Blog

Cybercriminals Abuse Donation Sites for Card Testing

Posted: 23rd September 2021
By: Gemini Advisory

This blog post, initially published on the Gemini Advisory Blog, has been formally migrated to Recorded Future to ensure its continued exploration and insight.

Key Findings

  • When selling stolen payment cards, dark web marketplaces or individual fraudsters often use “testing services”, which allow them to test whether a card is valid for conducting fraudulent activity or whether it has been flagged as stolen.
  • Gemini analysts have uncovered a method in which cybercriminals use nonprofit organizations that accept donations to test a stolen card’s validity. Fraudsters on the dark web recommended different donation sites to test stolen cards, including one actor who provided a tutorial on testing card validity using the Red Cross’ website.
  • High volumes of small-dollar payments can bury merchants under transaction fees, and the cost of mitigating damages post-fraud can be prohibitive. Charities can also be left in the unenviable position of returning donated money to the defrauded individual.
  • The challenges that donation sites pose to financial institutions attempting to monitor card testing activity makes these sites particularly appealing to cybercriminals. Given the viability and discretion of donation sites for card testing, they are likely to remain popular in dark web carding communities.

Background

Often, purchasing stolen payment cards from the dark web is just the first step in a fraudster’s efforts to make illicit purchases. In some cases, the fraudster may have purchased a card that has already been flagged as stolen by the issuing financial institution, barring the fraudster from placing illicit purchases with that card. As a result, dark web marketplaces or individual fraudsters often use “testing services”, which allow them to test whether or not a card is valid for conducting fraudulent activity or whether it has been flagged as stolen.

Some testing services are operated by cybercriminals themselves. These are known as “checkers”, and they come in two forms. The first is transaction-based card testing. This method involves placing a small transaction to verify that a card is active. If the transaction goes through, fraudsters consider the card to be valid.

The second method is authorization-based card testing. This method involves linking a card to an account on an e-commerce, social media, or other site. To link the card, the site conducts a “transaction” for $0.00 that does not appear on the customer’s statement. The card is only linked—or “authorized”—if it is an active card. If the authorization is successful, fraudsters consider the card to be valid.

For example, Joker’s Stash, previously the largest dark web marketplace for compromised payment cards, used the “Try2Check” checker. Try2Check would calculate a “validity rate” among a selection of stolen cards based on how many cards in a sample can successfully place test transactions. Joker’s Stash would then advertise the validity rate to accurately market the cards it sells. 

Gemini has determined that the following cybercriminal checkers are still operational:

  • 4Check
  • Best Check
  • Bit2Check
  • Cardok
  • LuxChecker
  • Paris Checker
  • Try2Check
  • Undefined

Financial institutions routinely monitor for testing activity in an attempt to convert a step in the fraud process into a red flag for card issuers. When successful, this turns cybercriminals’ diligence against them, since the very act of verifying a stolen card’s validity actually alerts the bank that the card was stolen, thus informing the bank to cancel the card. In response, fraudsters have developed more complex ways to conduct testing while circumventing financial institutions’ detection.

In-Depth Analysis

Donation Sites as Testers

Fraudsters are constantly searching for and developing ways to steal money through non-cash payments. They also seek legitimate services that improve the efficiency of carding activities by accurately establishing the validity of the stolen credit card data. Gemini analysts have uncovered a nearly foolproof method in which cybercriminals use nonprofit organizations that accept donations to test a stolen card’s validity. Cybercriminals make donations from stolen payment cards, and if these donations go through, then it confirms the card is valid. Analysts discovered several actors who recommended 20 different sites to test stolen cards, including one actor who provided a tutorial on testing card validity using the Red Cross’ website.

Using donation sites is particularly advantageous to fraudsters because the amount of money and type of merchant involved in these donations often mirrors actual donations. Even for financial institutions that monitor common card testing merchants for small dollar transactions to flag in order to identify stolen payment cards, it can be very difficult to distinguish fraudulent donations from legitimate transactions. As an added benefit, the payment process itself is very straightforward for many donation sites. While certain e-commerce merchants require online accounts or profiles, donation sites often request only the minimum billing information necessary for a transaction.

Image 1: Payment portal for Red Cross donations online.

