On the Dark Web, stolen credit card databases continue to be some of the most valuable commodities for hackers and cybercriminals. Now the biggest credit card database of all time, a whopping 1.3 million cards in total, is for sale on one of the Dark Web’s most notorious underground marketplaces, known as Joker’s Stash. For cyber thieves looking to get their hands on stolen credit card details, the latest data dump is a treasure trove, filled with all of the information needed to make online banking transactions or create cloned versions of the bank cards. According to Singapore-based cybersecurity firm Group-IB, which discovered the stolen credit card database, this is the biggest single card database ever offered for sale on the Dark Web. The market value of this credit card database is $130 million.
Stolen credit card details now on Joker’s Stash
Unlike other stolen credit card databases that eventually end up on Joker’s Stash, this credit card database is composed almost entirely of cards from Indian bank customers. According to Group-IB, 98 percent of the stolen credit card database information is from Indian banks, with another 1 percent from Colombian banks. While Group-IB did not disclose the exact identities of the Indian banks involved in the massive data breach, it did note that nearly one-fifth (18%) of the stolen credit card database information was from a single Indian bank. As Ilya Sachkov, CEO and founder of Group-IB, notes, a credit card database composed almost entirely of records from the Indian region is extremely rare.
The stolen credit card dump is also unique in terms of the overall size and scope of the database. Most credit card database dumps, for example, are much smaller in size, and are usually introduced in smaller tranches at a time. In this case, though, the hackers are clearly looking to make as much money as possible, as quickly as possible. The list value of each card in the credit card database is $100. According to the information that the hackers posted on Joker’s Stash, the cards have a validity rate of 90-95 percent. This suggests that the stolen credit card data was acquired very recently (probably within the past 12 months), such that all of the key details needed to use the cards have not changed.
Based on screenshot images posted to Joker’s Stash, it appears that the fraudsters are including both Track 1 and Track 2 card information, which means that the credit card thieves are in possession of the magnetic stripe information of the cards. This information is very valuable for cybercriminals because it includes all of the data (brand, card level, expiration date and CVV code) needed to make transactions online. And if cybercriminals are looking to pull cash from ATMs with the cards, then they have all the data needed to make cloned versions of the cards.
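Because Track 1 and Track 2 data is exactly what a skimmer captures, one defensive control is to scan logs, crash dumps and exports for raw track data, which PCI DSS forbids storing after authorization. The following detector is an added example, not code from the article or from Group-IB; it runs over constructed log lines with synthetic test PANs, validates each candidate PAN with the Luhn check to cut false positives, masks the PAN before reporting, and reads the service code to tell chip-capable cards from magstripe-only ones.

```python
import re

# ISO 7813 layouts: Track 1 starts with %B, fields separated by ^;
# Track 2 starts with ;, PAN and expiry separated by =. Both end with ?.
TRACK1_RE = re.compile(
    r"%B(?P<pan>\d{13,19})\^(?P<name>[^^]{2,26})\^"
    r"(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\?")
TRACK2_RE = re.compile(
    r";(?P<pan>\d{13,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\?")

def luhn_ok(pan: str) -> bool:
    """Mod-10 check; filters out random digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(pan: str) -> str:
    """Keep BIN (first 6) and last 4, as PCI allows in displayed output."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def find_track_data(text: str) -> list:
    """Return one finding per Luhn-valid track record found in text."""
    hits = []
    for kind, rx in (("track1", TRACK1_RE), ("track2", TRACK2_RE)):
        for m in rx.finditer(text):
            pan = m.group("pan")
            if not luhn_ok(pan):
                continue
            svc = m.group("svc")
            hits.append({
                "type": kind,
                "pan": mask_pan(pan),
                "exp": m.group("exp"),          # YYMM
                "service_code": svc,
                # First service-code digit 2 or 6 marks an IC (chip) card.
                "chip_capable": svc[0] in "26",
            })
    return hits

# Constructed sample log; 4111111111111111 is a well-known synthetic test PAN,
# the second line's PAN deliberately fails Luhn and must not be reported.
SAMPLE_LOG = """2019-10-29 12:01:03 pos-term-07 swipe raw=%B4111111111111111^DOE/JANE^25121010000000000?
2019-10-29 12:01:04 pos-term-07 swipe raw=;1234567890123456=25121010000000000?
2019-10-29 12:02:10 pos-term-07 swipe raw=;4111111111111111=25121010000000000?
2019-10-29 12:03:00 pos-term-07 auth approved ref=ABC123"""

if __name__ == "__main__":
    for hit in find_track_data(SAMPLE_LOG):
        print(hit)
```

Hits on the magstripe-only service code 101 on a chip-capable issuer portfolio are the records worth escalating, since they show cleartext track data leaving the reader and being written to disk.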
In search of the hackers behind the stolen credit card database
Unlike other credit card database dumps, this one posted to Joker’s Stash arrived without any advance fanfare. Usually, hackers use dark net forums to promote new offerings once they have been uploaded to underground markets. In this case, though, the cyber security researchers at Group-IB ran across the stolen credit card database on Joker’s Stash without any tip-off or advance notice. Group-IB, as is its protocol, has shared the details of this posting on Joker’s Stash with the proper authorities. The information was also shared with the Indian banks, and their customers have already been notified.
Based on initial forensic evidence from Group-IB’s threat intelligence unit, it appears that the hackers behind this credit card database breach are part of the hacking syndicate known as Fin7. In the past, law enforcement authorities such as the FBI have cracked down on Fin7, including arresting three of its members. So any investigation of this latest data breach is likely to build on what law enforcement officials around the world already know about illicit activities on Joker’s Stash, which now consists of 49 different servers and 543 domain names where cybercriminals can transact business on the Dark Web.
The sale of card dumps on Joker’s Stash is nothing new and not the only big sale that has taken place. In the underground market, Joker’s Stash is one of the most recognizable “brand names” for cybercriminals looking to buy and sell stolen credit card information. The sale of this database might be larger in size than other sales, but it fits the basic pattern of how these credit card dumps end up for sale on the Dark Web. With such a large credit card database of 1.3 million records, the obvious place to offer them for sale was on Joker’s Stash.
Implications of the Indian credit card dump
The big question, of course, is how the hackers managed to collect 1.3 million credit card database records. Since the big sale of card data includes magnetic stripe information, it is highly likely that the stolen data was collected from point-of-sale (POS) or ATM skimmers. This means that the cyber thieves had physical access to ATMs across India, where they were able to insert payment skimmers into the machines. As a result, the Indian media is now warning people of ways to recognize when an ATM has been tampered with.
One problem, say cyber security researchers, is that there are still a lot of credit cards with magnetic stripes in circulation within India. According to estimates, about 70 percent of cards in circulation are chip-based, while 30 percent have magnetic stripes. Chip-based cards are much more secure, and should be a priority for banking customers looking to protect banking data.
Coordination of global cybercrime authorities
This credit card database dump, while confined almost entirely to Indian bank customers, is another reminder of the need to coordinate cybercrime-fighting activities on a global scale. If law enforcement authorities in the United States, for example, can coordinate their efforts with Indian law enforcement authorities, then they might be able to finally put an end to underground marketplaces like Joker’s Stash.