Highly dangerous fraud: What is carding?
Monday, February 7, 2022
Many of you have at least once paid for online purchases with a bank card. Moreover, if before the coronavirus pandemic this was just one of the ways to get a desired product, today using a bank card is a much more pressing need. And some of you are so accustomed to new technologies that you do not hesitate to pay online for every purchase. Out of porridge for breakfast? You can reorder it. No soap? Place an Internet order. Need a new towel? One more order! With this approach, sooner or later, you risk visiting a fraudulent site. In this case, your banking credentials can end up in the hands of carders. This is where it starts getting interesting.
How do carders get our data?
First, let's define the term "carding". Carding is a type of fraud involving the trafficking of bank cards. One of the most common schemes used by criminals involves the mass purchase of "dumps"—this is the slang term for the information written on the cards’ magnetic strips. Next, the attackers illegally copy the data to physical "blank" cards.
After all that, a fraudster has an illegally made bank card that can be used to make payments just like with a regular one. However, here is where problems may appear: for example, the owner of the real card can block it even before the carder gets to the store. Or this home-made card will fail because of technical issues.
This scheme is missing one very important point: it is possible to get a "dump" without buying it from third parties. To do this, criminals use skimmers—special removable devices for ATMs. However, this method is becoming a thing of the past, as banks tend to issue cards with chips. Today, almost all Russian cards are equipped with them.
Also, do not forget about social engineering methods. Of course, you cannot get a "dump" this way, but you can find out a lot of "important" information. Sometimes, attackers need to obtain additional data or confirm that the information they already have is correct. That's how the culture of calls made by fake bank security officers came about. Usually, cybercriminals use various cover stories to find out the CVV2/CVC2 code, the bank card number, the holder's name, and also the codes from SMS or online banking. Remember that no real bank employee will try to find out such data. A real call from a bank will likely be related to the promotion of its services or a poll. Of course, a bank sometimes calls about a blocked card (after it’s been blocked) or in other cases, but the lion's share of "bank calls" still belongs to fraudsters.
Often, fraudsters use various malware to get bank card details from your devices. One of the most common methods is phishing sites or mailings. Data obtained this way cannot be used to create a fake bank card, but it can definitely be used to pay for something in an online store. In this case, a scammer will need to figure out how to bypass two-factor authentication in order to make the purchase. We have devoted more than one issue to phishing, so this time we will not dwell on this in detail.
Another way to illegally obtain bank card information is using PoS trojans. This is malware that can extract information about the means of payment from the memory of PoS terminals.
As for mobile devices, owners of Android devices should be especially careful. There are trojans that can control online banking applications. Once a system is infected with one of them, the user is at risk of losing all their money. In the summer, we described Android.BankBot.Cooper, which was targeting Colombian users. When updated in a timely fashion, Dr.Web can save you from such threats.
How do scammers try to cash out money?
Traditionally, carding is considered to be one of the most studied types of modern fraud. In fact, this industry is much more complex and deeper than just "steal a dump, burn a card and pay in a store". Fraudsters can make many mistakes and get caught. Buying "dumps" is a dangerous business, and making counterfeit bank cards is a crime that is classified as "The Making or Sale of Counterfeit Credit or Debit Cards, and Other Payment Documents" (part 1, Article 187 of the Criminal Code of the Russian Federation). If a cybercriminal is caught, they will be sentenced to correctional labour for up to five years, or imprisonment for a term of up to six years with a fine of one hundred thousand to three hundred thousand rubles.
It is also worth mentioning that not every cybercriminal carries out all the steps of the described scheme alone. Many of them stop at the first stage, and then they sell the data they’ve received on the Darknet. There, the data is bought by another person who has equipment for making fake plastic cards, and the third participant of the scheme, the so-called “drop”, cashes out the money. Often the last link is the most vulnerable, and, therefore, the role of the “drop” goes to teenagers, students or people on the fringes of society: people who urgently need money.
It is quite difficult to catch a criminal during the first two stages, but a "drop" can be caught red-handed. True, such people probably will not give out any valuable information about their "employers" simply because they do not know anything really important. A "drop" is a bargaining chip in the world of carding. They are recruited in the same way as those who stash drugs for dealers—cybercriminals create ads in thematic chats and on forums. It is important not only to recognise the criminal scheme in time, but also to protect children from a potential crime. Young people do not always assess risks correctly, and, therefore, they can, unwittingly, become a “drop”.
Keep a close eye on the web pages and portals you leave your bank card details on. Perhaps your browser has automatically saved this information, including even the CVV2/CVC2 code. You can remove this information in the settings. Each browser has its own characteristics, but here are some general recommendations: open "Settings" and select "Clear data", and then select the item similar to "Passwords and other login data". This is how you can force the browser to “forget” your online banking credentials. Follow our Anti-virus Times tips, but remember that the security of your funds depends only on you.
The Anti-virus Times recommends
- Try not to leave your bank card details on unverified resources.
- Be careful when making purchases in online stores. What if cybercriminals try to lure you to a phishing site?
- Regularly update Dr.Web on both your mobile devices and your computers.
- Block your bank card at the first suspicious withdrawal of money.
- Try to make sure that no one knows your payment details, not even your close relatives, especially your children.
- If possible, avoid cash withdrawals.
- Make sure that your relatives haven’t gotten involved in a fraudulent scheme.
- Use virtual cards that have a limit for making online purchases.