ENGLISH
ENGLISH
28.10.2021

Cannibal Carders

Group-IB uncovers largest networks of fake shops – phishing websites disguised as card shops
Ruslan Chebesov
Head of Underground Markets Research, Group-IB
Sergey Kokurin
Underground Markets Analyst, Group-IB
This is the first comprehensive analysis of fake underground marketplaces that claim to sell compromised bank card data. Carding is a crime. Selling bank card data is a crime. And creating fake websites that imitate "original" card shops is also a crime. We believe that the more in-depth the underground industry is examined, the more possibilities it creates for tracking, analyzing and fighting cybercrime. That is why, for the first time, we are publishing an investigation into phishing resources that copy card shops. In this case, card shops refer to "original" websites that sell bank card data and dumps, while fake shops refer to phishing resources that copy such websites. Users refer to buyers of compromised bank card data.

As you have probably understood, this particular investigation does not involve "users" in the traditional sense of the word, namely people who have fallen victim to fraudsters. Our report describes a form of cannibalism in the underground as part of which cybercriminals target other cybercriminals.

Phishing websites are a potential trap that every Internet user comes across regularly — cybercriminals are no different. Group-IB Threat Intelligence analysts have identified several large groups that make money by taking advantage of inexperienced newbie carders. The more experienced cybercriminals create and spread phishing websites that copy card shops, i.e. underground stores that sell compromised bank card data. Group-IB analysts have codenamed such websites fake shops.

A large number of online fake shops create problems for underground forum users (cybercriminals) on the one hand, and can complicate work for cyber intelligence specialists on the other. Fake data published on such resources can skew statistics when monitoring and describing card shops, while designs copied from original sites can mislead even seasoned anti-fraud analysts.

As a rule, fake shops are not created one by one. To reach more users (i.e. buyers of compromised bank card data), creators of fake shops place ads on underground forums and Telegram chats and trick users into visiting their resources, as ironic as it sounds, which damages the reputation of the original websites. They also merge their sites into large networks.

Group-IB Threat Intelligence analysts identified three large fake-shop networks that they codenamed UniFake, JokerMantey and SPAGETTI. The latter (which is the largest of all the networks discovered) includes more than 3,000 domain names, many of which are copies of some of the most popular underground card shops such as Joker's Stash, BriansClub, Uniсс, Ferum shop, and ValidCC.

SPAGETTI's creators have managed to generate more than 9,200 incoming transactions to various cryptocurrency wallets, amounting to more than $1,200,000 (most of which were received in Bitcoin, namely 23 BTC according to the exchange rate on October 12, 2021).

Unlike other fake-shop networks, SPAGETTI also spreads malware through its websites. The network creators placed a stealer called Taurus Project as a downloadable file on their websites to collect user data from browsers, banking app logins and passwords, and cryptocurrency wallets.

Group-IB experts analyzed how fake-shop networks are created and maintained. This blog post describes how analysts distinguish between an original card shop and a fake one, and how to correctly attribute fake resources. To illustrate by means of an example, we will analyze one of the largest fake-shop networks using Group-IB Threat Intelligence & Attribution.
Part 1. What are fake shops?
In the underground segment, there are resources for trading in compromised information such as credit and debit card details, access to user accounts, access to computers through RDP or SSH, passport details or other personal information about residents in various countries, access to servers and website administrator panels, and more.

Such resources are called underground markets.

The main characteristic of such markets is a large number of sellers. The platforms themselves are like Amazon or eBay, but on the dark web.
    The Amigos market homepage
    Card shops are a type of underground market. They are used to sell stolen bank card data in the form of full cardholder records (including name, card number, CVV, expiration date) or dumps – copies of a magnetic strip of a bank card. Other types of compromised data are not usually sold on card shops.
    Card search section of the card shop Bestvalid
    Card shops and markets are the main types of resources used by criminals who engage in small-scale fraud such as carding, scams, spamming, and similar types of cybercrime.

