Network News

X My Profile
View More Activity

Web Fraud 2.0: Validating Your Stolen Goods

If there is any truth to the old saying that there is no honor among thieves then it is doubly true for thieves who transact with one another yet never actually meet face-to-face. Perhaps that explains the popularity of certain services in the underground cyber crime economy that make it easy for crooks to purchase stolen credit and bank accounts in bulk and check whether the accounts are legitimate and active.

From the many hours Security Fix spent skulking around some of the more active cyber crime communities online recently, I saw a site called mentioned quite a bit. I managed to acquire an account on this exclusive service, and found some 78,628 individual MasterCard and Visa credit and debit accounts for sale at various prices there.

sh0pcardsed copy1.jpg

As one can see from the screen shot to the left, users can select cards that come from victims in particular cities, states or countries. For instance, I sorted the list by my home state of Virginia and found exactly 2,149 accounts for sale, each entry including the victim's account number, expiration, name, address, and phone number. The average price currently is about $1.20 apiece.

Alternatively, sh0pp0rtal users can enter the unique bank identification number (BIN) assigned to the financial institution for which they're seeking active accounts. Don't know the BIN of the bank you're targeting? No problem: the site includes an archive listing thousands of BIN numbers.


Sh0pp0rtal also sells PayPal accounts. The prices fluctuate between $3 USD and $50 USD, depending on a number of factors, such as whether the accounts are PayPal "verified," and whether they were recently active. PayPal accounts that have not been used by their owners for extended periods of time are more valuable in the underground because those victims are considered less likely to log back into their accounts and potentially notice any unauthorized activity.

According to the price list posted at sh0pp0rtal, for PayPal accounts with balances greater than $1,000, the purchase fee is a flat 5 percent of the total balance. "Balance is shown for each account. Special prices and discounts for bulk purchases greater than $500 WMZ, you will have to talk with SUPPORT." [WMZ is the Americanized version of the Webmoney virtual currency, and currently $1 WMZ~=$1 USD]. Oh no! Not tech support!

But hang on, you say: Why should any thief trust these chaps? After all, they could be just scamming the scammer, no? Absolutely, and that's the impetus behind this next site I will feature, although, at the request of a source with ties to this site, I've agreed not to mention its Web address or its trademarked name.

(Yes, these guys take their businesses very seriously, often tacking trademark or copyright symbols next to their brand names. Not that the irony of the whole thing is necessarily lost on the crooks. Sh0pp0rtal, for instance, makes a sly dig at Master Card's ubiquitous television ads, with its slogan: "There are Some Things Money Can't Buy. For Everything Else, there are Credit Cards.")


Check out the screen shot to the right. What you will see is another software-as-a-service type model for checking the validity and current balance of stolen accounts for sale. Authorized users can check single accounts, or in automated batches of 150 accounts at a time, provided the user has the purloined data arranged in the proper format.

Just like with sh0pp0rtal, the prices per transaction decrease as the user increases his purchase volume. $25 USD buys you 50 credit checks; 200 checks can be had for $75; 4,000 credit and debit card checks can be had for $700, and users who pay $1,500-$2,000 up front are entitled to as many checks per month as they want.

Here's the utterly fascinating part about this service. Examine the screen shot above a bit closer, and you will see on the right some dates and information about merchants added. "Fresh merchants," refers to merchant accounts that established businesses have with the credit card issuers.

Most merchant accounts can be used to conduct "pre-authorization requests," which credit card companies use to place a temporary charge on the account to make sure that the cardholder has sufficient funds to pay for the promised goods or services. Such pre-auths are typical for businesses that rent equipment or vehicles, where the customer pays in full when he or she returns the equipment or vehicle. This is just an example; pre-auths are actually quite common. In fact, every time you slip your credit card into the machine at the gas pump before filling up you are prompting the station to issue a pre-auth request to your bank.


Peruse the "Help" page at this online thieves den and you'll get a much better feel for how this service works (see screen shot to the left). It looks like the scammers who run this portal have designed their system to make it appear that the pre-authorization checks they use to determine the validity of the stolen accounts are coming from the merchants who accounts have been hijacked.

Users are warned not to try to exceed the portal's limits on checking more than a certain number of accounts at any given time. "As you see we set a limit for checking in Gate 1 and Gate 3. It should stop killing a merchant so fast. Also in this case a Processing [processor] will think that our merchant is legit and it will be more safely for your card."

By Brian Krebs  |  August 20, 2008; 7:00 AM ET
Categories:  Fraud , From the Bunker , Web Fraud 2.0  
Save & Share:  Send E-mail   Facebook   Twitter   Digg   Yahoo Buzz   StumbleUpon   Technorati   Google Buzz   Previous: Web Fraud 2.0: Cloaking Connections
Next: Web Fraud 2.0: Digital Forgeries


Brian - your first screen shot seems to have left one person's full name and almost complete address visible. You probably ought to obfuscate that. Also, the "for everything else" ad slogan is from Mastercard, not Visa.

