Slashdot Mirror


Cybercriminals Learning To Filter Out Undercover Cops (krebsonsecurity.com)

An anonymous reader writes: Credit card numbers are constantly being stolen, but the people who take them don't usually use them. Instead, they sell them to others who will. Many cards are traded at online forums and markets. Law enforcement investigators know this, and they use these forums to gather intelligence on breaches. But Brian Krebs writes that one of the biggest markets, Rescator, has implemented methods to screen out suspected law enforcement agents. Krebs says of a law enforcement source of his: "The criminals running the fraud shop seized his carding store account and bitcoin balance after the pig alert flashed on my source's screen — effectively stealing hundreds of taxpayer dollars directly from the authorities. ... I found his case fascinating and yet another example of the growing sophistication of large-scale cybercrime operations."

63 comments

  1. Oink! by Anonymous Coward · · Score: 0

    I wonder how many false positives this system has.

    1. Re: Oink! by Anonymous Coward · · Score: 1

      My thoughts exactly. They're just stealing from customers under the premise they're a pig.

      Maybe there is a customer service number to get your bitcoin back.

    2. Re:Oink! by Anonymous Coward · · Score: 0

      Doesn't matter. They don't care about being fair and they are not expecting to be sued just because they accidentally blocked a gay criminal.

    3. Re:Oink! by peragrin · · Score: 1

      They are crooks, do false positives matter?

      only those who care about innocents worry about false positives.

      --
      i thought once I was found, but it was only a dream.
    4. Re:Oink! by Golddess · · Score: 1

      Yes they are crooks, but they want people to go to them to purchase these things. Too many false positives, and people stop going to their "business".

      --
      "I'm not sure I like the fugnutish tone you used in your post!" -RogL (608926)-
    5. Re: Oink! by Anonymous Coward · · Score: 1

      They're fellow criminals, not customers. Some criminals stealing from other criminals. No big deal.

    6. Re:Oink! by Anonymous Coward · · Score: 0

      Surprisingly enough even crooks have morals to some extent. They are different from politicians in that regard.

    7. Re:Oink! by 91degrees · · Score: 1

      It is something they have to be careful with. These places are unregulated. They are trading entirely on their reputation. It's not like you can file a complaint with the regulators if something goes wrong. Reputation matters. And if a lot of people say they had their accounts stolen, they're not going to have a business any more.

  2. Oink oink, motherfuckers! by Anonymous Coward · · Score: 0, Insightful

    Dirty feebs get what they deserve...

    1. Re:Oink oink, motherfuckers! by xevioso · · Score: 1, Flamebait

      Ah, I see you support criminals who steal from innocent people. Well done.

    2. Re:Oink oink, motherfuckers! by narcc · · Score: 0

      We have here two competing criminal gangs. I can't see how expressing some joy at seeing one take a hit is the same as a show of support for the other criminal gang.

      Isn't it good when any criminal organization takes a knock on the chin?

    3. Re:Oink oink, motherfuckers! by Zero__Kelvin · · Score: 1

      Unless the Government is one of those gangs you are enumerating, then there are actually 3

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    4. Re:Oink oink, motherfuckers! by kilfarsnar · · Score: 1

      Ah, I see you support criminals who steal from innocent people. Well done.

      No, I think he is opposed to the police in this matter.

      https://www.aclu.org/issues/cr...

      --
      "What the American public doesn't know is what makes them the American public." -Ray Zalinsky (Tommy Boy)
  3. Stealing wasn't the point by TWX · · Score: 5, Insightful

    Krebs says of a law enforcement source of his: "The criminals running the fraud shop seized his carding store account and bitcoin balance after the pig alert flashed on my source's screen — effectively stealing hundreds of taxpayer dollars directly from the authorities..."

    I think it's hilarious that the angle they took was the seizing of the police's resources committed to the transaction system. The point wasn't to steal the police's resources, that was a drop in the bucket compared to the size of the operation. The point was to prevent the suspected law enforcement agency from continuing to play and to preserve the information that might be linked with the account to use that information to help spot other law enforcement accounts.

    If anything, the lack of size of the law enforcement operation was probably the initial red flag. Sure, actual criminals will start out small too, but usually an unwillingness to go all-in is a warning flag. Flat out, usually the, "good guys," have limits on their behavior either because they're attempting to do as little harm as possible or being limited in funding since they're not actually running a criminal for-profit enterprise, or a combination thereof.

