It remains to be seen just how much actual hacking is to be had behind online ID theft and credit card scams - and the details in this story are likely to remain indefinitely unverifiable.
The results of one blogger's recent three-day IRC chat with an alleged Romanian credit card scammer give a peek into just how trivial the process could be.
Much like with the recent, now infamous "Epic Hack" of tech writer Mat Honan (where Amazon and Apple password reset were played off one another to gain account access), it appears that these techniques are performed by using available systems and playing their weaknesses off one another to get a desired result.
The methods are neither elegant nor particularly sophisticated. Still, the bar for entry isn't low enough to admit just anyone: it seems that some scammers will trade stolen identities or credit card information on IRC, but we're told that now most of this business looks to be conducted on a number of underground websites.
Freelance writer Patrick Lambert (Dendory) writes,
The purpose of writing this article isn't to incite anyone to do this, these acts are still obviously against the law, and any investigator that would have the resources and time to dedicate to catching these people could probably do it, but instead it's to show how incredibly widespread it is, and how trivial the whole process appears to be.
The interview underscores the notion that it's not all organized crime networks or malware coders doing the dirty ID deeds, but also fairly ordinary individuals who simply spend around 90% of their efforts in covering their tracks - and have no problem with breaking laws to make easy money.
Overall, the whole process for these people takes just minutes every day, and again, most of the time is spent covering their tracks by creating new accounts, switching to new VPNs, and going to anonymous cash sending and receiving stores, while the actual time spent doing any type of coding or interacting with other hackers is minimal. It's very easy to use, very tempting, and unfortunately, it still seems very low risk for them.
In IRC, Lambert met someone that identified themself as male, under 20, and Romanian who was willing to give select details about his alleged money making scams.
Taking to "d0g" Lambert said,
While some of them will trade stolen identities or full CC info on IRC, now most of that business seems to be done on a large number of underground web sites. This one for example shows a never ending list of items that get sold for as little as $3 each, available to anyone who registers for an account.
"d0g" explained to Lambert that after getting cheap European access to IP's (or getting hooked up otherwise for covering his tracks), the next step was to get money online and into an account (to purchase credit card numbers), and then money can be transferred from reputable entities such as Western Union.
After that, it's simply a matter of buying CC numbers, and then posting items for sale on eBay using fake identities.
Then according to "d0g" it was a matter of online money laundering in a sort of "matchmaking" exchange for goods, but without divulging an address:
(...) The way I was explained is that all he has to do is post ads on eBay for popular items that he doesn't actually have. Then, when someone buys it, he turns around and buys that same item from some online store with the bought CC numbers, and puts the eBay buyer's address as the shipping location.
He makes those stores send the products directly to his buyers, and gets clean cash for them, which he can spend any way he wants. It's a type of online money laundering.
And apparently, the reason why these stolen numbers are sold so cheaply is because a vast majority of them are either already canceled, or maxed out.
The interview concludes before explaining how the money is finally extracted, so we are once again reminded that we'll never know how much of this is true.