Carding Forum – What is a Credit Card Fraud Forum

What Is a Carding Forum?

A carding forum is an illegal website dedicated to sharing stolen credit card information. The forum usually includes credit card information that has been illegally obtained.  There is also a discussion board in which members of the forum may share techniques used in obtaining credit card information.  The primary objective is to exchange information and technical savvy about the illicit trade of stolen credit or debit card account information.

A carding forum is a place to share stolen credit card information and discuss methods on how to steal card information.  Carding forums primarily focus on ways that individuals can verify stolen credit card information.  “Fullz” is a term used for a complete credit card profile of information needed for a thief to make a purchase using the stolen card. These forums enable criminals to quickly distribute compromised information and to profit from its subsequent fraudulent use.

How a Carding Forum Works

When an individual or group steals credit or debit card numbers, it is not immediately clear whether the number and identifying information will work if used for other transactions. For example, if stolen, the cardholder may have already canceled their cards, or the debit card account may contain insufficient funds. In these two examples, the card data would be worthless. The credit card thief needs to verify that the card information is valid in order to be able to use the card for fraudulent purchases.

Additional Financial Information

Carding forums primarily focus on ways that individuals can verify stolen credit card information. They may even offer advice.  For example, suggest that the stolen cards be used to make small transactions.  Small purchases are unlikely to trigger a warning to the rightful cardholder. Most perpetrators initially verify the information by attempting to make small test purchases that the legitimate cardholder is not likely to notice. Then, they can make larger subsequent purchases until the fraud is detected by the cardholder or credit card company.

Or, they may advise transactions to be made at a business or venue that does not immediately process the card transaction.  Carding forums are ultimately used by thieves who want to use stolen card information to make purchases.  Sometimes organized crime groups look to purchase bulk stolen card numbers. These thieves may then solicit buyers on the forum, or move their offers for sale to black markets on the dark web.  Bulk credit card information can sell for hundreds to thousands of dollars.

Credit and debit card numbers that have been verified through carding techniques that obtain them directly from cardholders by tricking them into giving up their own information are referred to as “phishing”. Thieves will typically sell this information to other parties, who will ultimately use this information to make fraudulent purchases. (Source: investopedia.com)

Carding Forum Example Transaction

The details are split by country and or type of card and sold on to wholesalers. The information available may include much more than just the cc details.  Other financial information may include the pin number, billing address, date of birth, and mother’s maiden name.  In other words, enough information to enable the account to be taken over completely.  It is even possible to create entirely new accounts and change billing addresses.

Dumps Vendor

For example, Johanne Smythe’s details together with many others are purchased by a person based in Eastern Europe. He is known as a dumps vendor. These forums bring together a number of specialists. Wholesalers can sell their credit card details, buyers can avail themselves of a number of specialist services, account balances can be checked or equipment purchased to enable a counterfeit card to be produced. The site administrators will provide an escrow service so that both buyer and seller can trade in confidence. Others will provide tutorials on various aspects of fraud; others will offer services such as addresses where goods purchased on the internet can be sent

The Eastern European dumps vendor advertises on the carding forum.  Eventually, he sells Johanne Smythe’s details to a Moldovan living in London. The Moldovian then uses the information to purchase a laptop which he has sent to a ‘drop’ address. The person operating the drop address will then send it to the Moldovan.  Or, he will sell it on eBay giving the Moldovan a percentage of the sale price.

Who are the Players on a Carding Forum?

Think of carding forums like an eBay for cybercriminals and hackers. Here is a look at the parties typically involved:

• Forum Operators act as the middleman or marketplace operator—like eBay, except this is illegal.
• Hackers are the sellers here – They break into computer networks and steal credit card and payment data. They want to sell it and make a profit for their time and the risk they took. They list it for sale on a carding forum.
• Cybercriminals are the buyers – Criminals of all types use the anonymity of the Dark Web to buy this stolen financial data. They might buy a few records, or they might buy 10,000.
• There are no guarantees – Many of the carding forums allow buyers and sellers to rate each other. There’s no honor among thieves, but there are online reviews.

How a Carding Attack Works

A carding attack typically follows these steps:

• Stolen credit card numbers – An attacker obtains a list of stolen credit card numbers, either from a criminal marketplace or by compromising a website or payment channel. Their quality is often unknown.
• Automated attack – The attacker deploys a bot to perform small purchases on multiple payment sites. Each attempt tests a card number against a merchant’s payment processes to identify valid card details.
• Validation – Credit card validation is attempted thousands of times until it yields validated credit card details. Successful card numbers are organized into a separate list and used for other criminal activity, or sold to organized crime rings.
• Rinse and repeat – Carding fraud often goes undetected by the cardholder until it is too late when their funds are spent or transferred without their consent.

Carding Forum and Identity Theft 

Complete credit card information, called “fullz” includes everything a fraudster would need to impersonate somebody.  They can then use the ill-gotten credit card information to make purchases online or in-person. Often carding forums are hidden online behind the dark web using TOR routing.  Transactions of credit card information are carried out with privacy-focused cryptocurrencies such as Monero or Zcash to cover the users’ tracks. Carding forum users also often go by aliases or “handles,” instead of using their real names or other identifying information.

However, there is good news. Card issuers are using enhanced security features like chip cards to help combat credit card theft. As a result, it is becoming more difficult to use stolen card information. Particularly, with the introduction of chip-and-PIN credit cards, as well as improved electronic security fraud countermeasures. There are still locations that do not process credit or debit transactions immediately, but these are rare. Most point-of-sale terminals require an immediate electronic approval response.

How to Protect Yourself Against a Carding Forum

In short, be smart about where you shop online.  Only provide your credit card information only to reputable retailers. Businesses are equally concerned by the fraud associated with carding forums.  The data breaches directly impact their reputation and ultimately profits. Thus, most larger retailers have implemented a multi-part payment process to verify transactions and filter out fraud. This includes the common ‘CAPTCHA’ which attempts to confirm human input.  The objective is to prevent automated scripts from processing batches of fraudulent card numbers.

The credit card industry is fighting back. Chip, RFID, and PIN-enabled cards as well as heightened electronic countermeasures have made stealing credit card information more difficult for would-be thieves. However, as prevention methods become more sophisticated, so do the criminals.  However, despite the best countermeasures, even the largest companies are susceptible to data breaches that release your credit and financial information across the dark web.