
Bit2check: Stolen Card Validation Service Illuminates A New Corner of the Skimming Ecosystem

In much of our recent analysis of threat infrastructure, we've seen the digital credit card skimming ecosystem grow as we uncover more actors, tooling, services, and economies that comprise it. We also see distinct patterns emerge in the infrastructure used and shared by these entities. 

Over the last few years, Alibaba IP space has hosted many domains used for digital skimming and other malicious behavior. As bulletproof hosting providers host a considerable portion of skimming campaigns, the popularity of Alibaba IP space may result from one of these bulletproof services abusing Alibaba hosting services. Recently, some of these domains have also abused Google user content hosting.

While investigating infrastructure related to the MobileInter skimmer, our researchers found that a Google IP address briefly played host to one of its skimmer domains. This IP then hosted a domain offering a helpful service for card skimmers, allowing them to authenticate stolen payment data for a fee. From this data point, RiskIQ's Internet Intelligence Graph helped our researchers identify several related websites, services, and social media accounts connected to this authentication activity known as bit2check. Some bit2check domains share the same hosting pattern as Magecart domains observed abusing Alibaba and Google hosting services.

Upon further analysis, our researchers found that the individual behind bit2check is a Kurdish actor who calls themself Hama. Until now, there has been no clear link between an individual and the bulletproof hosting activity observed on Alibaba. However, this link could lead to further insights on who is provisioning these malicious hosting services. 

Bit2Check is Part of a Card-Skimming Network

The bit2check website bills itself as the "best CVV/cc checker in town" and promotes a bit2check Telegram channel. Several Kurdish-language Telegram channels also link to the bit2check site and to related ones, such as bin-checker[.]net, a free version of bit2check.

The bit2check site

Via a shared Google Analytics account number, RiskIQ's Internet Intelligence Graph led our researchers to a network of related sites, including similar credit card validators and stolen credit card data shops. Many of these sites were authored by Hama.

Facebook account operated by Hama.


Connections to Other Card Skimming Actors and Activity

These card-skimming services cross-promote one another via links on their domains and the use of Telegram channels. The bin-checker page, the free version of bit2check mentioned above, promotes a carding shop at cvvshop[.]lv. The Telegram channel realcvvshoplv promotes this shop and another domain, cvvshop[.]sc, by posting every few days about adding thousands of new stolen "CVV" for sale. The 'cvvshop' website also features a Jabber IM username, ganjapreneur@xabber[.]de, giving us more insight into the individuals involved in these operations. 

CVV Shop

The domains and accounts connected to Hama also connect to activity carried out by other actors in the carding space. Some of Hama's websites include code created by another actor known as namso. Hama's GitHub repository features a directory named ‘namso_files.’

There's a .js file in this directory that generates the random credit card numbers provided by the website. RiskIQ crawl data associates this filename with 47 unique hosts focused on generating credit card numbers. Among the data tied to these hosts is a Google Tag Manager ID that connects several other Namso domains. Namso even has an app in the Google Play store named "Namso Gen," which, shockingly, generates fake credit card numbers. This app is connected to a GitHub account bearing a possible real name for this actor.
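The pivots described above (a shared Google Analytics account number, a shared Google Tag Manager ID, and a common script filename across crawled hosts) can be reproduced on your own crawl data. The following is an added example and not RiskIQ's or any actor's code; the hostnames, IDs and the script filename are constructed placeholders, and it assumes you already hold the page HTML of each host.

```python
import re
from collections import defaultdict

# Constructed sample crawl data: hostname -> page HTML. None of these values are real.
SAMPLE_PAGES = {
    "checker-a.example": '<script src="/js/namso_gen.js"></script>'
                         '<script>ga("create","UA-11111111-1","auto");</script>',
    "checker-b.example": '<script src="https://cdn.example/namso_gen.js"></script>'
                         "<script>(function(w,d,s,l,i){/*...*/})(window,document,'script','dataLayer','GTM-ABCD123');</script>",
    "shop-c.example": "<script>ga('create', 'UA-11111111-1', 'auto');</script>",
    "unrelated.example": '<p>nothing to see</p><script src="/js/app.js"></script>',
}

GA_RE = re.compile(r"\bUA-\d{4,10}-\d{1,4}\b")           # classic Google Analytics property ID
GTM_RE = re.compile(r"\bGTM-[A-Z0-9]{4,10}\b")             # Google Tag Manager container ID
SCRIPT_SRC_RE = re.compile(r'<script[^>]+src=["\']([^"\']+)["\']', re.I)

def extract_pivots(html):
    """Pivot keys found in one page: analytics IDs, tag-manager IDs and script basenames."""
    keys = set()
    keys.update(f"ga:{m}" for m in GA_RE.findall(html))
    keys.update(f"gtm:{m}" for m in GTM_RE.findall(html))
    for src in SCRIPT_SRC_RE.findall(html):
        keys.add("script:" + src.rsplit("/", 1)[-1].split("?")[0].lower())
    return keys

def cluster_hosts(pages, ignore=("script:app.js", "script:jquery.min.js")):
    """Map each pivot key to the hosts sharing it. Keys seen on only one host, and
    generic filenames that would link unrelated sites, are dropped."""
    index = defaultdict(set)
    for host, html in pages.items():
        for key in extract_pivots(html):
            if key not in ignore:
                index[key].add(host)
    return {k: sorted(v) for k, v in index.items() if len(v) > 1}

def related_hosts(pages, seed):
    """Hosts linked to `seed` through at least one shared pivot key (one hop)."""
    linked = set()
    for hosts in cluster_hosts(pages).values():
        if seed in hosts:
            linked.update(hosts)
    linked.discard(seed)
    return sorted(linked)

if __name__ == "__main__":
    for key, hosts in cluster_hosts(SAMPLE_PAGES).items():
        print(key, "->", ", ".join(hosts))
```

A real pipeline would add an allowlist of widely used third-party script names so that shared CDN libraries do not produce false links.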

You can explore each of the IOCs surfaced in this research by visiting the bit2check card in the RiskIQ Threat Intel Portal

Bit2check: Another Cog in a Massive Ecosystem

RiskIQ has been tracking browser-based card skimming since we revealed Magecart in 2016 and its landmark attack against British Airways in 2018. Since then, our Internet Intelligence Graph has illuminated an entire universe of skimming infrastructure, revealing an interconnected, and in many cases, interdependent skimming ecosystem.

Bit2check is yet another corner of this massive ecosystem, catering to skimmers trying to validate their plunder or purchase more stolen data. RiskIQ is finding that many of the entities in this ecosystem network—both the skimmers and the services that cater to them—share many of the same techniques and infrastructure. 

With so much shared infrastructure and so many similar TTPs, leveraging relationships across the web to expose new skimming threats is essential to protecting your organization. Visit our Threat Intelligence Portal for the full technical analysis of bit2check and more information about how RiskIQ is detecting this highly successful breed of phishing kit. To find out how RiskIQ can defend your organization's digital attack surface, get started today.