    It'll probably take a turned-insider to break this stuff. That's what it usually takes. Actually find a person involved, use the carrot-and-stick approach to give them reduced charges or some degree of immunity in exchange for breaking the organization from within, and let that person both take the risks associated with data collection and give them time to build up enough information to make further prosecution possible.

    --
    Do not look into laser with remaining eye.
    1. Re:Stealing wasn't the point by KenDiPietro · · Score: 4, Insightful

      After Snowden sold the US out, it was quietly reported about a large number of people on the US payroll in other countries (and their families) disappearing quietly, and permanently.

      It was quietly reported by the very same people who have evidence that 9/11 was an inside job, if I'm not mistaken. Maybe a better quality source of information would be the best way forward, don't you think?

    2. Re:Stealing wasn't the point by Anonymous Coward · · Score: 0, Funny

      And where was the "disappearance" of "large numbers of people" reported, exactly? Because so far all I see is a lot of talk and nothing about the supposed "reports."

      Good on you for clicking the anonymous posting box though, you tinfoil-hat wearing faggot.

    3. Re:Stealing wasn't the point by Anonymous Coward · · Score: 0

      With the OPM hacks that establish a trail of people, then other hacks to establish chains of communication and friends, I am not surprised that this is happening.

      Plausible. Unlikely if OPM was a Chinese intel operation, but plausible.

      After Snowden sold the US out, it was quietly reported about a large number of people on the US payroll in other countries (and their families) disappearing quietly, and permanently.

      Flag on the play: Non-sequitur alert. Entirely conceivable that foreign agencies have used that information to compromise US workers. But Snowden had nothing to do with the OPM hack. Bad framing attempt, grossly diminishes any credibility the reader might assign to all otherwise-plausible statements you made. Five yard penalty, Agent Smith. Still first down.

    4. Re:Stealing wasn't the point by Zero__Kelvin · · Score: 1

      "After Snowden sold the US out"

      Lucky you, AC! You haven't picked a Slashdot name yet. Might I suggest an appropriate one such as "Captain Douchebag"?

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    5. Re:Stealing wasn't the point by Zero__Kelvin · · Score: 1

      "Good on you for clicking the anonymous posting box though, you tinfoil-hat wearing faggot."

      That's ironic. maybe you don't wear a tin-foil hat while sucking dick, but the fact that you remove it to get a better angle for your mouth doesn't really help your AC ass.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    6. Re:Stealing wasn't the point by TWX · · Score: 1

      I checked, CaptainDouchebag is still available.

      --
      Do not look into laser with remaining eye.
    7. Re:Stealing wasn't the point by Zero__Kelvin · · Score: 1

      I'm assuming you aren't the AC ;-)

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    8. Re:Stealing wasn't the point by sandbagger · · Score: 1

      [Citation]

      --
      ---- The above post was generated by the Turing Institute. Maybe.
    9. Re:Stealing wasn't the point by Anonymous Coward · · Score: 0

      Or perhaps the law enforcement will start to follow the easy (and most obvious) tactics of rubber-hose hacking. I'd bet that authorities worldwide are increasingly eager to do that, with the current trend of implementing default mobile encryption and whatnot.

    10. Re:Stealing wasn't the point by freeze128 · · Score: 1

      I think it would have been funnier if the cop had called the support line to get his account unlocked. That's one conversation I would like to hear.

    11. Re:Stealing wasn't the point by KenDiPietro · · Score: 1

      Yes, a citation would be nice.

    12. Re:Stealing wasn't the point by Whorhay · · Score: 2

      Oh please! If the government had lost a single agent that they could tie in any way to the Snowden leak they would have trumpeted that from the mountain tops. As it is they've yet to put forward a single case where his actions resulted in the death or capture of a single person. Which is unsurprising considering they've yet to put forth a single credible incident that was prevented by the systemic abuses Snowden revealed.

    13. Re:Stealing wasn't the point by TWX · · Score: 1

      No. Can't remember the last time I posted AC even.

      --
      Do not look into laser with remaining eye.
  4. What was he thinking by Anonymous Coward · · Score: 0

    Has a carding store account with money in it meant to be used to be given to criminals -- complains that they take it

  5. amateurs by Anonymous Coward · · Score: 5, Insightful

    When you detect the unwanted customer, don't block them ... sell them randomized fake CC info. Their evil genius is weak sauce.

  6. Yawn by Anonymous Coward · · Score: 0

    So there is a sophisticated ecosystem of criminals and undercover cops that exists because credit card transactions are insecure. Make credit card transactions secure using cryptography available in 1980 and it all goes away.

