6 Nov 2014

Why your credit cards aren’t as safe as you think

Where does a cybercriminal go to fence their virtual stolen goods? This seemingly simple question leads down a rabbit hole of hacker hangouts, sun-soaked islands and criminals who think they’re beyond the reach of the law.

As Channel 4 News has discovered, Rescator.cc is a giant store of stolen credit card information, freely accessible to anyone who wants to buy (using the virtual currency bitcoin).

It fulfils a vital role in the cybercrime economy: hackers who’ve successfully raided websites for card info can sell it to Rescator, who then sell it on to those who want to commit fraud. Some of those fraudsters will, in turn, commit hacking offences. And so it goes on.

The site provides an anonymous contact for instant messaging, and it’s this method that put me in touch with the site’s owners. I raised the possibility that the site is being used as a “honey trap” by law enforcement, who are gathering details of its users.

Rescator’s owner not only refuted that, but insisted that its users are “virtually untraceable” if they operate wisely. What’s fascinating about our exchange is that the site’s owner at no point seemed to feel that they might be a target for law enforcement themselves; clearly they feel safe.

Rescator does not allow you to search for your name among its millions of stolen credit cards. So how do you protect against fraud?
– Carry out regular credit checks which will flag up credit card fraud
– Consider having two cards: one for online purchases, one for “real world” (that way if one card gets compromised you’re not left cardless)
– Consider using a top-up or pre-paid card for online shopping; that way your losses are limited if something goes wrong

Obviously we have no firm information on where those behind the operation are based. The language used online is a mix of English and Russian, and Rescator contains links to a Russian-English hacker hangout called Lampedusa Republic. But regardless of the language they use, the crooks could be based anywhere in the world.

Verisign, the giant US tech company that oversees the .cc internet addresses, says it will only act against Rescator after a lawful court order: one imagines that wouldn’t be too difficult to get. But even if Verisign pulls the plug on the .cc site, Rescator proudly boasts of duplicate sites at other internet addresses. Shutting the site down may not be that easy.

Follow @geoffwhite247 on Twitter