Last Friday, we came across an interesting site: a message board where stolen credit card numbers have been published since August 2005. The site included over 300 credit card numbers and additional information. On Friday more than 60 numbers were posted, showing that the site is definitely active.
It was clear that the information came from a variety of sources – the entries varied from basic (card number, three digit pin code, validity, name and address of the owner) to comprehensive (all the data above, plus phone number, email address, ATM pin code and account details).
Having looked at the site, we decided to call one of the victims to check that the information was authentic. Once he got over his surprise, he confirmed that the details we’d found were his. And that was the start of our telephonic odyssey.
15.30 – Telephoned the Bundeskriminalamt (German Federal Office of Criminal Investigation)
We were given the names of three people to talk to. After a few unsuccessful attempts to get through, it turned out that these three people were either on holiday, or had already gone home. We were finally told to send an email to firstname.lastname@example.org.
16.00 – Telephoned the Landeskriminalamt (German State Office of Criminal Investigation)
Our last phone call made it seem pretty likely that no-one would read our email (let alone do anything with it) before Monday. So we decided to call the local branch of the criminal investigation office – unfortunately, with the same lack of success. The result: we sent another email.
16.15 Telephoned the credit card companies
The situation wasn’t any better when we called Visa and Mastercard – we couldn’t get through to anybody. As a last resort, we called the customer emergency number:
“We’re calling from Kaspersky Lab, an IT security company; we’ve found a website which has hundreds of your customers’ credit card numbers on. Could you please tell us who in your company we should contact?”
“Er – could you please give me your credit card number, Sir?”
In order not to waste any more time, we got our US local office involved. They contacted the credit card companies and the FBI. Meanwhile, our Russian office started the process of getting the website taken down.
So everything’s been set in motion, but the whole thing still makes me a bit uneasy. If you lose your credit card, you’re obliged to inform the card issuer asap. And credit card companies do provide emergency numbers to make this easier. But the story above shows that if, like us, you come across more than 300 stolen numbers, it’s going to be a bit more difficult. Yes, all of this happened on Friday afternoon, but criminals don’t take weekends off!
We’ll see how everything develops over the next couple of days and keep you posted. We’ll also be publishing a short article about this case, with further details, in the very near future.