In the internet underground, cybercriminals regularly exchange stolen credit card and debit card numbers and people's personal information—data they usually refer to as "dumps." But having someone's credit card number isn't great if you just want to get some cash. For that you'd need their ATM pin too.
That's where a relatively new dark web service comes in. It claims to offer a simple, automated way to trick targets into giving up their PINs or other data such as mother's maiden name. With this information, malicious hackers could access the target's online banking accounts or other sensitive accounts.
Essentially, the customer pays to become a subscriber, then gives the details (name, phone number, bank) of the person they want to target, and the service calls the target with an automated message—a robocall—to trick the target into giving out their PIN. In other words, it's automated phishing or social engineering as a service.
"The system is simple," the website, which doesn't have a specific name, states. "The system will ask them to confirm their atm pin number. If the victim puts in their pin number you will see it in your panel. After that you just go cash out."
While the service seems a little rough around the edges—and it might just be an elaborate scam—it's definitely innovative, according to security firms and researchers that monitor the dark web.
For Andrei Barysevich, a researcher at security firm Recorded Future, "the service seems to be ingeniously clever."
"We've not seen this level of automation paired with a phone social engineering service before," Mark Arena, the CEO of dark web monitoring firm Intel 471, told Motherboard in an online chat.
Researchers from Digital Shadows, another company that scours the dark web, traced the origins of the site back to July of 2016, when a hacker named goldrose advertised it on the popular dark web cybercrime bazaar AlphaBay. Since then, goldrose has advertised the site on other cybercrime sites where people exchange stolen credit card numbers, also known as "carding" forums.
Goldrose did not immediately respond to a series of questions Motherboard sent via AlphaBay's messaging service.
The site works with a subscription model. Users pay $250 per month and supposedly have access to the automated calling service. It's unclear how many people have subscribed.
The criminal, according to Digital Shadow's vice president of strategy Rick Holland, "has spotted a gap in the market; there are plenty of CC dumps circulating, but a lack of PINs and [mother maiden names] that enable users to cash out effectively."
"If the individuals behind the site can attract users and have an efficient, automated way to gather these details, it would be a novel and potentially lucrative business model," Holland told Motherboard in an email.
But some reviewers on AlphaBay said the site is glitchy.
"Good idea but very scetchy [sic] execution, much improvement needed for recording of the message," one user of the service wrote in the AlphaBay forum.
Goldrose offered potential subscribers the chance to test the service, which has no name right now (missed branding opportunity!). The samples of the automated social engineering samples have poor sound quality, and the site's user interface and functionality are both sloppy at best.
There is no clear way to guarantee that the service will be able to actually trick victims into giving up their PIN number, making the $250 monthly fee more like a gamble for paying subscribers. Also, not all "dumps" provide the target's name, credit card details, and their phone number—without the number, the service is useless.
In any case, this shows that, once again, online criminals will come up with innovative ways to monetize stolen data, and get some bucks from fellow criminals as well.
Correction: an earlier version of this story defined Rick Holland the founder of Digital Shadows. He is actually the company's Vice President of Strategy. We regret the error.
Get six of our favorite Motherboard stories every day by signing up for our newsletter.