
Digital skimmers are malicious JavaScript programs used to steal payment card details from websites. The code is injected into the website’s payment page and captures any payment card details entered by the customers at the checkout.
Magecart is a collective term for disparate hacking groups that notoriously use digital skimmers. They have been responsible for several high-profile data breaches, including attacks on British Airways and Ticketmaster.
Although the link between Magecart groups isn’t known, most of the tools are advertised in Russian and on Russian-speaking forums.
Banking trojans
Banking trojans are a type of malware that disguises as a legitimate program, entering the networks of financial institutions before stealing financial information, banking credentials and personally identifiable information (PII).
UK and US authorities sanctioned the operators of Russian cybercrime-as-a-service group TrickBot in February 2023. The group operated a prominent banking trojan responsible for bank account takeovers and ransomware attacks.
Many other banking trojans including Q-bot, Emotet, IcedID, Godfather and InTheBox have also been connected to Russian-speaking ransomware groups, although their membership is spread across various nationalities.
OTP Bots
One Time Password/Passcode (OTP) bots allow carders to bypass OTP, two-factor authentication, and SMS verification. The OTP bot captures verification codes by spoofing a bank or company’s caller ID, calling the victim, and then tricking them into providing the code.
Read some more methods adversaries use to bypass multifactor authentication and one-time passwords.
Coming up in part three: Deep dive into carding
In our next post, we’ll go even deeper into the practicalities of how carders operate, the forums and marketplaces they frequent, and some advanced tactics they use to acquire and use stolen card details without getting caught.