    Carding (bank card fraud) is one of the simplest forms of cybercrime. It does not require any additional training apart from general computer skills.The low threshold for entering the "industry" creates a high demand for services provided by card shops and markets.

    In fact, high demand and low skills among newbie carders create the perfect conditions for fraudsters who make money off creating fake shops, i.e. websites that pose as card shops or underground markets. Their purpose is to create an illusion of an actual resource so that users spend their money there. In addition, fraudsters sometimes use names of existing underground resources or even completely copy their design.

    In the case of genuine underground card shops and markets, users are required to first deposit money into their accounts in order to then be able to use it to buy compromised data. A common practice among card shops is paid account activation, which means that after registering users must pay between $20 and $200. Fake shops take advantage of these well-established systems involving pre-paying for services in order to mislead carders.
    Example of account activation on the Amigos marketplace

    All fake shops can be divided into three types:
    1
    Resources that are made to look like a new card shop or market. This is the easiest way to deceive users. A threat actor creates a resource whose design elements give the impression of a card shop or market: it includes lists of databases, cart, news and updates, support system, and so on. In addition, the names of such fake shops and their domain names involve commonly used carding terms and abbreviations such as "cc," "dump," "cvv," "shop," "carding," "pin," "swipe," "sniff," and "money."
    Screenshot of the fake shop cvvunion
    2
    Phishing resources that imitate the original card shop. In such cases, a threat actor creates a website with a domain name resembling the original, changes the order of the letters or words in the name, adds abbreviations, makes intentional mistakes, or adds one of the words mentioned in the point above. To further mislead carders, the threat actor might copy the design of the original website, including the HTML code, CSS styles, and images. This is not difficult and makes the fake resource look more authentic to inexperienced carders.
    Screenshot of the Unicc fake shop homepage, which completely copies the original
    3
    Resources that hijack the domain names of actual card shops or markets. This is one of the most sophisticated methods of creating a fake shop. Threat actors take over domains by buying domain names that previously belonged to a card shop or market. This is entirely possible if the original website's owners have failed to pay the registrar for renting the domain name or if the delegation of their domain name has been terminated for any reason. In such cases, the fake shop is visited by users who use the same link as the one they used in the past to access the previous resource.

    The takeover of the unicc[.]cm and briansclub[.]ru domains are examples of this scenario. As we can see, angry users who suspect a scam send messages to the administration teams of the original card shops. Admins often have to additionally inform users about their domain name changes.
    A message on the altenens[.]org forum (Source: Group-IB Threat Intelligence & Attribution)
    As can be seen from the screenshot below, according to the BriansClub's administrator, the domain briansclub[.]ru previously belonged to a card shop. However, It now hosts a fake shop.
    A message on the omerta forum (Source: Group-IB Threat Intelligence & Attribution)
    Underground forums often have topics and messages with lists of fake shops. This is how forum users try to fight fake shop ads.
    A message on the forum crdclub[.]ws (Source: Group-IB Threat Intelligence & Attribution)
    It is not rare to see messages from tricked carders on various forums, as in the screenshot below where a user deposited money into their account on a market but could not purchase the desired "services."
      A message on the forum carder[.]uk
      Some resource owners, in an attempt to prevent losing customers and damaging their reputation, go so far as to post lists of fake shops that impersonate them.
        The Valcc marketplace login page
        It is not always easy to recognize a fake shop. Similarly to creators of ordinary phishing pages, owners of fake shops try to copy original websites as accurately as possible. Below you can find a comparison of the login pages of the original Ferum shop and a fake one. At first glance, the differences are barely noticeable. For instance, the banner ads are copied exactly. However, the CAPTCHA systems (highlighted in red) look different. In addition, the designs of the tabs (highlighted in green) and buttons (highlighted in blue) have been copied incorrectly.
          Such differences can easily mislead inexperienced users, especially when the creators of the fake Ferum shop actively promote forum ads saying that the original market's domain name has "changed".
          A message on the sky-fraud[.]ru forum (Source: Group-IB Threat Intelligence & Attribution)
          Part 2. The largest fake-shop networks
          UniFake
          UniFake is a fake-shop network specialized in websites that copy a famous underground card shop called Unicc. The network includes more than 100 domain names, 66 of which are variations on the name Unicc. The crypto wallets controlled by the UniFake network received more than 150 incoming transactions from users, amounting to over $17,000.
          Fake shops are rarely created one at a time. To attract more traffic, threat actors create large networks of domains.
          Source: Group-IB Threat Intelligence & Attribution, Graph Network Analysis Tool
          Links between domain names within the network can be detected through identical hashes of domain owner registration data (information from the domain name registrar) and the same IP addresses or SSL certificates for different websites.
          Source: Group-IB Threat Intelligence & Attribution, Graph Network Analysis Tool
          Such networks can have between several dozen and a thousand domains. Usually, creators of fake shops choose domain names that are similar to the URLs of existing card shops.

