Data Leakage, Threat Intelligence

How cybercriminals donate to NGOs using stolen credit cards

By Andre Luiz R. Silva on
SHARE

If we are in the information age, we’ve also entered the age of information security. Therefore, credit card companies and payment gateways such as PayPal and Stripe, which are intermediaries between merchant and consumer, bet all their chips on hunting down the cybercriminals who use stolen credit cards.

And cybercriminals try their best not to be seen! To find valid credit cards (which are like needles in a haystack), they often use checkers. Some even make donations to NGOs in the midst of it all! Don’t know what I'm talking about? Let me explain.

 

First, let’s talk about how credit cards are stolen


There are a lot of different ways a credit card leak can occur. Some hackers use techniques like
SQL Injection. Others use credit card skimming devices to capture data from unwary consumers.

In this dark venture, millions of complete credit card numbers circulate throughout the Internet, either on the surface web (through paste services) or on the deep e dark web. Not all of these card numbers will work, of course. So, to separate the gold from the dross, criminals create platforms that can test credit card numbers in batch.

 

Checkers: testing, testing, testing


Checkers are testing platforms where criminals can enter a batch of credit card numbers that were illegally acquired. They function through many small-value transactions. Those that prove out are placed on a short list of "Approved" numbers while those that don’t work are "Disapproved."

The idea of all this is to speed up the process while avoiding detection, which might occur if a lot of card attempts were tried at the same register or location. Easy, huh? Not really. There's a lot of illegal stuff involved in making the scheme work.

Preparing the checker

The vast majority of checkers use a gateway, which is a service such as PayPal or Stripe and the like. This doesn't mean that these gateways have a security breach. In fact, cybercriminals find a way to get passwords (stealing from merchants and shopkeepers, for example) to access these Application Programming Interfaces (APIs). When you make a purchase on an e-commerce site or in the physical marketplace using a credit card, you're actually making a transaction with these gateways, not directly with the seller.

From that point on, fraudsters use a lot of trickery to foil any kind of detection of their crimes. The robots created can randomly populate various names, addresses, and Social Security numbers, and also use proxy services, which hide the IP of the location where the transaction is being initiated.

 

A new twist: checkers that make donations!


Creativity is a really beautiful thing. Here at Axur, we recently detected some php codes for hosting these checkers. The discovery was made right on the surface web, on a text file sharing site. Analyzing one of these codes, we saw that the destination of all the transactions was an international NGO! Charitable criminals... What a sweet idea, huh?

Right there at CURLOPT_REFERER is the URL where the entire donation process is done:

CheckerDonate

 

This type of checker facilitates transactions for those who do not have access to an API from a payment gateway. It would be necessary to know how to host the php, but organizations like this one get so many donations from so many places around the world every day that the criminals believed this was the easiest way to avoid being discovered, provided, of course, the NGO didn't find out and bring the party to an end.


Here at Axur, our robots and humans scour the Internet every day for credit card checkers and other violations affecting brands, businesses, and people. To understand our deep and dark web monitoring, take a look at how our
Threat Intelligence solution works.

event-image

ESPECIALISTA CONVIDADO

Eduardo Schultze, Coordenador do CSIRT da Axur, formado em Segurança da Informação pela UNISINOS – Universidade do Vale do Rio dos Sinos. Trabalha desde 2010 com fraudes envolvendo o mercado brasileiro, principalmente Phishing e Malware

AUTHOR

Andre Luiz R. Silva

A journalist working as Content Creator at Axur, in charge of Deep Space and press activities. I have also analyzed lots of data and frauds here as a Brand Protection team member. Summing up: working with technology, information and knowledge together is one of my biggest passions!