T he internet black market is awash with stolen credit card information, mostly gleaned through large-scale database breaches of top online and brick-and-mortar retailers. For example, in the past year alone Hilton hotels and Bebe clothing had massive card breaches, causing thousands of credit card credentials to get plucked up and put up for sale by fraudsters.
However, with such a huge glut of credit card numbers for sale online these days (these hacks and breaches are unfortunately getting more and more common) there are several elite venues for the purchase of these types of merchandise. One such online merchant is called “Joker’s Stash”, and it has hundreds of thousands of card numbers for sale. Many buyers have spent upwards of five and six figures at the online store, often using the stolen card numbers to buy gift cards to large online retailers such as Walmart and Best Buy.
The difference with Joker’s Stash however is that they claim that all of the card numbers on their site are self-harvested, meaning they are not for sale anywhere else. Many online card hubs sell numbers stolen by other hackers.
The online card shop was introduced in 2014 via a forum post on a popular carding forum (as reported by Krebs On Security) and has steadily grown since then. It is hosted on a .sh domain, which is the official country domain for St. Helena, a remote British territory in the southern Atlantic with barely 4,000 residents. Anyone can buy a .sh domain name – you don’t need credentials or residency proof. However the operation is likely not taking place anywhere inside the borders of St. Helena. The entire site and its subdomains are all hosted on the Tor network, a highly encrypted network that routes visitor traffic through several encrypted locations around the globe in order to obscure their real location and identity.
The popular carding site offers incremental discounts based on how much a customer spends, and special membership domains for “high roller” customers who spend 10,000 or more.
This look into sophisticated carding sites is more proof that the credit card system needs a boost in security. Our present method is just not secure enough. This is why the United States is already in the process of switching to chip based cards that are much harder to duplicate. But what implications does this have for online merchants?
The best way for you to protect yourself in the event that your card number gets sold on one of these sites (and it has happened to me) is to constantly monitor your credit card account for strange charges. Smart fraudsters will get cards in their geographic location in order to have the least likelihood of tripping a bank’s security fraud sensors. Luckily the fraud triggers are fairly advanced but they don’t always catch everything.
Keep an eye on your accounts and perhaps think about a credit monitoring system in order to protect your identity from hackers and these all too common data breaches at huge corporations.