Operation Card Shop

News outlets throughout the US reported last week about “Operation Card Shop” a series of crimes related to stolen credit card information.. The press release from the US Attorney’s Office for the Southern District of New York is titled Manhattan U.S. Attorney And FBI Assistant Director-In-Charge Announce 24 Arrests In Eight Countries As Part Of International Cyber Crime Takedown. It is clear that this was a big operation. The press release is a very interesting read describing the methods used to catch the alleged criminals and details on their alleged crimes. Since many of these activities are described in Learning Tree’s System and Network Security course and some aren’t, I’d like to mention those here along with the names “carders” (those who steal credit card numbers and/or related information) use for them, according to the press release. Some of the items that were allegedly sold include:

  • “RATS” – remote access tools that allowed keyboard recording (keylogging) and control of a victim’s PC or laptop camera. In this case the keyboard recording tools were claimed to steal usernames and passwords for bank accounts. Interestingly, the reported cost of the tool was USD50, and copies were reportedly sold worldwide.
  • “CVVs” – the “complete” informatoin for a card holder including name, address, sip code, card number, expiration date and the Card Verification Value (the short number printed on the card).
  • “fulls” – all the CVV info, plus Social Security Number, mother’s maiden name and so forth including banking information!
  • “drop services” – places to ship merchandise purchased with stolen cards

One person was arrested for allegedly trying to sell counterfeit credit cards. Another was arrested for “instoring” – using stolen credit information inside a brick and mortar store (instead of online) to purchase merchandise.

So, does this deter me from using credit cards online? No. It appears that most of the credit information was not acquired from individual users, but rather from larger databases. Yes, the RAT software did steal usernames and passwords. Maybe “thousands” of computers were infected with that software. But large databases seem to be a better target. Even offline-only use of the credit card would let the card info be in the database so whether I use my card online or offline in that case is immaterial.

But the RAT keylogger idea does bring up an interesting question: “are keyloggers detected by antivirus and other PC protection software?”  I have not done any testing on particular products, but I do have a few thoughts: first, if one searches for keylogger software, a few products turn up that claim to be undetectable by anti-virus software. The sites for the products claim that they are to be used by parents, CEOs and others who rightfully want to see what computers they own are being used for. It is possible that most or all anti-virus software and maybe personal firewall software will allow that software to run and even store and send out data. Second, bad guys have what are likely more sophisticated tools.

I am hoping that anti-virus vendors soon respond to these news stories claiming that their software would have detected the specific keylogging and camera hijacking tools the US Attorney’s office says were used in these attacks. The FBI notified affected individuals and institutions along the course of this operation. I hope the institutions took advantage of the opportunity to secure their databases further.

John McDermott

Type to search blog.learningtree.com

Do you mean "" ?

Sorry, no results were found for your query.

Please check your spelling and try your search again.