Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
Check out the new SourceForge HTML5 internet speed test! No Flash necessary and runs on all devices. ×
Security Crime

Cybercriminals Learning To Filter Out Undercover Cops (krebsonsecurity.com) 63

An anonymous reader writes: Credit card numbers are constantly being stolen, but the people who take them don't usually use them. Instead, they sell them to others who will. Many cards are traded at online forums and markets. Law enforcement investigators know this, and they use these forums to gather intelligence on breaches. But Brian Krebs writes that one of the biggest markets, Rescator, has implemented methods to screen out suspected law enforcement agents. Krebs says of a law enforcement source of his: "The criminals running the fraud shop seized his carding store account and bitcoin balance after the pig alert flashed on my source's screen — effectively stealing hundreds of taxpayer dollars directly from the authorities. .. I found his case fascinating and yet another example of the growing sophistication of large-scale cybercrime operations."
This discussion has been archived. No new comments can be posted.

Cybercriminals Learning To Filter Out Undercover Cops

Comments Filter:
  • by TWX ( 665546 ) on Tuesday December 08, 2015 @07:18PM (#51085025)

    Krebs says of a law enforcement source of his: "The criminals running the fraud shop seized his carding store account and bitcoin balance after the pig alert flashed on my source's screen — effectively stealing hundreds of taxpayer dollars directly from the authorities..."

    I think it's hilarious that the angle they took was the seizing of the police's resources committed to the transaction system. The point wasn't to steal the police's resources, that was a drop in the bucket compared to the size of the operation. The point was to prevent the suspected law enforcement agency from continuing to play and to preserve the information that might be linked with the account to use that information to help spot other law enforcement accounts.

    If anything, the lack of size of the law enforcement operation was probably the initial red flag. Sure, actual criminals will start out small too, but usually an unwillingness to go all-in is a warning flag. Flat out, usually the, "good guys," have limits on their behavior either because they're attempting to do as little harm as possible or being limited in funding since they're not actually running a criminal for-profit enterprise, or a combination thereof.

    It'll probably take a turned-insider to break this stuff. That's what it usually takes. Actually find a person involved, use the carrot-and-stick approach to give them reduced charges or some degree of immunity in exchange for breaking the organization from within, and let that person both take the risks associated with data collection and give them time to build up enough information to make further prosecution possible.

    • I think it would have been funnier if the cop had called the support line to get his account unlocked. That's one conversation I would like to hear.
  • amateurs (Score:5, Insightful)

    by Anonymous Coward on Tuesday December 08, 2015 @07:28PM (#51085089)

    When you detect the unwanted customer, don't block them ... sell them randomized fake CC info. Their evil genius is weak sauce.

  • by k6mfw ( 1182893 ) on Tuesday December 08, 2015 @08:25PM (#51085329)
    Maybe have it such that taking a credit card number is not as easy as getting a number. Let me explain: Someone commented getting a credit card even using someone else's name and address, all you have to do is fill out a form and put down a bunch of numbers. Unlike getting a car, you have to show them that it is really you is you getting the car. But I guess credit cards are becoming more commonplace (damned as I see someone buying lousy cup of coffee for $1.25 with their credit card), so with more of these but less of honest jobs that pay a livable wage only bound to have more credit card number thefts.
    • But I guess credit cards are becoming more commonplace (damned as I see someone buying lousy cup of coffee for $1.25

      Yeah, so? You should be able to make small purchases with them, because the real costs to provide the service are 1) reliably communicate an almost vanishingly small amount of data over a vast network that is mostly used for streaming video, 2) production of the cards themselves.

      Why should you have to carry cash around and make change and carry that any more if you don't want to? Because some people don't get finances and will overspend, therefore all uses of credit cards are irresponsible?

      • by AmiMoJo ( 196126 )

        Stored value cards are better for that use case. No loan so no need for a credit check, you just load them up front with cash and then spend. No need to handle loss of the card like credit cards do for fraud prevention; it's essentially the same as losing cash.

        Such cards are also somewhat anonymous, in that the card ID isn't tied to an individual and cards can easily be shared or traded.

        • You must be using a really crappy card issuer. I've had my cards comprised and all I have to do is give them a call that takes at most 2 minutes(or it can be done through the website) and they always eat any unauthorized transactions and send out a new card Next day air. So there is zero risk and I end up with thousands of dollars in points every year that I wouldn't get with a prepaid card also I can use my card to rent cars and other things that can't be done with a prepaid card.
    • by rtb61 ( 674572 )

      Credit card fraud is an easy problem to solve, one simple solution. Gather biometrics of the purchaser at point of sale or product receipt (for online sales). Fraudulent purchase and they have given themselves away and even if they use a gullible mule, that mule will turn them in. So easiest way to gather biometric data, require a finger print on a seal able adhesive material along with a photo, that is kept and turned in at end of shift and stored (you gain the print and skin cells and an image of the per

    • I live in northern Europe. I never carry cash around. Stores and coffee shops don't want to handle cash. They want me to pay by card. And I want to pay by card, using chip and PIN, because that is safer for me than carrying around cash.