  7. "Credit card numbers are constantly being stolen" by k6mfw · · Score: 3, Interesting

    Maybe have it such that taking a credit card number is not as easy as getting a number. Let me explain: Someone commented getting a credit card even using someone else's name and address, all you have to do is fill out a form and put down a bunch of numbers. Unlike getting a car, you have to show them that it is really you getting the car. But I guess credit cards are becoming more commonplace (damned as I see someone buying lousy cup of coffee for $1.25 with their credit card), so with more of these but less of honest jobs that pay a livable wage only bound to have more credit card number thefts.

    --
    mfwright@batnet.com
  8. maybe all by Anonymous Coward · · Score: 0

    Heck, just throw that up on every (new) account.

    If they don't come back cussing at you then block em. Did they act all insulted or just logout?
    If it was a 'legit' customer, you got the money they were going to spend anyway!

  9. Great Article....uh... by mythosaz · · Score: 2

    ....exactly what countermeasures beyond them mentioning they used to use IP range blacklists, exactly?

    Where are the details?

    This is like some old story about a guy he used to know who did some thing one time...

    1. Re:Great Article....uh... by PPH · · Score: 2

      Perhaps they have blacklisted some Bitcoin based upon its previous seizure by law enforcement.

      --
      Have gnu, will travel.
  10. Re:"Credit card numbers are constantly being stole by Anonymous Coward · · Score: 0

    Capital One actually called my parents when I got a card from them to confirm that I was myself. Never told em any information on my parents.

  11. Fuck the popo by Anonymous Coward · · Score: 0

    Dirty pigfuckers...

  12. Immature Terminology by Dominare · · Score: 5, Interesting

    Okay, I know this is off topic and I apologize, but can we agree that it's time to stop calling them "Cybercriminals"? It's not 1997 anymore and internet-enabled devices are deeply integrated into most aspects of all our lives - they're just criminals.

    I'm serious by the way, this isn't an attempt to be funny. Appending the cyber- prefix automatically sets them apart and I think that's a bad thing. They're thieves, and we already have plenty of words for those.

    1. Re:Immature Terminology by Anonymous Coward · · Score: 0

      No, cybercriminals should just be defined as those who commit thought crimes. That or something out of the movie Time Cop.

    2. Re:Immature Terminology by mysidia · · Score: 4, Insightful

      Okay, I know this is off topic and I apologize, but can we agree that it's time to stop calling them "Cybercriminals"?

      These people are called cybercriminals to provide information about what kind of criminals they are; it doesn't mean they are to be looked at as privileged or special; You don't call a serial killer just a "criminal"; These people who deal in batches of stolen credit card or social security numbers for mortgage or Tax Refund fraud are much worse than common criminals, just like you refer to criminals who are serial killers differently than you refer to muggers or jaywalkers. A thief probably only robs from a few people, cybercriminals are "Mass Thieves", and the penalties should be more severe --- they are criminals that use what the average person would consider technically sophisticated methods or tools involving the abuse of technology as a fundamental aspect in the commission of their crimes.....

      They are not thieves in the traditional sense, other than their intention is essentially to get money they have not earned, E.g. those selling copies of other peoples' credit card numbers, And their chance at a profit is supported by another criminal's expectation of using those numbers to defraud banks out of $$$, but some of these criminals are also referred to as fraudsters and identity thieves.

    3. Re: Immature Terminology by Anonymous Coward · · Score: 0

      But how are we supposed to locate them on the information superhighway if we don't have a clear term!

    4. Re:Immature Terminology by N1AK · · Score: 1

      Then use fraudsters, hackers, identity thieves or whatever better characterises their crimes. Someone who, for example sells illegal drugs online rather than by phone, is a drug dealer and the moniker cyber-criminal is far too vague.

    5. Re:Immature Terminology by Talderas · · Score: 1

      Cyber drug dealers.

      --
      "Lack of speed can be overcome. In the worst case by patience." --Znork
    6. Re:Immature Terminology by Anonymous Coward · · Score: 0

      Drug Cyber-Dealers sell physical drugs over the internet.
      Cyber-Drug Dealers sell the internet as a drug (see: facebook).

    7. Re:Immature Terminology by mysidia · · Score: 1

      Someone who, for example sells illegal drugs online rather than by phone, is a drug dealer

      It's not cybercrime for some guy to be selling illegal drugs online. The guy already broke the law in the real world, and the actual exchange will definitely occur in the real world (If he/she is indeed selling), the online / website type platform is just a communication channel.

      That's like suggesting that if he used a telephone to make the deal, that it would be a phone crime.

