Senate Republicans were skimmed for six months, quietly fix store
Did you order anything from the Senate Republicans in the last half year? In that case, your name and credit card details have been skimmed and sent to a Russian server. And subsequently sold on the dark web for $30.
Update Oct 6th: The Republicans have rushed to secure their store today. But no word about the skimming between March 16th and October 5th.
See a short video where I demonstrate how the skimming works. And read on to find out how I traced the culprits to a hornet’s nest of criminal activity.
I think I’ll pass on the Never Hillary sticker for now.
The crime scene
So our evidence consists of one compromised Republican store, which was fitted with hidden skimming software at least 6 months ago (dissection of the malware here). And we have two Russian credit card harvesters with the rather boring names jquery-cloud.net (March) and jquery-code.su (October).
Follow the money
The older harvester jquery-cloud.net was registered in December 2015 by an American lady with a Chinese fax number and a fake email address. The newer harvester, jquery-code.su, is registered anonymously per 24th of August.
Both domain names are hosted by a company called Dataflow, as is shown by the nameservers and IP addresses. Curiously, the Dataflow network and the jquery-cloud.net domain name were created in the same week:
route: 80.87.205.0/24
descr: DDoS Protected Network DATAFLOW.SU
origin: AS203624
mnt-by: MNT-DATAFLOWSU
created: 2015-12-28T22:37:25Z
A hornet’s nest
Dataflow has a Russian language website but is registered in Belize on November 3rd, 2015. It advertises with:
Offshore […] Solutions with protection from DDoS to 350 Gbit : Belize, Panama, Seychelles
Its office is registered here:
This address shows up in the Panama Papers and is - coincidentally - also the home of a trust office called Alpha Offshore, who
is an international provider of legal corporate tax planning services. Mainly, we focus on registering companies in countries that use preferential taxation policies and in offshore jurisdictions
Dataflow has a very small network of just 2 blocks (512 IPs) and you can look up what else runs on that network. Its owners deserve praise for collecting about every kind of online fraud known to man: money laundering, synthetic drug trade, darknet messaging, phishing and spam.
Estimated black market yield
I do not know how many credit cards were stolen from the Republican store but I can make an educated guess. According to TrafficEstimates, the Republican store has received some 350K visits per month lately. A conservative conversion ratio of 1% yields 3500 stolen credit cards per month, or 21K stolen credits cards since March. Black market value per card is between $4 and $120, so I assume a modest $30 per card. The villains could have made roughly $600K on this store alone.
Note, this is just the criminal yield. The monetary loss for society is higher, as credit card companies reimburse their clients for fraudulent deductions (actual deductions are much higher than the black market value!) and conduct investigations. They shift these fraud handling costs to their clients, so that merchants pay a higher transaction fee and, in turn, shift this to their customer (you).
Conclusions
This clever form of card skimming has been going for a while, at least since March. The culprits are hiding behind an shelf company in Belize. Their business is growing rapidly, which I will illustrate in a next post.