'Shopadmins' And the ID Theft Cycle
washingtonpost.com today published a story based on the 10 hours of lurking I did on a variety of underground chat and Web channels frequented by identity and credit card thieves. From that research, Security Fix confirmed recent data breaches at four online merchants that were unaware that hackers had broken into their databases until we contacted them.
I gathered piles of data from talking with nearly two dozen victims whose personal and financial information was posted into the fraud forums. Some of the more colorful material from those interviews was left out of the story, mainly for flow and length reasons. Anyway, several chilling and common threads were clear from the interviews with victims.
First, the initial credit-card theft is only the first step in a larger identity theft scam.
Second, far too many sites are compromised each month by hackers and scammers while their owners remain completely oblivious or in denial.
Finally, many of the victims of credit-card theft interviewed for this piece said they decided to shop at the sites that lost their data because they were the least-expensive vendor found through bargain shopping sites.
The text below goes into some of the above points in more detail (and it makes a bit more sense if you've already read the story):
In the same underground chat channels I monitored for the story, solicitations can regularly be seen for "shopadmins" -- the slang term in fraud circles for paid, illicit access to Web sites whose databases have been hacked.
In the world of credit-card theft, obtaining "fresh" account numbers is the most important part of the game, as many stolen credit cards that scam artists sell in bulk online are usually either sold multiple times or canceled by the time the fraudster purchases them. But by gaining real-time access to a shopadmin, thieves can retrieve active credit cards from a Web site's database shortly after customers place an order at the hacked online store.
In most cases, the criminals who steal credit-card data do not use the information themselves, but rather sell it in bulk to other crooks or criminal rings. Under federal law, consumers are not liable for more than $50 worth of charges that result from credit-card fraud, and most issuers will even waive that amount and simply issue the victim a new credit-card number. But experts say credit data stolen along with other personal information can provide identity thieves with the ability to glean even more information about victims.
Nearly all of the victims contacted for this story reported between $50 and $600 charges made at various sites that sell background checks on consumers, such as Ancestry.com, Peoplefinders.com, and USSearch.com. Security experts say these types of charges are increasingly common against victims of credit-card theft, as they allow thieves to build more complete dossiers on victims that further aid in identity theft or add value to the records in case they are re-sold on the black market.
"What's happening is these guys will steal a credit-card number and then start compiling any information about these individuals that's available," said Jay Foley, executive director of the San Diego-based Identity Theft Resource Center. "Most people aren't aware that if your credit-card data is stolen from XYZ company, most likely the thieves have also got your address, home phone number, e-mail address and other data that can be used to turn around and get more data, or even open up new lines of credit in your name."
Case in point is Hawaii resident Schuyler Cole, whose credit-card information was stolen after he made a purchase on Cellhut.com. He said thieves made charges at Peoplefinders.com, and tried to wire $550 from his credit-card account using Western Union, which declined the transaction. Other charges against his card were made to cover a Paypal transaction, as well as purchases at Netdragon.com, an e-mail marketing company, and at Yahoo! Voice, an Internet-based telephone service.
A Charity Case?
Many of the fraudulent charges made against stolen credit cards fit a similar pattern and include small one-dollar "donations" at the Web sites of charities that thieves use to tell whether the card is still active.
As Security Fix has noted before, it is not uncommon for various fraud groups to use their victim's credentials to donate to relief efforts of their choice, but in this case the fake donations serve a more expedient purpose.
Credit card and personal data for Misti Morris of Memphis also was posted into the online chat channel. Morris was contacted by washingtonpost.com nearly an hour before her bank called her to report a slew of new, suspicious charges. Among the fraudulent transactions made on the morning of Aug. 30 were $1 donations to Unicef and the Red Cross. Morris said her bank also told her about purchases made at USSearch.com and Register.com (the latter ostensibly to allow the thieves to register a new Web site that could be used in future fraud scams).
Morris said she buys "tons of stuff online," but did not know which site had failed to secure her data, which also was pasted into the fraud forum along with shipping information such as method of shipping and weight of a package she had ordered.
"I guess I look like a good person because my credit card was used to donate to all these charities, but now I'm going to look like a jerk because it's all going to be taken back," she said in a phone interview.
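The charge pattern the victims describe (a $1 charity "donation" to test the card, then purchases at people-search sites) can be expressed as a simple detection rule. The following is an added example, not part of the original post: the merchant names come from the post, while the category grouping, the $1 ceiling, the 72-hour window and the sample transactions are constructed assumptions.

```python
from datetime import datetime, timedelta

# Merchant names are the ones reported in the post; grouping them into
# categories, the $1 ceiling and the 72-hour window are assumptions.
CHARITIES = {"unicef", "red cross"}
PEOPLE_SEARCH = {"ussearch.com", "peoplefinders.com",
                 "ancestry.com", "publicbackgrounds.com"}
PROBE_MAX = 1.00
WINDOW = timedelta(hours=72)

def flag_card_testing(transactions):
    """Map card id -> 'probe_only' or 'probe_then_lookup'."""
    by_card = {}
    for tx in sorted(transactions, key=lambda t: t["time"]):
        by_card.setdefault(tx["card"], []).append(tx)

    alerts = {}
    for card, txs in by_card.items():
        probes = [t for t in txs
                  if t["merchant"].lower() in CHARITIES
                  and t["amount"] <= PROBE_MAX]
        if not probes:
            continue  # ordinary donations and purchases are not flagged
        first_probe = probes[0]["time"]
        followed = any(
            t["merchant"].lower() in PEOPLE_SEARCH
            and first_probe <= t["time"] <= first_probe + WINDOW
            for t in txs)
        alerts[card] = "probe_then_lookup" if followed else "probe_only"
    return alerts

def _tx(card, merchant, amount, day, hour):
    return {"card": card, "merchant": merchant, "amount": amount,
            "time": datetime(2024, 8, day, hour)}

# Constructed sample transactions (not real data).
SAMPLE = [
    _tx("card-A", "Unicef", 1.00, 30, 8),
    _tx("card-A", "Red Cross", 1.00, 30, 8),
    _tx("card-A", "USSearch.com", 39.95, 30, 9),
    _tx("card-B", "Red Cross", 50.00, 12, 14),
    _tx("card-B", "Peoplefinders.com", 29.95, 20, 10),
    _tx("card-C", "Unicef", 1.00, 5, 23),
]

if __name__ == "__main__":
    for card, verdict in flag_card_testing(SAMPLE).items():
        print(card, verdict)
```
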
Bargain Shopping Gone Bad
These anecdotes were cut from the story for length reasons, but they're too good not to relate here:
Custom bones crafted from tennis balls were the only chewy toys Vicky Keslar's Golden Retriever couldn't destroy in short order, so on Sept. 10 the Crofton, Md., resident went online and bought a package of the hard-to-find bones from Phydeauxpets.com, the first site listed in the results of an online search for the item.
Three days after that purchase, a record bearing the exact date and time stamp of that transaction, her name, address, phone and debit card number was among several records from the store that showed up in a shadowy online chat room frequented by credit card and identity thieves.
When contacted by me after I saw the stolen data being traded online, Keslar and nearly a half dozen other victims reported having shopped at that same pet store at the times specified in their records.
Phydeauxpets.com owner Frank Papa of Carrboro, N.C., shut down the Web site on Sept. 15 pending an investigation of the data theft. Keslar didn't have any fraudulent charges against her debit card, but the thought of someone cleaning out her checking account right when all of her monthly bills come due prompted her to swear off shopping online with a debit card. Now, she uses a credit card with a $250 limit when she buys online. But she is still shopping around for another vendor of the scarce doggie bones.
"That will be the last time I shop there," she said. "But I'm still not sure where else I'm going to get them. They're hard to find without the squeaker, which makes the dog go nuts and tear the thing apart trying to find the noise inside."
Another group of credit-card records and transaction data posted into the online chat room led back to six individuals who all said they shopped at camera and computer bargain site Leobarnet.com at the same time as the time stamp attached to their records, transactions that spanned from Sept. 2 to Sept. 8.
Mihyun Chang of Northridge, Calif., learned that more than $1,600 in fraudulent charges were made on her credit card within days of shopping at Leobarnet.com. David Guo of Houston shopped there and soon after received a call from Discover about fraud on his account.
Both Chang and Guo found the site through price-comparison Web sites, and each said they bought from Leobarnet.com because the company advertised the lowest prices they could find. After placing orders at the site, both also received e-mails that they would have to wait an additional two weeks for the products to be shipped. Each canceled their orders, but by then the damage was done.
Pulaski, Va., resident David Doolittle said his son purchased an Apple laptop from Leobarnet.com in the early morning hours of Aug. 20. Over the span of the next few days, thieves tried to initiate nearly $2,000 worth of fraudulent charges to his MasterCard account. MasterCard declined all of the bogus charges, save one -- a $39.95 purchase at PublicBackgrounds.com. Doolittle didn't find out that MasterCard had cancelled his card due to fraud until he tried to check out of his hotel while on travel and was told that the card had been declined.
Doolittle said he advised his son Adam to research sites before buying from them, but acknowledges that Adam probably did not do his homework.
"I told him to go straight to the Apple store, but he said, 'Dad, I can get it over [at Leobarnet.com] for $200 less,'" Doolittle said.
A software programmer by trade, Doolittle said he has worked on the Internet for 30 years and was growing increasingly dismayed at the state of software and Web site security. "I just can't believe where this has all progressed to."
Verification Code Abuse
One final note about the data kept by the online merchants mentioned in this piece: three out of four stored CVV2 numbers in their databases. CVV2, or "Card Verification Value," is the three- or four-digit code printed on the back of all credit cards. These security codes were created by the credit issuers as a way to ensure that the person submitting a credit-card number is in fact the person holding the card. The payment card industry standards issued by all credit-card companies emphatically state that this code is to be used for verification purposes only and is under no circumstances supposed to be stored by online merchants.
As you might imagine, stolen credit-card records that also include this CVV2 number are far more valuable for data thieves, mainly because most sites these days require the entry of the codes before accepting an order.
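A merchant can check its own order records for this mistake. The following audit sketch is an added example, not part of the original post or any merchant's code: it flags populated fields that look like stored verification codes and notes whether a Luhn-valid card number sits in the same row. The column-name hints and the sample rows are constructed assumptions.

```python
import re

# Column-name hints are assumptions; real schemas vary.
CVV_HINTS = ("cvv", "cvc", "securitycode",
             "verificationcode", "verificationvalue")
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_ok(number):
    """Luhn checksum over a string of digits."""
    digits = [int(c) for c in number][::-1]
    total = sum(digits[0::2])
    total += sum(sum(divmod(2 * d, 10)) for d in digits[1::2])
    return total % 10 == 0

def has_pan(value):
    """True if value holds a 13-19 digit number that passes Luhn."""
    return any(luhn_ok(re.sub(r"\D", "", m.group()))
               for m in PAN_RE.finditer(str(value)))

def audit_rows(rows):
    """Return (row_index, field, pan_in_same_row) for each stored code."""
    findings = []
    for i, row in enumerate(rows):
        pan_present = any(has_pan(v) for v in row.values())
        for field, value in row.items():
            name = re.sub(r"[^a-z0-9]", "", field.lower())
            if not any(hint in name for hint in CVV_HINTS):
                continue
            # A populated 3- or 4-digit value means the code was retained.
            if re.fullmatch(r"\d{3,4}", str(value).strip()):
                findings.append((i, field, pan_present))
    return findings

# Constructed sample rows using well-known test card numbers.
SAMPLE_ROWS = [
    {"order_id": 1001, "card_number": "4111111111111111",
     "cvv2": "123", "ship_weight": "2.5"},
    {"order_id": 1002, "card_number": "4111-1111-1111-1111",
     "card_security_code": "", "zip": "2101"},
    {"order_id": 1003, "card_number": "", "cvv": "987"},
    {"order_id": 1004, "cc": "5500005555555559", "CVC": "4321"},
]

if __name__ == "__main__":
    for finding in audit_rows(SAMPLE_ROWS):
        print(finding)
```
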
Update, Sept. 29, 10:30 a.m.: Kevin Liston, an incident handler for the SANS Internet Storm Center, today wrote about his experience with a friend of his who recently had their checking account drained. Liston writes: "....They also used funds in this account to purchase background checks at certain people-search/information-broker companies. Most likely this is an attempt to gather further identities in a way that won't tip-off the broker." Nice to know I'm not the only one seeing this out there.