Posted by: LarryMac | August 20, 2008 8:02 AM | Report abuse

If you're trying to obscure personal data, re-check the PayPal screen shot also.

Posted by: RobinD | August 20, 2008 10:24 AM | Report abuse

I wonder how much the FBI Cybercrime unit chief you interviewed a few days ago knows about this and what they're doing about it.

Posted by: Gary | August 20, 2008 11:09 AM | Report abuse

This is like everything else in the world, for sale. Futhermore, with the Cyber thieves being well educated in the technology industry, the sky is the limit........ or should we say priceless

Posted by: Zenobia Robinson | August 20, 2008 2:40 PM | Report abuse

This is disturbing. But when you started mentioning the cost/fees for these illegal services and products, I had to start thinking about how much cheaper they appeared compared to current legal fees banks charge their customers.

Posted by: Bob | August 20, 2008 2:40 PM | Report abuse

Why doesn't the FBI launch DOS attacks on these sites?

Posted by: Garak | August 20, 2008 3:34 PM | Report abuse


scaring criminals away from their haunts != catching them.

attacking a site will make it go away, driving them further underground. (indeed, if they were smart they'd change domains after this story was published).

A DOS is criminal act, its against the law. (and may unintentionally affect innocent parties that are hosted by the same ISP).

Gary: its safe to assume there are many efforts to find the users of this site and/or sites like this one. its also safe to assume that the FBI wouldn't tip its hand and let the criminals know that they are investigating any specific site.

Brian: be very careful when attempting to black out data, a first name, a street name/city and a telephone prefix might be all one needs to get the full docs on these victims.

Just Curious... Would it be worthwhile for banks and credit card agencies to buy large lists just to close the accounts down? (would this be a savings rather than dealing with the fraud and associated expense around the fraud).

just curious.

Posted by: dos bad | August 20, 2008 4:08 PM | Report abuse

And how do you pay for these services, by credit card? :-)

Posted by: Simon | August 20, 2008 5:32 PM | Report abuse

And how do you pay for these services, by credit card? :-)

Posted by: Simon | August 20, 2008 5:32 PM

you pay for it with webmoney dude

Posted by: ;P | August 20, 2008 6:21 PM | Report abuse

Searching for:
US/UK Classic dump

and you end up with sites that simply says:
"Marketing Dumps Online (Stolen Credit Cards)" its all over the place these days. Unbelievable

Posted by: D | August 21, 2008 5:55 AM | Report abuse

Oh good show, Bk! It's hard to believe there are that many scummy people in the world. It's also something no one wants to believe. The Internet's a mess. Good show, Bk.

Posted by: Rick | August 21, 2008 6:43 AM | Report abuse

This is absolutely frightening. Beyond the damage being done to the victims, it makes you wonder how these enterprises are using these illicit gains to fund other more heineous crimes.

Posted by: Dan from Northwest Arkansas | August 21, 2008 10:04 AM | Report abuse

They have existing technology to make credit cards more secure. "They" for some
reason are relunctant to pursue it. I think its possibly because the credit card
companies can write off as a loss even more then the actual damages. I can't think of any other reason why they don't pursue instant incryption standards of their credit transactions and a lot more
security in their servors and web sites?
They could do this. They simply choose not to? John Hathaway

Posted by: John Hathaway | August 21, 2008 11:02 PM | Report abuse

This quote has precisely the same syntax errors one sees among Russians/Ukrainians with a passing command of English. No surprise on the source of lots of cyber-crime!

"As you see we set a limit for checking in Gate 1 and Gate 3. It should stop killing a merchant so fast. Also in this case a Processing [processor] will think that our merchant is legit and it will be more safely for your card."

Posted by: John Carragee | August 22, 2008 10:51 AM | Report abuse

Step One: Make people aware of this stuff (Good job, Brian!).
Step Two: Each of us should do much more than just lament the horrifics of these slime in this blog. Your voices are best heard (don't laugh) by your elected national reps. Granted, they are moved by several other incentives, but a powerful one is the concerted voice of voters. "What have you done for me recently about cyber-crime? If nothing, I will have to find someone else to vote for."
Step Three: These reps should make it mandatory for international trade agreements to contain reciprocal language providing for major assistance in putting these crooks out of business.

@ bad dos: yeah, DOS's are illegal, but that hasn't stopped some of our agencies from engaging in illegal acts of all kinds before in the name of "national security."

Posted by: Pete from Arlington | August 25, 2008 11:11 AM | Report abuse

One more thought: Brian, as you continue your superb investigative reporting on these powerful criminals, who operate with impunity, I hope you get in the habit of looking both ways as you cross the street, and behind you when going to your car at night. With this much money at stake and at risk because of you (WMZ or not), you might make them more than slightly cranky.

Whether or not there's a Pulitzer category for what you do, you deserve the highest consideration. Just be careful!

Posted by: Pete from Arlington | August 25, 2008 11:17 AM | Report abuse


Posted by: Alex | August 26, 2008 7:25 AM | Report abuse

The comments to this entry are closed.

RSS Feed
Subscribe to The Post

© 2010 The Washington Post Company