Phishing websites are a trap that every Internet user encounters regularly, and cybercriminals are no exception.
Group-IB Threat Intelligence analysts have identified several large groups that make money by taking advantage of inexperienced carders. More experienced cybercriminals create and spread phishing websites that copy card shops, i.e. underground stores that sell compromised bank card data. Group-IB analysts have codenamed such websites fake shops.
The large number of fake shops creates problems for underground forum users (cybercriminals) on the one hand and complicates the work of cyber threat intelligence specialists on the other. Fake data published on such resources can skew statistics when card shops are monitored and described, and designs copied from the original sites can mislead even seasoned anti-fraud analysts.
As a rule, fake shops are not created one at a time. To reach more users (i.e. buyers of compromised bank card data), the creators of fake shops advertise on underground forums and in Telegram chats and lure users to their resources, which, ironically, damages the reputation of the original websites. They also combine their sites into large networks.
Group-IB Threat Intelligence analysts identified three large fake-shop networks, which they codenamed UniFake, JokerMantey and SPAGETTI. The latter, the largest of all the networks discovered, includes more than 3,000 domain names, many of which are copies of some of the most popular underground card shops, such as Joker's Stash, BriansClub, UniCC, Ferum shop and ValidCC.
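A network of thousands of domains imitating a handful of well-known shop brands is exactly the situation in which an analyst wants to triage a domain list automatically before looking at any page. The following Python is an added example written for this post, not Group-IB's own tooling or method: it flags a domain when its registrable label reuses a known shop's brand string verbatim, embeds it in a longer label, sits within a small edit distance of it, or spells it with Cyrillic letters that look like Latin ones. The sample domains, the edit-distance thresholds, the short confusables map and the simplified public-suffix handling are all assumptions made for the example; a production pipeline would use the Unicode confusables table and the full Public Suffix List.

```python
import re
import unicodedata

# Card shops the post names as the ones the SPAGETTI network copied.
KNOWN_SHOPS = ["Joker's Stash", "BriansClub", "UniCC", "Ferum shop", "ValidCC"]

# Cyrillic letters that render like Latin ones. Assumption: this short map is
# illustrative only; a real pipeline would use the Unicode confusables table.
CONFUSABLES = {
    "\u0430": "a", "\u0441": "c", "\u0435": "e", "\u043e": "o",
    "\u0440": "p", "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u0455": "s",
}

# Second-level labels that act as part of the public suffix (co.uk, com.au, ...).
# Assumption: a real pipeline would consult the full Public Suffix List instead.
SUFFIX_LIKE = {"co", "com", "net", "org", "ac", "gov"}


def brand_key(name):
    """Collapse a shop name to lowercase alphanumerics: "Joker's Stash" -> "jokersstash"."""
    return re.sub(r"[^a-z0-9]", "", name.lower())


def registrable_label(domain):
    """Return the label left of the public suffix for a URL or hostname, lowercased,
    NFKC-normalised and with confusable Cyrillic letters mapped to Latin."""
    host = re.sub(r"^[a-z][a-z0-9+.-]*://", "", domain.strip().lower()).split("/")[0]
    host = unicodedata.normalize("NFKC", host)
    host = "".join(CONFUSABLES.get(ch, ch) for ch in host)
    labels = [l for l in host.split(".") if l]
    if len(labels) >= 3 and labels[-2] in SUFFIX_LIKE:
        return labels[-3]
    if len(labels) >= 2:
        return labels[-2]
    return labels[0] if labels else ""


def levenshtein(a, b):
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def match_shop(label, known=KNOWN_SHOPS):
    """Return (shop name, reason) if the label imitates a known shop, else None.
    Thresholds are a heuristic chosen for this example: brands shorter than eight
    characters tolerate one edit, longer ones two, and a brand of at least five
    characters may be embedded anywhere in a longer label."""
    key = brand_key(label)
    for shop in known:
        bk = brand_key(shop)
        if key == bk:
            return shop, "brand name used verbatim"
        if len(bk) >= 5 and bk in key:
            return shop, "brand name embedded in a longer label"
        dist = levenshtein(key, bk)
        if dist <= (1 if len(bk) < 8 else 2):
            return shop, f"edit distance {dist} from brand name"
    return None


def find_lookalikes(domains, known=KNOWN_SHOPS, exclude=()):
    """Map each suspicious domain to (shop, reason). `exclude` lists hosts already
    confirmed as the originals so they are not reported."""
    hits = {}
    for d in domains:
        if d in exclude:
            continue
        m = match_shop(registrable_label(d), known)
        if m:
            hits[d] = m
    return hits


# Constructed sample input for this example; none of these are domains from the report.
SAMPLE_DOMAINS = [
    "jokers-stash-official.example",
    "https://www.briansc1ub.test/login",
    "uni\u0441\u0441.example",          # "unicc" spelled with two Cyrillic letters
    "validcc-login.test",
    "ferumshop.test",
    "weatherforecast.example",
    "hello.test",
]

if __name__ == "__main__":
    for domain, (shop, reason) in find_lookalikes(SAMPLE_DOMAINS).items():
        print(f"{domain:40} -> {shop:14} ({reason})")
```

Running the block reports five of the seven constructed domains, each with the shop it imitates and why. The edit-distance threshold is deliberately stricter for short brands, because a two-edit tolerance on a five-letter name such as UniCC would match unrelated words; the homoglyph normalisation matters because a label that looks identical to the brand on screen can be a different byte string entirely.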
SPAGETTI's creators have generated more than 9,200 incoming transactions to various cryptocurrency wallets, amounting to more than $1,200,000 (most of it received in Bitcoin: 23 BTC, valued at the exchange rate of October 12, 2021).
Unlike other fake-shop networks, SPAGETTI also spreads malware through its websites. The network's creators placed a stealer called Taurus Project on their websites as a downloadable file; it collects user data from browsers, banking application logins and passwords, and cryptocurrency wallets.
Group-IB experts analyzed how fake-shop networks are created and maintained. This blog post describes how analysts distinguish an original card shop from a fake one and how to correctly attribute fake resources. As a worked example, we analyze one of the largest fake-shop networks using Group-IB Threat Intelligence & Attribution.