28.10.2021

Cannibal Carders

Group-IB uncovers largest networks of fake shops – phishing websites disguised as card shops
Ruslan Chebesov
Head of Underground Markets Research, Group-IB
Sergey Kokurin
Underground Markets Analyst, Group-IB
This is the first comprehensive analysis of fake underground marketplaces that claim to sell compromised bank card data. Carding is a crime. Selling bank card data is a crime. And creating fake websites that imitate "original" card shops is also a crime. We believe that the more in-depth the underground industry is examined, the more possibilities it creates for tracking, analyzing and fighting cybercrime. That is why, for the first time, we are publishing an investigation into phishing resources that copy card shops. In this case, card shops refer to "original" websites that sell bank card data and dumps, while fake shops refer to phishing resources that copy such websites. Users refer to buyers of compromised bank card data.

As you have probably understood, this particular investigation does not involve "users" in the traditional sense of the word, namely people who have fallen victim to fraudsters. Our report describes a form of cannibalism in the underground as part of which cybercriminals target other cybercriminals.

Phishing websites are a potential trap that every Internet user comes across regularly — cybercriminals are no different. Group-IB Threat Intelligence analysts have identified several large groups that make money by taking advantage of inexperienced newbie carders. The more experienced cybercriminals create and spread phishing websites that copy card shops, i.e. underground stores that sell compromised bank card data. Group-IB analysts have codenamed such websites fake shops.

A large number of online fake shops create problems for underground forum users (cybercriminals) on the one hand, and can complicate work for cyber intelligence specialists on the other. Fake data published on such resources can skew statistics when monitoring and describing card shops, while designs copied from original sites can mislead even seasoned anti-fraud analysts.

As a rule, fake shops are not created one at a time: their creators merge them into large networks. To reach more users (i.e. buyers of compromised bank card data), they place ads on underground forums and in Telegram chats and, as ironic as it sounds, trick those users into visiting their resources, which also damages the reputation of the original websites.

Group-IB Threat Intelligence analysts identified three large fake-shop networks, which they codenamed UniFake, JokerMantey and SPAGETTI. The latter, the largest of the networks discovered, includes more than 3,000 domain names, many of which are copies of some of the most popular underground card shops such as Joker's Stash, BriansClub, Unicc, Ferum shop, and ValidCC.

SPAGETTI's creators have received more than 9,200 incoming transactions to various cryptocurrency wallets, amounting to more than $1,200,000. Most of that sum arrived in Bitcoin: 23 BTC, valued at the exchange rate of October 12, 2021.

Unlike other fake-shop networks, SPAGETTI also spreads malware through its websites. The network creators placed a stealer called Taurus Project as a downloadable file on their websites to collect user data from browsers, banking app logins and passwords, and cryptocurrency wallets.

Group-IB experts analyzed how fake-shop networks are created and maintained. This blog post describes how analysts distinguish between an original card shop and a fake one, and how to correctly attribute fake resources. To illustrate by means of an example, we will analyze one of the largest fake-shop networks using Group-IB Threat Intelligence & Attribution.
Part 1. What are fake shops?
In the underground segment, there are resources for trading in compromised information such as credit and debit card details, access to user accounts, access to computers through RDP or SSH, passport details or other personal information about residents in various countries, access to servers and website administrator panels, and more.

Such resources are called underground markets.

The main characteristic of such markets is a large number of sellers. The platforms themselves are like Amazon or eBay, but on the dark web.
The Amigos market homepage

Card shops are a type of underground market. They are used to sell stolen bank card data either as full cardholder records (name, card number, CVV, expiration date) or as dumps, i.e. copies of the magnetic stripe of a bank card. Other types of compromised data are not usually sold on card shops.

Card search section of the card shop Bestvalid

Card shops and markets are the main types of resources used by criminals who engage in small-scale fraud such as carding, scams, spamming, and similar types of cybercrime.

Carding (bank card fraud) is one of the simplest forms of cybercrime. It does not require any training beyond general computer skills. The low barrier to entering the "industry" creates high demand for the services provided by card shops and markets.

In fact, high demand combined with the low skill level of newbie carders creates perfect conditions for fraudsters who make money by creating fake shops, i.e. websites that pose as card shops or underground markets. Their purpose is to create the illusion of a real resource so that users spend their money there. In addition, fraudsters sometimes use the names of existing underground resources or even copy their design outright.

In genuine underground card shops and markets, users must first deposit money into their accounts and then use that balance to buy compromised data. A common practice among card shops is paid account activation: after registering, users must pay between $20 and $200 before they can use the shop. Fake shops take advantage of this well-established pre-payment model to defraud carders.

Example of account activation on the Amigos marketplace

All fake shops can be divided into three types:

1. Resources made to look like a new card shop or market. This is the easiest way to deceive users. A threat actor creates a resource whose design elements give the impression of a card shop or market: lists of databases, a cart, news and updates, a support system, and so on. The names and domain names of such fake shops incorporate commonly used carding terms and abbreviations such as "cc," "dump," "cvv," "shop," "carding," "pin," "swipe," "sniff," and "money."

Screenshot of the fake shop cvvunion

2. Phishing resources that imitate an original card shop. In such cases, a threat actor registers a domain name resembling the original: letters or words are reordered, abbreviations are added, intentional mistakes are introduced, or one of the words from the point above is appended. To further mislead carders, the threat actor may copy the design of the original website, including its HTML code, CSS styles, and images. This takes little effort and makes the fake resource look more authentic to inexperienced carders.

Screenshot of the Unicc fake shop homepage, which completely copies the original

3. Resources that hijack the domain names of actual card shops or markets. This is one of the most sophisticated methods of creating a fake shop. Threat actors take over domains by buying domain names that previously belonged to a card shop or market. This is possible whenever the original website's owners fail to pay the registrar to renew the domain, or the delegation of the domain is terminated for any other reason. In such cases, the fake shop receives visitors who follow the same link they used in the past to reach the previous resource.

The takeovers of the unicc[.]cm and briansclub[.]ru domains are examples of this scenario. As can be seen below, angry users who suspect a scam send messages to the administration teams of the original card shops, and admins often have to additionally inform users about their domain name changes.

A message on the altenens[.]org forum (Source: Group-IB Threat Intelligence & Attribution)

As the screenshot below shows, according to BriansClub's administrator, the domain briansclub[.]ru previously belonged to the card shop. It now hosts a fake shop.

A message on the omerta forum (Source: Group-IB Threat Intelligence & Attribution)

Underground forums often have topics and messages with lists of fake shops. This is how forum users try to fight fake-shop ads.

A message on the forum crdclub[.]ws (Source: Group-IB Threat Intelligence & Attribution)

Messages from tricked carders are not rare on various forums, as in the screenshot below, where a user deposited money into their account on a market but could not purchase the desired "services."

A message on the forum carder[.]uk

Some resource owners, in an attempt to avoid losing customers and damaging their reputation, go so far as to post lists of the fake shops that impersonate them.

The Valcc marketplace login page

It is not always easy to recognize a fake shop. Like creators of ordinary phishing pages, owners of fake shops try to copy the original websites as accurately as possible. Below is a comparison of the login pages of the original Ferum shop and a fake one. At first glance, the differences are barely noticeable: the banner ads, for instance, are copied exactly. However, the CAPTCHA systems (highlighted in red) look different, and the designs of the tabs (highlighted in green) and buttons (highlighted in blue) have been copied incorrectly.

Such differences can easily mislead inexperienced users, especially when the creators of the fake Ferum shop actively post forum ads claiming that the original market's domain name has "changed".

A message on the sky-fraud[.]ru forum (Source: Group-IB Threat Intelligence & Attribution)
Part 2. The largest fake-shop networks

UniFake

UniFake is a fake-shop network specializing in websites that copy the well-known underground card shop Unicc. The network includes more than 100 domain names, 66 of which are variations on the name Unicc. The crypto wallets controlled by the UniFake network received more than 150 incoming transactions from users, amounting to over $17,000.

Fake shops are rarely created one at a time. To attract more traffic, threat actors build large networks of domains.

Source: Group-IB Threat Intelligence & Attribution, Graph Network Analysis Tool

Links between domain names within a network can be detected through identical hashes of domain owner registration data (information from the domain name registrar), or through the same IP addresses or SSL certificates being used for different websites.

Source: Group-IB Threat Intelligence & Attribution, Graph Network Analysis Tool

Such networks can have anywhere between several dozen and a thousand domains. Creators of fake shops usually choose domain names that resemble those of existing card shops.
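The three pivots named above (registrant-data hash, shared IP address, shared certificate) can be turned into a clustering pass. The Python below is an added example, not Group-IB's tooling or the Graph Network Analysis Tool: the domain records, hashes and IP addresses in it are constructed placeholders (the IPs are from documentation ranges), and the list of "noisy" values to exclude is this example's own assumption about what a practitioner would filter out.

```python
"""Clustering fake-shop domains by shared infrastructure (added example).

Two domains are linked when they share a registrant-data hash, a hosting
IP or a TLS certificate fingerprint, the three pivots named in the text.
A union-find pass turns the pairwise links into networks. Values that
many unrelated sites share (a CDN edge IP, a privacy-proxy WHOIS hash)
must be excluded, or everything collapses into one blob.
All records below are constructed; hashes and IPs are placeholders.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class DomainRecord:
    domain: str
    whois_hash: str | None = None   # hash of registrant data from the registrar
    ip: str | None = None           # A record at observation time
    cert_fp: str | None = None      # SHA-256 fingerprint of the served certificate


PIVOTS = ("whois_hash", "ip", "cert_fp")


class UnionFind:
    def __init__(self) -> None:
        self.parent: dict[str, str] = {}

    def find(self, x: str) -> str:
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]   # path halving
            x = self.parent[x]
        return x

    def union(self, a: str, b: str) -> None:
        self.parent[self.find(a)] = self.find(b)


def cluster_domains(records, noisy_values=frozenset()):
    """Return (clusters, evidence).

    clusters: list of sets of domains, largest first.
    evidence: list of (pivot, value, sorted domains) for every shared value
              that actually linked two or more domains.
    """
    uf = UnionFind()
    holders: dict[tuple[str, str], list[str]] = defaultdict(list)
    for r in records:
        uf.find(r.domain)            # register singletons too
        for pivot in PIVOTS:
            value = getattr(r, pivot)
            if value and value not in noisy_values:
                holders[(pivot, value)].append(r.domain)
    evidence = []
    for (pivot, value), domains in holders.items():
        if len(domains) < 2:
            continue
        evidence.append((pivot, value, sorted(domains)))
        for d in domains[1:]:
            uf.union(domains[0], d)
    groups: dict[str, set[str]] = defaultdict(set)
    for r in records:
        groups[uf.find(r.domain)].add(r.domain)
    clusters = sorted(groups.values(), key=lambda s: (-len(s), sorted(s)))
    return clusters, evidence


# Constructed sample: two fake-shop networks, one unrelated site and two
# sites that only share a (constructed) CDN edge address.
SHARED_CDN_IP = "192.0.2.200"
SAMPLE = [
    DomainRecord("unicc[.]cx", whois_hash="h-aaa", ip="198.51.100.10", cert_fp="c-1"),
    DomainRecord("uni-cc-shop[.]bazar", whois_hash="h-aaa", ip="198.51.100.11"),
    DomainRecord("unicc-store[.]su", ip="198.51.100.11", cert_fp="c-2"),
    DomainRecord("jstashbazar[.]com", whois_hash="h-bbb", ip="203.0.113.5", cert_fp="c-3"),
    DomainRecord("briansclub[.]store", whois_hash="h-ccc", cert_fp="c-3"),
    DomainRecord("unicc[.]me", whois_hash="h-ccc", ip="203.0.113.6"),
    DomainRecord("cvv2me[.]com", ip="203.0.113.6"),
    DomainRecord("example[.]org", whois_hash="h-zzz", ip="192.0.2.1"),
    DomainRecord("innocent-a[.]com", ip=SHARED_CDN_IP, cert_fp="c-8"),
    DomainRecord("innocent-b[.]com", ip=SHARED_CDN_IP, cert_fp="c-9"),
]
NOISY_VALUES = frozenset({SHARED_CDN_IP})

if __name__ == "__main__":
    clusters, evidence = cluster_domains(SAMPLE, NOISY_VALUES)
    for c in clusters:
        print(len(c), sorted(c))
    for pivot, value, domains in evidence:
        print(f"{pivot}={value}: {', '.join(domains)}")
```

Run as a script it prints the clusters and the pivot values that linked them. The exclusion list is the important caveat: a CDN edge address or a privacy-proxy registrant hash is shared by thousands of unrelated domains, so linking on it merges every fake shop with every innocent site behind the same proxy. With the shared IP excluded the two innocent-* domains stay separate; drop the exclusion and they collapse into one cluster.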

Full copies of existing card shops are also lucrative, since they can trick experienced cybercriminals as well as newbie carders. One such example discovered by Group-IB analysts is the UniFake network, which copies the well-known card shop Unicc. The UniFake network includes copies of other card shops and unique domain names as well, but most of its websites mimic Unicc.

Source: Group-IB Threat Intelligence & Attribution, Graph Network Analysis Tool

Unicc is one of the biggest underground card shops. It was launched in 2012 and soon became popular not only among carders, thanks to its frequent updates, but also among other card shops, which act as intermediaries and resell Unicc data for a commission through their own card-selling APIs.

A message on the forum fl.l33t[.]su (Source: Group-IB Threat Intelligence & Attribution)

These factors have most likely contributed to the emergence of many fake shops copying Unicc. Users have to compile long lists of fake domains themselves in order to work out which ones are authentic.

A Reddit post with a list of fake Unicc domains

Group-IB Threat Intelligence analysts discovered more than 100 domain names in the UniFake network. Most of them (66 domain names) bear a striking resemblance to the name Unicc. Their names combine "uni," "cc," "cvv," "shop," "store," "bazar," and hyphens, and they are hosted in different domain zones, including .onion and .bazar. The main difference from the original card shop is that the crypto wallets shown during account activation are controlled by the fake-shop owners.

The login page of the fake shop unicc[.]cx

It should be noted that fake shops have a fictitious login/password check: entering any data gives the user access to the fake shop.
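The naming patterns described above (brand name plus carding keywords, hyphens, doubled letters, a different zone) are regular enough to score automatically. The Python below is an added example, not part of the original post or Group-IB's tooling: the shop names and keyword list are taken from the text, while the "jstash" alias, the edit-distance tolerance and the prefix/suffix token rule are this example's own assumptions.

```python
"""Heuristic lookalike-domain scorer for card-shop phishing (added example).

Flags domains that imitate known card shops with the tricks described
in the text: reordered or doubled letters, inserted hyphens, appended
carding keywords ("cc", "cvv", "shop", "bazar", ...) and swapped TLDs.
The shop names and keyword list come from the article; the thresholds
and the "jstash" alias are this example's own assumptions.
"""
from __future__ import annotations

import re

# alias (as it appears in domain names) -> canonical shop name
KNOWN_SHOPS = {
    "unicc": "Unicc",
    "briansclub": "BriansClub",
    "jokerstash": "Joker's Stash",
    "jstash": "Joker's Stash",      # assumed short form, cf. jstashbazar[.]com
    "ferumshop": "Ferum shop",
    "validcc": "ValidCC",
}
CARDING_TOKENS = {"cc", "cvv", "dump", "dumps", "shop", "shops", "store",
                  "bazar", "carding", "pin", "swipe", "sniff", "money"}


def registrable_label(domain: str) -> str:
    """Second-level label of a (possibly defanged) domain, lower-cased.

    'Unicc[.]CX' -> 'unicc'; 'uni-cc-shop.bazar' -> 'uni-cc-shop'.
    Works for .onion and .bazar too because it just takes labels[-2].
    """
    d = domain.lower().strip().replace("[.]", ".").strip(".")
    labels = d.split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def normalize(label: str) -> str:
    """Collapse cosmetic variation: hyphens, underscores, digits, doubled letters."""
    s = re.sub(r"[-_0-9]", "", label)
    return re.sub(r"(.)\1+", r"\1", s)   # "uniccc" -> "unic"


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance (insert/delete/substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def carding_tokens(label: str) -> set[str]:
    """Keywords present as a hyphen/digit-separated part or as a prefix/suffix."""
    parts = set(p for p in re.split(r"[-_0-9]+", label) if p)
    return {t for t in CARDING_TOKENS
            if t in parts or label.startswith(t) or label.endswith(t)}


def score_domain(domain: str) -> tuple[str, str | None, set[str]]:
    """Return (verdict, imitated_shop, tokens).

    verdict is 'lookalike' (close to, or containing, a known shop name),
    'carding-themed' (generic name built from carding keywords, type 1 in
    the text) or 'no-match'.
    """
    label = registrable_label(domain)
    norm = normalize(label)
    tokens = carding_tokens(label)
    best_dist, best_shop, best_len = None, None, 0
    for alias, canonical in KNOWN_SHOPS.items():
        a = normalize(alias)
        dist = 0 if a in norm else levenshtein(norm, a)   # embedded brand counts as a hit
        if best_dist is None or dist < best_dist:
            best_dist, best_shop, best_len = dist, canonical, len(a)
    if best_dist <= max(1, best_len // 4):   # assumed tolerance: about 1 edit per 4 chars
        return ("lookalike", best_shop, tokens)
    if tokens:
        return ("carding-themed", None, tokens)
    return ("no-match", None, tokens)


if __name__ == "__main__":
    # constructed candidates; the bracketed ones appear in the article
    for d in ["unicc[.]cx", "uni-cc-shop.bazar", "jstashbazar[.]com",
              "briansclub[.]store", "cvvunion.com", "valldcc.su", "example.com"]:
        print(d, score_domain(d))
```

The containment rule is deliberately generous, so a short alias such as "unic" will also match unrelated labels that happen to embed it (the word "communication" contains it). In practice the score is a triage signal to be confirmed against page content and hosting infrastructure, not a verdict on its own.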

There are currently 22 active Unicc copies in this fake-shop network, nine of which redirect to the same resource.

While analyzing the network of fake shops masquerading as Unicc, Group-IB Threat Intelligence analysts detected a total of 21 cryptocurrency wallets for various currencies. The wallets are controlled by the fake-shop owners and used to receive payments for "activating" user accounts.

Fake shops are a lucrative business. Group-IB analysts identified 150 transactions made to the UniFake network, amounting to $17,377 at the October 12, 2021 exchange rate.

The data may be incomplete, however, because fake-shop creators occasionally change the crypto wallet addresses on their resources. By doing so they try to avoid raising suspicion among experienced carders, who know that genuine card shops create new wallets to make it harder to track the movement of funds. Wallets are often generated individually for every transaction, which is why it is only possible to track resources where wallet generation does not work for whatever reason.
JokerMantey

JokerMantey is a fake-shop network with more than 20 domain names. It includes fake shops masquerading as the infamous Joker's Stash and BriansClub card shops, and the network owners actively maintain the fake websites. In total, more than 300 incoming transactions from tricked users have been recorded, amounting to over $220,000.

In January 2021, the owner of Joker's Stash, who used the username JokerStash, announced that the platform for selling bank card data was closing.

A message from JokerStash about the resource closing down

The original website has gone on a "well-deserved vacation", but that did not stop its many fake "followers" from continuing to operate on the dark web. For example, jstashbazar[.]com is one of the best-known and oldest fake shops masquerading as Joker's Stash and is still active.

A message on the forum wwh-club[.]net (Source: Group-IB Threat Intelligence & Attribution)

JokerStash had been warning about this fake shop since April 2019 and continued to do so until the original card shop closed. The owners of the fake marketplace tried to copy the original website's design in full, from the registration form and the unique CAPTCHA system to the card databases.

Fake Joker's Stash login page

Fake Joker's Stash card database

Experienced carders could nonetheless recognize the fake shop simply by looking at the names of the databases of compromised cards put up on the website. The names of the databases on the original Joker's Stash were always written in capitals and included specific keywords, which can be seen in the screenshot below.

Original Joker's Stash card database names

The creators of the JokerMantey network did not take this feature into account.

Fake Joker's Stash card database names

To create the appearance of bank card data available for purchase, fraudsters can generate seemingly masked data using the "*" symbol. To do so, they only need to know the Bank Identification Number (BIN, the first six digits of the card number), the bank name, and the country; as a rule, this information can be found on specialized resources. The fields missing from the fake lot (expiration date, address, ZIP code, and cardholder name) can be generated from the BIN. An alternative is to copy masked data posted on other resources.

In either case, no full card data is required. Buyers interested in the "goods" on the fake shop lose money twice: first by "activating" access to the resource, then by "purchasing" fake cards.

The website jstashbazar[.]com generates a new Bitcoin wallet with every attempt to activate an account, which makes it impossible to track how much money the site owners make. Nevertheless, we were able to determine a list of other domains that belong to the same fake-shop network as jstashbazar[.]com.

Source: Group-IB Threat Intelligence & Attribution, Graph Network Analysis Tool

Among the JokerMantey domains, Group-IB specialists discovered BriansClub fakes (briansclub[.]store, briansclub[.]shop, briansclub[.]me), another address for the Joker's Stash fake (jokerstash[.]cc), a Unicc copy (unicc[.]me), and standalone fake shops with no link to an existing original card shop (cvv2me[.]com, cryptonshops[.]com). In total, Group-IB researchers identified more than 20 domain names.

For the JokerMantey network of fake shops, Group-IB specialists also identified two related Bitcoin wallets, one Litecoin wallet and one Dash wallet, retrieved from payment forms.

A total of 304 transactions had been received by the crypto wallets controlled by the JokerMantey owners, amounting to $220,587 at the October 2021 exchange rate.
SPAGETTI

SPAGETTI is the largest of the fake-shop networks, with more than 3,000 domain names. Across all of the network's cryptocurrency wallets, more than 9,200 transactions were recorded, amounting to over $1,200,000. Unlike the other networks, SPAGETTI also spreads malware through its websites: a stealer called Taurus Project. The network was codenamed after one of the DNS servers that its owners used for their fake shops.

SPAGETTI's main "asset" is a set of fake shops masquerading as BriansClub, one of the oldest and largest card shops, launched as early as 2014.

Like other major players on the carding market, BriansClub has several clones. One of them is briansclub[.]ru, whose creators went beyond the usual account activation fee.

A fake BriansClub account activation system

After the activation fee for the fake briansclub[.]ru had been paid, users saw the message "Your account is activated! For safe use of the store. Download the protected app" and a link to an archive called "panelcontorl.rar."

Message and download link

The archive contained two files: "PanelControl.exe" and "LitePanel.exe."

Instead of gaining access to a card shop panel, however, users who ran the files launched a stealer called Taurus Project (aka Taurus).

Group-IB Threat Hunting Framework detecting the "panelcontrol.rar" file structure

The Taurus Project stealer not only collects information from the Chrome, Opera and Firefox browsers, but also gains access to the camera and collects login details for multiple cryptocurrency wallets such as Bitcoin, Ethereum, and Bytecoin. This means that after launching the file, an inexperienced user could lose the login details for the cryptocurrency wallets used to pay for the activation, as well as access to other resources, including other card shops.

Taurus Project, which appeared in April 2020, is a more advanced version of the stealer called Predator the Thief. Both were developed by the same threat actor, nicknamed Alexuiop1337, and they share many similarities: the way the initial configuration is loaded, the same obfuscation method, and similar functionality.

Analysis of the Taurus sample spread through the SPAGETTI network revealed requests sent to the IP addresses 104.21.52.20 and 172.67.194.75.

Source: Group-IB Threat Intelligence & Attribution, Graph Network Analysis Tool

Group-IB Threat Intelligence analysts established that the IP addresses belonged to the website monerdomen[.]ru and were attributed to the Taurus botnet.

HTTP POST requests were also sent directly to the website URL.

Source: Group-IB Threat Intelligence & Attribution

To attract traffic, the creators of SPAGETTI maintain a vast network of fake shops, both standalone ones and copies of famous card shops such as BriansClub.

Source: Group-IB Threat Intelligence & Attribution, Graph Network Analysis Tool

In total, the Group-IB Threat Intelligence team identified more than 3,000 domains belonging to the SPAGETTI network.

Most of the domains were registered in March 2021 or later. Two websites appeared at the same time: monerdome[.]ru (which serves as the controller for the Taurus stealer) and panelshopload[.]su (where the archive containing the Taurus Project stealer's files was placed for download). The reason could be a change in how the fake-shop network operates or a change of owner; it is currently impossible to determine which.

It is noteworthy that all the websites look identical. Only the domain name, the authorization page, and the resource name differ. Authorization pages are either unique, i.e. created or generated separately for each website, or copies of the design of a famous card shop.

The authorization page of the fake shop briansclub[.]ru

The original login page of the card shop Trump's Dumps

The fake shop festore-dumps[.]ru, which copies the login page of the card shop Trump's Dumps

After authorization, however, the website is always the same.

The fake shop festore-dumps[.]ru

After the user signs up, every website shows an activation window and suggests that the user download the files containing the stealer, supposedly in order to work with the card shop.

Interestingly, the Bitcoin amount shown in the activation form often differs from the initially announced $30 and can reach up to $100. The sum we observed most often was 0.00088 BTC, which amounts to $50 at the exchange rate on October 12, 2021.

The fake shop festore-dumps[.]ru

Occasionally, for no apparent reason, the sum is 0.00316 BTC, which amounts to $181 at the same exchange rate.

This is another way of tricking inexperienced users, who enter the specified sum in Bitcoin without checking what it equates to in dollars.

Changing Bitcoin wallets are another characteristic of this fake-shop network. A new Bitcoin wallet address appears with each new visit to the activation page or every time it is refreshed. Some of the network's resources have a script that creates a new empty wallet for each request, but most resources rotate through a list of nine Bitcoin wallets. The Ethereum, Litecoin, and Dash wallets, however, are static.

To promote their fake shops, the SPAGETTI network owners create publicly accessible online resources with information about carding. As a result, the websites appear in users' search results without violating search engine rules.

Such promo resources often link to Telegram bots, which advertise resources belonging to the SPAGETTI fake-shop network.

Besides showing ads, the Telegram bots can be used to "buy" non-existent compromised bank cards or accounts.

Screenshot of a Telegram bot that sells PayPal accounts

Screenshot of a Telegram bot that sells textual bank card data

The owners of the fake-shop network provide no additional information when stolen bank accounts are sold. In the case of compromised bank cards, however, Group-IB analysts established that the card data had been copied from the genuine card shop BingoHi, which uses a distinctive method of masking data.

Source: Group-IB Threat Intelligence & Attribution, Compromised & Leaks section

The owners of the fake shop changed the card expiration dates so that the cards appeared to be valid, since the cards copied from BingoHi had originally been put up for sale in 2019.

Despite all the complaints from users and from the owners of the original websites, the fake-shop network remains active and its wallets regularly receive "account activation" fees.

Last transaction in a fake BriansClub Bitcoin wallet

The screenshot shows that on October 23, 2021, 0.00088 BTC was transferred to one of the network's nine wallets. As noted above, this is one of the sums that appear on the activation page.

Once every few days, the money from all the network's wallets is transferred to a collector wallet.

Transaction to a collector wallet

All the transfers are merged into a single transaction on the side of the SPAGETTI network's creator in order to save on transaction fees. The transfer process is always the same for all the wallets, which helped identify every wallet belonging to the owner of this fake-shop network.

The collected money is then transferred to a cryptocurrency exchange.

A transfer to a cryptocurrency exchange

The Bitcoin, Ethereum, Litecoin, and Dash wallets, which have been active since early 2019, received over 9,200 incoming transactions amounting to $1,296,322 at the exchange rate on October 12, 2021.

Distribution of incoming SPAGETTI transactions by cryptocurrency type

For the Bitcoin wallets, 33 outgoing transactions were identified. They amounted to more than $746,000 and led Group-IB experts to wallets at major cryptocurrency exchanges.
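The consolidation pattern just described (deposits to a small set of wallets, periodic multi-input sweeps into a collector, a final hop to an exchange) is what lets an analyst attribute all the deposit wallets to one operator. The Python below is an added example rather than Group-IB's analysis: it applies the common-input-ownership heuristic to a constructed transaction set whose addresses are placeholder labels and whose amounts mirror the 0.00088 BTC activation fee from the text. The collector and exchange addresses are not proven by the heuristic; they are only followed as destinations of the cluster's own spends, an assumption the analyst has to confirm separately.

```python
"""Following fake-shop payments on-chain (added example).

Models what the text describes for SPAGETTI: victims pay an "activation"
fee (0.00088 BTC = 88,000 sat) to one of a small set of deposit wallets,
the operator periodically sweeps all of them into a collector wallet in
a single multi-input transaction, and the collector is later emptied to
an exchange. The multi-input sweep is what ties the deposit wallets
together (common-input-ownership heuristic: all inputs of one transaction
are signed by the same key holder, so they are treated as one owner).
The collector and exchange addresses are not proven by that heuristic;
they are followed as outputs of the cluster's own spends.
Transactions below are constructed; addresses are placeholder labels.
"""
from __future__ import annotations

from dataclasses import dataclass

SAT = 100_000_000   # satoshi per BTC


@dataclass(frozen=True)
class TxIO:
    address: str
    value_sat: int


@dataclass(frozen=True)
class Tx:
    txid: str
    inputs: tuple[TxIO, ...]
    outputs: tuple[TxIO, ...]


def cluster_of(txs: list[Tx], seed: str) -> set[str]:
    """Common-input-ownership: expand from `seed` over every transaction
    that spends from the current cluster, until no new input address appears."""
    cluster = {seed}
    grown = True
    while grown:
        grown = False
        for tx in txs:
            ins = {i.address for i in tx.inputs}
            if ins & cluster and not ins <= cluster:
                cluster |= ins
                grown = True
    return cluster


def deposits(txs, cluster) -> list[tuple[str, str, int]]:
    """(txid, address, sat) for outputs paid into the cluster by outsiders."""
    found = []
    for tx in txs:
        if any(i.address in cluster for i in tx.inputs):
            continue                     # internal move, not a customer payment
        found += [(tx.txid, o.address, o.value_sat) for o in tx.outputs if o.address in cluster]
    return found


def sweeps(txs, cluster) -> list[tuple[str, int, dict[str, int]]]:
    """(txid, sat spent, {destination: sat}) for spends made entirely from the
    cluster to addresses outside it: the 'collector' hops described in the text."""
    out = []
    for tx in txs:
        ins = {i.address for i in tx.inputs}
        if not ins or not ins <= cluster:
            continue
        external = {o.address: o.value_sat for o in tx.outputs if o.address not in cluster}
        if external:
            out.append((tx.txid, sum(i.value_sat for i in tx.inputs), external))
    return out


def next_hop(txs, address) -> dict[str, int]:
    """Where funds spent from `address` go (one hop), summed per destination."""
    dest: dict[str, int] = {}
    for tx in txs:
        if any(i.address == address for i in tx.inputs):
            for o in tx.outputs:
                dest[o.address] = dest.get(o.address, 0) + o.value_sat
    return dest


def btc(sat: int) -> str:
    return f"{sat / SAT:.8f} BTC"


FEE = 1_000
SAMPLE_TXS = [
    # customer "activation" payments, each with the payer's own change output
    Tx("t1", (TxIO("VICTIM1", 100_000),), (TxIO("W1", 88_000), TxIO("VICTIM1_CHG", 11_000))),
    Tx("t2", (TxIO("VICTIM2", 100_000),), (TxIO("W2", 88_000), TxIO("VICTIM2_CHG", 11_000))),
    Tx("t3", (TxIO("VICTIM3", 400_000),), (TxIO("W2", 316_000), TxIO("VICTIM3_CHG", 83_000))),
    Tx("t4", (TxIO("VICTIM4", 100_000),), (TxIO("W3", 88_000), TxIO("VICTIM4_CHG", 11_000))),
    # sweep: every deposit wallet emptied in ONE transaction -> common owner
    Tx("sweep1", (TxIO("W1", 88_000), TxIO("W2", 404_000), TxIO("W3", 88_000)),
       (TxIO("COLLECTOR", 580_000 - FEE),)),
    Tx("t5", (TxIO("VICTIM5", 100_000),), (TxIO("W1", 88_000), TxIO("VICTIM5_CHG", 11_000))),
    Tx("sweep2", (TxIO("W1", 88_000),), (TxIO("COLLECTOR", 88_000 - FEE),)),
    # cash-out: collector balance to an exchange deposit address
    Tx("cashout", (TxIO("COLLECTOR", 579_000), TxIO("COLLECTOR", 87_000)),
       (TxIO("EXCHANGE_DEPOSIT", 666_000 - FEE),)),
]


def summarize(txs, seed):
    cl = cluster_of(txs, seed)
    dep = deposits(txs, cl)
    sw = sweeps(txs, cl)
    return {
        "cluster": cl,
        "deposit_count": len(dep),
        "deposit_sat": sum(v for _, _, v in dep),
        "collectors": {addr for _, _, ext in sw for addr in ext},
    }


if __name__ == "__main__":
    s = summarize(SAMPLE_TXS, "W1")
    print("deposit wallets:", sorted(s["cluster"]))
    print("incoming:", s["deposit_count"], "payments,", btc(s["deposit_sat"]))
    for addr in s["collectors"]:
        print("collector", addr, "-> next hop:", next_hop(SAMPLE_TXS, addr))
```

The heuristic breaks on CoinJoin-style transactions, where unrelated parties deliberately share inputs, and it only ever connects addresses that have already been spent from, so deposit wallets the operator has not yet swept remain unattributed. Both are reasons why revenue figures derived this way are lower bounds.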

It should be noted, however, that the cryptocurrency wallet addresses may have changed since the SPAGETTI fake-shop network was created, and the stealer gave its operators access to users' crypto wallets. The actual revenue of the SPAGETTI owners may therefore be significantly higher.

Conclusion

Fake shops will continue to exist as long as there are underground marketplaces and card shops. Moreover, this underground segment will continue to develop because, unlike the operators of legitimate websites, the owners of illegal original underground resources cannot take legal action against fake shops.

Nevertheless, we do not expect the near future to bring new fake marketplaces linked to carding. Currently the fake-shop market is divided between the few large networks described in this report, and novices will struggle to build networks of their own that meet all the requirements for creating, supporting and promoting such websites. The situation is likely to change only if someone comes up with a new way of deceiving inexperienced carders and buyers of stolen bank card data, and there is no sign of that so far.

How are fake shops dangerous for researchers who investigate the underground and for threat intelligence specialists? The main risk is false positives: without knowing that they are dealing with a fake shop, threat intelligence specialists can alert customers and the public with inaccurate and misleading information. Another risk is the misattribution of cybercriminals.

Even seasoned anti-fraud analysts can be misled by carefully copied designs, data reproduced from original resources, and active promotional campaigns. Studying fake shops helps investigators examine underground markets in a more comprehensive and in-depth manner, because fake marketplaces are an inextricable part of the carding industry.
Legal Notice

1. The study provides information on how illegal acts are being committed in order to attract the attention of the relevant authorized bodies. The study's goal is to minimize the risk of further illegal acts being committed, suppress any such activity in a timely manner, and raise legal awareness among readers.

2. The conclusions contained in this study are the result of Group-IB specialists analyzing open-source data. No part of the conclusions is the official position of competent authorities, including law enforcement agencies in any jurisdiction. Information that became publicly known before the study was released is reproduced unchanged in its original form. The study is analytical in nature and does not directly accuse any entities of crimes or other illegal actions.

3. The study is intended for information purposes only. Readers are not authorized to use it for commercial purposes or for any other purposes not related to education or personal non-commercial use.

4. The entire study is subject to copyright and protected by applicable intellectual property law.