"Evolution has also had much faster pageload times than competitors, most of whom
run painfully slowly thanks to Tor’s process of routing web traffic among random-
ly chosen computers around the world. (Just how Evolution managed those speeds de-
spite running on Tor itself isn’t clear.)"
I can't really investigate myself currently and I've never visited but is anyone here know if/why Evolution is faster?
A very interesting equilibrium too. As law enforcement increases the risk premium of running a drug market, rational markets need to compensate for that increased risk by diversifying into more lucrative activities, which in this case means adding more "evil" goods to the market.
The interesting part is that it further enables LEOs to further justify a drug war that is increasingly seen as unjustified by tying it to other law enforcement activities.
I recently took a look at Evolution's fraud offerings, as I do anti-fraud work for an online company and was curious to see where the masses of fraudsters I deal with were getting their CC number and bank account info from.
It's actually pretty incredible; I was expecting to see simple "dumps" of CC info and bank login credentials, but it was much more sophisticated. Sellers were offering "packages" that would include bank login information (priced according to account balance), lists of IP addresses that were known to be flagged, SSNs and address information to help with security questions, and guides for how to best use this information.
Definitely seems like it'd be easy for a criminal with a little tech know-how to make a full time job of buying and exploiting this info. Based on the prices I saw, it would only take one successful fraudulent transaction out of many attempts for it to be profitable.
There are far FAR too many CC numbers available out there and when you consider the work needed to find a viable one, not to mention the legal issues resulting from this...it's pretty clear why they are so "cheap".
It's pretty comparable to the current stolen iPhone market(assuming iCloud locked), as they are basically a paperweight in that configuration, which makes them a "traders" commodity of sorts. Much like this, I've seen CC "packages" used as a sort of commodity, where the partners aren't as much interested in using the CCs, as they are merely selling them off later.
Risk. The payoffs are there but if the account info is changed or you get caught, you lose big. That's why they're selling them rather than cashing out.
When you REALLY look into how the carding operations work. All the major banks backends are compromised, constantly. They simply "zero" any liability to the government.
But how do you turn those credentials into cash, ideally cash that wouldn't get you arrested if deposited into a checking account? (I have no plans to do this, but I'm curious.)
It seems like the common route is to to purchase expensive items and resell them, but you take a big hit on the value. Plus if you do this too much, more and more things are very trackable -- any computer/phone/tablet is covered with unique ids that can be tracked, so too can craigslist ads -- should you ever get big enough to be worth the hassle. Am I wrong?
Bank xfers they will transfer to a cashing service, somebody willing to use fake identity to open business accounts to receive stolen funds and show up in person to a bank to withdraw it, then pay back a percentage to whoever sent the funds via bitcoins or other method. A good fraudster will ddos the bank after the transfer(s) to prevent the mark from logging into online banking and discovering the fraud.
Credit cards they make their own fake stores by the hundreds and pay themselves small amounts, or they do instore fraud which is extremely risky. In the UK they simply card Tesco and then sell the groceries half price. Can also fraud bitcoins now as services exist to buy small amounts. None of this is easy, profits aren't huge it's all very small time unless you're the guy getting and selling the data to the legions of petty hustlers worldwide.
Evolution is primarily resellers too, the majority of org fraud is on Russian forums like infraud.cc where they sell by bank identification number and entire databases of stolen financial data.
How "immoral" is it really, facilitating the sale of stolen CC info? Clearly, it is a bad thing to do. But it seems to me that the CC companies are at least as much to blame for having such a crappy system. Anti-fraud is one of the few things that they can point at as justifying their exorbitant fees for sending a couple of packets. The fact is, their system allows fraud and they are not doing anything about it.
Given that stolen credit cards create a lot of headaches for the people who actually use the credit cards, I'd say it's pretty immoral.
(Yes, yes, the CC companies are on the hook for it, and you're not liable for any money charged to a stolen card, etc., etc., but it doesn't make it pleasant. It's stressful.)
> (Yes, yes, the CC companies are on the hook for it, and you're not liable for any money charged to a stolen card, etc., etc., but it doesn't make it pleasant. It's stressful.)
I think this really depends on who you are. I find it pretty entertaining every time and enjoy trying to figure out where it was, knowing full well I just bitch at the bank and have little to no issue replacing the card.
The CC companies pass it down to the retailers in terms of transaction fees, who in turn pass it down to the consumers.