      I can't even pay for the bus in my town using cash. There was one attempted robbery of a bus driver, and all buses went cashless overnight.

    • damned as I see someone buying lousy cup of coffee for $1.25 with their credit card

      I think this insinuates that people are using credit for small things because they lack funds, but there's plenty of other good reasons for this. I don't carry a lot of cash, particularly small change. I'm Canadian so mine might vary from yours a bit:
      a) In Canada, small change ($0.5, $0.10, $0.25, $1.00, $2.00) comes in the form of coins. These are heavy, bulky, and frankly most wallets don't even have a coin purse in them an

  • by mythosaz ( 572040 ) on Tuesday December 08, 2015 @08:46PM (#51085407)

    ....exactly what countermeasures beyond them mentioning they used to use IP range blacklists, exactly?

    Where are the details?

    This is like some old story about a guy he used to know who did some thing one time...

    • by PPH ( 736903 )

      Perhaps they have blacklisted some Bitcoin based upon its previous seizure by law enforcement.

  • Immature Terminology (Score:5, Interesting)

    by Dominare ( 856385 ) on Tuesday December 08, 2015 @09:22PM (#51085571)
    Okay, I know this is off topic and I apologize, but can we agree that its time to stop calling them "Cybercriminals"? It's not 1997 anymore and internet-enabled devices are deeply integrated into most aspects of all our lives - they're just criminals.

    I'm serious by the way, this isn't an attempt to be funny. Appending the cyber- prefix automatically sets them apart and I think that's a bad thing. They're thieves, and we already have plenty of words for those.

    • by mysidia ( 191772 ) on Tuesday December 08, 2015 @11:45PM (#51086275)

      Okay, I know this is off topic and I apologize, but can we agree that its time to stop calling them "Cybercriminals"?

      These people are called cybercriminals to provide information about what kind of criminals they are; it doesn't mean they are to be looked at as privileged or special; You don't call a serial killer just a "criminal"; These people who deal in batches of stolen credit card or social security numbers for mortgage or Tax Refund fraud are much worse than common criminals, just like you refer to criminals who are serial killers differently than you refer to muggers or jaywalkers. A thief probably only robs from a few people, cybercriminals are "Mass Thieves", and the penalties should be more severe --- they are criminals that use what the average person would consider technically sophisticated methods or tools involving the abuse of technology as a fundamental aspect in the commission of their crimes.....

      They are not thieves in the traditional sense, other than their intention is essentially to get money they have not earned, E.g. those selling copies of other peoples' credit card numbers, And their chance at a profit is supported by another criminal's expectation of using those numbers to defraud banks out of $$$, but some of these criminals are also referred to as frausters and identity thieves.

      • by N1AK ( 864906 )
        Then use fraudsters, hackers, identity thieves or whatever better characterises their crimes. Someone who, for example sells illegal drugs online rather than by phone, is a drug dealer and the moniker cyber-criminal is far to vague.
        • Cyber drug dealers.

        • by mysidia ( 191772 )

          Someone who, for example sells illegal drugs online rather than by phone, is a drug dealer

          It's not cybercrime for some guy to be selling illegal drugs online. The guy already broke the law in the real world, and the actual exchange will definitely occur in the real world (If he he/she is indeed selling), the online / website type platform is just a communication channel.

          That's like suggesting that if he used a telephone to make the deal, that it would be a phone crime.

          It's not (But there really a

  • by Anonymous Coward

    Unfortunately, this is just horrible. It doesn't even help the little guy who cannot himself check through the forums and have to wait for second-third hand information to stop this nonsense.

  • by Anonymous Coward

    civil forfeiture? lol

    or should this have another name?

    and ironically this presents the same problems for the 'legitimate' clientele who now have to be worried about being falsely 'forfeited'.

  • Essentially this boils down to the police lack the skills and sophistication of the people they're trying to stop, and in the process they're getting their asses handed to them and losing the money they have as bait.

    You have to admire the audacity, but you can't go around thinking law enforcement has the right skillset to fight these people on their own turf.

    In an ever on-going arms race, the bad guys are more numerous, likely have more resources and time, and are quite motivated.

    I mean, it's not like in th

The test of intelligent tinkering is to save all the parts. -- Aldo Leopold

Working...