A steady stream of card breaches at retailers, restaurants and hotels has flooded underground markets with a historic glut of stolen debit and credit card data. Today there are at least hundreds of sites online selling stolen account data, yet only a handful of them actively court bulk buyers and organized crime rings. Faced with a buyer’s market, these elite shops set themselves apart by focusing on loyalty programs, frequent-buyer discounts, money-back guarantees and just plain old good customer service.

Today’s post examines the complex networking and marketing apparatus behind “Joker’s Stash,” a sprawling virtual hub of stolen card data that has served as the distribution point for accounts compromised in many of the retail card breaches first disclosed by KrebsOnSecurity over the past two years, including Hilton Hotels and Bebe Stores.

Since opening for business in early October 2014, Joker’s Stash has attracted dozens of customers who’ve spent five- and six-figures at the carding store. All customers are buying card data that will be turned into counterfeit cards and used to fraudulently purchase gift cards, electronics and other goods at big-box retailers like Target and Wal-Mart.

Unlike so many carding sites that mainly resell cards stolen by other hackers, Joker’s Stash claims that all of its cards are “exclusive, self-hacked dumps.”

“This mean – in our shop you can buy only our own stuff, and our stuff you can buy only in our shop – nowhere else,” Joker’s Stash explained on an introductory post on a carding forum in October 2014.

“Just don’t wanna provide the name of victim right here, and bro, this is only the begin[ning], we already made several other big breaches – a lot of stuff is coming, stay tuned, check the news!” the Joker went on, in response to established forum members who were hazing the new guy. He continued:

“I promise u – in few days u will completely change your mind and will buy only from me. I will add another one absolute virgin fresh new zero-day db with 100%+1 valid rate. Read latest news on http://krebsonsecurity.com/ – this new huge base will be available in few days only at Joker’s Stash.”

As a business, Joker’s Stash made good on its promise. It’s now one of the most bustling carding stores on the Internet, often adding hundreds of thousands of freshly stolen cards for sale each week.

A true offshore pirate’s haven, its home base is a domain name ending in “.sh” Dot-sh is the country code top level domain (ccTLD) assigned to the tiny volcanic, tropical island of Saint Helena, but anyone can register a domain ending in dot-sh. St. Helena is on Greenwich Mean Time (GMT) — the same time zone used by this carding Web site. However, it’s highly unlikely that any part of this fraud operation is in Saint Helena, a remote British territory in the South Atlantic Ocean that has a population of just over 4,000 inhabitants.

This fraud shop includes a built-in discount system for larger orders: 5 percent for customers who spend between $300-$500; 15 percent off for fraudsters spending between $1,000 and $2,500; and 30 percent off for customers who top up their bitcoin balances to the equivalent of $10,000 or more.

For its big-spender “partner” clients, Joker’s Stash assigns three custom domain names to each partner. After those partners log in, the different 3-word domains are displayed at the top of their site dashboard, and the user is encouraged to use only those three custom domains to access the carding shop in the future (see screenshot below). More on these three domains in a moment.

REFUNDS AND CUSTOMER LOYALTY BONUSES

Customers pay for stolen cards using Bitcoin, a virtual currency. All sales are final, although some batches of stolen cards for sale at Joker’s Stash come with a replacement policy — a short window of time from minutes to a few hours, generally — in which buyers can request replacement cards for any that come back as declined during that replacement timeframe.

Like many other carding shops, Joker’s Stash also offers an a-la-carte card-checking option that customers can use an insurance policy when purchasing stolen cards. Such checking services usually rely on multiple legitimate, compromised credit card merchant accounts that can be used to round-robin process a small charge against each card the customer wishes to purchase to test whether the card is still valid. Customers receive an automatic credit to their shopping cart balances for any purchased cards that come back as declined when run through the site’s checking service.

This carding site also employs a unique rating system for clients, supposedly to prevent abuse of the service and to provide what the proprietors of this store call “a loyalty program for honest partners with proven partner’s record.”

According to Joker’s Stash administrators, customers with higher ratings get advance notice of new batches of stolen cards coming up for sale, prioritized support requests, as well as additional time to get refunds on cards that came back as “declined” or closed by the issuing bank shortly after purchase.

To determine a customer’s loyalty rating, the system calculates the sum of all customer deposits minus the total refunds requested by the customer.

“So if you have deposited $10,000 USD and refunded items for $3,000 USD then your rating is: 10,000 – 3,000 = 7,000 = 7k [Gold rating – you are the king],” Joker’s Stash explains. “If this is the case then new bases will become available for your purchase earlier than for others thanks to your high rating. It gives you ability to see and buy new updates before other people can do that, as well as some other privileges like prioritized support.”

HIGH ROLLERS

It would appear that Joker’s Stash has attracted a large number of high-dollar customers, and a good many of them qualify for the elite, “full stash” category reserved for clients who’ve deposited more than $10,000 and haven’t asked for more than about 30 percent of those cards to be refunded or replaced. KrebsOnSecurity has identified hundreds of these three-word domains that the card site has assigned to customers. They were mostly all registered across an array of domain registrars over the the past year, and nearly all are (ab)using services from a New Jersey-based cloud hosting firm called Vultr Holdings.

All customers — be they high-roller partners or one-card-at-a-time street thugs — are instructed on how to log in to the site with software that links users to the Tor network. Tor is a free anonymity network that routes its users’ encrypted traffic between multiple hops around the globe to obscure their real location online.

The site’s administrators no doubt very much want all customers to use the Tor version of the site as opposed to domains reachable on the open Internet. Carding site domain names get seized all the time, but it is far harder to discover and seize a site or link hosted on Tor.

What’s more, switching domain names all the time puts carding shop customers in the crosshairs of phishers and other scam artists. While customers are frantically searching for the shop’s updated domain name, fraudsters step in to take advantage of the confusion and to promote counterfeit versions of the site that phish account credentials from unwary criminals.

Nicholas Weaver, a senior researcher in networking and security for the International Computer Science Institute (ICSI), said it looks like the traffic from the three-word domains that Joker’s Stash assigns to each user gets routed through the same Tor hidden servers.

“What he appears to be doing is throwing up an Nginx proxy on each Internet address he’s using to host the domain sets given to users,” Weaver said. “This communicates with his back end server, which is also reachable as one of two Tor hidden services. And both are the same server: If you add to your shopping cart in Tor, it shows up instantly in the clearnet version of the site, and the same with removing cards. So my conclusion is both clearnet and Tornet are the same server on the back end.”

By routing all three-word partner domains through server hidden on Tor, the Joker’s Stash administration seems to understand that many customers can’t be bothered to run Tor and if forced to will just go to a competing site that allows direct access via a regular, non-Tor-based Internet connection.

“My guess is [Joker’s Stash] would like everyone to go to Tor, but they know that Tor is a pain, so they’re using the clearnet because that is what customers demand,” Weaver said.

Interestingly, this setup suggests several serious operational security failures by the Joker’s Stash staff. For example, while Tor encrypts data at every hop in the network, none of the partner traffic from any of the custom three-word domains is encrypted by default on its way to the Tor version of the site. To their credit, the site administrators do urge users to change this default setting by replacing http:// with https:// in front of their private domains.

I’ll have more on Joker’s Stash in an upcoming post. In the meantime, if you enjoyed this story, check out a deep dive I did last year into “McDumpals,” another credit card fraud bazaar that caters to bulk buyers and focuses heavily on customer service.

Tags: .sh, carding site, dot-sh, eNom, ICSI, Joker's stash, McDumpals, Namecheap, Nicholas Weaver, Tor, Vultr Holdings