It doesn't matter whether your card gets stolen or not. It doesn't matter whether you even have a credit card or not. Everyone is paying for the cost of credit card fraud in one way or another. Even people who only pay with cash still bear the burden of credit card fraud, since they're still paying the credit-card-fee-inclusive price (unless they only shop at retailers with cash discounts).
Theya re doing something about it, which is why chip-and-pin will become the norm in the Us in the next couple of years. From October 2015 liability falls on whoever is the weakest link in the security chain, so get used to online vendors demanding a lot more personal info from you so they don't get left holding the bag.
>From October 2015 liability falls on whoever is the weakest link in the security chain, so get used to online vendors demanding a lot more personal info from you so they don't get left holding the bag.
Merchants are already 'holding the bag'... if they accept a fraudulent card for an order, the bank simply reverses the charge (and the merchant eats whatever they lost filling the order). So how does this change anything?
POS counterfeit fraud is one type of fraud.. but it's hardly all fraud, and it doesn't apply to online transactions (there's no POS involved in an online transaction).
If chip and pin gets anywhere in the US, it'll be because of association requirements, not because they've pushed responsibility for one minute type of fraud on to merchants.
I'd say they are more culpable. They have created a payments system that demands that merchants trust them without reservation, and failed to back that up with technology that makes them unassailably trustworthy.
Then, when the fraud inevitably occurs--the crime as old as money itself--the credit card provider disclaims responsibility and places the onus upon the merchant.
The banking industry should arguably be a larger employer of top-tier cryptographers and cryptanalysts than the espionage and counter-espionage industry, but instead we get half-assed schemes from them like "How about we just print a secret code on the back of the card and don't write it to the magnetic strip?" Well, your helpful waiter then just swipes the card with his skimmer and photographs both sides before selling the info down the chain of fraud.
This is why new tech like digital blockchain currencies are coming into existence. The banks simply are not providing the level of service commensurate with the fees charged, and people are latching on to any available alternative, no matter how much it stinks, just because it is an alternative. Paypal, hawala, eGold, Bitcoin, Rixty, or whatever. People simply don't want to be vulnerable to a replay attack on their bank accounts. The market for credit card numbers and associated personal data would not exist if the issuers had a truly secure means of validating identity and authorizing payments instead of the hand-wavey pretend-secure system they already have in place on thousands of point-of-sale terminals.
What is immoral is all the regulation around it that forbids new credit card companies from entering the playing field.
That's why now, instead of the existing companies fixing the mechanisms that allow for fraud to take place, they can afford to ignore that market signal (that their product has a bug) by forcing their customers to pay for it (the retailers, who in turn force their customers, us, to pay for it).
This is how, in very real terms, the lack of competition literally hurts everyone, by making everyone pay for thieves, instead of making just incompetent private companies (trying to compete in this market) pay for it.
Just a reminder that the hidden wiki is, indeed, a wiki. People can go in there and change the onion link to a fraud site such as the ones referenced in the article. Since onion addresses are not nearly as memorable as domain names this is actually a pretty big problem.
Presumably they are smart enough to operate in a jurisdiction where the law enforcement agencies are more of a strategic partner rather than an operational risk. Given the guy running it is a former carder, and Krebs seems to think that all carders are Ukrainian or Russian, perhaps Evolution is based out there? If so that would make it pretty hard for the FBI I suspect.
I did wonder why you couldn't set up silk road 3 in eg russia and merely avoid selling drugs into russia. No tor required, and you can stick your middle finger up to the US/EU authorities. Though you probably have to be willing to never leave Russia ever...
37 comments
[ 5.8 ms ] story [ 87.0 ms ] threadA sort of natural selection that favors more evil apparently.
The interesting part is that it further enables LEOs to further justify a drug war that is increasingly seen as unjustified by tying it to other law enforcement activities.
It's actually pretty incredible; I was expecting to see simple "dumps" of CC info and bank login credentials, but it was much more sophisticated. Sellers were offering "packages" that would include bank login information (priced according to account balance), lists of IP addresses that were known to be flagged, SSNs and address information to help with security questions, and guides for how to best use this information.
Definitely seems like it'd be easy for a criminal with a little tech know-how to make a full time job of buying and exploiting this info. Based on the prices I saw, it would only take one successful fraudulent transaction out of many attempts for it to be profitable.
Perhaps there aren't many buyers out there, or there are just too many stolen CCs that the market is swamped by them.
