The Great Credit Card Bazaar

From a user called The Khameleon looking for credit card data on a site called shadowcrew.com:

  • “Here’s what I need. Decent Novs in any state, just decent. Not perfect but OK. eBay or any other auction account that can be sold from, and that has some decent feedback. The more FB the better.
  • “Here’s what I have a surplus of: full CC info including Cvv2 and billing adr to your drop or wherever, as well as phone number. Complete with full online account access etc. All accounts have around 10k bals. They include FULL info sets that include MMN soc dob, all adrs in the last 10 yrs, all jobs in the last 10 yrs, dl# and much more. Basically what the credit report says on steroids.”

    Bigger, bolder and more brazen than ever — that appears to be the current state of the Internet’s black market for stolen credit card numbers.

    Spread out from one country code to another, this international bazaar for fraudsters is a place where you can find everybody from script kiddies to career criminals and terrorist supporters.

    And you can buy everything from stolen credit card accounts (in bulk or one-by-one) to Social Security numbers or birth certificates, passports, diplomas, even hacked auction site accounts. They’ll even change the billing address of credit card accounts for you, so you can purchase stuff online and have it shipped to a safe location.

    But with much of the activity originating from the former Soviet Union and Southeast Asia, law enforcement agencies face a tough time cracking down on the fraud perpetrators. Still, undercover cybercops are trying.

    “We have a couple of undercover operations working,” said Don Masters, head of a Secret Service high-tech crime unit in Los Angeles. “We jump into these cases. We look at those that are a threat to the nation’s banking and financing infrastructure.”

    The state of the black market

    The sale of illegally obtained credit card account numbers — and the related data that makes them appear to be genuine — remains a thorn in the side of overworked law enforcement agencies everywhere as well as smaller online merchants who may not have state-of-the-art security.

    And the “carders” — as they call themselves — actually operate members-only Web sites with names like carderplanet.com, shadowcrew.com (which offers ID supplies from various vendors as well as links to anonymous Web hosting and domain registration offerings) and CounterfeitLibrary.com. WARNING: Clicking on the above links will lead you to the illicit underworld of the Internet. In no way does JupiterMedia these activities.

    CounterfeitLibrary.com, which bills itself as “the expert’s guide to anonymity,” offers, among other things, various forums where more or less open discussions are held regarding the sale of stolen credit card numbers. Ditto for shadowcrew.com.

    “We live this every day,” said Jeff King, director of product management for risk management products at CyberSource, the electronic payments and risk management company. “We have people on staff constantly monitoring this kind of activity. It definitely keeps you busy.”

    And what keeps all the authorities and law-abiding folks especially busy is the shifting overseas locations of the perpetrators. King told internetnews.com that the former Soviet Union “clearly is a hot spot. Fraudsters tend to move around. It’s a moving target. There are sophisticated users there, and in Singapore and Indonesia, too. Very sophisticated users. Basically those are the kind of guys we worry about. Not script kiddies.”

    It didn’t take too much drilling down at the CounterfeitLibrary site to discover offers of card numbers for sale. No longer limiting their deal-making process to e-mail and furtive IRC conversations, these carders operate a bulletin board for all to see.

    Membership was advertised as “only $4 for 1 month,” which lets users read articles with headlines such as:

    • Social Security Death Index (SSDI) – SSN numbers of dead people
    • Types of Fake IDs – Counterfeit, Altered and Forged ID Cards
    • Social Security Number Report – Look up the SSN Database
    • ID Hopping for Fun and Profit Part 1 – Requested article on Identity theft
    • Identity Hopping Part 2 – Requested article on Identity theft the second part
    • Anatomy of a Security ID Card – The tricks used by the professionals to prevent counterfeiting
    • How to build a fake College ID – a how-to-make article
    • Magnetic Strips for ID cards – all you need to make magnetic stripes is just black electrical tape, scissors, and an iron

    In the forums, someone with the screen name of Script, who may or may not be one of the people behind the site, appeared to be offering Visa and MasterCard account numbers with a “guaranteed” $4,000 balance, for $140. Card numbers with spendable amounts of $5,000 to $7,000 were going for $200 and payment could be made by Western Union or any of several other Internet payment services.

    Billing addresses and phone numbers on some offerings were said to be changeable “to meet your needs.”

    English did not appear to be the first language of the purported seller. “I am accept E-gold, wire transfer, Western union..” According to some accounts, Script is a Ukrainian teenager, maybe 18 or 19, living in Odessa.

    One newbie inquiring about a fake ID in the forums was told that “Novelty is the word we use here — not fake.”

    The Secret Service’s Masters explained that a lot of the fraudsters are located in various parts of the former Soviet Union, where of course the U.S. law enforcement agency has no jurisdiction. But authorities aren’t helpless.

    “We have agents that liaison with local police departments in other countries. Some of these countries have neither the equipment nor the training to handle these kinds of cases,” Masters said.

    He added that hundreds of kids are involved, but there are also serious career criminals out there, as well as terrorist supporters.

    Criminals have been known to put up bogus Web sites to get users to voluntarily input credit card information.