What is Carding? Inside Russian Carding Fraud Part 1

Carding fraud is a financially devastating attack made more damaging by bot-based automation that allows it to run at scale.

Russian cybercriminals are especially prolific in the carding space. The Netacea threat research team recently conducted an in-depth investigation into this notorious carding fraud ecosystem.

Click here to access an exhaustive whitepaper covering detailed definitions of carding attacks; the Russian carding market landscape, who Russian cybercriminal gangs target and the tools they use; a deep dive into the nuances of how attacks operate and key terminology; and finally, prevention measures against such attacks.

Ahead of the whitepaper’s release, in a four-part blog series we’ll give a summary of each of these topics. In part one, learn what a carding attack is, how bots are involved in carding fraud, and some key terms in the Carder’s Dictionary.

Read part two: Russian Carding Landscape

What is carding?

Carding is the unauthorized trading and use of stolen payment card data. Juniper research indicates payment fraud will cost merchants over $343 billion worldwide between 2023 and 2027.

Those executing carding fraud are called “carders”. They use stolen payment card information for financial benefit. These activities include:

• Acquiring and validating stolen card information,
• Making unauthorized purchases and withdrawals, and
• Selling card information to other criminals.

Who does carding fraud impact?

Carding results in the theft of money from the legitimate cardholder, who may also suffer damage to their credit score and must spend time and effort to resolve the issue.

Merchants are also victimized by carders, losing revenue for goods and services provided for fraudulent transactions and being responsible for chargeback fees. Their reputation with affected customers may also be harmed, losing more revenue in the long term.

Finally, banks lose out in reimbursing their customers who suffer carding fraud losses. They also incur operational costs in detecting and investigating card fraud.

How do carders make a profit?

The key to making money through carding is not just accessing stolen payment card details and validating them, but also in cashing out without being caught – after all, prosecution leads to lengthy prison sentences.

The most popular revenue source from carding attacks are online purchases using the stolen card details. Carders can also transfer money to their own account; however, this is more complex and will require money laundering to achieve.

A more complex means of extracting value from stolen card details is to create a duplicate card, using specialist equipment, for use offline in ATMs and point of sale (POS) machines. In contrast, one of the simplest methods is simply to sell the card details to another carder on a carding forum or underground marketplace.

How are bots involved in carding?

Bots – automated processes on the internet that exploit business logic weaknesses – make up nearly two-thirds of internet traffic, according to Barracuda. Malicious bots account for 39% of web traffic, beating out human-generated traffic, which only accounts for 36%.

Bots play a significant role in carding fraud globally by automating many of the steps involved and increasing the scale and efficiency of carders’ operations, making it more challenging for law enforcement, financial institutions, and individuals to prevent, detect and respond to their activities.

Bots increase the speed and scale of carding operations in the following ways:

Automated validation of credit cards

Carders program bots to test card details against retailer checkout pages by making small purchases with large quantities of card details. If the transaction succeeds, these details can be used to make larger purchases or sold on to other criminals.

Card cracking

A type of brute force attack, card cracking takes incomplete card details, for example where the CVV code or expiry date is missing, and uses automated bots to enumerate the missing values in the same method as the previous tactic.

Credential stuffing

Credential stuffing is the automated validation of leaked username and password combinations from one service on the user login pages of other services, taking advantage of the tendency for people to reuse passwords across multiple services. Once the account takeover is complete, criminals can exfiltrate sensitive information including payment details.

Fake account creation

Many retail websites require an account to make payments or have limits on how many cards can be registered to each account. Bots can automate the process of fake account creation to facilitate testing and validating stolen card details.

Automated purchases

Similar to scalper bots, carders program bots to automate the purchasing process once they have validated payment details, so they can buy valuable stock at scale.

Botnets

Carders use botnets, which are networks of computers infected by malware and controlled remotely, as infrastructure from which to launch volumetric carding attacks on retailers and payment processors.

The Carder’s Dictionary

Russian carding communities use a combination of slang, codewords and jargon which may be unfamiliar to those outside the communities or the payment industry. Here are some key terms you need to know as we get deeper into the Russian carding ecosystem in part two:

AVS (Address Verification System) – A security measure that enables merchants to detect suspicious credit card transactions and prevent credit card fraud. For card-not-present transactions, it verifies that the billing address entered by the customer matches the one associated with the cardholder’s credit card account. AVS typically looks at the numeric portion of the address, the ZIP code, or both. The system will then return a response code indicating the degree of address matching and determining whether to accept or reject a transaction.

BIN (Bank Identification Number) – A unique sequence of digits at the start of the payment card number that identifies the issuing bank. The BIN can provide information such as the name, address, and phone number of the issuing bank, the card brand (Visa, Mastercard, American Express, etc.), the card type (debit, credit, prepaid), the card level (black, platinum, business, etc.), level of security (for example the presence of 3D Secure), and whether the issuer is in the same country as the device used in the transaction. Knowing some of this information is crucial for carders and helps them to avoid detection by fraud prevention systems.

Buyer [Russian: Scup] – A person who buys goods acquired by the means of carding for further resale.

Cash out [Russian: Obnal] – The process of converting the stolen credit card information into actual money, cryptocurrency, goods or services, gift cards, loyalty points, etc.

Chargeback – A credit or debit card charge that is forcibly reversed by an issuing bank. This typically happens after a cardholder claims a transaction was the result of fraud or abuse.

