Early this week, Kenya woke up to news of the mysterious deaths of five young men whose bodies were found badly mutilated and dumped in Kiambu and Kajiado counties.
As police look into the matter, preliminary investigations show Frank Obegi, Elijah Omeka, Fred Mokaya, Perminus Wanjohi and Moses Amenya could have been involved in online business fraud, mostly targeting victims outside the country.
It is also alleged that before they disappeared, they had fleeced their latest victim of Sh1 million.
The killings bring to the fore silent happenings in the financial underworld, heightened by increased use of cryptic transactions, dubbing software and sophisticated international money transfer modes.
Carding is a term describing the trafficking and unauthorised use of credit cards.
The stolen credit cards or credit card numbers are then used to buy prepaid gift cards to cover up the tracks.
Activities also involve exploitation of personal data, and money laundering techniques.
HOW CARDING SCAM OPERATES
This online card fraud has been in place for more than a decade and keeps evolving with technology.
Cybersecurity expert James Kibue yesterday told the Star that the earliest known carding methods include "trashing" for financial data, raiding mailboxes and working with insiders.
Traditionally, the data was sold on the dark market, where carders attempted a "distributed guessing attack" to discover valid numbers by submitting them across a high number of eCommerce sites simultaneously.
Successful attempts saw carders purchase luxury items which they later sold at throw-away prices to get money.
Today, Kibue says more sophisticated tools are used to hack into real cards, with scammers looting from unsuspecting victims.
"Those scammers now just need to get basic card information like date of birth, card number, phone numbers and addresses to hack real cards," he said.
He warned of an emerging trend where local scammers dupe friends or relatives abroad, especially in the US and Canada, into sharing their bank details.
They sell such information to a ring of hackers who use it to hack and hijack valid cards in the said nations. They then transfer looted cash to bank accounts given by relatives and friends, promising a reward of up to 30 per cent of the total amount.
He warned those with relatives abroad not to recklessly share their banking credentials with strangers, indicating that this might land them in trouble with security agencies or see them deported for aiding theft.
Italian cybersecurity firm D3Labs says that on the more sophisticated sites, individual "dumps" may be purchased by zip code and country so as to avoid alerting banks about their misuse.
"Automatic checker services perform validation en masse in order to quickly check if a card has yet to be blocked. Sellers will advertise their dump's 'valid rate', based on estimates or checker data," the firm said in a thought leadership piece.
Cards with a greater than 90 per cent valid rate command higher prices.
According to D3Labs, changes of billing, referred to as 'Cobs', are highly valued, where sufficient information is captured to allow redirection of the registered card's billing and shipping addresses to one under the carder's control.
While some carding forums exist only on the dark web, today most exist on the internet, and many use the Cloudflare network protection service.
Last year, for instance, a cybercriminal entity dubbed All World Cards published details of 2.5 million stolen credit cards on its website, selling them at between $0.30 and $14.40.
Over 1.1 million credit cards were stolen from victims in the United States.
On June 15, another team of hackers, 'BidenCash', uploaded an advertisement with a link for downloading free carding information on underground forums.
At least 7.9 million items of carding information are freely available on the platform, including the cardholder’s name, city, country, bank, address, phone number and CVV, among others.
HOME-GROWN HACKER CARTEL
In Kenya, the Star first reported on bank card racketeering in 2019, after OnNet Services, a Poland-based cyber security firm, tipped the paper off about the re-emergence of a homegrown cyber cartel, dubbed SilentsCards.
The firm foretold the theft of Sh11 million at four Barclays Bank Automated Teller Machines (ATMs) over the Easter holiday, and linked three local hacker communities to bank heists in the country.
SilentsCards is a homegrown cyber cartel that sprang from Forkbombo Group, which terrorised local banks in 2016 and 2017 before being quelled by a multi-agency team of experts from the Kenya Revenue Authority, Banking Fraud Unit and Cyber Crime Unit.
This led to the arrest of some of its members including 35-year-old Calvin Otieno Ogalo, a former police officer and bank employee believed to be the gang leader.
Also arrested were two American citizens who have since been deported.
According to OnNet, the gang is involved in debit and credit bank buying syndicates in the country and abroad, settling data to organised gangs, especially in Eastern Europe.
FINANCIAL LOSS
Although banks do not reveal details on the amount looted by hackers, Bright Mawudor, the co-founder of Africahackon, told the writer then that billions are looted every year.
He called on financial institutions to modernise their card system and always be a step ahead of scammers.
A CBK and Visa cyber security workshop held in 2019 revealed that ignorant customers and rogue bank officers collude with hackers to aid ATM-induced cash-outs.
Bevan Smith, head of risk, Visa sub-Saharan Africa, said hackers looking for an easy way into bank systems are having a field day using genuine cards.
According to the Kenya National Bureau of Statistics (KNBS), cyber security advisories issued to companies increased by 3,693 per cent from 81,727 in 2020 to 3.1 million advisories in 2021.
The increased advisories were attributed to the installation of new systems to detect cyber crimes.
Over the same period, total cyber threats rose by 142 per cent from 139.1 million to 339.1 million.
Out of the cyber threats reported, system vulnerabilities had the highest increment from 114,675 in 2020 to 58 million in 2021.
Reported botnet/DDoS threats also increased from 4.1 million in 2020 to 92.1 million in 2021.
According to the Cybercrime Investigations Unit, the country lost over 170 billion to hackers, with theft of credit or debit card data, financial scams, bank salami attacks and hacking of mobile banking systems being the biggest targets.
This is 10 times more than what was reported in 2016.