Introduction
On January 28, 2021 the dark web community was informed that “ValidCC”, one of the leading marketplaces for compromised payment card details, was unexpectedly closing its services for good. This happened less than a month after “Joker’s Stash”, another popular dark web payment card marketplace, announced its retirement. The announcement was distributed via a post, that was published on popular underground fraud forums by a threat actor dubbed “SPR” who is known as the official speaker for the “ValidCC” marketplace.
Background
Last year, a Singapore-based threat hunting and intelligence company published a report concerning the threat actor group associated with “ValidCC”, which is dubbed “UltraRank”[1].
“UltraRank” has been associated with Magecart, a loosely organized crime group composed of multiple entities employing JavaScript-sniffer families to scrape payment card information from e-commerce websites. The security firm distinctly dubbed one of these entities as “UltraRank” because, unlike the others which monetize the stolen data by carding them on luxury items and reselling them, or utilizing third-party carding services, UltraRank set up its own native marketplace: “ValidCC”[2].
“UltraRank” were observed conducting waves of activities in November 2020, although they have been active since 2015 and have targeted over 700 websites, including US telco operator T-Mobile, French advertising group Adverline, and Block and Company, the U.S.’s largest manufacturer for cash handling supplies.
While “UltraRank” uses dozens of Javascript-sniffer variants, the most recently observed is SnifLite. Malicious code is embedded in the infected e-commerce website through a link to a Javascript package file located on the website hxxp[:]//googletagsmanager[.]co/, which is a typo-squatting domain impersonating googletagmanager.com. This malicious website is also used to gather sniffed payment card data as a gateway.
The IOCs detected in this latest campaign are now inactive[3]:
- googletagsmanager[.]co
- googletagsmanager[.]info
- s-panel[.]su
The Publication
As this surprising announcement is still fresh and unexpected, researchers focus on the publications left by “SPR” in order to learn about the sudden decision.
Originally written in Russian, the message reveals that some of the site’s servers were seized by a law enforcement organization, including encrypted backup servers. “SPR” is assuring the readers that although this prevents them from operating the marketplace, their details will not be exposed thanks to the site’s encryption. However, as the servers stored information regarding the users, including identifiers and balance information, “SPR” claims it is impossible to refund the users.
“SPR” publication on a fraud forum as detected on Argos™
This aroused the suspicion that the abrupt shutdown is actually an exit scam, for two main reasons. First, “ValidCC” is known as a successful and profitable payment card shop, estimated to be earning up to $100,000 a day in revenues, according to “SPR”[4]. Second, law enforcement agencies have yet to confirm or take credit for the server seizure described by “SPR”.
For comparison, on January 15, 2021, “Joker’s Stash” announced their site will be shutting down on February 15, 2021. Though they were a profitable site as well, handling similar sums of money, “Joker’s Stash” announced they were shutting down a month in advance to allow users to make final transactions and withdraw the balances left in their accounts.
Forecast
In the past few days, Cyberint has leveraged Argos™ to detect several threat actors already searching for alternatives to “ValidCC”, after learning about the closing.
Example post on a criminal forum asking for alternatives to “ValidCC”
Therefore, rival carding marketplaces and similar platforms will emerge as alternatives. Threat actors on “ValidCC” also conduct activities in:
- Vclub, BriansClub and Fe-Shop payment card marketplaces
- Dread forum
- Altenen forum and its mirrors
- CardPro, Club2Card and CardClub forums
- Omerta forum
- XSS forum, which is known for exploits for sale but has been increasingly populated by carders during the COVID-19 period
Cyberint will continue monitoring trends in the migration of threat actors from “ValidCC” to alternative dark web marketplaces and forums.
References
[1] https://www.group-ib.com/media/ultrarank/
[2] Kovacs, Eduard. “UltraRank Group Stole Card Data From Hundreds of Sites Using JS Sniffers.” Security Week, 27 Aug. 2020, www.securityweek.com/ultrarank-group-stole-card-data-hundreds-sites-using-js-sniffers
[3] “New Attacks by UltraRank Group.” Group-IB Blog, 23 Dec. 2020, www.group-ib.com/blog/ultrarank
Related Articles