Dedicated server [Russian: Dedik] – A remote desktop or server with a powerful network and hardware configuration used for processing information and data storage. The server location is chosen based on the country where payment cards will be used.

Drop – A person who performs intermediate operations for carders, bearing most of the risk for a small cut of the money. The use of drops allows carders to avoid direct involvement in fraudulent transactions and makes it more difficult for law enforcement to track them down. Drops are commonly used to take delivery of the fraudulent purchases made with stolen credit card information. Once the goods are sent to the drop’s shipping address, the drop forwards them to either the carder, another designated location or the final buyer. A drop may also be used to launder illicitly obtained money, for example, by transferring money to or from a drop’s account to conceal the origin of money. Carders may also use a drop’s personal information to complete verification processes such as know-your-customer (KYC). Drops are typically recruited through carding forums or social media and promised a percentage of the proceeds in exchange for their service; however, some drops may be unknowingly facilitating in fraudulent activity.

Dump – Sets of payment card or cardholder data exfiltrated by physical skimming of the card, infecting point-of-sale devices with malware, or compromising computer systems and company servers. There are two types of dumps bought and sold on the darknet marketplaces:

• CC Dump – The raw data loaded on a credit card’s magnetic strip, usually consisting of track data and PIN. It includes data such as credit card number, first and last name, expiry date, CVV code.
• Fullz Dump – The CC dump plus personally identifiable information (PII) relating to the cardholder such as social security number, date of birth, mother’s maiden name, physical and email addresses, phone number, employment status and bank account details.

Enroll [Russian: Rollka] – The process of gaining access to personal online banking services. Online banking typically allows customers to view balances, account activity and statements; perform account transfers, payments, and deposits; set up security alerts and notifications; and more. Most importantly for carders, online banking allows them to change personal account data, such as phone number, address and email.

Input [Russian: Vbiv] – An attempt to make a fraudulent online purchase using stolen payment card data. Russian carders use the term “vbiv” to describe the process of entering stolen payment card data into payment forms.

Liquid goods – High-value goods that can be easily and quickly sold on the black market or online marketplaces for a fraction of their retail value. These items are usually electronic devices such as cameras, smartphones and laptops, or high-end fashion items like trainers, bags and jewelry. Liquid goods are an attractive target for carders, offering a high return on investment and quick conversion of stolen credit card information into cash.

Logs – An archive of compromised user data, such as usernames and passwords to websites visited, cookies, browsing history, IP addresses, device fingerprints and keystrokes, gathered from a hacked computer. Carders use logs to obtain sensitive information such as credit card numbers, bank login credentials, and personal identifiable information (PII) and use it to make fraudulent transactions. Additionally, logs can also be used to identify vulnerabilities in a system, which can be exploited in further attacks. Carders often sell or trade logs on underground marketplaces, making them a valuable commodity in the cybercrime world.

Magecart – A form of malware that infects online stores and eCommerce platforms to facilitate digital card skimming. In a Magecart-style attack, hackers steal credit card information from customers by embedding malicious code into the source code of pages with payment sections, for example, Checkout or Order Confirmation pages.

Material – A combined term for tools and resources that carders can use to carry out credit card fraud. This may include lists of stolen credit card numbers, physical payment cards, bank accounts, cardholder’s information or fullz, card verification codes (CVC) and proxies.

MCSC (Mastercard SecureCode) – Mastercard Identity Check, formerly SecureCode, is a 3-D secure service that provides an extra layer of security when paying with Mastercard debit or credit card. This may be a single-use code sent to mobile phone, or another form of two-factor authentication decided by the issuing bank.

Merchant account – A commercial bank account that help process online transactions for businesses.

POS (point of sale) – Payment card reading devices used to process transactions and accept payments.

Reroute – A service that arranges for a package to be redirected to a new address. In carding, orders are typically rerouted to the drop’s shipping address.

Self-registered bank account [Russian: Samoreg] – This term is used to describe manually registered online bank account using other people's data from purchased fullz. Carders use stolen personal identifiable information (PII) and credit card data without the knowledge or consent of legitimate cardholder.

SOCKS (proxy) – An intermediary used to hide IP address from online servers. SOCKS is an Internet protocol that exchanges network packets between a client and server through a proxy server. SOCKS5 optionally provides authentication so only authorized users may access a server.

Stealer – A type of malware that gathers data and extracts logs from infected devices. The most common form of stealers is used to gather login information, such as usernames and passwords, and then send that information to another system either via email or over a network.

VBV (Verified by Visa) – Visa Secure is an advanced security feature from Visa that helps authenticate purchasers as authorized cardholders. Visa Secure is the card network-branded deployment of 3-D Secure technology and was formerly known as Verified by Visa.

Defending against carding attacks

As you can see, carding is a multifaceted threat that causes harm to various targets in many ways. We’ll cover defensive strategies in more detail in a later part, but until then, you can read through our dedicated Carding Fraud page for more information on stopping carding attacks.

Coming up in part two: Russian carding landscape

In the next part of this series, we describe the burgeoning Russian carding ecosystem, explore the reasons why the country has become a hotbed of carding activity, and who Russian carders target.

Read the full series on Russian carding

• Part one: What is Russian Carding?
• Part two: Russian Carding Landscape
• Part three: Carding Deep Dive
• Part four: Protection from Carding
• Full report (PDF): Inside Russian Carding