On Sept. 1, the website Rescator.cc alerted customers to a big new batch of product about to hit its digital shelves. “Load your accounts and prepare for an avalanche of cash!” a post on its News page read. The items, marketed under the names American Sanctions and European Sanctions, appeared as promised the next day, spurring such an enthusiastic response that the site was pushed offline at times by the high demand.
Looking for stolen credit cards? The Rescator site has become something like the Amazon.com of the black market—an efficient, easy-to-use purveyor of quality products for cyber criminals. The latest batches were likely pilfered from Home Depot (HD), as reported on Sept. 2 by the security blogger Brian Krebs. The American Sanctions cards are broken into two installments, 1 and 2, and those who monitor the Rescator site expect many more to come.
“He doesn’t do that unless there are millions,” says Mark Lanterman, who runs a digital forensics company, Computer Forensic Services, in Minnetonka, Minn. He applied for an account using an assumed identity and keeps an eye on the site as part of his work with law enforcement. Lanterman’s search of cards with mailing addresses in five Zip codes around Minneapolis has pulled up more than 12,000 cards. Krebs found that 1,822 postal codes were represented in the card data in the Sanctions batches, only 10 of which don’t have a Home Depot store, he posted on krebsonsecurity.com.
If you’re buying stolen cards, you purchase them to use in your local area because one of banks’ most basic fraud monitoring techniques is to screen for card use that’s far removed from the card billing address. Hence the importance of the Zip code. On the Rescator site, you can also filter, if you want, by bank, by card type, by expiration date, and even by the last four digits of the card number.
The newest batches claim a 100 percent validity rate, meaning cyber criminals won’t run into the embarrassment of having a stolen card declined while trying to make some illicit purchase. “No replacements!” the website says. For earlier lots, the validity rate appears next to the name. For one labeled “Jackie Chan”—data stolen from the restaurant chain P.F. Chang’s China Bistro, according to Lanterman—the validity rate is now 50 percent, and Rescator does offer replacements in such cases.
That’s a level of care you don’t often find on the black market. “The thing is, only criminals are selling these things, and most of the criminals out there do not have great customer service,” Lanterman says.
It’s not clear who’s behind the Rescator site. The word Rescator was embedded in malware used in the Target (TGT) breach last December, and a hacker posting to some forums using that handle has also gone by the nickname Helkern. The Helkern alias can be linked to a man in Odessa, Ukraine, named Andrey Khodyrevskiy, an investigation by Businessweek earlier this year found. Not that Khodyrevskiy displayed much of a genius for online crime: He received a three-year suspended sentence for a poorly executed 2011 hack into a local Web portal in Odessa.
Whoever the Rescator.cc mastermind is, customers—those to be found lurking on underground bulletin boards where cyber thieves congregate—give the latest offering five stars. “They’re praising the guy like a rock star over the quality of these numbers,” Lanterman says. “They love him. They think he’s the second coming of Elvis.”