          However, creating copies of existing card shops can also be lucrative. It is possible to trick both newbie carders and experienced cybercriminals. One such example discovered by Group-IB analysts was the UniFake network, which copies the famous card shop called Unicc. The UniFake network includes both copies of other card shops and unique domain names, but most of the network's websites mimic Unicc.
            Source: Group-IB Threat Intelligence & Attribution, Graph Network Analysis Tool
            Unicc is one of the biggest underground card shops. It was launched in 2012 and soon became popular among carders due to the large number of updates, but also among card shops that act as intermediaries and sell Unicc data for a commission using their own API systems for selling cards.
              A message on the forum fl.l33t[.]su (Source: Group-IB Threat Intelligence & Attribution)
              These factors have most likely contributed to the emergence of many fake shops copying Unicc. Users must themselves create long lists of fake domains to determine which ones are authentic.
                A Reddit post with a list of fake Unicc domains
                Group-IB Threat Intelligence analysts discovered more than 100 domain names in the UniFake network. Most of them (66 domain names) bear a striking resemblance to the Unicc design. They all use "uni," "cc," "cvv," "shop," "store," "bazar," and hyphens in their names and are hosted in different domain zones, including .onion and .bazar. The main difference between them and the original card shop is that the crypto wallets in the account activation are controlled by the fake shop owners.
                The login page of the fake shop unicc[.]cx
                It should be noted that fake shops have a fictitious login/password check. Entering any data will give users access to the fake shop.

                There are currently 22 active Unicc copies in one fake-shop network, nine of which redirect to the same resource.

                While analyzing the network of fake shops masquerading as Unicc, Group-IB Threat Intelligence analysts detected a total of 21 cryptocurrency wallets for various currencies. The cryptocurrency wallets are controlled by the fake-shop owners and used for receiving payment for "activating" user accounts.

