For provided that fraud artists have existed so too have opportunistic robbers who specialize in pulling down other fraud artists. This is the history about a small grouping of Pakistani Web page developers who apparently have created an impressive living impersonating a number of the most used and well known “carding” markets, or online retailers that provide taken credit cards.
One quite common carding website that has been featured in-depth at KrebsOnSecurity — Joker’s Deposit — brags that the an incredible number of credit and debit card accounts on the market via their service were stolen from vendors firsthand.
That is, individuals operating Joker’s Stash claim they’re hacking retailers and straight offering card information stolen from these merchants. Joker’s Deposit has been tied a number of new retail breaches, including these at Saks Sixth Avenue, Lord and Taylor, Bebe Stores, Hilton Lodges, Jason’s Deli, Full Meals, Chipotle and Sonic. Certainly, with most of these breaches, the first signals that any of the organizations were hacked was when their customers’credit cards started showing up for sale on Joker’s Stash.
Joker’s Deposit retains a presence on a few cybercrime forums, and its owners use those community accounts to tell potential customers that its Site — jokerstashdotbazar — is the only path into the marketplace.
The administrators continually advise consumers to keep yourself informed there are many look-alike shops collection as much as grab logins to the true Joker’s Stash or to make down with any funds transferred with the impostor carding shop as a prerequisite to searching there.
But that did not stop a prominent safety researcher (not that author) from recently plunking down $100 in bitcoin at a site he thought was work by Joker’s Deposit (jokerstash). Alternatively, the masters of the impostor website claimed the minimal deposit for viewing taken card knowledge on the marketplace had risen up to $200 in bitcoin.
The researcher, who requested never to be called, claimed he obliged with an additional $100 bitcoin deposit, only to get that his username and code to the card store no further worked. He’d been fooled by scammers conning scammers.
As it happens, prior to hearing using this researcher I’d obtained a mountain of study from Jett Chapman, another protection researcher who swore he’d unmasked the real-world identification of the folks behind the Joker’s Stash carding empire.
Chapman’s research, step by step in a 57-page report distributed to KrebsOnSecurity, pivoted away from community information major from the exact same jokersstashdotsu that cheated my researcher friend.
“I have removed to a couple cybercrime boards wherever people who have used jokersstashdotsu that were confused about who they really were,” Chapman said. “Many of them left feedback saying they’re scammers who’ll only question for cash to deposit on the webpage, and then you might never hear from their store again.”
But the final outcome of Chapman’s report — that somehow jokersstashdotsu was linked to the real thieves operating Joker’s Stash — didn’t ring entirely accurate, though it was properly noted and totally researched. So with Chapman’s blessing, I distributed his record with the researcher who’d been scammed and a police source who’d been tracking Joker’s Stash.
Equally established my suspicions: Chapman had uncovered a large system of internet sites documented and put up around many years to impersonate a number of the greatest and longest-running offender credit card robbery syndicates on the Internet.