37 comments

[ 5.8 ms ] story [ 87.0 ms ] thread

  "Evolution has also had much faster pageload times than competitors, most of whom
  run painfully slowly thanks to Tor’s process of routing web traffic among random-
  ly chosen computers around the world. (Just how Evolution managed those speeds de-
  spite running on Tor itself isn’t clear.)"
I can't really investigate myself currently and I've never visited but is anyone here know if/why Evolution is faster?
I'd guess multiple domains for hosting stuff like CSS and images to better exploit parallelism, and massive compression where possible.
"And in addition to drugs, counterfeits and guns, Evolution also sells stolen credit cards, a kind of crime never allowed on the Silk Road."

A sort of natural selection that favors more evil apparently.

A very interesting equilibrium too. As law enforcement increases the risk premium of running a drug market, rational markets need to compensate for that increased risk by diversifying into more lucrative activities, which in this case means adding more "evil" goods to the market.

The interesting part is that it further enables LEOs to further justify a drug war that is increasingly seen as unjustified by tying it to other law enforcement activities.

I recently took a look at Evolution's fraud offerings, as I do anti-fraud work for an online company and was curious to see where the masses of fraudsters I deal with were getting their CC number and bank account info from.

It's actually pretty incredible; I was expecting to see simple "dumps" of CC info and bank login credentials, but it was much more sophisticated. Sellers were offering "packages" that would include bank login information (priced according to account balance), lists of IP addresses that were known to be flagged, SSNs and address information to help with security questions, and guides for how to best use this information.

Definitely seems like it'd be easy for a criminal with a little tech know-how to make a full time job of buying and exploiting this info. Based on the prices I saw, it would only take one successful fraudulent transaction out of many attempts for it to be profitable.

I wonder why the prices are low compared to the expected returns?

Perhaps there aren't many buyers out there, or there are just too many stolen CCs that the market is swamped by them.

OTOH, maybe the payoffs for CC fraud are actually lower than you might expect... could the banks be getting better at blocking cards sooner?

It's because actually cashing out is extremely risky.
It's a combination of both.

There are far FAR too many CC numbers available out there and when you consider the work needed to find a viable one, not to mention the legal issues resulting from this...it's pretty clear why they are so "cheap".

It's pretty comparable to the current stolen iPhone market(assuming iCloud locked), as they are basically a paperweight in that configuration, which makes them a "traders" commodity of sorts. Much like this, I've seen CC "packages" used as a sort of commodity, where the partners aren't as much interested in using the CCs, as they are merely selling them off later.

Risk. The payoffs are there but if the account info is changed or you get caught, you lose big. That's why they're selling them rather than cashing out.
When you REALLY look into how the carding operations work. All the major banks backends are compromised, constantly. They simply "zero" any liability to the government.
But how do you turn those credentials into cash, ideally cash that wouldn't get you arrested if deposited into a checking account? (I have no plans to do this, but I'm curious.)

It seems like the common route is to to purchase expensive items and resell them, but you take a big hit on the value. Plus if you do this too much, more and more things are very trackable -- any computer/phone/tablet is covered with unique ids that can be tracked, so too can craigslist ads -- should you ever get big enough to be worth the hassle. Am I wrong?

Bank xfers they will transfer to a cashing service, somebody willing to use fake identity to open business accounts to receive stolen funds and show up in person to a bank to withdraw it, then pay back a percentage to whoever sent the funds via bitcoins or other method. A good fraudster will ddos the bank after the transfer(s) to prevent the mark from logging into online banking and discovering the fraud.

Credit cards they make their own fake stores by the hundreds and pay themselves small amounts, or they do instore fraud which is extremely risky. In the UK they simply card Tesco and then sell the groceries half price. Can also fraud bitcoins now as services exist to buy small amounts. None of this is easy, profits aren't huge it's all very small time unless you're the guy getting and selling the data to the legions of petty hustlers worldwide.

Evolution is primarily resellers too, the majority of org fraud is on Russian forums like infraud.cc where they sell by bank identification number and entire databases of stolen financial data.
How "immoral" is it really, facilitating the sale of stolen CC info? Clearly, it is a bad thing to do. But it seems to me that the CC companies are at least as much to blame for having such a crappy system. Anti-fraud is one of the few things that they can point at as justifying their exorbitant fees for sending a couple of packets. The fact is, their system allows fraud and they are not doing anything about it.
Given that stolen credit cards create a lot of headaches for the people who actually use the credit cards, I'd say it's pretty immoral.

(Yes, yes, the CC companies are on the hook for it, and you're not liable for any money charged to a stolen card, etc., etc., but it doesn't make it pleasant. It's stressful.)

> (Yes, yes, the CC companies are on the hook for it, and you're not liable for any money charged to a stolen card, etc., etc., but it doesn't make it pleasant. It's stressful.)

