In much of our recent analysis of threat infrastructure, we've seen the digital credit card skimming ecosystem grow as we uncover more actors, tooling, services, and economies that comprise it. We also see distinct patterns emerge in the infrastructure used and shared by these entities.
Over the last few years, Alibaba IP space has hosted many domains used for digital skimming and other malicious behavior. As bulletproof hosting providers host a considerable portion of skimming campaigns, the popularity of Alibaba IP space may result from one of these bulletproof services abusing Alibaba hosting services. Recently, some of these domains have also abused Google user content hosting.
While investigating infrastructure related to the MobileInter skimmer, our researchers found that a Google IP address briefly played host to one of its skimmer domains. This IP then hosted a domain offering a helpful service for card skimmers, allowing them to authenticate stolen payment data for a fee. From this data point, RiskIQ's Internet Intelligence Graph helped our researchers identify several related websites, services, and social media accounts connected to this authentication activity known as bit2check. Some bit2check domains share the same hosting pattern as Magecart domains observed abusing Alibaba and Google hosting services.
Upon further analysis, our researchers found that the individual behind bit2check is a Kurdish actor who calls themself Hama. Until now, there has been no clear link between an individual and the bulletproof hosting activity observed on Alibaba. However, this link could lead to further insights on who is provisioning these malicious hosting services.
Bit2Check is Part of a Card-Skimming Network
The bit2check website bills itself as the "best CVV/cc checker in town" and promotes a bit2check Telegram channel. Several Kurdish language telegram channels also link to the bit2check site and others, such as bin-checker[.]net, a free version of bit2check.
Via a shared Google Analytics account number, RiskIQ's Internet Intelligence Graph led our researchers to a network of related sites, including similar credit card validators and stolen credit card data shops. Many of these sites were authored by Hama.
To explore these IOCs, visit our Threat Intelligence Portal.
Connections to Other Card Skimming Actors and Activity
These card-skimming services cross-promote one another via links on their domains and the use of Telegram channels. The bin-checker page, the free version of bit2check mentioned above, promotes a carding shop at cvvshop[.]lv. The Telegram channel realcvvshoplv promotes this shop and another domain, cvvshop[.]sc, by posting every few days about adding thousands of new stolen "CVV" for sale. The 'cvvshop' website also features a Jabber IM username, ganjapreneur@xabber[.]de, giving us more insight into the individuals involved in these operations.
The domains and accounts connected to Hama also connect to the activity carried out by other actors in the carding space. Some of Hama's websites include code created by another actor known as namso. Hama's Github repository features a directory named ‘namso_files.’
There's a .js file in this directory that generates the random credit numbers provided by the website. RiskIQ crawl data associates this filename with 47 unique hosts focused on generating credit card numbers. Among these is a Google tag manager ID that connects several other Namso domains. Namso even has an app in the Google Play store named "Namso Gen," which, shockingly, generates fake credit card numbers. This app is connected to a Github bearing a possible real name for this actor.
You can explore each of the IOCs surfaced in this research by visiting the bit2check card in the RiskIQ Threat Intel Portal.
Bit2check: Another Cog in a Massive Ecosystem
RiskIQ has been tracking browser-based card skimming since we revealed Magecart in 2016 and its landmark attack against British Airways in 2018. Since then, our Internet Intelligence Graph has illuminated an entire universe of skimming infrastructure, revealing an interconnected, and in many cases, interdependent skimming ecosystem.
Bit2check is yet another corner of this massive ecosystem, catering to skimmers trying to validate their plunder or purchase more stolen data. RiskIQ is finding that many of the entities in this ecosystem network—both the skimmers and the services that cater to them—share many of the same techniques and infrastructure.
With so much shared infrastructure and similar TTPs, leveraging relationships across the web to expose new skimming threats is essential to protecting your organization. Visit our Threat Intelligence Portal for the full technical analysis of bit2check and more information about how RiskIQ is detecting this highly successful breed of phishing kit. To find out how RiskIQ can defend your organization's digital attack surface, get started today.