For so long as con artists have been with us so too have opportunistic robbers who concentrate in pulling down other scam artists. This is the story about a small grouping of Pakistani Web page makers who apparently have produced an impressive living impersonating some of the most used and popular “carding” markets, or online stores that offer stolen credit cards.
One extremely popular carding site that has been included in-depth at KrebsOnSecurity — Joker’s Deposit — brags that the an incredible number of credit and debit card reports available via their service were stolen from retailers firsthand.
That is, the people running Joker’s Stash state they’re coughing vendors and immediately offering card knowledge stolen from these merchants. jokerstash Deposit has been linked to many new retail breaches, including these at Saks Sixth Avenue, Lord and Taylor, Bebe Stores, Hilton Accommodations, Jason’s Deli, Whole Ingredients, Chipotle and Sonic. Certainly, with these types of breaches, the very first signs that some of the organizations were hacked was when their customers’charge cards began arriving available on Joker’s Stash.
Joker’s Deposit maintains a presence on a few cybercrime boards, and its homeowners use these community reports to remind potential consumers that its Internet site — jokerstashdotbazar — is the only path into the marketplace.
The administrators constantly advise consumers to keep yourself informed there are lots of look-alike shops set up to steal logins to the actual Joker’s Stash or to create off with any resources settled with the impostor carding shop as a prerequisite to shopping there.
But that did not stop a outstanding safety researcher (not this author) from lately plunking down $100 in bitcoin at a niche site he thought was run by Joker’s Deposit (jokersstashdotsu). Instead, the entrepreneurs of the impostor website said the minimal deposit for watching stolen card data on the market had risen up to $200 in bitcoin.
The researcher, who asked not to be called, claimed he obliged by having an additional $100 bitcoin deposit, only to find that his username and code to the card store no longer worked. He’d been fooled by scammers conning scammers.
As it occurs, just before reading from this researcher I’d acquired a hill of research from Jett Chapman, yet another security researcher who swore he’d unmasked the real-world identity of the folks behind the Joker’s Stash carding empire.
Chapman’s study, comprehensive in a 57-page record shared with KrebsOnSecurity, pivoted from community information primary from exactly the same jokersstashdotsu that scammed my researcher friend.
“I’ve gone to some cybercrime boards wherever individuals who have used jokersstashdotsu that were puzzled about who they really were,” Chapman said. “Many of them left feedback expressing they’re scammers who will only ask for cash to deposit on the webpage, and then you may never hear from their store again.”
But in conclusion of Chapman’s record — that somehow jokersstashdotsu was related to the true criminals running Joker’s Deposit — didn’t ring fully accurate, although it was professionally documented and carefully researched. So with Chapman’s blessing, I provided his report with both researcher who’d been scammed and a police supply who’d been checking Joker’s Stash.
Equally established my suspicions: Chapman had unearthed a huge network of websites documented and set up around several years to impersonate a number of the greatest and longest-running criminal charge card robbery syndicates on the Internet.