Please don’t jump to any conclusions, that title does not mean we are accusing outgoing U.S. President Joe Biden of being a thief! It’s just a harmless riff on ‘Hail to the Chief,’ the familiar march the President’s Own Marine Band always plays to announce the commander-in-chief’s arrival somewhere and whenever a new POTUS is sworn into office.
As Joe Biden prepares to relinquish the presidency, we hope he can forgive us this play on words, but we doubt he’ll be forgiving the namesake that inspired it, nor should he! The provocatively titled BidenCash is a criminal Dark Web ‘carding’ market, a type of store that peddles stolen credit cards. In December 2023 it made headlines by holding a huge giveaway, releasing the details of 1.9 million cards for free, most likely to attract new customers.
The fact that this store is still going strong is alarming, but that’s why criminals love the Dark Web. It’s a place where ‘alarming’ thrives. In this article, we look at what BidenCash is, how it works, and how you can make sure your customers’ payment card details don’t appear in its next big giveaway.
Background and Operations
The BidenCash site launched to grab its share of this huge market in early 2022, on both the Dark Web and Clearnet, which is the name for the ‘daylight’ portion of the internet, the one we get to through standard web browsers, and that’s indexed by traditional search engines. There are many different Clearnet web domains bearing different variations of the BidenCash name, and they were created to boost visibility and steer people toward the Dark Web service.
The operators are much safer on the Dark Web because it’s easier to hide there. Sites typically use the .onion domain, which is only accessible via the Tor browser, and users need to know specific URLs because these sites are not indexed by the likes of Google and Bing.
The most common way of accessing them is through the Tor browser, which anonymizes internet traffic by routing it through a network of volunteer-operated servers, making it difficult to trace user activity. While using Tor is safer, many users also add a Virtual Private Network (VPN) connection to the mix, making them even harder to trace.
From behind its wall of anonymity, BidenCash sells stolen credit and debit card data that it obtains through skimming, phishing, and other methods, sometimes for as little as 15 cents per item. Apart from its secure nature, another part of the site’s appeal to criminals is that it uses verification and automated checks to validate that the cards are genuine, so its fraudster customers have a guarantee that they’re usable.
Once they have the cards, they can use them for:
- Online Purchases: Buying goods and services from e-commerce sites, often targeting high-value items.
- Account Creation: Criminals may create accounts on various platforms (like streaming services or e-commerce sites) using stolen card information to exploit free trials or gain access to paid services.
- Reselling Goods: Items purchased with stolen card details can be resold for profit on the black market or via online marketplaces.
- Digital Currency: Some criminals may convert stolen card information into cryptocurrencies, making it harder to trace the funds.
- Gift Cards: Purchasing gift cards is a common tactic, as they can be quickly resold or used anonymously.
- Fraudulent Subscriptions: They may use stolen information to subscribe to services, often leading to ongoing charges that can go unnoticed.
This kind of crime is called Card-Not-Present (CNP), because the fraudster has the card information but not the card itself. Worldwide CNP losses are forecast to hit $28.1 billion by 2026, a 40% increase over 2023, so it’s no wonder that carding stores like BidenCash are flourishing.
Types of Data Sold
Many of the BidenCash listings are what those in the trade call ‘fullz’, meaning a complete set of information about each carding victim. A fullz listing typically includes full name, date of birth, Social Security number, address, phone number, email address, bank account details, credit card information, and other personally identifiable information.
These complete sets place victims at a heightened risk of fraud, identity theft, and being targeted for future scams via their e-mail addresses. Even after their cards have expired or been blocked, they remain vulnerable because this kind of PII is still in circulation.
Promotional Tactics
That big free data dump we mentioned wasn’t BidenCash’s first. Previous leaks include 1.2 million sets of credit card details in October 2022 and 2 million in February 2023 (to mark its first anniversary). These free releases have totaled 5 million sets of card details to date, helping to raise BidenCash’s profile among cybercriminals and attracting new users to the platform. It’s quickly become one of the top carding marketplaces, reaching the fifth spot by popularity and total volume according to a threat intelligence firm.
SSH Access
Its growth in popularity may explain why BidenCash has branched out and started offering SSH (Secure Shell) server access on behalf of sellers for as little as $2. The initial listings included access to 850 machines (it may be more by now) with different configurations. Some of the most powerful seen so far offer 196GB of RAM and 104 CPU cores, but what are customers doing with all this high-end processing power?
Well, the folks behind BidenCash have probably guessed that anyone interested in buying stolen credit card details might also be interested in launching DDoS, ransomware, and other online attacks, either to make money or disrupt victims’ services for political or ideological reasons. Customers get all this power virtually risk-free because SSH access encrypts the data transmitted between the user and the server, making it difficult for anyone (including law enforcement agencies) to snoop on their activities.
It also helps with housekeeping, allowing administrators to manage their servers remotely, reducing the risk they’ll be caught. With SSH they can automate regular maintenance tasks such as backups and updates to keep their operations running smoothly, and there are the robust authentication features used to keep out unauthorized users. In effect, BidenCash is now selling secure, enterprise-level criminal infrastructure to its customers that could be netting it at least $9,000 a month and the sellers over $20,000 a month.
Web Skimmers
BidenCash’s main source of income is still the sale of stolen payment data. It uses several techniques to get its hands on card details, and web skimmers are the main one.
A skimming attack starts with an attacker gaining unauthorized access to a website that accepts customer payments such as an e-commerce store, often through vulnerabilities in the site’s code, outdated software, or compromised credentials.
Next comes the injection of malicious JavaScript code into the site’s checkout pages or forms where users enter their sensitive information. The injected JavaScript recognizes when a user is interacting with a payment form, so as they type in their credit card details, the skimmer siphons them off and forwards the data to a remote server controlled by the attacker, often via a hidden network request or by posting it to a malicious URL. Meanwhile, the customer probably won’t suspect that any of this is going on because skimmers are designed to blend in seamlessly with the website.
Magecart Attacks
Magecart attacks are web skimming attacks, but the term is also an umbrella term for several threat actor groups that carry them out against stores powered by Magento and other e-commerce platforms. Many of the cards will likely have been harvested in this way.
Avoiding Law Enforcement
Dark Web marketplaces like BidenCash use several techniques to avoid detection and takedown efforts by authorities. Aside from using the Tor anonymity network, with its strong encryption, BidenCash and sites like it use cryptocurrency transactions for payments because they are difficult to trace.
Owners of such sites also frequently switch their domain names to avoid blocking and tracking. They will also implement DDoS protection measures to prevent distributed denial-of-service attacks that could expose their server locations, and they protect messages between their users and administrators with PGP encryption.
Operational Security
Sites like BidenCash will often run decentralized operations, distributing their infrastructure and personnel across multiple jurisdictions. They will also compartmentalize, limiting information access among team members so that if one person is compromised, they won’t know enough to jeopardize the rest.
Mitigation
An interview exists with someone who claims to run this card shop, and it gives the impression that he is extremely careful to avoid any security mistakes that could expose his identity to the authorities. He only shares information about what he does on a need-to-know basis and even abstains from alcohol to avoid making a mistake that could expose his activities.
If there is one decent thing that such a person can offer business owners, it’s the lesson that they should all have this almost paranoid level of security awareness. He knows that one slip-up could cost him everything, and that holds true for companies, too.
To prevent customers’ credit card information from ending up on illicit sites like BidenCash, businesses should take a leaf out of his book and adopt a comprehensive security strategy that prioritizes the protection of sensitive data. One of the foundational steps is implementing strong security measures, including the use of secure sockets layer (SSL) encryption, which in practice means its successor, TLS. This ensures that data transmitted between the website and users is protected from interception. Additionally, conducting regular security audits and vulnerability assessments can help identify and address potential weaknesses in business systems before they can be exploited by cybercriminals.
It’s important to partner with reputable payment gateways. These providers often offer robust fraud protection and security features of their own, such as tokenization and encryption, which further safeguard customer transactions. Moreover, compliance with the Payment Card Industry Data Security Standard (PCI DSS) is essential. Its evolving guidelines help businesses secure credit card transactions and protect cardholder data.
The standard requires businesses to put systems in place to monitor for unusual activity and detect suspicious behavior, such as unusual spending patterns or multiple transactions from the same IP address, to help catch potential fraud early. It also requires employers to educate their staff about security best practices. Training employees to recognize phishing attempts (the first step in a great many skimming attacks) and understand the importance of safeguarding customer data can significantly reduce the risk of a breach.
Limiting data retention is also recommended. Businesses should only collect and retain customer data that is necessary for transactions and securely delete any information that is no longer needed. Additionally, employing multi-factor authentication (MFA) for both employees and customers adds an extra level of security when accessing accounts.
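The monitoring requirement mentioned above (unusual spending patterns, multiple transactions from the same IP address) is usually implemented as a velocity check. The following is an added example, not from the article: it runs over constructed checkout-attempt log lines, whose field names and values are assumptions for this example, and raises an alert for any IP that makes too many attempts, or tries too many distinct cards, inside a sliding time window. Many small, mostly declined attempts on different cards from one address is the pattern of stolen cards being tested before use.

```javascript
// Constructed checkout-attempt log; field names (ip, card, amount, result) are assumptions.
const SAMPLE_LOG = `
2024-01-15T10:00:01Z ip=203.0.113.7 card=****1234 amount=1.00 result=declined
2024-01-15T10:00:03Z ip=203.0.113.7 card=****5678 amount=1.00 result=declined
2024-01-15T10:00:05Z ip=203.0.113.7 card=****9012 amount=1.00 result=approved
2024-01-15T10:00:07Z ip=203.0.113.7 card=****3456 amount=1.00 result=declined
2024-01-15T10:02:00Z ip=198.51.100.4 card=****1111 amount=59.90 result=approved
2024-01-15T10:40:00Z ip=198.51.100.4 card=****1111 amount=12.50 result=approved
`;

// One log line -> { t: epoch ms, ip, card, amount, result }.
function parseLine(line) {
  const [ts, ...pairs] = line.trim().split(/\s+/);
  const rec = { t: Date.parse(ts) };
  for (const pair of pairs) {
    const [key, value] = pair.split("=");
    rec[key] = value;
  }
  return rec;
}

// Flags an IP the first time it exceeds maxAttempts attempts or maxDistinctCards
// distinct cards inside any sliding window of windowMs. One alert per IP.
function flagVelocity(logText, { windowMs = 60_000, maxAttempts = 3, maxDistinctCards = 2 } = {}) {
  const byIp = new Map();
  for (const line of logText.split("\n")) {
    if (!line.trim()) continue;
    const rec = parseLine(line);
    if (!byIp.has(rec.ip)) byIp.set(rec.ip, []);
    byIp.get(rec.ip).push(rec);
  }
  const alerts = [];
  for (const [ip, recs] of byIp) {
    recs.sort((a, b) => a.t - b.t);
    for (const current of recs) {
      // Attempts from this IP in the windowMs ending at the current attempt.
      const win = recs.filter((r) => r.t <= current.t && r.t > current.t - windowMs);
      const distinctCards = new Set(win.map((r) => r.card)).size;
      if (win.length > maxAttempts || distinctCards > maxDistinctCards) {
        const declines = win.filter((r) => r.result === "declined").length;
        alerts.push({ ip, attempts: win.length, distinctCards, declines,
                      at: new Date(current.t).toISOString() });
        break;
      }
    }
  }
  return alerts;
}

console.log(flagVelocity(SAMPLE_LOG));
```

Tune the thresholds to the store’s real traffic; a shared corporate or mobile-carrier address will legitimately produce many attempts, so the distinct-card count is usually the stronger signal.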
How Reflectiz Can Help
Web skimming attackers often exploit vulnerabilities in third-party plugins, themes, and ad networks to clear the way for those malicious script injections. By targeting the supply chain, they can reach many websites through a single point of compromise, which makes these attacks highly effective and difficult to detect. Fortunately, one of the first things that Reflectiz does is to map every last app in a store’s supply chain and then continuously monitor them for signs of tampering and unusual behavior.
The Reflectiz proprietary browser continuously scans retailer websites for suspicious and unauthorized code changes, which may go unnoticed by traditional embedded security solutions. Reflectiz can pick these up even if they’ve been disguised by obfuscation, thanks to its advanced deobfuscation tool.
The Reflectiz solution knows when code is attempting to access sensitive user data, and when it’s trying to forward it to suspicious domains. It protects customers at every stage of their online journey, from landing page to checkout, ensuring their credentials are safe and fully protected. But it won’t overwhelm security teams with false positives because, through the approvals process, it adapts to your level of risk appetite.
Keep your customers’ cards away from BidenCash and other carding sites with Reflectiz. Sign up here today!