SecTor Speaker Shows How Credit Card Thieves Get Caught

Credit card theft is a common digital crime, but there are a few ways law enforcement tracks down carders, a Nuix consultant says.

Catching carders

TORONTO—Credit card theft continues to be among the most common and widespread forms of digital crime. Speaking at the SecTor security conference here Oct. 22, Grayson Lenik, principal security consultant at Nuix, outlined how these credit card thieves—known as "carders"—operate and how they eventually get caught.

The world of carders is a highly hierarchical one of carding forums and carding groups. The business of credit card theft is discussed and taught in these online carding forums, which are sites that provide users with information and tools on how to steal credit card numbers. Lenik noted that one of the most popular carding forums is a site called Carding Mafia, though he suspects that most of site's viewers are law enforcement professionals looking to track down thieves and obtain information.

"Probably 70 percent of the users are law enforcement at this point," Lenik said.

In terms of how carding groups operate, there is an organizational hierarchy in place. At the top is the leadership—the people who actually own the carding forums and write the malware that is used to steal user information. Lenik said it's unlikely that leadership of carding groups is a state-sponsored activity, though he noted that carding might well be state condoned in certain countries, such as Russia, for example.

Underneath the carding leadership are the middlemen, who keep the carding forums full with fresh dumps of credit card information and credentials. The middlemen in turn employ the services of what are known as "money mules," who are essentially the common criminals of the carding world.

"Money mules are people looking to make a quick buck," Lenik said.

Getting Caught

When carders do get caught, several common reasons why and how may factor in, Lenik said.

The first reason is laziness. Some carders hold the misplaced belief that they won't get caught, and that false sense of security leads them to not taking the necessary precautions to hide their locations or identities, Lenik said. Lazy activities that lead to carders being caught include hacking from home, not using some form of anonymizing service and hard-coding their IP addresses in malware.

Carders can also get caught by virtue of bad luck. For example, a carder might be stopped by police officer for a traffic violation and the officer sees carding equipment in the car. Lenik also said carders who have been caught often will give up their accomplices and other members of their group in order to receive a better deal from law enforcement.

Use of social media is another way carders can be caught. Lenik said he has seen carders post things to their Facebook or Twitter accounts that reveal information about where they are going. That information sometimes can be used by law enforcement officials to track down the carder.

The Carder Who Loved Me

One particularly interesting case of how a carder was apprehended involved a law enforcement professional who was working undercover in the carding world. The female agent befriended a carder and over time developed a relationship. As the relationship matured, the female agent convinced the carder to come to Las Vegas to marry her.

Once the carder arrived in the United States, he was apprehended. However, that wasn't the end of the story. The agent took her carder "fiancé" to various locations in Las Vegas and took pictures of both of them at various landmarks, and later posted the photos on social media. The agent then invited the carder's friends to come to the wedding in Las Vegas. In total, Lenik said, four people were arrested after traveling to Las Vegas for the wedding.

Sean Michael Kerner is a senior editor at eWEEK and Follow him on Twitter @TechJournalist

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.