                Fake shops are a lucrative business. Group-IB analysts identified 150 transactions made on the UniFake network amounting to $17,377 at the October 12, 2021 exchange rate.
                The data may not be complete, however, because fake-shop creators occasionally change crypto wallet addresses on their resources. By doing so they try to avoid raising suspicion among experienced carders who know that genuine card shops create new wallets to make it more difficult to track the movement of funds. Wallets are often generated for every transaction individually, which is why it is only possible to track resources where wallet generation does not work for whatever reason.
                  JokerMantey
                  JokerMantey is a fake-shop network with more than 20 domain names. It includes fake shops masquerading as the infamous Joker's Stash and BriansClub card shops. The network owners actively support the fake websites. In total, more than 300 incoming transactions from tricked users have been secured, amounting to over $220,000.
                  In January 2021, a Joker's Stash owner with the username JokerStash announced that their platform for selling bank card data was closing.
                    A message from JokerStash about the resource closing down
                    The original website has gone on a "well-deserved vacation", but that did not stop its many fake "followers" from continuing to operate on the dark web. For example, Jstashbazar[.]com is one of the most famous and oldest fake shops masquerading as the Joker and is still active.
                    A message on the forum wwh-club[.]net (Source: Group-IB Threat Intelligence & Attribution)
                    JokerStash wrote about the fake shop until the original card shop closed in April 2019. The owners of the fake marketplace tried to fully copy the original website's design, from the registration form and the unique CAPTCHA system to card databases.
                    Fake Joker's Stash login page
                    Fake Joker's Stash card database
                    Experienced carders would be able to recognize a fake shop, however, simply by looking at the names of the databases with compromised cards put up on the website. The names of the databases on the original Joker's Stash were always written in capitals and included specific keywords. Such keywords can be seen on the screenshot below.
                    Original Joker's Stash card database names
                    The creators of the JokerMantey network did not take this feature into account.
                    Fake Joker's Stash card database names
                    To create the appearance of bank card data available for purchase, fraudsters can generate seemingly masked data using the "*" symbol. To do so, they must know the Bank Identification Number (BIN, the first six digits of the card number), the bank name, and the country. As a rule, this information can be found on specialized resources. Data missing from the fake lot (expiration date, address, ZIP code, and cardholder name) can be generated using the BIN. An alternative scenario is to copy masked data posted on other resources.

                    In either case, providing full card data is not required. Buyers interested in the "goods" on the fake shop will lose money twice: first by "activating" access to the resource, then by "purchasing" fake cards.

                    The website jstashbazar[.]com generates new Bitcoin wallets with every attempt to activate an account, which means that it is impossible to track how much money the site owners make. Nevertheless, we were able to determine a list of other domains that are part of the same fake-shop network as jstashbazar[.]com.
                    Source: Group-IB Threat Intelligence & Attribution, Graph Network Analysis Tool
                    Among JokerMantey domains, Group-IB specialists discovered Brian's Club fakes (briansclub[.]store, briansclub[.]shop, briansclub[.]me), another address for the Joker's Stash fake (jokerstash[.]cc), a Unicc copy (unicc[.]me), and individual fake shops with no links to existing original card shops (cvv2me[.]com, cryptonshops[.]com). In total, more than 20 domain names were identified by Group-IB researchers.

                    In the case of the JokerMantey network of fake shops, Group-IB specialists also identified two related Bitcoin wallets, one Litecoin and one Dash, retrieved from payment forms.

                    A total of 304 transactions had been received to the crypto wallets controlled by JokerMantey owners amounting to $220,587 at the October 2021 exchange rate.
                    SPAGETTI
                    SPAGETTI is one of the largest fake-shop networks, with more than 3,000 domain names. For all the network's cryptocurrency wallets, more than 9,200 transactions were generated, amounting to over $1,200,000. Unlike other networks, SPAGETTI spreads malware through its websites: a stealer called Taurus Project. This fake-shop network was codenamed after one of the DNS servers that the owners of the network used for their fake shops.
                    SPAGETTI's main "asset" are fake shops masquerading as one of the oldest and largest card shops called BriansClub, which was launched as early as 2014.

                    As with other major players on the carding market, BriansClub has a few clones. One of them is briansclub[.]ru. whose creators went beyond the usually required account activation fee.
                    A fake BriansClub account activation system
                    After the activation fee for the fake briansclub[.]ru was paid, users saw the following message "Your account is activated! For safe use of the store. Download the protected app" and a link to an archive called "panelcontorl.rar."
                    Message and download link
                    The archive contained two files: "PanelControl.exe" and "LitePanel.exe."

