This part of Kevin Poulsen’s talk describes a crafty strategy that Max Vision and his companion Chris Aragon adopted to get hold of stolen credit card data from carder forum users and monetize it with remarkable efficiency.
Chris’ money was running out. So Max did the logical thing and he googled it: “How do you make money off of computer crime?” And that is how he discovered what is probably one of the biggest developments in cybercrime over the last 10 years, the signature development, really, which are the carder forums.
I can spend a huge time on this because it’s been a subject of a lot of discussion at the RSA over the last couple of years. Basically, in the early 2000s this grew out in Eastern Europe, but it spread to the U.S. The cyber crooks decided that doing business in IRC, in chat rooms the way they used to, was inefficient. It was hard to build a reputation and to do business with other people when you are nothing but a nick, a handle in an IRC chat room, which anybody can change at any time. And all the knowledge that they had about how to exploit different vulnerabilities or how to carry out different schemes was transient, it was ephemeral, it would vanish; you could explain something to somebody in an IRC chat room, and then it’s gone as soon as the chat session is over.
So they created these carders forums which were websites dedicated to crime. In a carder forum you give advice to other people about how to carry out credit card fraud and things like that. More importantly, you can buy and sell identity information in a very structured environment. So you get approved to be a vendor in a carder forum. That means that you’re selling maybe credit card numbers or hacked bank accounts, you give a sample to somebody who runs the forum; they will write a review of it. So they’ll try out your stolen credit card numbers and make sure that they have decent limits on them, that most of them, if not all of them, actually work, and they’ll write up a review, just like reviewing a business on Yelp. Then you start doing business. So you’ll have one person selling stolen credit card numbers, you’ll have somebody else who sells the blank plastic cards that you use to make fake credit cards out of the stolen credit card numbers; you’ll have somebody else selling safety paper to make counterfeit checks with; and then somebody else will sell the special magnetic print cartridges that you need to print on the counterfeit checks.
Max discovered the carders forums. He had no reputation in this community, so what he did instead was that he decided to hack everybody that was using them to get an inside look at what was going on. So he posed as a well-known vendor of credit card data and sent out a message to everybody saying that he had an excess amount of American Express credit card data, so he was just giving away his excess, so: “Click here and can get your free Amex”.
If you made the mistake of clicking there, as a lot of people did, you wound up being infected with a brand-new Internet Explorer vulnerability that would give Max root on your system, or administrative capabilities on your system.
So he got 30 or 40 hits instantly as soon as this message went out, and he continued to roll it afterwards. He instantly backdoored all of these carders, and one undercover FBI agent. He could see exactly how everything worked. He was wired right into the system at that point, and he immediately started stealing credit card data. In particular, he went for dumps – these are kind of the pork bellies of the underground. When you hear about people being arrested for stealing or selling credit card numbers, most of the time this is actually what they went after. This is the magstripe data on the back of the credit card.
The magstripe contains the same information on the face of the credit card – the account number, the name, the expiration date, but it also contains the secret code called a Card Verification Value on Visa cards and something else on MasterCard. It’s a cryptographically generated checksum that ensures that you can’t take a credit card number from the face of a card and make a working counterfeit card from it because you don’t know the secret code. You can’t phish the secret code, you can’t trick somebody into giving it to you, because the consumer doesn’t know it – it’s on the magstripe. There’s another secret code printed on the back of your credit card – that’s a completely different code. So it’s not credit card numbers that have value in the underground world; it’s these dumps, the magstripe data. Max started getting these dumps, they typically sell for anywhere from 8 dollars for like Visa Classic – to 50 for a corporate card or gold card. He would steal it from criminals who’d already stolen it or bought it from somebody who had stolen it, and he would send it down to Orange County to Chris Aragon, the former bank robber, who in the meantime had set up a complete credit card counterfeiting factory.
Thanks to the carder forums it’s relatively easy to learn how to counterfeit a credit card: you have to start with the blank plastic which you can buy through the forums, there are people who specialize in it; you buy templates which will be the design on the face of a particular card done by a Photoshop expert; and then you emboss it and you have to tin it to get the metal on the raised numbers and letters; and then you have to put the magstripe data on it.
So Chris did all of this from a hotel room; actually, not a hotel room, he actually rented an apartment under an alias that he dedicated to nothing but turning out fake credit cards by the hundreds. And these were the results (see left-hand section of the image). He had a talent for this. He produced very, very nice cards. The holograms came from China.
The next step is monetizing this, so he would make fake IDs for himself and for his employees – here are some of his driver’s licenses (right-hand part of the image above). One of them was Chris Anderson who was editor-in-chief of the Wired magazine, but I think it’s no relation.
And he would give the credit cards, and he would give the accompanying fake IDs to his employees. He learned that the best workers – they’re not all pictured here – are young college-age women, preferably attractive, who can walk into a store and just take everybody by surprise. It’s not the type of person that you normally expect to be a credit card swindler, and they can act like privileged Orange County youth.
So they would go in, he would pass out credit cards to them at the beginning of the day, they would hit the malls and they would buy designer purses and other high-end material, which Chris’ wife would then sell on eBay. So this was the scam for a long time. Max would be stealing stolen dumps from other criminals, giving it to Chris Aragon who would have to scramble to make fake credit cards, give them to his crew, send them out to do shopping – all before the actual crooks that Max stole them from were able to use them. So there were some very frustrated crooks and some very happy hacker and former bank robber.