Carding, phishing and skimming: what is it and how to protect your funds?

Carder

In April, the Ministry of Internal Affairs of the Russian Federation announced the arrest of a group of people who sent messages to citizens with information about blocking a card and a number to call to unblock it. The attackers learned from the victims their personal data and card details, after which they got access to the funds.

Fraudulent schemes are constantly changing. According to the FinCERT survey, the volume of unauthorized transactions made using payment cards issued in the Russian Federation in 2018 amounted to 1.4 billion rubles, which is 44% more than last year. According to the Prosecutor General's Office, the number of cybercrimes detected in Russia has grown almost 16 times over six years, to 174,000 (this also includes illegal transactions with cards).
It is important for owners to remain vigilant and not fall for the tricks of scammers. Let's figure out what types of carding you can face and how to protect your funds.

Carding

The term carding refers to fraudulent transactions with payment cards (card details) that are not approved by the cardholder. Carding involves a variety of ways to defraud the rightful owner of material assets.
Alexey Sizov, head of the anti-fraud department of the Center for Applied Security Systems Jet Infosystems, identifies three basic directions of fraudulent activities:
  1. Theft or illegal receipt of a card is either a physical impact on the owner, or a search for vulnerabilities in the process of issuing, delivering or registering a banking product and using the card by an attacker.
  2. Compromise of card data for the subsequent manufacture of a forgery. First of all, we are talking about copying the data of the magnetic stripe of the card and stealing the PIN code. This type of fraud was most widespread before the massive transfer of cards to chip technology. Today, such a scheme is rare, since in Russia about three years ago, a ban on the issuance of non-chip cards was introduced, and Chip Liability Shift operates almost all over the world - the acquiring bank's obligation to service a card with a chip is based on the chip.
  3. Compromise of card details for CNP transactions (without the presence of the card). A striking example is paying for purchases or services on the Internet.
The ultimate goal of criminals in all cases is to gain access to money. To implement their plans, fraudsters invent very cunning schemes, often taking advantage of the credulity and inattention of citizens. One of the popular ways to fool the owner of the card is phishing.

Phishing

Phishing (from the English "fishing") literally means fishing for card details from the cardholder. It is noteworthy that the owner himself hands over the necessary data. Typically, fraudsters resort to several types of phishing.

SMS phishing

A message is sent to the phone:
  • about the card being blocked, allegedly on behalf of the bank, with a phone number to call to solve the problem;
  • about the winnings, which can be collected by paying for delivery.
There are a lot of SMS phishing variations, but they all boil down to an offer to transfer card data. In such cases, you need to be vigilant.
If you receive information about the blocking, you should call the bank at the official number, and clarify the authenticity of the message about the win by contacting the store or service holding the promotion.

Internet phishing

Fraudsters create phishing (fake) pages that imitate the official websites of banks, payment services or stores, changing a few letters or signs in the name. Alas, not everyone carefully checks the web address, boldly clicking on the link.
Often, cybercriminals lure you to phishing sites by sending fake emails that appear to come from bank technical support, for example, about blocking a card. Under the pretext of checking information about the holder, they ask you to enter all the details, and once they have them, they freely gain access to the money. They also steal data under the cover of selling goods.
Before leaving the card details on the site, you need to carefully check the web address with the official name of the store, service or payment system, and also check the links on the page: if the resource is phishing, most likely they do not work. When you need to use the website of a credit institution, it is better to immediately refer to the official list posted on the website of the Central Bank.

Vishing

Vishing (from "voice phishing") is identical to phishing, with the only difference that cybercriminals call on the phone, posing as bank employees, buyers of goods, and so on, trying to trick the holder into giving up the PIN code or to force him to perform certain actions with the account.
The cardholder should remember that bank employees do not ask for the PIN code, and if the card is blocked, they will most likely offer to come to the office in person. Buyers of goods, in principle, do not need to know confidential information about the merchant's card, so requests for such information should be alarming.

Skimming

Another method actively used by scammers is skimming. Skimming is the copying of payment card data using a special device (skimmer). The card data is read when the cardholder inserts it into the ATM. To obtain a PIN code, attackers install mini cameras or keyboards.

https://psm7.com/how-to/ostorozhno-skimming-kak-ne-stat-zhertvoj-bankomatnyx-moshennikov.html

Shimming

Shimming is a modernized form of skimming. The scheme of deception is similar: all important data is read from the cards inserted into the ATM, the only difference is that there are no visual signs of the presence of a shim inside the device.
Fraudsters, instead of very bulky and visually noticeable overlays on the card reader, use a thin, flexible, almost invisible device that is located inside the card reader. It reads the card data later used by attackers.

Fake ATMs

Sometimes fraudsters create fake ATMs and leave them in unguarded locations. Such devices outwardly completely copy the real ones, but the "filling" contains a built-in computer with a system installed on it, a skimmer and keyboard overlays. The victim inserts the card, tries to perform some action, but the ATM issues an error. The person takes the card, but all information has already been read from it.
You can fall for the bait of intruders not only by using an ATM, but also by paying with a card, say, in restaurants or shops. The algorithm is similar: a waiter, salesperson, or cashier can use a skimmer or a portable device attached to the terminal.
You can protect yourself from skimming if you use ATM machines located in bank branches. The level of protection in credit institutions is several times higher, and it is much more difficult to install readers there.
When there is no way to go to the branch, try to choose ATMs located under cameras, in protected places. Visually check the device, say, the cover on the card reader: if it is wobbling, it means that something is wrong with it. When paying with a card, make sure that no one photographs its data on a phone.

Embedded viruses

In this case, intruders introduce a program into an electronic device (phone, computer) that can read card data. Such viruses can transmit to scammers information that the user has entered into an Internet browser: logins and passwords from social networks, Internet banks, electronic wallets, various sites, and so on.
A malicious program can get on a phone or laptop by accident, disguised as another program that was inadvertently downloaded from an email or from an unverified website.
To avoid deception, it is important to update the antivirus on time and use only licensed software.

Protection methods

The list of the described types of fraud is not exhaustive. Alexey Sizov, head of the anti-fraud department of the Center for Applied Security Systems Jet Infosystems, notes that among the fraudulent schemes there are:
  1. The use of card details to gain access to other products, for example, RBS or online lending, where information about the card, recent transactions, and even more so confirmation codes and passport data are sufficient information to change passwords in an online or mobile bank and perform other manipulations with accounts.
  2. Theft of funds from contactless cards. This scheme made a lot of noise some time ago, but no large losses were recorded, and one can hardly expect significant problems in this direction.
Deception schemes have only improved over time. Naturally, banks themselves are actively fighting against cybercriminals.

Alexey Sizov
Jet Infosystems

“Fraud is fought by specialized anti-fraud monitoring systems that monitor the behavior of cards (a set of characteristics in terms of the number of transactions, amounts, location and type of transactions). Such systems have become mandatory since 2003-2004, when monitoring requirements appeared on the part of the international payment systems Visa and Mastercard.
In addition to automated systems, the technology of "chip" cards made a great contribution to security, which almost completely ruled out the possibility of effective cloning. In addition, banks are constantly involved in the control of key processes for the issuance of cards, their remote delivery and others, which is actually related to the tasks of identification and authentication of the holder in person or remotely.”
However, not only banks, but also the cardholders themselves must take precautions. Alena Tsyganova, senior legal counsel at the Alta Via consulting company, advises everyone who cares about the safety of their funds to follow a few simple rules:
  1. Store the PIN code, as well as the data for entering the Internet Bank (login, password, verification words or special codes) in a safe place, and best of all, in your memory.
  2. Do not disclose card details and one-time SMS passwords to third parties to confirm transactions.
  3. Be discreet when shopping online. Use only verified and official sites. Goods / services on unfamiliar sites at clearly understated prices should alert you. And also choose ATMs located in bank offices or large shopping centers with video surveillance.
Alexey Sizov recommends that you carefully study the notifications from the bank about the transactions being performed, use a separate card for payment on the Internet, set daily limits (if the bank provides such an opportunity) and not keep all savings on one card account.
If it was still not possible to save the money, Alena Tsyganova recommends that you immediately contact the bank with a statement of disagreement with the operations performed (clause 11 of article 9 of the Federal Law No. 161-FZ), as well as the police.
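The address check recommended under "Internet phishing" in the post above, as an added example that is not part of the original thread: it compares a link's host with an allowlist of official domains and flags hosts that differ by a few characters, embed the official name, or use non-ASCII look-alike letters. The domains are constructed, and taking the last two labels as the registrable domain is a simplifying assumption (a production check would use the Public Suffix List).

```python
from urllib.parse import urlsplit

# Constructed allowlist (assumption): registrable domains taken from an official list.
OFFICIAL = ("examplebank.ru", "examplepay.com")

_DIGITS = str.maketrans("0135", "oles")  # digits commonly swapped in for letters


def fold(name):
    """Collapse common look-alike substitutions, e.g. 'examp1e' and 'exarnple'."""
    return name.translate(_DIGITS).replace("rn", "m").replace("vv", "w")


def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url, official=OFFICIAL):
    """Return 'official', 'idn', 'embedded-brand', 'lookalike', 'unknown' or 'invalid'."""
    try:
        host = urlsplit(url).hostname
    except ValueError:
        return "invalid"
    if not host:
        return "invalid"
    host = host.rstrip(".")
    # Exact match or a subdomain of an official domain.
    if any(host == d or host.endswith("." + d) for d in official):
        return "official"
    labels = host.split(".")
    # Non-ASCII letters or punycode labels can imitate Latin characters.
    if not host.isascii() or any(label.startswith("xn--") for label in labels):
        return "idn"
    # Official name used as leading labels of some other domain.
    if any(host.startswith(d + ".") or f".{d}." in host for d in official):
        return "embedded-brand"
    # Naive registrable domain: last two labels (assumption, see lead-in).
    reg = fold(".".join(labels[-2:]))
    for d in official:
        limit = 1 if len(d) < 8 else 2  # short names tolerate fewer edits
        if edit_distance(reg, fold(d)) <= limit:
            return "lookalike"
    return "unknown"
```

Anything other than "official" means the address should be typed in by hand from the bank's own materials rather than followed from the message.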

Carding 4 Carders


Types of phishing


What is it?
Phishing is a type of email distribution under the name of a popular brand or social network administration. The goal is to get encrypted user data.
This is a subspecies of social engineering that relies on users' poor knowledge of Internet security.

In practice, I have encountered three types of phishing:
  • Online - using an identical design and a similar domain;
  • Mail - creating emails with a fake string on behalf of any organization;
  • Combined - designing a fake site where a person must enter all the information themselves.
Most of the techniques are limited to distributing masked links.

A common trick is to use images instead of text. The security systems of some web resources do not recognize spam or threats in them. This way you can bypass the lock. But now there are servers that scan text on an image. This complicates our task.

Today, several types of phishing have appeared:

Vishing is the use of Internet telephony to transfer bank funds to malicious accounts. The essence is quite simple: the fraudster calls from an unknown number, confuses the client, and at the end asks for confirmation of the data - account number, password, code word, PIN code, etc.

Smishing - fraud by SMS. The phone receives a message supposedly from the bank or the site administrator. The victim is asked to go to the specified web resource and enter data for initialization.

Pharming - this method involves replacing the DNS address. When clicking on the "original" address, the user is redirected to the fake page. It is very difficult to recognize a fake in this case.

The most common form of phishing at the moment is mass mailing. It's effective because it doesn't have a specific purpose. If the attack is directed at one person, they may simply have doubts and not go to the fake page. This means that there will be no result. But when a large group of people is attacked, someone is bound to get caught.

How is it applied?
I want to explain the method to you:
  • The hacker sends the victim an email with a link to a fake site;
  • The victim goes to;
  • Enters all personal data without suspecting anything;
  • The attacker gets the information, and someone else's page is in his hands.
A fake site must be an exact copy of the original one, so that the person does not suspect anything. The domain must also be similar to the original one. For example: vk.com - inf.vk.com.

An important role in this operation is played by the email containing the link. It should be appropriately designed to inspire confidence. They often send a message under the guise of administration. Use prepositions such as:
  • Your page will be frozen;
  • Suspicious activity detected on your page;
  • Go through re-identification to secure your account.
In addition, they send messages on behalf of banks, well-known companies, or with offers to buy something at a discount.

Example:
"In our online store today discounts up to 60%! Have time to buy products at ridiculous prices! To get a discount coupon for all products of the store, just log in to the site via the social network and log in to your personal account!".

The secret of success is in the email that the hacker sends. It carries a large semantic load, so it should be as convincing as possible for the user. You should take a closer look at the style of letters from the administration. You can't make mistakes, it will immediately give out a fake. It is necessary to use strong arguments so that the user enters all the data without hesitation.

How can I help you?

The method is quite simple, but does it bring results? Let's discuss what it can give us:
  • Personal data (username and password) of a specific person;
  • Information for filling in a special database that is created for the purpose of subsequent sales;
  • Information about Bank cards;
  • Access to other people's accounts.
However, it should be noted that 100% of the result is not worth waiting for. Especially if you need a specific person's password. Not everyone is careless about information security. Even if you follow all the necessary precautions, a person may not click on the link. But the technique will work if it is aimed at a person who is ignorant and poorly versed in social networks. Some people also go to the address due to inattention.

Advantages of this method:
  • Easy to use, even a beginner can handle it;
  • This method is still quite effective, especially if you do mass mailing;
  • No programming skills required;
  • With a responsible attitude, the probability of a positive outcome increases.

Disadvantages:
  • Efficiency has been declining in recent years due to user awareness;
  • Social media security systems recognize phishing emails as spam and block them;
  • The method may not bring the expected result;
  • Information security filters can detect a fake site and remove it.
The method is becoming more sophisticated every day, changing, and taking on new forms. But the security systems of social networks also do not stand still. Therefore, when using this method of extracting information, think carefully about the strategy of actions.
 

Carding


Theft of $ 8 million over the weekend


Recently, all the news was blaring about a group that specialized in skimming.
I think many people know what skimming is. These are special pads that are attached to the ATM. The ATM is working normally, but the card passes through this overlay, while remembering your card details. This information is called a dump. Later, the hacker uses a completely legal card Reader to roll up your dump on a dummy card and withdraw all the money from your card.

A Russian group that specialized in skimming devices has already been detained in a suburban dacha. There was a dacha, something like a training camp, and it even had its own ATM for training. The guys got down to business with great enthusiasm. The amount of stolen funds is about 5 million dollars, an impressive amount, only over the weekend the guys managed, according to media reports, to steal more than 8 million rubles. These guys are usually looking for is not the usual police... Yes, and it is worth considering a slightly different side, rather moral.

There are different types of skimmers. There are some that transmit information over Wi-Fi. In case of suspicion, the hacker will not go to pick up the skimmer, but will leave it there. And there are some that need to be removed in order to get dumps.

There are many methods of ATM fraud, but this is the only one that is dangerous to the average user. Now skimming is actively developing, this is especially evident on shadow resources, where the brain of the operation is looking for so-called partners. Such equipment costs from $ 1,000 to $ 5,000, depending on the configuration.

Let's look at the main signs of a skimmer, as well as how to protect yourself from it.
In addition to the fact that attackers will copy your dump from the card, they need to find out the pin code. To do this, a mini-camera is attached to the ATM, which records keystrokes on the keyboard. Or the second option, an overhead keyboard is installed. It looks exactly like this:

[Image: overlay keyboard on an ATM]


Before using the ATM, make a visual check that there are no unnecessary fasteners on the ATM. When entering the pin code, cover it with your hand. Before entering the pin code, make sure that the keyboard is real, just try to move it several times from the edge.

This is what the overlay for inserting a card looks like:
[Image: overlay on the ATM card slot]


Before using it, pull the card input. Within reason, of course, you should not try to pull it out. The skimmer itself is not attached with instant glue, so it will not be a problem to remove it, so before using it, conduct testing.
  • Pull the entrance
  • Try to move the keyboard
  • Cover with the other hand when entering the pin code.

There is another popular method of embezzlement.
This is the use of an additional bar that interferes with cash withdrawal. It looks something like this:
[Image: additional bar over the ATM cash dispenser]


You tried to withdraw money from an ATM, but, however, you didn't receive it and went on your way, calling the bank. Further actions, I think, are clear. Scammers will approach and take your cash.
In this situation, in any case, do not leave the ATM and immediately call the bank.

Top 5 rules for protecting against fraudsters:
  • Use a card with a chip
  • When using the ATM, make sure that there are no foreign objects.
  • When entering the pin code, cover it with your hand
  • Use ATMs that are located in a bank branch
  • Use SMS notification