                    Instead of access to the card shop panel, however, when users clicked on the files, they launched a stealer called Taurus Project (aka Taurus).
                    Group-IB Threat Hunting Framework detecting the "panelcontrol.rar" file structure
                    The Taurus Project stealer not only collects information from Chrome, Opera and Firefox browsers, but also gains access to the camera and collects login details from multiple cryptocurrency wallets such as Bitcoin, Ethereum, and Bytecoin.This means that after launching the file, an inexperienced user could lose the login details for their cryptocurrency wallets used to pay for the activation as well as lose access to other resources, including other card shops.

                    Taurus Project, which appeared in April 2020, is a more advanced version of the stealer called PredatorTheThief. They were both developed by the same threat actor nicknamed Alexuiop1337 and share many similarities: how the initial configuration is loaded, the same obfuscation method, similar functionalities.

                    Analyzing the Taurus stealer, which was spread through the SPAGETTI network of card shops, revealed requests sent to the IP addresses 104.21.52.20 and 172.67.194.75.
                    Source: Group-IB Threat Intelligence & Attribution, Graph Network Analysis Tool
                    Group-IB Threat Intelligence analysts established that the IP addresses belonged to the website monerdomen[.]ru and were attributed to the Taurus botnet.
                    HTTP POST requests were also sent directly to the website URL.
                    Source: Group-IB Threat Intelligence & Attribution
                    To attract traffic, the creators of SPAGETTI maintain a vast network of fake shops, both independent ones and copies of famous card shops such as BriansClub.
                    Source: Group-IB Threat Intelligence & Attribution, Graph Network Analysis Network
                    In total, the Group-IB Threat Intelligence team identified more than 3,000 domains belonging to the SPAGETTI network of card shops.

                    Most domains were registered in March 2021 or later. At this time, two websites appeared: monerdome[.]ru (which serves as the controller for the Taurus stealer) and panelshopload[.]su (where the archive containing the Taurus Project stealer's files was placed for download). The reason could be a change in how the fake-shop network operates or its owner changing. It is currently impossible to determine which.

                    It is noteworthy that all the websites look identical. Only the domain name, authorization page, and resource name are different. Authorization pages are either unique, that is created or generated separately for each website, or one that copies the design of a famous card shop.
                    The authorization page of the fake shop briansclub[.]ru
                    The original login page of the card shop Trump's Dumps
                    The fake shop festore-dumps.ru, which copies the login page of the card shop Trump's Dumps
                    After authorization, however, the website always stays the same.
                    The fake shop festore-dumps[.]ru
                    After the user signs up, every website shows an activation window and suggests that the user download files containing the stealer, supposedly to work with the card shop.

                    Interestingly, the Bitcoin amount mentioned in the activation form often differs from the initially announced $30 and can reach up to $100. We most often observed the sum 0.00088 BTC, which amounts to $50 according to the exchange rate on October 12, 2021.
                    The fake shop festore-dumps[.]ru
                    Occasionally, for no apparent reason, the sum can be 0.00316 BTC, which amounts to $181 according to the same exchange rate.
                    This is another way of tricking inexperienced users, who enter the specified sum in Bitcoin without checking how much it equates to in dollars.

                    Bitcoin wallets that change are another characteristic of this fake-shop network. A new Bitcoin wallet address appears with each new visit to the activation page or every time it is refreshed. Some of the network's resources have a script that creates a new empty wallet with each new request, but most resources use a list of nine Bitcoin wallets. Etherium, Litecoin, and Dash wallets are static, however.

                    To promote their fake shops, SPAGETTI network owners create publicly accessible online resources with information about carding. This means that the websites appear in users' search results without violating search engine rules.
                    Often, such promo resources have links to Telegram bots, where resources belonging to the SPAGETTI fake-shop network are advertised.
                    In addition to showing ads, Telegram bots can be used to "buy" non-existing compromised bank cards or accounts.
                    Screenshot of a Telegram bot that sells Paypal accounts
                    Screenshot of a Telegram bot that sells textual bank card data
                    Owners of fake-shop networks do not provide additional information when stolen bank accounts are sold. Nevertheless, in the case of compromised bank cards, Group-IB analysts established that the card data was copied from the genuine card shop BingoHi, which uses a specific method of masking data.
                    Source: Group-IB Threat Intelligence & Attribution, Compromised & Leaks section
                    The owners of the fake shop changed the details relating to card expiration dates so that cards appeared to be valid seeing as cards copied from BingoHi were put up for sale in 2019.

