Figure 1. Fake Rescator credit card shop
Once you log in, this pop-up appears and asks you to pay a fee of $49 via Bitcoin to activate the account.
Figure 2. Fake credit card shop asking for a fee to activate account
The text in the alert reads as:
For account activation New members. Accept the BitCoin. After paying the fee once all options are open. Balance will be credited immediately. Protection from bots, thank you for your understanding. For security and anonymity we offer BitCoin service for our clients. You can exchange your PM, WMZ, etc in Jabber - firstname.lastname@example.org icq: 242200 and btc-e.com
Activate account Howto:
1. Make a transaction to the purse above; 17n37iJqQn1aHQqMsoYsXYNfQ5hR646zeq
2. Amount BTC - 49usd (0.1 BTC)
3. Your money will be received within ~15 minutes, your balance will be automatically updated
4. Refresh page. Start shopping
Status - Activation wait
For comparison, the actual login page of Rescator looks like this:
Figure 3. Actual Rescator login page
Here is the page that a user sees after logging in:
Figure 4. Actual Rescator panel
All of these online credit card shops are claimed to be forgeries of original shops owned and run by Rescator. Rescator is well known for running online credit card shops and is also the administrator of the carding forum Lampeduza. The "official" shops run by Rescator are:
Figure 5. Announcement of actual Rescator domains
These fake online credit card shops are definitely scams, but we cannot rule out that the Lampeduza gang is behind these as well. This intriguing post suggests that Rescator is responsible for these fakes as well; however, again, this could be a false claim:
Figure 6. Complaint about 24exchange shop
The fake sites look like the old version of the actual shop, as seen in this xylitol blog post, which shows what the Rescator site looked like in February 2013. We have seen multiple posts from Rescator warning users about forgeries and stating that he has nothing to do with them.
Conclusion
It is still unclear who is behind these fake credit card shops. However, it is clear that whoever is responsible is using the fame of the Lampeduza shop, which is well known in the cybercriminal community for providing high-quality credit card information directly related to data breaches in the United States, among other countries.
The Bitcoin address appears to have received 55 BTC at this time. Some of these transactions are worth 0.1 BTC (approximately $50), the amount that the fake sites ask from their victims. In addition, this address has only been in use since July 15 of this year.
We will continue to monitor this gang and report any new developments. We urge any law enforcement agencies investigating the Lampeduza gang or these fake shops to reach out to us, as we have additional information that is not in this blog post.