
Decoding How Stolen Credit Card Data Is Fenced

Posted on 2014-12-24 14:00:06


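Serious data breaches have come one after another over the past year. The most recent major case is Home Depot (the largest home improvement retailer in the U.S.), where the personal and credit card information of 56 million customers was stolen over a period of five months.

This is the latest instance in a wave of electronic thefts that use sophisticated, cutting-edge technology; earlier victims include Target (the second-largest discount retailer in the U.S.), Neiman Marcus (a high-end department store chain), Michaels (a U.S. and Canadian arts and crafts chain), P.F. Chang's (the largest Chinese restaurant chain in the U.S.) and Supervalu (the third-largest food retailer in the U.S.). As in the other attacks, the suspected culprit in the Home Depot breach is a type of malware known as a RAM scraper. Encrypted credit card data has to be briefly decrypted at the point of sale (POS) to obtain payment authorization, and this software uses that window to steal the data. Since the theft of a large batch of credit card data at Target, incidents of this kind have become increasingly common over the past few months.

Whether it is a RAM scraper, a magnetic-stripe skimmer on a POS terminal, a phishing attack or credit card data stored without adequate security protection, the result is the same: credit card data for millions of people falls into the hands of criminals and is then sold for profit. Through what channels is the credit card data fenced?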

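The basic process:

Several steps lie between the theft of credit card data and its eventual fraudulent use. Generally speaking, the thief is not the end user.

First, a hacker or a team of hackers steals the credit card data electronically. Most thefts of this kind originate in Russia or other Eastern European countries, a region that is the center of the so-called “carding trade.”

Next, brokers (also called re-sellers) buy card numbers and related information in bulk and then trade them on online forums where the carding trade takes place. Hackers may also sell the stolen goods directly on the forums for a higher profit, but that is riskier and more time-consuming than using a broker. These marketplaces are all on the dark web. The dark web is the part of the Internet that search engines do not reach, a place where all kinds of illegal dealings and unsavory characters turn up. The price of stolen data is determined by the following factors:

- The type of card
- The credit limit (if this information is available)
- How much additional information there is (for example, the CVV code and zip code make a stolen card more valuable)
- The cardholder's geographic location (using a stolen card in the same area is less likely to arouse suspicion)
- When the card number first appeared on the black market (i.e., the likelihood that the card number has already been cancelled)

In recent years the price of an individual card has dropped considerably because the amount of stolen card data on the market has surged, but brokers can still increase their income through bulk sales. Even though they are on the dark web, many brokers keep to a code of honor of their own: if card numbers bought from them do not work, they can be exchanged for card numbers of the same type.

The people who buy the stolen card data are called carders. Once they have the data, there are two main ways of misusing it.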

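Two methods of fraudulent use:

(1) Fraudulent purchases made directly in physical stores

(2) Using the stolen card to load a pre-paid credit card, which is then used to buy gift cards for particular merchants (less suspicious than buying general-purpose gift cards)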

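Variant 1 (“Mystery Shopper”): The carder first has to print usable counterfeit cards. Given the credit card data, the card-printing equipment is not very expensive. The carder usually hires one or two people to recruit those who will use the counterfeit cards in stores (sometimes carders do the recruiting themselves). Recruitment is usually done through spam email or classified ads claiming that a “market research project” needs “mystery shoppers” or “undercover shoppers,” or some other seemingly legitimate pretext.

Naturally, the people using the cards are asked to buy goods that are easy to resell. These “mystery shoppers” are asked to send the goods to the recruiter/carder (usually at a secure location such as a vacant office) or directly to a customer who has won the item on the recruiter's/carder's auction listing. If the goods are sent to the recruiter/carder for central handling, he or she will usually sell them on eBay, through classified ads or on an underground trading forum on the dark web.

The people who use the cards as “mystery shoppers” sometimes have no idea that they have become a link in a criminal operation (although sometimes they are knowing, active participants or low-level criminals). They are merely the carriers of the stolen goods, bearing the greatest risk and earning the least in the whole credit card theft process.

You may have seen retailers take the following measure to guard against “mystery shopper” card fraud. Printing counterfeit cards with a unique number on each is too expensive, so a batch of counterfeit cards usually carries the same number on the face, and only the card number on the magnetic stripe differs. So some merchants have the cashier swipe the card and then manually enter the last four digits shown on the face of the card. If what is entered does not match what was read from the magnetic stripe, the card can be confirmed as a fake and the system will decline the payment.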

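Variant 2 (“Re-shipper”): This method does not require printing counterfeit cards. The carder uses the stolen card to load a pre-paid card, which is then used to buy gift cards for particular retailers (such as Amazon and Best Buy). As in the first method, recruiters attract participants through spam email or classified ads. This time, however, they look for people seeking a “work from home opportunity” (especially in the U.S.). Recruiters sometimes even go to the trouble of building a one-to-one relationship with the recruit. The goods bought with the gift cards are shipped to the people who responded to the spam email or classified ads, who then forward them. This is the so-called “work from home opportunity.”

The people who receive the goods bought with gift cards are called “re-shippers.” Recruiters prefer “re-shippers” with U.S. addresses, because a U.S. address is least likely to arouse a retailer's suspicion. Like the “mystery shoppers,” the “re-shippers” are no more than delivery underlings in the credit card theft process. Also like the “mystery shoppers,” the “re-shippers” are asked to forward the goods they receive to the recruiter/carder, or to the customer who bought the goods from the recruiter/carder.

The process sounds somewhat complicated, but after going around this loop of loading a pre-paid card with the stolen card and then buying gift cards, it is hard for merchants to realize what has happened before the goods ship. By the time they work out what is going on, it is usually too late.

English original: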

What Happens to Stolen Credit Card Data?

Reports of high profile data breaches have been hard to miss over the past year. Most recently, it was a breach involving 56 million customers’ personal and credit card information at Home Depot over a five-month period.

This is just the latest volley in a wave of sophisticated high profile electronic thefts including Target, Neiman Marcus, Michaels, P.F. Chang’s and Supervalu. Much like the other attacks, the suspected culprit in the Home Depot data breach is a type of malware called a RAM scraper that effectively steals card data while it’s briefly unencrypted at the point of sale (POS) in order to authorize a given transaction. Reports of this type of attack have become increasingly common in the months since the Target breach.

Whether it’s a RAM scraper or an “older” threat like a physical skimmer placed directly on a POS machine used to swipe a credit or debit card, phishing attack or simply storing customers’ card information insecurely, the result is the same: credit card data for millions of people winds up in the hands of criminals eager to sell it for profit. How does that process unfold? And how can you – or people you know – get sucked into it?

The Basic Process: The journey from initial credit card data theft to fraudulent use of that data to steal goods from other retailers involves multiple layers of transactions. The actual thief taking the card numbers from the victim business’ POS or database doesn’t use it him or herself.

First, a hacker – or a team of them – steals the credit card data electronically. Most of these schemes begin in Russia or other parts of Eastern Europe and much of what you might call the “carding trade” is centered there.

Next, brokers (also referred to as “re-sellers”) buy the stolen card numbers and related information in bulk and trade them in online carding forums. A hacker may also sell the card data directly to keep more of the profits, though that’s more risky and time-consuming than using a broker. These exchanges are found on the dark net (aka the dark web). That’s a part of the Internet you won’t find through Google, where all manner of illegal and unsavory things can take place. Online prices vary depending on:

• The type of card,

• Credit limit (if known),

• How much additional data is available (CVV codes from the backs of cards and associated zip codes make stolen cards more valuable),

• The card owner’s geographic location (a fake card used in the vicinity of the legitimate card holder is less likely to raise suspicion), and

• How recently the cards began appearing in the carding forums (i.e., likelihood of card cancellation).

Prices for the individual cards have come down significantly in the past few years due to the sheer amount of records available, though brokers can still do quite well from bulk sales of card data. Despite being on the dark web, many of the brokers conduct themselves like regular online businesses and will provide replacements or the equivalent of store credit if cards purchased from them don’t work.

The people who buy the card data from the brokers are called “carders.” Once the carders have the stolen card data, there are (at least)…

Two distinct variations on the scam:

1) Physical, in-store purchases using fake credit cards.

2) Stolen card numbers used to charge pre-paid credit cards that are, in turn, used to purchase store-specific gift cards (which are less suspicious than general gift cards) and purchases are made online.

Variant 1 (“Mystery Shopper”): This variation starts with carders printing up the fake credit cards for use in stores. Once they have the stolen card data, the equipment needed to make the fake cards isn’t that expensive. The carder then usually works with one or more recruiters to find people to use the fake cards (though a carder may do the recruiting him or herself). The enticement to get people to use the fake cards will generally be in the form of email spam and ads in Craigslist or similar sites offering easy money to be a “mystery shopper” or “secret shopper” as part of a “marketing study” or some other semi-plausible justification.

Not surprisingly, the items purchased tend to have high resale value. After the physical purchases are made, the “mystery shopper” can either send items to the recruiter/carder (generally via a secure drop site like a vacant office) or directly to someone who has “purchased” an item via an auction site in response to a posting from the recruiter/carder. If sent straight to the carder, he or she then auctions the items directly on eBay, Craigslist or an underground forum on the dark web.

The people who actually make the purchases with the fake cards may have no clue what they’re involved in (though sometimes they’re active participants in the scheme or simply low-level criminals looking to use the cards for themselves). They are effectively the “drug mules” of the credit card scam, taking the most risk and getting paid the least.

You’ve probably seen one step retailers take to try and stop in-person card fraud. On a counterfeit credit card, the numbers on the magnetic strip and the front of the card generally don’t match – it’s too expensive to create individual fakes. Some retailers have their personnel type in the last four digits on the physical card into the register after the card is swiped. If the numbers don’t match, the card is rejected as a fake.
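The last-four check described above, sketched as register-side logic (an added example, not from the original article). It assumes the swipe yields a Track 2 string in the ISO/IEC 7813 layout; the function names, return values and sample card numbers are constructed for illustration, using well-known test PANs.

```python
import re

# ISO/IEC 7813 Track 2: ;PAN=YYMM + 3-digit service code + discretionary data?
TRACK2 = re.compile(r"^;(\d{12,19})=(\d{4})(\d{3})(\d*)\?$")


def luhn_ok(pan: str) -> bool:
    """Luhn checksum: catches misreads and typos, not counterfeits."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def check_swipe(track2: str, typed_last4: str) -> str:
    """Compare the stripe PAN's last four digits with what the cashier
    typed from the card face. Returns 'accept', 'reject_mismatch' or
    'reject_unreadable'. Never log the full PAN from here."""
    m = TRACK2.match(track2.strip())
    if not m or not luhn_ok(m.group(1)):
        return "reject_unreadable"      # bad read: re-swipe, do not guess
    if not re.fullmatch(r"\d{4}", typed_last4):
        return "reject_unreadable"      # cashier entry is not four digits
    if m.group(1)[-4:] == typed_last4:
        return "accept"
    # Stripe and embossed face disagree: the pattern the article describes
    # for batch-printed fakes that share one face number.
    return "reject_mismatch"


# Constructed samples: a genuine card, and a fake whose face ends in 1111
# but whose stripe encodes a different number.
GENUINE = ";4111111111111111=29121010000000000?"
RE_ENCODED = ";4012888888881881=29121010000000000?"

if __name__ == "__main__":
    for track, typed in ((GENUINE, "1111"), (RE_ENCODED, "1111")):
        print(typed, check_swipe(track, typed))
```

The Luhn step only filters bad reads; the decision that flags a counterfeit is the comparison between the stripe and the digits on the card face.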

Variant 2 (“Re-shipping”): Rather than making physical cards, in this variation carders use the stolen card data to purchase pre-paid credit cards that are then used to buy store-specific gift cards (Amazon, Best Buy, etc.). Like the “mystery shopper” scheme, recruiters typically use ads and spam emails to entice people, though this time it’s people (especially in the U.S.) seeking “work from home” promises. Sometimes the recruiters will employ a more personalized approach, even going so far as to start a fake “relationship” with the intended target. Then – wait, there’s more – the gift cards are used to purchase items online and those items are shipped to the people responding to the ads, spam or “relationship” overtures. That’s where the “work from home” angle comes in.

The people initially receiving the packages directly from an online retailer are called “re-shippers.” People in the United States are used because U.S.-based addresses raise fewer red flags with the retailers. Like the “mystery shoppers,” the re-shippers are the drug mules here (and they are sometimes referred to as “money mules” or “shipping mules”). And, as with the “mystery shopper” scheme, re-shippers can either send items to the recruiter/carder or directly to someone who has “purchased” the item through an auction site.

While this may sound a little convoluted, the shell game-like nature of using one card to buy another and then another makes it more difficult for stores to catch onto this scheme before the purchase has already been made and shipped out. After that, it’s generally too late.

Translator: starshack | Original author: Scott Aurnou | via: yeeyan