I think this really depends on who you are. I find it pretty entertaining every time and enjoy trying to figure out where it was, knowing full well I just bitch at the bank and have little to no issue replacing the card.

the CC companies are on the hook for it

The CC companies pass it down to the retailers in terms of transaction fees, who in turn pass it down to the consumers.

It doesn't matter whether your card gets stolen or not. It doesn't matter whether you even have a credit card or not. Everyone is paying for the cost of credit card fraud in one way or another. Even people who only pay with cash still bear the burden of credit card fraud, since they're still paying the credit-card-fee-inclusive price (unless they only shop at retailers with cash discounts).

It's not even in the form of transaction fees.

Fraudulent charges are withdrawn from the retailers. Even if it has already posted to the bank account, they will take it back.

The CC companies never absorb the cost for fraud. Their greatest trick is convincing everyone they do.

> the CC companies are on the hook for it

In the end, consumers and businesses are on the hook for it.

Theya re doing something about it, which is why chip-and-pin will become the norm in the Us in the next couple of years. From October 2015 liability falls on whoever is the weakest link in the security chain, so get used to online vendors demanding a lot more personal info from you so they don't get left holding the bag.
How does chip and pin help with card not present transactions?
>From October 2015 liability falls on whoever is the weakest link in the security chain, so get used to online vendors demanding a lot more personal info from you so they don't get left holding the bag.

Merchants are already 'holding the bag'... if they accept a fraudulent card for an order, the bank simply reverses the charge (and the merchant eats whatever they lost filling the order). So how does this change anything?

> Currently, POS counterfeit fraud is largely absorbed by card issuers.

It's a lie. Why do you think so many stores ask to see ID?

From what I've seen, the accepting merchant account is always debited for every chargeback and the card issuers rarely bear any burden from fraud.

(comment deleted)
(comment deleted)
POS counterfeit fraud is one type of fraud.. but it's hardly all fraud, and it doesn't apply to online transactions (there's no POS involved in an online transaction).

If chip and pin gets anywhere in the US, it'll be because of association requirements, not because they've pushed responsibility for one minute type of fraud on to merchants.

> How "immoral" is it really, facilitating the sale of stolen CC info?

Very.

It's pretty immoral in the grand scheme of things, as the costs are incurred by ALL consumers, regardless if they pay via CC or cash.

Yes, CC companies can do a better job of mitigating risk, but it's hardly a case to blame "only" them for this.

I'm sorry if this is an unpopular opinion on here, but the CC companies are equally as culpable for this as any dark market.
I'd say they are more culpable. They have created a payments system that demands that merchants trust them without reservation, and failed to back that up with technology that makes them unassailably trustworthy.

Then, when the fraud inevitably occurs--the crime as old as money itself--the credit card provider disclaims responsibility and places the onus upon the merchant.

The banking industry should arguably be a larger employer of top-tier cryptographers and cryptanalysts than the espionage and counter-espionage industry, but instead we get half-assed schemes from them like "How about we just print a secret code on the back of the card and don't write it to the magnetic strip?" Well, your helpful waiter then just swipes the card with his skimmer and photographs both sides before selling the info down the chain of fraud.

This is why new tech like digital blockchain currencies are coming into existence. The banks simply are not providing the level of service commensurate with the fees charged, and people are latching on to any available alternative, no matter how much it stinks, just because it is an alternative. Paypal, hawala, eGold, Bitcoin, Rixty, or whatever. People simply don't want to be vulnerable to a replay attack on their bank accounts. The market for credit card numbers and associated personal data would not exist if the issuers had a truly secure means of validating identity and authorizing payments instead of the hand-wavey pretend-secure system they already have in place on thousands of point-of-sale terminals.

What is immoral is all the regulation around it that forbids new credit card companies from entering the playing field.

That's why now, instead of the existing companies fixing the mechanisms that allow for fraud to take place, they can afford to ignore that market signal (that their product has a bug) by forcing their customers to pay for it (the retailers, who in turn force their customers, us, to pay for it).

This is how, in very real terms, the lack of competition literally hurts everyone, by making everyone pay for thieves, instead of making just incompetent private companies (trying to compete in this market) pay for it.

What is the .onion for this service?

EDIT: Seems to be listed on the hidden wiki. A clearnet mirror of which exists here: http://hiddenwiki.me/

Just a reminder that the hidden wiki is, indeed, a wiki. People can go in there and change the onion link to a fraud site such as the ones referenced in the article. Since onion addresses are not nearly as memorable as domain names this is actually a pretty big problem.
Presumably they are smart enough to operate in a jurisdiction where the law enforcement agencies are more of a strategic partner rather than an operational risk. Given the guy running it is a former carder, and Krebs seems to think that all carders are Ukrainian or Russian, perhaps Evolution is based out there? If so that would make it pretty hard for the FBI I suspect.
I did wonder why you couldn't set up silk road 3 in eg russia and merely avoid selling drugs into russia. No tor required, and you can stick your middle finger up to the US/EU authorities. Though you probably have to be willing to never leave Russia ever...