The Red Cross Abused as a Card Tester

On July 8, 2021, an actor operating under the alias "MS-13" on a mid-tier dark web forum created a thread providing step-by-step instructions on how to abuse the Red Cross’ website to test the validity of a stolen payment card. According to MS-13, to test the validity, cybercriminals need the payment card number, CVV code, expiration date, and a suitable VPN connection (or a SOCKS proxy). Once on the Red Cross site, the cybercriminal directs users to click the "Donate" button, choose to donate once, select the minimum amount of $10, enter credit card details, and then finish the process by clicking the final “Donate” button. If the payment goes through, the card is valid.

Image 2: MS-13’s post on a dark web forum instructs users on how to verify payment card validity through the Red Cross website.

An analysis of activity on other dark web forums from the summer of 2021 revealed that other cybercriminals are also using this technique on the Red Cross’ site, as well as on other donation sites. 

  • June 20, 2021: An actor operating under the alias “cedar” posted to a dark web forum asking for cardable donation sites. This refers to sites where fraudsters can use stolen credit card information in some way, including use as a tester or placing actual payments
  • June 23, 2021: Actor "Временный ник" responded and provided two links, one to the International Red Cross site, www.icrc.org, and the other a link to its US-based site, www.redcross.org
  • July 24, 2021: Actor “Lookingtobuy” pointed out that in the past, cybercriminals used specially designed scripts to test large volumes of cards on the Red Cross website
Additional Donation Sites for Card Testing

Gemini has discovered a specific checker service, “CHK.CARDS”, that “donates” very small amounts of money to a rotating cycle of different merchants. This checker specifically endorsed using a Ugandan non-governmental organization (NGO), the Peace for Paul Foundation, since charities or nonprofits are less likely to be flagged as suspicious. Cybercriminals have advertised additional testers in the past year.

On June 20, 2020, an actor operating under the alias “–•™_Z_e_u_s_™•–” created a thread on a top-tier dark web hacking forum advertising another payment card tester. According to the actor, a fraudster can test a card’s validity through the website of the UK-based international development NGO Global One, which accepts amounts from £1 to £1 million.

Image 3: Z_e_u_s advertises using Global One to validate stolen payment cards.

On November 23, 2020, an actor operating under the alias “Cxkeh” created a thread on this forum advertising a payment card tester. According to the actor, it is possible to test the validity of stolen payment cards through the website of the donation organization AVANCE-Houston.

Image 4: Cxkeh advertises another website viable for card testing.

Fraudsters across numerous dark web forums additionally mentioned the following charitable websites as viable for card testing:

Financial institutions have also detected testing activity at nonprofit organizations such as: 

Best Practices for Detecting Testing Activity

While detecting fraudulent testing activity is important for financial institutions to combat fraud conducted on cards that they issue, it is also important for merchants or charities to detect. High volumes of small-dollar payments can bury merchants under transaction fees, and the cost of mitigating damages post-fraud can be prohibitive. Charities can also be left in the unenviable position of returning donated money to the defrauded individual.

Certain best practices can help merchants or charities, individual cardholders, and financial institutions detect malicious testing activity. The e-commerce site belonging to the merchant or charity can implement 3DS 2.0 on its online payment portal as extra verification, as well as other standard best practices. Individual cardholders must be vigilant about their own accounts and monitor for unfamiliar purchases, including donations. Financial institutions can detect this kind of testing activity by searching for unusual activity related to charitable donations. This includes a sudden influx in donations to the same charity from a variety of different cards, large quantities of small-dollar donations (often under $10) to these charities, and short windows of time during which these donations take place. While fraudsters use donation sites for discrete testing, an informed and dedicated fraud team is capable of detecting illicit activity and canceling the stolen payment cards.

Conclusion

Profiting from stolen payment cards depends upon the cards’ validity, so card testers remain a crucial part of the fraud process. While there are a variety of different methods of card testing, utilizing donation sites remains popular among both individual fraudsters and full-fledged dark web carding services. The challenges that donation sites pose to financial institutions attempting to monitor for testing activity makes sites such as those belonging to the Red Cross, the Make-A-Wish Foundation, GoFundMe, and others particularly appealing to cybercriminals. Given the viability and discretion of donation sites for card testing, they are likely to remain popular in dark web carding communities.

Gemini Advisory Mission Statement

Gemini Advisory provides actionable fraud intelligence to the largest financial organizations in an effort to mitigate ever-growing cyber risks. Our proprietary software utilizes asymmetrical solutions in order to help identify and isolate assets targeted by fraudsters and online criminals in real-time.

Related