Taken together, carder IRC channels and Web sites have removed the technical and logistical barriers to large-scale online identity theft and credit card fraud, said Lance Spitzner, president of the Honeynet Project, a volunteer security research organization that studies new trends in Internet crime.
"What was surprising to us was all the novice users we saw on these channels and how many people that are just starting to get into this kind of fraud," Spitzner said. "The scary part is that what we're seeing here is probably just the low-hanging fruit. The serious criminals on the Internet are usually too paranoid to communicate out in the open like this, so it makes you wonder just what kinds of information the organized mafia types have access to."
Honor Among Thieves?
Innovation has made it easier for phishers to separate unwitting consumers from their financial information, but in the underground world of hacking for profit, stealing credit card numbers is considered the easy part; it is in selling and purchasing that information that things become more complicated.
The seller must find a trustworthy "casher" -- someone who will convert stolen credit cards into cash without absconding with more than their agreed-upon portion of the money -- while trying to stay one step ahead of law enforcement and corporate sleuths. For the buyer, the tough part is verifying that the data for sale is legitimate and usable.
But experts say that over the past year and a half, some of the more popular carder IRC channels have been taken over by anonymous individuals who help members verify the authenticity of stolen credit card data while blacklisting "rippers" -- people who sell the same list of stolen credit cards to multiple clients -- or deadbeat buyers who never pay for their cards.
On any one of nearly a dozen IRC channels dedicated to financial fraud, 16-digit credit card numbers can be found sandwiched between snippets of churlish chat conversation scrolling across the computer screen. Each credit card number is preceded by a two- to three-letter "command" that tells the channel operator what type of information the poster is seeking.
In most cases, the operator responds instantaneously with the requested data, notifying the poster whether the card is still active, its spending limit, the bank issuer, the expiration date, or even its "CVV2" number, the three- or four-digit code on the back of credit cards that many online merchants use to verify that the buyer is the same person holding the card.
Members of Spitzner's Honeynet Project spent several weeks studying IRC activity. The project found that the verification of credit data appears to be automated by a program that draws information from e-commerce sites whose credit card records have been compromised. Thieves also can check the validity of a credit card by creating fake merchant accounts, services that legitimate businesses use to verify an account with the bank that issued the credit card.
Marcus Sachs, a former cyber-security adviser to the White House who now directs the Bethesda, Md.-based SANS Internet Storm Center, said that if the information posted by the IRC channel operators is legitimate, then they are likely working with people on the inside at the major credit card issuers. But Sachs said he suspects that by "verifying" credit card information posted by other chat room members, those running the IRC channels are more interested in scamming the phishers.
"As evil as it all sounds, the people who know what they're doing in this area operate their phishing scams like a business," Sachs said. "They learn from their mistakes, they outsource, they consolidate, and they cut costs by automating things. But most of all, they profit by any means available."
Hooking the Phishers
The major credit card companies monitor known fraud sites and IRC channels for stolen credit card information, but experts say that in many cases thieves have stolen as much as they can by the time a credit card gets posted online.
Online financial fraud resources are difficult for authorities to shutter because their operators move them from one hijacked Web server to another -- often several times a day.
"We had one that we shut down three times in one week. Each time we closed it down, it would appear in another country," said Sergio Pinon, senior vice president of global security for MasterCard International Inc.
Last fall, in an undercover investigation dubbed "Operation Firewall," the U.S. Secret Service and international authorities shut down some of the most popular carder Web sites by infiltrating a service that credit card thieves used to check whether stolen accounts were still active. In that case, Secret Service agents forwarded submitted numbers to their respective bank issuers, all the while building trust with a core group of more than three dozen thieves they would later arrest.
Since then, however, a number of new carder Web sites have sprung up to fill the void, driven by continuing high demand, Pinon said.
But Pinon and sources in the law enforcement community said ongoing investigations into online financial fraud rings will yield numerous arrests in the very near future.
"So many of these criminals think the Internet gives them the freedom to take whatever they want from people," Pinon said. "We're working very hard to let them know that they're not going to get away with it."