SOCA shuts down network of CVV sellers' carder sites

The Serious Organised Crime Agency shut down 36 CVV sellers who were selling stolen credit card and banking credentials to buyers around the world.

The Serious Organised Crime Agency (SOCA), working in collaboration with the FBI and the US Ministry of Justice, has shut down 36 major CVV sellers’ websites that were trading in stolen credit card details and online banking credentials. SOCA says the closures will reduce international fraud by more than £500 million a year.

This approach makes sense since it can help eliminate a swath of criminal activity while potentially scaring others from filling the void.

Rob Rachwald,

The carder sites acted as online marketplaces for stolen card data, using e-commerce platforms known as Automated Vending Carts (AVCs) to collect the card data from criminals and then resell the account details to buyers around the world.

SOCA, the UK national police agency whose auspices include fraud and computer crime, said it has been tracking the development of AVCs and monitoring their use for some time. Over a two-year period, it worked with the FBI in the US, the BKA in Germany, the KLPD in the Netherlands, the Ukraine Ministry of Internal Affairs, the Australian Federal Police and the Romanian National Police, to recover more than 2.5 million cards and credentials of compromised personal and financial information. It said the recovered data has been passed to UK and overseas financial institutions to help prevent further fraud from taking place against the accounts.

Earlier this week, SOCA arrested two men suspected of making large-scale purchases of stolen data from the sites. In addition, the UK’s Dedicated Cheque & Plastic Crime Unit (DCPCU) seized a number of computers suspected of being used to facilitate related Fraud Act offences. The Macedonian Ministry of Interior Cyber Crime Unit, acting on information supplied by SOCA, arrested an AVC operator based in Macedonia.

“This operation is an excellent example of the level of international cooperation being focused on tackling online fraud,” said Lee Miles, head of cyber operations for SOCA, in a prepared statement.

At this time, website visitors who access any of the 36 seized CVV sellers' sites see a notice that says, “The United States Government has seized this domain name pursuant to a seizure warrant issued by the United States District Court… If you registered this domain name, or otherwise claim an ownership interest in this domain name, you should consult an attorney about your rights.”

CVV sellers shut down by SOCA

One of the affected operators, CVV Plaza, marketed its illegal wares with a video it placed on YouTube. (The CVV Plaza name refers to the card verification value, or CVV code, that is used to validate credit cards.) The CVV Plaza video shows how slick and professional some of the operators were. The video featured a representative who asked viewers: “Are you tired of looking through legit CVV websites with low-quality cards and low balance (sic)? Search no more. CVV Plaza has hand-picked cards with high balances and high valid rates, and our starting prices are as low as one dollar a card.” She then went on to promise a money-back guarantee if the purchased card turned out to be invalid.

"Cybercrime is very much on the agenda of governments and businesses alike, and cross industry cooperation is bearing fruits,” said Neira Jones, head of payment security for Barclaycard in the UK. “We cannot stress enough the need to deploy information security practices, in particular when it comes to cardholder information. Cardholder information is very valuable to criminals and it is our collective duty to ensure its protection."

Mathieu Gorge, CEO for Dublin-based consultancy VigiTrust, welcomed the high level of co-operation between different police forces, but warned against complacency. "The fact that 36 sites have been shut down is a welcome boost for the fight against fraud,” Gorge said. "The reality, though, is that new sites may already have been set up. It is not unusual for these sites to be up for a short period of time under one name, only to see similar sites appear under a different name as soon as the initial sites get shut down."

Gorge said the case underlines the need for merchants and service providers to "ensure they comply with the requirements of PCI DSS to protect card holder data and prevent it from ending up on sites where the data can be sold for a couple of pounds."

Writing on Sophos’ Naked Security blog, Graham Cluley, senior security consultant with Sophos, welcomed the swift response of the law enforcement agencies. “We should all be grateful that the authorities are taking action against those who are turning cybercrime into such a significant underground industry,” Cluley said.

The view was echoed by Rob Rachwald, director of security strategy for security vendor Imperva. “Although hacktivism has gotten a ton of attention in recent months, for-profit hacking continues at a costly rate and taking these sites offline is a serious blow [to the hackers],” Rachwald said in a written statement. “Now a network of carder sites is paralysed.”

Rachwald likened SOCA’s operation to the LulzSec arrests in the US. “Law enforcement seems to be conducting arrests in batches - arresting or suspending criminal gangs as a network versus individually," Rachwald said in the statement. "This approach makes sense since it can help eliminate a swath of criminal activity while potentially scaring others from filling the void.”

Read more on Data breach incident management and recovery

Data Center
Data Management