      It's not (But there really are telephone crimes that exist, such as toll fraud). The phone or internet is not part of the criminal act; it's just a communication channel between actors in this case, Unless you're talking about the "thought crime" of two people discussing or using the online medium to advertise / agree to / and moving forward with an act or transaction participants know to be illegal.

      And there are activities that are cybercrime, such as hacking / stealing and distributing stolen digital information.

      With stolen information, the actual goods are likely exchanged online, so that's quite different, and is cybercrime...

      There's a difference between true cybercrime and using internet-connected personal electronic devices, networks, or telephone services, in a way that furthers a crime which is a totally materialized crime that occurs in the physical world.

  13. your faith in cryptographic pixie dust is cute by david_bonn · · Score: 2

    So there is a sophisticated ecosystem of criminals and undercover cops that exists because credit card transactions are insecure. Make credit card transactions secure using cryptography available in 1980 and it all goes away.

    Nearly all cryptography in use in 1980 would be trivially breakable from even a brute-force attack today.

    We humans are very poor at building secure systems. We don't really have any theoretical basis for building cryptographic algorithms. The methodology used is basically propose some idea and if enough people look at it and can't compromise it generally after a few years we figure it is good to go. In practice what happens with most public-key systems is that some special cases are discovered where the system is easily breakable. This translates into an ever-growing stop list of mathematical properties to search at key generation time. Note that won't help you if you generated your key three years ago and you are unlucky.

    The fun really begins when we implement systems using cryptography. Think about the guy in the cubicle down the hall. The one you'd never trust with sharp objects. The one who can't debug his way out of a paper bag. That's the guy who will implement the major security holes in your product. And you only need one. Given some of the boneheaded stuff I have seen (e.g. cleartext left laying around where it is easily located, "key generators" for 128-bit session keys that only have around 16 bits of entropy, &c) I really don't believe we humans are smart enough for this.

    And that is just the stupid and incompetent. What about the smart and lazy person on deadline? What about someone genuinely malicious implementing something "secure" that you depend on?

    I'd recommend buying a tinfoil hat and hoping for the best.

  14. cyber by Anonymous Coward · · Score: 1

    Unfortunately, this is just horrible. It doesn't even help the little guy who cannot himself check through the forums and has to wait for second-third hand information to stop this nonsense.

  15. civil forfeiture? lol by Anonymous Coward · · Score: 1

    civil forfeiture? lol

    or should this have another name?

    and ironically this presents the same problems for the 'legitimate' clientele who now have to be worried about being falsely 'forfeited'.

  16. Re:"Credit card numbers are constantly being stole by bughunter · · Score: 2

    Your credit reports contain that information: past addresses, known family members, etc.

    (So never use that kind of info as an answer for a secret security question.)

    --
    I can see the fnords!
  17. fuck by Anonymous Coward · · Score: 0

    they are criminals. they'd take your money even if you were not a pig

  18. Puritan virtue by zippthorne · · Score: 2

    But I guess credit cards are becoming more commonplace (damned as I see someone buying lousy cup of coffee for $1.25

    Yeah, so? You should be able to make small purchases with them, because the real costs to provide the service are 1) reliably communicate an almost vanishingly small amount of data over a vast network that is mostly used for streaming video, 2) production of the cards themselves.

    Why should you have to carry cash around and make change and carry that any more if you don't want to? Because some people don't get finances and will overspend, therefore all uses of credit cards are irresponsible?

    --
    Can you be Even More Awesome?!
    1. Re:Puritan virtue by AmiMoJo · · Score: 1

      Stored value cards are better for that use case. No loan so no need for a credit check, you just load them up front with cash and then spend. No need to handle loss of the card like credit cards do for fraud prevention; it's essentially the same as losing cash.

      Such cards are also somewhat anonymous, in that the card ID isn't tied to an individual and cards can easily be shared or traded.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    2. Re:Puritan virtue by cciechad · · Score: 1

      You must be using a really crappy card issuer. I've had my cards compromised and all I have to do is give them a call that takes at most 2 minutes (or it can be done through the website) and they always eat any unauthorized transactions and send out a new card Next day air. So there is zero risk and I end up with thousands of dollars in points every year that I wouldn't get with a prepaid card also I can use my card to rent cars and other things that can't be done with a prepaid card.

