Group-IB, a Moscow-founded cybersecurity firm now based in Singapore, “has detected a massive upload of debit and credit card records …on one of the most popular underground cardshops.”
According to the firm, between October 28th and November 27th of this year, criminals uploaded more than 460,000 records to the underground website Joker’s stash. The card numbers “mostly” pertain to top 10 Turkish banks.
Bank and credit card numbers are regularly purchased en masse on Dark Net marketplaces and are often paid for using cryptocurrencies.
Once they have obtained a stack of numbers, hackers typically use automated software to bulk test the numbers and attempt to access accounts with security holes.
Once they have accessed accounts, balances can be robbed. Accessed accounts can also be used to penetrate a bank’s own systems.
According to Group-IB, the trove of Turkish banking details has an estimated value of more than $0.5 million. Such data can also be copied and sold over and over.
Group-IB says it used, “its own unique tools for underground forums and cardshops monitoring,” to detect the databases and informed, “proper local authorities about the sale of the payment records,” as soon as they were discovered.
The first two databases detected at Joker’s Stash were “TURKEY-MIX-01 (FRESH SNIFFED CVV) 30.000 cards TURKEY MIX, HIGH VALID 85-90%, uploaded 2019-10-28 (NON-REFUNDABLE BASE)” and “TURKEY-MIX-02 (FRESH SNIFFED CVV) 30.000 cards TURKEY MIX, HIGH VALID 85-90%, uploaded 2019-10-28 (NON-REFUNDABLE BASE).”
Group-IB says the 60 000 cards went on sale on October 28th for $3 each.
Two more “Turkey Mix” card sets totalling 290 000 cards were sold off at a rate of $1 each.
Group-IB says, “cards from Turkey are very rare on the cardshops, in the past 12 months this is the only big sale of payment cards related to Turkish banks.”
GDmitry Shestakov, head of the Group-IB’s сybercrime unit says, “breakdown of the data indicated that all the cards could have likely been compromised online either due to phishing, malware or increased activity of Java-Script sniffers or other.”
Shestakov says the stolen card data includes card number, expiration date, CVV/CVC, cardholder name as well as some additional info such as email, name and phone number.
Group-IB says the size of the “carding market” (stolen card number market) grew by 33 percent from H2 2017 to H1 2019. The Group believes the Dark Net carding market is currently worth $879.7 million USD.
The firm offers the following advice:
“To avoid a card being compromised online due to JS-sniffers, Group-IB experts recommend that users should have a separate prepaid card for online payments, set spending limits on cards, used for online shopping, or even use a separate bank account exclusively for online purchases.”
“The admins of eCommerce websites, in their turn, need to keep their software updated, carry out regular cybersecurity assessments of their websites and not hesitate to seek assistance from cybersecurity specialists whenever needed.”