                    Despite all the complaints received from users and the owners of original websites, the fake-shop network continues to be active and their wallets regularly receive "account activation" fees.
                    Last transaction in a fake BriansClub Bitcoin wallet
                    The screenshot shows that on October 23, 2021, 0.00088 BTC were transferred to one of the network's nine wallets. As noted above, this is one of the sums that appear on the activation page.

                    Once every few days the money from all the network's wallets is transferred to a collector wallet.
                    Transaction to a collector wallet
                    All transfers are merged into one transaction on the side of the creator of the SPAGETTI fake-shop network in order to save on the commission for transactions. The transfer process is always the same for all wallets, which helped identify all the wallets belonging to the owner of this fake-shop network.

                    The money collected is then transferred to a cryptocurrency exchange.
                    A transfer to a cryptocurrency exchange
                    Bitcoin, Etherium, Litecoin, and Dash wallets, which have been active since early 2019, had over 9,200 incoming transactions amounting to more than $1,296,322 according to the exchange rate on October 12, 2021.
                    Distribution of incoming SPAGETTI transactions by cryptocurrency type
                    For the Bitcoin wallets, 33 outgoing transactions were identified. They amounted to more than $746,000 and led Group-IB experts to wallets at major cryptocurrency exchanges.

                    It should be noted, however, that the cryptocurrency wallet addresses may have changed since the SPAGETTI fake-shop network was created, while the stealer made it possible to gain access to user crypto wallets. This means that the actual revenue of SPAGETTI owners may be significantly higher.
                    Conclusion
                    Fake shops will continue to exist as long as there are underground marketplaces and card shops. Moreover, this underground segment will continue to develop because unlike representatives of legitimate websites, owners of illegal original underground resources cannot take legal actions against fake shops.

                    Nevertheless, we are far from thinking that the near future will bring new fake marketplaces linked to carding. Currently the fake-shop market is divided between a few large networks, as described in this report, and novices will struggle to build their own networks that would be able to meet all the requirements for creating, supporting and promoting such websites. The situation is likely to change only if someone comes up with a new way of deceiving inexperienced carders and buyers of stolen bank card data, but there is no basis for this so far.

                    In what way are fake shops dangerous for researchers who investigate the underground and threat intelligence specialists? The main risk is in false positives — without knowing that they are dealing with the fake shop threat intelligence specialists can alert customers and the public with inaccurate and misleading information. Another risk is misattribution of cybercriminals.

                    Even seasoned anti-fraud analysts can be misled by carefully copied designs, data reproduced from original resources, and active promotional campaigns. Studying fake shops helps investigators look into underground markets in a more comprehensive and in-depth manner because fake marketplaces are an inextricable part of the carding industry.
                    Legal Notice
                    1. The study provides information on how illegal acts are being committed in order to attract the attention of relevant authorized bodies. The study's goal is to minimize the risk of further illegal acts being committed, suppress any such activity in a timely manner, and raise legal awareness among readers.
                    2. The conclusions contained in this study are made as a result of Group-IB specialists analyzing open-source data. No part of the conclusions is the official position of competent authorities, including law enforcement agencies in any jurisdiction. Information that became publicly known before the study was released is reproduced unchanged in its original form. The study is analytical in nature and does not directly accuse any entities of crimes or other illegal actions.
                    3. The study is intended for information purposes only. Readers are not authorized to use it for commercial purposes and any other purposes not related to education or personal non-commercial use.
                    4. The entire study is subject to copyright and protected by applicable intellectual property law.