Forums selling stolen credit card information - “CVV shops” and “Dumps”

In a recent analysis of Validin, LLC's DNS dataset, we uncovered a cluster of domains and IPs associated with websites selling stolen payment card data. These illicit marketplaces are commonly called "CVV shops" (card number, expiry date and CVV, used for card-not-present fraud) or "dumps" shops (magnetic-stripe track data, used to clone physical cards); "fullz" are full identity packages sold alongside them. We began the investigation when we flagged the name server ns1.kak-prigotovit-spagetti[.]ru, which exhibited the characteristics of fast flux, a technique threat actors use to evade detection and law-enforcement takedowns by rotating the IP addresses behind a name rapidly, sometimes within minutes.

When we crawled these domains we noticed another pattern: most of their page titles included keywords such as "dumps," "CVV," and "buy." Further analysis of the page structure revealed a stronger commonality: every site's registration button linked to the same website, shoploginredirect[.]su, which in turn redirected to dumpkingdom[.]biz. A shared registration endpoint is a much better pivot than keyword overlap alone, since it suggests one back end behind many storefronts rather than unrelated sites using the same jargon. Our subsequent research led us to a Reddit post in which someone advertises the website: <link placeholder>.
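The pivot described above can be scripted over crawl output: parse each page's title and anchors, refang the defanged notation, follow the registration link through a redirect map to its final host, and group storefronts by that host. The following is an added example and not Validin's tooling; the HTML is constructed to stand in for crawl results, the redirect map encodes only the chain named in the text, and the thresholds and keyword list are assumptions.

```python
"""Pivot crawled storefronts on page-title keywords and a shared registration link.

Added example, not Validin code. The HTML below is constructed to stand in
for crawl results; the redirect map encodes the chain the post describes
(shoploginredirect[.]su -> dumpkingdom[.]biz).
"""
from collections import defaultdict
from html.parser import HTMLParser
from urllib.parse import urlsplit

KEYWORDS = ("dumps", "cvv", "fullz", "buy")   # title terms seen across the cluster


def refang(text):
    """Undo report-style defanging so URLs and hosts can be parsed."""
    return text.replace("[.]", ".").replace("hxxp", "http")


class _PageParser(HTMLParser):
    """Collect the <title> text and every <a href> on one page."""

    def __init__(self):
        super().__init__()
        self.title = ""
        self.links = []
        self._in_title = False

    def handle_starttag(self, tag, attrs):
        if tag == "title":
            self._in_title = True
        elif tag == "a":
            href = dict(attrs).get("href")
            if href:
                self.links.append(href)

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title += data


def parse_page(html):
    parser = _PageParser()
    parser.feed(html)
    parser.close()
    return parser.title.strip(), parser.links


def title_keywords(title):
    """Return the cluster keywords present in a title, in KEYWORDS order."""
    lowered = title.lower()
    return tuple(k for k in KEYWORDS if k in lowered)


def final_host(url, redirects, max_hops=5):
    """Follow a host-level redirect map to its terminal host (hop-bounded)."""
    host = urlsplit(refang(url)).hostname
    for _ in range(max_hops):
        nxt = redirects.get(host)
        if nxt is None:
            break
        host = nxt
    return host


def cluster_by_registration_target(pages, redirects):
    """Group domains whose off-site links land on the same final host.

    pages: {domain: html}; redirects: {host: next_host}.
    Returns {final_host: [(domain, keywords), ...]}.
    """
    clusters = defaultdict(set)
    for domain, html in pages.items():
        domain = refang(domain)
        title, links = parse_page(html)
        kws = title_keywords(title)
        for link in links:
            host = urlsplit(refang(link)).hostname
            if host is None or host == domain:
                continue  # relative or same-site link: no pivot value
            clusters[final_host(link, redirects)].add((domain, kws))
    return {target: sorted(members) for target, members in clusters.items()}


def shared_targets(clusters, min_members=2):
    """Keep only targets reached from at least min_members distinct storefronts."""
    return {t: m for t, m in clusters.items() if len(m) >= min_members}


REDIRECTS = {"shoploginredirect.su": "dumpkingdom.biz"}

PAGES = {  # constructed sample crawl: domain names are from the post, the HTML is not
    "dumpscc[.]ru": (
        "<html><head><title>Buy Dumps CVV Fullz</title></head><body>"
        "<a href='/login'>Login</a>"
        "<a href='https://shoploginredirect.su/reg'>Register</a></body></html>"
    ),
    "cvvstorecc[.]ru": (
        "<html><head><title>CVV Store - buy cc</title></head><body>"
        "<a href='hxxps://shoploginredirect[.]su/reg'>Sign up</a></body></html>"
    ),
    "shop.example": (
        "<html><head><title>Example Shop</title></head><body>"
        "<a href='https://accounts.example/register'>Register</a></body></html>"
    ),
}

if __name__ == "__main__":
    hits = shared_targets(cluster_by_registration_target(PAGES, REDIRECTS))
    for target, members in hits.items():
        print(target, "<-", ", ".join(d for d, _ in members))
```

Only the two storefronts whose registration links resolve to dumpkingdom[.]biz end up grouped; the unrelated shop, which links to its own account provider, does not. In practice the redirect map is populated from the crawler's observed 3xx chains rather than hand-written.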

We checked VirusTotal to see how other vendors had classified these domains. Roughly one-third of the currently active domains had been flagged by one or two vendors as suspicious or malicious. That corroborates the malicious nature of the cluster, but the absence of any flag on the remaining two-thirds also shows that the network as a whole has not been exposed: a detection rate of one or two vendors is low enough that most of these domains would pass an ordinary reputation check.

Here is a non-exhaustive list of active domains we discovered (defanged with [.]):

  • bankomatcc[.]ru
  • bilaushopme[.]ru
  • blekcheckerga[.]ru
  • buycvvfullzcom[.]ru
  • carding-forumcc[.]ru
  • cardingstore[.]ru
  • cc-stock[.]ru
  • cc-stockhk[.]ru
  • ccfullzshopcom[.]ru
  • ccst0re[.]ru
  • cvvstorecc[.]ru
  • dumpscc[.]ru
  • dumpshoppin[.]ru
  • feacc18-store[.]ru
  • fullzbuycom[.]ru
  • fullzdumpscc[.]ru
  • fullzinfo[.]ru
  • goodbrocc[.]ru
  • jstash-bazarcm[.]ru
  • king11[.]ru
  • link-kingorg[.]ru
  • loginzcouk[.]ru
  • madstoresk[.]ru
  • mn0g0[.]ru
  • mrwhite-shop[.]org
  • omertacc[.]ru
  • omertawf[.]ru
  • paypalacc[.]ru
  • rdpdedic[.]ru
  • russiancarderscc[.]ru
  • usassndob[.]ru
  • vclubshop-store[.]ru

Identifying Fast Flux

At Validin, we use active DNS collection to gather historical information on internet infrastructure. This gives finer-grained data than passive DNS, allowing us to capture rapidly changing infrastructure that passive collection may never record, since a passive sensor only sees a resolution when a client it observes happens to make one. The first sign of fast flux is swift rotation of IP addresses, sometimes several changes within the same day or twenty-four-hour span. Moreover, these changes often move between a diverse set of hosting companies, which indicates that the domain owners manage the rotation themselves rather than a single hosting provider doing so: a provider's own load balancing or IP reassignment stays within that provider's address space.

In this specific case, our investigation further revealed that the domains were all registered through REGRU (REG.RU) and changed hosting company every few days, alongside almost daily IP changes. Among the recent hosting companies there is a notable concentration of Russian-based entities, including:

  • Cloudx-netv4
  • CloudBackbone
  • MACLOUD
  • RU-VDSINA-20181115
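The two signals described in this section, several distinct IPs inside one twenty-four-hour span and those IPs spread across unrelated hosting providers, can be computed directly from a table of historical resolutions. Below is an added example of such a scorer, not Validin's detection code. The name server is the one named earlier in this post, but the timestamps, IPs (RFC 5737 documentation ranges) and provider labels are constructed for illustration, and the thresholds are assumptions to be calibrated against a baseline of benign CDN and round-robin behaviour.

```python
"""Flag fast-flux candidates from historical DNS observations.

Added example, not Validin's detection code. The observations are constructed:
the name-server name is the one from the post, but the timestamps, IPs
(RFC 5737 documentation ranges) and provider labels are illustrative.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(hours=24)
MIN_IPS_PER_WINDOW = 3        # assumed thresholds; calibrate against your own
MIN_PROVIDERS_PER_WINDOW = 2  # baseline of benign CDN / round-robin behaviour

# (name, observed_at UTC, resolved IP, hosting provider or ASN label)
OBSERVATIONS = [
    ("ns1.kak-prigotovit-spagetti[.]ru", "2023-06-01T00:10", "203.0.113.10", "Cloudx-netv4"),
    ("ns1.kak-prigotovit-spagetti[.]ru", "2023-06-01T06:40", "198.51.100.22", "MACLOUD"),
    ("ns1.kak-prigotovit-spagetti[.]ru", "2023-06-01T13:05", "192.0.2.77", "CloudBackbone"),
    ("ns1.kak-prigotovit-spagetti[.]ru", "2023-06-01T22:30", "203.0.113.45", "RU-VDSINA-20181115"),
    ("ns1.kak-prigotovit-spagetti[.]ru", "2023-06-02T03:15", "198.51.100.9", "MACLOUD"),
    ("ns1.kak-prigotovit-spagetti[.]ru", "2023-06-02T18:50", "192.0.2.130", "Cloudx-netv4"),
    # Control: a stable host on one provider over the same span.
    ("www.example.net", "2023-06-01T00:00", "192.0.2.1", "EXAMPLE-AS"),
    ("www.example.net", "2023-06-01T12:00", "192.0.2.1", "EXAMPLE-AS"),
    ("www.example.net", "2023-06-02T12:00", "192.0.2.1", "EXAMPLE-AS"),
]


def flux_features(observations):
    """Per name: IP and provider diversity overall and in the busiest 24h
    window, plus the median hours between consecutive IP changes."""
    by_name = defaultdict(list)
    for name, ts, ip, provider in observations:
        by_name[name].append((datetime.fromisoformat(ts), ip, provider))

    features = {}
    for name, rows in by_name.items():
        rows.sort()  # chronological; tuples sort on the datetime first
        max_ips = max_providers = 0
        for i, (start, _, _) in enumerate(rows):
            window = [r for r in rows[i:] if r[0] - start <= WINDOW]
            max_ips = max(max_ips, len({r[1] for r in window}))
            max_providers = max(max_providers, len({r[2] for r in window}))
        # Hours between observations where the resolved IP actually changed.
        gaps = sorted(
            (rows[i][0] - rows[i - 1][0]).total_seconds() / 3600
            for i in range(1, len(rows)) if rows[i][1] != rows[i - 1][1]
        )
        features[name] = {
            "distinct_ips": len({r[1] for r in rows}),
            "distinct_providers": len({r[2] for r in rows}),
            "max_ips_24h": max_ips,
            "max_providers_24h": max_providers,
            "median_change_hours": gaps[len(gaps) // 2] if gaps else None,
            "fast_flux": max_ips >= MIN_IPS_PER_WINDOW
            and max_providers >= MIN_PROVIDERS_PER_WINDOW,
        }
    return features


def flux_candidates(observations):
    """Names meeting both thresholds, most volatile first."""
    feats = flux_features(observations)
    return sorted((n for n, f in feats.items() if f["fast_flux"]),
                  key=lambda n: -feats[n]["max_ips_24h"])


if __name__ == "__main__":
    for name, f in flux_features(OBSERVATIONS).items():
        print(name, f)
```

The provider-diversity threshold is what separates fast flux from a CDN or a busy round-robin pool: a CDN will also show many IPs per day, but they sit inside one provider's address space. The constructed name server trips both thresholds (four IPs across four providers in its busiest day, with a median of about six and a half hours between changes), while the single-provider control does not.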

CVV Online Forums and Marketing

A cursory Google search using these terms reveals numerous illicit domains, often misleadingly labeled as "legitimate," some of which are even registered with Google Ads. The same behavior shows up in a Quora post where different users (likely bots) vouch for how legitimate the trade is and recommend the best website to buy from, until someone finally points out that it is illegal. Cybersecurity professionals frequently monitor these forums to gauge what is on offer and in demand in the cybercriminal underground; those insights help them improve their defenses against future attacks.

Conclusion

This cluster of domains is an example of how suspicious infrastructure and DNS activity can be used to identify malicious actors. In this case, we used our fast-flux detection to identify the name server and then pivoted from it through our dataset. Validin's dataset allows quick and deep enrichment of identified IPs and domains, including ownership, crawled web page information, historical DNS, and associated open-source intelligence. Interested in learning more? Contact us.