      --
      https://www.fsf.org/associate/support_freedom
  19. Re:"Credit card numbers are constantly being stole by rtb61 · · Score: 1

    Credit card fraud is an easy problem to solve, one simple solution. Gather biometrics of the purchaser at point of sale or product receipt (for online sales). Fraudulent purchase and they have given themselves away and even if they use a gullible mule, that mule will turn them in. So easiest way to gather biometric data, require a finger print on a sealable adhesive material along with a photo, that is kept and turned in at end of shift and stored (you gain the print and skin cells and an image of the person making the purchase or taking receipt of goods). You could even just do the photo but not as effective as skin cell samples.

    --
    Chaos - everything, everywhere, everywhen
  20. Re:"Credit card numbers are constantly being stole by Anonymous Coward · · Score: 0

    Has Anyone Really Been Far Even as Decided to Use Even Go Want to do Look More Like?

  21. Re:"Credit card numbers are constantly being stole by BadDreamer · · Score: 2

    I live in northern Europe. I never carry cash around. Stores and coffee shops don't want to handle cash. They want me to pay by card. And I want to pay by card, using chip and PIN, because that is safer for me than carrying around cash.

    I can't even pay for the bus in my town using cash. There was one attempted robbery of a bus driver, and all buses went cashless overnight.

  22. Double Standards Much? by wkwilley2 · · Score: 0

    Oh I see how it is, when someone steals from the cops, it's theft.

    But when cops steal from anyone else, it's civil asset forfeiture.

    --
    Have you ever fallen asleep at the keybhanusdiog?
  23. You Might Be Surprised By The Law by Anonymous Coward · · Score: 0

    In the U.S. it is illegal to sell fake illegal goods. So selling fake credit card numbers is still illegal just as selling oregano as pot is illegal. Then there's the add-ons like conspiracy to defraud and who knows what else.

  24. Credit card for small purchases by phorm · · Score: 2

    damned as I see someone buying lousy cup of coffee for $1.25 with their credit card

    I think this insinuates that people are using credit for small things because they lack funds, but there's plenty of other good reasons for this. I don't carry a lot of cash, particularly small change. I'm Canadian so mine might vary from yours a bit:
    a) In Canada, small change ($0.5, $0.10, $0.25, $1.00, $2.00) comes in the form of coins. These are heavy, bulky, and frankly most wallets don't even have a coin purse in them anymore (I've yet to find a decent wallet that does, sadly). They're even considering a $5 coin.

    b) Credit is safer than debit in terms of fraud. As a relative of mine experienced, a stolen CC # means getting the card cancelled, tracking down some bad purchases, and waiting for a new card. Having your debit card compromised can involve your account being drained, then locked for an extended period while the bank (maybe) does something to recover your funds.

    c) Many credit cards come without fees so long as you pay them off in a timely manner. Debit accounts often do come with fees, limits on the number of "free" transactions, etc (not mine, because I do my banking somewhere sane, but most major banks are like this). Banks also like to change the terms on the debit accounts, so your free-if-you-keep-$1000-balance account may suddenly start getting fees when they raise the minimum to $2000.

    d) Paypass (paywave, tap-to-pay, etc). I have mixed feelings about this. From a security perspective it's pretty awful. For small items like a coffee or a donut, it's damn convenient, and faster than any other method. I've come to accept that so long as it's limited to small purchases it's not that bad (if somebody steals my RFID they can't buy much) so long as one watches one's account.

    So personally, I don't have space for a lot of spare change. Plus that $1.25 coffee is pretty quick with my CC and not worth potentially compromising my main bank account. Bring on the plastic.

  25. LOL, pwn3d!! by gstoddart · · Score: 1

    Essentially this boils down to the police lack the skills and sophistication of the people they're trying to stop, and in the process they're getting their asses handed to them and losing the money they have as bait.

    You have to admire the audacity, but you can't go around thinking law enforcement has the right skillset to fight these people on their own turf.

    In an ever on-going arms race, the bad guys are more numerous, likely have more resources and time, and are quite motivated.

    I mean, it's not like in the real world you'd grab an officer, give him some slouchy shorts, a wallet chain and a beanie cap and send him in to pretend like he fits in with who you're looking for.

    So, yeah, organized crooks using the intertubes know more about the intertubes than the police trying to stop them. Film at 11.

    I absolutely LOVE the Pig Alert ... it's just so damned hilarious in a vaguely kind of cyberpunk sort of way.

    --
    Lost at C:>. Found at C.
  26. Details, please by Anonymous Coward · · Score: 0

    Learning to detect, avoid, and occasionally fuck over the police is something that everybody should master. At the end of the day they're just another gang, filled with criminals, murderers, and rapists (the numbers don't lie!)