Cybercriminals can take a class on stealing credit cards

Posted at 1:46 PM, Jul 19, 2017

Your credit card information is valuable, and for criminals who want to learn how to find and use it — there’s a class for that.

One six-week program, taught in Russian, includes lectures on finding legitimate credit card data for sale and hacking into PayPal accounts.

Security firm Digital Shadows discovered the cybercrime class taught by five instructors and sold on a deep web forum. The class was revealed in research published Wednesday investigating credit card fraud and a criminal activity called “carding,” or stealing and using payment card data.

“The curriculum and rigor associated with it is not like most of the training materials that are out there,” Rick Holland, vice president of strategy at Digital Shadows, told CNN Tech. It’s more in-depth than other trainings, like PDFs that criminals can buy much cheaper.

The class, which costs about $945 with the materials, consists of 20 different lectures and allows the students to chat with the instructors.

Carding is a popular type of cybercrime. Thieves will steal credit card data from insecure databases, by hacking into companies or just buying it on the dark web on hidden sites you wouldn’t find with a Google search. Digital Shadows estimates $24 billion will be lost to credit card fraud next year.

Criminals can also take emails and passwords leaked from other data breaches, and test them on banking websites. For instance, credentials from LinkedIn, Dropbox, and Adobe have previously been leaked online.

Related: Identity thieves used stolen data 9 minutes after it was posted online

According to Digital Shadows, the course recommends visiting one of six different sites to get credit card data. On two of those forums, more than 1.2 million card numbers were advertised for sale — nearly half of them in the U.S. CNN Tech is not publishing the names of the sites on the deep web where criminals can buy credit cards.

Carders will often buy vacation packages, plane tickets, hotel reservations, or gift cards with stolen credit cards.

Digital Shadows said they have disclosed the scheme to law enforcement in the U.S. and Europe.

A common scheme

According to Norman Barbosa, the assistant U.S. attorney for the Western District of Washington and the office’s Computer Hacking and Intellectual Property Crimes coordinator, it’s common for credit card fraudsters to work with networks of people.

Barbosa helped prosecute Roman Valerevich Seleznev, one of the world’s most notorious carders. Seleznev stole millions of credit card numbers and sold them to other criminals. Prosecutors said known fraud loss associated with his efforts totaled $170 million. He was sentenced to 27 years in prison in April.

Seleznev trained fraudsters on how to use stolen credit cards to increase demand for the product he stole. His training, though more rudimentary than the lectures discovered by Digital Shadows, helped boost his own business. He also advertised his products on different hacker forums, Barbosa said.

Seleznev’s prosecution was a major victory for the U.S. Department of Justice.

“It’s somewhat common to identify them,” said Barbosa, adding that card hackers and sellers are based in Russia and Eastern Europe, while the buyers are often in the U.S. “It’s a little more more difficult to prosecute them. Much of the investigations in computer crimes are focused on trying to pull back layers to find out who is behind the criminal activity.”

Consumers should be aware

The FTC tested how long it takes for criminals to use personal data dumped online, including credit card information, and found it can take just nine minutes before thieves try to use it.

Related: Two hours and 1,600 fake credit cards later: $13 million is gone

To test the validity of credit cards, criminals will try processing small amounts — less than $5 — to see if the card works. Holland suggests putting alerts on your credit card and bank for purchases less than $5 and more than $100 to detect fraud.

Carders may try to trick you into giving them your pin by posing as your bank. Holland says you should never give out your pin number to anyone, and always confirm communications, like phone calls or emails, are coming from your bank. Further, you should not use the same passwords for your bank or credit card that you use for other websites.

Barbosa says carders are increasingly smarter and making fewer mistakes in their work.

“It’s not unlike any other criminal area where the bad guys find a way to hide, and we look for a way to find them again,” he said.