OTOH, maybe the payoffs for CC fraud are actually lower than you might expect... could the banks be getting better at blocking cards sooner?
There are far FAR too many CC numbers available out there and when you consider the work needed to find a viable one, not to mention the legal issues resulting from this...it's pretty clear why they are so "cheap".
It's pretty comparable to the current stolen iPhone market(assuming iCloud locked), as they are basically a paperweight in that configuration, which makes them a "traders" commodity of sorts. Much like this, I've seen CC "packages" used as a sort of commodity, where the partners aren't as much interested in using the CCs, as they are merely selling them off later.
It seems like the common route is to to purchase expensive items and resell them, but you take a big hit on the value. Plus if you do this too much, more and more things are very trackable -- any computer/phone/tablet is covered with unique ids that can be tracked, so too can craigslist ads -- should you ever get big enough to be worth the hassle. Am I wrong?
Credit cards they make their own fake stores by the hundreds and pay themselves small amounts, or they do instore fraud which is extremely risky. In the UK they simply card Tesco and then sell the groceries half price. Can also fraud bitcoins now as services exist to buy small amounts. None of this is easy, profits aren't huge it's all very small time unless you're the guy getting and selling the data to the legions of petty hustlers worldwide.
(Yes, yes, the CC companies are on the hook for it, and you're not liable for any money charged to a stolen card, etc., etc., but it doesn't make it pleasant. It's stressful.)
I think this really depends on who you are. I find it pretty entertaining every time and enjoy trying to figure out where it was, knowing full well I just bitch at the bank and have little to no issue replacing the card.
The CC companies pass it down to the retailers in terms of transaction fees, who in turn pass it down to the consumers.
It doesn't matter whether your card gets stolen or not. It doesn't matter whether you even have a credit card or not. Everyone is paying for the cost of credit card fraud in one way or another. Even people who only pay with cash still bear the burden of credit card fraud, since they're still paying the credit-card-fee-inclusive price (unless they only shop at retailers with cash discounts).
Fraudulent charges are withdrawn from the retailers. Even if it has already posted to the bank account, they will take it back.
The CC companies never absorb the cost for fraud. Their greatest trick is convincing everyone they do.
In the end, consumers and businesses are on the hook for it.
Merchants are already 'holding the bag'... if they accept a fraudulent card for an order, the bank simply reverses the charge (and the merchant eats whatever they lost filling the order). So how does this change anything?
It's a lie. Why do you think so many stores ask to see ID?
From what I've seen, the accepting merchant account is always debited for every chargeback and the card issuers rarely bear any burden from fraud.
If chip and pin gets anywhere in the US, it'll be because of association requirements, not because they've pushed responsibility for one minute type of fraud on to merchants.
Very.
Yes, CC companies can do a better job of mitigating risk, but it's hardly a case to blame "only" them for this.
Then, when the fraud inevitably occurs--the crime as old as money itself--the credit card provider disclaims responsibility and places the onus upon the merchant.
The banking industry should arguably be a larger employer of top-tier cryptographers and cryptanalysts than the espionage and counter-espionage industry, but instead we get half-assed schemes from them like "How about we just print a secret code on the back of the card and don't write it to the magnetic strip?" Well, your helpful waiter then just swipes the card with his skimmer and photographs both sides before selling the info down the chain of fraud.
This is why new tech like digital blockchain currencies are coming into existence. The banks simply are not providing the level of service commensurate with the fees charged, and people are latching on to any available alternative, no matter how much it stinks, just because it is an alternative. Paypal, hawala, eGold, Bitcoin, Rixty, or whatever. People simply don't want to be vulnerable to a replay attack on their bank accounts. The market for credit card numbers and associated personal data would not exist if the issuers had a truly secure means of validating identity and authorizing payments instead of the hand-wavey pretend-secure system they already have in place on thousands of point-of-sale terminals.
That's why now, instead of the existing companies fixing the mechanisms that allow for fraud to take place, they can afford to ignore that market signal (that their product has a bug) by forcing their customers to pay for it (the retailers, who in turn force their customers, us, to pay for it).
This is how, in very real terms, the lack of competition literally hurts everyone, by making everyone pay for thieves, instead of making just incompetent private companies (trying to compete in this market) pay for it.
EDIT: Seems to be listed on the hidden wiki. A clearnet mirror of which exists here: http://hiddenwiki.me/