On Sept. 1, the website Rescator.cc alerted customers to a new batch of stolen credit card numbers about to hit its digital shelves. “Load your accounts and prepare for an avalanche of cash!” read a post on the site’s news page. The card numbers appeared as promised the next day, spurring a huge response that crashed the site.
Rescator is the Amazon.com (AMZN) of the black market—an efficient, easy-to-use purveyor of reliable stolen credit card numbers that cybercriminals can purchase in bulk. The account numbers released on Sept. 2 were most likely pilfered from a data breach of almost all of Home Depot’s (HD) U.S. stores, first reported by security blogger Brian Krebs on the same day and confirmed by the company on Sept. 8.
Card numbers stolen from the Home Depot breach have been released by Rescator in batches, 12 so far, under the name “American Sanctions,” according to Krebs and Mark Lanterman, who runs Computer Forensic Services in Minnetonka, Minn. Lanterman applied for a Rescator account using an assumed identity. He monitors the site as part of his work helping local law enforcement track cybercrime. Lanterman’s search of accounts in ZIP codes in the Minneapolis-St. Paul area alone has pulled up more than 80,000 cards.
Because fraud monitoring screens for card use far from a cardholder’s home, stolen numbers are typically used in the ZIP code of the cardholder’s billing address. Rescator lets customers sort batches by ZIP code, as well as by the name of the issuing bank, the type of credit card, the expiration date, and even the last four digits of the card number.
The Rescator site claims a 100 percent validity rate—meaning the card numbers still work—on the American Sanctions batches, Lanterman says. It guarantees the card numbers will work when they are released and doesn’t allow any replacements. The first American Sanctions batches sold for about $50 to $100 per card; as more batches have been added, the price has dropped to $9 to $50 per card, according to Daniel Ingevaldson, chief technology officer at Easy Solutions, which provides antifraud services to banks. Business cards and platinum cards command higher prices, and debit cards cost less.
The validity rate falls—as does the price per card—depending on how old the card lots are. One set of cards labeled “Jackie Chan”—data stolen in June from the restaurant chain P.F. Chang’s China Bistro, according to Lanterman—has a validity rate of about 50 percent. Most cards in this batch sell for $8 to $20. Rescator does offer replacements on older, less reliable cards if buyers have trouble using them.
“The thing is, only criminals are selling these, and most of the criminals out there do not have great customer service,” Lanterman says.
It’s not clear who’s behind the Rescator site. The word Rescator was embedded in malware used in the Target (TGT) data breach last December. Someone posting to a Russian hacker forum using the handle has also used the nickname Helkern. The Helkern alias has been linked to a man in Odessa, Ukraine, named Andrey Khodyrevskiy, an investigation by Bloomberg Businessweek found earlier this year. Khodyrevskiy received a three-year suspended sentence for a poorly executed 2011 hack into a local Web portal in Odessa.
Whoever’s behind Rescator, he’s been receiving high compliments from customers for the site’s American Sanctions offerings. “They’re praising the guy like a rock star over the quality of these numbers,” Lanterman says. “They love him. They think he’s the second coming of Elvis.”