An introduction to eCommerce fraud in the travel industry: carding

Nethone observed that fraudsters increased eCommerce fraud attacks on travel industry businesses during the pandemic. We also noticed an expansion in the availability of “carding” resources. This points to a direct connection between the content of fraudster tutorials and the types of scams that are perpetrated. So we’ll define the jargon used in an actual carding tutorial from a darknet criminal forum, shedding light on fraud in the travel industry.

Travel has been a favourite target of fraudsters for some time now, and its popularity didn’t decline during the COVID-19 pandemic. Nethone observed that fraud in the travel industry increased during the pandemic. The relevant metric is called “% of transaction attempts with signals triggered.” Even with decreased overall transaction volume, the traffic with signals has almost doubled.

A signal is an observation regarding a user session that has inherently negative/suspicious characteristics and has a clear interpretation (i.e. 'Virtual Machine', 'User-Agent spoofing', 'Tor Network'). Nethone Guard is currently able to identify almost 100 signals and the list is growing.

Nethone has also noticed an expansion in the availability of carding resources. Carding isn’t the most “sophisticated” fraud, but it has become so much easier to get into even for casual newbies thanks to widely available tutorials on the Darknet, the Clearnet, and even Youtube. Carding used to be restricted to dedicated practitioners and devotees of the darkweb, but in the last year the pool of users has grown. The bottom line is that Carding has become product-ized, consumerized, even commodified allowing the emergence of a new breed of “casual carder.”

Of course COVID has been a force multiplier of eCommerce expansion and accompanying online fraud.

Today we’re going to look at an example of a carding tutorial. They’re step by step instructions on how to use stolen credit card information to buy goods and services. Let’s dig into a travel-targeted carding tutorial to see what we can learn. We have found that the study of fraudster tutorials pays off rather quickly -- there is a pretty clear connection between what is taught in tutorials posted to carder forums and the fraud techniques that are actually used to attack businesses in the subsequent months.

First off, what is carding fraud? Let’s turn to Nethone’s Fraudster Dictionary for definition help:

Carding is a process of using stolen credit cards to make a purchase. Fraudsters who use this technique are called carders. There are two different types of carding: real and virtual. In the first one, the carder uses a forged credit card – a plastic card with loaded data from a stolen credit card. This fraud is also called in-store carding. The second type of carding is a virtual one and doesn’t require a physical item but just its data: number, validation date and security code. Virtual carding is easier than in-store for several reasons:

• everything is done online
• the carder can card shops from all around the world
• no special equipment is needed to load data on physical credit cards
• less risk -- when something goes wrong with the transaction, it is only cancelled, and the card is burned
• Fraudsters increasingly prefer virtual carding to the in-store variety. It is the virtual form of carding that concerns us here today.

Let’s take a look at an airlines/flight carding tutorial. We spotted it in a darkweb forum for criminals and blanked out a few things because although we want to discuss carding tutorials, we don’t necessarily want to provide a complete tutorial.

Let’s define the jargon that is used in the tutorial.

Vbv stands for “verified by Visa.” A related term is “mscs,” which means “MasterCard Secure.” Fraudsters never use the phrase “3D security” for that type of payment protection. They always use the acronym “mscs” for Mastercards or “vbv” for Visa cards. One of the basic characteristics of stolen credit cards sold in the darkweb is the piece of information whether the given card is vbv/mscs or is no-vbv/mscs. Presence or absence of such protection changes the carder’s tactics in card usage. Carding with mscs or vbv requires much more knowledge and effort, while no-vbv and no-mscs are much easier in carding.

So “buy a good cc non vbv” means purchase stolen credit card information from a “vendor” that sells individual credit cards and batches on the darknet or Clearnet. Forums have lists of such vendors, or a newbie can just turn to Twitter, Telegram, Discord, or atshop to find others.

The tutorial also recommends “Use ccleaner.” CCleaner is a helpful (and legal) tool for carders to clean their browsing history, cookies, temp files, etc. It isn’t some exclusive tool for online criminals (although there are a number of those available)... It’s actually widely available to consumers. According to the CCleaner web site, “Advertisers and websites track your behavior online with cookies that stay on your computer. CCleaner erases your browser search history and cookies so any internet browsing you do stays confidential and your identity remains anonymous.”

Another tool mentioned in the tutorial is “MAC address changer.” MAC stands for Media Access Control. It is the unique address of every Network Interface Card or Controller (NIC).A MAC address changer allows you to change the MAC address of an NIC instantly. You can see why this would be useful to carders that are trying to cover their tracks. The NIC allows computers to communicate over a computer network, either by using cables or wirelessly. The NIC is both a physical layer and data link layer device, as it provides physical access to a networking medium and, for IEEE 802 and similar networks, provides a low-level addressing system through the use of MAC addresses that are uniquely assigned to network interfaces.

• The tutorial tells the user to “First like.” We are constantly surprised by how out in the open a lot of fraudsters operate, even on Clearnet social media platforms. They don’t hide in the shadows; these “vendors” sell stolen credit card numbers and accounts (for ATO) openly and compete for “likes.”
• Carding is pretty straightforward. The “tools” for carding are easy to acquire.
• There are good reasons why carding grows in popularity: COVID led to sharp growth in ecommerce activity. A lot of first-time internet users started to make big purchases online during 2020. There are a lot of newbie carders out there due to economic hardships brought on by the pandemic. Buying goods and services for a fraction of the price becomes much more attractive during difficult times.
• Fraudsters are open with their tutorials and methods. It's a big sharing community, but of course the quality of the tutorials differs.
• Fraudsters know your company’s security holes better than you do in some cases, and share the info with others.

We actually got our start in the anti-fraud software business thanks to companies from the travel industry, which were early adopters of our Machine Learning-based anti-fraud SaaS solution. So we’d like to give back because the travel industry has been hit hard by the pandemic.

Nethone wants to give back and would like to offer its anti-fraud solution (including dedicated Data Scientists’ support) to members of the travel industry at-cost (just covering the cost of technical infrastructure) until the situation of the sector is back on track. You will be paired with a dedicated Data Scientist to help you maintain, build the ML predictive models and create ground-breaking fraud prevention strategies. We’ll help you prevent fraud and increase your approval rate by 23%, as we already did for eDestinos (here’s the case study).

For more detailed information contact Hubert Rachwalski, Nethone CEO [hubert.rachwalski@nethone.com, LI profile]