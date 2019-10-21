(Bloomberg) -- BriansClub is one of the top underground destinations for buying and selling stolen credit cards, according to security experts. It is known for good customer service, a steady stream of stolen credit-card information and expert quality control.

BriansClub also appears to enjoy goading Brian Krebs, a cybersecurity journalist who runs his own blog, Krebs on Security. The online store claims to offer “the best quality cards from the Legendary Brian Krebs.” It also uses his picture on its advertising, and the name itself, BriansClub, is a play on his name, Krebs said.

On Oct. 15, it was revealed that BriansClub’s data had been breached, and information on approximately 26 million credit and debit cards had been taken, creating angst among its customers. The reporter who got the scoop? None other than Krebs himself.

Krebs, a former Washington Post reporter who started his own blog in 2009, discovered the breach while he was vacationing on Australia’s Hamilton Island, a car-free oasis near the Great Barrier Reef. While scanning his inbox, a weeks-old email caught his attention, which he says contained a link to a trove of stolen credit-card information.

Krebs said he contacted BriansClub through its customer ticketing system, and then received a response, which he reproduced on his blog. “No. I’m the real Brian Krebs here,” it said, along with a smiley face emoji and a confirmation that the data center serving the website had been hacked.

‘Strong Karma’

BriansClub declined to respond to subsequent questions, said Krebs, including why they use his name to sell stolen credit cards. “At least part of the appeal is that my surname means ‘crab’ (or cancer) and crab is Russian hacker slang for ‘carder,’ a person who engages in credit card fraud,” he wrote on his blog.

BriansClub has latched onto the crab theme, using crab images and claiming to be copyrighted by Crabs on Security, an apparent nod to the name of Krebs’s blog.

Independent experts verified the data, he said, and then he posted his article. BriansClub didn’t respond to a message sent through its website seeking comment. The site has operated since 2015 and exists on both the standard and the dark web, according to Krebs.

Krebs said he wasn’t surprised or particularly bothered by BriansClub’s needling, and considers the attention a compliment. His reporting has become so well known in the world of carders and hackers that he has more than once played a cameo role in their capers -- including adding his name to countless pieces of malware, he said.

“Almost every time some cyber criminal tries to mess with me or use my name or something like that, it usually ends up backfiring for them, and I usually get one or two stories out of it,” Krebs said. “At least in this space there’s some pretty strong karma.”

Data Trove

Allison Nixon, director of security research at Flashpoint Inc., a security firm, said she was one of the researchers who verified the data for Krebs. She said her team then worked to package relevant information and send it to banks, credit-card providers and other financial organizations that could take action to prevent fraud and block the compromised cards.

The trove of data about stolen credit cards will be “the gift that keeps on giving” for researchers, Nixon said, because high-quality fraud data of this kind and scale is hard to come by.

BriansClub is one of roughly a dozen major destinations on the dark web for buying and selling stolen credit-card information, said Andrei Barysevich, co-founder of the fraud intelligence company Gemini Advisory.

Sites like BriansClub serve as middlemen, evaluating the quality of stolen credit-card information, pricing it accordingly in Bitcoin and selling the data in exchange for a percentage of profits, Nixon said.

Estimates of the number of debit and credit cards for sale in the cyber underground range from tens of millions to hundreds of millions. Some of the cards are expired, and U.S. cards make up the largest single country share of the stolen cache, says Mark Lanterman, a former member of the U.S. Secret Service Electronic Crimes Task Force who currently serves as the chief technology officer of Computer Forensic Services.

Caused Outcry

The cards usually sell for anywhere from $3 to $50 -- and sometimes more -- depending on quality, predicted reliability and type of card, such as credit versus debit, he said.

The main thing keeping people from safe from credit-card fraud is that the supply of cards greatly exceeds the demand, lowering the odds that any individual is targeted, said Nixon.

BriansClub’s administrator confirmed the breach on two chat forums, one in English and another invite-only forum in Russian, Barysevich said. The disclosure caused an outcry with forum users wondering whether the usernames and information utilized to purchase stolen credit cards had been taken in the breach, he said. On the chat forums, BriansClub denied the customer data was taken.

“You never want to get a lot of attention from criminal actors,” Nixon said. “There are a lot of upset resellers that just lost all their stock.”

