PoS malware has been in the news lately due to data breaches at various high-profile retailers. Card data stolen in these attacks has ended up on the well-known underground shop Rescator. We prefer to refer to the people behind this shop as the Lampeduza gang, since Rescator is not the only person running this business.
We have found that other cybercrime gangs are using the fame of the Lampeduza gang to lure other cybercriminals into accessing fake online credit card shops.
During one of our research projects, we came across a C&C server hosting a KINS control panel at resurspowerlbc.su. The domain was registered on May 9, 2014, with the email address firstname.lastname@example.org. The same email address was used to register other domains that hosted a fake version of the Lampeduza card shop.
Some of these domains included
Included in the above list were one fake jobs site (safegs.su) and two fake shipping sites (shipping-panel.su and shipping-panel.us).
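The registrant-email pivot described above (one WHOIS email address leading from the KINS C&C domain to the fake shop, jobs and shipping domains) is easy to automate. The following Python is an added example and not code from the original post; the WHOIS records and domain names in it are constructed for illustration and are not the real registration data of the domains discussed. It parses raw WHOIS text, normalizes the registrant email, discards privacy-redacted values, and reports every email that registered two or more domains, ordered by creation date:

```python
import re
from collections import defaultdict

# Constructed WHOIS output for hypothetical domains (not real registration data).
# Field names and case vary by registrar, which the parser has to tolerate.
SAMPLE_WHOIS = {
    "kins-panel.example": """Domain Name: KINS-PANEL.EXAMPLE
Creation Date: 2014-05-09T10:12:00Z
Registrant Email: Registrant@Mail.Example
""",
    "card-shop-a.example": """Domain Name: CARD-SHOP-A.EXAMPLE
Creation Date: 2014-05-11T08:00:00Z
Registrant E-mail: registrant@mail.example
""",
    "shipping-jobs.example": """domain name: shipping-jobs.example
creation date: 2014-06-02T00:00:00Z
registrant email: registrant@mail.example
""",
    "unrelated.example": """Domain Name: UNRELATED.EXAMPLE
Creation Date: 2013-01-15T00:00:00Z
Registrant Email: someone-else@mail.example
""",
    "privacy.example": """Domain Name: PRIVACY.EXAMPLE
Creation Date: 2014-05-10T00:00:00Z
Registrant Email: REDACTED FOR PRIVACY
""",
}

# "Registrant Email:" / "Registrant E-mail:" in any case, value up to first whitespace
EMAIL_LINE = re.compile(r"^\s*registrant\s+e-?mail\s*:\s*(\S+)", re.IGNORECASE | re.MULTILINE)
CREATED_LINE = re.compile(r"^\s*creation\s+date\s*:\s*(\S+)", re.IGNORECASE | re.MULTILINE)
# Minimal shape check so privacy placeholders ("REDACTED ...") are not treated as pivots
EMAIL_SHAPE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def parse_record(raw):
    """Extract the registrant email (lower-cased, or None if absent/redacted) and creation date."""
    email = None
    m = EMAIL_LINE.search(raw)
    if m and EMAIL_SHAPE.match(m.group(1)):
        email = m.group(1).lower()
    c = CREATED_LINE.search(raw)
    return {"registrant_email": email, "created": c.group(1) if c else None}


def pivot_on_registrant(records):
    """Group domains by registrant email; keep only emails that registered >= 2 domains.

    records: {domain: raw WHOIS text}. Returns {email: [domains sorted by creation date]}.
    """
    by_email = defaultdict(list)
    for domain, raw in records.items():
        parsed = parse_record(raw)
        if parsed["registrant_email"]:
            by_email[parsed["registrant_email"]].append((parsed["created"] or "", domain))
    return {email: [d for _, d in sorted(hits)]
            for email, hits in by_email.items() if len(hits) >= 2}


if __name__ == "__main__":
    for email, domains in pivot_on_registrant(SAMPLE_WHOIS).items():
        print(email, "->", ", ".join(domains))
```

Run against real WHOIS output (for example, the text returned by the `whois` command for each domain), the cluster for a shared email is the seed list for further checks such as passive DNS and hosting overlap. Privacy-protected registrations drop out of the pivot deliberately, since a proxy email would otherwise cluster thousands of unrelated domains together.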
Credit card shops and the Lampeduza gang
The online credit card shops mentioned above are forgeries of the infamous shop known as Rescator or Octavian. The main page is very similar to the original.
Below is the forged version of the shop’s login page:
Figure 1. Fake Rescator credit card shop
Once you log in, this pop-up appears and asks you to pay a fee of $49 in Bitcoin to activate the account.
Figure 2. Fake credit card shop asking for a fee to activate account
The text in the alert reads as:
For account activation New members.
Accept the BitCoin. After paying the fee once all options are open. Balance will be credited immediately. Protection from bots, thank you for your understanding.
For security and anonymity we offer BitCoin service for our clients. You can exchange your PM, WMZ, etc in Jabber – email@example.com icq: 242200 and btc-e.com
1. Make a transaction to the purse above; 17n37iJqQn1aHQqMsoYsXYNfQ5hR646zeq
2. Amount BTC – 49usd (0.1 BTC)
3. Your money will be received within ~15 minutes, your balance will be automatically updated
4. Refresh page. Start shopping
Status – Activation wait
For comparison, the actual login page of Rescator looks like this:
Figure 3. Actual Rescator login page
Here is the page that a user sees after logging in:
Figure 4. Actual Rescator panel
All of these online credit card shops are claimed to be forgeries of the original shops owned and run by Rescator. Rescator is well known for running online credit card shops and is also the administrator of the carding forum Lampeduza. The "official" shops run by Rescator are:
In this announcement, Rescator explicitly labels other Rescator-branded shops as scams:
Figure 5. Announcement of actual Rescator domains
These fake online credit card shops are definitely scams, but we cannot rule out that the Lampeduza gang is behind them as well. This intriguing post suggests that Rescator is responsible for the fakes too; however, this could again be a false claim:
Figure 6. Complaint about 24exchange shop
The fake sites look like the old version of the actual shop (as seen in this xylitol blog post), which shows what the Rescator site looked like in February 2013. We have seen multiple posts from Rescator warning users about forgeries and stating that he has nothing to do with them.
It is still unclear who is behind these fake credit card shops. However, it is clear that whoever is responsible is using the fame of the Lampeduza shop, which is well known in the cybercriminal community for providing high-quality credit card information directly related to data breaches in the United States, among other countries.
At the time of writing, the Bitcoin address appears to have received 55 BTC. Some of these transactions are worth 0.1 BTC (approximately $50), the amount that the fake sites ask from their victims. In addition, this address has only been in use since July 15 of this year.
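Before pivoting on a Bitcoin address that was transcribed from a screenshot, as the one in the pop-up above was, it is worth checking offline that the string is a well-formed legacy address, since a single mis-read character produces an address that no block explorer will resolve. The following Python is an added example, not code from the original post: it Base58Check-decodes an address with only the standard library, verifies the double-SHA256 checksum, and reports the version byte (0x00 for a mainnet pay-to-pubkey-hash address such as the one in the pop-up) and the embedded 20-byte public-key hash. The version-to-name table is limited to the four common legacy prefixes; the addresses in the usage block are the one quoted from the pop-up and the well-known genesis block address, used here as a reference value.

```python
import hashlib

# Bitcoin Base58 alphabet: digits and letters minus the confusable 0, O, I, l
B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

# Version bytes for the common legacy (Base58Check) address formats
VERSION_NAMES = {
    0x00: "P2PKH mainnet",
    0x05: "P2SH mainnet",
    0x6F: "P2PKH testnet",
    0xC4: "P2SH testnet",
}


def b58decode(text):
    """Decode a Base58 string to bytes; each leading '1' maps to a leading 0x00 byte."""
    value = 0
    for ch in text:
        digit = B58_ALPHABET.find(ch)
        if digit < 0:
            raise ValueError("character %r is not in the Base58 alphabet" % ch)
        value = value * 58 + digit
    leading_zeros = len(text) - len(text.lstrip("1"))
    body = value.to_bytes((value.bit_length() + 7) // 8, "big") if value else b""
    return b"\x00" * leading_zeros + body


def inspect_address(addr):
    """Describe a legacy Bitcoin address: checksum validity, version byte, type and hash160.

    A legacy address decodes to 25 bytes: 1 version byte, 20-byte hash160, 4-byte checksum,
    where the checksum is the first 4 bytes of SHA256(SHA256(version || hash160)).
    """
    try:
        raw = b58decode(addr)
    except ValueError as exc:
        return {"address": addr, "valid": False, "reason": str(exc)}
    if len(raw) != 25:
        return {"address": addr, "valid": False,
                "reason": "decoded to %d bytes, expected 25" % len(raw)}
    payload, checksum = raw[:21], raw[21:]
    expected = hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    if checksum != expected:
        return {"address": addr, "valid": False, "reason": "checksum mismatch"}
    version = payload[0]
    return {
        "address": addr,
        "valid": True,
        "version": version,
        "type": VERSION_NAMES.get(version, "unknown version 0x%02x" % version),
        "hash160": payload[1:].hex(),
    }


if __name__ == "__main__":
    # Address quoted in the fake shop's pop-up, plus the genesis block address as a reference
    for addr in ("17n37iJqQn1aHQqMsoYsXYNfQ5hR646zeq", "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"):
        print(inspect_address(addr))
```

A checksum failure after transcription usually means one of the confusable characters was mis-read (the alphabet has no 0, O, I or l, so those are rejected outright); only an address that passes this check is worth querying for its transaction history and first-seen date.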
We will continue to monitor this gang and report any new developments. We urge any law enforcement agencies investigating the Lampeduza gang or these fake shops to reach out to us, as we have additional information that is not in this blog post.