GoFuckYourself.com - Adult Webmaster Forum


iSpyCams 09-13-2014 07:07 PM

Business thread: My fucking eyeballs hurt
 
Hey guys. If you or someone you love has a merchant account you want to review the following IP addresses for fraud as on my network all of them showed clear signs of being controlled by carders. It's 9 PM where I am, I have been squinting at data dumps since 7 AM. I am at the 18,000 mark on a spreadsheet with 35,000 records in it. Heads have already rolled and more will roll in the AM but for now, watch out for the following IPs, all but one or 2 of them are for sure proxies with malicious carders behind them. The other 2 are ambiguous but I can't remember which ones they were right now.

NatalieK 09-13-2014 07:11 PM

Thanks, we shall keep an eye on our surfers & incoming members!

Seems a lot all at once. Have these all stolen content, I suppose this isn't known yet?

iSpyCams 09-13-2014 07:16 PM

Quote:

Originally Posted by GspotProductions (Post 20224863)
Thanks, we shall keep an eye on our surfers & incoming members!

Seems a lot all at once. Have these all stolen content, I suppose this isn't known yet?

I run a cam site. There is no content to steal. These IPs were used to submit purchases or attempted purchases with presumably stolen cards. i.e.:

Most were used by more than one "customer" in vastly distant geo locations and were "referred" by the same affiliate. So sure you might have more than one surfer with the same IP but if they all come from the same affiliate then that's too much coincidence, right?

More than half came from the same affiliate, the other half came from another dozen or so and they may have been working together.

I looked at 90 days of data today, ordered not by date but by IP address. I got halfway through. Thankfully most of the fraud was failed purchases, and most of it was recent.

timmyc38 09-13-2014 07:21 PM

thanks for the heads up

NatalieK 09-13-2014 07:48 PM

Quote:

Originally Posted by pompousjohn (Post 20224866)
I run a cam site. There is no content to steal. These IPs were used to submit purchases or attempted purchases with presumably stolen cards. i.e.:

Most were used by more than one "customer" in vastly distant geo locations and were "referred" by the same affiliate. So sure you might have more than one surfer with the same IP but if they all come from the same affiliate then that's too much coincidence, right?

More than half came from the same affiliate, the other half came from another dozen or so and they may have been working together.

I looked at 90 days of data today, ordered not by date but by IP address. I got halfway through. Thankfully most of the fraud was failed purchases, and most of it was recent.

Are you allowed to give the affiliates details considering the obvious misdemeanour or worse?

iSpyCams 09-13-2014 07:50 PM

Quote:

Originally Posted by GspotProductions (Post 20224880)
Are you allowed to give the affiliates details considering the obvious misdemeanour or worse?

They work through a traffic broker in a double blind setup, I can identify individual streams but not their source or the person responsible. Usually the quality is acceptable, though it does require filtering. Lately it's been a little out of control so I had to do a massive audit, and thought I might help by posting some of the results.

lezinterracial 09-14-2014 03:02 AM

Good luck. Could be the Home Depot dumps. Krebs was talking about dumps being sold. Do you block TOR and common proxy ips?

NatalieK 09-14-2014 04:03 AM

Quote:

Originally Posted by pompousjohn (Post 20224881)
They work through a traffic broker in a double blind setup, I can identify individual streams but not their source or the person responsible. Usually the quality is acceptable, though it does require filtering. Lately it's been a little out of control so I had to do a massive audit, and thought I might help by posting some of the results.

ok, well thanks a lot! Good luck with today :thumbsup

iSpyCams 09-14-2014 06:38 AM

Quote:

Originally Posted by lezinterracial (Post 20225033)
Good luck. Could be the Home Depot dumps. Krebs was talking about dumps being sold. Do you block TOR and common proxy ips?

I had a good number of them blocked, but that has to be updated all the time and sadly, it's been a while.

Right now my process is effective but time consuming, tedious and hard to be consistent with:

I look for multiple signups or attempted signups on a single IP address and then look to see if it's a shared IP like a cell phone tower, also if the referring affiliates are random that's usually no problem. If it's all the same guy that's another story. And once I know someone is a carder, then every IP they touch is suspicious and so is anyone else whose traffic comes from that IP, and any IPs that THEY use.

All the suspicious IPs get a lookup on Maxmind proxy detection, which is decent but will only catch maybe half or less. Then I look them up on whatismyipaddress.com, which IMO is way better, but limits the amount of queries per IP and there seems to be no way to buy the database. On whatismyipaddress I find many of these IPs are webhosts, where presumably some squid configuration, VPN or other such proxy service is installed. whatismyipaddress also lists recent spam sources, which many proxies do double duty as forum and mail spam sources, but not all.

When detecting fraud, few single indicators give a clear picture, but many taken together bring things into focus.
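
The triage described in the post above, sketched as an added example (not the poster's code or tooling): each IP is scored on the three indicators mentioned, then one confirmed carder account is expanded to every IP and account linked to it. The record layout, function names and sample data are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

# Constructed sample signups: (ip, account, affiliate, billing_country).
# IPs are from documentation ranges; none come from the thread.
SIGNUPS = [
    ("192.0.2.10", "acct1", "aff7", "US"),
    ("192.0.2.10", "acct2", "aff7", "BR"),
    ("192.0.2.10", "acct3", "aff7", "DE"),
    ("198.51.100.5", "acct3", "aff7", "DE"),
    ("198.51.100.5", "acct4", "aff9", "DE"),
    ("203.0.113.20", "acct5", "aff1", "US"),  # shared IP, e.g. mobile carrier
    ("203.0.113.20", "acct6", "aff2", "US"),
    ("203.0.113.20", "acct7", "aff3", "US"),
    ("203.0.113.99", "acct8", "aff4", "CA"),
]

def score_ips(signups, min_accounts=2):
    """Score each IP: +1 many accounts, +1 single affiliate, +1 several countries."""
    by_ip = defaultdict(lambda: {"accts": set(), "affs": set(), "geo": set()})
    for ip, acct, aff, country in signups:
        by_ip[ip]["accts"].add(acct)
        by_ip[ip]["affs"].add(aff)
        by_ip[ip]["geo"].add(country)
    scores = {}
    for ip, d in by_ip.items():
        many = len(d["accts"]) >= min_accounts
        # The affiliate and geo indicators only count once the IP is reused.
        scores[ip] = (int(many) + int(many and len(d["affs"]) == 1)
                      + int(many and len(d["geo"]) > 1))
    return scores

def taint(signups, known_bad_account):
    """Breadth-first walk account -> IPs -> accounts from one confirmed carder."""
    ips_of, accts_on = defaultdict(set), defaultdict(set)
    for ip, acct, _aff, _country in signups:
        ips_of[acct].add(ip)
        accts_on[ip].add(acct)
    seen_accts, seen_ips = {known_bad_account}, set()
    queue = deque([known_bad_account])
    while queue:
        for ip in ips_of[queue.popleft()] - seen_ips:
            seen_ips.add(ip)
            for other in accts_on[ip] - seen_accts:
                seen_accts.add(other)
                queue.append(other)
    return seen_ips, seen_accts
```

The shared IP with unrelated affiliates scores 1 and the single-affiliate, multi-country IP scores 3; the taint walk marks linked accounts for review only, since an account that merely shares an IP with a carder is suspicious rather than confirmed.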


All times are GMT -7.