For as long as con artists have been with us, so too have opportunistic thieves who specialize in ripping off other con artists. This is the story of several Pakistani Web site makers who apparently have made an impressive living impersonating some of the most popular and well-known “carding” markets, or online shops that sell stolen credit cards.
One very popular carding site that has been featured in depth at KrebsOnSecurity — Joker’s Stash — brags that the countless credit and debit card records for sale via its service were stolen from retailers firsthand.
That is, the people running Joker’s Stash say they are hacking retailers and directly selling card data stolen from those merchants. Joker’s Stash has been tied to many recent retail breaches, including those at Saks Fifth Avenue, Lord and Taylor, Bebe Stores, Hilton Hotels, Jason’s Deli, Whole Foods, Chipotle and Sonic. Indeed, with most of these breaches, the first sign that any of the companies had been hacked was when their customers’ bank cards began turning up for sale on Joker’s Stash.
Joker’s Stash maintains a presence on several cybercrime forums, and its owners use those forum accounts to remind prospective customers that its Web site — jokerstashdotbazar — is the only way in to the marketplace.
The administrators constantly warn buyers to be aware that there are many look-alike shops set up to steal logins to the real Joker’s Stash or to make off with any funds deposited with the impostor carding shop as a prerequisite to shopping there.
But that didn’t stop a prominent security researcher (not this author) from recently plunking down $100 in bitcoin at a site he thought was run by Joker’s Stash (jokersstashdotsu). Instead, the proprietors of the impostor site said the minimum deposit for viewing stolen card data in the marketplace had gone up to $200 in bitcoin.
The researcher, who asked not to be named, said he obliged with an additional $100 bitcoin deposit, only to find that his username and password to the card shop no longer worked. He’d been conned by scammers scamming scammers.
As it happens, just before hearing from this researcher I’d received a mountain of research from Jett Chapman, another security researcher who swore he’d unmasked the real-world identity of the people behind the Joker’s Stash carding empire.
Chapman’s research, detailed in a 57-page report shared with KrebsOnSecurity, pivoted off of public information leading from the same jokersstashdotsu that scammed my researcher friend.
“I have gone to some cybercrime forums where individuals who have used jokersstashdotsu have been confused about who they really were,” Chapman said. “Most of them left feedback stating they are scammers who will just ask for money to deposit on the webpage jokerstash, and then you may never hear from them again.”
But the conclusion of Chapman’s report — that somehow jokersstashdotsu was linked to the actual criminals running Joker’s Stash — didn’t ring completely accurate, although it was expertly documented and thoroughly researched. So with Chapman’s blessing, I shared his report with both the researcher who’d been scammed and a law enforcement source who’d been monitoring Joker’s Stash.
Both confirmed my suspicions: Chapman had uncovered a large network of sites registered and set up over many years to impersonate some of the biggest and longest-running criminal bank card theft syndicates on the Internet.