Using fast flux to sell stolen credit cards

Today we’re sharing another excerpt from our report about the Dark Cloud fast flux network.

Some of the oldest active domains hosted on the fast flux network are carder1 sites aimed at selling stolen credit card data to other criminals. So-called “dumps” contain all information needed to make a replica of a stolen credit card. This includes the entire contents of the magnetic stripe, and sometimes, the CVV code from the back of the card. These carder sites have been around for years, using a lot of IP addresses. In one 24-hour example, the carder websites rotated through 1,886 unique IP addresses a total of 38,605 times. The majority of the Zbot related IP addresses used by these carder sites are based in the Ukraine.

Each of the dump stores require customers to pay in anonymous currency and communicate with the seller via various instant messenger protocols. Most of the sites seem to be built from the same template, so it’s likely that they are all run by the same cartel. Some carder sites are written in broken English and have unique ICQ # associated with them, and many feature popular characters. Some of the site names are McDuck, Mr. Bin, Royal Dumps, Popeye Dump Store, Try2Swype and Uncle Sam.

One question from the carder site findings is, “why are they using the fast flux infrastructure?” These sites buck the trend of other carding sites that use commercial reverse proxy services.2 The carder sites could be renting access to the network to keep the hosting hidden and difficult to track. The link between the fast flux proxy infrastructure and the longstanding carder site domains that use it is hard to ignore. The fact that credential stealing crimeware and POS malware also use this network leads us to believe this is not a coincidence.

Get the full report here. 2